/etc/hosts.equiv & .rhosts


Can anyone give an example of configuring the .rhosts file so that
I can allow some trusted computers in my LAN to access my Ubuntu 8.04
machine via telnet or ssh without having to enter a password?

BTW, there is no /etc/hosts.equiv file on my machine, so will I have to
create it?

Re: /etc/hosts.equiv & .rhosts

aarklon@gmail.com wrote:

man ssh-keygen
man ssh-copy-id


Re: /etc/hosts.equiv & .rhosts

e9427514@student.tuwien.ac.at.invalid (Antonio Batovanja) writes:


Telnet and ssh are different things, and require different config
files. Telnet, as far as I know, always requires a
password. Passwordless commands/login without ssh would be with
rlogin/rcp/rsh. Those use the .rhosts, hosts.allow, and hosts.equiv
files. Some of the rlogin & friends packages I've tried did not work,
and if you want to go this route, I'd say get GNU inetutils:

Read the info files there for setup. 'info rlogin', basically: if you
want to log in at another host, that host needs the first host's name
listed in /etc/hosts.equiv and in .rhosts in the user's home
directory. The user can't be in /etc/nologin. It's been a while since I
set this up, so my details are sketchy; read the info files to be
Unless there's no other way, or special cases permit, better to use
the OpenSSH suite, with ssh for rsh, scp for rcp, and slogin for
rlogin. With those, best to allow key-only login so hackers can't
brute-force passwords. Also strongly consider not sticking the daemon
on port 22 as it WILL be messed with all day long. Generate ssh
user keys on two machines using the ssh-keygen tool. These populate
the ~/.ssh/ directory. On the machine you want to log in to, take the
PUBLIC key and send it to that host: cat id_rsa.pub >>
~/.ssh/authorized_keys, and also with key id_dsa.pub, and also, if
desired, identity.pub, all into that authorized_keys file. Now when you
log in from your host, you will use your private key to the remote
host's public key you just copied over.

If you don't have daemon keys made, you need to make those first. They
are the ssh_host_* keys in /etc/ssh/

If your systems are multi-homed, set ListenAddress to the IP/interface
you want it to listen on. The below is an internal machine, which I
allow root keyed login on. External machines I do not allow any root
login on.

## Secure Shell Server
## Configuration file
## This file specifies how the sshd daemon operates.
## $OpenBSD: sshd_config,v 1.69 2004/05/23 23:59:53 dtucker Exp $
Port 7000
# Protocol 2 only
Protocol 2
#ListenAddress ::
# HostKey for protocol version 1
HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 1h
ServerKeyBits           768
# Logging. Obsoletes QuietMode
# and FascistLogging
SyslogFacility          AUTH
LogLevel                INFO
# Authentication:
LoginGraceTime          2m
PermitRootLogin         yes
RSAAuthentication       yes
PubkeyAuthentication    yes
AuthorizedKeysFile      .ssh/authorized_keys
# For this to work you will also need
# host keys in /etc/ssh/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
PermitEmptyPasswords no
# Change to no to disable s/key passwords
ChallengeResponseAuthentication yes
AllowTcpForwarding yes
GatewayPorts no
X11Forwarding yes
X11DisplayOffset 5
X11UseLocalhost yes
PrintMotd yes
PrintLastLog yes
TCPKeepAlive yes
UseLogin no
UsePrivilegeSeparation yes
PermitUserEnvironment yes
Compression yes
ClientAliveInterval 0
ClientAliveCountMax 3
UseDNS yes
PidFile /var/run/sshd.pid
MaxStartups 3
# Default system banner
Banner          /etc/issue.net
# The sftp subsystem
Subsystem       sftp    /usr/libexec/sftp-server
# Specifically name who can use SSH
AllowUsers user1 user2 user3 user4
AllowGroups group1 group2 group3
# And who never can. I've added some of those dumb
# names people try, just to make sure that someone/thing
# never uses those names at some time
DenyUsers bin daemon adm sync shutdown halt mail news uucp operator games ftp fcron smmsp mysql rpc sshd nobody guest Guest GUEST test Test TEST nouser user owner admin administrator apache www wwwrun wine windows smb samba swat cybase httpd uucp UUCP pop sunrpc mailnull

If you change ports like shown here, set which hosts need changed
ports in the ssh_config file so you don't have to keep keying it in on
the command line. Remove Protocol version 1 if you don't want that,
but some machines may need it. This says when we login to
'different.port.host.com', automatically look for the daemon at Port
7000, and in the usual place for all the others.

## Any configuration value is only changed the first time it is set.
## Thus, host-specific definitions should be at the beginning of the
## configuration file, and defaults at the end.

## Specification for host different.port.host.com
Host different.port.host.com
        ForwardAgent yes
        ForwardX11 yes
        RhostsRSAAuthentication no
        RSAAuthentication yes
        PasswordAuthentication no
        HostbasedAuthentication no
        BatchMode no
        CheckHostIP yes
        AddressFamily any
        ConnectTimeout 0
        StrictHostKeyChecking ask
        IdentityFile ~/.ssh/identity
        IdentityFile ~/.ssh/id_rsa
        IdentityFile ~/.ssh/id_dsa
        Port 7000
        Protocol 2,1
        Cipher 3des
        EscapeChar ~

## Site-wide defaults for various options
Host *
        ForwardAgent yes
        ForwardX11 yes
        EnableSSHKeysign yes
        RhostsRSAAuthentication no
        RSAAuthentication yes
        PasswordAuthentication no
        HostbasedAuthentication no
        BatchMode no
        CheckHostIP yes
        AddressFamily any
        ConnectTimeout 0
        StrictHostKeyChecking ask
        IdentityFile ~/.ssh/identity
        IdentityFile ~/.ssh/id_rsa
        IdentityFile ~/.ssh/id_dsa
        Port 22
        Protocol 2,1
        Cipher 3des
        EscapeChar ~

Read the manpages over, of course, as well. You *can* use
telnet/rlogin and friends, just be aware that if an attacker is
sitting in between you and your remote target with a sniffer, they
will be collecting any password to any attack you attempt
telnet/rlogin/etc with. Most times ssh is the better option. You can
put your ssh keys on a small USB stick (FAT filesystem) that will work
on all common PCs. MacOSX, Windows, and Linux all share the FAT

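An added example in POSIX sh, written for this thread and not taken from any poster: an idempotent version of the "cat id_rsa.pub >> ~/.ssh/authorized_keys" step above, plus an audit of an sshd_config against the directives the key-only setup depends on. All paths are parameters; the last audit check (ChallengeResponseAuthentication no) is stricter than the poster's own file because, with PAM enabled, leaving it "yes" still allows keyboard-interactive password prompts.

```shell
#!/bin/sh
# Added example, not code from the thread.

# Append a public key to an authorized_keys file unless it is already there,
# keeping the permissions sshd insists on (dir 700, file 600).
# Returns 0 if the key was appended, 1 if it was already present.
install_pubkey() {            # $1 = id_*.pub, $2 = authorized_keys
    dir=$(dirname "$2")
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$2" && chmod 600 "$2"
    # compare on key type + base64 blob only; the trailing comment may differ
    keyblob=$(awk '{print $1, $2}' "$1")
    if awk '{print $1, $2}' "$2" | grep -qxF "$keyblob"; then
        return 1
    fi
    cat "$1" >> "$2"
}

# sshd uses the first occurrence of a directive; commented lines (first
# field starts with '#') never match. Match blocks are not handled here.
sshd_opt() {                  # $1 = sshd_config, $2 = directive name
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Audit the directives a key-only login setup depends on.
# Prints one PASS/FAIL line per directive; returns the number of failures.
audit_sshd() {                # $1 = sshd_config
    fails=0
    for pair in PubkeyAuthentication=yes PasswordAuthentication=no \
                PermitEmptyPasswords=no IgnoreRhosts=yes \
                HostbasedAuthentication=no Protocol=2 \
                ChallengeResponseAuthentication=no; do
        key=${pair%=*}; want=${pair#*=}
        got=$(sshd_opt "$1" "$key")
        if [ "$got" = "$want" ]; then
            echo "PASS $key $got"
        else
            echo "FAIL $key '${got:-unset}' (want $want)"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}
```

Run audit_sshd against /etc/ssh/sshd_config after editing it; a non-zero exit means at least one directive is missing or set to a value that still permits password logins.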

Re: /etc/hosts.equiv & .rhosts

On 12 Aug, 10:43, aark...@gmail.com wrote:

No: this is comp.os.linux.**security**

Disable telnet and use key pairs for SSH logins.


Re: /etc/hosts.equiv & .rhosts

C. wrote:

Use SSH, and learn to use the 'keychain' tool to manage SSH keys as needed. Or
read up on Kerberized rsh and telnet, and use those.
