version 1.27, 2002/03/04 12:43:06 |
version 1.28, 2002/05/13 21:26:49 |
|
|
|
|
/* import */ |
/* import */ |
extern ServerOptions options; |
extern ServerOptions options; |
|
extern int use_privsep; |
|
|
/* |
/* |
* This function processes an rhosts-style file (.rhosts, .shosts, or |
* This function processes an rhosts-style file (.rhosts, .shosts, or |
|
|
*/ |
*/ |
switch (sscanf(buf, "%s %s %s", hostbuf, userbuf, dummy)) { |
switch (sscanf(buf, "%s %s %s", hostbuf, userbuf, dummy)) { |
case 0: |
case 0: |
packet_send_debug("Found empty line in %.100s.", filename); |
auth_debug_add("Found empty line in %.100s.", filename); |
continue; |
continue; |
case 1: |
case 1: |
/* Host name only. */ |
/* Host name only. */ |
|
|
/* Got both host and user name. */ |
/* Got both host and user name. */ |
break; |
break; |
case 3: |
case 3: |
packet_send_debug("Found garbage in %.100s.", filename); |
auth_debug_add("Found garbage in %.100s.", filename); |
continue; |
continue; |
default: |
default: |
/* Weird... */ |
/* Weird... */ |
|
|
/* Check for empty host/user names (particularly '+'). */ |
/* Check for empty host/user names (particularly '+'). */ |
if (!host[0] || !user[0]) { |
if (!host[0] || !user[0]) { |
/* We come here if either was '+' or '-'. */ |
/* We come here if either was '+' or '-'. */ |
packet_send_debug("Ignoring wild host/user names in %.100s.", |
auth_debug_add("Ignoring wild host/user names in %.100s.", |
filename); |
filename); |
continue; |
continue; |
} |
} |
/* Verify that host name matches. */ |
/* Verify that host name matches. */ |
|
|
|
|
/* If the entry was negated, deny access. */ |
/* If the entry was negated, deny access. */ |
if (negated) { |
if (negated) { |
packet_send_debug("Matched negative entry in %.100s.", |
auth_debug_add("Matched negative entry in %.100s.", |
filename); |
filename); |
return 0; |
return 0; |
} |
} |
/* Accept authentication. */ |
/* Accept authentication. */ |
|
|
auth_rhosts(struct passwd *pw, const char *client_user) |
auth_rhosts(struct passwd *pw, const char *client_user) |
{ |
{ |
const char *hostname, *ipaddr; |
const char *hostname, *ipaddr; |
int ret; |
|
|
|
hostname = get_canonical_hostname(options.verify_reverse_mapping); |
hostname = get_canonical_hostname(options.verify_reverse_mapping); |
ipaddr = get_remote_ipaddr(); |
ipaddr = get_remote_ipaddr(); |
ret = auth_rhosts2(pw, client_user, hostname, ipaddr); |
return auth_rhosts2(pw, client_user, hostname, ipaddr); |
return ret; |
|
} |
} |
|
|
int |
static int |
auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname, |
auth_rhosts2_raw(struct passwd *pw, const char *client_user, const char *hostname, |
const char *ipaddr) |
const char *ipaddr) |
{ |
{ |
char buf[1024]; |
char buf[1024]; |
|
|
if (pw->pw_uid != 0) { |
if (pw->pw_uid != 0) { |
if (check_rhosts_file(_PATH_RHOSTS_EQUIV, hostname, ipaddr, |
if (check_rhosts_file(_PATH_RHOSTS_EQUIV, hostname, ipaddr, |
client_user, pw->pw_name)) { |
client_user, pw->pw_name)) { |
packet_send_debug("Accepted for %.100s [%.100s] by /etc/hosts.equiv.", |
auth_debug_add("Accepted for %.100s [%.100s] by /etc/hosts.equiv.", |
hostname, ipaddr); |
hostname, ipaddr); |
return 1; |
return 1; |
} |
} |
if (check_rhosts_file(_PATH_SSH_HOSTS_EQUIV, hostname, ipaddr, |
if (check_rhosts_file(_PATH_SSH_HOSTS_EQUIV, hostname, ipaddr, |
client_user, pw->pw_name)) { |
client_user, pw->pw_name)) { |
packet_send_debug("Accepted for %.100s [%.100s] by %.100s.", |
auth_debug_add("Accepted for %.100s [%.100s] by %.100s.", |
hostname, ipaddr, _PATH_SSH_HOSTS_EQUIV); |
hostname, ipaddr, _PATH_SSH_HOSTS_EQUIV); |
return 1; |
return 1; |
} |
} |
|
|
* not group or world writable. |
* not group or world writable. |
*/ |
*/ |
if (stat(pw->pw_dir, &st) < 0) { |
if (stat(pw->pw_dir, &st) < 0) { |
log("Rhosts authentication refused for %.100s: no home directory %.200s", |
log("Rhosts authentication refused for %.100s: " |
pw->pw_name, pw->pw_dir); |
"no home directory %.200s", pw->pw_name, pw->pw_dir); |
packet_send_debug("Rhosts authentication refused for %.100s: no home directory %.200s", |
auth_debug_add("Rhosts authentication refused for %.100s: " |
pw->pw_name, pw->pw_dir); |
"no home directory %.200s", pw->pw_name, pw->pw_dir); |
return 0; |
return 0; |
} |
} |
if (options.strict_modes && |
if (options.strict_modes && |
((st.st_uid != 0 && st.st_uid != pw->pw_uid) || |
((st.st_uid != 0 && st.st_uid != pw->pw_uid) || |
(st.st_mode & 022) != 0)) { |
(st.st_mode & 022) != 0)) { |
log("Rhosts authentication refused for %.100s: bad ownership or modes for home directory.", |
log("Rhosts authentication refused for %.100s: " |
pw->pw_name); |
"bad ownership or modes for home directory.", pw->pw_name); |
packet_send_debug("Rhosts authentication refused for %.100s: bad ownership or modes for home directory.", |
auth_debug_add("Rhosts authentication refused for %.100s: " |
pw->pw_name); |
"bad ownership or modes for home directory.", pw->pw_name); |
return 0; |
return 0; |
} |
} |
/* Temporarily use the user's uid. */ |
/* Temporarily use the user's uid. */ |
|
|
(st.st_mode & 022) != 0)) { |
(st.st_mode & 022) != 0)) { |
log("Rhosts authentication refused for %.100s: bad modes for %.200s", |
log("Rhosts authentication refused for %.100s: bad modes for %.200s", |
pw->pw_name, buf); |
pw->pw_name, buf); |
packet_send_debug("Bad file modes for %.200s", buf); |
auth_debug_add("Bad file modes for %.200s", buf); |
continue; |
continue; |
} |
} |
/* Check if we have been configured to ignore .rhosts and .shosts files. */ |
/* Check if we have been configured to ignore .rhosts and .shosts files. */ |
if (options.ignore_rhosts) { |
if (options.ignore_rhosts) { |
packet_send_debug("Server has been configured to ignore %.100s.", |
auth_debug_add("Server has been configured to ignore %.100s.", |
rhosts_files[rhosts_file_index]); |
rhosts_files[rhosts_file_index]); |
continue; |
continue; |
} |
} |
/* Check if authentication is permitted by the file. */ |
/* Check if authentication is permitted by the file. */ |
if (check_rhosts_file(buf, hostname, ipaddr, client_user, pw->pw_name)) { |
if (check_rhosts_file(buf, hostname, ipaddr, client_user, pw->pw_name)) { |
packet_send_debug("Accepted by %.100s.", |
auth_debug_add("Accepted by %.100s.", |
rhosts_files[rhosts_file_index]); |
rhosts_files[rhosts_file_index]); |
/* Restore the privileged uid. */ |
/* Restore the privileged uid. */ |
restore_uid(); |
restore_uid(); |
|
auth_debug_add("Accepted host %s ip %s client_user %s server_user %s", |
|
hostname, ipaddr, client_user, pw->pw_name); |
return 1; |
return 1; |
} |
} |
} |
} |
|
|
/* Restore the privileged uid. */ |
/* Restore the privileged uid. */ |
restore_uid(); |
restore_uid(); |
return 0; |
return 0; |
|
} |
|
|
|
int |
|
auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname, |
|
const char *ipaddr) |
|
{ |
|
int ret; |
|
|
|
auth_debug_reset(); |
|
ret = auth_rhosts2_raw(pw, client_user, hostname, ipaddr); |
|
if (!use_privsep) |
|
auth_debug_send(); |
|
return ret; |
} |
} |
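Review bot: The acceptance message added near the end of auth_rhosts2_raw, `auth_debug_add("Accepted host %s ip %s client_user %s server_user %s", ...)`, uses unbounded `%s` conversions while every other message in this file bounds its string arguments with `%.100s`; since client_user appears to originate from the remote peer, the same bound belongs here: `auth_debug_add("Accepted host %.100s ip %.100s client_user %.100s server_user %.100s", hostname, ipaddr, client_user, pw->pw_name);`. The new auth_rhosts2 wrapper resets the debug buffer before the raw call and flushes it with auth_debug_send() only when use_privsep is unset; how the buffered messages are delivered in the privilege-separated case is not visible here, so a one-line comment on the `if (!use_privsep)` test stating who flushes the buffer in that case (presumably the monitor, to be confirmed) would save the next reader a search. The bodies of check_rhosts_file and auth_rhosts2_raw both extend beyond the lines shown.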