Module name: pam_rhosts_auth
Author: Al Longyear <longyear@netcom.com>
Management groups provided: authentication
Clean code base: Clean.
System dependencies: Standard inet_addr(), gethostbyname() function calls.
Network aware: This module performs the standard network authentication for services, as used by traditional implementations of rlogin and rsh etc.
Recognized arguments: no_hosts_equiv; no_rhosts; debug; no_warn
The authentication mechanism of this module is based on the contents
of two files: /etc/hosts.equiv (or _PATH_HEQUIV from
#include <netdb.h>) and ~/.rhosts. Firstly, hosts listed in the former
file are treated as equivalent to the localhost. Secondly, entries in the
user's own copy of the latter file are used to map "remote-host remote-user"
pairs to that user's account on the current host. Access is granted to the
user if their host is present in /etc/hosts.equiv and their remote account
name is identical to their local one, or if the "remote-host remote-user"
pair has an entry in their personal configuration file.
Some restrictions are applied to the attributes of the user's personal
configuration file: it must be a regular file (as defined by
S_ISREG(x) of POSIX.1); it must be owned by the superuser or
the user; it must not be writable by any user besides its owner. A
~/.rhosts that fails these checks is not consulted, since anyone able to
write to it could grant themselves password-less access to the account.
The module authenticates a remote user (internally specified by the
item PAM_RUSER) connecting from the remote host (internally
specified by the item PAM_RHOST). Accordingly, for applications
to be compatible with this authentication module they must set these items
prior to calling pam_authenticate(). The module is not capable
of independently probing the network connection for such information.
Note, the name "root" is hard-wired into the program (XXX - this
should be reconfigurable with a configuration option). Caution
should be used in the case that the local superuser goes by another
name. In the case of root access, the /etc/hosts.equiv
file is ignored. Instead, the superuser must have a correctly
configured personal configuration file.
The behavior of the module is modified by flags:
debug - log more information to syslog(3). (XXX - actually, this module
does not do any logging currently, please volunteer to fix this!)
no_warn - do not give verbal warnings to the user about failures etc. (XXX -
this module currently does not issue any warnings, please volunteer to
fix this!)
no_hosts_equiv - ignore the contents of the /etc/hosts.equiv file.
no_rhosts - ignore the contents of all users' personal configuration files
~/.rhosts.
To allow users to log in from trusted remote machines, you should try
adding the following line to your /etc/pam.conf file
before the line that would otherwise prompt the user for a
password:
#
# No passwords required for users from hosts listed above.
#
login auth sufficient pam_rhosts_auth.so no_rhosts
Note, in this example, the system administrator has turned off all
personal rhosts configuration files. Also note that this module
can be used to allow remote login only from hosts specified in
the /etc/hosts.equiv file, by replacing sufficient in the
above example with required.