Operating System - HP-UX

.rhost file in users home directories

Paul Winchcombe
Occasional Contributor

Sorry if this question has been asked before.

I have a need to allow only a few non-root users to rlogin to a host. For the users that aren't allowed to rlogin, I wish to have a root-owned .rhosts file in their home directory. Trouble is, the user, if they wish, can remove the root-owned .rhosts file because it's in a directory they own.

I could add an entry in the .profile to see how the user logged in (different tty types).

Regards

Paul

I have an above average QI
Steve Steel
Honored Contributor

Re: .rhost file in users home directories

Hi

try

hosts.equiv(4) hosts.equiv(4)

NAME
hosts.equiv, .rhosts - security files authorizing access by remote
hosts and users on local host

DESCRIPTION
The /etc/hosts.equiv file and files named .rhosts found in users' home
directories specify remote hosts and users that are "equivalent" to
the local host or user. Users from equivalent remote hosts are
permitted to access a local account using rcp or remsh or to rlogin to
the local account without supplying a password (see rcp(1), remsh(1),
and rlogin(1)). The security provided by hosts.equiv is implemented
by the ruserok() library routine, (see rcmd(3N)).

In this description, hostequiv means either the system
/etc/hosts.equiv file or the user .rhosts file. Note that .rhosts
must be owned by the user in whose home directory it is found and it
must not be a symbolic link. The /etc/hosts.equiv file defines
system-wide equivalency, whereas a user's .rhosts file defines
equivalency between the local user and any remote users to whom the
local user chooses to allow or deny access.


Steve Steel
If you want truly to understand something, try to change it. (Kurt Lewin)
Volker Borowski
Honored Contributor

Re: .rhost file in users home directories

Hi Paul,

from "man rlogind":

... fails, login(1) prompts the user with the normal login sequence. The -l option to rlogind prevents any authentication based on the user's .rhosts file unless the user is logging in as super-user. ....

So if you reconfigure inetd.conf, you could make rlogind only work with /etc/rhosts and /etc/hosts.equiv; it will simply ignore $HOME/.rhosts.

Hope this helps
Volker
Deepak Extross
Honored Contributor

Re: .rhost file in users home directories

Suggest you stick to the /etc/rhosts and /etc/hosts.equiv files rather than getting into users' home directories.

In fact, since you don't want other users to rlogin to the machine, you should have a policy expressly forbidding any user from having a $HOME/.rhosts file. You may want to run a small script weekly or so to search for user-created .rhosts files and delete them.
Darrell Allen
Honored Contributor

Re: .rhost file in users home directories

Hi Paul,

I presume you want to allow rlogin without a password. If not, you don't need to use .rhosts nor /etc/hosts.equiv. I'd also remove the "r" services from /etc/inetd.conf.

You may want to use /var/adm/inetd.sec to limit the IP addresses a service will allow connections from.

When I've used /etc/hosts.equiv, I did chown root:sys and chmod 000 on it.

Darrell
"What, Me Worry?" - Alfred E. Neuman (Mad Magazine)
Paul Winchcombe
Occasional Contributor

Re: .rhost file in users home directories

Thanks for all the info but I think I may have misled you all.

If root creates a .rhost file in my home directory /home/paulw/, preventing me from rlogin/remsh into the box without a password, I as user paulw can remove the .rhost file even though it is created and owned by root.
I understand that I can prevent the use of users' .rhost files by editing the inetd.conf file, but I want to allow some users to rlogin and others not to. I also cannot be sure of where the user will login from, i.e. the IP address of the remote machine is unknown.

So basically ignoring r-services for a moment.

How can a root user write a file to a users home directory and prevent that user from moving/deleting the file when the directory is owned by that user.

I've tried looking at ACLs, but I think this is just for HFS filesystems.

Or am I asking the impossible?
I have an above average QI
T. M. Louah
Esteemed Contributor

Re: .rhost file in users home directories

Maybe you need to take a look at SSH. You get encrypted "equivalents" of telnet, ftp and more. Using OpenSSH, you can have automated cron scripts connecting to other UNIX boxes without keeping a password (or unencrypted private key) on disk.
You can try secure shell; obtain openssh and the other required pieces (i.e. zlib, perl, etc.) at http://hpux.cs.utah.edu/ in depot format for HP-UX 11. No compile process needed. Just do the whole thing through swinstall. I'd visit www.openssh.com as well to get some background information. Having said that, ssh is not an HP product... !!
other resources:
You can look at SSH Case studies at http://www.unixreview.com/books/book_preview9.shtml for examples of smart SSH usage.

g'd luck
t++
Little learning is dangerous!
Bill Thorsteinson
Honored Contributor

Re: .rhost file in users home directories

Modify your inetd.conf file and add the -l option to the r* services. This will disable .rhosts files. Add the approved users to the file /etc/hosts.equiv. Other users will still be able to use the r* services but will have to provide passwords.

If you have tcp wrappers enabled, you have a better ability to restrict access to the r* services. This includes restrictions by user and host.

As noted above ssh (secure shell) may be a better option.
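An added audit script, not from any poster in this thread, that checks the two controls recommended above: that rlogind/remshd in inetd.conf carry the -l option (Volker's and Bill's answer), and which $HOME/.rhosts files exist and would actually be honoured (Deepak's weekly sweep). It assumes the HP-UX inetd.conf layout quoted in the replies (service, socket type, protocol, wait flag, user, server path, server args) and that each home directory is owned by its account; file paths are parameters so it can be exercised against constructed files.

```shell
#!/bin/sh
# Audit of r-service hardening. Added example; paths are parameters so the
# checks can run against constructed sample files as well as the live system.

# Print uncommented inetd.conf lines for the login and shell services whose
# daemon arguments (fields 7 onward) lack -l, i.e. where user .rhosts files
# are still consulted by rlogind/remshd.
rservices_without_l() {
    grep -v '^[[:space:]]*#' "$1" |
    awk '($1 == "login" || $1 == "shell") {
            has_l = 0
            for (i = 7; i <= NF; i++) if ($i == "-l") has_l = 1
            if (!has_l) print
         }'
}

# For every HOME/.rhosts directly under a home base directory, report the
# file owner, the directory owner and the symlink status. hosts.equiv(4)
# says only a non-symlink file owned by the home's owner is honoured, so
# anything else is reported as "ignored" rather than "active".
find_rhosts() {
    for f in "$1"/*/.rhosts; do
        [ -e "$f" ] || [ -L "$f" ] || continue
        dir=$(dirname "$f")
        fowner=$(ls -ld "$f" | awk '{print $3}')
        downer=$(ls -ld "$dir" | awk '{print $3}')
        if [ -L "$f" ]; then
            state=ignored-symlink
        elif [ "$fowner" != "$downer" ]; then
            state=ignored-owner-mismatch
        else
            state=active
        fi
        echo "$f owner=$fowner dir_owner=$downer $state"
    done
}

# Stand-alone use against the live system (run as root to read every home).
if [ "${1:-}" = "--run" ]; then
    echo "== r-services still honouring \$HOME/.rhosts =="
    rservices_without_l /etc/inetd.conf
    echo "== .rhosts files under /home =="
    find_rhosts /home
fi
```

Run it as `sh audit_rhosts.sh --run`; any line from the first section means a user-controlled .rhosts still grants password-less access on that service, and "active" entries in the second are the files Deepak's sweep would remove.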
Darrell Allen
Honored Contributor

Re: .rhost file in users home directories

Just came back and looked at this again. Volker (and Bill) have the answer: configure rlogin to ignore user .rhosts files (except for superuser). That way it doesn't matter what the users put in their .rhosts.

Darn good answer. Never had tried it.

Darrell
"What, Me Worry?" - Alfred E. Neuman (Mad Magazine)