mirror of
git://anongit.mindrot.org/openssh.git
synced 2024-11-30 18:03:32 +08:00
d783435315
[OVERVIEW atomicio.c atomicio.h auth-bsdauth.c auth-chall.c auth-krb5.c]
[auth-options.c auth-options.h auth-passwd.c auth-rh-rsa.c auth-rhosts.c]
[auth-rsa.c auth-skey.c auth.c auth.h auth1.c auth2-chall.c auth2-gss.c]
[auth2-hostbased.c auth2-kbdint.c auth2-none.c auth2-passwd.c ]
[auth2-pubkey.c auth2.c authfd.c authfd.h authfile.c bufaux.c bufbn.c]
[buffer.c buffer.h canohost.c channels.c channels.h cipher-3des1.c]
[cipher-bf1.c cipher-ctr.c cipher.c cleanup.c clientloop.c compat.c]
[compress.c deattack.c dh.c dispatch.c dns.c dns.h fatal.c groupaccess.c]
[groupaccess.h gss-genr.c gss-serv-krb5.c gss-serv.c hostfile.c kex.c]
[kex.h kexdh.c kexdhc.c kexdhs.c kexgex.c kexgexc.c kexgexs.c key.c]
[key.h log.c log.h mac.c match.c md-sha256.c misc.c misc.h moduli.c]
[monitor.c monitor_fdpass.c monitor_mm.c monitor_mm.h monitor_wrap.c]
[monitor_wrap.h msg.c nchan.c packet.c progressmeter.c readconf.c]
[readconf.h readpass.c rsa.c scard.c scard.h scp.c servconf.c servconf.h]
[serverloop.c session.c session.h sftp-client.c sftp-common.c]
[sftp-common.h sftp-glob.c sftp-server.c sftp.c ssh-add.c ssh-agent.c]
[ssh-dss.c ssh-gss.h ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh-rsa.c]
[ssh.c ssh.h sshconnect.c sshconnect.h sshconnect1.c sshconnect2.c]
[sshd.c sshlogin.c sshlogin.h sshpty.c sshpty.h sshtty.c ttymodes.c]
[uidswap.c uidswap.h uuencode.c uuencode.h xmalloc.c xmalloc.h]
[loginrec.c loginrec.h openbsd-compat/port-aix.c openbsd-compat/port-tun.h]
almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step
NB. portable commit contains everything *except* removing includes.h, as
that will take a fair bit more work as we move headers that are required
for portability workarounds to defines.h. (also, this step wasn't "easy")
310 lines
8.7 KiB
C
310 lines
8.7 KiB
C
/* $OpenBSD: auth-rhosts.c,v 1.41 2006/08/03 03:34:41 deraadt Exp $ */
|
|
/*
|
|
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
|
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
|
* All rights reserved
|
|
* Rhosts authentication. This file contains code to check whether to admit
|
|
* the login based on rhosts authentication. This file also processes
|
|
* /etc/hosts.equiv.
|
|
*
|
|
* As far as I am concerned, the code I have written for this software
|
|
* can be used freely for any purpose. Any derived versions of this
|
|
* software must be clearly marked as such, and if the derived work is
|
|
* incompatible with the protocol description in the RFC file, it must be
|
|
* called by a name other than "ssh" or "Secure Shell".
|
|
*/
|
|
|
|
#include "includes.h"
|
|
|
|
#include <sys/types.h>
|
|
#include <sys/stat.h>
|
|
|
|
#ifdef HAVE_NETGROUP_H
|
|
# include <netgroup.h>
|
|
#endif
|
|
#include <pwd.h>
|
|
#include <stdio.h>
|
|
#include <string.h>
|
|
#include <stdarg.h>
|
|
|
|
#include "packet.h"
|
|
#include "buffer.h"
|
|
#include "uidswap.h"
|
|
#include "pathnames.h"
|
|
#include "log.h"
|
|
#include "servconf.h"
|
|
#include "canohost.h"
|
|
#include "key.h"
|
|
#include "hostfile.h"
|
|
#include "auth.h"
|
|
|
|
/* import */
|
|
extern ServerOptions options;
|
|
extern int use_privsep;
|
|
|
|
/*
|
|
* This function processes an rhosts-style file (.rhosts, .shosts, or
|
|
* /etc/hosts.equiv). This returns true if authentication can be granted
|
|
* based on the file, and returns zero otherwise.
|
|
*/
|
|
|
|
static int
|
|
check_rhosts_file(const char *filename, const char *hostname,
|
|
const char *ipaddr, const char *client_user,
|
|
const char *server_user)
|
|
{
|
|
FILE *f;
|
|
char buf[1024]; /* Must not be larger than host, user, dummy below. */
|
|
|
|
/* Open the .rhosts file, deny if unreadable */
|
|
f = fopen(filename, "r");
|
|
if (!f)
|
|
return 0;
|
|
|
|
while (fgets(buf, sizeof(buf), f)) {
|
|
/* All three must be at least as big as buf to avoid overflows. */
|
|
char hostbuf[1024], userbuf[1024], dummy[1024], *host, *user, *cp;
|
|
int negated;
|
|
|
|
for (cp = buf; *cp == ' ' || *cp == '\t'; cp++)
|
|
;
|
|
if (*cp == '#' || *cp == '\n' || !*cp)
|
|
continue;
|
|
|
|
/*
|
|
* NO_PLUS is supported at least on OSF/1. We skip it (we
|
|
* don't ever support the plus syntax).
|
|
*/
|
|
if (strncmp(cp, "NO_PLUS", 7) == 0)
|
|
continue;
|
|
|
|
/*
|
|
* This should be safe because each buffer is as big as the
|
|
* whole string, and thus cannot be overwritten.
|
|
*/
|
|
switch (sscanf(buf, "%1023s %1023s %1023s", hostbuf, userbuf,
|
|
dummy)) {
|
|
case 0:
|
|
auth_debug_add("Found empty line in %.100s.", filename);
|
|
continue;
|
|
case 1:
|
|
/* Host name only. */
|
|
strlcpy(userbuf, server_user, sizeof(userbuf));
|
|
break;
|
|
case 2:
|
|
/* Got both host and user name. */
|
|
break;
|
|
case 3:
|
|
auth_debug_add("Found garbage in %.100s.", filename);
|
|
continue;
|
|
default:
|
|
/* Weird... */
|
|
continue;
|
|
}
|
|
|
|
host = hostbuf;
|
|
user = userbuf;
|
|
negated = 0;
|
|
|
|
/* Process negated host names, or positive netgroups. */
|
|
if (host[0] == '-') {
|
|
negated = 1;
|
|
host++;
|
|
} else if (host[0] == '+')
|
|
host++;
|
|
|
|
if (user[0] == '-') {
|
|
negated = 1;
|
|
user++;
|
|
} else if (user[0] == '+')
|
|
user++;
|
|
|
|
/* Check for empty host/user names (particularly '+'). */
|
|
if (!host[0] || !user[0]) {
|
|
/* We come here if either was '+' or '-'. */
|
|
auth_debug_add("Ignoring wild host/user names in %.100s.",
|
|
filename);
|
|
continue;
|
|
}
|
|
/* Verify that host name matches. */
|
|
if (host[0] == '@') {
|
|
if (!innetgr(host + 1, hostname, NULL, NULL) &&
|
|
!innetgr(host + 1, ipaddr, NULL, NULL))
|
|
continue;
|
|
} else if (strcasecmp(host, hostname) && strcmp(host, ipaddr) != 0)
|
|
continue; /* Different hostname. */
|
|
|
|
/* Verify that user name matches. */
|
|
if (user[0] == '@') {
|
|
if (!innetgr(user + 1, NULL, client_user, NULL))
|
|
continue;
|
|
} else if (strcmp(user, client_user) != 0)
|
|
continue; /* Different username. */
|
|
|
|
/* Found the user and host. */
|
|
fclose(f);
|
|
|
|
/* If the entry was negated, deny access. */
|
|
if (negated) {
|
|
auth_debug_add("Matched negative entry in %.100s.",
|
|
filename);
|
|
return 0;
|
|
}
|
|
/* Accept authentication. */
|
|
return 1;
|
|
}
|
|
|
|
/* Authentication using this file denied. */
|
|
fclose(f);
|
|
return 0;
|
|
}
|
|
|
|
/*
|
|
* Tries to authenticate the user using the .shosts or .rhosts file. Returns
|
|
* true if authentication succeeds. If ignore_rhosts is true, only
|
|
* /etc/hosts.equiv will be considered (.rhosts and .shosts are ignored).
|
|
*/
|
|
|
|
int
|
|
auth_rhosts(struct passwd *pw, const char *client_user)
|
|
{
|
|
const char *hostname, *ipaddr;
|
|
|
|
hostname = get_canonical_hostname(options.use_dns);
|
|
ipaddr = get_remote_ipaddr();
|
|
return auth_rhosts2(pw, client_user, hostname, ipaddr);
|
|
}
|
|
|
|
static int
|
|
auth_rhosts2_raw(struct passwd *pw, const char *client_user, const char *hostname,
|
|
const char *ipaddr)
|
|
{
|
|
char buf[1024];
|
|
struct stat st;
|
|
static const char *rhosts_files[] = {".shosts", ".rhosts", NULL};
|
|
u_int rhosts_file_index;
|
|
|
|
debug2("auth_rhosts2: clientuser %s hostname %s ipaddr %s",
|
|
client_user, hostname, ipaddr);
|
|
|
|
/* Switch to the user's uid. */
|
|
temporarily_use_uid(pw);
|
|
/*
|
|
* Quick check: if the user has no .shosts or .rhosts files, return
|
|
* failure immediately without doing costly lookups from name
|
|
* servers.
|
|
*/
|
|
for (rhosts_file_index = 0; rhosts_files[rhosts_file_index];
|
|
rhosts_file_index++) {
|
|
/* Check users .rhosts or .shosts. */
|
|
snprintf(buf, sizeof buf, "%.500s/%.100s",
|
|
pw->pw_dir, rhosts_files[rhosts_file_index]);
|
|
if (stat(buf, &st) >= 0)
|
|
break;
|
|
}
|
|
/* Switch back to privileged uid. */
|
|
restore_uid();
|
|
|
|
/* Deny if The user has no .shosts or .rhosts file and there are no system-wide files. */
|
|
if (!rhosts_files[rhosts_file_index] &&
|
|
stat(_PATH_RHOSTS_EQUIV, &st) < 0 &&
|
|
stat(_PATH_SSH_HOSTS_EQUIV, &st) < 0)
|
|
return 0;
|
|
|
|
/* If not logging in as superuser, try /etc/hosts.equiv and shosts.equiv. */
|
|
if (pw->pw_uid != 0) {
|
|
if (check_rhosts_file(_PATH_RHOSTS_EQUIV, hostname, ipaddr,
|
|
client_user, pw->pw_name)) {
|
|
auth_debug_add("Accepted for %.100s [%.100s] by /etc/hosts.equiv.",
|
|
hostname, ipaddr);
|
|
return 1;
|
|
}
|
|
if (check_rhosts_file(_PATH_SSH_HOSTS_EQUIV, hostname, ipaddr,
|
|
client_user, pw->pw_name)) {
|
|
auth_debug_add("Accepted for %.100s [%.100s] by %.100s.",
|
|
hostname, ipaddr, _PATH_SSH_HOSTS_EQUIV);
|
|
return 1;
|
|
}
|
|
}
|
|
/*
|
|
* Check that the home directory is owned by root or the user, and is
|
|
* not group or world writable.
|
|
*/
|
|
if (stat(pw->pw_dir, &st) < 0) {
|
|
logit("Rhosts authentication refused for %.100s: "
|
|
"no home directory %.200s", pw->pw_name, pw->pw_dir);
|
|
auth_debug_add("Rhosts authentication refused for %.100s: "
|
|
"no home directory %.200s", pw->pw_name, pw->pw_dir);
|
|
return 0;
|
|
}
|
|
if (options.strict_modes &&
|
|
((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
|
|
(st.st_mode & 022) != 0)) {
|
|
logit("Rhosts authentication refused for %.100s: "
|
|
"bad ownership or modes for home directory.", pw->pw_name);
|
|
auth_debug_add("Rhosts authentication refused for %.100s: "
|
|
"bad ownership or modes for home directory.", pw->pw_name);
|
|
return 0;
|
|
}
|
|
/* Temporarily use the user's uid. */
|
|
temporarily_use_uid(pw);
|
|
|
|
/* Check all .rhosts files (currently .shosts and .rhosts). */
|
|
for (rhosts_file_index = 0; rhosts_files[rhosts_file_index];
|
|
rhosts_file_index++) {
|
|
/* Check users .rhosts or .shosts. */
|
|
snprintf(buf, sizeof buf, "%.500s/%.100s",
|
|
pw->pw_dir, rhosts_files[rhosts_file_index]);
|
|
if (stat(buf, &st) < 0)
|
|
continue;
|
|
|
|
/*
|
|
* Make sure that the file is either owned by the user or by
|
|
* root, and make sure it is not writable by anyone but the
|
|
* owner. This is to help avoid novices accidentally
|
|
* allowing access to their account by anyone.
|
|
*/
|
|
if (options.strict_modes &&
|
|
((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
|
|
(st.st_mode & 022) != 0)) {
|
|
logit("Rhosts authentication refused for %.100s: bad modes for %.200s",
|
|
pw->pw_name, buf);
|
|
auth_debug_add("Bad file modes for %.200s", buf);
|
|
continue;
|
|
}
|
|
/* Check if we have been configured to ignore .rhosts and .shosts files. */
|
|
if (options.ignore_rhosts) {
|
|
auth_debug_add("Server has been configured to ignore %.100s.",
|
|
rhosts_files[rhosts_file_index]);
|
|
continue;
|
|
}
|
|
/* Check if authentication is permitted by the file. */
|
|
if (check_rhosts_file(buf, hostname, ipaddr, client_user, pw->pw_name)) {
|
|
auth_debug_add("Accepted by %.100s.",
|
|
rhosts_files[rhosts_file_index]);
|
|
/* Restore the privileged uid. */
|
|
restore_uid();
|
|
auth_debug_add("Accepted host %s ip %s client_user %s server_user %s",
|
|
hostname, ipaddr, client_user, pw->pw_name);
|
|
return 1;
|
|
}
|
|
}
|
|
|
|
/* Restore the privileged uid. */
|
|
restore_uid();
|
|
return 0;
|
|
}
|
|
|
|
int
|
|
auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname,
|
|
const char *ipaddr)
|
|
{
|
|
int ret;
|
|
|
|
auth_debug_reset();
|
|
ret = auth_rhosts2_raw(pw, client_user, hostname, ipaddr);
|
|
if (!use_privsep)
|
|
auth_debug_send();
|
|
return ret;
|
|
}
|