Installing and Administering Internet Services: HP 9000 Networking > Chapter 2 Installing and Configuring Internet Services

Configuring Files to Bypass Security


The following files may be used to allow users access to your host without supplying a password:

  • /etc/hosts.equiv, a file owned by user root. This file allows certain users to connect to your host with rcp, remsh, or rlogin without supplying a password.

  • $HOME/.rhosts, a file that may be created by any user in his or her home directory. This file allows certain users to connect to your host with rcp, remsh, or rlogin without supplying a password.

  • $HOME/.netrc, a file that may be created by any user in his or her home directory. This file allows certain users to connect to your host with ftp or rexec without supplying a password.

CAUTION: These files create a significant security risk.

The remshd and rlogind servers can be configured to ignore $HOME/.rhosts files. See “To Disable Use of $HOME/.rhosts”.

To Configure the /etc/hosts.equiv File

Each line in the /etc/hosts.equiv file has the following form:

hostname [username]

You can use either a text editor or SAM to configure the /etc/hosts.equiv file. To run SAM, type sam at the HP-UX prompt. SAM has an extensive online help facility.

If a user is logged into a host listed in your /etc/hosts.equiv file, and the user's login name is listed in your passwd database, the user may connect to your host with rcp, remsh, or rlogin, and the user will not be prompted for a password.

If a username is included in /etc/hosts.equiv, only the specified user on the associated host may connect to your host without supplying a password. However, the specified user may log in as any user on your system (except root) without supplying a password.

CAUTION: Hewlett-Packard recommends that you leave user names out of the /etc/hosts.equiv file, unless you intend to give a user the privilege of logging into all the accounts on the system without having to provide a password.

When a non-root user attempts to log into your host, the /etc/hosts.equiv file is checked before $HOME/.rhosts. If an entry is found in /etc/hosts.equiv, $HOME/.rhosts is not checked. When a user attempts to log into your host as root, the /etc/hosts.equiv file is not checked. Only the /.rhosts file is checked. See “To Configure the $HOME/.rhosts File”.

The /etc/hosts.equiv file may contain NFS netgroups. See Installing and Administering NFS Services for more information.

The /etc/hosts.equiv file should be owned by user root, with permissions set to 0444 (-r--r--r--).

CAUTION: The /etc/hosts.equiv file creates a significant security risk.

Type man 4 hosts.equiv for more information.

To Configure the $HOME/.rhosts File

Any user may create a .rhosts file in his or her home directory. Each line in the .rhosts file has the following form:

hostname [username]

To create a .rhosts file in any home directory other than the superuser's home directory, you must use a text editor. You can use SAM to configure the /.rhosts file (in the superuser's home directory). To run SAM, type sam at the HP-UX prompt. SAM has an extensive online help facility.

A remote user logged into a host specified in a local $HOME/.rhosts file can use rcp, remsh, or rlogin to log into that local user's account without supplying a password.

If your host has a /.rhosts file, the root user on any system listed in that file may use rcp, remsh, or rlogin to connect to your host without being prompted for a password.

The remshd and rlogind servers can be configured to ignore $HOME/.rhosts files. See “To Disable Use of $HOME/.rhosts”.

When a non-root user attempts to connect to your host, the /etc/hosts.equiv file is checked before $HOME/.rhosts. If an entry is found in /etc/hosts.equiv, $HOME/.rhosts is not checked. When a user attempts to connect to your host as root, the /etc/hosts.equiv file is not checked. Only the /.rhosts file is checked.

The $HOME/.rhosts file may contain NFS netgroups. See Installing and Administering NFS Services for more information.

Each $HOME/.rhosts file should be owned by the user of the home directory, with permissions set to 0600 (-rw-------). The user's home directory should be write-protected so that no other user can create a .rhosts file in it.

CAUTION: The $HOME/.rhosts file creates a significant security risk.

Type man 4 hosts.equiv for more information.
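The precedence rules described in this section and the previous one, as an added Python model (not HP code): for a non-root login /etc/hosts.equiv is consulted first and, when it holds an entry for the remote host (and for the remote user, if a user field is present), decides on its own; a root login consults only /.rhosts. The model assumes the conventional reading of the optional username field in a .rhosts line (it names the admitted remote user; a bare hostname admits only the same-named user), and all hostnames, users and file contents are constructed.

```python
# Constructed model of the passwordless-login decision.  Trust files are
# given as text in the form "hostname [username]"; LOCAL_USERS stands in
# for the passwd database.

def parse_trust_file(text):
    """Return (host, user-or-None) pairs, skipping blank and comment lines."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if fields and not fields[0].startswith("#"):
            entries.append((fields[0], fields[1] if len(fields) > 1 else None))
    return entries

def hosts_equiv_decision(entries, rhost, ruser, luser, local_users):
    """True/False when /etc/hosts.equiv has an entry for this remote host
    (and remote user, if given); None when it has none, so .rhosts is next."""
    for host, user in entries:
        if host != rhost:
            continue
        if user is None:
            # Bare hostname: same-named logins only, and the name must exist here.
            return ruser == luser and luser in local_users
        if user == ruser:
            # "hostname username": that user may become any local user but root.
            return luser != "root"
    return None

def rhosts_grants(entries, rhost, ruser, luser):
    """$HOME/.rhosts: bare hostname admits the same-named remote user,
    "hostname username" admits that named remote user."""
    return any(host == rhost and (ruser == luser if user is None else user == ruser)
               for host, user in entries)

def passwordless_login_allowed(hosts_equiv, rhosts_by_user, rhost, ruser, luser, local_users):
    if luser != "root":                      # root logins skip /etc/hosts.equiv
        decision = hosts_equiv_decision(parse_trust_file(hosts_equiv), rhost, ruser, luser, local_users)
        if decision is not None:             # entry found: .rhosts is not consulted
            return decision
    # Root: only /.rhosts (rhosts_by_user["root"]); others: their own $HOME/.rhosts.
    return rhosts_grants(parse_trust_file(rhosts_by_user.get(luser, "")), rhost, ruser, luser)

# Constructed sample configuration.
HOSTS_EQUIV = "broccoli\ncabbage andrea\n"
RHOSTS = {"root": "turnip\n", "bill": "kale joe\n"}
LOCAL_USERS = {"root", "bill", "andrea", "joe"}
def allowed(rhost, ruser, luser):
    return passwordless_login_allowed(HOSTS_EQUIV, RHOSTS, rhost, ruser, luser, LOCAL_USERS)

if __name__ == "__main__":
    for case in [("broccoli", "bill", "bill"), ("cabbage", "andrea", "bill"),
                 ("cabbage", "andrea", "root"), ("turnip", "root", "root"), ("kale", "joe", "bill")]:
        print(case, "->", "no password" if allowed(*case) else "password required")
```

Note that the "cabbage andrea" entry lets andrea reach every non-root account, which is exactly why the CAUTION above advises leaving user names out of /etc/hosts.equiv.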

To Disable Use of $HOME/.rhosts

  1. Add the -l option to the lines in /etc/inetd.conf that begin with login and shell, as in the following example:

    login stream tcp nowait root /usr/lbin/rlogind rlogind -l
    
    shell stream tcp nowait root /usr/lbin/remshd remshd -l

  2. Type the following command to force inetd to read its configuration file:

    /usr/sbin/inetd -c

This procedure disables the use of $HOME/.rhosts files. It does not disable the use of the /etc/hosts.equiv file.

For more information, type man 1M rlogind or man 1M remshd.
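A check for the state this procedure produces, as an added Python example (not HP code): it parses the login and shell lines of an inetd.conf and reports whether each server is started with -l. The excerpt is constructed, with the login line already fixed and the shell line still missing the option.

```python
# Constructed /etc/inetd.conf excerpt: login already carries -l, shell does not.
SAMPLE_INETD_CONF = """# inetd.conf (constructed sample)
login  stream tcp nowait root /usr/lbin/rlogind rlogind -l
shell  stream tcp nowait root /usr/lbin/remshd  remshd
"""

def rhosts_disabled_status(conf_text):
    """Return {service: True/False} for the login and shell services: True
    when the server is started with -l, i.e. $HOME/.rhosts files are ignored."""
    status = {}
    for line in conf_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0] in ("login", "shell"):
            # fields[6] is the server's argv[0]; options follow it.
            status[fields[0]] = "-l" in fields[7:]
    return status

def services_missing_l_option(conf_text):
    """Services that still honour $HOME/.rhosts and need the -l option added."""
    return sorted(svc for svc, ok in rhosts_disabled_status(conf_text).items() if not ok)

if __name__ == "__main__":
    print("status:", rhosts_disabled_status(SAMPLE_INETD_CONF))
    print("still honouring .rhosts:", services_missing_l_option(SAMPLE_INETD_CONF))
```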

To Configure the $HOME/.netrc File

Any user may create a .netrc file in his or her home directory. Each line in the .netrc file has the following form:

machine hostname login remote_login_name password password

Following is an example entry in a .netrc file:

machine broccoli login bill password try2Bhave

If user andrea has this entry in her .netrc file on host cabbage, she can use ftp or rexec to connect to user bill's account on host broccoli without being prompted for a password.

Each $HOME/.netrc file should be owned by the user of the home directory, with permissions set to 0600 (-rw-------). The user's home directory should be write-protected so that no other user can create a .netrc file in it.

The fields in a .netrc entry may be separated by white space, line breaks, or commas. If you want to include a comma in a field, enclose the whole field in double quotes. For example, if you need to supply both account and user passwords for a login to an MPE/iX machine, enter both passwords in the password field, separated by a comma, and enclose the field in double quotes. Following is an example of a .netrc entry for an MPE/iX login with both account and user passwords:

machine corn login manager.sys password "usrpass,acctpass"
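The field-separator rules just described, as an added Python example (not HP code) that tokenizes a .netrc file the way the text specifies and reports which machines have a cleartext password stored for them; the sample file is constructed from the entries shown above.

```python
# Constructed sample .netrc: fields split by blanks, line breaks and commas;
# the quoted field keeps its comma (the MPE/iX account,user password case).
SAMPLE_NETRC = '''machine broccoli login bill password try2Bhave
machine corn, login manager.sys, password "usrpass,acctpass"
machine kale
login andrea
'''

def tokenize_netrc(text):
    """Split on whitespace, newlines and commas; a double-quoted field is one token."""
    tokens, cur, in_token, quoted = [], [], False, False
    for ch in text:
        if quoted:
            if ch == '"':
                quoted = False
            else:
                cur.append(ch)
        elif ch == '"':
            quoted, in_token = True, True
        elif ch in " \t\r\n,":
            if in_token:
                tokens.append("".join(cur))
                cur, in_token = [], False
        else:
            cur.append(ch)
            in_token = True
    if in_token:
        tokens.append("".join(cur))
    return tokens

def parse_netrc(text):
    """Return {machine: {"login": ..., "password": ...}}, omitting absent keys.
    Assumes the keyword/value pairing described in the text."""
    entries, current = {}, None
    tokens = tokenize_netrc(text)
    for key, value in zip(tokens[0::2], tokens[1::2]):
        if key == "machine":
            current = entries.setdefault(value, {})
        elif key in ("login", "password") and current is not None:
            current[key] = value
    return entries

def stored_credentials(text):
    """Machines whose password sits in cleartext on disk: what an audit of a
    user's .netrc should report, since anyone able to read the file can use it."""
    return sorted(m for m, e in parse_netrc(text).items() if "password" in e)

if __name__ == "__main__":
    for machine, entry in parse_netrc(SAMPLE_NETRC).items():
        print(machine, entry)
    print("cleartext passwords stored for:", stored_credentials(SAMPLE_NETRC))
```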

CAUTION: The $HOME/.netrc file creates a significant security risk. It contains unencrypted passwords.

For more information, type man 4 netrc at the HP-UX prompt.

© 1996 Hewlett-Packard Development Company, L.P.