=================================================================== RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/auth-rhosts.c,v retrieving revision 1.16 retrieving revision 1.16.2.6 diff -u -r1.16 -r1.16.2.6 --- src/usr.bin/ssh/auth-rhosts.c 2000/10/03 18:03:03 1.16 +++ src/usr.bin/ssh/auth-rhosts.c 2002/03/08 17:04:41 1.16.2.6 @@ -14,21 +14,26 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth-rhosts.c,v 1.16 2000/10/03 18:03:03 markus Exp $"); +RCSID("$OpenBSD: auth-rhosts.c,v 1.16.2.6 2002/03/08 17:04:41 brad Exp $"); #include "packet.h" -#include "ssh.h" -#include "xmalloc.h" #include "uidswap.h" +#include "pathnames.h" +#include "log.h" #include "servconf.h" +#include "canohost.h" +#include "auth.h" +/* import */ +extern ServerOptions options; + /* * This function processes an rhosts-style file (.rhosts, .shosts, or * /etc/hosts.equiv). This returns true if authentication can be granted * based on the file, and returns zero otherwise. */ -int +static int check_rhosts_file(const char *filename, const char *hostname, const char *ipaddr, const char *client_user, const char *server_user) @@ -147,25 +152,40 @@ int auth_rhosts(struct passwd *pw, const char *client_user) { - extern ServerOptions options; - char buf[1024]; const char *hostname, *ipaddr; + int ret; + + hostname = get_canonical_hostname(options.verify_reverse_mapping); + ipaddr = get_remote_ipaddr(); + ret = auth_rhosts2(pw, client_user, hostname, ipaddr); + return ret; +} + +int +auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname, + const char *ipaddr) +{ + char buf[1024]; struct stat st; static const char *rhosts_files[] = {".shosts", ".rhosts", NULL}; - unsigned int rhosts_file_index; + u_int rhosts_file_index; + debug2("auth_rhosts2: clientuser %s hostname %s ipaddr %s", + client_user, hostname, ipaddr); + /* no user given */ if (pw == NULL) return 0; + /* Switch to the user's uid. */ - temporarily_use_uid(pw->pw_uid); + temporarily_use_uid(pw); /* * Quick check: if the user has no .shosts or .rhosts files, return * failure immediately without doing costly lookups from name * servers. */ for (rhosts_file_index = 0; rhosts_files[rhosts_file_index]; - rhosts_file_index++) { + rhosts_file_index++) { /* Check users .rhosts or .shosts. */ snprintf(buf, sizeof buf, "%.500s/%.100s", pw->pw_dir, rhosts_files[rhosts_file_index]); @@ -177,25 +197,22 @@ /* Deny if The user has no .shosts or .rhosts file and there are no system-wide files. */ if (!rhosts_files[rhosts_file_index] && - stat("/etc/hosts.equiv", &st) < 0 && - stat(SSH_HOSTS_EQUIV, &st) < 0) + stat(_PATH_RHOSTS_EQUIV, &st) < 0 && + stat(_PATH_SSH_HOSTS_EQUIV, &st) < 0) return 0; - hostname = get_canonical_hostname(); - ipaddr = get_remote_ipaddr(); - /* If not logging in as superuser, try /etc/hosts.equiv and shosts.equiv. */ if (pw->pw_uid != 0) { - if (check_rhosts_file("/etc/hosts.equiv", hostname, ipaddr, client_user, - pw->pw_name)) { + if (check_rhosts_file(_PATH_RHOSTS_EQUIV, hostname, ipaddr, + client_user, pw->pw_name)) { packet_send_debug("Accepted for %.100s [%.100s] by /etc/hosts.equiv.", - hostname, ipaddr); + hostname, ipaddr); return 1; } - if (check_rhosts_file(SSH_HOSTS_EQUIV, hostname, ipaddr, client_user, - pw->pw_name)) { + if (check_rhosts_file(_PATH_SSH_HOSTS_EQUIV, hostname, ipaddr, + client_user, pw->pw_name)) { packet_send_debug("Accepted for %.100s [%.100s] by %.100s.", - hostname, ipaddr, SSH_HOSTS_EQUIV); + hostname, ipaddr, _PATH_SSH_HOSTS_EQUIV); return 1; } } @@ -212,7 +229,7 @@ } if (options.strict_modes && ((st.st_uid != 0 && st.st_uid != pw->pw_uid) || - (st.st_mode & 022) != 0)) { + (st.st_mode & 022) != 0)) { log("Rhosts authentication refused for %.100s: bad ownership or modes for home directory.", pw->pw_name); packet_send_debug("Rhosts authentication refused for %.100s: bad ownership or modes for home directory.", @@ -220,11 +237,11 @@ return 0; } /* Temporarily use the user's uid. */ - temporarily_use_uid(pw->pw_uid); + temporarily_use_uid(pw); /* Check all .rhosts files (currently .shosts and .rhosts). */ for (rhosts_file_index = 0; rhosts_files[rhosts_file_index]; - rhosts_file_index++) { + rhosts_file_index++) { /* Check users .rhosts or .shosts. */ snprintf(buf, sizeof buf, "%.500s/%.100s", pw->pw_dir, rhosts_files[rhosts_file_index]); @@ -239,7 +256,7 @@ */ if (options.strict_modes && ((st.st_uid != 0 && st.st_uid != pw->pw_uid) || - (st.st_mode & 022) != 0)) { + (st.st_mode & 022) != 0)) { log("Rhosts authentication refused for %.100s: bad modes for %.200s", pw->pw_name, buf); packet_send_debug("Bad file modes for %.200s", buf);