IBM Support

Trust relationships in Unix and Windows

Troubleshooting


Problem

Information about trust relationships in Unix and Windows. Trusted relationships allow users to access remote systems without being prompted for a password. Authentication is governed by the /etc/hosts.equiv and .rhosts files.

Resolving The Problem


TRUST RELATIONSHIP FILES

If a person using a userid on one machine tries to execute a program on another machine then the userid must exist on both machines. If that person does not want to be prompted for a password on the other machine, then setting up a trust relationship is needed.

The files:

    • /etc/hosts.equiv
    • .rhosts

specify remote hosts and users that are considered trusted. Trusted remote users are allowed to access the local system using commands like rlogin, rsh, rcp, and rcmd without supplying a password.

The /etc/hosts.equiv file applies to the entire system, while individual users can maintain their own .rhosts files in their home directories.

Attention: These files bypass the standard password based user authentication mechanism. To maintain system security, care must be taken in creating and maintaining these files.

Note: The hosts.equiv on Windows systems is located
in %WINDOWSDIR%/system32/drivers/etc.
Windows does not use the .rhosts file.


FILE ENTRIES

Entries in /etc/hosts.equiv and .rhosts can be of two forms. Positive entries (+) allow access, while negative entries (-) deny access. The authentication succeeds when the first matching positive entry is found. The authentication fails when the first matching negative entry is found, or if no matching entries are found in either file.

Important: The order of entries is critical. If a file contains both positive and negative entries, the entry that appears first will prevail. The rlogin program falls back to the standard password-based login procedure if the remote authentication fails.

Both /etc/hosts.equiv and .rhosts are formatted as a list of one-line entries. Each entry has the form:
    hostname [username]
Hostname Only Entries
If only the hostname is specified, all users with the same user name on the remote system may access the local system without being prompted for a password.

Example:
    machine1

Hostname and Userid Entries
If both the hostname and user name are specified, then the named user from the named host can access the system. This form may be used in individual .rhosts files to allow remote users to access the system as a different local user. If this form is used in the /etc/hosts.equiv file, the named remote user is allowed to access the system as any local user.

Example:
    machine1  user1


Special Characters
The special character `+' can be used in place of either hostname or username to match any host or user.

Entry
Result
+
Allows a user from any remote host to access the system with the same username
+ username
Allows the named user from any remote host to access the system
hostname +
Allows any user from the named host to access the system as the local user

Negative entries can only be used in the /etc/hosts.equiv file. They are preceded by a `-' sign and restrict access.

Entry
Result
-hostname
Disallow all access from the named host
hostname -username
Disallows access by the named user only from the named host



SEARCH SEQUENCE

The remote authentication procedure determines whether a user from a remote host should be allowed to access the local system with the identity of a local user.
The remote authentication procedure:
    1. checks the /etc/hosts.equiv file
    2. checks the .rhosts file in the home directory of the local user requesting access
The /etc/hosts.equiv file
Checks are made in the following order for lines within /etc/hosts.equiv:
    1. +
    2. -hostname
    3. hostname

The user is granted access if a positive match occurs. Negative entries apply only to /etc/hosts.equiv and may be overridden by subsequent .rhosts entries.

To help maintain system security, the /etc/hosts.equiv file is not checked when access is being attempted for superuser.

The .rhosts file
If no positive match occurred in the /etc/hosts.equiv file, the .rhosts file is searched if the user attempting access maintains such a file. As a security feature, the .rhosts file must be owned by the user who is attempting access. Checks are made in the following order for lines within .rhosts:
    1. +
    2. -hostname
    3. hostname
The .rhosts file is checked even when access is being attempted for superuser.

Attention: Positive entries in /etc/hosts.equiv that include a username field (either an individually named user or `+' sign) should be used with extreme caution. The /etc/hosts.equiv file applies system-wide, so these entries could allow one or many remote users to access the system as any local user. This can be a security violation.

Example:
An /etc/hosts.equiv file with only the following lines:

+
-hostxxx
    will not deny access to "hostxxx" because of the search sequence


    COMMON PROBLEMS
    Problem: User cannot connect without supplying password, but hostname entry appears correct in the hosts.equiv and/or .rhosts file
    Solution: Use fully qualified hostname.

    Example:
      hostname.company.com

    [{"Product":{"code":"SSGU8G","label":"Informix Servers"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Component":"Not Applicable","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"}],"Version":"10.0;11.5;9.4;11.7","Edition":"","Line of Business":{"code":"","label":""}}]

    Document Information

    Modified date:
    16 June 2018

    UID

    swg21160933