pam_rhosts_auth Module

Purpose

Provides rhosts-based authentication for PAM.

Description

The pam_rhosts_auth module provides rhost authentication services similar to the rlogin, rsh, and rcp commands. The module queries the PAM handle for the remote user name, remote host, and the local user name. This information is then compared to the rules in /etc/hosts.equiv and $HOME/.rhosts.

For a typical user, the module first checks /etc/hosts.equiv. If a match is not found for the username and hostname, the module will continue on to check the $HOME/.rhosts file. If a username and hostname match is still not found, the module returns the PAM_AUTH_ERR failure code. Otherwise, the result depends on the first rule found matching the specified username and hostname.

When authenticating to the root user (user with the UID of 0), the first check of the /etc/hosts.equiv file is skipped. Success of the rhosts authentication is based solely on the contents of the root user's $HOME/.rhosts file.
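The lookup order described above can be modeled in a few lines to check what a given pair of files would permit. This is an added example, not the module's implementation or code from the original page; the function names and sample file contents are constructed. It assumes the usual `host [user]` entry syntax with `+` as a wildcard and a leading `-` as a deny rule, and it ignores netgroups and host name resolution.

```python
PAM_SUCCESS, PAM_AUTH_ERR = "PAM_SUCCESS", "PAM_AUTH_ERR"

# Constructed sample files (assumed syntax: "host [user]", "+" wildcard, "-" deny).
HOSTS_EQUIV = "-build01 mallory\nbuild01\n+ backup\n"
ALICE_RHOSTS = "jump01 alice\n"
ROOT_RHOSTS = "admin01 root\n"


def first_match(text, rhost, ruser, luser):
    """Return True (allow), False (deny) or None (no rule matched)."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # assumed comment marker
            continue
        fields = line.split()
        host = fields[0]
        # Assumed: with no user field, the remote name must equal the local one.
        user = fields[1] if len(fields) > 1 else luser
        deny = host.startswith("-") or user.startswith("-")
        host, user = host.lstrip("-"), user.lstrip("-")
        if host.startswith(("+@", "@")) or user.startswith(("+@", "@")):
            continue  # netgroup entries are outside this model
        host_ok = host == "+" or host.lower() == rhost.lower()
        user_ok = user == "+" or user == ruser
        if host_ok and user_ok:
            return not deny  # the first matching rule decides
    return None


def rhosts_auth(rhost, ruser, luser, uid, hosts_equiv, rhosts):
    """Apply the file order the page describes; return a PAM result name."""
    # Root (UID 0) skips /etc/hosts.equiv; only its own .rhosts counts.
    files = [rhosts] if uid == 0 else [hosts_equiv, rhosts]
    for text in files:
        verdict = first_match(text, rhost, ruser, luser)
        if verdict is not None:
            return PAM_SUCCESS if verdict else PAM_AUTH_ERR
    return PAM_AUTH_ERR  # no rule matched in any file


if __name__ == "__main__":
    for rhost, ruser in [("build01", "alice"), ("build01", "mallory"),
                         ("jump01", "alice"), ("anyhost", "backup")]:
        result = rhosts_auth(rhost, ruser, "alice", 1001, HOSTS_EQUIV, ALICE_RHOSTS)
        print(f"{ruser}@{rhost} -> alice: {result}")
```

The `+ backup` line in the sample hosts.equiv is the kind of entry an audit should flag: it matches the remote user `backup` from any host for every non-root local account.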

This module requires that a PAM application, before making the call to pam_authenticate, call pam_set_item and at least set the values of PAM_RHOST and PAM_RUSER. If the PAM_USER item is not set, the module will prompt for the user name through the conversation function provided in the PAM handle.

A further description of how rhosts authentication works can be found in the documentation for the ruserok() subroutine. The syntax of the rhosts configuration files is described in the documentation for the $HOME/.rhosts and /etc/hosts.equiv files.

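For expected behavior, pam_rhosts_auth should be used as one of the first authentication modules in the stack and designated as sufficient, so that a successful rhosts match completes authentication and a failure falls through to the next module in the stack:

#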
# PAM authentication stack for typical rlogin behavior.
#
rlogin auth sufficient /usr/lib/security/pam_rhosts_auth
rlogin auth required   /usr/lib/security/pam_aix

Supported PAM module types

Authentication
Authenticates a user through rhost-based authentication.

Options

The pam_rhosts_auth module accepts the following parameters specified as options in the PAM configuration file:
Item      Description
debug     Log debugging information to syslog.
nowarn    Do not display warning messages.

Return Values

Upon successful completion, PAM_SUCCESS is returned. If a failure occurs, a PAM error code is returned, depending on the actual error.

Location

/usr/lib/security/pam_rhosts_auth