HOSTS.EQUIV(4)  —  Series 300 and 800 Only

NAME

hosts.equiv, .rhosts − remote hosts and users equivalent to the local host or user

DESCRIPTION

/etc/hosts.equiv and files named .rhosts in users’ home directories specify remote hosts and users which are “equivalent” to the local host or user. Users from equivalent remote hosts are permitted to access a local non-super-user account using remsh(1) or rcp(1) or to rlogin(1) to the local account without supplying a password. The security defined in hosts.equiv is implemented by the library routine ruserok(3X).

In the following, hosts.equiv should be understood to mean either /etc/hosts.equiv or a file .rhosts in a local user’s home directory. Note that .rhosts must be owned either by the user in whose home directory it is found, or by the super-user, and must not be a symbolic link. /etc/hosts.equiv defines system-wide equivalency, while a user’s .rhosts defines equivalency between that user and remote users to which that user wishes to allow or deny access.

Each line of hosts.equiv may be:

A blank line. 

A comment, beginning with a ‘#’. 

A host name, consisting of a string of any printable characters other than white space, newline, or ‘#’. 

A host name, followed by white space, followed by a user name. 

In order for a user to be granted access, both the remote host name and user name must “match” an entry in hosts.equiv. /etc/hosts.equiv is searched first.  If a match is found, access is permitted.  If not, if there is a file .rhosts in the local user’s home directory, it is searched.  If the remote user is the super-user, /etc/hosts.equiv is ignored. 

A host name or user name matches the corresponding field in an entry in hosts.equiv in one of the following ways:

Literal match: a host name in hosts.equiv may literally match the official host name (not an alias) of the remote host.  See hosts(4). A user name in hosts.equiv may literally match the remote user name.  If there is no user name in the hosts.equiv entry, the remote user name must literally match the local user name. 

-name: if the host name in hosts.equiv is of this form, and the remote host name literally matches name, access is denied regardless of the user name.  If the user name in hosts.equiv is of this form, and the remote user name literally matches name, access is denied.  If access is denied in this way by /etc/hosts.equiv, access may still be allowed by .rhosts. 

+:  any remote host name matches the host name + in hosts.equiv; any remote user matches the user name +. 

+@netgroup_name, where netgroup_name is the name of a network group as defined in netgroup(4): If the host name in hosts.equiv is of this form, then the remote host name AND the remote user name must match the specified network group according to the rules defined in netgroup(4) in order for the host name to match. Similarly, if the user name in hosts.equiv is of this form, then the remote user name AND the remote host name must match the specified network group in order for the user name to match. 

-@netgroup_name: If the host name in hosts.equiv is of this form, and if the remote host name AND the remote user name match the specified network group, according to the rules defined in netgroup(4), then access is denied. Similarly, if the user name in hosts.equiv is of this form, and if the remote user name AND the remote host name match the specified network group, then access is denied.  If access is denied in this way by /etc/hosts.equiv, access may still be allowed by .rhosts. 

EXAMPLES

1) /etc/hosts.equiv on hostA contains the line:

hostB

and /etc/hosts.equiv on hostB is empty.  User “chm” on hostB can use remsh to hostA, or rlogin to the account “chm” on hostA without being prompted for a password.  She will, however, be prompted for a password with rlogin, or denied access with remsh, from hostA to hostB.

If .rhosts in the home directory of user “chm” on hostB contains:

hostA

or

hostA chm

then she will be able to access hostB from hostA. 

2) .rhosts in the home directory of user “chm” on hostA contains:

hostB root

/etc/hosts.equiv on hostB contains the line:

hostA

However, there is no file .rhosts in the home directory of user “chm” on hostB.  The user “root” on hostB can rlogin to the account “chm” on hostA without being prompted for a password, but “root” on hostA cannot rlogin to the account “chm” on hostB. 

3) .rhosts in the home directory of user “chm” on hostA contains:

+
-hostB
+ root

User “chm” from any host will be allowed to access the account “chm” on hostA.  User “root” from any host except hostB will be allowed to access the account “chm” on hostA. 

4) /etc/hosts.equiv on hostA contains the lines:

+ -chm
hostB

Any user from hostB except “chm” will be allowed to access an account on hostA with the same user name. 

However, if .rhosts in the home directory of user “chm” on hostA contains:

hostB

then user “chm” from hostB will be allowed to access the account “chm” on hostA. 

5) /etc/hosts.equiv on hostA contains the line:

+@example_group

The network group example_group consists of:

example_group ( , ,EXAMPLE_DOMAIN)

If hostA is not running Yellow Pages (NFS), user “chm” on any host can access the account “chm” on hostA. 

If hostA is running Yellow Pages (NFS), and hostA is in the domain EXAMPLE_DOMAIN, user “chm” on any host, whether in EXAMPLE_DOMAIN or not, can access the account “chm” on hostA. 

However, if .rhosts in the home directory of user “chm” on hostA contains the line:

-@example_group

and hostA is either not running Yellow Pages (NFS) or is in domain EXAMPLE_DOMAIN, then no user “chm” on any host will be allowed to access the account “chm” on hostA.  If hostA is running Yellow Pages (NFS) but is not in the domain EXAMPLE_DOMAIN, this line will have no effect. 

6) /etc/hosts.equiv on hostA contains the line:

-@example_group

The network group example_group consists of:

example_group (hostB, ,)

User “chm” on hostB will be denied access to the account “chm” on hostA. 

However, if .rhosts in the home directory of user “chm” on hostA contains any of the following lines:

+@example_group
hostB chm
hostB
+ chm
+

then user “chm” on hostB will be allowed to access the account “chm” on hostA. 
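The matching rules in DESCRIPTION can be checked against examples 1 to 4 with a small evaluator. This is an added example, not the ruserok(3X) implementation; the function names check_file and access_allowed are hypothetical, and netgroup entries (+@name, -@name) are skipped rather than resolved.

```python
# Added example: evaluates hosts.equiv-style entries by the rules on this page.
# Assumption: netgroup entries are skipped because no netgroup(4) data is modelled.

def check_file(lines, rhost, ruser, luser):
    """Return 'allow', 'deny' or None (no entry decided) for one file."""
    for raw in lines:
        fields = raw.split()
        if not fields or fields[0].startswith('#'):
            continue                          # blank line or comment
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        if any(f[:2] in ('+@', '-@') for f in fields[:2]):
            continue                          # netgroup lookup not modelled
        if host.startswith('-') and len(host) > 1:
            if host[1:] == rhost:
                return 'deny'                 # -name host: denied for any user
            continue
        if host != '+' and host != rhost:
            continue                          # host field does not match
        if user is None:
            if ruser == luser:
                return 'allow'                # no user field: names must be equal
        elif user == '+' or user == ruser:
            return 'allow'
        elif user.startswith('-') and user[1:] == ruser:
            return 'deny'                     # -name user
    return None


def access_allowed(hosts_equiv, rhosts, rhost, ruser, luser):
    """hosts.equiv first, then .rhosts; both are lists of entry lines."""
    # Per the page: hosts.equiv is ignored for a remote super-user, and a
    # denial in hosts.equiv can still be overridden by .rhosts.
    if ruser != 'root' and check_file(hosts_equiv, rhost, ruser, luser) == 'allow':
        return True
    return check_file(rhosts, rhost, ruser, luser) == 'allow'


if __name__ == "__main__":
    rhosts = ["+", "-hostB", "+ root"]        # example 3 on the page
    for rhost, ruser in [("hostB", "chm"), ("hostB", "root"), ("hostC", "root")]:
        print(rhost, ruser, access_allowed([], rhosts, rhost, ruser, "chm"))
```

Running an existing file through such an evaluator shows which remote host and user pairs it actually admits, which is easy to misjudge when + and -name lines are mixed.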

WARNINGS

For security purposes, the files /etc/hosts.equiv and .rhosts should exist and be readable and writable only by the owner, even if they are empty. 
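The ownership, symbolic-link and permission requirements stated in DESCRIPTION and WARNINGS can be audited with a short script. This is an added example, not part of the original manual page; audit_equiv_file is a hypothetical name, and reporting + wildcard entries is an extra review aid rather than a requirement of the page.

```python
# Added example: audits one hosts.equiv or .rhosts file against the page's rules.
import os
import stat


def audit_equiv_file(path, owner_uid):
    """Return a list of findings (empty if none) for one file.

    owner_uid is the uid expected to own the file: the account's uid for a
    .rhosts file, 0 for /etc/hosts.equiv.
    """
    findings = []
    try:
        st = os.lstat(path)                   # lstat: do not follow a symlink
    except FileNotFoundError:
        return ["missing: the page recommends the file exist, even if empty"]
    if stat.S_ISLNK(st.st_mode):
        return ["symbolic link: not permitted for .rhosts"]
    if st.st_uid not in (owner_uid, 0):
        findings.append("owner uid %d is neither the user nor the super-user"
                        % st.st_uid)
    if st.st_mode & 0o077:                    # any group or other permission bit
        findings.append("mode %04o grants group/other access"
                        % stat.S_IMODE(st.st_mode))
    with open(path) as fh:
        for n, line in enumerate(fh, 1):
            fields = line.split()
            if not fields or fields[0].startswith('#'):
                continue                      # blank line or comment
            if '+' in fields[:2]:             # wildcard host or user field
                findings.append("line %d: '+' wildcard in entry %r"
                                % (n, line.strip()))
    return findings


if __name__ == "__main__":
    for f in audit_equiv_file(os.path.expanduser("~/.rhosts"), os.getuid()):
        print(f)
```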

DEPENDENCIES

Hosts.equiv is implemented on the Series 300 and 800 only. 

AUTHOR

UCB (University of California at Berkeley)
+, -name, +@netgroup_name, and -@netgroup_name extensions were developed by Sun Microsystems, Inc. 

FILES

/etc/hosts.equiv
$HOME/.rhosts

SEE ALSO

rcp(1), remsh(1), rlogin(1), remshd(1M), rlogind(1M), ruserok(3X), netgroup(4). 

Hewlett-Packard Company  —  May 11, 2021
