| version 1.23.2.3, 2002/06/02 22:56:09 |
version 1.24, 2001/06/23 15:12:17 |
|
|
| RCSID("$OpenBSD$"); |
RCSID("$OpenBSD$"); |
| |
|
| #include "packet.h" |
#include "packet.h" |
| |
#include "xmalloc.h" |
| #include "uidswap.h" |
#include "uidswap.h" |
| #include "pathnames.h" |
#include "pathnames.h" |
| #include "log.h" |
#include "log.h" |
|
|
| |
|
| /* import */ |
/* import */ |
| extern ServerOptions options; |
extern ServerOptions options; |
| extern int use_privsep; |
|
| |
|
| /* |
/* |
| * This function processes an rhosts-style file (.rhosts, .shosts, or |
* This function processes an rhosts-style file (.rhosts, .shosts, or |
|
|
| */ |
*/ |
| switch (sscanf(buf, "%s %s %s", hostbuf, userbuf, dummy)) { |
switch (sscanf(buf, "%s %s %s", hostbuf, userbuf, dummy)) { |
| case 0: |
case 0: |
| auth_debug_add("Found empty line in %.100s.", filename); |
packet_send_debug("Found empty line in %.100s.", filename); |
| continue; |
continue; |
| case 1: |
case 1: |
| /* Host name only. */ |
/* Host name only. */ |
|
|
| /* Got both host and user name. */ |
/* Got both host and user name. */ |
| break; |
break; |
| case 3: |
case 3: |
| auth_debug_add("Found garbage in %.100s.", filename); |
packet_send_debug("Found garbage in %.100s.", filename); |
| continue; |
continue; |
| default: |
default: |
| /* Weird... */ |
/* Weird... */ |
|
|
| /* Check for empty host/user names (particularly '+'). */ |
/* Check for empty host/user names (particularly '+'). */ |
| if (!host[0] || !user[0]) { |
if (!host[0] || !user[0]) { |
| /* We come here if either was '+' or '-'. */ |
/* We come here if either was '+' or '-'. */ |
| auth_debug_add("Ignoring wild host/user names in %.100s.", |
packet_send_debug("Ignoring wild host/user names in %.100s.", |
| filename); |
filename); |
| continue; |
continue; |
| } |
} |
| /* Verify that host name matches. */ |
/* Verify that host name matches. */ |
|
|
| |
|
| /* If the entry was negated, deny access. */ |
/* If the entry was negated, deny access. */ |
| if (negated) { |
if (negated) { |
| auth_debug_add("Matched negative entry in %.100s.", |
packet_send_debug("Matched negative entry in %.100s.", |
| filename); |
filename); |
| return 0; |
return 0; |
| } |
} |
| /* Accept authentication. */ |
/* Accept authentication. */ |
|
|
| auth_rhosts(struct passwd *pw, const char *client_user) |
auth_rhosts(struct passwd *pw, const char *client_user) |
| { |
{ |
| const char *hostname, *ipaddr; |
const char *hostname, *ipaddr; |
| |
int ret; |
| |
|
| hostname = get_canonical_hostname(options.verify_reverse_mapping); |
hostname = get_canonical_hostname(options.reverse_mapping_check); |
| ipaddr = get_remote_ipaddr(); |
ipaddr = get_remote_ipaddr(); |
| return auth_rhosts2(pw, client_user, hostname, ipaddr); |
ret = auth_rhosts2(pw, client_user, hostname, ipaddr); |
| |
return ret; |
| } |
} |
| |
|
| static int |
int |
| auth_rhosts2_raw(struct passwd *pw, const char *client_user, const char *hostname, |
auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname, |
| const char *ipaddr) |
const char *ipaddr) |
| { |
{ |
| char buf[1024]; |
char buf[1024]; |
|
|
| * servers. |
* servers. |
| */ |
*/ |
| for (rhosts_file_index = 0; rhosts_files[rhosts_file_index]; |
for (rhosts_file_index = 0; rhosts_files[rhosts_file_index]; |
| rhosts_file_index++) { |
rhosts_file_index++) { |
| /* Check users .rhosts or .shosts. */ |
/* Check users .rhosts or .shosts. */ |
| snprintf(buf, sizeof buf, "%.500s/%.100s", |
snprintf(buf, sizeof buf, "%.500s/%.100s", |
| pw->pw_dir, rhosts_files[rhosts_file_index]); |
pw->pw_dir, rhosts_files[rhosts_file_index]); |
|
|
| |
|
| /* If not logging in as superuser, try /etc/hosts.equiv and shosts.equiv. */ |
/* If not logging in as superuser, try /etc/hosts.equiv and shosts.equiv. */ |
| if (pw->pw_uid != 0) { |
if (pw->pw_uid != 0) { |
| if (check_rhosts_file(_PATH_RHOSTS_EQUIV, hostname, ipaddr, |
if (check_rhosts_file(_PATH_RHOSTS_EQUIV, hostname, ipaddr, client_user, |
| client_user, pw->pw_name)) { |
pw->pw_name)) { |
| auth_debug_add("Accepted for %.100s [%.100s] by /etc/hosts.equiv.", |
packet_send_debug("Accepted for %.100s [%.100s] by /etc/hosts.equiv.", |
| hostname, ipaddr); |
hostname, ipaddr); |
| return 1; |
return 1; |
| } |
} |
| if (check_rhosts_file(_PATH_SSH_HOSTS_EQUIV, hostname, ipaddr, |
if (check_rhosts_file(_PATH_SSH_HOSTS_EQUIV, hostname, ipaddr, client_user, |
| client_user, pw->pw_name)) { |
pw->pw_name)) { |
| auth_debug_add("Accepted for %.100s [%.100s] by %.100s.", |
packet_send_debug("Accepted for %.100s [%.100s] by %.100s.", |
| hostname, ipaddr, _PATH_SSH_HOSTS_EQUIV); |
hostname, ipaddr, _PATH_SSH_HOSTS_EQUIV); |
| return 1; |
return 1; |
| } |
} |
| } |
} |
|
|
| * not group or world writable. |
* not group or world writable. |
| */ |
*/ |
| if (stat(pw->pw_dir, &st) < 0) { |
if (stat(pw->pw_dir, &st) < 0) { |
| log("Rhosts authentication refused for %.100s: " |
log("Rhosts authentication refused for %.100s: no home directory %.200s", |
| "no home directory %.200s", pw->pw_name, pw->pw_dir); |
pw->pw_name, pw->pw_dir); |
| auth_debug_add("Rhosts authentication refused for %.100s: " |
packet_send_debug("Rhosts authentication refused for %.100s: no home directory %.200s", |
| "no home directory %.200s", pw->pw_name, pw->pw_dir); |
pw->pw_name, pw->pw_dir); |
| return 0; |
return 0; |
| } |
} |
| if (options.strict_modes && |
if (options.strict_modes && |
| ((st.st_uid != 0 && st.st_uid != pw->pw_uid) || |
((st.st_uid != 0 && st.st_uid != pw->pw_uid) || |
| (st.st_mode & 022) != 0)) { |
(st.st_mode & 022) != 0)) { |
| log("Rhosts authentication refused for %.100s: " |
log("Rhosts authentication refused for %.100s: bad ownership or modes for home directory.", |
| "bad ownership or modes for home directory.", pw->pw_name); |
pw->pw_name); |
| auth_debug_add("Rhosts authentication refused for %.100s: " |
packet_send_debug("Rhosts authentication refused for %.100s: bad ownership or modes for home directory.", |
| "bad ownership or modes for home directory.", pw->pw_name); |
pw->pw_name); |
| return 0; |
return 0; |
| } |
} |
| /* Temporarily use the user's uid. */ |
/* Temporarily use the user's uid. */ |
|
|
| |
|
| /* Check all .rhosts files (currently .shosts and .rhosts). */ |
/* Check all .rhosts files (currently .shosts and .rhosts). */ |
| for (rhosts_file_index = 0; rhosts_files[rhosts_file_index]; |
for (rhosts_file_index = 0; rhosts_files[rhosts_file_index]; |
| rhosts_file_index++) { |
rhosts_file_index++) { |
| /* Check users .rhosts or .shosts. */ |
/* Check users .rhosts or .shosts. */ |
| snprintf(buf, sizeof buf, "%.500s/%.100s", |
snprintf(buf, sizeof buf, "%.500s/%.100s", |
| pw->pw_dir, rhosts_files[rhosts_file_index]); |
pw->pw_dir, rhosts_files[rhosts_file_index]); |
|
|
| */ |
*/ |
| if (options.strict_modes && |
if (options.strict_modes && |
| ((st.st_uid != 0 && st.st_uid != pw->pw_uid) || |
((st.st_uid != 0 && st.st_uid != pw->pw_uid) || |
| (st.st_mode & 022) != 0)) { |
(st.st_mode & 022) != 0)) { |
| log("Rhosts authentication refused for %.100s: bad modes for %.200s", |
log("Rhosts authentication refused for %.100s: bad modes for %.200s", |
| pw->pw_name, buf); |
pw->pw_name, buf); |
| auth_debug_add("Bad file modes for %.200s", buf); |
packet_send_debug("Bad file modes for %.200s", buf); |
| continue; |
continue; |
| } |
} |
| /* Check if we have been configured to ignore .rhosts and .shosts files. */ |
/* Check if we have been configured to ignore .rhosts and .shosts files. */ |
| if (options.ignore_rhosts) { |
if (options.ignore_rhosts) { |
| auth_debug_add("Server has been configured to ignore %.100s.", |
packet_send_debug("Server has been configured to ignore %.100s.", |
| rhosts_files[rhosts_file_index]); |
rhosts_files[rhosts_file_index]); |
| continue; |
continue; |
| } |
} |
| /* Check if authentication is permitted by the file. */ |
/* Check if authentication is permitted by the file. */ |
| if (check_rhosts_file(buf, hostname, ipaddr, client_user, pw->pw_name)) { |
if (check_rhosts_file(buf, hostname, ipaddr, client_user, pw->pw_name)) { |
| auth_debug_add("Accepted by %.100s.", |
packet_send_debug("Accepted by %.100s.", |
| rhosts_files[rhosts_file_index]); |
rhosts_files[rhosts_file_index]); |
| /* Restore the privileged uid. */ |
/* Restore the privileged uid. */ |
| restore_uid(); |
restore_uid(); |
| auth_debug_add("Accepted host %s ip %s client_user %s server_user %s", |
|
| hostname, ipaddr, client_user, pw->pw_name); |
|
| return 1; |
return 1; |
| } |
} |
| } |
} |
|
|
| /* Restore the privileged uid. */ |
/* Restore the privileged uid. */ |
| restore_uid(); |
restore_uid(); |
| return 0; |
return 0; |
| } |
|
| |
|
| int |
|
| auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname, |
|
| const char *ipaddr) |
|
| { |
|
| int ret; |
|
| |
|
| auth_debug_reset(); |
|
| ret = auth_rhosts2_raw(pw, client_user, hostname, ipaddr); |
|
| if (!use_privsep) |
|
| auth_debug_send(); |
|
| return ret; |
|
| } |
} |
![[BACK]](/icons/back.gif){kind=icon}
Return to auth-rhosts.c CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / ssh