Remote Connection
State the command to perform remote system operations such as remote login, remote copy, and remote shell commands.

There are three built-in methods for controlling remote access to a Solaris computer:

- /etc/hosts.equiv
- $HOME/.rhosts
- /etc/ftpusers

The first two remote access control files are used to bypass the standard password-based login mode of Solaris. Their contents (if they exist) are checked before the password prompt appears to determine if the user has privileges on the system. Both files have a similar format for the entries they contain:

    hostname
    hostname username
    +

- A value for hostname indicates that all users from that particular host are trusted and may log into the system.
- A value for hostname username is a bit more restrictive, and means that only the username from a particular host is allowed access.
- A value of + means that all remote hosts on the network are trusted, and anyone may log in using rlogin without a password (assuming, of course, they have a similarly named local user account).

/etc/hosts.equiv is a system-wide file, meaning that as long as a user has an account on the local host, and they are contacting the system from the hostname specified in the file, they will get access. The root user account is excluded from this list, and will always be asked for a password.

$HOME/.rhosts is a way for a specific user to use this functionality. If the .rhosts file is created in the home directory for a user and contains the name of a trusted host, they will not be prompted for a password upon logging into the system from that trusted host. Every user may use .rhosts, including the root user.

The access control described above controls the functionality of the commands rlogin, rcp and rsh.

rlogin is the program a user executes in their shell to log into a host where they are trusted without a password. Example:

    # rlogin trusting_host

rcp is the program a user would use to copy a file from their system to a remote system on which they are trusted without a password. Example:

    # rcp testfile remote_server:/tmp

rsh is the program a user runs to execute a shell command on a remote system on which they are trusted without a password. Example:

    # rsh remote_host ls /tmp

Note: the above functionality is advertised as a good way to keep ASCII passwords from traversing a network. However, because of the uncontrolled nature of the .rhosts environments, allowing trusted access is a huge security risk. To disable this on a system, remove /etc/hosts.equiv and $HOME/.rhosts, and remove the shell and login lines from /etc/inetd.conf.

Remote access might also come in the form of file transfers. To this end, the /etc/ftpusers file exists to restrict access to specific accounts that are not allowed to access the system via ftp. Any usernames on the system that appear in this file will be denied access should they connect via FTP.

State the subcommands that are used by the ftp utility to transfer files between a local system and a remote system.

FTP stands for File Transfer Protocol, and is a standard UNIX method for transferring files from a system. FTP listens on port 21. The FTP daemon authenticates users using the /etc/passwd file. Some systems allow users to connect without entries listed in /etc/passwd -- these users are known as anonymous. Anonymous FTP is the de facto standard for sharing public software (or any software) on the Internet.

Once a user connects to a system using FTP, they are able to traverse the directory tree they have access to as if they were on the local system. Commands like cd and ls work as they do on a local system. When files are ready to be transferred, there are some additional commands that must be used.

- ascii - specifies ASCII format, and is used to tell FTP that the file being sent or retrieved is in ASCII text format.
- binary - specifies a binary format, which is all other file types besides ASCII.
- get - instructs the remote computer to send a specified file.
- put - instructs the remote computer to expect a specified file.
- mget - 'multiple get' specifies more than one remote file to be sent. Used with wildcards.
- mput - 'multiple put' specifies more than one local file to be sent. Used with wildcards.
- lcd - changes directories on the local computer.
- prompt - enables or disables confirmation prompts.
- hash - enables or disables the printing of 'hash marks', each of which represents a block of bytes in a file; they are a visual aid while files are being transferred.
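
One way to check a host for the passwordless trust described in the remote access section above, as an added example that is not part of the original page: it lists every active entry in /etc/hosts.equiv and in each user's .rhosts, and the uncommented shell and login lines in /etc/inetd.conf. The function names and the sample tree built by make_fixture are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit r-command trust under ROOT (default /).
# classify_entry LINE -> any-host | host-user | host | skip
classify_entry() {
    set -f; set -- $1; set +f        # split the entry into fields without globbing
    case "$1" in
        ''|'#'*) echo skip ;;        # blank line or comment
        '+')     echo any-host ;;    # wildcard: every remote host is trusted
        *)       if [ -n "$2" ]; then echo host-user; else echo host; fi ;;
    esac
}
# audit_file PATH -> one "PATH: kind: entry" line per active trust entry
audit_file() {
    [ -f "$1" ] || return 0
    while IFS= read -r line || [ -n "$line" ]; do
        kind=$(classify_entry "$line")
        [ "$kind" = skip ] || echo "$1: $kind: $line"
    done < "$1"
}
# audit_inetd PATH -> uncommented shell (rsh/rcp) and login (rlogin) service lines
audit_inetd() {
    [ -f "$1" ] || return 0
    awk -v f="$1" '$1 == "shell" || $1 == "login" { print f ": enabled: " $1 }' "$1"
}
audit_rtrust() {
    root=${1:-/}; root=${root%/}
    audit_file "$root/etc/hosts.equiv"
    if [ -f "$root/etc/passwd" ]; then
        # home directory is field 6 of passwd; every user, root included, may have .rhosts
        cut -d: -f6 "$root/etc/passwd" | sort -u | while IFS= read -r home; do
            audit_file "$root$home/.rhosts"
        done
    fi
    audit_inetd "$root/etc/inetd.conf"
}
# Constructed sample tree (not real data) so the audit runs offline.
make_fixture() {
    mkdir -p "$1/etc" "$1/export/home/alice"
    printf 'alice:x:100:10::/export/home/alice:/bin/sh\n' > "$1/etc/passwd"
    printf '# trusted hosts\nbuildhost\n+\n' > "$1/etc/hosts.equiv"
    printf 'labhost alice\n' > "$1/export/home/alice/.rhosts"
    printf '%s\n' '#login stream tcp nowait root /usr/sbin/in.rlogind in.rlogind' \
        'shell stream tcp nowait root /usr/sbin/in.rshd in.rshd' > "$1/etc/inetd.conf"
}
tmp=$(mktemp -d) && make_fixture "$tmp" && audit_rtrust "$tmp"; rm -rf "$tmp"
```

On a live system, run `audit_rtrust /` as root so that every home directory is readable; any line it prints is trust that still has to be removed.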