hosts.equiv File Format for TCP/IP

Purpose

Specifies remote systems that can execute commands on the local system.

Description

The /etc/hosts.equiv file, along with any local $HOME/.rhosts files, defines the hosts (computers on a network) and user accounts that can invoke remote commands on a local host without supplying a password. A user or host that is not required to supply a password is considered trusted.

When a local host receives a remote command request, the appropriate local daemon first checks the /etc/hosts.equiv file to determine if the request originates with a trusted user or host. For example, if the local host receives a remote login request, the rlogind daemon checks for the existence of a hosts.equiv file on the local host. If the file exists but does not define the host or user, the system checks the appropriate $HOME/.rhosts file. This file is similar to the /etc/hosts.equiv file, except that it is maintained for individual users.

Both files, hosts.equiv and .rhosts must have permissions denying write access to group and other. If either group or other have write access to a file, that file will be ignored.

Do not give write permission to the /etc/hosts.equiv file to group and others. Permissions of the /etc/hosts.equiv file should be set to 600 (read and write by owner only).

If a remote command request is made by the root user, the /etc/hosts.equiv file is ignored and only the /.rhosts file is read.

Note: Be careful when establishing trusted relationships. Networks that use trusted facilities can be less secure than those that do not.

Granting and Denying Trust

You grant trust from a local host to a remote host or remote user. The local machine's /etc/hosts.equiv file contains entries for each trusted host or user. The format of an entry is:

HostName [UserName]

The HostName field specifies the name of the host to trust. The UserName field specifies the name of the user on that remote host to trust. The UserName field is optional.

You can use the + (plus sign) as a wildcard in either the HostName or UserName field to grant trust to all users from a particular host or from all hosts that a specific user has an account on. To grant trust to every user on every machine on the network, place a plus sign (+) at the beginning of the file.

Note: When granting access through the /etc/hosts.equiv file, extreme caution must be used. Lines that include a UserName, either as an individual user, a netgroup, or the + (plus sign used as a wildcard character), permit the qualifying users to access the system as any non-root local user.

You deny a host or user trust by omitting them from the /etc/hosts.equiv file altogether. By omitting the host or user, you imply they are not trusted. This is the most secure way to deny trust. Otherwise, you can explicitly deny trust to a specific host or user by using the - (minus sign). The format to explicitly deny a host is:

-HostName

The format to explicitly deny a specific user from a host is:

HostName [-UserName]

Using NIS with the /etc/hosts.equiv file

If your network uses the Network Information Services (NIS), you can use netgroups in place of either the HostName or UserName field. The system resolves the netgroup depending on which field the netgroup replaces. For example, if you place a netgroup in the HostName field, the system resolves the hosts component of the netgroup. If the netgroup appears in the UserName field, the user component is resolved. Use the following format to grant trust to a netgroup:

+@NetGroup

To deny trust, use the following:

-@NetGroup

Refer to the NIS netgroup file for more information on netgroups.

Ordering Entries in the /etc/hosts.equiv File

The order of entries in the /etc/hosts.equiv file is important. When verifying trust, the system parses the /etc/hosts.equiv file from top to bottom. When it encounters an entry that matches the host or user attempting a remote command, the system stops parsing the file and grants or denies trust based on the entry. Any additional entries that appear later in the file are ignored.

Examples

  1. To allow all the users on remote hosts emerald and amethyst to log in to host diamond, enter:
    emerald
    amethyst
    These entries in diamond's /etc/hosts.equiv file allow all the users on emerald and amethyst with local accounts on diamond to remotely log in without supplying a password.
  2. To allow only the user gregory to remotely login to diamond from host amethyst, enter:
    emerald
    amethyst gregory
    This entry in diamond's /etc/hosts.equiv file forces all the users on amethyst, except for gregory, to supply a password when remotely logging in to diamond.
  3. To grant trust to peter regardless of the host he attempts to execute remote commands from, enter:
    emerald
    amethyst gregory
    + peter
    This entry in diamond's /etc/hosts.equiv file allows peter to execute remote commands on diamond from any host that he has an account on.
  4. To allow all hosts in the century netgroup to execute remote commands on host diamond, enter:
    emerald
    amethyst gregory
    + peter
    +@century
    This entry in diamond's /etc/hosts.equiv file grants trust to all hosts in the century netgroup. This means that any user with an account on a century host and an account on diamond can execute remote commands on diamond without supplying a password.
  5. To allow all the users in the engineers netgroup with accounts on citrine to execute remote commands on host diamond, enter:
    emerald
    amethyst gregory 
    + peter
    +@century
    citrine +@engineers
    This entry in diamond's /etc/hosts.equiv file grants trust to all of netgroup engineers users with an account on citrine.
  6. To grant trust to all users with accounts on hosts in the servers netgroup that are users in the sysadmins netgroup, enter:
    emerald
    amethyst gregory 
    + peter
    +@century
    citrine +@engineers
    +@servers +@sysadmins
    This entry in diamond's /etc/hosts.equiv file grants trust to any user in the sysadmins netgroup who is remotely executing commands from hosts that are in the servers netgroup.
  7. To force an engineers netgroup user lydia who has an account on citrine to use a password while allowing all other engineers users not to, enter:
    emerald
    amethyst gregory 
    + peter
    +@century
    citrine -lydia
    citrine +@engineers
    +@servers +@sysadmins
    This entry in diamond's /etc/hosts.equiv file grants trust to all of netgroup engineers users, except for lydia, who must supply a password. The order of entries is very important. Recall that the system grants trust based on the first entry it encounters. If the order of the entries appeared as follows:
    emerald
    amethyst gregory 
    + peter
    +@century
    citrine +@engineers
    citrine -lydia
    +@servers +@sysadmins
    User lydia, as a member of engineers, would be allowed to execute remote commands on diamond even though a later entry explicitly denies her trust.

Files

Item Description
$HOME/.rhosts Specifies remote users who can use a local-user account.