IBM Informix products follow standard security procedures that are governed by information contained in the network-security files. For a client application to connect to a database server on a remote computer, the user of the client application must have a valid user ID on the remote computer.
The hosts.equiv file lists the remote hosts and users that are trusted by the computer on which the database server resides. Trusted users, and users who log in from trusted hosts, can access the computer without supplying a password. The operating system uses the hosts.equiv file to determine whether a user should be allowed access to the computer without specifying a password. Informix requires a hosts.equiv file for its default authentication policy.
If a client application supplies an invalid account name and password, the database server rejects the connection even if the hosts.equiv file contains an entry for the client computer. You should use the hosts.equiv file only for client applications that do not supply a user account or password. On UNIX, the hosts.equiv file is in the /etc directory. If you do not have a hosts.equiv file, you must create one.
On some networks, the host name that a remote host uses to connect to a particular computer might not be the same as the host name that the computer uses to refer to itself. For example, the network host name might contain the full domain name, as the following example shows:
viking.ibm.com
By contrast, the computer might refer to itself with the local host name, as the following example shows:
viking
If this situation occurs, make sure that you specify both host name formats in the hosts.equiv file.
To determine whether a client is trusted, execute the following statement on the client computer:
rlogin hostname
If you log in successfully without receiving a password prompt, the client is a trusted computer.
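The following shell function is an added example, not part of the IBM documentation. It checks a hosts.equiv file for a host that is listed under only one of its two name forms, and goes beyond the text above by also flagging + wildcard entries, which the hosts.equiv format treats as trusting every host or every user. The function name, the sample file contents, and the host odin are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit a hosts.equiv-style file.
# Usage: audit_hosts_equiv FILE SHORT_NAME FULL_NAME
# Prints one finding per line; exit status is 1 if anything was found.
audit_hosts_equiv() {
    awk -v short="$2" -v full="$3" '
        NF == 0 || $1 ~ /^#/ { next }       # skip blank lines and comments
        {
            host = tolower($1)
            if (host == "+") {              # "+" as host: every remote host is trusted
                print "line " NR ": \"+\" trusts every host"; bad = 1
            }
            if ($2 == "+") {                # "+" as user: every user on that host is trusted
                print "line " NR ": \"+\" trusts every user on " host; bad = 1
            }
            if (host == tolower(short)) have_short = 1
            if (host == tolower(full))  have_full = 1
        }
        END {
            # A client can present either name form, so a trusted host
            # must be listed under both.
            if (have_short && !have_full) { print "missing entry: " full;  bad = 1 }
            if (have_full && !have_short) { print "missing entry: " short; bad = 1 }
            exit bad + 0
        }
    ' "$1"
}

# Constructed sample data (not from a real system): the full name is
# listed, the short name is not, and the last line is a wildcard.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# trusted client hosts
viking.ibm.com
odin informix
+
EOF
audit_hosts_equiv "$sample" viking viking.ibm.com ||
    echo "review the file before relying on hosts.equiv trust"
rm -f "$sample"
```

On a database server host, pass /etc/hosts.equiv as the first argument, followed by the local and fully qualified names of the client computer.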
As an alternative, an individual user can list hosts from which he or she can connect as a trusted user in the .rhosts file. This file resides in the user's home directory on the computer on which the database server resides.
The netrc information is optional information that specifies identity data. A user who does not have authorization to access the database server or is not on a computer that is trusted by the database server can use this file to supply a name and password that are trusted. A user who has a different user account and password on a remote computer can also provide this information.
The netrc information resides in the .netrc file in the user's home directory. Use any standard text editor to prepare the .netrc file.
If you do not explicitly provide the user password in an application for a remote server (that is, through the USER clause of the CONNECT statement or the user name and password prompts in DB-Access), the client application looks for the user name and password in the netrc information. If the user has explicitly specified the password in the application, or if the database server is not remote, the netrc information is not consulted.
The database server uses the netrc information regardless of whether it uses the default authentication policy or a communications support module.
For information about the specific content of this file, refer to your operating-system documentation.
For certain client queries or operations, the database server must impersonate the client to run a process or program on behalf of the client. In order to impersonate the client, the database server must receive a password for each client connection. Clients can provide a user ID and password through the CONNECT statement or netrc information.
The following examples show how you can provide a password to impersonate a client.