##################################################################
Searchable Keywords: pam rhosts auth dump


To be able to access other systems periferial devices and/or
the machines themselves. You must enable(no matter how unsecure)
the older berkley "r" commands. For device access you need an
entry in the .rhosts file. If you are root and you wish to access
a tape drive on another linux machine. The machine you are trying
to access must have an entry in a .rhosts file in roots home directory.
/root/.rhosts. Failing to remember that on linux machines root DOES
have it's own home directory called root will confound you and 
frustrate the #@$%^& out of you. 

The following are from a web page explaining more about pam 
authentication, rhosts and hosts.equiv


The rhosts module: pam_rhosts_auth.so 
        
This module performs the standard network authentication for services, as used by traditional implementations of rlogin and
 rsh etc. 
                
 The authentication mechanism of this module is based on the contents of the files /etc/hosts.equiv and ~/.rhosts.
 Firstly, hosts listed in the former file are treated as equivalent to the localhost. Secondly, entries in the user's own copy of the latter
 file is used to map remote-host remote-user pairs to that user's account on the current host. Access is granted to the user if their
host is present in /etc/hosts.equiv and their remote account is identical to their local one, or if their remote account has an
 entry in their personal configuration file. 
               
 Some restrictions are applied to the attributes of the user's personal configuration file: it must be a regular file; it must be owned by
 the superuser (root) or the user; it must not be writable by any user besides its owner. 
                
 In the case of root-access, the /etc/host.equiv file is ignored unless the hosts_equiv_rootok option should be
 used. Instead, the superuser must have a correctly configured personal configuration file. 
                
 The behavior of the module is modified by the following flags: 
        

debug - log more information to syslog(3). (actually, this module does not do any logging currently, please volunteer to
 fix this) 

 no_warn - do not give verbal warnings to the user about failures etc. (same as above, this module currently does not issue
any warnings, please volunteer to fix this) 

 no_hosts_equiv - ignore the contents of the /etc/hosts.equiv file. 

 hosts_equiv_rootok - allow the use of /etc/hosts.equiv for superuser. Without this option
 /etc/hosts.equiv is not consulted for the superuser account. This option has no effect if the no_hosts_equiv
 option is used. 

 no_rhosts - ignore the contents of all user's personal configuration file ~/.rhosts. 

 privategroup - normally, the ~/.rhosts file must not be writable by anyone other than its owner. This option
 overlooks group write access in the case that the group owner of this file has the same name as the user being authenticated.
 To lessen the security problems associated with this option, the module also checks that the user is the only member of their
 private group. 

 promiscuous - A host entry of + will lead to all hosts being granted access. Without this option, + entries will be ignored.
Note, that the debug option will write a warning entry to /var/log/messages in this latter case. 

 suppress - This will prevent the module from syslog(3)ing a warning message when this authentication fails. This
 option is mostly for keeping logs free of meaningless errors, in particular when the module is used with the sufficient control
 flag.