~/.rhosts

trusted remote users

Name:

~/.rhosts

Description:

The ~/.rhosts file provides the ``remote authentication'' database for lpd, rlogin, rsh, rcp, and rcmd(). The file specifies remote hosts and users that are considered trusted. Trusted users are allowed to access the local system without supplying a password. The library routine ruserok() (see also rcmd()) performs the authentication procedure for programs by using the /etc/hosts.equiv and ~/.rhosts files. The /etc/hosts.equiv file applies to the entire system, while individual users can maintain their own ~/.rhosts files in their home directories.

This file bypasses the standard password-based user authentication mechanism. To maintain system security, care must be taken in creating and maintaining this file.

The remote authentication procedure determines whether a particular remote user from a particular remote host should be allowed to access the local system as a (possibly different) particular local user. This procedure first checks the /etc/hosts.equiv file and then checks the ~/.rhosts file in the home directory of the local user attempting access. Entries in these files can be of two forms:

The authentication succeeds as soon as a matching positive entry is found. The procedure fails when a matching negative entry is found, or if no matching entries are found in either file. The order of entries, therefore, can be important: If the files contain both matching positive and negative entries, the entry that appears first will prevail. The rsh and rcp programs fail if the remote authentication procedure fails. The rlogin program falls back to the standard password-based login procedure if the remote authentication fails.

Both files are formatted as a list of one-line entries. Each entry has the form:

hostname [username]

Negative entries are differentiated from positive entries by a ``-'' character preceding either the hostname or username field.

Positive Entries

Users from the named host are trusted if this form is used:

hostname

They may access the system with the same user name as they have on the remote system. This form may be used in both the /etc/hosts.equiv and ~/.rhosts files.

If the line is in the form:

hostname username

then the named user from the named host can access the system. This form may be used in individual /.rhosts files to allow remote users to access the system as a different local user. If this form is used in the /etc/hosts.equiv file, the named remote user will be allowed to access the system as any local user.

The special character ``+'' can be used in place of either hostname or username to match any host or user. For example, the entry:

+

allows a user from any remote host to access the system with the same username. The entry:

+ username

allows the named user from any remote host to access the system. The entry:

hostname +

allows any user from the named host to access the system as the local user.

Negative Entries

Negative entries are preceded by a ``-'' sign. The form:

-hostname

disallows all access from the named host.

Caveats:

Hostnames in /etc/hosts.equiv and ~/.rhosts files must be the ``official'' name of the host, not one of its nicknames.

Root access is handled as a special case. Only the /.rhosts file is checked when the access is being attempted for root. To help maintain system security, the /etc/hosts.equiv file isn't checked.

As a security feature, the ~/.rhosts file must be owned by the user attempting access.

Positive entries in /etc/hosts.equiv that include a username field (either an individual named user, a netgroup, or ``+'' sign) should be used only with extreme caution. Because /etc/hosts.equiv applies system-wide, these entries allow one or a group of remote users to access the system as any local user. This can be the source of a security hole.

See also:

/etc/hosts file, /etc/hosts.equiv file, rcmd(), rcp, rlogin, rsh