File: [local] / src / usr.bin / ssh / Attic / auth-rh-rsa.c (download)
Revision 1.2, Sun Oct 3 21:50:03 1999 UTC (24 years, 8 months ago) by provos
Branch: MAIN
CVS Tags: OPENBSD_2_6_BASE, OPENBSD_2_6
Changes since 1.1: +17 -10 lines
add code to detect DNS spoofing:
the main idea is to not only store the host key for the hostname but
also for the according IP address. When we check the host key in the
known_hosts file, we also check the key against the according IP address.
When the server key changes, host_status = HOST_CHANGED. If
check_host_in_hostfile() returns differing status for the IP address
that means that either DNS was spoofed or that the IP address
for the host and the host key changed at the same time.
|
/*
auth-rh-rsa.c
Author: Tatu Ylonen <ylo@cs.hut.fi>
Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
All rights reserved
Created: Sun May 7 03:08:06 1995 ylo
Rhosts or /etc/hosts.equiv authentication combined with RSA host
authentication.
*/
#include "includes.h"
RCSID("$Id: auth-rh-rsa.c,v 1.2 1999/10/03 21:50:03 provos Exp $");
#include "packet.h"
#include "ssh.h"
#include "xmalloc.h"
#include "uidswap.h"
/* Tries to authenticate the user using the .rhosts file and the host using
its host key. Returns true if authentication succeeds.
.rhosts and .shosts will be ignored if ignore_rhosts is non-zero. */
int auth_rhosts_rsa(struct passwd *pw, const char *client_user,
unsigned int client_host_key_bits,
BIGNUM *client_host_key_e, BIGNUM *client_host_key_n,
int ignore_rhosts, int strict_modes)
{
const char *canonical_hostname;
HostStatus host_status;
BIGNUM *ke, *kn;
debug("Trying rhosts with RSA host authentication for %.100s", client_user);
/* Check if we would accept it using rhosts authentication. */
if (!auth_rhosts(pw, client_user, ignore_rhosts, strict_modes))
return 0;
canonical_hostname = get_canonical_hostname();
debug("Rhosts RSA authentication: canonical host %.900s",
canonical_hostname);
/* Check if we know the host and its host key. */
/* Check system-wide host file. */
ke = BN_new();
kn = BN_new();
host_status = check_host_in_hostfile(SSH_SYSTEM_HOSTFILE, canonical_hostname,
client_host_key_bits, client_host_key_e,
client_host_key_n, ke, kn);
BN_free(ke);
BN_free(kn);
if (host_status != HOST_OK) {
/* The host key was not found. */
debug("Rhosts with RSA host authentication denied: unknown or invalid host key");
packet_send_debug("Your host key cannot be verified: unknown or invalid host key.");
return 0;
}
/* A matching host key was found and is known. */
/* Perform the challenge-response dialog with the client for the host key. */
if (!auth_rsa_challenge_dialog(client_host_key_bits,
client_host_key_e, client_host_key_n))
{
log("Client on %.800s failed to respond correctly to host authentication.",
canonical_hostname);
return 0;
}
/* We have authenticated the user using .rhosts or /etc/hosts.equiv, and
the host using RSA. We accept the authentication. */
log("Rhosts with RSA host authentication accepted for %.100s, %.100s on %.700s.",
pw->pw_name, client_user, canonical_hostname);
packet_send_debug("Rhosts with RSA host authentication accepted.");
return 1;
}
![[BACK]](/icons/back.gif){kind=icon}
Return to auth-rh-rsa.c CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / ssh