From: tedu Date: Sat, 19 Apr 2014 18:39:51 +0000 (+0000) Subject: stop talking about hosts.equiv X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=a4183261574c2fb21af93c90493b262df44be4d6;p=openbsd stop talking about hosts.equiv --- diff --git a/share/man/man5/Makefile b/share/man/man5/Makefile index 1ceb6e0c234..b7818444692 100644 --- a/share/man/man5/Makefile +++ b/share/man/man5/Makefile @@ -1,11 +1,11 @@ -# $OpenBSD: Makefile,v 1.49 2014/03/19 21:10:27 tedu Exp $ +# $OpenBSD: Makefile,v 1.50 2014/04/19 18:39:51 tedu Exp $ # $NetBSD: Makefile,v 1.14 1995/05/11 23:13:15 cgd Exp $ MAN= acct.5 ar.5 bsd.port.mk.5 bsd.port.arch.mk.5 bsd.regress.mk.5 \ changelist.5 core.5 \ defaultdomain.5 dir.5 disktab.5 elf.5 ethers.5 fbtab.5 files.conf.5 \ fs.5 fstab.5 genassym.cf.5 group.5 hostname.if.5 \ - hosts.equiv.5 hosts.5 intro.5 login.conf.5 mixerctl.conf.5 \ + hosts.5 intro.5 login.conf.5 mixerctl.conf.5 \ mk.conf.5 moduli.5 motd.5 myname.5 netgroup.5 networks.5 passwd.5 \ pf.conf.5 pf.os.5 port-modules.5 printcap.5 protocols.5 \ ranlib.5 remote.5 resolv.conf.5 rpc.5 ruby-module.5 \ @@ -13,7 +13,6 @@ MAN= acct.5 ar.5 bsd.port.mk.5 bsd.port.arch.mk.5 bsd.regress.mk.5 \ spamd.conf.5 sysctl.conf.5 utmp.5 wsconsctl.conf.5 MLINKS= dir.5 dirent.5 fs.5 inode.5 utmp.5 wtmp.5 utmp.5 lastlog.5 -MLINKS+= hosts.equiv.5 .rhosts.5 MLINKS+= resolv.conf.5 resolver.5 resolv.conf.5 resolv.conf.tail.5 MLINKS+= passwd.5 master.passwd.5 MLINKS+= myname.5 mygate.5 diff --git a/share/man/man5/hosts.equiv.5 b/share/man/man5/hosts.equiv.5 deleted file mode 100644 index 7a626409481..00000000000 --- a/share/man/man5/hosts.equiv.5 +++ /dev/null 
@@ -1,183 +0,0 @@ -.\" $OpenBSD: hosts.equiv.5,v 1.14 2014/04/18 22:04:54 jmc Exp $ -.\" -.\" Copyright (c) 1997 Todd Vierling -.\" Copyright (c) 1997 The NetBSD Foundation, Inc. -.\" All rights reserved. -.\" -.\" This code is derived from software contributed to The NetBSD Foundation -.\" by Todd Vierling . -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. -.\" 3. All advertising materials mentioning features or use of this software -.\" must display the following acknowledgement: -.\" This product includes software developed by the NetBSD -.\" Foundation, Inc. and its contributors. -.\" 4. Neither the name of The NetBSD Foundation nor the names of its -.\" contributors may be used to endorse or promote products derived -.\" from this software without specific prior written permission. -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS -.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED -.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -.\" PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS -.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR -.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF -.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS -.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN -.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE -.\" POSSIBILITY OF SUCH DAMAGE. -.\" -.Dd $Mdocdate: April 18 2014 $ -.Dt HOSTS.EQUIV 5 -.Os -.Sh NAME -.Nm hosts.equiv , -.Nm .rhosts -.Nd trusted remote hosts and host-user pairs -.Sh DESCRIPTION -The -.Nm hosts.equiv -and -.Nm .rhosts -files list hosts and users which are -.Dq trusted -by the local host when a connection is made via -a server that uses -.Xr ruserok 3 . -This mechanism bypasses password checks, and is required for access via -.Xr rsh 1 . -.Pp -Each line of these files has the format: -.Bd -unfilled -offset indent -hostname [username] -.Ed -.Pp -The -.Ar hostname -may be specified as a host name (typically a fully qualified host -name in a DNS environment) or address, -.Ar +@netgroup -(from which only the host names are checked), -or a -.Sq + -wildcard (allow all hosts). -.Pp -The -.Ar username , -if specified, may be given as a user name on the remote host, -.Ar +@netgroup -(from which only the user names are checked), -or a -.Sq + -wildcard (allow all remote users). -.Pp -If a -.Ar username -is specified, only that user from the specified host may log in to the -local machine. -If a -.Ar username -is not specified, any user may log in with the same user name. 
-.Sh FILES -.Bl -tag -width /etc/hosts.equiv -compact -.It Pa /etc/hosts.equiv -global trusted host-user pairs list -.It Pa ~/.rhosts -per-user trusted host-user pairs list -.El -.Sh EXAMPLES -.Bl -ohang -compact -.It Li somehost -A common usage; users on -.Ar somehost -may log in to the local host as the same user name. -.Pp -.It Li somehost username -The user -.Ar username -on -.Ar somehost -may log in to the local host. -If specified in -.Pa /etc/hosts.equiv , -the user may log in with only the same user name. -.Pp -.It Li +@anetgroup username -The user -.Ar username -may log in to the local host from any machine listed in the netgroup -.Ar anetgroup . -.Pp -.It + -.It + + -Two severe security hazards. -In the first case, allows a user on any -machine to log in to the local host as the same user name. -In the second -case, allows any user on any machine to log in to the local host (as any -user, if in -.Pa /etc/hosts.equiv ) . -.El -.Sh SEE ALSO -.Xr rsh 1 , -.Xr rcmd 3 , -.Xr ruserok 3 , -.Xr netgroup 5 -.Sh HISTORY -The -.Nm .rhosts -file format appeared in -.Bx 4.2 . -.Sh CAVEATS -The user name checks provided by this mechanism are -.Em not -secure, as the remote user name is received by the server unchecked -for validity. -Therefore this mechanism should only be used -in an environment where all hosts are completely trusted. -.Pp -A numeric host address instead of a host name can help security -considerations somewhat; the address is then used directly by -.Xr iruserok 3 . -.Pp -When a user name (or netgroup, or -.Sq + ) -is specified in -.Pa /etc/hosts.equiv , -that user (or group of users, or all users, respectively) may log in to -the local host as -.Em any local user . -Usernames in -.Pa /etc/hosts.equiv -should therefore be used with extreme caution, or not at all. -.Pp -A -.Pa .rhosts -file must be owned by the user whose home directory it resides in, and -must be writable only by that user. 
-.Pp -Logins as root only check root's -.Pa .rhosts -file; the -.Pa /etc/hosts.equiv -file is not checked for security. -Access permitted through root's -.Pa .rhosts -file is typically only for -.Xr rsh 1 . -.Sh BUGS -The -.Xr ruserok 3 -implementation currently skips negative entries (preceded with a -.Sq \&- -sign) and does not treat them as -.Dq short-circuit -negative entries.
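Review bot: the two share/man/man5/Makefile hunks are consistent with each other (hosts.equiv.5 leaves MAN and its .rhosts.5 MLINKS entry goes with it), but no file outside that directory is touched; if the tree's installed-file lists for the man set (distrib/sets/lists/man/mi in OpenBSD) still name usr/share/man/man5/hosts.equiv.5 and .rhosts.5, they need to be trimmed in the same commit or the release set build trips over the now-missing pages. Also worth grepping for any remaining `.Xr hosts.equiv 5` or `.Xr .rhosts` in other manuals before this goes in, since nothing here updates them.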
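Review bot: the deletion hunk for share/man/man5/hosts.equiv.5 removes the only statement of three security-relevant rules that the code still enforces if ruserok(3) and iruserok(3) stay in libc: a ~/.rhosts file must be owned by the user whose home directory it is in and be writable only by that user; logins as root consult only root's .rhosts and never /etc/hosts.equiv; and a bare `+` or `+ +` line (or a username in /etc/hosts.equiv) grants any host, or any user as any local user, password-free access. If the library functions survive, that text, the `hostname [username]` line format, and the BUGS note that negative `-` entries are skipped rather than treated as short-circuit denials should move into ruserok(3) so the behaviour does not become undocumented; if the intent is to drop the rcmd family entirely, say so in the commit message. The page's SEE ALSO lists rsh(1), rcmd(3), ruserok(3) and netgroup(5), so any of those that cross-reference hosts.equiv(5) now carry a dangling link this diff does not fix.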