System-wide list of trusted remote hosts
The /etc/hosts.equiv and ~/.rhosts files provide the "remote authentication" database for the lpd, rcp, rlogin, and rsh commands and the rcmd() function. These files bypass the standard password-based user authentication mechanism. They specify remote hosts and users that are considered trusted (i.e. are allowed to access the local system without supplying a password):
|The file permissions for the ~/.rhosts file must be as
follows or its contents will be ignored:
The ruserok() function sets the effective userid to that of the remote user, but doesn't change the effective group ID. The user must have search permissions for the directories contained in the pathname of an .rhosts file (i.e. if the file resides in /home/user/.rhosts, the user must have search permissions for /home/user/).
The library routine ruserok() (see also rcmd()) performs the remote authentication. It determines whether a particular remote user from a particular remote host is allowed to access the local system as a (possibly different) particular local user:
|The rlogind daemon doesn't allow root to log in without a password. When rsh is specified without command options, rlogind (not rshd) is invoked on the remote side.|
If the remote authentication fails, lpd, rcp and rsh fail, but rlogin falls back to the standard password-based login procedure.
Both files are formatted as a list of one-line entries of the form:
where hostname must be the fully qualified domain name (FQDN) of the host, not one of its aliases.
The entries in these files are either positive, to explicitly allow access without a password, or negative, to deny it. Authentication succeeds as soon as a matching positive entry is found, but fails when a matching negative entry is found, or if no matching entries are found in either file. Therefore, the order of entries is important: if the files contain both matching positive and negative entries, the entry that appears first prevails.
Positive entries take these forms:
You can use the special character "+" as a wild card in place of either hostname or username to match any host or user:
Negative entries have a "-" character preceding either the hostname or username field. For example:
Use extreme caution in /etc/hosts.equiv with positive entries that include a username field (either an individual named user, a netgroup, or "+" sign). Because /etc/hosts.equiv applies system-wide, these entries allow one or a group of remote users to access the system as any local user without providing a password. This can be a security hole.
The file permissions for the ~/.rhosts file must be as follows or its contents will be ignored:
/etc/hosts, lpd, rcp, ~/.rhosts, rlogin, rsh
rcmd() in the Library Reference