* [patch] hosts.equiv.5: Fix format, clarify IdM needs, and provide examples.
@ 2015-05-24  4:58 Carlos O'Donell
       [not found] ` <55615A71.4010600-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
  0 siblings, 1 reply; 17+ messages in thread
From: Carlos O'Donell @ 2015-05-24  4:58 UTC (permalink / raw)
  To: linux-man-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
	Michael Kerrisk, Arjun Shankar, Siddhesh Poyarekar

Arjun,

As promised. Does this look good to you?

Michael,

In some recent work with a Red Hat customer I had the opportunity
to discuss the fine nuances of the ruserok() function and related
API which are used to implement rlogin and rsh.

It came to my attention after working with QE on some automated
internal testing that there were no good examples in the hosts.equiv
manual page showing how the format was supposed to work for this
file and for ~/.rhosts; worse, the "format" line showed that there
should be spaces between arguments when that would clearly lead
to incorrect behaviour. In addition, some things that the format
allows you to write are just wrong like "-host -user" which makes
no sense since the host is already rejected, and should be written
as "host -user" instead. I added notes in the example to make it
clear that "-host -user" is invalid.

I fixed three things:

(a) The format line.
- Either +, or [-]hostname, or +@netgrp or -@netgrp.
- Either +, or [-]username, or +@netgrp or -@netgrp.
- You must specify something in the hostname portion so remove
  optional brackets.

(b) Clarify language around credentials
- If the host is not trusted you must provide credentials to
  the login system and that could be anything really and it
  depends on your configuration e.g. PAM or whatever IdM you have.

(c) Provide real-world examples
- Provide several real world examples and some corner case
  examples for how you would write something. Hopefully others
  can add examples as they see fit.

Patch applies to trunk.

Signed-off-by: Carlos O'Donell <carlos-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>

diff --git a/man5/hosts.equiv.5 b/man5/hosts.equiv.5
index 89d0b4a..c8e85ac 100644
--- a/man5/hosts.equiv.5
+++ b/man5/hosts.equiv.5
@@ -22,7 +22,7 @@ supplying a password.
 .PP
 The file uses the following format:
 .TP
-\fI[ + | \- ]\fP \fI[hostname]\fP \fI[username]\fP
+\fI+|[\-]hostname|+@netgroup|\-@netgroup\fP \fI[+|[\-]username|+@netgroup|\-@netgroup]\fP
 .PP
 The
 .I hostname
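Review bot: the new format line `\fI+|[\-]hostname|+@netgroup|\-@netgroup\fP ...` is one unbroken italic run, so a reader cannot tell which `|` separates alternatives and where the mandatory hostname field ends and the optional username field begins. Consider listing the four hostname forms and the four username forms as separate .TP items under the format line, and state explicitly that the hostname field is required (the commit message says so) while the whole username field is optional, which is what the outer square brackets are meant to express.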
@@ -37,9 +37,9 @@ If the plus sign is used alone, it allows any host to access your system.
 You can explicitly deny access to a host by preceding the
 .I hostname
 by a minus (\-) sign.
-Users from that host must always supply a password.
-For security reasons you should always use the FQDN of the hostname and
-not the short hostname.
+Users from that host must always supply additional credentials,
+including possibly a password. For security reasons you should always
+use the FQDN of the hostname and not the short hostname.
 .PP
 The
 .I username
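Review bot: "must always supply additional credentials, including possibly a password" is vaguer than the sentence it replaces; the commit message says that what is required depends on how the login system is configured (PAM or another IdM), so say that here instead of "possibly". Also keep each sentence on its own line as the removed text did: "For security reasons ..." now starts mid-line after "password.", against the page's one-sentence-per-line layout.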
@@ -81,6 +81,112 @@ character which means "any host" only when the word
 is added to the auth component line in your PAM file for
 the particular service
 .RB "(e.g., " rlogin ).
+.SH EXAMPLE
+Here are some example
+.I /etc/host.equiv
+or
+.I ~/.rhosts
+files:
+.TP
+Allow any user to login from any host:
+.LP
+.RS 4
+.TP
++
+.PD
+.RE
+.TP
+Allow any user from host with a matching local account to login:
+.LP
+.RS 4
+.TP
+host
+.PD
+.RE
+.PP
+Note: The use of
+.B +host
+is never a valid syntax, including attempting to specify that any user from the host is allowed.
+.TP
+Allow any user from host to login:
+.LP
+.RS 4
+.TP
+host +
+.PD
+.RE
+.PP
+Note: This is distinct from the previous example since it does not require a matching local account.
+.TP
+Allow user from host to login:
+.LP
+.RS 4
+.TP
+host user
+.PD
+.RE
+.TP
+Allow all users with matching local accounts from host to login except for baduser:
+.LP
+.RS 4
+.PD 0
+.TP
+host -baduser
+.TP
+host
+.PD
+.RE
+.TP
+Deny all users from host:
+.LP
+.RS 4
+.TP
+-host
+.PD
+.RE
+.PP
+Note: The use of
+.B -host -user
+is never a valid syntax, including attempting to specify that a particular user from the host is not trusted.
+.TP
+Allow all users with matching local accounts in all hosts in the netgroup:
+.LP
+.RS 4
+.TP
++@netgroup
+.PD
+.RE
+.TP
+Disallow all users in all hosts in the netgroup:
+.LP
+.RS 4
+.TP
+-@netgroup
+.PD
+.RE
+.TP
+Allow all users in netgroup to login from host:
+.LP
+.RS 4
+.TP
+host +@netgroup
+.PD
+.RE
+.TP
+Allow all users with matching local accounts in all hosts in the netgroup except baduser:
+.LP
+.RS 4
+.PD 0
+.TP
++@netgroup -baduser
+.TP
++@netgroup
+.PD
+.RE
+.TP
+Note: The deny statements must always preceed the allow statements because the file is processed one line at a time.
+
+
 .SH SEE ALSO
 .BR rhosts (5),
 .BR rlogind (8),
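Review bot: the ordering rule at the end of the new section is stated but not justified, and the section has several typos. "because the file is processed one line at a time" does not explain why deny lines must come first; say that evaluation stops at the first line that matches, which is exactly what the `host -baduser` / `host` pair illustrates. `.I /etc/host.equiv` should read `/etc/hosts.equiv`, "preceed" should be "precede", the final Note sits under a `.TP` with no tag (use `.PP` like the other Notes), and the two blank lines before `.SH SEE ALSO` will be flagged by man-page lint. On "Allow user from host to login:", the entry `host user` admits the named remote user to any local account, not only the like-named one; the heading should say so.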
--
To unsubscribe from this list: send the line "unsubscribe linux-man" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


* Re: [patch] hosts.equiv.5: Fix format, clarify IdM needs, and provide examples.
       [not found] ` <55615A71.4010600-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
@ 2015-06-16 10:06   ` Michael Kerrisk (man-pages)
       [not found]     ` <557FF511.7040500-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
  2015-06-17  8:50   ` Michael Kerrisk (man-pages)
  1 sibling, 1 reply; 17+ messages in thread
From: Michael Kerrisk (man-pages) @ 2015-06-16 10:06 UTC (permalink / raw)
  To: Carlos O'Donell,
	linux-man-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, Arjun Shankar,
	Siddhesh Poyarekar
  Cc: mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w

On 05/24/2015 06:58 AM, Carlos O'Donell wrote:
> Arjun,
> 
> As promised. Does this look good to you?

Just a note: I'm hoping for a response from Arjun before I commit this.

Cheers,

Michael



-- 
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/


* Re: [patch] hosts.equiv.5: Fix format, clarify IdM needs, and provide examples.
       [not found]     ` <557FF511.7040500-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
@ 2015-06-16 21:15       ` Carlos O'Donell
       [not found]         ` <558091DD.30004-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
  0 siblings, 1 reply; 17+ messages in thread
From: Carlos O'Donell @ 2015-06-16 21:15 UTC (permalink / raw)
  To: Michael Kerrisk (man-pages),
	linux-man-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, Arjun Shankar,
	Siddhesh Poyarekar

On 06/16/2015 06:06 AM, Michael Kerrisk (man-pages) wrote:
> On 05/24/2015 06:58 AM, Carlos O'Donell wrote:
>> Arjun,
>>
>> As promised. Does this look good to you?
> 
> Just a note: I'm hoping for a response from Arjun before I commit this.

Hope is not a plan :-)

I do not feel that a response from Arjun is required,
and if I missed any cases that Arjun considers should
be described in more detail we can add those later.

Please apply.

Cheers,
Carlos.



* Re: [patch] hosts.equiv.5: Fix format, clarify IdM needs, and provide examples.
       [not found]         ` <558091DD.30004-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
@ 2015-06-17  7:10           ` Michael Kerrisk (man-pages)
  2015-06-17 16:17           ` Arjun Shankar
  1 sibling, 0 replies; 17+ messages in thread
From: Michael Kerrisk (man-pages) @ 2015-06-17  7:10 UTC (permalink / raw)
  To: Carlos O'Donell,
	linux-man-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, Arjun Shankar,
	Siddhesh Poyarekar
  Cc: mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w

On 06/16/2015 11:15 PM, Carlos O'Donell wrote:
> On 06/16/2015 06:06 AM, Michael Kerrisk (man-pages) wrote:
>> On 05/24/2015 06:58 AM, Carlos O'Donell wrote:
>>> Arjun,
>>>
>>> As promised. Does this look good to you?
>>
>> Just a note: I'm hoping for a response from Arjun before I commit this.
> 
> Hope is not a plan :-)
> 
> I do not feel that a response from Arjun is required,
> and if I missed any cases that Arjun considers should
> be described in more detail we can add those later.
> 
> Please apply.

Fair enough -- I'll apply.

Cheers,

Michael


-- 
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/


* Re: [patch] hosts.equiv.5: Fix format, clarify IdM needs, and provide examples.
       [not found] ` <55615A71.4010600-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
  2015-06-16 10:06   ` Michael Kerrisk (man-pages)
@ 2015-06-17  8:50   ` Michael Kerrisk (man-pages)
       [not found]     ` <558134D3.2010603-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
  1 sibling, 1 reply; 17+ messages in thread
From: Michael Kerrisk (man-pages) @ 2015-06-17  8:50 UTC (permalink / raw)
  To: Carlos O'Donell,
	linux-man-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, Arjun Shankar,
	Siddhesh Poyarekar
  Cc: mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w

Hi Carlos,

I've applied this patch, making a number of formatting changes along
the way. You might want to review the (rendered) result.

One other comment below.

On 05/24/2015 06:58 AM, Carlos O'Donell wrote:
> Arjun,
> 
> As promised. Does this look good to you?
> 
> Michael,
> 
> In some recent work with a Red Hat customer I had the opportunity
> to discuss the fine nuances of the ruserok() function and related
> API which are used to implement rlogin and rsh.
> 
> It came to my attention after working with QE on some automated
> internal testing that there were no good examples in the hosts.equiv
> manual page showing how the format was supposed to work for this
> file and for ~/.rhosts; worse, the "format" line showed that there
> should be spaces between arguments when that would clearly lead
> to incorrect behaviour. In addition, some things that the format
> allows you to write are just wrong like "-host -user" which makes
> no sense since the host is already rejected, and should be written
> as "host -user" instead. I added notes in the example to make it
> clear that "-host -user" is invalid.
> 
> I fixed three things:
> 
> (a) The format line.
> - Either +, or [-]hostname, or +@netgrp or -@netgrp.
> - Either +, or [-]username, or +@netgrp or -@netgrp.
> - You must specify something in the hostname portion so remove
>   optional brackets.
> 
> (b) Clarify language around credentials
> - If the host is not trusted you must provide credentials to
>   the login system and that could be anything really and it
>   depends on your configuration e.g. PAM or whatever IdM you have.
> 
> (c) Provide real-world examples
> - Provide several real world examples and some corner case
>   examples for how you would write something. Hopefully others
>   can add examples as they see fit.
> 
> Patch applies to trunk.
> 
> Signed-off-by: Carlos O'Donell <carlos-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
> 
> diff --git a/man5/hosts.equiv.5 b/man5/hosts.equiv.5
> index 89d0b4a..c8e85ac 100644
> --- a/man5/hosts.equiv.5
> +++ b/man5/hosts.equiv.5
> @@ -22,7 +22,7 @@ supplying a password.
>  .PP
>  The file uses the following format:
>  .TP
> -\fI[ + | \- ]\fP \fI[hostname]\fP \fI[username]\fP
> +\fI+|[\-]hostname|+@netgroup|\-@netgroup\fP \fI[+|[\-]username|+@netgroup|\-@netgroup]\fP
>  .PP
>  The
>  .I hostname
> @@ -37,9 +37,9 @@ If the plus sign is used alone, it allows any host to access your system.
>  You can explicitly deny access to a host by preceding the
>  .I hostname
>  by a minus (\-) sign.
> -Users from that host must always supply a password.
> -For security reasons you should always use the FQDN of the hostname and
> -not the short hostname.
> +Users from that host must always supply additional credentials,
> +including possibly a password. For security reasons you should always
> +use the FQDN of the hostname and not the short hostname.
>  .PP
>  The
>  .I username
> @@ -81,6 +81,112 @@ character which means "any host" only when the word
>  is added to the auth component line in your PAM file for
>  the particular service
>  .RB "(e.g., " rlogin ).
> +.SH EXAMPLE
> +Here are some example
> +.I /etc/host.equiv
> +or
> +.I ~/.rhosts
> +files:
> +.TP
> +Allow any user to login from any host:
> +.LP
> +.RS 4
> +.TP
> ++
> +.PD
> +.RE
> +.TP
> +Allow any user from host with a matching local account to login:
> +.LP
> +.RS 4
> +.TP
> +host
> +.PD
> +.RE
> +.PP
> +Note: The use of
> +.B +host
> +is never a valid syntax, including attempting to specify that any user from the host is allowed.
> +.TP
> +Allow any user from host to login:
> +.LP
> +.RS 4
> +.TP
> +host +
> +.PD
> +.RE
> +.PP
> +Note: This is distinct from the previous example since it does not require a matching local account.
> +.TP
> +Allow user from host to login:
> +.LP
> +.RS 4
> +.TP
> +host user
> +.PD
> +.RE
> +.TP
> +Allow all users with matching local accounts from host to login except for baduser:
> +.LP
> +.RS 4
> +.PD 0
> +.TP
> +host -baduser
> +.TP
> +host
> +.PD
> +.RE
> +.TP
> +Deny all users from host:
> +.LP
> +.RS 4
> +.TP
> +-host
> +.PD
> +.RE
> +.PP
> +Note: The use of
> +.B -host -user
> +is never a valid syntax, including attempting to specify that a particular user from the host is not trusted.
> +.TP
> +Allow all users with matching local accounts in all hosts in the netgroup:
> +.LP
> +.RS 4
> +.TP
> ++@netgroup
> +.PD
> +.RE
> +.TP
> +Disallow all users in all hosts in the netgroup:
> +.LP
> +.RS 4
> +.TP
> +-@netgroup
> +.PD
> +.RE
> +.TP
> +Allow all users in netgroup to login from host:
> +.LP
> +.RS 4
> +.TP
> +host +@netgroup
> +.PD
> +.RE
> +.TP
> +Allow all users with matching local accounts in all hosts in the netgroup except baduser:
> +.LP
> +.RS 4
> +.PD 0
> +.TP
> ++@netgroup -baduser
> +.TP
> ++@netgroup
> +.PD
> +.RE
> +.TP
> +Note: The deny statements must always preceed the allow statements because the file is processed one line at a time.

This last explanation feels incomplete. Should it not be something like:

   The deny statements must always precede the allow statements 
   because the file is processed sequentially until the first
   matching rule is found.

?

> +
> +
>  .SH SEE ALSO
>  .BR rhosts (5),
>  .BR rlogind (8),

Cheers,

Michael
 


-- 
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/


* Re: [patch] hosts.equiv.5: Fix format, clarify IdM needs, and provide examples.
       [not found]         ` <558091DD.30004-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
  2015-06-17  7:10           ` Michael Kerrisk (man-pages)
@ 2015-06-17 16:17           ` Arjun Shankar
  2015-06-17 17:14             ` [patch] hosts.equiv.5: Clarify that `host <user>` enables non-like-named account logins Carlos O'Donell
  2015-06-18  6:34             ` [patch] hosts.equiv.5: Fix format, clarify IdM needs, and provide examples Michael Kerrisk (man-pages)
  1 sibling, 2 replies; 17+ messages in thread
From: Arjun Shankar @ 2015-06-17 16:17 UTC (permalink / raw)
  To: Carlos O'Donell
  Cc: Michael Kerrisk (man-pages),
	linux-man-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
	Siddhesh Poyarekar

> > Just a note: I'm hoping for a response from Arjun before I commit this.
> Hope is not a plan :-)

I see that I got here a little late. This looks good, but I have one
nitpick:

> +Allow user from host to login:
> +.LP
> +.RS 4
> +.TP
> +host user

It might make sense to repeat here that such an entry will allow the
specified user on the remote host to login as *any* user on the local host.

i.e., something like:

-Allow user from host to login:
+Allow user from host to login as any non-root user:

Cheers,
Arjun


* [patch] hosts.equiv.5: Clarify that `host <user>` enables non-like-named account logins.
  2015-06-17 16:17           ` Arjun Shankar
@ 2015-06-17 17:14             ` Carlos O'Donell
       [not found]               ` <5581AAEA.9090709-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
  2015-06-18  6:34             ` [patch] hosts.equiv.5: Fix format, clarify IdM needs, and provide examples Michael Kerrisk (man-pages)
  1 sibling, 1 reply; 17+ messages in thread
From: Carlos O'Donell @ 2015-06-17 17:14 UTC (permalink / raw)
  To: Arjun Shankar
  Cc: Michael Kerrisk (man-pages),
	linux-man-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
	Siddhesh Poyarekar

On 06/17/2015 12:17 PM, Arjun Shankar wrote:
>>> Just a note: I'm hoping for a response from Arjun before I commit this.
>> Hope is not a plan :-)
> 
> I see that I got here a little late. This looks good, but I have one
> nitpick:
> 
>> +Allow user from host to login:
>> +.LP
>> +.RS 4
>> +.TP
>> +host user
> 
> It might make sense to repeat here that such an entry will allow the
> specified user on the remote host to login as *any* user on the local host.
> 
> i.e., something like:
> 
> -Allow user from host to login:
> +Allow user from host to login as any non-root user:

Good point.

Signed-off-by: Carlos O'Donell <carlos-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>

diff --git a/man5/hosts.equiv.5 b/man5/hosts.equiv.5
index b6ecb94..9ee0e6e 100644
--- a/man5/hosts.equiv.5
+++ b/man5/hosts.equiv.5
@@ -116,7 +116,7 @@ Allow
 .I user
 from
 .I host
-to login:
+to login as any non-root user:
 
     host user
 
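Review bot: "as any non-root user" narrows Arjun's suggested "as *any* user" without telling the reader why root is excluded; the hunk gives no reason, so add a sentence explaining the exclusion, or the qualifier will look like a typo to someone who has not read this thread.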
@@ -152,7 +152,8 @@ Disallow all users on all hosts in a
 Allow all users in a
 .I netgroup
 to log in from
-.IR host :
+.IR host
+as any non-root user:
 
     host +@netgroup
 
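Review bot: with the colon moved to the following line, `.IR host` has only one argument and no longer needs the alternating italic/roman macro; `.I host` is the idiomatic form. The wording change itself is consistent with the first hunk, so both examples that admit a remote user now carry the same "as any non-root user" qualifier.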
---

Cheers,
Carlos.


* Re: [patch] hosts.equiv.5: Fix format, clarify IdM needs, and provide examples.
  2015-06-17 16:17           ` Arjun Shankar
  2015-06-17 17:14             ` [patch] hosts.equiv.5: Clarify that `host <user>` enables non-like-named account logins Carlos O'Donell
@ 2015-06-18  6:34             ` Michael Kerrisk (man-pages)
       [not found]               ` <CAKgNAkjK89FgqHPMp2znUvO2jYyiHmTreLPZc7DwG8LV-RP33w-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
  1 sibling, 1 reply; 17+ messages in thread
From: Michael Kerrisk (man-pages) @ 2015-06-18  6:34 UTC (permalink / raw)
  To: Arjun Shankar
  Cc: Carlos O'Donell,
	linux-man-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
	Siddhesh Poyarekar

On 17 June 2015 at 18:17, Arjun Shankar <arjun-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> wrote:
>> > Just a note: I'm hoping for a response from Arjun before I commit this.
>> Hope is not a plan :-)
>
> I see that I got here a little late. This looks good, but I have one
> nitpick:
>
>> +Allow user from host to login:
>> +.LP
>> +.RS 4
>> +.TP
>> +host user
>
> It might make sense to repeat here that such an entry will allow the
> specified user on the remote host to login as *any* user on the local host.
>
> i.e., something like:
>
> -Allow user from host to login:
> +Allow user from host to login as any non-root user:

Arjun: thanks. I've made that change.

Carlos: when you have a moment, please review the current draft in Git
and let me know if my edits injected any errors.

Cheers,

Michael

-- 
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/


* Re: [patch] hosts.equiv.5: Clarify that `host <user>` enables non-like-named account logins.
       [not found]               ` <5581AAEA.9090709-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
@ 2015-06-18 13:07                 ` Michael Kerrisk (man-pages)
  0 siblings, 0 replies; 17+ messages in thread
From: Michael Kerrisk (man-pages) @ 2015-06-18 13:07 UTC (permalink / raw)
  To: Carlos O'Donell
  Cc: Arjun Shankar, linux-man-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
	Siddhesh Poyarekar

Hi Carlos,


On 17 June 2015 at 19:14, Carlos O'Donell <carlos-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> wrote:
> On 06/17/2015 12:17 PM, Arjun Shankar wrote:
>>>> Just a note: I'm hoping for a response from Arjun before I commit this.
>>> Hope is not a plan :-)
>>
>> I see that I got here a little late. This looks good, but I have one
>> nitpick:
>>
>>> +Allow user from host to login:
>>> +.LP
>>> +.RS 4
>>> +.TP
>>> +host user
>>
>> It might make sense to repeat here that such an entry will allow the
>> specified user on the remote host to login as *any* user on the local host.
>>
>> i.e., something like:
>>
>> -Allow user from host to login:
>> +Allow user from host to login as any non-root user:
>
> Good point.
>
> Signed-off-by: Carlos O'Donell <carlos-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
>
> diff --git a/man5/hosts.equiv.5 b/man5/hosts.equiv.5
> index b6ecb94..9ee0e6e 100644
> --- a/man5/hosts.equiv.5
> +++ b/man5/hosts.equiv.5
> @@ -116,7 +116,7 @@ Allow
>  .I user
>  from
>  .I host
> -to login:
> +to login as any non-root user:
>
>      host user
>
> @@ -152,7 +152,8 @@ Disallow all users on all hosts in a
>  Allow all users in a
>  .I netgroup
>  to log in from
> -.IR host :
> +.IR host
> +as any non-root user:
>
>      host +@netgroup

Okay -- I made this change already after I saw Arjun's comment.

Cheers,

Michael


-- 
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/


* Re: [patch] hosts.equiv.5: Fix format, clarify IdM needs, and provide examples.
       [not found]               ` <CAKgNAkjK89FgqHPMp2znUvO2jYyiHmTreLPZc7DwG8LV-RP33w-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
@ 2015-06-18 13:15                 ` Carlos O'Donell
       [not found]                   ` <5582C459.3020402-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
  0 siblings, 1 reply; 17+ messages in thread
From: Carlos O'Donell @ 2015-06-18 13:15 UTC (permalink / raw)
  To: mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w, Arjun Shankar
  Cc: linux-man-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
	Siddhesh Poyarekar

On 06/18/2015 02:34 AM, Michael Kerrisk (man-pages) wrote:
> Carlos: when you have a moment, please review the current draft in Git
> and let me know if my edits injected any errors.

I don't see a draft branch nor changes to master?

c.


* Re: [patch] hosts.equiv.5: Fix format, clarify IdM needs, and provide examples.
       [not found]                   ` <5582C459.3020402-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
@ 2015-06-18 13:51                     ` Michael Kerrisk (man-pages)
       [not found]                       ` <CAKgNAkhbX+e7vSJrxu0jfGaLESs5G2nEuX1Chaoai_K=X90Jcg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
  0 siblings, 1 reply; 17+ messages in thread
From: Michael Kerrisk (man-pages) @ 2015-06-18 13:51 UTC (permalink / raw)
  To: Carlos O'Donell
  Cc: Arjun Shankar, linux-man-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
	Siddhesh Poyarekar

Hi Carlos,

On 18 June 2015 at 15:15, Carlos O'Donell <carlos-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> wrote:
> On 06/18/2015 02:34 AM, Michael Kerrisk (man-pages) wrote:
>> Carlos: when you have a moment, please review the current draft in Git
>> and let me know if my edits injected any errors.
>
> I don't see a draft branch nor changes to master?

Where are you looking? I can see them at
http://git.kernel.org/cgit/docs/man-pages/man-pages.git

Cheers,

Michael


-- 
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/


* Re: [patch] hosts.equiv.5: Fix format, clarify IdM needs, and provide examples.
       [not found]                       ` <CAKgNAkhbX+e7vSJrxu0jfGaLESs5G2nEuX1Chaoai_K=X90Jcg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
@ 2015-06-18 15:23                         ` Carlos O'Donell
       [not found]                           ` <5582E27D.9070600-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
  0 siblings, 1 reply; 17+ messages in thread
From: Carlos O'Donell @ 2015-06-18 15:23 UTC (permalink / raw)
  To: mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w
  Cc: Arjun Shankar, linux-man-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
	Siddhesh Poyarekar

On 06/18/2015 09:51 AM, Michael Kerrisk (man-pages) wrote:
> Hi Carlos,
> 
> On 18 June 2015 at 15:15, Carlos O'Donell <carlos-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> wrote:
>> On 06/18/2015 02:34 AM, Michael Kerrisk (man-pages) wrote:
>>> Carlos: when you have a moment, please review the current draft in Git
>>> and let me know if my edits injected any errors.
>>
>> I don't see a draft branch nor changes to master?
> 
> Where are you looking? I can see them at
> http://git.kernel.org/cgit/docs/man-pages/man-pages.git

I see the changes now.

You missed the second hunk of my patch which adds the same
text to the +@netgroup example.

With that fixed it's OK.

Cheers,
Carlos.


* Re: [patch] hosts.equiv.5: Fix format, clarify IdM needs, and provide examples.
       [not found]                           ` <5582E27D.9070600-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
@ 2015-06-18 19:20                             ` Michael Kerrisk (man-pages)
  0 siblings, 0 replies; 17+ messages in thread
From: Michael Kerrisk (man-pages) @ 2015-06-18 19:20 UTC (permalink / raw)
  To: Carlos O'Donell
  Cc: mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w, Arjun Shankar,
	linux-man-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
	Siddhesh Poyarekar

On 06/18/2015 05:23 PM, Carlos O'Donell wrote:
> On 06/18/2015 09:51 AM, Michael Kerrisk (man-pages) wrote:
>> Hi Carlos,
>>
>> On 18 June 2015 at 15:15, Carlos O'Donell <carlos-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> wrote:
>>> On 06/18/2015 02:34 AM, Michael Kerrisk (man-pages) wrote:
>>>> Carlos: when you have a moment, please review the current draft in Git
>>>> and let me know if my edits injected any errors.
>>>
>>> I don't see a draft branch nor changes to master?
>>
>> Where are you looking? I can see them at
>> http://git.kernel.org/cgit/docs/man-pages/man-pages.git
> 
> I see the changes now.
> 
> You missed the second hunk of my patch which adds the same
> text to the +@netgroup example.
> 
> With that fixed it's OK.

Oops -- thanks for catching that. Fixed now.

Cheers,

Michael


-- 
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/

* Re: [patch] hosts.equiv.5: Fix format, clarify IdM needs, and provide examples.
       [not found]     ` <558134D3.2010603-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
@ 2015-06-18 19:22       ` Michael Kerrisk (man-pages)
       [not found]         ` <55831A5A.2050407-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
  0 siblings, 1 reply; 17+ messages in thread
From: Michael Kerrisk (man-pages) @ 2015-06-18 19:22 UTC (permalink / raw)
  To: Carlos O'Donell,
	linux-man-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, Arjun Shankar,
	Siddhesh Poyarekar
  Cc: mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w

Hi Carlos,

In this earlier reply, I should have highlighted that there is
one open question I have about your patch, at the end of the mail
below. Could you take a look, please?

Cheers,

Michael


On 06/17/2015 10:50 AM, Michael Kerrisk (man-pages) wrote:
> Hi Carlos,
> 
> I've applied this patch, making a number of formatting changes along
> the way. You might want to review the (rendered) result.
> 
> One other comment below
> On 05/24/2015 06:58 AM, Carlos O'Donell wrote:
>> Arjun,
>>
>> As promised. Does this look good to you?
>>
>> Michael,
>>
>> In some recent work with a Red Hat customer I had the opportunity
>> to discuss the fine nuances of the ruserok() function and related
>> API which are used to implement rlogin and rsh.
>>
>> It came to my attention after working with QE on some automated
>> internal testing that there were no good examples in the hosts.equiv
>> manual page showing how the format was supposed to work for this
>> file and for ~/.rhosts, worse the "format" line showed that there
>> should be spaces between arguments when that would clearly lead
>> to incorrect behaviour. In addition some things that the format
>> allows you to write are just wrong like "-host -user" which makes
>> no sense since the host is already rejected, and should be written
>> as "host -user" instead. I added notes in the example to make it
>> clear that "-host -user" is invalid.
>>
>> I fixed three things:
>>
>> (a) The format line.
>> - Either +, or [-]hostname, or +@netgrp or -@netgrp.
>> - Either +, or [-]username, or +@netgrp or -@netgrp.
>> - You must specify something in the hostname portion so remove
>>   optional brackets.
>>
>> (b) Clarify language around credentials
>> - If the host is not trusted you must provide credentials to
>>   the login system and that could be anything really and it
>>   depends on your configuration e.g. PAM or whatever IdM you have.
>>
>> (c) Provide real-world examples
>> - Provide several real world examples and some corner case
>>   examples for how you would write something. Hopefully others
>>   can add examples as they see fit.
>>
>> Patch applies to trunk.
>>
>> Signed-off-by: Carlos O'Donell <carlos-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
>>
>> diff --git a/man5/hosts.equiv.5 b/man5/hosts.equiv.5
>> index 89d0b4a..c8e85ac 100644
>> --- a/man5/hosts.equiv.5
>> +++ b/man5/hosts.equiv.5
>> @@ -22,7 +22,7 @@ supplying a password.
>>  .PP
>>  The file uses the following format:
>>  .TP
>> -\fI[ + | \- ]\fP \fI[hostname]\fP \fI[username]\fP
>> +\fI+|[\-]hostname|+@netgroup|\-@netgroup\fP \fI[+|[\-]username|+@netgroup|\-@netgroup]\fP
>>  .PP
>>  The
>>  .I hostname
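Review bot: the new .TP format line overloads square brackets: in `[\-]hostname` the brackets mark the minus sign as optional while the hostname itself is mandatory, but in the second field `[+|[\-]username|+@netgroup|\-@netgroup]` the outer brackets mark the whole field as optional, and nothing on the page explains the `|` alternation. Since the cover letter's point is precisely that the host part is required and the user part is not, consider stating that in the .PP text that follows (one sentence listing the permitted host forms, one listing the permitted user forms) instead of relying on the one-line grammar alone.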
>> @@ -37,9 +37,9 @@ If the plus sign is used alone, it allows any host to access your system.
>>  You can explicitly deny access to a host by preceding the
>>  .I hostname
>>  by a minus (\-) sign.
>> -Users from that host must always supply a password.
>> -For security reasons you should always use the FQDN of the hostname and
>> -not the short hostname.
>> +Users from that host must always supply additional credentials,
>> +including possibly a password. For security reasons you should always
>> +use the FQDN of the hostname and not the short hostname.
>>  .PP
>>  The
>>  .I username
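Review bot: "must always supply additional credentials, including possibly a password" is vaguer than the sentence it replaces, because it does not say what decides which credentials are required. The cover letter says this depends on the login configuration (PAM or another IdM), so say that here, for example: "Users from that host must always authenticate through the system's configured login mechanism (for example, PAM), which may include a password." Also, man-pages convention is to start each sentence on a new line in the source, so "For security reasons you should always" should begin its own line rather than continue after "password." on the same line.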
>> @@ -81,6 +81,112 @@ character which means "any host" only when the word
>>  is added to the auth component line in your PAM file for
>>  the particular service
>>  .RB "(e.g., " rlogin ).
>> +.SH EXAMPLE
>> +Here are some example
>> +.I /etc/host.equiv
>> +or
>> +.I ~/.rhosts
>> +files:
>> +.TP
>> +Allow any user to login from any host:
>> +.LP
>> +.RS 4
>> +.TP
>> ++
>> +.PD
>> +.RE
>> +.TP
>> +Allow any user from host with a matching local account to login:
>> +.LP
>> +.RS 4
>> +.TP
>> +host
>> +.PD
>> +.RE
>> +.PP
>> +Note: The use of
>> +.B +host
>> +is never a valid syntax, including attempting to specify that any user from the host is allowed.
>> +.TP
>> +Allow any user from host to login:
>> +.LP
>> +.RS 4
>> +.TP
>> +host +
>> +.PD
>> +.RE
>> +.PP
>> +Note: This is distinct from the previous example since it does not require a matching local account.
>> +.TP
>> +Allow user from host to login:
>> +.LP
>> +.RS 4
>> +.TP
>> +host user
>> +.PD
>> +.RE
>> +.TP
>> +Allow all users with matching local accounts from host to login except for baduser:
>> +.LP
>> +.RS 4
>> +.PD 0
>> +.TP
>> +host -baduser
>> +.TP
>> +host
>> +.PD
>> +.RE
>> +.TP
>> +Deny all users from host:
>> +.LP
>> +.RS 4
>> +.TP
>> +-host
>> +.PD
>> +.RE
>> +.PP
>> +Note: The use of
>> +.B -host -user
>> +is never a valid syntax, including attempting to specify that a particular user from the host is not trusted.
>> +.TP
>> +Allow all users with matching local accounts in all hosts in the netgroup:
>> +.LP
>> +.RS 4
>> +.TP
>> ++@netgroup
>> +.PD
>> +.RE
>> +.TP
>> +Disallow all users in all hosts in the netgroup:
>> +.LP
>> +.RS 4
>> +.TP
>> +-@netgroup
>> +.PD
>> +.RE
>> +.TP
>> +Allow all users in netgroup to login from host:
>> +.LP
>> +.RS 4
>> +.TP
>> +host +@netgroup
>> +.PD
>> +.RE
>> +.TP
>> +Allow all users with matching local accounts in all hosts in the netgroup except baduser:
>> +.LP
>> +.RS 4
>> +.PD 0
>> +.TP
>> ++@netgroup -baduser
>> +.TP
>> ++@netgroup
>> +.PD
>> +.RE
>> +.TP
>> +Note: The deny statements must always preceed the allow statements because the file is processed one line at a time.
> 
> This last explanation feels incomplete. Should it not be something like:
> 
>    The deny statements must always precede the allow statements 
>    because the file is processed sequentially until the first
>    matching rule is found.
> 
> ?
> 
>> +
>> +
>>  .SH SEE ALSO
>>  .BR rhosts (5),
>>  .BR rlogind (8),
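Review bot: the EXAMPLE section names the file `.I /etc/host.equiv`, but the file this page documents is /etc/hosts.equiv (compare the diff's own path, man5/hosts.equiv.5); fix the spelling. In the same region: "preceed" in the final Note should be "precede"; that Note is introduced with `.TP` although it is a paragraph rather than a tagged entry, so it should use `.PP` like the other Notes; the leading minus in `-host`, `-baduser` and `-@netgroup` should be written `\-` as the format line already does, otherwise it renders as a hyphen that cannot be copied into a real file reliably; and the two empty added lines before `.SH SEE ALSO` put blank lines in the troff source, which man-pages style avoids. Finally, the first example describes a bare `+` as "Allow any user to login from any host", while the existing text above says a lone plus sign allows any host; because the user part is absent, the like-named-account rule shown in the `host` example still applies, so the description should say so, or readers will take `+` to mean the same as `+ +`.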
> 
> Cheers,
> 
> Michael
>  
> 
> 


-- 
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/

* Re: [patch] hosts.equiv.5: Fix format, clarify IdM needs, and provide examples.
       [not found]         ` <55831A5A.2050407-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
@ 2015-06-24 14:13           ` Michael Kerrisk (man-pages)
  2015-07-08  5:16           ` Carlos O'Donell
  1 sibling, 0 replies; 17+ messages in thread
From: Michael Kerrisk (man-pages) @ 2015-06-24 14:13 UTC (permalink / raw)
  To: Carlos O'Donell,
	linux-man-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, Arjun Shankar,
	Siddhesh Poyarekar
  Cc: Michael Kerrisk

Ping, Carlos!

On 18 June 2015 at 21:22, Michael Kerrisk (man-pages)
<mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> Hi Carlos,
>
> In this earlier reply, I should have highlighted that there is
> one open question I have about your patch, at the end of the mail
> below. Could you take a look, please?
>
> Cheers,
>
> Michael
>
>
> On 06/17/2015 10:50 AM, Michael Kerrisk (man-pages) wrote:
>> Hi Carlos,
>>
>> I've applied this patch, making a number of formatting changes along
>> the way. You might want to review the (rendered) result.
>>
>> One other comment below
>> On 05/24/2015 06:58 AM, Carlos O'Donell wrote:
>>> Arjun,
>>>
>>> As promised. Does this look good to you?
>>>
>>> Michael,
>>>
>>> In some recent work with a Red Hat customer I had the opportunity
>>> to discuss the fine nuances of the ruserok() function and related
>>> API which are used to implement rlogin and rsh.
>>>
>>> It came to my attention after working with QE on some automated
>>> internal testing that there were no good examples in the hosts.equiv
>>> manual page showing how the format was supposed to work for this
>>> file and for ~/.rhosts, worse the "format" line showed that there
>>> should be spaces between arguments when that would clearly lead
>>> to incorrect behaviour. In addition some things that the format
>>> allows you to write are just wrong like "-host -user" which makes
>>> no sense since the host is already rejected, and should be written
>>> as "host -user" instead. I added notes in the example to make it
>>> clear that "-host -user" is invalid.
>>>
>>> I fixed three things:
>>>
>>> (a) The format line.
>>> - Either +, or [-]hostname, or +@netgrp or -@netgrp.
>>> - Either +, or [-]username, or +@netgrp or -@netgrp.
>>> - You must specify something in the hostname portion so remove
>>>   optional brackets.
>>>
>>> (b) Clarify language around credentials
>>> - If the host is not trusted you must provide credentials to
>>>   the login system and that could be anything really and it
>>>   depends on your configuration e.g. PAM or whatever IdM you have.
>>>
>>> (c) Provide real-world examples
>>> - Provide several real world examples and some corner case
>>>   examples for how you would write something. Hopefully others
>>>   can add examples as they see fit.
>>>
>>> Patch applies to trunk.
>>>
>>> Signed-off-by: Carlos O'Donell <carlos-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
>>>
>>> diff --git a/man5/hosts.equiv.5 b/man5/hosts.equiv.5
>>> index 89d0b4a..c8e85ac 100644
>>> --- a/man5/hosts.equiv.5
>>> +++ b/man5/hosts.equiv.5
>>> @@ -22,7 +22,7 @@ supplying a password.
>>>  .PP
>>>  The file uses the following format:
>>>  .TP
>>> -\fI[ + | \- ]\fP \fI[hostname]\fP \fI[username]\fP
>>> +\fI+|[\-]hostname|+@netgroup|\-@netgroup\fP \fI[+|[\-]username|+@netgroup|\-@netgroup]\fP
>>>  .PP
>>>  The
>>>  .I hostname
>>> @@ -37,9 +37,9 @@ If the plus sign is used alone, it allows any host to access your system.
>>>  You can explicitly deny access to a host by preceding the
>>>  .I hostname
>>>  by a minus (\-) sign.
>>> -Users from that host must always supply a password.
>>> -For security reasons you should always use the FQDN of the hostname and
>>> -not the short hostname.
>>> +Users from that host must always supply additional credentials,
>>> +including possibly a password. For security reasons you should always
>>> +use the FQDN of the hostname and not the short hostname.
>>>  .PP
>>>  The
>>>  .I username
>>> @@ -81,6 +81,112 @@ character which means "any host" only when the word
>>>  is added to the auth component line in your PAM file for
>>>  the particular service
>>>  .RB "(e.g., " rlogin ).
>>> +.SH EXAMPLE
>>> +Here are some example
>>> +.I /etc/host.equiv
>>> +or
>>> +.I ~/.rhosts
>>> +files:
>>> +.TP
>>> +Allow any user to login from any host:
>>> +.LP
>>> +.RS 4
>>> +.TP
>>> ++
>>> +.PD
>>> +.RE
>>> +.TP
>>> +Allow any user from host with a matching local account to login:
>>> +.LP
>>> +.RS 4
>>> +.TP
>>> +host
>>> +.PD
>>> +.RE
>>> +.PP
>>> +Note: The use of
>>> +.B +host
>>> +is never a valid syntax, including attempting to specify that any user from the host is allowed.
>>> +.TP
>>> +Allow any user from host to login:
>>> +.LP
>>> +.RS 4
>>> +.TP
>>> +host +
>>> +.PD
>>> +.RE
>>> +.PP
>>> +Note: This is distinct from the previous example since it does not require a matching local account.
>>> +.TP
>>> +Allow user from host to login:
>>> +.LP
>>> +.RS 4
>>> +.TP
>>> +host user
>>> +.PD
>>> +.RE
>>> +.TP
>>> +Allow all users with matching local accounts from host to login except for baduser:
>>> +.LP
>>> +.RS 4
>>> +.PD 0
>>> +.TP
>>> +host -baduser
>>> +.TP
>>> +host
>>> +.PD
>>> +.RE
>>> +.TP
>>> +Deny all users from host:
>>> +.LP
>>> +.RS 4
>>> +.TP
>>> +-host
>>> +.PD
>>> +.RE
>>> +.PP
>>> +Note: The use of
>>> +.B -host -user
>>> +is never a valid syntax, including attempting to specify that a particular user from the host is not trusted.
>>> +.TP
>>> +Allow all users with matching local accounts in all hosts in the netgroup:
>>> +.LP
>>> +.RS 4
>>> +.TP
>>> ++@netgroup
>>> +.PD
>>> +.RE
>>> +.TP
>>> +Disallow all users in all hosts in the netgroup:
>>> +.LP
>>> +.RS 4
>>> +.TP
>>> +-@netgroup
>>> +.PD
>>> +.RE
>>> +.TP
>>> +Allow all users in netgroup to login from host:
>>> +.LP
>>> +.RS 4
>>> +.TP
>>> +host +@netgroup
>>> +.PD
>>> +.RE
>>> +.TP
>>> +Allow all users with matching local accounts in all hosts in the netgroup except baduser:
>>> +.LP
>>> +.RS 4
>>> +.PD 0
>>> +.TP
>>> ++@netgroup -baduser
>>> +.TP
>>> ++@netgroup
>>> +.PD
>>> +.RE
>>> +.TP
>>> +Note: The deny statements must always preceed the allow statements because the file is processed one line at a time.
>>
>> This last explanation feels incomplete. Should it not be something like:
>>
>>    The deny statements must always precede the allow statements
>>    because the file is processed sequentially until the first
>>    matching rule is found.
>>
>> ?
>>
>>> +
>>> +
>>>  .SH SEE ALSO
>>>  .BR rhosts (5),
>>>  .BR rlogind (8),
>>
>> Cheers,
>>
>> Michael
>>
>>
>>
>
>
> --
> Michael Kerrisk
> Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
> Linux/UNIX System Programming Training: http://man7.org/training/



-- 
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/

* Re: [patch] hosts.equiv.5: Fix format, clarify IdM needs, and provide examples.
       [not found]         ` <55831A5A.2050407-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
  2015-06-24 14:13           ` Michael Kerrisk (man-pages)
@ 2015-07-08  5:16           ` Carlos O'Donell
       [not found]             ` <559CB227.802-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
  1 sibling, 1 reply; 17+ messages in thread
From: Carlos O'Donell @ 2015-07-08  5:16 UTC (permalink / raw)
  To: Michael Kerrisk (man-pages),
	linux-man-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, Arjun Shankar,
	Siddhesh Poyarekar

On 06/18/2015 03:22 PM, Michael Kerrisk (man-pages) wrote:
> Hi Carlos,
> 
> In this earlier reply, I should have highlighted that there is
> one open question I have about your patch, at the end of the mail
> below. Could you take a look, please?

Certainly.

>>> +Allow all users with matching local accounts in all hosts in the netgroup except baduser:
>>> +.LP
>>> +.RS 4
>>> +.PD 0
>>> +.TP
>>> ++@netgroup -baduser
>>> +.TP
>>> ++@netgroup
>>> +.PD
>>> +.RE
>>> +.TP
>>> +Note: The deny statements must always preceed the allow statements because the file is processed one line at a time.
>>
>> This last explanation feels incomplete. Should it not be something like:
>>
>>    The deny statements must always precede the allow statements 
>>    because the file is processed sequentially until the first
>>    matching rule is found.

Your text is certainly correct and clearer. The processing does stop at
the first match.

Cheers,
Carlos.

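The rule semantics the patch's examples rely on, and that Carlos confirms above (processing stops at the first matching line, so deny lines must precede allow lines), as an added Python model that is not part of the thread or of glibc's ruserok(): the host and user names, the NETGROUPS table standing in for innetgr(3), the comment handling, the rejection of "-host -user" lines, and the reading of a bare "+" as still requiring a like-named local account are all assumptions of this example.

```python
"""Model of hosts.equiv / ~/.rhosts matching as described in the thread:
lines are tried in order and the first matching rule decides.
Added example, not glibc's ruserok() code.  Netgroup membership comes
from a constructed table instead of innetgr(3)."""

# Constructed netgroups (assumption): name -> members (host or user names).
NETGROUPS = {
    "trusted-hosts": {"alpha.example.com", "beta.example.com"},
    "admins": {"alice", "bob"},
}


def in_netgroup(name, member):
    return member in NETGROUPS.get(name, set())


def match_host(field, rhost):
    """'allow', 'deny', or None when the line does not apply to rhost."""
    if field == "+":                        # any host
        return "allow"
    if field.startswith("+@"):              # any host in the netgroup
        return "allow" if in_netgroup(field[2:], rhost) else None
    if field.startswith("-@"):              # no host in the netgroup
        return "deny" if in_netgroup(field[2:], rhost) else None
    if field.startswith("-"):               # this host is never trusted
        return "deny" if field[1:] == rhost else None
    return "allow" if field == rhost else None


def match_user(field, ruser, luser):
    """Same for the optional user field; absent means like-named accounts only."""
    if field is None:
        return "allow" if ruser == luser else None
    if field == "+":                        # any remote user, any local account
        return "allow"
    if field.startswith("+@"):
        return "allow" if in_netgroup(field[2:], ruser) else None
    if field.startswith("-@"):
        return "deny" if in_netgroup(field[2:], ruser) else None
    if field.startswith("-"):
        return "deny" if field[1:] == ruser else None
    return "allow" if field == ruser else None


def ruserok(rules, rhost, ruser, luser):
    """True if ruser@rhost may log in as local account luser with no further
    credentials.  A line whose host part denies stops immediately; the first
    line whose host and user parts both match decides; no match at all means
    deny (the caller then falls back to PAM or whatever IdM is configured).
    A '-host -user' line is rejected outright, as the thread says it is never
    valid (modelling choice of this example)."""
    for lineno, line in enumerate(rules.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):    # '#' comments: assumption here
            continue
        fields = line.split()
        hostf = fields[0]
        userf = fields[1] if len(fields) > 1 else None
        if hostf.startswith("-") and userf and userf.startswith("-"):
            raise ValueError(f"line {lineno}: '-host -user' is never valid")
        h = match_host(hostf, rhost)
        if h is None:
            continue                            # line is about another host
        if h == "deny":
            return False
        u = match_user(userf, ruser, luser)
        if u is None:
            continue                            # host matched, user did not
        return u == "allow"
    return False
```

Swapping the two +@netgroup lines of the "except baduser" example shows the failure mode the Note warns about: the allow line matches first and baduser is accepted.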

* Re: [patch] hosts.equiv.5: Fix format, clarify IdM needs, and provide examples.
       [not found]             ` <559CB227.802-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
@ 2015-07-21 14:03               ` Michael Kerrisk (man-pages)
  0 siblings, 0 replies; 17+ messages in thread
From: Michael Kerrisk (man-pages) @ 2015-07-21 14:03 UTC (permalink / raw)
  To: Carlos O'Donell,
	linux-man-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, Arjun Shankar,
	Siddhesh Poyarekar
  Cc: mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w

On 07/08/2015 07:16 AM, Carlos O'Donell wrote:
> On 06/18/2015 03:22 PM, Michael Kerrisk (man-pages) wrote:
>> Hi Carlos,
>>
>> In this earlier reply, I should have highlighted that there is
>> one open question I have about your patch, at the end of the mail
>> below. Could you take a look, please?
> 
> Certainly.
> 
>>>> +Allow all users with matching local accounts in all hosts in the netgroup except baduser:
>>>> +.LP
>>>> +.RS 4
>>>> +.PD 0
>>>> +.TP
>>>> ++@netgroup -baduser
>>>> +.TP
>>>> ++@netgroup
>>>> +.PD
>>>> +.RE
>>>> +.TP
>>>> +Note: The deny statements must always preceed the allow statements because the file is processed one line at a time.
>>>
>>> This last explanation feels incomplete. Should it not be something like:
>>>
>>>    The deny statements must always precede the allow statements 
>>>    because the file is processed sequentially until the first
>>>    matching rule is found.
> 
> Your text is certainly correct and clearer. The processing does stop at
> the first match.

Okay -- I've made that change to the text.

Cheers,

Michael



-- 
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/

Thread overview: 17+ messages
2015-05-24  4:58 [patch] hosts.equiv.5: Fix format, clarify IdM needs, and provide examples Carlos O'Donell
     [not found] ` <55615A71.4010600-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2015-06-16 10:06   ` Michael Kerrisk (man-pages)
     [not found]     ` <557FF511.7040500-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2015-06-16 21:15       ` Carlos O'Donell
     [not found]         ` <558091DD.30004-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2015-06-17  7:10           ` Michael Kerrisk (man-pages)
2015-06-17 16:17           ` Arjun Shankar
2015-06-17 17:14             ` [patch] hosts.equiv.5: Clarify that `host <user>` enables non-like-named account logins Carlos O'Donell
     [not found]               ` <5581AAEA.9090709-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2015-06-18 13:07                 ` Michael Kerrisk (man-pages)
2015-06-18  6:34             ` [patch] hosts.equiv.5: Fix format, clarify IdM needs, and provide examples Michael Kerrisk (man-pages)
     [not found]               ` <CAKgNAkjK89FgqHPMp2znUvO2jYyiHmTreLPZc7DwG8LV-RP33w-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2015-06-18 13:15                 ` Carlos O'Donell
     [not found]                   ` <5582C459.3020402-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2015-06-18 13:51                     ` Michael Kerrisk (man-pages)
     [not found]                       ` <CAKgNAkhbX+e7vSJrxu0jfGaLESs5G2nEuX1Chaoai_K=X90Jcg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2015-06-18 15:23                         ` Carlos O'Donell
     [not found]                           ` <5582E27D.9070600-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2015-06-18 19:20                             ` Michael Kerrisk (man-pages)
2015-06-17  8:50   ` Michael Kerrisk (man-pages)
     [not found]     ` <558134D3.2010603-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2015-06-18 19:22       ` Michael Kerrisk (man-pages)
     [not found]         ` <55831A5A.2050407-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2015-06-24 14:13           ` Michael Kerrisk (man-pages)
2015-07-08  5:16           ` Carlos O'Donell
     [not found]             ` <559CB227.802-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2015-07-21 14:03               ` Michael Kerrisk (man-pages)
