mirror of
git://anongit.mindrot.org/openssh.git
synced 2024-12-01 01:36:11 +08:00
d783435315
[OVERVIEW atomicio.c atomicio.h auth-bsdauth.c auth-chall.c auth-krb5.c] [auth-options.c auth-options.h auth-passwd.c auth-rh-rsa.c auth-rhosts.c] [auth-rsa.c auth-skey.c auth.c auth.h auth1.c auth2-chall.c auth2-gss.c] [auth2-hostbased.c auth2-kbdint.c auth2-none.c auth2-passwd.c ] [auth2-pubkey.c auth2.c authfd.c authfd.h authfile.c bufaux.c bufbn.c] [buffer.c buffer.h canohost.c channels.c channels.h cipher-3des1.c] [cipher-bf1.c cipher-ctr.c cipher.c cleanup.c clientloop.c compat.c] [compress.c deattack.c dh.c dispatch.c dns.c dns.h fatal.c groupaccess.c] [groupaccess.h gss-genr.c gss-serv-krb5.c gss-serv.c hostfile.c kex.c] [kex.h kexdh.c kexdhc.c kexdhs.c kexgex.c kexgexc.c kexgexs.c key.c] [key.h log.c log.h mac.c match.c md-sha256.c misc.c misc.h moduli.c] [monitor.c monitor_fdpass.c monitor_mm.c monitor_mm.h monitor_wrap.c] [monitor_wrap.h msg.c nchan.c packet.c progressmeter.c readconf.c] [readconf.h readpass.c rsa.c scard.c scard.h scp.c servconf.c servconf.h] [serverloop.c session.c session.h sftp-client.c sftp-common.c] [sftp-common.h sftp-glob.c sftp-server.c sftp.c ssh-add.c ssh-agent.c] [ssh-dss.c ssh-gss.h ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh-rsa.c] [ssh.c ssh.h sshconnect.c sshconnect.h sshconnect1.c sshconnect2.c] [sshd.c sshlogin.c sshlogin.h sshpty.c sshpty.h sshtty.c ttymodes.c] [uidswap.c uidswap.h uuencode.c uuencode.h xmalloc.c xmalloc.h] [loginrec.c loginrec.h openbsd-compat/port-aix.c openbsd-compat/port-tun.h] almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step NB. portable commit contains everything *except* removing includes.h, as that will take a fair bit more work as we move headers that are required for portability workarounds to defines.h. (also, this step wasn't "easy")
101 lines
2.9 KiB
C
101 lines
2.9 KiB
C
/* $OpenBSD: auth-rh-rsa.c,v 1.42 2006/08/03 03:34:41 deraadt Exp $ */
|
|
/*
|
|
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
|
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
|
* All rights reserved
|
|
* Rhosts or /etc/hosts.equiv authentication combined with RSA host
|
|
* authentication.
|
|
*
|
|
* As far as I am concerned, the code I have written for this software
|
|
* can be used freely for any purpose. Any derived versions of this
|
|
* software must be clearly marked as such, and if the derived work is
|
|
* incompatible with the protocol description in the RFC file, it must be
|
|
* called by a name other than "ssh" or "Secure Shell".
|
|
*/
|
|
|
|
#include "includes.h"
|
|
|
|
#include <sys/types.h>
|
|
|
|
#include <pwd.h>
|
|
#include <stdarg.h>
|
|
|
|
#include "packet.h"
|
|
#include "uidswap.h"
|
|
#include "log.h"
|
|
#include "buffer.h"
|
|
#include "servconf.h"
|
|
#include "key.h"
|
|
#include "hostfile.h"
|
|
#include "pathnames.h"
|
|
#include "auth.h"
|
|
#include "canohost.h"
|
|
#ifdef GSSAPI
|
|
#include "ssh-gss.h"
|
|
#endif
|
|
#include "monitor_wrap.h"
|
|
|
|
/* import */
|
|
extern ServerOptions options;
|
|
|
|
int
|
|
auth_rhosts_rsa_key_allowed(struct passwd *pw, char *cuser, char *chost,
|
|
Key *client_host_key)
|
|
{
|
|
HostStatus host_status;
|
|
|
|
/* Check if we would accept it using rhosts authentication. */
|
|
if (!auth_rhosts(pw, cuser))
|
|
return 0;
|
|
|
|
host_status = check_key_in_hostfiles(pw, client_host_key,
|
|
chost, _PATH_SSH_SYSTEM_HOSTFILE,
|
|
options.ignore_user_known_hosts ? NULL : _PATH_SSH_USER_HOSTFILE);
|
|
|
|
return (host_status == HOST_OK);
|
|
}
|
|
|
|
/*
|
|
* Tries to authenticate the user using the .rhosts file and the host using
|
|
* its host key. Returns true if authentication succeeds.
|
|
*/
|
|
int
|
|
auth_rhosts_rsa(Authctxt *authctxt, char *cuser, Key *client_host_key)
|
|
{
|
|
char *chost;
|
|
struct passwd *pw = authctxt->pw;
|
|
|
|
debug("Trying rhosts with RSA host authentication for client user %.100s",
|
|
cuser);
|
|
|
|
if (!authctxt->valid || client_host_key == NULL ||
|
|
client_host_key->rsa == NULL)
|
|
return 0;
|
|
|
|
chost = (char *)get_canonical_hostname(options.use_dns);
|
|
debug("Rhosts RSA authentication: canonical host %.900s", chost);
|
|
|
|
if (!PRIVSEP(auth_rhosts_rsa_key_allowed(pw, cuser, chost, client_host_key))) {
|
|
debug("Rhosts with RSA host authentication denied: unknown or invalid host key");
|
|
packet_send_debug("Your host key cannot be verified: unknown or invalid host key.");
|
|
return 0;
|
|
}
|
|
/* A matching host key was found and is known. */
|
|
|
|
/* Perform the challenge-response dialog with the client for the host key. */
|
|
if (!auth_rsa_challenge_dialog(client_host_key)) {
|
|
logit("Client on %.800s failed to respond correctly to host authentication.",
|
|
chost);
|
|
return 0;
|
|
}
|
|
/*
|
|
* We have authenticated the user using .rhosts or /etc/hosts.equiv,
|
|
* and the host using RSA. We accept the authentication.
|
|
*/
|
|
|
|
verbose("Rhosts with RSA host authentication accepted for %.100s, %.100s on %.700s.",
|
|
pw->pw_name, cuser, chost);
|
|
packet_send_debug("Rhosts with RSA host authentication accepted.");
|
|
return 1;
|
|
}
|