.rhosts vs. hosts.equiv

Dean Riddlebarger dean at truevision.com
Fri Jan 11 02:30:14 AEST 1991


In article <TsNiV1w163w at wvus.wciu.edu> pete at wvus.wciu.edu (Pete Gregory) writes:
>Hi -
>
>Could someone please describe for me the differences between what $HOME/.rhosts
>and /etc/hosts.equiv do for me, with regards to ftp, telnet, rlogin, rsh
>access from one system to another?

The short answer:  The hosts.equiv file establishes a more loose level
of network security when users wish to use rlogin etc. to move amongst
various servers on a network.  The most obvious manifestation of this
is found when using rlogin.  If server foo appears in the hosts.equiv
file of server bar, and user jdoe has an account on both systems, then
he/she will not be prompted for password input when using rlogin from
foo to bar.  This holds for all users with accounts on both systems, but
does not hold true for root.  Relaxed security for root with respect
to the networking utilities is handled by the /.rhosts file.  This
scheme allows you to let general users have relaxed access through
the hosts.equiv file while keeping tighter control at the root
level if you so desire.

Of course, using any of these files for relaxed access is potentially
dangerous.  You should really make sure that your network has minimal
or no external access, and you must also be very careful about
unattended terminals etc.  Of special note is the case in which pcs
using DOS-based TCP/IP utilities are connected to a network in which
the servers make heavy use of a hosts.equiv scheme.  If you assume
that jdoe, moving from foo to bar, has already been required to give
a password for access to foo, then your security is at least fair.
But a good number of people do not equip their DOS boxes with
password protection or terminal locking schemes.  And if they use,
say, the rlogin provided with PC/TCP, and the servers have very
liberal hosts.equiv files, then anyone who can turn the DOS machine
on and recognize the presence of rlogin can stage a run on their
server accounts.....


-- 
<:>   Dean Riddlebarger                               "The bus came by   <:>
<:>   Truevision, Inc.                                  and I got on,    <:>
<:>   [317] 841-0332                                   That's when it    <:>
<:>   dean at truevision.com      uunet!epicb!dean         all began."      <:>
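The trust rules Dean lays out (a host in hosts.equiv grants password-less rlogin to every user who has the same account name on both systems, except root, whose trust comes only from /.rhosts) are easier to reason about as code. What follows is an added example, not part of the original post and not the actual BSD ruserok() routine: it is a simplified model that reads hosts.equiv and .rhosts contents from strings, decides whether a given remote (host, user) pair reaches a local account without a password, and flags the "liberal" entries the post warns about. The file contents, host names and account names are constructed for the example; netgroup (@group) entries and other vendor-specific syntax are deliberately left out.

```python
"""Simplified model of the BSD r-command trust decision (added example).

Assumptions (not from the original post):
  * an entry is "host" or "host user"; "+" in either position is a wildcard
  * a bare "host" entry trusts a remote user only under the same local name
  * "host user" in hosts.equiv lets that remote user become any local
    user except root; in ~/.rhosts it lets them become that file's owner
No real files are read: every input below is an in-memory string.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Entry:
    host: str            # hostname, or "+" meaning any host
    user: Optional[str]  # None = same username on both sides; "+" = any user


def parse_entries(text: str) -> List[Entry]:
    """Parse hosts.equiv / .rhosts style lines, ignoring blanks and comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        entries.append(Entry(fields[0], fields[1] if len(fields) > 1 else None))
    return entries


def _matches(e: Entry, remote_host: str, remote_user: str, local_user: str) -> bool:
    host_ok = e.host == "+" or e.host.lower() == remote_host.lower()
    if e.user is None:
        user_ok = remote_user == local_user   # same account name on both systems
    else:
        user_ok = e.user == "+" or e.user == remote_user
    return host_ok and user_ok


def passwordless(remote_host: str, remote_user: str, local_user: str,
                 hosts_equiv: str, target_rhosts: str) -> Optional[str]:
    """Return which file grants password-less access, or None if neither does.

    hosts_equiv   -- contents of /etc/hosts.equiv on the target system
    target_rhosts -- contents of the target account's own .rhosts
                     (for local_user == "root" that is /.rhosts)
    """
    # hosts.equiv is never consulted for root, exactly as the post describes:
    # relaxed root access has to be granted explicitly in /.rhosts
    if local_user != "root":
        for e in parse_entries(hosts_equiv):
            if _matches(e, remote_host, remote_user, local_user):
                return "hosts.equiv"
    for e in parse_entries(target_rhosts):
        if _matches(e, remote_host, remote_user, local_user):
            return ".rhosts"
    return None


def audit(text: str, label: str) -> List[str]:
    """Flag the kinds of entries that make a trust file 'very liberal'."""
    findings = []
    for e in parse_entries(text):
        if e.host == "+":
            findings.append(f"{label}: '+' host entry trusts every host on the network")
        if e.user == "+":
            findings.append(f"{label}: '+' user entry trusts every remote account")
        elif e.user is not None and label == "hosts.equiv":
            findings.append(f"{label}: '{e.host} {e.user}' lets {e.user}@{e.host} "
                            f"log in as any non-root local user")
    return findings


if __name__ == "__main__":
    # Constructed sample: server bar trusts server foo in hosts.equiv,
    # and root on bar trusts root on foo via /.rhosts
    BAR_HOSTS_EQUIV = "foo\n"
    BAR_ROOT_RHOSTS = "foo\n"
    print(passwordless("foo", "jdoe", "jdoe", BAR_HOSTS_EQUIV, ""))            # hosts.equiv
    print(passwordless("foo", "jdoe", "root", BAR_HOSTS_EQUIV, ""))            # None
    print(passwordless("foo", "root", "root", BAR_HOSTS_EQUIV, BAR_ROOT_RHOSTS))  # .rhosts
    for f in audit("+ +\n", ".rhosts") + audit("foo jdoe\n", "hosts.equiv"):
        print("finding:", f)
```

The two audit findings on `+` entries are the concrete form of "very liberal" trust files: a `+` host wildcard means every machine that can reach the server, including an unlocked DOS box with PC/TCP, is treated as trusted, and a `+` user wildcard drops even the same-account-name requirement.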
