author | dtucker@openbsd.org <dtucker@openbsd.org> | 2018-07-16 11:05:41 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2018-07-19 20:17:33 +1000 |
commit | 26efc2f5df0e3bcf6a6bbdd0506fd682d60c2145 (patch) | |
tree | 9cd4755df1683a1c861fb380f47b1d141ba25c44 | |
parent | 3eb7f1038d17af7aea3c2c62d1e30cd545607640 (diff) |
upstream: Remove support for loading HostBasedAuthentication keys
directly in ssh(1) and always use ssh-keysign. This removes one of the few
remaining reasons why ssh(1) might be setuid. ok markus@
OpenBSD-Commit-ID: 97f01e1448707129a20d75f86bad5d27c3cf0b7d
-rw-r--r-- | ssh.c | 35 | ||||
-rw-r--r-- | sshconnect.h | 3 | ||||
-rw-r--r-- | sshconnect2.c | 10 |
3 files changed, 9 insertions, 39 deletions
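--- a/ssh.c
+++ b/ssh.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh.c,v 1.484 2018/07/16 07:06:50 djm Exp $ */
+/* $OpenBSD: ssh.c,v 1.485 2018/07/16 11:05:41 dtucker Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1411,16 +1411,12 @@ main(int ac, char **av)
 debug3("timeout: %d ms remain after connect", timeout_ms);
 
 /*
-* If we successfully made the connection, load the host private key
-* in case we will need it later for hostbased
-* authentication. This must be done before releasing extra
-* privileges, because the file is only readable by root.
-* If we cannot access the private keys, load the public keys
-* instead and try to execute the ssh-keysign helper instead.
+* If we successfully made the connection and we have hostbased auth
+* enabled, load the public keys so we can later use the ssh-keysign
+* helper to sign challenges.
 */
 sensitive_data.nkeys = 0;
 sensitive_data.keys = NULL;
-sensitive_data.external_keysign = 0;
 if (options.hostbased_authentication) {
 sensitive_data.nkeys = 11;
 sensitive_data.keys = xcalloc(sensitive_data.nkeys,
@@ -1439,27 +1435,7 @@ main(int ac, char **av)
 #define L_CERT(p,o) \
 check_load(sshkey_load_cert(p, &(sensitive_data.keys[o])), p, "cert")
 
-PRIV_START;
-L_KEYCERT(KEY_ECDSA, _PATH_HOST_ECDSA_KEY_FILE, 1);
-L_KEYCERT(KEY_ED25519, _PATH_HOST_ED25519_KEY_FILE, 2);
-L_KEYCERT(KEY_RSA, _PATH_HOST_RSA_KEY_FILE, 3);
-L_KEYCERT(KEY_DSA, _PATH_HOST_DSA_KEY_FILE, 4);
-L_KEY(KEY_ECDSA, _PATH_HOST_ECDSA_KEY_FILE, 5);
-L_KEY(KEY_ED25519, _PATH_HOST_ED25519_KEY_FILE, 6);
-L_KEY(KEY_RSA, _PATH_HOST_RSA_KEY_FILE, 7);
-L_KEY(KEY_DSA, _PATH_HOST_DSA_KEY_FILE, 8);
-L_KEYCERT(KEY_XMSS, _PATH_HOST_XMSS_KEY_FILE, 9);
-L_KEY(KEY_XMSS, _PATH_HOST_XMSS_KEY_FILE, 10);
-PRIV_END;
-
-if (options.hostbased_authentication == 1 &&
-sensitive_data.keys[0] == NULL &&
-sensitive_data.keys[5] == NULL &&
-sensitive_data.keys[6] == NULL &&
-sensitive_data.keys[7] == NULL &&
-sensitive_data.keys[8] == NULL &&
-sensitive_data.keys[9] == NULL &&
-sensitive_data.keys[10] == NULL) {
+if (options.hostbased_authentication == 1) {
 L_CERT(_PATH_HOST_ECDSA_KEY_FILE, 1);
 L_CERT(_PATH_HOST_ED25519_KEY_FILE, 2);
 L_CERT(_PATH_HOST_RSA_KEY_FILE, 3);
@@ -1470,7 +1446,6 @@ main(int ac, char **av)
 L_PUBKEY(_PATH_HOST_DSA_KEY_FILE, 8);
 L_CERT(_PATH_HOST_XMSS_KEY_FILE, 9);
 L_PUBKEY(_PATH_HOST_XMSS_KEY_FILE, 10);
-sensitive_data.external_keysign = 1;
 }
 }
 /*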
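Review bot: The inner test `if (options.hostbased_authentication == 1) {` (new line 1438) sits inside the outer `if (options.hostbased_authentication) {` (new line 1420), so with the key-availability conditions removed it looks redundant unless the option can take a value other than 0 or 1, which is not visible here. Folding it into the outer block would make it plain that the public keys and certificates are now loaded unconditionally whenever hostbased auth is on. The rewritten comment could also record the operational consequence, for example `* Signing is always delegated to ssh-keysign, so the helper must be installed and enabled (EnableSSHKeysign) for hostbased auth to work.` The L_KEY and L_KEYCERT macros are presumably defined in the unshown lines between the hunks and appear to lose their last users; main() starts and ends outside the hunks.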
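--- a/sshconnect.h
+++ b/sshconnect.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect.h,v 1.32 2018/02/10 09:25:35 djm Exp $ */
+/* $OpenBSD: sshconnect.h,v 1.33 2018/07/16 11:05:41 dtucker Exp $ */
 
 /*
 * Copyright (c) 2000 Markus Friedl. All rights reserved.
@@ -28,7 +28,6 @@ typedef struct Sensitive Sensitive;
 struct Sensitive {
 struct sshkey **keys;
 int nkeys;
-int external_keysign;
 };
 
 struct addrinfo;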
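--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect2.c,v 1.280 2018/07/11 18:55:11 markus Exp $ */
+/* $OpenBSD: sshconnect2.c,v 1.281 2018/07/16 11:05:41 dtucker Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl. All rights reserved.
 * Copyright (c) 2008 Damien Miller. All rights reserved.
@@ -1990,12 +1990,8 @@ userauth_hostbased(Authctxt *authctxt)
 #ifdef DEBUG_PK
 sshbuf_dump(b, stderr);
 #endif
-if (authctxt->sensitive->external_keysign)
-r = ssh_keysign(private, &sig, &siglen,
-sshbuf_ptr(b), sshbuf_len(b));
-else if ((r = sshkey_sign(private, &sig, &siglen,
-sshbuf_ptr(b), sshbuf_len(b), NULL, datafellows)) != 0)
-debug("%s: sshkey_sign: %s", __func__, ssh_err(r));
+r = ssh_keysign(private, &sig, &siglen,
+sshbuf_ptr(b), sshbuf_len(b));
 if (r != 0) {
 error("sign using hostkey %s %s failed",
 sshkey_ssh_name(private), fp);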
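Review bot: The argument named `private` in `r = ssh_keysign(private, &sig, &siglen,` now always refers to a key for which this process holds only the public half, since ssh.c loads public keys and certificates only, and nothing at the call site says so. A comment above the call such as `/* ssh(1) holds no host private keys; the ssh-keysign helper signs on our behalf */` would keep a later reader from assuming key material lives in this process. The failure path also lost the only line that reported a reason (`ssh_err(r)` in the removed `debug`); unless ssh_keysign logs its own cause, which is not visible here, `error("sign using hostkey %s %s failed", ...)` gives an operator nothing to distinguish a missing or disabled helper from a bad key. userauth_hostbased() starts and ends outside the hunk.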