~/.rhosts

Individual users' list of trusted remote users

Name:

~/.rhosts

Description:

The ~/.rhosts and /etc/hosts.equiv files provide the "remote authentication" database for the rcp, rlogin, and rsh commands and the rcmd() function. These files bypass the standard password-based user authentication mechanism: they specify the remote hosts and users that are considered trusted, i.e. that are allowed to access the local system without supplying a password.

Note: The ownership and permissions of the ~/.rhosts file must be as follows, or its contents will be ignored:
  • it must be owned by root or by the user whose home directory it's in
  • it must not be writable by anyone other than the owner (e.g. rw-r--r-- or rw-------)

While it reads an .rhosts file, the ruserok() function sets the effective user ID to that of the local user whose file is being checked, but doesn't change the effective group ID. That user must therefore have search permission on every directory in the pathname of the .rhosts file (e.g. if the file is /home/user/.rhosts, the user must have search permission on /home and /home/user).
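The ownership and mode checks described above, as an added example (not code from the original page or from any rsh implementation). It treats anything that is not a regular file as ignored, an extra hardening step the page doesn't state, and demonstrates the checks on files it creates in a temporary directory.

```python
"""Added example: would this ~/.rhosts file be honored or ignored?

Implements the two rules given above (owner is root or the user; not writable
by group or others).  Rejecting symlinks and other non-regular files is an
extra hardening step not stated on the page."""
import os
import stat
import tempfile


def rhosts_honored(path, user_uid):
    """Return (honored, reason) for the ~/.rhosts file at path, for user_uid."""
    try:
        st = os.lstat(path)            # lstat: do not follow a symlink planted here
    except FileNotFoundError:
        return False, "no such file"
    if not stat.S_ISREG(st.st_mode):
        return False, "not a regular file"
    if st.st_uid not in (0, user_uid):
        return False, "owned by uid %d, not root or the user" % st.st_uid
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False, "writable by group or others (mode %o)" % stat.S_IMODE(st.st_mode)
    return True, "ok"


def demo():
    """Create a sample file under several modes and report which would be used."""
    results = {}
    uid = os.getuid()
    with tempfile.TemporaryDirectory() as home:
        path = os.path.join(home, ".rhosts")
        with open(path, "w") as f:
            f.write("build1.example.com\n")    # constructed content
        for mode in (0o644, 0o600, 0o664, 0o646):
            os.chmod(path, mode)
            results[mode] = rhosts_honored(path, uid)
        link = os.path.join(home, "link")
        os.symlink(path, link)
        results["symlink"] = rhosts_honored(link, uid)
        results["missing"] = rhosts_honored(os.path.join(home, "none"), uid)
    return results


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(name if isinstance(name, str) else "%o" % name, "honored" if ok else "ignored", why)
```

The same function, pointed at /home/*/.rhosts with each owner's uid, makes a quick audit of which trust files on a host are live and which are silently ignored.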

The library routine ruserok() (see also rcmd()) performs the remote authentication. It determines whether a particular remote user from a particular remote host is allowed to access the local system as a (possibly different) particular local user.

If the remote authentication fails, rcp and rsh fail, but rlogin falls back to the standard password-based login procedure.

Both files are formatted as a list of one-line entries of the form:

hostname [username]

where hostname must be the fully qualified domain name (FQDN) of the host, not one of its aliases.

The entries in these files are either positive, to explicitly allow access without a password, or negative, to deny it. Authentication succeeds as soon as a matching positive entry is found, but fails when a matching negative entry is found, or if no matching entry is found in either file. Therefore, the order of entries matters: if the files contain both a matching positive and a matching negative entry, whichever appears first prevails, so a negative entry only has an effect if it precedes every positive entry that would match the same host and user.

Positive entries

Positive entries take these forms:

hostname
All users from the named host are trusted and may access the system with the same user name as they have on the remote system. You can use this form in both /etc/hosts.equiv and individual users' .rhosts files.
hostname username
The meaning of this form depends on which file it's in:
  • .rhosts file in a local user's home directory — the named user from the named host can access the system as that local user.
  • /etc/hosts.equiv — the named remote user can access the system as any local user.

You can use the special character "+" as a wildcard in place of either the hostname or the username to match any host or any user:

+
Any user from any remote host can access the system, with the same username as on the remote system.
+ username
The named user from any remote host can access the system: as the local user whose .rhosts file contains the entry, or as any local user if the entry is in /etc/hosts.equiv.
hostname +
Any user from the named host can access the system: as the local user whose .rhosts file contains the entry, or as any local user if the entry is in /etc/hosts.equiv.

Negative entries

Negative entries have a "-" character preceding either the hostname or username field. For example:

hostname -username
Deny the named user passwordless access when they connect from the named host.
-hostname
Deny passwordless access from the named host.

Caveats:

Use extreme caution in /etc/hosts.equiv with positive entries that include a username field (either an individual named user, a netgroup, or "+" sign). Because /etc/hosts.equiv applies system-wide, these entries allow one or a group of remote users to access the system as any local user without providing a password. This can be a security hole.
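A model of the decision logic described in the sections above (entry forms, wildcards, negative entries, first-match ordering) together with a scan for the dangerous /etc/hosts.equiv entries this caveat warns about. This is an added example, not code from the original page or from any rsh implementation, and it runs against constructed sample files. Two assumptions go beyond the page, both taken from the BSD ruserok() implementation: /etc/hosts.equiv is searched before ~/.rhosts, and it is skipped entirely when the local user is root. Netgroup (@name) entries are not modelled.

```python
"""Model of the /etc/hosts.equiv and ~/.rhosts decision logic described above.
Added example, not code from the original page.  Two assumptions go beyond the
page, both taken from the BSD ruserok() implementation: /etc/hosts.equiv is
searched before ~/.rhosts, and it is skipped when the local user is root.
Netgroup (@name) entries are not modelled."""


def parse_entry(line):
    """Split one line into (host, user); user is None for the bare-hostname form."""
    fields = line.split()
    if not fields:
        return None                      # blank line carries no entry
    return fields[0], (fields[1] if len(fields) > 1 else None)


def entry_verdict(entry, rhost, ruser, luser):
    """Apply one entry: None = no match, True = positive match, False = negative."""
    host, user = entry
    neg_host = host.startswith("-")      # "-hostname" denies whoever it matches
    if neg_host:
        host = host[1:]
    # host names are compared case-insensitively, as DNS names are (assumption)
    if host != "+" and host.lower() != rhost.lower():
        return None
    if user is None:                     # bare hostname: same user name both ends
        if ruser != luser:
            return None
        neg_user = False
    else:
        neg_user = user.startswith("-")  # "hostname -username" denies that user
        if neg_user:
            user = user[1:]
        if user != "+" and user != ruser:
            return None
    return not (neg_host or neg_user)


def ruserok(hosts_equiv, rhosts, rhost, ruser, luser):
    """True if ruser@rhost may act as luser without a password.

    hosts_equiv is the text of /etc/hosts.equiv; rhosts is the text of luser's
    ~/.rhosts, or None when the file is absent or ignored for bad permissions.
    The first matching entry, in file order, decides; no match means denial."""
    files = [] if luser == "root" else [hosts_equiv]   # BSD: never for root
    files.append(rhosts)
    for text in files:
        for line in (text or "").splitlines():
            entry = parse_entry(line)
            if entry is None:
                continue
            verdict = entry_verdict(entry, rhost, ruser, luser)
            if verdict is not None:
                return verdict
    return False


def risky_hosts_equiv_entries(hosts_equiv):
    """Positive /etc/hosts.equiv entries carrying a user field: each lets the
    named remote user (or, with "+", every user of the host) in as ANY local user."""
    risky = []
    for line in hosts_equiv.splitlines():
        entry = parse_entry(line)
        if entry and entry[1] is not None and "-" not in (entry[0][0], entry[1][0]):
            risky.append(line.strip())
    return risky


# Constructed sample files; no real hosts or users.
HOSTS_EQUIV = """\
build1.example.com
backup.example.com -oper
backup.example.com +
-untrusted.example.com
"""

ALICE_RHOSTS = """\
dev2.example.com bob
+ alice
build1.example.com -alice
"""


def demo():
    """Decisions for a few (rhost, ruser, luser) triples against the samples."""
    cases = {
        "alice@build1 as alice": ("build1.example.com", "alice", "alice"),
        "oper@backup as alice": ("backup.example.com", "oper", "alice"),
        "x@backup as alice": ("backup.example.com", "x", "alice"),
        "alice@untrusted as alice": ("untrusted.example.com", "alice", "alice"),
        "bob@dev2 as alice": ("dev2.example.com", "bob", "alice"),
        "alice@anyhost as alice": ("anyhost.example.com", "alice", "alice"),
        "root@build1 as root": ("build1.example.com", "root", "root"),
    }
    return {name: ruserok(HOSTS_EQUIV, ALICE_RHOSTS if luser == "alice" else None,
                          rhost, ruser, luser)
            for name, (rhost, ruser, luser) in cases.items()}
```

The sample decisions show the points the text makes: alice from build1 gets in through the bare hostname line in /etc/hosts.equiv, and the "build1.example.com -alice" line in her own ~/.rhosts can't veto it because it's searched later; oper from backup is denied by "backup.example.com -oper", but every other user of backup gets in as any local user through the "backup.example.com +" line that follows it, which is exactly the entry risky_hosts_equiv_entries() flags; "-untrusted.example.com" in /etc/hosts.equiv wins over "+ alice" in ~/.rhosts; and root gets nothing from /etc/hosts.equiv at all.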
