Subject: bin/1558: No hosts.equiv(4) man page
To: None <gnats-bugs@gnats.netbsd.org>
From: None <Mark_Weaver@brown.edu>
List: netbsd-bugs
Date: 10/01/1995 06:13:17
>Number:         1558
>Category:       bin
>Synopsis:       No hosts.equiv(4) man page
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    bin-bug-people (Utility Bug People)
>State:          open
>Class:          doc-bug
>Submitter-Id:   mhw
>Arrival-Date:   Mon Oct  2 15:50:24 1995
>Last-Modified:
>Originator:     Mark Weaver
>Organization:
Brown University Department of Computer Science
>Release:        NetBSD-current 9/30/95
>Environment:

>Description:
There's no hosts.equiv(4) man page.  Included is one I got from Solaris,
but it looks unencumbered.

>How-To-Repeat:

>Fix:

diff -u  /dev/null src/share/man/man4/hosts.equiv.4
--- /dev/null	Wed Sep 27 22:56:27 1995
+++ src/share/man/man4/hosts.equiv.4	Thu Sep 21 15:22:01 1995
@@ -0,0 +1,253 @@
+.\" @(#)hosts.equiv.4 1.22 93/09/15 SMI; from UCB 4.2
+.TH hosts.equiv 4 "17 Jan 1992"
+.SH NAME
+hosts.equiv, .rhosts \- trusted remote hosts and users
+.SH DESCRIPTION
+.IX  "hosts.equiv file"  ""  "\fLhosts.equiv\fP \(em trusted hosts list"
+.IX  "remote authentication for hosts and users" "" "remote authentication for hosts and users \(em \fLhosts.equiv, .rhosts\fP"
+.LP
+The 
+.B /etc/hosts.equiv
+and
+.B \&.rhosts
+files provide the ``remote authentication'' database for
+.BR rlogin (1),
+.BR rsh (1),
+.BR rcp (1),
+and
+.BR rcmd (3N).
+The files specify remote hosts and users
+that are considered 
+.IR trusted .
+Trusted users are allowed to access the local system
+\f2without supplying a password.\f1
+The library routine
+.B ruserok(\|)
+(see
+.BR rcmd (3N))
+performs the authentication procedure for programs by using the
+.B /etc/hosts.equiv
+and
+.B \&.rhosts
+files.
+The 
+.B /etc/hosts.equiv
+file applies to the entire system,
+while individual users can maintain their own
+.B \&.rhosts
+files in their home directories.
+.LP
+These files 
+.I bypass
+the standard password-based user authentication mechanism.
+To maintain system security,
+care must be taken in creating and maintaining these files.
+.LP
+The remote authentication procedure determines whether
+a user from a remote host should be
+allowed to access the local system with the identity of a
+local user.
+This procedure first checks the
+.B /etc/hosts.equiv
+file and then checks the
+.B \&.rhosts
+file in the home directory of the local user who is requesting access.
+Entries in these files can be of two forms.
+.I Positive 
+entries  
+.I allow
+access, while 
+.I negative
+entries
+.I deny
+access.
+The authentication succeeds when a matching positive entry is found.
+The procedure fails when the first matching negative entry is found, or if no
+matching entries are found in either file.
+Thus, the order of entries is important;
+If the files contain positive and negative entries,
+the entry that appears first will prevail.
+The
+.BR rsh (1)
+and
+.BR rcp (1)
+programs fail if the remote authentication procedure fails.
+The
+.B rlogin 
+program falls back
+to the standard password-based login procedure if the
+remote authentication fails.
+.LP
+Both files are formatted as
+a list of one-line entries.  Each entry has the form:
+.IP
+.IR hostname " [" username "] "
+.LP
+Negative entries are differentiated from positive
+entries by a `\-' character preceding either the 
+.I hostname
+or
+.I username
+field.
+.SS Positive Entries
+.LP
+If the form:
+.IP
+.I hostname 
+.LP
+is used, then users from the named host are trusted.
+That is, they may access the system with the same user name
+as they have on the remote system.
+This form may be used in both the 
+.B /etc/hosts.equiv
+and
+.B \&.rhosts
+files.
+.LP
+If the line is in the form:
+.IP
+.I hostname username
+.LP
+then the named user from the named host can access the system.
+This form may be used in individual
+.B \&.rhosts
+files to allow 
+remote users to access the system
+.IR "as a different local user" .
+If this form is used in the
+.B /etc/hosts.equiv
+file, the named remote user will be allowed to access the system as 
+.I any 
+local user.
+.LP
+.BR netgroup (4)
+can be used in either the 
+.I hostname
+or
+.I username
+fields to match a number of hosts or users in one entry.
+The form:
+.IP
+.BI +@ netgroup
+.LP
+allows access from all hosts in the named netgroup.
+When used in the
+.I username
+field,
+netgroups allow a group of remote users to access the system
+as a particular local user.  The form:
+.IP
+.I hostname
+.BI +@ netgroup
+.LP
+allows all of the users in the named netgroup from the named host to
+access the system as the local user.
+The form:
+.IP
+.BI +@ netgroup1
+.BI +@ netgroup2
+.LP
+allows the users in
+.I netgroup2
+from the hosts in
+.I netgroup1
+to access the system as the local user.
+.LP
+The special character `+' can be used in place of either
+.I hostname
+or
+.I username
+to match any host or user.
+For example, the entry
+.IP
+.B +
+.LP
+will allow a user from any remote host to access the system
+with the same username.
+The entry
+.IP
+.B +
+.I username
+.LP
+will allow the named user from any remote host to access the
+system.
+The entry
+.IP
+.I hostname
+.B +
+.LP
+will allow any user from the named host to access the system
+as the local user.
+.SS Negative Entries
+.LP
+Negative entries are preceded by a `/-' sign.
+The form:
+.IP
+.BI \- hostname
+.LP
+will disallow all access from the named host.
+The form:
+.IP
+.BI \-@ netgroup
+.LP
+means that access is explicitly disallowed from all hosts in the
+named netgroup.
+The form:
+.IP
+.I hostname 
+.BI \- username
+.LP
+disallows access by the named user only from the named host,
+while the form:
+.IP
+.B +
+.BI \-@ netgroup
+.LP
+will disallow access by all of the users in the named netgroup from all hosts.
+.SH FILES
+.PD 0
+.TP 20
+.B /etc/hosts.equiv
+.TP
+.B ~/.rhosts
+.PD
+.SH "SEE ALSO"
+.BR rcp (1),
+.BR rlogin (1),
+.BR rsh (1),
+.BR rcmd (3N),
+.BR hosts (4),
+.BR netgroup (4),
+.BR passwd (4)
+.SH NOTES
+.LP
+Hostnames in
+.B /etc/hosts.equiv
+and
+.B \&.rhosts
+files must be the official name of the host, not one of its
+nicknames.
+.LP
+Root access is handled as a special case.  Only the
+.B \&.rhosts
+file is checked when access is being attempted for root.
+To help maintain system security, the
+.B /etc/hosts.equiv
+file is not checked.
+.LP
+As a security feature, the
+.B \&.rhosts
+file must be owned by the user who is attempting access.
+.LP
+Positive entries in
+.B /etc/hosts.equiv
+that include a
+.I username
+field (either an individual named user, a netgroup, or `\f4+\fP' sign) 
+should be used with extreme caution.
+Because 
+.B /etc/hosts.equiv
+applies system-wide, these entries 
+allow one, or a group of, remote users to access the system
+.IR "as any local user" .
+This can be a security hole.
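Review bot: the page is filed under share/man/man4 with `.TH hosts.equiv 4` and cross-references `rcmd (3N)`, `hosts (4)`, `netgroup (4)` and `passwd (4)`, which is Solaris section numbering; on NetBSD file formats live in section 5 and the library routine is rcmd(3), so this should be installed as man5/hosts.equiv.5 and the SEE ALSO line changed to `.BR rcmd (3)`, `.BR hosts (5)`, `.BR netgroup (5)` and `.BR passwd (5)` (the synopsis of the PR itself should then say hosts.equiv(5)). In the Negative Entries subsection, "preceded by a `/-' sign" is a typo for "`\-'" and contradicts the earlier sentence that a `\-' prefix marks a negative entry. The `.IX` index macros, the `\f2`/`\f4` font escapes and the `.TH`/`.SH`/`.LP` man(7) macros are SunOS conventions; the rest of share/man uses mdoc (`.Dd`, `.Dt`, `.Sh`), so the page wants converting before commit, and the first line's `SMI` SCCS id means the licence status should be confirmed rather than assumed from "looks unencumbered". Finally, the behaviour this text describes is Solaris's ruserok(): the first-match-wins ordering rule, the root special case and the NOTES statement that only ownership of `.rhosts` is checked all need to be verified against lib/libc/net/rcmd.c, since documenting a more permissive check than the one the code performs (or omitting a stricter one, such as rejecting a `.rhosts` writable by other users) would mislead exactly the administrators this page warns to be careful.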
>Audit-Trail:
>Unformatted: