version 1.16, 2000/10/03 18:03:03 |
version 1.16.2.4, 2001/05/07 21:09:25 |
|
|
RCSID("$OpenBSD$"); |
RCSID("$OpenBSD$"); |
|
|
#include "packet.h" |
#include "packet.h" |
#include "ssh.h" |
|
#include "xmalloc.h" |
#include "xmalloc.h" |
#include "uidswap.h" |
#include "uidswap.h" |
|
#include "pathnames.h" |
|
#include "log.h" |
#include "servconf.h" |
#include "servconf.h" |
|
#include "canohost.h" |
|
#include "auth.h" |
|
|
|
/* import */ |
|
extern ServerOptions options; |
|
|
/* |
/* |
* This function processes an rhosts-style file (.rhosts, .shosts, or |
* This function processes an rhosts-style file (.rhosts, .shosts, or |
* /etc/hosts.equiv). This returns true if authentication can be granted |
* /etc/hosts.equiv). This returns true if authentication can be granted |
|
|
int |
int |
auth_rhosts(struct passwd *pw, const char *client_user) |
auth_rhosts(struct passwd *pw, const char *client_user) |
{ |
{ |
extern ServerOptions options; |
|
char buf[1024]; |
|
const char *hostname, *ipaddr; |
const char *hostname, *ipaddr; |
|
int ret; |
|
|
|
hostname = get_canonical_hostname(options.reverse_mapping_check); |
|
ipaddr = get_remote_ipaddr(); |
|
ret = auth_rhosts2(pw, client_user, hostname, ipaddr); |
|
return ret; |
|
} |
|
|
|
int |
|
auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname, |
|
const char *ipaddr) |
|
{ |
|
char buf[1024]; |
struct stat st; |
struct stat st; |
static const char *rhosts_files[] = {".shosts", ".rhosts", NULL}; |
static const char *rhosts_files[] = {".shosts", ".rhosts", NULL}; |
unsigned int rhosts_file_index; |
u_int rhosts_file_index; |
|
|
|
debug2("auth_rhosts2: clientuser %s hostname %s ipaddr %s", |
|
client_user, hostname, ipaddr); |
|
|
/* no user given */ |
/* no user given */ |
if (pw == NULL) |
if (pw == NULL) |
return 0; |
return 0; |
|
|
/* Switch to the user's uid. */ |
/* Switch to the user's uid. */ |
temporarily_use_uid(pw->pw_uid); |
temporarily_use_uid(pw); |
/* |
/* |
* Quick check: if the user has no .shosts or .rhosts files, return |
* Quick check: if the user has no .shosts or .rhosts files, return |
* failure immediately without doing costly lookups from name |
* failure immediately without doing costly lookups from name |
|
|
|
|
/* Deny if The user has no .shosts or .rhosts file and there are no system-wide files. */ |
/* Deny if The user has no .shosts or .rhosts file and there are no system-wide files. */ |
if (!rhosts_files[rhosts_file_index] && |
if (!rhosts_files[rhosts_file_index] && |
stat("/etc/hosts.equiv", &st) < 0 && |
stat(_PATH_RHOSTS_EQUIV, &st) < 0 && |
stat(SSH_HOSTS_EQUIV, &st) < 0) |
stat(_PATH_SSH_HOSTS_EQUIV, &st) < 0) |
return 0; |
return 0; |
|
|
hostname = get_canonical_hostname(); |
|
ipaddr = get_remote_ipaddr(); |
|
|
|
/* If not logging in as superuser, try /etc/hosts.equiv and shosts.equiv. */ |
/* If not logging in as superuser, try /etc/hosts.equiv and shosts.equiv. */ |
if (pw->pw_uid != 0) { |
if (pw->pw_uid != 0) { |
if (check_rhosts_file("/etc/hosts.equiv", hostname, ipaddr, client_user, |
if (check_rhosts_file(_PATH_RHOSTS_EQUIV, hostname, ipaddr, client_user, |
pw->pw_name)) { |
pw->pw_name)) { |
packet_send_debug("Accepted for %.100s [%.100s] by /etc/hosts.equiv.", |
packet_send_debug("Accepted for %.100s [%.100s] by /etc/hosts.equiv.", |
hostname, ipaddr); |
hostname, ipaddr); |
return 1; |
return 1; |
} |
} |
if (check_rhosts_file(SSH_HOSTS_EQUIV, hostname, ipaddr, client_user, |
if (check_rhosts_file(_PATH_SSH_HOSTS_EQUIV, hostname, ipaddr, client_user, |
pw->pw_name)) { |
pw->pw_name)) { |
packet_send_debug("Accepted for %.100s [%.100s] by %.100s.", |
packet_send_debug("Accepted for %.100s [%.100s] by %.100s.", |
hostname, ipaddr, SSH_HOSTS_EQUIV); |
hostname, ipaddr, _PATH_SSH_HOSTS_EQUIV); |
return 1; |
return 1; |
} |
} |
} |
} |
|
|
return 0; |
return 0; |
} |
} |
/* Temporarily use the user's uid. */ |
/* Temporarily use the user's uid. */ |
temporarily_use_uid(pw->pw_uid); |
temporarily_use_uid(pw); |
|
|
/* Check all .rhosts files (currently .shosts and .rhosts). */ |
/* Check all .rhosts files (currently .shosts and .rhosts). */ |
for (rhosts_file_index = 0; rhosts_files[rhosts_file_index]; |
for (rhosts_file_index = 0; rhosts_files[rhosts_file_index]; |