SUMMARY : Hosts.equiv and netgroup

From: saintpe stephanie-ism/is 81737- (
Date: Fri Apr 16 1999 - 02:21:27 CDT

Sorry for the delay, here is the summary of responses to my problem.
I couldn't find a really satisfactory solution, but I have some tracks to

I would particularly like to thank :


"hosts.equiv is not the way to grant individual users access.
 The contents of /etc/hosts.equiv are prepended to each ~/.rhosts file.
 So usernames have no place there, as they indeed give such users access
 to all accounts.
 The nsswitch.conf "passwd: compat" mode allows you to selectively
 import users from NIS.
 If you want to control access to individual users' home directories, you
 have no choice but to chmod them. "
>From Thu Apr 8 14:30:33 1999

"Try this configuration in your environment. We use it here to do restricted
 access to servers and other special-purpose machines:
 In /etc/nsswitch.conf, change the passwd entry to read:
 passwd: compat
 Create netgroups as you wish.
 In /etc/passwd, add lines for the netgroups you want to allow on that
 machine. Note the "+@" construct in the examples. The "+@" references the
 netgroup NIS map, while just a "+" references the NIS passwd map.
 To allow a group named "sysadmin":
 To allow user "webadmin" with a locally-specified home directory:
 To let the machine recognize all user IDs in NIS, but not let them log in:
 Contents of /usr/local/etc/nologin:
 #!/bin/grep ^[^#]
 You do not have permission to log on to this machine.
 End of /usr/local/etc/nologin
 You can modify locally any field in the passwd file. Blanks will be filled
 in from NIS, where available. You will want to spend some time
 experimenting to find the exact combination to satisfy all of your
>From Thu Apr 8 14:42:24 1999

"Here are the steps you need to do to enable this using netgroups. First,
 add a line in netgroups, that looks similar to the following:
 admins (,user1,) (,user2,) (,user3,) ... and so on
 you can change the keyword admins to anything, like servers, allow, etc.
 User1, user2, user3, etc would be the login names of the users you want to
 have access to this machine. For the rest of the example, i will use the
 netgroup name admins. Next add the following lines to /etc/passwd, not
 What these two lines will do is only allow the users in the netgroup admins
 to log in, and all other users will get /bin/false as their shell,
 essentially not letting them log in. Next add this line to the end of
 /etc/shadow, again, not /etc/yp/shadow.
 Lastly, change the passwd line in /etc/nsswitch.conf to read:
 passwd: compat
 That's it. Of course you'll have to do a make in /var/yp to make the
 netgroups, sorry I forgot to mention that. If you ever need to grant or
 remove access to a user, just add or remove them from /etc/yp/netgroups.
 Hope this helps."
>From Thu Apr 8 14:55:51 1999

 In the /etc/netgroup file put:
 userid (,userid,)
 In the /etc/passwd file put:
 You can also put multiple userids.
 userids (,userid1,) (,userid2,)
 Hope this helps."
>From Thu Apr 8 15:22:04 1999

"You can use
 hostname +@netgroup to allow any user in the netgroup access. Conversely, you can
 also use
 hostname -@netgroup to deny certain users access (any user in the netgroup).
 If you use @netgroup in the first field of hosts.equiv then any host in the
 netgroup gets access as in
 or can be denied access with
 See the man page on hosts.equiv for more information."

>From Thu Apr 8 15:54:22 1999

"We use netgroups extensively for machine access here.
 For example, say we have a machine named "mach01" and our domain is
 In the yp netgroups file we might have:
 mach01 (-, user1, my.domain) (-, user2, my.domain) (-, user3, my.domain)
 And so on (there is a line length limitation, which you can get around by
 making netgroups comprised of other netgroups).
 In the /etc/passwd file on mach01 you would see this line:
 In the /etc/shadow file on mach01 you would see a corresponding line:
 The /etc/nsswitch.conf file would be set:
 netgroup: nis
 No use of hosts.equiv.
 I hope this helps."
>From Thu Apr 8 17:51:22 1999

 You need to set up a NIS netgroup that looks a little like this:
 netgroupname \
        (machinename,username,NIS domainname) \
        (machinename,username,NIS domainname) \
        (machinename,username,NIS domainname)
 where netgroupname is the name of your netgroup (this can be anything),
 is the name of your user's machine that you want to give access to,
 username is the username of the user, and NIS domainname is your NIS domainname.
 In the /etc/hosts.equiv file put
 This will allow only users from certain machines in your NIS Domain to
 log into that machine without a password.
 Hope this helps."
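
Added example, not from any of the replies above and not Solaris code: a small Python model of the three mechanisms the thread leans on, so their rules can be exercised offline. It parses /etc/netgroup triples (including a netgroup nested inside another, the trick suggested above for the line-length limit), merges a local /etc/passwd against a NIS passwd map the way "passwd: compat" does with +@netgroup, +user, -@netgroup and catch-all + lines, and evaluates hosts.equiv entries of the @netgroup, "host +@netgroup" and -@netgroup forms described in the replies. Every sample file, host name, user name and domain (mach01, client1, my.domain, user1..user5, webadmin, guest, banned) is constructed here; parse_netgroups, innetgr, compat_passwd, heq_match and hosts_equiv_allows are my own simplified models of the documented behaviour (first matching entry wins, a negative entry denies, root is never trusted through hosts.equiv, ~/.rhosts is not consulted), not the real library routines.

```python
import re
# Constructed /etc/netgroup: (host,user,domain) triples; '' any, '-' none, bare name = nested group.
NETGROUP_FILE = """\
admins (,user1,) (,user3,)
mach01-users (-, user4, my.domain) \\
             admins
trusted-hosts (client1,-,my.domain) (client2,-,my.domain)
banned (,guest,)
"""
# Constructed local /etc/passwd using the compat-mode lines from the thread.
LOCAL_PASSWD = """\
root:x:0:0:Super-User:/:/sbin/sh
+@mach01-users
+webadmin:::::/export/home/webadmin:
-@banned
+::::::/bin/false
"""
# Constructed NIS passwd map; user3 is in 'admins' but has no NIS entry.
NIS_PASSWD = """\
user1:x:1001:100:User One:/home/user1:/bin/ksh
user4:x:1004:100:User Four:/home/user4:/bin/sh
user5:x:1005:100:User Five:/home/user5:/bin/sh
webadmin:x:2000:200:Web Admin:/home/webadmin:/bin/ksh
guest:x:3000:300:Guest:/home/guest:/bin/sh
"""
# Constructed /etc/hosts.equiv; 'host +@ng' trusts the netgroup's users as ANY local account.
HOSTS_EQUIV = """\
@trusted-hosts
mach01 +@admins
"""
TRIPLE = re.compile(r"\(([^,]*),([^,]*),([^)]*)\)")

def parse_netgroups(text):
    """{netgroup: [token, ...]}, with backslash-newline continuations joined."""
    lines = (l.split("#", 1)[0].split(None, 1) for l in text.replace("\\\n", " ").splitlines())
    return {p[0]: re.findall(r"\([^)]*\)|\S+", (p + [""])[1]) for p in lines if p}

def expand(name, groups, seen=()):
    """Flatten a netgroup into (host, user, domain) triples, following nesting."""
    out = []
    for tok in (groups.get(name, []) if name not in seen else []):
        m = TRIPLE.fullmatch(tok)
        out += [tuple(f.strip() for f in m.groups())] if m else expand(tok, groups, seen + (name,))
    return out

def innetgr(groups, name, host=None, user=None, domain=None):
    """Model of innetgr(3): a None argument means 'do not care' about that position."""
    ok = lambda f, v: v is None or f == "" or (f != "-" and f == v)
    return any(ok(h, host) and ok(u, user) and ok(d, domain) for h, u, d in expand(name, groups))

def compat_passwd(local_text, nis_text, groups):
    """'passwd: compat' merge: local lines in order; +/- lines select NIS users by
    name or netgroup; the first rule naming a user wins; non-empty + fields override."""
    nis = {l.split(":")[0]: l.split(":") for l in nis_text.splitlines() if l}
    merged, excluded = {}, set()
    for line in local_text.splitlines():
        fields = (line.split(":") + [""] * 7)[:7]
        key = fields[0]
        if key[:1] not in ("+", "-"):                 # blank, comment or plain local entry
            if key and key[0] != "#":
                merged[key] = fields
            continue
        if key[1:2] == "@":                           # +@netgroup / -@netgroup
            users = [u for u in nis if innetgr(groups, key[2:], user=u)]
        else:                                         # + / - / +name / -name
            users = list(nis) if len(key) == 1 else [key[1:]]
        for u in users:
            if u in merged or u in excluded or u not in nis:
                continue
            if key[0] == "-":
                excluded.add(u)
            else:
                merged[u] = [u] + [o or n for o, n in zip(fields[1:], nis[u][1:])]
    return merged

def heq_match(groups, spec, value, pos):
    """Match one hosts.equiv field: '+', a literal name or '@netgroup' (optional '-')."""
    spec = spec.lstrip("+-")
    if spec.startswith("@"):
        return innetgr(groups, spec[1:], **{pos: value})
    return spec == "" or spec == value

def hosts_equiv_allows(text, groups, rhost, ruser, luser):
    """hosts.equiv(4) rules from the thread; root is never trusted, '-' entries deny."""
    if luser == "root":
        return False
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if not parts or not heq_match(groups, parts[0], rhost, "host"):
            continue
        if parts[0].startswith("-"):                  # -host / -@netgroup: deny
            return False
        uf = parts[1] if len(parts) > 1 else None     # no user field: same-name login only
        if (ruser == luser) if uf is None else heq_match(groups, uf, ruser, "user"):
            return not (uf or "").startswith("-")     # user field matched: ANY account
    return False
```

Running the merge gives root, user1, user4 and webadmin their normal shells, webadmin the locally specified home directory, user5 /bin/false from the catch-all + line, nothing at all for guest (dropped by -@banned) or user3 (in the netgroup, but absent from NIS). The hosts.equiv checks make the first reply's warning concrete: hosts_equiv_allows(HOSTS_EQUIV, groups, "mach01", "user1", "alice") is true, because a user field in hosts.equiv trusts that user as any local account except root, whereas the host-only @trusted-hosts entry lets client1 users in only under their own name.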
>From ramk1@EXCITE.COM Thu Apr 8 21:16:56 1999

 put the hostname and username in the ".rhosts" file of the particular user
 whose account should be accessible via rlogin.
 cheers & smiles"
>From Fri Apr 9 14:44:11 1999

"Forget rlogin. It is inherently, dangerously insecure. Use sshd with its
 encryption and authentication capabilities. See the DataFellows web site
 for the source for the daemon and, for PCs, purchase the client software."

From: "Neal S. Pressman" <>
Subject: SUMMARY: NIS and Netgroups behaviour

thanks to:

Ronald Loftin <>
"David W. Blaine" <>
"Salehi, Michael E" <>

also thanks to:

Steve_Kilbane <>
who didn't respond to my e-mail but has posted a summary of this problem
to the archives:

<--- snip --->
Turns out that netgroup works only with NIS running, and that using
it in .rhosts files is no problem. I'll also make the tentative
observation that the wisdom that follows applies certainly to netgroup
usage in .rhosts files, but not necessarily in other places (e.g.,
hosts.equiv, exports) because some of the rules I have to follow
(e.g., don't use capital letters) are rules I've seen violated in
other places without problems. That having been said:
</--- snip --->

My problem was simply that our netgroup was in uppercase; this is not a
problem for 2.6 or 2.7, only earlier versions.



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:13:18 CDT