## A Guide
## Greg Munker
Two files can have a significant impact on the security of your
system: /etc/hosts.equiv and ~/.rhosts.
### /etc/hosts.equiv
The /etc/hosts.equiv file contains a list of trusted hosts. It is read
by the r* commands, such as rlogin, rcp, and rsh. For more information
about the r* commands, see the second part of this article.
The format of /etc/hosts.equiv is a list of machine names, one per
line. For example:

```
localhost
infected.org
submental
```
It is advisable to use fully qualified domain names; if the domain part
is omitted, TCP/IP appends the local domain to the hostname when
validating the remote system.
### ~/.rhosts
The ~/.rhosts file lives in your home directory and works much like
/etc/hosts.equiv. The file format is the same, with one notable
exception: /etc/hosts.equiv provides equivalence between hosts, while
~/.rhosts provides equivalence between users. The .rhosts file is
appended to the information found in /etc/hosts.equiv when checking
for equivalence. The /etc/hosts.equiv file is NOT used for the root
user; the only file processed in that case is root's .rhosts file.
### User and Host Equivalency
Host equivalency, or trusted host access, is configured by the system
administrator using the /etc/hosts.equiv file.
Every entry in /etc/hosts.equiv is trusted. That is, users on the
named machine can access their equivalent accounts on this machine
without a password. This does not apply to root, as the next example
explains.
### A sample network
Suppose, for example, that you have two machines on your network with
the hostnames infected and submental, and both have a user john. The
user john is currently logged into submental and issues the command:

```
$ rlogin infected
```

If host equivalency is established, john is logged into infected
without being asked for a password. If host equivalency is not
established, john is asked for his password on the remote system
(infected.org).
Keep the following in mind when dealing with /etc/hosts.equiv:
1) It assumes you trust ALL the users on the remote machine.
2) root is NEVER trusted through the use of this file.
There is a second format for the /etc/hosts.equiv file, the .rhosts
format discussed earlier in this article. In this format each entry
lists a system name and a user name. With the user name added, that
user is allowed to log in as any user name found in /etc/passwd.
User equivalence is a mechanism by which the same user is known to all
the machines in the network. This makes the network administrator's
job easier in the long run, and it should be considered for
environments where NFS is used or planned.
To configure user equivalence, the user creates a file called
~/.rhosts. This file must be writable only by its owner; if it is
not, it is ignored for validation purposes. As with /etc/hosts.equiv,
it contains one system name per line, but generally also includes the
name of the user who is being authorized.
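As an added illustration (not part of the original article), here is a small Python model of the equivalence decision described above: hosts.equiv grants same-user access from a trusted host, a "host user" entry grants that remote user any local account, root is never trusted via hosts.equiv, and ~/.rhosts is consulted only when it is writable by its owner alone. The file contents, the hostname devbox and the user greg are constructed for this example.

```python
import stat

# Constructed sample contents (not from the article); hostnames follow its example
# network, with 'devbox' and the user 'greg' added for this example.
HOSTS_EQUIV = """localhost
submental
infected.org greg
"""
RHOSTS_JOHN = "devbox john\n"   # john's ~/.rhosts on the local machine

def parse_equiv(text):
    """Return (host, user_or_None) pairs, one per non-blank line, hosts lower-cased."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if fields:
            entries.append((fields[0].lower(), fields[1] if len(fields) > 1 else None))
    return entries

def rhosts_usable(mode):
    """Article's rule: ~/.rhosts is ignored unless it is writable only by its owner."""
    return not (mode & (stat.S_IWGRP | stat.S_IWOTH))

def _grants(entries, remote_host, remote_user, local_user):
    """A bare host entry trusts same-named accounts; a 'host user' entry trusts
    that remote user whatever the local account name."""
    for host, user in entries:
        if host != remote_host:
            continue
        if user is None and remote_user == local_user:
            return True
        if user is not None and user == remote_user:
            return True
    return False

def password_free(local_user, remote_host, remote_user,
                  hosts_equiv=HOSTS_EQUIV, rhosts="", rhosts_mode=0o600):
    """True if remote_user@remote_host may log in as local_user without a password.
    /etc/hosts.equiv is never consulted for root; ~/.rhosts is appended to it (and
    is the only file checked for root), but only when its permissions are safe."""
    remote_host = remote_host.lower()
    if local_user != "root" and _grants(parse_equiv(hosts_equiv),
                                        remote_host, remote_user, local_user):
        return True
    if not rhosts_usable(rhosts_mode):
        return False
    return _grants(parse_equiv(rhosts), remote_host, remote_user, local_user)
```

For the article's scenario, password_free("john", "submental", "john") returns True, while the same call with local_user "root" returns False because root is checked only against its own .rhosts.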
Good luck with your network,
Greg Munker