Troubleshooting
Problem
Information about trust relationships in Unix and Windows. Trusted relationships allow users to access remote systems without being prompted for a password. Authentication is governed by the /etc/hosts.equiv and .rhosts files.
Resolving The Problem
TRUST RELATIONSHIP FILES
If a person using a userid on one machine tries to execute a program on another machine, then the userid must exist on both machines. If that person does not want to be prompted for a password on the other machine, then a trust relationship must be set up.
The files:
- /etc/hosts.equiv
- .rhosts
specify remote hosts and users that are considered trusted. Trusted remote users are allowed to access the local system using commands like rlogin, rsh, rcp, and rcmd without supplying a password.
The /etc/hosts.equiv file applies to the entire system, while individual users can maintain their own .rhosts files in their home directories.
Attention: These files bypass the standard password-based user authentication mechanism. To maintain system security, care must be taken in creating and maintaining these files.
Note: On Windows systems the hosts.equiv file is located in %WINDOWSDIR%/system32/drivers/etc. Windows does not use the .rhosts file.
FILE ENTRIES
Entries in /etc/hosts.equiv and .rhosts can be of two forms. Positive entries (+) allow access, while negative entries (-) deny access. The authentication succeeds when the first matching positive entry is found. The authentication fails when the first matching negative entry is found, or if no matching entries are found in either file.
Important: The order of entries is critical. If a file contains both positive and negative entries, the entry that appears first will prevail. The rlogin program falls back to the standard password-based login procedure if the remote authentication fails.
Both /etc/hosts.equiv and .rhosts are formatted as a list of one-line entries. Each entry has the form:
- hostname [username]
If only the hostname is specified, all users with the same user name on the remote system may access the local system without being prompted for a password.
Example:
- machine1
If both the hostname and user name are specified, then the named user from the named host can access the system. This form may be used in individual .rhosts files to allow remote users to access the system as a different local user. If this form is used in the /etc/hosts.equiv file, the named remote user is allowed to access the system as any local user.
Example:
- machine1 user1
Special Characters
The special character '+' can be used in place of either hostname or username to match any host or user.

Entry | Result
--- | ---
+ | Allows a user from any remote host to access the system with the same username
+ username | Allows the named user from any remote host to access the system
hostname + | Allows any user from the named host to access the system as the local user

Negative entries can only be used in the /etc/hosts.equiv file. They are preceded by a '-' sign and restrict access.

Entry | Result
--- | ---
-hostname | Disallows all access from the named host
hostname -username | Disallows access by the named user only from the named host
SEARCH SEQUENCE
The remote authentication procedure determines whether a user from a remote host should be allowed to access the local system with the identity of a local user.
The remote authentication procedure:
1. checks the /etc/hosts.equiv file
2. checks the .rhosts file in the home directory of the local user requesting access
Checks are made in the following order for lines within /etc/hosts.equiv:
1. +
2. -hostname
3. hostname
The user is granted access if a positive match occurs. Negative entries apply only to /etc/hosts.equiv and may be overridden by subsequent .rhosts entries.
To help maintain system security, the /etc/hosts.equiv file is not checked when access is being attempted for the superuser.
The .rhosts file
If no positive match occurred in the /etc/hosts.equiv file, the .rhosts file is searched if the user attempting access maintains such a file. As a security feature, the .rhosts file must be owned by the user who is attempting access. Checks are made in the following order for lines within .rhosts:
1. +
2. -hostname
3. hostname
Attention: Positive entries in /etc/hosts.equiv that include a username field (either an individually named user or `+' sign) should be used with extreme caution. The /etc/hosts.equiv file applies system-wide, so these entries could allow one or many remote users to access the system as any local user. This can be a security violation.
Example:
An /etc/hosts.equiv file with only the following lines:
+
-hostxxx
Because '+' entries are checked before '-hostname' entries, the '+' line matches first and the -hostxxx entry never takes effect: every remote user with a matching local username, including users on hostxxx, is granted access without a password.
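The search sequence above and the '+' / '-hostxxx' example, modelled as an added Python illustration (not IBM's or any operating system's real ruserok() code): remote_auth() applies the documented check order to two constructed sample files, and audit() flags the system-wide entries the Attention note warns about, including deny lines that a '+' line shadows. The 'hostname -username' form is an assumption left out of the model.

```python
# Model of the /etc/hosts.equiv and .rhosts search sequence described above.
# Added illustration, not IBM's or any OS's real ruserok() code; sample files
# are constructed and the 'hostname -username' form is not modelled.

# Constructed sample: '+' is checked before '-hostxxx', so hostxxx is never
# actually excluded (the situation the Attention note warns about).
HOSTS_EQUIV = "+\n-hostxxx\n"
RHOSTS = "machine1\nmachine1 user1\n"

def parse(text):
    """Entries as (host_field, user_field or None); blank lines skipped."""
    rows = [line.split() for line in text.splitlines() if line.split()]
    return [(p[0], p[1] if len(p) > 1 else None) for p in rows]

def _user_ok(field, ruser, luser):
    # No username field: names must match; '+' matches any remote user.
    return ruser == luser if field is None else field in ("+", ruser)

def check_file(entries, rhost, ruser, luser, negatives):
    """Documented order: 1. '+'  2. '-hostname'  3. 'hostname'.
    Returns True (positive match), False (negative match) or None."""
    for step in ("+", "-", "host"):
        for host, user in entries:
            if step == "+" and host == "+" and _user_ok(user, ruser, luser):
                return True
            if step == "-" and negatives and host == "-" + rhost:
                return False
            if step == "host" and host == rhost and _user_ok(user, ruser, luser):
                return True
    return None

def remote_auth(hosts_equiv, rhosts, rhost, ruser, luser):
    """True if ruser@rhost may access local account luser without a password."""
    # /etc/hosts.equiv is not consulted when the target is the superuser.
    if luser != "root" and check_file(parse(hosts_equiv), rhost, ruser, luser, True):
        return True
    # No positive match: fall through to .rhosts, where negatives are ignored.
    return check_file(parse(rhosts), rhost, ruser, luser, False) is True

def audit(hosts_equiv):
    """Flag any-host/any-user entries and '-hostname' lines shadowed by a '+'."""
    entries = parse(hosts_equiv)
    has_plus = any(host == "+" for host, _ in entries)
    findings = []
    for host, user in entries:
        entry = host if user is None else f"{host} {user}"
        if host == "+" or user == "+":
            findings.append(f"'{entry}' grants access from any host or to any user")
        elif host.startswith("-") and has_plus:
            findings.append(f"'{entry}' is shadowed: '+' lines are checked first")
    return findings
```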
COMMON PROBLEMS
Problem: User cannot connect without supplying password, but hostname entry appears correct in the hosts.equiv and/or .rhosts file
Solution: Use fully qualified hostname.
Example:
- hostname.company.com
Document Information
Modified date: 16 June 2018
UID: swg21160933