pam_rhosts

Authenticate based on rhosts files

SYNOPSIS

The pam_rhosts module is configured in PAM service files, typically located in /etc/pam.d/. It is usually placed in the auth or account module types. Its syntax in a PAM configuration file follows the general PAM module syntax:

auth required pam_rhosts.so [module_options]
account required pam_rhosts.so [module_options]

Where module_options are specific arguments passed to the module to modify its behavior.

PARAMETERS

no_hosts_equiv
    Do not consult the system-wide /etc/hosts.equiv file.

no_rhosts
    Do not consult the user's home directory ~/.rhosts file.

allow_root
    Permit root authentication via hosts.equiv (highly insecure and generally discouraged).

debug
    Enable verbose debugging messages to syslog.

no_warn
    Do not issue warnings when authentication fails due to conditions like missing files or permissions.

debug_rhosts
    Similar to debug, specifically for R-command related debugging.

no_wait
    Return immediately if authentication fails; do not wait for a delay.

set_user
    Changes the effective user ID of the calling process to the authenticated user. Used by some PAM services.

DESCRIPTION

The pam_rhosts module is a Pluggable Authentication Module (PAM) designed to authenticate users based on the legacy .rhosts and /etc/hosts.equiv files. It is primarily used to provide compatibility with the insecure R-commands like rsh, rlogin, and rcp, which rely on a "trusted host" mechanism. When configured in a PAM service file (e.g., /etc/pam.d/rlogin), pam_rhosts checks if the remote host and user are listed as trusted, allowing access without a password. This module implements the auth and account PAM module types. While it fulfills the historical requirement for R-command authentication, its reliance on host-based trust, which can be easily spoofed or misconfigured, makes it a significant security risk. Modern systems strongly discourage its use in favor of more secure authentication methods like SSH.

CAVEATS

The pam_rhosts module is inherently insecure due to its reliance on trusting remote host IP addresses, which can be spoofed. It also depends on accurate DNS resolution and properly secured .rhosts and hosts.equiv files. Misconfigurations or weak permissions on these files can lead to unauthorized access. It does not provide encryption for data in transit, making it vulnerable to eavesdropping. Its use is strongly discouraged in modern network environments; secure alternatives like SSH should always be preferred.

CONFIGURATION EXAMPLE

While generally not recommended, a typical configuration for pam_rhosts in a PAM service file (e.g., /etc/pam.d/rlogin) might look like this:

auth sufficient pam_rhosts.so
auth required pam_unix.so

In this example, if pam_rhosts successfully authenticates (i.e., the host and user are trusted), the authentication process is considered sufficient, and subsequent modules might be skipped. If pam_rhosts fails, the system falls back to traditional UNIX password authentication via pam_unix.so. This setup allows for legacy R-command trust while still requiring a password if the trust fails.

HISTORY

The concept behind pam_rhosts originates from the Berkeley "r-commands" (rsh, rlogin, rcp) developed in the early days of UNIX networking. These commands introduced a host-based authentication mechanism where systems could trust each other based on IP addresses and user mappings in /etc/hosts.equiv and ~/.rhosts files. As security became a growing concern, these methods were found to be highly insecure due to IP spoofing, DNS vulnerabilities, and lack of encryption. When PAM was introduced to Linux (around the mid-1990s), pam_rhosts was created to provide backward compatibility for services that still relied on this legacy authentication, allowing administrators to transition systems gradually. However, its usage has steadily declined, and it is now largely considered deprecated for new deployments due to the availability of much more secure alternatives like SSH.