John_Stewart@CARLETON.CA (11/07/89)
I would like to modify our /etc/hosts.equiv files so that only hosts within our YP domain are trusted. Having a '+' record in the file is too liberal because it results in all machines on our campus ethernet being trusted.

After reading the Sun manuals, I can only conclude that Sun hasn't given much thought to the problems in maintaining /etc/hosts.equiv. There appears to be no way to say "trust all machines in your YP domain". The only solution seems to be to list each individual host in the file, which means the file has to be modified each time a machine is added/removed from your YP domain. Since /etc/hosts.equiv isn't one of the files served by YP, there is no easy way to change every copy in your YP domain.

I would be interested in hearing (by mail) what other people are doing to maintain their /etc/hosts.equiv files. If I get any particularly inspiring responses, I will summarize and post to sun-spots.

Regards... jas <John_Stewart@carleton.ca>
rd@chorus.fr (Roland Dirlewanger) (11/14/89)
In `comp.sys.sun' (message #6183) John_Stewart@CARLETON.CA wrote:
> I would be interested in hearing (by mail) what other people are doing to
> maintain their /etc/hosts.equiv files. If I get any particularly
> inspiring responses, I will summarize and post to sun-spots.

The way I did it is to define a netgroup for all the trusted machines. The /etc/netgroup is maintained by the Yellow Pages, so every time you install a new host, you just need to modify one file. You just have to replace all your current /etc/hosts.equiv with one containing the line:

    +@trustedhosts
joe@uunet.uu.net (Joe Michel-Angelo) (11/20/89)
In article <3006@brazos.Rice.edu>, by rd@chorus.fr (Roland Dirlewanger):
> replace all your current /etc/hosts.equiv with one containing the line :
>
> +@trustedhosts

Don't forget that /etc/hosts.equiv is also used by /usr/lib/lpd to "verify" that a remote machine can print to the local host (at least in 3.x). Sigh.

You could try a binary editor on /usr/lib/lpd and change /etc/hosts.equiv to /etc/hosts.lpdiv or whatever if you are worried about security. This new file could contain a netgroup of +@allhosts; however, I find that netgroup/YP is too limited and LARGE sites can't take advantage of this feature as YP will puke on the large strings that are generated.
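
Added example, not part of any post in this thread: a small audit for the netgroup approach described above, which expands a `+@netgroup` line in hosts.equiv into the hosts it actually trusts and flags a bare `+` or a netgroup triple with an empty (wildcard) host field. The function names, the sample netgroup data and every host and group name other than `trustedhosts` are constructed for illustration.

```python
import re

# Constructed sample /etc/netgroup; only the name "trustedhosts" is from the thread.
NETGROUP = """\
trustedhosts  lab-a lab-b
lab-a  (alpha,,) (beta,,)
lab-b  (gamma,,) \\
       (delta,,) lab-a
open   (,,)
"""

def parse_netgroup(text):
    """Map each netgroup name to its member tokens (triples or group names)."""
    groups = {}
    for line in text.replace("\\\n", " ").splitlines():  # join continuation lines
        line = line.split("#", 1)[0].strip()
        if line:
            name, *members = re.findall(r"\([^)]*\)|\S+", line)
            groups[name] = members
    return groups

def expand_hosts(name, groups, seen=None):
    """Hosts a netgroup grants; '*' stands for an empty (wildcard) host field."""
    seen = set() if seen is None else seen
    if name in seen:  # nested groups may loop; visit each one once
        return set()
    seen.add(name)
    hosts = set()
    for member in groups.get(name, []):
        if member.startswith("("):  # (host,user,domain) triple
            hosts.add(member[1:-1].split(",")[0].strip() or "*")
        else:                       # reference to another netgroup
            hosts |= expand_hosts(member, groups, seen)
    return hosts

def audit_hosts_equiv(text, groups):
    """Return (trusted hosts, findings) for the contents of a hosts.equiv file."""
    trusted, findings = set(), []
    for n, line in enumerate(text.splitlines(), 1):
        host = (line.split("#", 1)[0].split() or [""])[0]
        if host == "+":
            findings.append(f"line {n}: bare '+' trusts every host")
        elif host.startswith("+@"):
            hosts = expand_hosts(host[2:], groups)
            if "*" in hosts:
                findings.append(f"line {n}: {host} includes a wildcard host field")
            trusted |= hosts - {"*"}
        elif host and not host.startswith("-"):  # plain host name; '-' lines deny
            trusted.add(host)
    return trusted, findings
```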