
6.15 The rhosts module

Synopsis

Module Name:

pam_rhosts_auth

Author:

Al Longyear <longyear@netcom.com>

Maintainer:

Management groups provided:

authentication

Cryptographically sensitive:

Security rating:

Clean code base:

Clean.

System dependencies:

Network aware:

Standard inet_addr(), gethostbyname() function calls.

Overview of module

This module performs the standard network authentication for services, as used by traditional implementations of rlogin and rsh etc.

Authentication component

Recognized arguments:

no_hosts_equiv; no_rhosts; debug; no_warn

Description:

The authentication mechanism of this module is based on the contents of two files: /etc/hosts.equiv (or _PATH_HEQUIV from #include <netdb.h>) and ~/.rhosts. Firstly, hosts listed in the former file are treated as equivalent to the localhost. Secondly, entries in the user's own copy of the latter file are used to map "remote-host remote-user" pairs to that user's account on the current host. Access is granted to the user if their host is present in /etc/hosts.equiv and their remote account name is identical to their local one, or if their remote account has an entry in their personal configuration file.

Some restrictions are applied to the attributes of the user's personal configuration file: it must be a regular file (as defined by S_ISREG(x) of POSIX.1); it must be owned by the superuser or the user; it must not be writable by any user besides its owner.

The module authenticates a remote user (internally specified by the item PAM_RUSER) connecting from the remote host (internally specified by the item PAM_RHOST). Accordingly, for applications to be compatible with this authentication module, they must set these items prior to calling pam_authenticate(). The module is not capable of independently probing the network connection for such information.

Note, the name "root" is hard-wired into the program (XXX - this should be reconfigurable with a configuration option). Caution is needed where the local superuser goes by another name. In the case of root access, the /etc/hosts.equiv file is ignored. Instead, the superuser must have a correctly configured personal configuration file.
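As an added illustration (not the module's own code), the following Python models the decision rules described above: hosts.equiv equivalence for identical account names, the ~/.rhosts "remote-host remote-user" mapping, the file-attribute checks on ~/.rhosts, and the hard-wired root exception. The host names, user names and file contents are constructed samples; it handles only one-field hosts.equiv lines and two-field .rhosts lines, and the `no_hosts_equiv`/`no_rhosts` parameters stand in for the module arguments of the same names.

```python
import os
import stat
import tempfile

def rhosts_file_ok(path, uid):
    """Attribute checks for ~/.rhosts: a regular file, owned by root
    or by the user, and not writable by anyone besides its owner."""
    try:
        st = os.lstat(path)          # lstat: a symlink is not S_ISREG
    except OSError:
        return False
    if not stat.S_ISREG(st.st_mode):
        return False
    if st.st_uid not in (0, uid):
        return False
    return not st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)

def entries(text):
    """Whitespace-separated fields per line, '#' comments dropped."""
    out = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields:
            out.append(tuple(fields))
    return out

def rhosts_auth(ruser, rhost, luser, luid, hosts_equiv, rhosts_path,
                no_hosts_equiv=False, no_rhosts=False):
    # hosts.equiv: the host is equivalent to localhost, so the same
    # account name is accepted. Ignored entirely when the local user is root.
    if not no_hosts_equiv and luser != "root":
        if (rhost,) in entries(hosts_equiv) and ruser == luser:
            return True
    # ~/.rhosts: "remote-host remote-user" pairs mapped to this account,
    # consulted only if the file passes the attribute checks.
    if not no_rhosts and rhosts_file_ok(rhosts_path, luid):
        with open(rhosts_path) as f:
            if (rhost, ruser) in entries(f.read()):
                return True
    return False

def demo():
    """Constructed scenario; returns the decision for six cases."""
    uid, he = os.getuid(), "trusted.example   # constructed sample\n"
    with tempfile.TemporaryDirectory() as home:
        rh = os.path.join(home, ".rhosts")
        with open(rh, "w") as f:
            f.write("partner.example alice2\n")
        os.chmod(rh, 0o600)
        a = rhosts_auth("alice", "trusted.example", "alice", uid, he, rh)
        b = rhosts_auth("bob", "trusted.example", "alice", uid, he, rh)
        c = rhosts_auth("alice2", "partner.example", "alice", uid, he, rh)
        d = rhosts_auth("alice2", "partner.example", "alice", uid, he, rh, no_rhosts=True)
        e = rhosts_auth("root", "trusted.example", "root", uid, he, home + "/none")
        os.chmod(rh, 0o666)      # now group/world writable: must be ignored
        w = rhosts_auth("alice2", "partner.example", "alice", uid, he, rh)
    return (a, b, c, d, e, w)
```

Running `demo()` returns `(True, False, True, False, False, False)`: the only grants are the identical-name login from the hosts.equiv host and the explicit .rhosts pair, and the .rhosts grant disappears under `no_rhosts` or once the file becomes writable by others.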

The behavior of the module is modified by flags:

Examples/suggested usage:

To allow users to login from trusted remote machines, you should try adding the following line to your /etc/pam.conf file before the line that would otherwise prompt the user for a password:

#
# No passwords required for users from hosts listed above.
#
login  auth  sufficient  pam_rhosts_auth.so no_rhosts

Note, in this example, the system administrator has turned off all personal rhosts configuration files. Also note that this module can be used to allow remote login only from hosts specified in the /etc/hosts.equiv file, by replacing sufficient in the above example with required.
