Path: utzoo!utgpu!news-server.csri.toronto.edu!rutgers!cs.utexas.edu!samsung!uunet!epicb!dean
From: dean@truevision.com (Dean Riddlebarger)
Newsgroups: comp.unix.admin
Subject: Re: .rhosts vs. hosts.equiv
Summary: Special file for root permissions...
Keywords: .rhosts vs. hosts.equiv
Message-ID: <1991Jan10.153014.1369@truevision.com>
Date: 10 Jan 91 15:30:14 GMT
References:
Distribution: usa
Organization: Truevision Inc., Indianapolis, IN
Lines: 41

In article pete@wvus.wciu.edu (Pete Gregory) writes:
>Hi -
>
>Could someone please describe for me the differences between what $HOME/.rhosts
>and /etc/hosts.equiv do for me, with regards to ftp, telnet, rlogin, resh
>access from one system to another?

The short answer:

The hosts.equiv file establishes a more loose level of network security
when users wish to use rlogin etc. to move amongst various servers on a
network. The most obvious manifestation of this is found when using
rlogin. If server foo appears in the hosts.equiv file of server bar, and
user jdoe has an account on both systems, then he/she will not be
prompted for password input when using rlogin from foo to bar. This holds
for all users with accounts on both systems, but does not hold true for
root.

Relaxed security for root with respect to the networking utilities is
handled by the /.rhosts file. This scheme allows you to let general users
have relaxed access through the hosts.equiv file while keeping tighter
control at the root level if you so desire.

Of course, using any of these files for relaxed access is potentially
dangerous. You should really make sure that your network has minimal or
no external access, and you must also be very careful about unattended
terminals etc.

Of special note is the case in which PCs using DOS-based TCP/IP utilities
are connected to a network in which the servers make heavy use of a
hosts.equiv scheme. If you assume that jdoe, moving from foo to bar, has
already been required to give a password for access to foo, then your
security is at least fair. But a good number of people do not equip their
DOS boxes with password protection or terminal locking schemes. And if
they use, say, the rlogin provided with PC/TCP, and the servers have very
liberal hosts.equiv files, then anyone who can turn the DOS machine on and
recognize the presence of rlogin can stage a run on their server
accounts.....

--
<:> Dean Riddlebarger                     "The bus came by   <:>
<:> Truevision, Inc.                       and I got on,     <:>
<:> [317] 841-0332                         That's when it    <:>
<:> dean@truevision.com uunet!epicb!dean   all began."       <:>
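The post above describes /etc/hosts.equiv (relaxed, passwordless rlogin for ordinary users from listed hosts) and root's /.rhosts (the same relaxation for root, kept separate), and warns that liberal entries are dangerous. The script below is an added example, not code from the post or from any vendor's rlogin implementation: it parses the `hostname [username]` line format shared by both files and flags the entries an administrator would want to review. The sample file contents, the host names (foo, baz.example.com, evil.example.com) and the trusted-host list are constructed for the example; treating `#` lines as comments is an assumption, since comment support varies between systems.

```python
"""Audit rlogin/rsh trust files (/etc/hosts.equiv and .rhosts) for entries
that weaken password-based control.  Added example, not from the post."""
import os
import stat
from typing import List, Optional, Set, Tuple

# Constructed sample /etc/hosts.equiv: host foo, user jdoe from baz,
# a '+' wildcard, and an explicit denial (hypothetical hosts).
SAMPLE_HOSTS_EQUIV = """\
foo
baz.example.com jdoe
+
-evil.example.com
"""

# Constructed sample root /.rhosts: trusts root on foo, and root on any host.
SAMPLE_ROOT_RHOSTS = """\
foo root
+ root
"""

Entry = Tuple[int, str, Optional[str]]  # (line number, host field, user field)


def parse_trust_file(text: str) -> List[Entry]:
    """Parse 'hostname [username]' lines; skip blanks and '#' lines
    (comment handling is an assumption; it differs between systems)."""
    entries: List[Entry] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        user = fields[1] if len(fields) > 1 else None
        entries.append((line_no, fields[0], user))
    return entries


def audit_trust_file(text: str, trusted_hosts: Set[str],
                     equiv: bool, root: bool) -> List[Tuple[int, str]]:
    """Return (line_no, reason) findings.

    equiv=True  -> the text is /etc/hosts.equiv (applies to all non-root users)
    root=True   -> the text is root's .rhosts (every entry means passwordless root)
    """
    findings: List[Tuple[int, str]] = []
    for line_no, host, user in parse_trust_file(text):
        if host.startswith("-"):
            continue  # explicit denial: harmless
        if host == "+":
            findings.append((line_no, "'+' trusts every host on the network"))
        elif host.startswith("+@"):
            findings.append((line_no, f"netgroup wildcard {host}: review its membership"))
        elif host not in trusted_hosts:
            findings.append((line_no, f"host {host} is not in the trusted list"))
        if user == "+":
            findings.append((line_no, "'+' in the user field trusts every remote user"))
        elif user is not None and equiv:
            # In hosts.equiv a named remote user is trusted as local accounts
            # other than their own; in a personal .rhosts it only maps to that user.
            findings.append((line_no, f"user field {user} in hosts.equiv grants access to other local accounts"))
        if root:
            findings.append((line_no, f"root .rhosts entry: passwordless root login from {host}"))
    return findings


def check_trust_file_mode(path: str) -> List[str]:
    """Flag a trust file that someone other than its owner could rewrite."""
    problems: List[str] = []
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        problems.append(f"{path} is a symbolic link")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append(f"{path} is group- or world-writable")
    return problems


if __name__ == "__main__":
    trusted = {"foo", "baz.example.com"}  # constructed local allowlist
    for name, text, equiv, root in [
        ("/etc/hosts.equiv", SAMPLE_HOSTS_EQUIV, True, False),
        ("/.rhosts", SAMPLE_ROOT_RHOSTS, False, True),
    ]:
        for line_no, reason in audit_trust_file(text, trusted, equiv=equiv, root=root):
            print(f"{name}:{line_no}: {reason}")
```

Run against the real files, the same functions take the file contents and path; the trusted-host set is the only site-specific input, and the mode check covers the "unattended terminal" concern from the other side: a trust file that anyone on the machine can edit is as bad as a liberal one.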