Sun Microsystems Sun Workstation 100U System Manager's Manual page 97

System Set-Up and Operation
Sun 100/150 Installation Manual
1. When a user initiates a remote process on another machine (rlogin, rsh or rcp, for example), the system first checks for an entry for this user in /etc/passwd on the remote machine. If no entry is found, the user will be denied access: if he is trying to rlogin to the machine, he will be prompted for a password and then get a "Login incorrect" message; if he is attempting a rcp or rsh, he will get a "Login incorrect" message.
2. If an entry for the user is found in /etc/passwd, the system next checks for his machine's hostname in the other machine's /etc/hosts.equiv file. If the hostname is found, the user gains access.
3. If no /etc/hosts.equiv entry is found, the system checks for a line with his host name (and, optionally, username) in the .rhosts file in his home directory on the other machine. If the entry is found, the user gains access.
If no entry is found in either /etc/hosts.equiv or ~USERNAME/.rhosts, but the user is in /etc/passwd, the user is allowed to rlogin to the machine after giving his password, but gets "Permission denied" messages when attempting remote processes like rcp or rsh.
The single exception to this security scenario is the super-user: the system skips the second-level check (/etc/hosts.equiv is not checked), and goes directly to looking at /.rhosts.
So, if you want to allow access to your machine by all users on another specific machine, include an entry for each user in /etc/passwd and include the machine's hostname in your /etc/hosts.equiv file. For example, if my machine's hostname is gaia, and I want to allow anyone on host kepler to gain access to gaia, I simply edit my /etc/hosts.equiv file as follows. The file is just a list of hostnames, one per line:

    core
    ganymede
    krypton

Add kepler's name to the list:

    core
    ganymede
    krypton
    kepler
Now all users who can gain access to kepler can also freely rlogin(1) to gaia (without being asked for a password), and can rcp(1) from and use rsh(1) on gaia, provided they are in gaia's /etc/passwd file.
If you want to allow access to some users on a particular machine but not all, do not put the machine's hostname in /etc/hosts.equiv. Instead, put it in the .rhosts file in each user's home directory on your machine (~USERNAME/.rhosts). Note that, to avoid some security problems, this file must be owned by either this user or root, and must not be a symbolic link. The .rhosts file has a slightly different format than /etc/hosts.equiv: /etc/hosts.equiv accepts only hostnames; .rhosts accepts a hostname and, optionally, a user name on each line. Format is best illustrated by an example. I can allow user donald at host canard to have access to my machine, gaia, and keep other users of canard out by (1) removing other users' entries from /etc/passwd (or changing their passwords), (2) making sure canard is not in my /etc/hosts.equiv file, and (3) adding an entry for donald at canard to /usr/donald/.rhosts. The entry looks like this:

    canard donald

Note also that this means donald only has access when he's coming from canard; if he tries to use gaia from another host, he must know his password to be able to rlogin and can't complete
6-4 Revision H of 12 March 1984