Diffstat (limited to 'modules/pam_rhosts/README')
1 files changed, 40 insertions, 41 deletions
diff --git a/modules/pam_rhosts/README b/modules/pam_rhosts/README
index d2e93d1d..b1911785 100644
@@ -1,57 +1,56 @@
+pam_rhosts — The rhosts PAM module
-There are positive entries, when one is matched authentication
-succeeds and terminates. There are negative entries, when one is
-matched authentication fails and terminates. Thus order is
+This module performs the standard network authentication for services, as used
+by traditional implementations of rlogin and rsh etc.
-Entry hosts.equiv .rhosts
-<host> All users on <host> are ok Same username from <host> is ok
-<host> <user> <user> from <host> is ok ditto
--<host> No users from <host> are ok ditto
-<host> -<user> <user> from <host> is not ok ditto
+The authentication mechanism of this module is based on the contents of two
+files; /etc/hosts.equiv (or and ~/.rhosts. Firstly, hosts listed in the former
+file are treated as equivalent to the localhost. Secondly, entries in the
+user's own copy of the latter file is used to map "remote-host remote-user"
+pairs to that user's account on the current host. Access is granted to the user
+if their host is present in /etc/hosts.equiv and their remote account is
+identical to their local one, or if their remote account has an entry in their
+personal configuration file.
-<host> can be ip (IPv4) numbers.
+The module authenticates a remote user (internally specified by the item
+PAM_RUSER connecting from the remote host (internally specified by the item
+PAM_RHOST). Accordingly, for applications to be compatible this authentication
+module they must set these items prior to calling pam_authenticate(). The
+module is not capable of independently probing the network connection for such
-Netgroups may be used in either host or user fields, and then applies
-to all hosts, or users, in the netgroup. The syntax is
+ Print debug information.
- <host> +@<ng>
- +@<ng> +@<ng>
- +@<ng> <user>
-means exactly what you think it does. Negative entries are of the
+ Don't print informative messages.
-When the "promiscuous" option is given the special character + may be
-used as a wildcard in any field.
+ Handle account as root.
- + Allow anyone from any host to connect. DANGEROUS.
- + + Ditto.
- + <user> Allow the user to connect from anywhere. DANGEROUS.
- <host> + Allow any user from the host. Dangerous.
-These, perhaps more useful, forms of the + form is also disallowed
-unless "promiscuous" is specified:
- + -<user> Disallow the user from any host
- + -@<ng> Disallow all members of the netgroup from any host
+To grant a remote user access by /etc/hosts.equiv or .rhosts for rsh add the
+following lines to /etc/pam.d/rsh:
-When "promiscuous" is not specified a '+' is handled as a negative
+auth required pam_rhosts.so
+auth required pam_nologin.so
+auth required pam_env.so
+auth required pam_unix.so
+pam_rhosts was written by Thorsten Kukuk <email@example.com>
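Review bot: the removed lines that documented entry semantics (positive and negative entries, the fact that order matters, netgroup syntax, and the "+" wildcard forms marked DANGEROUS under "promiscuous") have no counterpart in the added text, so an administrator reading the new README can no longer tell how a "+" or "-<host>" line in /etc/hosts.equiv or ~/.rhosts will be treated. Consider keeping a short paragraph on the file format and the wildcard risk, or stating where that format is now documented. The added description also needs a proofreading pass: "/etc/hosts.equiv (or and ~/.rhosts" has a stray "(or" and an unclosed parenthesis, "(internally specified by the item PAM_RUSER connecting" is missing its closing parenthesis, "entries in the user's own copy of the latter file is used" should read "are used", and "to be compatible this authentication module" is missing "with". The sentence ending "probing the network connection for such" also appears to break off without its object. Finally, the option descriptions ("Print debug information.", "Don't print informative messages.", "Handle account as root.") appear here without the option names they describe, which is worth checking in the generated output.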