hosts.equiv man page on HP-UX


hosts.equiv(4)							hosts.equiv(4)

NAME
       hosts.equiv,  .rhosts  -	 security  files  authorizing access by remote
       hosts and users on local host

DESCRIPTION
       The file hosts.equiv and files named .rhosts found in users' home
       directories specify remote hosts and users that are "equivalent" to
       the local host or user.  Users from equivalent remote hosts are
       permitted to access a local account using rcp or remsh or to rlogin
       to the local account without supplying a password (see rcp(1),
       remsh(1), and rlogin(1)).  The security  provided  by
       is implemented by the library routine, (see rcmd(3N)).

       In this description, hostequiv means either the system hosts.equiv
       file or the user .rhosts file.  Note that .rhosts must be owned either
       by root or by the user in whose home directory it is found, and it
       must not be a symbolic link.  The hosts.equiv file defines system-wide
       equivalency, whereas a user's .rhosts file defines equivalency between
       the local user and any remote users to whom the local user chooses to
       allow or deny access.

       An entry in the hostequiv file is a single line (no  continuations)  in
       the format:

       Thus, it can be:

	      ·	 A blank line.

	      ·	 A comment line, beginning with a

	      ·	 A host name, optionally followed by a comment.

	      ·	 A host name and user name, optionally followed by a comment.

	      A host or user name is a string of printable characters,
	      excluding whitespace, newlines, and

	      Names are separated by whitespace.

       For a user to be granted access, both the remote host name and the user
       name must "match" an entry in hostequiv.  When a request is made for
       access, the hosts.equiv file is searched first.  If a match is found,
       access is permitted.  If no match is found, the .rhosts file is
       searched, if one exists in the local user's home directory.  If the
       local user is a superuser, hosts.equiv is ignored.

       A  host	name  or user name must match the corresponding field entry in
       hostequiv in one of the following ways:

	      Literal match	       A host name in hostequiv can  literally
				       match  the  official  host name (not an
				       alias) of the remote host.

				       A user name in hostequiv can  literally
				       match the remote user name.  For a user
				       name to have literal match in the file,
				       the  remote  user  name	must literally
				       match the local user name.

	      Domain-extended match    The remote host	name  to  be  compared
				       with  entries in hostequiv is typically
				       the official host name returned by (see
				       gethostent(3N)).	  In  a	 domain-naming
				       environment, this is a domain-qualified
				       name.  If a host name in hostequiv does
				       not literally  match  the  remote  host
				       name,  the  host name in hostequiv with
				       the  local  domain  name	 appended  may
				       match the remote host name.

	      If the host name in      hostequiv  is of this form, and if name
				       literally matches the remote host  name
				       or  if  name with the local domain name
				       appended matches the remote host	 name,
				       access is denied regardless of the user
				       name.

				       If the user name	 in  hostequiv	is  of
				       this  form,  and name literally matches
				       the remote user name, access is denied.

				       Even if access is denied in this way by
				       hosts.equiv, access can still be allowed
				       by .rhosts.

	      Any remote host name matches the host name
				       in hostequiv.

				       Any remote user matches the user name

	      netgroup_name	       is  the	name  of  a  network  group as
				       defined in netgroup(4).	 If  the  host
				       name  in hostequiv is of this form, the
				       remote host name (only) must match  the
				       specified  network  group  according to
				       the rules  defined  in  netgroup(4)  in
				       order for the host name to match.

				       Similarly, if the user name in hostequiv
				       is of this form, the remote user name
				       (only) must match the specified network
				       group in order for the user name to
				       match.

	      netgroup_name	       is  the	name  of  a  network  group as
				       defined in netgroup(4).	 If  the  host
				       name  in hostequiv is of this form, and
				       if the remote host name (only)  matches
				       the  specified  network group according
				       to the rules  defined  in  netgroup(4),
				       access is denied.

				       Similarly, if the user name in hostequiv
				       is of this form, and if the remote user
				       name (only) matches the specified
				       network group, access is denied.

				       Even if access is denied in this way by
				       hosts.equiv, access can still be allowed
				       by .rhosts.
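
       The host-field rules above, as an added Python illustration that is
       not part of the HP-UX manual page.  It assumes the conventional rhosts
       tokens ("+" wildcard, leading "-" deny form, "@" netgroup prefix, "#"
       comment), which are missing from this copy; all host and domain names
       are constructed.

```python
# Added illustration, not HP-UX code.  Assumed tokens (absent from this copy
# of the page): "+" wildcard, leading "-" deny form, "@" netgroup prefix.

def match_host(entry_host, remote_host, local_domain):
    """Classify one hostequiv host field against the remote official name.

    Returns "allow", "deny", "netgroup" (needs a netgroup(4) lookup) or None.
    """
    if entry_host.startswith(("+@", "-@")):
        return "netgroup"
    if entry_host == "+":
        return "allow"                       # any remote host name matches
    deny = entry_host.startswith("-")
    name = entry_host[1:] if deny else entry_host
    literal = name == remote_host
    # Domain-extended match: entry with the local domain name appended.
    extended = f"{name}.{local_domain}" == remote_host
    if literal or extended:
        return "deny" if deny else "allow"
    return None


def explain(lines, remote_host, local_domain):
    """Per-line host verdicts for constructed hostequiv content."""
    verdicts = []
    for lineno, raw in enumerate(lines, 1):
        fields = raw.split()
        if not fields or fields[0].startswith("#"):   # blank or comment ("#" assumed)
            continue
        verdicts.append((lineno, fields[0],
                         match_host(fields[0], remote_host, local_domain)))
    return verdicts


# Constructed sample: the local host is in domain "eng.example".
SAMPLE = ["# trusted build hosts", "hostB", "-hostC", "hostD.ops.example"]

if __name__ == "__main__":
    for remote in ("hostB.eng.example", "hostB.ops.example", "hostC.eng.example"):
        print(remote, explain(SAMPLE, remote, "eng.example"))
```

       An unqualified entry only matches hosts in the local domain; a host in
       another domain must be listed by its domain-qualified name.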

EXAMPLES
       1.     on contains the line:

	      and  on  is  empty.  User on can use to or to account on without
	      being prompted for a password.  will, however, be prompted for a
	      password with or denied access with from to

	      If in the home directory of user on contains:

	      or

	      then user can access from

       2.     is  in the domain and are in the domain in the home directory of
	      user on contains:

	      User can access from since matches with local  domain  appended.
	      But  user	 from  cannot access since does not match In order for
	      user to be able to access from file on must contain:

	      since is in a different domain.

       3.     in the home directory of user on contains:

	      on contains the line:

	      However, there is no file in the home directory of user  on  The
	      user on can to account on without being prompted for a password,
	      but on cannot to account on

       4.     in the home directory of user on contains:

	      User from any host is allowed to access account on User from any
	      host except can access account on

       5.     on contains the lines:

	      Any user from except is allowed to access an account on with the
	      same user name.  However, if in the home directory  of  user  on
	      contains:

	      then user from can access account on

       6.     on contains the line:

	      The network group consists of:

	      If is not running Network Information Service (NIS), user on any
	      host can access account on

	      If is running Network Information Service (NIS), and is  in  the
	      domain  user  on any host, whether in or not, can access account
	      on

	      However, if in the home directory of user on contains the line:

	      and is either not running Network Information Service  (NIS)  or
	      is in domain no user on any host can access the account on If is
	      running Network Information Service (NIS)	 but  is  not  in  the
	      domain this line has no effect.

       7.     on contains the line:

	      The network group consists of:

	      All users on are denied access to

	      However,	if  in the home directory of a user on contains any of
	      the following lines:

	      then user on can access that account on

WARNINGS
       For security purposes, the files hosts.equiv and .rhosts should exist
       and be readable and writable only by the owner, even if they are empty.

       Care must be exercised when creating the

       The  option to and prevents any authentication based on files for users
       other than a superuser.
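
       The ownership, symbolic-link and permission requirements stated in
       DESCRIPTION and WARNINGS, as an added Python check that is not part of
       the manual page.  The function names are hypothetical, and reporting a
       missing file as a finding assumes the WARNINGS text refers to
       hosts.equiv and .rhosts.

```python
import os
import pwd
import stat


def check_trust_file(path, owner_uid):
    """Findings for one hosts.equiv or .rhosts file (empty list = clean)."""
    try:
        st = os.lstat(path)              # lstat: a symlink is seen, not followed
    except FileNotFoundError:
        return ["missing: should exist, even if empty"]
    if stat.S_ISLNK(st.st_mode):
        return ["is a symbolic link"]
    findings = []
    if not stat.S_ISREG(st.st_mode):
        findings.append("not a regular file")
    if st.st_uid not in (0, owner_uid):
        findings.append("not owned by root or the account owner")
    if st.st_mode & 0o077:               # any group/other permission bit set
        findings.append(
            f"mode {stat.S_IMODE(st.st_mode):04o} grants group/other access")
    return findings


def audit_rhosts(passwd_entries=None):
    """Check .rhosts in every home directory; returns {path: findings}."""
    entries = pwd.getpwall() if passwd_entries is None else passwd_entries
    report = {}
    for pw in entries:
        path = os.path.join(pw.pw_dir, ".rhosts")
        found = check_trust_file(path, pw.pw_uid)
        if found:
            report[path] = found
    return report


if __name__ == "__main__":
    for path, found in sorted(audit_rhosts().items()):
        print(path, "; ".join(found))
```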

AUTHOR
       was developed by the University of California, Berkeley.

       The and extensions were developed by Sun Microsystems, Inc.

FILES
SEE ALSO
       rcp(1), rdist(1), remsh(1), rlogin(1), remshd(1M), rlogind(1M),
       gethostent(3N), rcmd(3N), netgroup(4).
