More Network Security: Equivalency
As a follow-on to Laurie Sefton's article in Sys Admin
93), I want to discuss an often overlooked area of network
equivalency, also known as trusted access.
Types of Equivalency
TCP/IP environments allow for two types of equivalency:
host and user.
Host equivalency, or trusted host access, is configured by the
system administrator. It permits all of the users on the specified
remote system (root excepted, as explained below) to access their
equivalent accounts on the local system without a password. Host
equivalency is controlled through the file /etc/hosts.equiv.
User equivalency, or trusted user access, is controlled by the
individual user. It allows that user, and any other users the file
names, to log into that account without a password. This type of
access is managed through the file $HOME/.rhosts.
Equivalence is most useful in environments where the r commands -
rlogin, rcmd(rsh), and rcp - are in regular use. Organizations often
start out with one or two computers, then add more, and suddenly
there's a network. Unless the expansion is carefully planned,
security can be compromised inadvertently.
For example, my login name at one time was simply "chris". In one of
our company's other offices, through poor coordination, there was
another user with the login name "chris". The two offices were not
connected using TCP/IP; however, when a SLIP line was introduced
between the two offices, suddenly there were problems, the most
obvious one being that each of us with the login "chris" could get at
files belonging to the other.
While changing the login name for one user solved the immediate
problem, it did not address the real security issue, which was that
each of the users should have had an account on each machine on the
network, each with the same UID.
As a first step toward providing equivalency, keep in mind the
following points when setting up your network. By granting
equivalency you are essentially duplicating the /etc/passwd and
/etc/group files on all of the machines in your network. As a result,
each user must have a unique login name, and that name must carry the
same UID on every machine. Group permissions cross system boundaries
too, so the same guidelines apply for groups: the same groups, with
the same group IDs (GID), must exist on all machines.
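The account-consistency rule above can be checked mechanically before any host is trusted. The following script is an added example, not part of the original article: it takes passwd(5) and group(5) text collected from each machine (here, constructed fragments for three hypothetical hosts named wabbit, oreo and ovide) and reports names that map to different IDs, IDs shared by different names, and names absent from some hosts. The first two are exactly the two-"chris" problem described above.

```python
"""Added example, not from the article: compare the passwd(5) and group(5)
files of several hosts and report the inconsistencies that break
equivalency. Host names and account data are constructed for
illustration; the conflicts mirror the two "chris" users in the text."""

# Constructed passwd(5) fragments for three hypothetical hosts.
PASSWD_BY_HOST = {
    "wabbit": (
        "root:x:0:0:root:/:/bin/sh\n"
        "chris:x:201:100:Chris M.:/home/chris:/bin/sh\n"
        "chare:x:202:100:Chris Hare:/home/chare:/bin/sh\n"
        "news:x:9:13:News:/usr/lib/news:/bin/sh\n"
    ),
    "oreo": (
        "root:x:0:0:root:/:/bin/sh\n"
        "chris:x:305:100:Chris S.:/home/chris:/bin/sh\n"
        "chare:x:202:100:Chris Hare:/home/chare:/bin/sh\n"
        "news:x:9:13:News:/usr/lib/news:/bin/sh\n"
    ),
    "ovide": (
        "root:x:0:0:root:/:/bin/sh\n"
        "andrewg:x:202:100:Andrew G.:/home/andrewg:/bin/sh\n"
        "chare:x:203:100:Chris Hare:/home/chare:/bin/sh\n"
        "news:x:9:13:News:/usr/lib/news:/bin/sh\n"
    ),
}

# Constructed group(5) fragments for the same hosts.
GROUP_BY_HOST = {
    "wabbit": "users:x:100:\nnews:x:13:news\n",
    "oreo": "users:x:100:\nnews:x:13:news\n",
    "ovide": "users:x:101:\nstaff:x:100:\nnews:x:13:news\n",
}


def parse_idfile(text):
    """Return {name: numeric id} from passwd(5) or group(5) text. Both formats
    keep the name in field 0 and the UID or GID in field 2, so one parser
    serves both files. Blank lines and '#' comments are skipped."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue
        table[fields[0]] = int(fields[2])
    return table


def find_conflicts(files_by_host):
    """Return a list of (kind, key, detail) tuples:
      name-with-several-ids  a login or group name whose id differs by host
      missing-on-hosts       a name that some hosts do not define at all
      id-shared-by-names     one UID/GID used under different names
    Any of these lets a user on one host reach another user's files once
    the hosts trust each other."""
    by_name = {}   # name -> {host: id}
    by_id = {}     # id -> {name: [hosts]}
    for host, text in sorted(files_by_host.items()):
        for name, ident in parse_idfile(text).items():
            by_name.setdefault(name, {})[host] = ident
            by_id.setdefault(ident, {}).setdefault(name, []).append(host)

    conflicts = []
    for name, hosts in sorted(by_name.items()):
        if len(set(hosts.values())) > 1:
            conflicts.append(("name-with-several-ids", name, dict(hosts)))
        absent = sorted(set(files_by_host) - set(hosts))
        if absent:
            conflicts.append(("missing-on-hosts", name, absent))
    for ident, names in sorted(by_id.items()):
        if len(names) > 1:
            conflicts.append(("id-shared-by-names", ident, dict(names)))
    return conflicts


if __name__ == "__main__":
    for label, data in (("passwd", PASSWD_BY_HOST), ("group", GROUP_BY_HOST)):
        for kind, key, detail in find_conflicts(data):
            print(f"{label}: {kind}: {key}: {detail}")
```

On a real network, replace the constructed dictionaries with the contents of each machine's /etc/passwd and /etc/group (rcp them to one place, or paste them in); an empty list from find_conflicts is the precondition the text is asking for before hosts.equiv or .rhosts entries are written.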
Configuring Host Equivalency
The system administrator configures host equivalency, or trusted host
access, using the file /etc/hosts.equiv, as shown in Figure 1. This
file consists of host names, one per line (it is also a good idea to
document in the file who the network administrator is). Each host
named in hosts.equiv is trusted. This means that, with the exception
of root, users on the named host can access their equivalent accounts
on this machine without a password.
In the configuration shown in Figure 2, the two machines oreo and
wabbit both have a user named chare. If I am currently logged into
wabbit and issue the command rlogin oreo with host equivalency
established, then I can log into oreo without being asked for my
password. If host equivalency is not established, then I will be
asked for my password on the remote machine.
There are two things to bear in mind concerning hosts.equiv entries:
all of the users on the listed machine are trusted, and there is one
exception to this, root, which is never trusted through hosts.equiv.
There is a second format for the hosts.equiv file, as shown in
Figure 3. This format lists a system name followed by a username.
With the addition of the username, that user can log in under any
account listed in /etc/passwd (root, again, excepted).
For example, consider the following entry on the machine ovide:
wabbit chare
This entry states that when coming in from the system wabbit, user
chare can log in under any valid account name from ovide's
/etc/passwd - as, for example,
rlogin ovide -l andrewg
This means that user chare on wabbit is being equivalenced to the
user andrewg on ovide. This is user equivalency, which is more
typically configured using the .rhosts method described below.
To use the commands rcmd(rsh) and rcp, equivalency (host or user) must
be set up and operational: these commands cannot fall back to a
password prompt the way rlogin does.
User equivalency makes a particular user known to all of the machines
in the network. It should be considered absolutely necessary where
NFS is being used or planned. (It has the further advantage of making
the network administrator's job easier.)
To configure user equivalence, the user creates a file in the home
directory called .rhosts. This file must be writable only by its
owner. If it is not, the file will be ignored for validation
purposes, so check the mode before assuming its entries are in
effect.
As with the hosts.equiv file, this file contains one system name per
line. It generally also includes the name of the user who is being
granted access. As an example: in my company's network, two people
are responsible for the maintenance and operation of news. In order
to give those people access to our news server, a .rhosts file was
created in the news home directory, /usr/lib/news.
The .rhosts file looks like
Both of these people can log in as news on the news server without
using a password, as they are "equivalent" to the user news on that
machine.
The potential for serious problems exists in networks where there is
host equivalency but not user equivalency. In fact, the security of
any network without user equivalency is highly jeopardized. In the
configuration shown in Figure 4, for example, two users with the same
login ID, Chris M. and Chris S., work on two different machines,
wabbit and oreo. Chris S. can do an rlogin from wabbit to oreo
without providing a password, and can therefore access all of
Chris M.'s files. The problem here is that although there is host
equivalence, there is no user equivalence: the two accounts share a
login name but belong to different people.
How Does Equivalency Work?
Both the local host and the remote host play a role in determining
whether an r command is allowed. When a user runs an r command:
The local host
- attempts to validate the hostname. If the hostname is not in
/etc/hosts and cannot be resolved using the Domain Name Server, then
the command is aborted, and the user is told the hostname is invalid.
- if the hostname is validated, connects via TCP/IP to the remote
host.
The remote host
- looks up the requested account name in /etc/passwd. If the account
name is not there, it aborts the command.
- checks to see if the account has an encrypted password. If there is
no password, then the command is executed with no further checks.
- checks to see if the user is root. If the user is root, checks
/.rhosts for the originating (local) host's name. If it is found,
then the command is executed. (This is an example of user
equivalency applied to the root account.)
- if the user is not root, checks /etc/hosts.equiv for the
originating host's name. If it is found, then the command is
executed.
- if no match is found, looks for a .rhosts file in the account's
$HOME directory. If .rhosts doesn't exist or there is no match, rcp
and rcmd(rsh) commands will fail, and rlogin will prompt for a
password.
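The remote-host sequence above, written out as a small model so the cases can be exercised. This is an added example, not code from the article or from any rlogind/rshd implementation: the hosts (oreo, wabbit, ovide), accounts and file contents are constructed, and the '+' wildcard entry it honours comes from hosts.equiv(5) rather than from the text. The local host's name lookup (the first step) is not modelled.

```python
"""Added example, not from the article: a model of the remote host's
validation steps for an r command, in the order the text gives them.
Hosts, accounts and file contents are constructed for illustration.
'+' as a wildcard entry is taken from hosts.equiv(5), not from the text."""

import stat


def parse_equiv(text):
    """Parse hosts.equiv or .rhosts text into (host, user) pairs. A host-only
    line yields user=None. Blank lines and '#' comments are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        entries.append((fields[0], fields[1] if len(fields) > 1 else None))
    return entries


def entry_matches(entries, client_host, client_user, account):
    """True if some entry trusts client_user coming from client_host.
    A host-only entry trusts the same login name on that host; a
    host+user entry trusts that remote user for whatever account the file
    governs (any account for hosts.equiv, the owner for .rhosts).
    '+' matches any host or any user (hosts.equiv(5); not in the text)."""
    for host, user in entries:
        if host not in ("+", client_host):
            continue
        if user is None:
            if client_user == account:
                return True
        elif user in ("+", client_user):
            return True
    return False


def rhosts_trusts(host_cfg, account, client_host, client_user):
    """Consult the account's .rhosts (for root, /.rhosts). A file that is
    group- or world-writable is ignored, as the text requires."""
    entry = host_cfg["rhosts"].get(account)
    if entry is None:
        return False
    text, mode = entry
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False
    return entry_matches(parse_equiv(text), client_host, client_user, account)


def decide(host_cfg, command, client_host, client_user, account):
    """Return 'execute', 'prompt-password' or 'fail' for an r command that
    arrives at the host described by host_cfg."""
    passwd = host_cfg["passwd"]           # login -> encrypted password field
    if account not in passwd:
        return "fail"                     # unknown account: command aborted
    if passwd[account] == "":
        return "execute"                  # empty password field: no check at all
    if account == "root":                 # root: only /.rhosts is consulted
        trusted = rhosts_trusts(host_cfg, "root", client_host, client_user)
    else:
        trusted = (
            entry_matches(parse_equiv(host_cfg["hosts_equiv"]),
                          client_host, client_user, account)
            or rhosts_trusts(host_cfg, account, client_host, client_user)
        )
    if trusted:
        return "execute"
    return "prompt-password" if command == "rlogin" else "fail"


# Constructed configuration of oreo: hosts.equiv trusts wabbit, root and
# news keep .rhosts files, and guest has an empty password field.
OREO = {
    "passwd": {"root": "x", "chris": "x", "chare": "x", "news": "x", "guest": ""},
    "hosts_equiv": "wabbit   # trusted by the network administrator\n",
    "rhosts": {
        "root": ("wabbit\n", 0o600),
        "news": ("wabbit chare\novide andrewg\n", 0o600),
    },
}

# Same machine, but news's .rhosts is world-writable and /.rhosts is gone.
OREO_SLOPPY = dict(OREO, rhosts={"news": ("wabbit chare\n", 0o666)})

# Constructed ovide, using the host+user hosts.equiv form from Figure 3.
OVIDE = {
    "passwd": {"root": "x", "andrewg": "x", "chare": "x"},
    "hosts_equiv": "wabbit chare\n",
    "rhosts": {},
}

if __name__ == "__main__":
    for args in (("rlogin", "wabbit", "chare", "chare"),
                 ("rsh", "wabbit", "chris", "chris"),
                 ("rlogin", "ovide", "root", "root"),
                 ("rlogin", "wabbit", "chare", "news")):
        print(args, "->", decide(OREO, *args))
```

The Figure 4 hazard falls straight out of the model: decide(OREO, "rsh", "wabbit", "chris", "chris") returns "execute", because hosts.equiv only compares login names. Root is the one account hosts.equiv never admits, so with OREO_SLOPPY an rlogin as root from wabbit is prompted for a password.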
Security Issues with Equivalence
The potential for security breaches is significant in networks that
make extensive use of root equivalency. If someone obtains the root
password on one machine, he or she then has root access to all of the
machines in the network.
The several offices of my company share a high volume of data, but as
we are only using a 19.2 kilobaud PPP link, NFS usage is not
practical. To avoid using root equivalence, we send some of the files
with rdist. On the machines involved in these transactions, we created
a special user with write access to the directories the files are
distributed into.
Remember, too, that having host equivalency but no user equivalency
can also be dangerous, in that a user on a trusted host outside your
control who has the same username as one of your users would be able
to access your system almost unrestricted.
For further information on host and user equivalency, see your system
documentation and the book TCP/IP Network Administration by Craig
Hunt (Sebastopol, CA: O'Reilly and Associates).
About the Author
Chris Hare is Ottawa Technical Services Manager for
Choreo Systems, Inc.
He has worked in the UNIX environment since 1986 and
in 1988 became one of
the first SCO authorized instructors in Canada. He teaches
system administration, and programming classes. His
current focus is on
networking, Perl, and X. Chris can be reached at email@example.com,
firstname.lastname@example.org, which is his home.