diff options
Diffstat (limited to 'man5/hosts.equiv.5')
-rw-r--r-- | man5/hosts.equiv.5 | 212 |
1 files changed, 212 insertions, 0 deletions
diff --git a/man5/hosts.equiv.5 b/man5/hosts.equiv.5 new file mode 100644 index 0000000..a9521da --- /dev/null +++ b/man5/hosts.equiv.5 @@ -0,0 +1,212 @@ +.\" Copyright (c) 1995 Peter Tobias <tobias@et-inf.fho-emden.de> +.\" +.\" SPDX-License-Identifier: GPL-1.0-or-later +.TH hosts.equiv 5 2023-02-05 "Linux man-pages 6.05.01" +.SH NAME +hosts.equiv \- list of hosts and users that are granted "trusted" +.B r +command access to your system +.SH DESCRIPTION +The file +.I /etc/hosts.equiv +allows or denies hosts and users to use +the \fBr\fP-commands (e.g., +.BR rlogin , +.BR rsh , +or +.BR rcp ) +without +supplying a password. +.PP +The file uses the following format: +.TP +\fI+|[\-]hostname|+@netgroup|\-@netgroup\fP \fI[+|[\-]username|+@netgroup|\-@netgroup]\fP +.PP +The +.I hostname +is the name of a host which is logically equivalent +to the local host. +Users logged into that host are allowed to access +like-named user accounts on the local host without supplying a password. +The +.I hostname +may be (optionally) preceded by a plus (+) sign. +If the plus sign is used alone, it allows any host to access your system. +You can explicitly deny access to a host by preceding the +.I hostname +by a minus (\-) sign. +Users from that host must always supply additional credentials, +including possibly a password. +For security reasons you should always +use the FQDN of the hostname and not the short hostname. +.PP +The +.I username +entry grants a specific user access to all user +accounts (except root) without supplying a password. +That means the +user is NOT restricted to like-named accounts. +The +.I username +may +be (optionally) preceded by a plus (+) sign. +You can also explicitly +deny access to a specific user by preceding the +.I username +with +a minus (\-) sign. +This says that the user is not trusted no matter +what other entries for that host exist. +.PP +Netgroups can be specified by preceding the netgroup by an @ sign. +.PP +Be extremely careful when using the plus (+) sign. +A simple typographical +error could result in a standalone plus sign. +A standalone plus sign is +a wildcard character that means "any host"! +.SH FILES +.I /etc/hosts.equiv +.SH NOTES +Some systems will honor the contents of this file only when it has owner +root and no write permission for anybody else. +Some exceptionally +paranoid systems even require that there be no other hard links to the file. +.PP +Modern systems use the Pluggable Authentication Modules library (PAM). +With PAM a standalone plus sign is considered a wildcard +character which means "any host" only when the word +.I promiscuous +is added to the auth component line in your PAM file for +the particular service +.RB "(e.g., " rlogin ). +.SH EXAMPLES +Below are some example +.I /etc/host.equiv +or +.I \[ti]/.rhosts +files. +.PP +Allow any user to log in from any host: +.PP +.in +4n +.EX ++ +.EE +.in +.PP +Allow any user from +.I host +with a matching local account to log in: +.PP +.in +4n +.EX +host +.EE +.in +.PP +Note: the use of +.I +host +is never a valid syntax, +including attempting to specify that any user from the host is allowed. +.PP +Allow any user from +.I host +to log in: +.PP +.in +4n +.EX +host + +.EE +.in +.PP +Note: this is distinct from the previous example +since it does not require a matching local account. +.PP +Allow +.I user +from +.I host +to log in as any non-root user: +.PP +.in +4n +.EX +host user +.EE +.in +.PP +Allow all users with matching local accounts from +.I host +to log in except for +.IR baduser : +.PP +.in +4n +.EX +host \-baduser +host +.EE +.in +.PP +Deny all users from +.IR host : +.PP +.in +4n +.EX +\-host +.EE +.in +.PP +Note: the use of +.I "\-host\ \-user" +is never a valid syntax, +including attempting to specify that a particular user from the host +is not trusted. +.PP +Allow all users with matching local accounts on all hosts in a +.IR netgroup : +.PP +.in +4n +.EX ++@netgroup +.EE +.in +.PP +Disallow all users on all hosts in a +.IR netgroup : +.PP +.in +4n +.EX +\-@netgroup +.EE +.in +.PP +Allow all users in a +.I netgroup +to log in from +.I host +as any non-root user: +.PP +.in +4n +.EX +host +@netgroup +.EE +.in +.PP +Allow all users with matching local accounts on all hosts in a +.I netgroup +except +.IR baduser : +.PP +.in +4n +.EX ++@netgroup \-baduser ++@netgroup +.EE +.in +.PP +Note: the deny statements must always precede the allow statements because +the file is processed sequentially until the first matching rule is found. +.SH SEE ALSO +.BR rhosts (5), +.BR rlogind (8), +.BR rshd (8) |