diff options
| author | Ben Lindstrom <mouring@eviladmin.org> | 2002-05-15 16:19:37 +0000 |
|---|---|---|
| committer | Ben Lindstrom <mouring@eviladmin.org> | 2002-05-15 16:19:37 +0000 |
| commit | bdde330d2fb2a2ccc50659a592da5241f673b6d1 (patch) | |
| tree | d9911a2f2deca3b3e4622d9389535341c9e14942 | |
| parent | 17401b6b772213ae466cb3ac287b4980ff9f7d0d (diff) | |
- markus@cvs.openbsd.org 2002/05/13 21:26:49
[auth-rhosts.c]
handle debug messages during rhosts-rsa and hostbased authentication;
ok provos@
| -rw-r--r-- | ChangeLog | 6 | ||||
| -rw-r--r-- | auth-rhosts.c | 68 |
2 files changed, 46 insertions, 28 deletions
| @@ -24,6 +24,10 @@ | |||
| 24 | Without this, there is a race where the login name of an existing | 24 | Without this, there is a race where the login name of an existing |
| 25 | connection, as returned by getlogin(), may be changed to the privsep | 25 | connection, as returned by getlogin(), may be changed to the privsep |
| 26 | user (sshd). markus@ OK | 26 | user (sshd). markus@ OK |
| 27 | - markus@cvs.openbsd.org 2002/05/13 21:26:49 | ||
| 28 | [auth-rhosts.c] | ||
| 29 | handle debug messages during rhosts-rsa and hostbased authentication; | ||
| 30 | ok provos@ | ||
| 27 | 31 | ||
| 28 | 20020514 | 32 | 20020514 |
| 29 | - (stevesk) [README.privsep] PAM+privsep works with Solaris 8. | 33 | - (stevesk) [README.privsep] PAM+privsep works with Solaris 8. |
| @@ -628,4 +632,4 @@ | |||
| 628 | - (stevesk) entropy.c: typo in debug message | 632 | - (stevesk) entropy.c: typo in debug message |
| 629 | - (djm) ssh-keygen -i needs seeded RNG; report from markus@ | 633 | - (djm) ssh-keygen -i needs seeded RNG; report from markus@ |
| 630 | 634 | ||
| 631 | $Id: ChangeLog,v 1.2127 2002/05/15 16:17:56 mouring Exp $ | 635 | $Id: ChangeLog,v 1.2128 2002/05/15 16:19:37 mouring Exp $ |
diff --git a/auth-rhosts.c b/auth-rhosts.c index bd15261f7..afca1f7c6 100644 --- a/auth-rhosts.c +++ b/auth-rhosts.c | |||
| @@ -14,7 +14,7 @@ | |||
| 14 | */ | 14 | */ |
| 15 | 15 | ||
| 16 | #include "includes.h" | 16 | #include "includes.h" |
| 17 | RCSID("$OpenBSD: auth-rhosts.c,v 1.27 2002/03/04 12:43:06 markus Exp $"); | 17 | RCSID("$OpenBSD: auth-rhosts.c,v 1.28 2002/05/13 21:26:49 markus Exp $"); |
| 18 | 18 | ||
| 19 | #include "packet.h" | 19 | #include "packet.h" |
| 20 | #include "uidswap.h" | 20 | #include "uidswap.h" |
| @@ -26,6 +26,7 @@ RCSID("$OpenBSD: auth-rhosts.c,v 1.27 2002/03/04 12:43:06 markus Exp $"); | |||
| 26 | 26 | ||
| 27 | /* import */ | 27 | /* import */ |
| 28 | extern ServerOptions options; | 28 | extern ServerOptions options; |
| 29 | extern int use_privsep; | ||
| 29 | 30 | ||
| 30 | /* | 31 | /* |
| 31 | * This function processes an rhosts-style file (.rhosts, .shosts, or | 32 | * This function processes an rhosts-style file (.rhosts, .shosts, or |
| @@ -69,7 +70,7 @@ check_rhosts_file(const char *filename, const char *hostname, | |||
| 69 | */ | 70 | */ |
| 70 | switch (sscanf(buf, "%s %s %s", hostbuf, userbuf, dummy)) { | 71 | switch (sscanf(buf, "%s %s %s", hostbuf, userbuf, dummy)) { |
| 71 | case 0: | 72 | case 0: |
| 72 | packet_send_debug("Found empty line in %.100s.", filename); | 73 | auth_debug_add("Found empty line in %.100s.", filename); |
| 73 | continue; | 74 | continue; |
| 74 | case 1: | 75 | case 1: |
| 75 | /* Host name only. */ | 76 | /* Host name only. */ |
| @@ -79,7 +80,7 @@ check_rhosts_file(const char *filename, const char *hostname, | |||
| 79 | /* Got both host and user name. */ | 80 | /* Got both host and user name. */ |
| 80 | break; | 81 | break; |
| 81 | case 3: | 82 | case 3: |
| 82 | packet_send_debug("Found garbage in %.100s.", filename); | 83 | auth_debug_add("Found garbage in %.100s.", filename); |
| 83 | continue; | 84 | continue; |
| 84 | default: | 85 | default: |
| 85 | /* Weird... */ | 86 | /* Weird... */ |
| @@ -106,8 +107,8 @@ check_rhosts_file(const char *filename, const char *hostname, | |||
| 106 | /* Check for empty host/user names (particularly '+'). */ | 107 | /* Check for empty host/user names (particularly '+'). */ |
| 107 | if (!host[0] || !user[0]) { | 108 | if (!host[0] || !user[0]) { |
| 108 | /* We come here if either was '+' or '-'. */ | 109 | /* We come here if either was '+' or '-'. */ |
| 109 | packet_send_debug("Ignoring wild host/user names in %.100s.", | 110 | auth_debug_add("Ignoring wild host/user names in %.100s.", |
| 110 | filename); | 111 | filename); |
| 111 | continue; | 112 | continue; |
| 112 | } | 113 | } |
| 113 | /* Verify that host name matches. */ | 114 | /* Verify that host name matches. */ |
| @@ -130,8 +131,8 @@ check_rhosts_file(const char *filename, const char *hostname, | |||
| 130 | 131 | ||
| 131 | /* If the entry was negated, deny access. */ | 132 | /* If the entry was negated, deny access. */ |
| 132 | if (negated) { | 133 | if (negated) { |
| 133 | packet_send_debug("Matched negative entry in %.100s.", | 134 | auth_debug_add("Matched negative entry in %.100s.", |
| 134 | filename); | 135 | filename); |
| 135 | return 0; | 136 | return 0; |
| 136 | } | 137 | } |
| 137 | /* Accept authentication. */ | 138 | /* Accept authentication. */ |
| @@ -153,16 +154,14 @@ int | |||
| 153 | auth_rhosts(struct passwd *pw, const char *client_user) | 154 | auth_rhosts(struct passwd *pw, const char *client_user) |
| 154 | { | 155 | { |
| 155 | const char *hostname, *ipaddr; | 156 | const char *hostname, *ipaddr; |
| 156 | int ret; | ||
| 157 | 157 | ||
| 158 | hostname = get_canonical_hostname(options.verify_reverse_mapping); | 158 | hostname = get_canonical_hostname(options.verify_reverse_mapping); |
| 159 | ipaddr = get_remote_ipaddr(); | 159 | ipaddr = get_remote_ipaddr(); |
| 160 | ret = auth_rhosts2(pw, client_user, hostname, ipaddr); | 160 | return auth_rhosts2(pw, client_user, hostname, ipaddr); |
| 161 | return ret; | ||
| 162 | } | 161 | } |
| 163 | 162 | ||
| 164 | int | 163 | static int |
| 165 | auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname, | 164 | auth_rhosts2_raw(struct passwd *pw, const char *client_user, const char *hostname, |
| 166 | const char *ipaddr) | 165 | const char *ipaddr) |
| 167 | { | 166 | { |
| 168 | char buf[1024]; | 167 | char buf[1024]; |
| @@ -205,13 +204,13 @@ auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname, | |||
| 205 | if (pw->pw_uid != 0) { | 204 | if (pw->pw_uid != 0) { |
| 206 | if (check_rhosts_file(_PATH_RHOSTS_EQUIV, hostname, ipaddr, | 205 | if (check_rhosts_file(_PATH_RHOSTS_EQUIV, hostname, ipaddr, |
| 207 | client_user, pw->pw_name)) { | 206 | client_user, pw->pw_name)) { |
| 208 | packet_send_debug("Accepted for %.100s [%.100s] by /etc/hosts.equiv.", | 207 | auth_debug_add("Accepted for %.100s [%.100s] by /etc/hosts.equiv.", |
| 209 | hostname, ipaddr); | 208 | hostname, ipaddr); |
| 210 | return 1; | 209 | return 1; |
| 211 | } | 210 | } |
| 212 | if (check_rhosts_file(_PATH_SSH_HOSTS_EQUIV, hostname, ipaddr, | 211 | if (check_rhosts_file(_PATH_SSH_HOSTS_EQUIV, hostname, ipaddr, |
| 213 | client_user, pw->pw_name)) { | 212 | client_user, pw->pw_name)) { |
| 214 | packet_send_debug("Accepted for %.100s [%.100s] by %.100s.", | 213 | auth_debug_add("Accepted for %.100s [%.100s] by %.100s.", |
| 215 | hostname, ipaddr, _PATH_SSH_HOSTS_EQUIV); | 214 | hostname, ipaddr, _PATH_SSH_HOSTS_EQUIV); |
| 216 | return 1; | 215 | return 1; |
| 217 | } | 216 | } |
| @@ -221,19 +220,19 @@ auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname, | |||
| 221 | * not group or world writable. | 220 | * not group or world writable. |
| 222 | */ | 221 | */ |
| 223 | if (stat(pw->pw_dir, &st) < 0) { | 222 | if (stat(pw->pw_dir, &st) < 0) { |
| 224 | log("Rhosts authentication refused for %.100s: no home directory %.200s", | 223 | log("Rhosts authentication refused for %.100s: " |
| 225 | pw->pw_name, pw->pw_dir); | 224 | "no home directory %.200s", pw->pw_name, pw->pw_dir); |
| 226 | packet_send_debug("Rhosts authentication refused for %.100s: no home directory %.200s", | 225 | auth_debug_add("Rhosts authentication refused for %.100s: " |
| 227 | pw->pw_name, pw->pw_dir); | 226 | "no home directory %.200s", pw->pw_name, pw->pw_dir); |
| 228 | return 0; | 227 | return 0; |
| 229 | } | 228 | } |
| 230 | if (options.strict_modes && | 229 | if (options.strict_modes && |
| 231 | ((st.st_uid != 0 && st.st_uid != pw->pw_uid) || | 230 | ((st.st_uid != 0 && st.st_uid != pw->pw_uid) || |
| 232 | (st.st_mode & 022) != 0)) { | 231 | (st.st_mode & 022) != 0)) { |
| 233 | log("Rhosts authentication refused for %.100s: bad ownership or modes for home directory.", | 232 | log("Rhosts authentication refused for %.100s: " |
| 234 | pw->pw_name); | 233 | "bad ownership or modes for home directory.", pw->pw_name); |
| 235 | packet_send_debug("Rhosts authentication refused for %.100s: bad ownership or modes for home directory.", | 234 | auth_debug_add("Rhosts authentication refused for %.100s: " |
| 236 | pw->pw_name); | 235 | "bad ownership or modes for home directory.", pw->pw_name); |
| 237 | return 0; | 236 | return 0; |
| 238 | } | 237 | } |
| 239 | /* Temporarily use the user's uid. */ | 238 | /* Temporarily use the user's uid. */ |
| @@ -259,21 +258,23 @@ auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname, | |||
| 259 | (st.st_mode & 022) != 0)) { | 258 | (st.st_mode & 022) != 0)) { |
| 260 | log("Rhosts authentication refused for %.100s: bad modes for %.200s", | 259 | log("Rhosts authentication refused for %.100s: bad modes for %.200s", |
| 261 | pw->pw_name, buf); | 260 | pw->pw_name, buf); |
| 262 | packet_send_debug("Bad file modes for %.200s", buf); | 261 | auth_debug_add("Bad file modes for %.200s", buf); |
| 263 | continue; | 262 | continue; |
| 264 | } | 263 | } |
| 265 | /* Check if we have been configured to ignore .rhosts and .shosts files. */ | 264 | /* Check if we have been configured to ignore .rhosts and .shosts files. */ |
| 266 | if (options.ignore_rhosts) { | 265 | if (options.ignore_rhosts) { |
| 267 | packet_send_debug("Server has been configured to ignore %.100s.", | 266 | auth_debug_add("Server has been configured to ignore %.100s.", |
| 268 | rhosts_files[rhosts_file_index]); | 267 | rhosts_files[rhosts_file_index]); |
| 269 | continue; | 268 | continue; |
| 270 | } | 269 | } |
| 271 | /* Check if authentication is permitted by the file. */ | 270 | /* Check if authentication is permitted by the file. */ |
| 272 | if (check_rhosts_file(buf, hostname, ipaddr, client_user, pw->pw_name)) { | 271 | if (check_rhosts_file(buf, hostname, ipaddr, client_user, pw->pw_name)) { |
| 273 | packet_send_debug("Accepted by %.100s.", | 272 | auth_debug_add("Accepted by %.100s.", |
| 274 | rhosts_files[rhosts_file_index]); | 273 | rhosts_files[rhosts_file_index]); |
| 275 | /* Restore the privileged uid. */ | 274 | /* Restore the privileged uid. */ |
| 276 | restore_uid(); | 275 | restore_uid(); |
| 276 | auth_debug_add("Accepted host %s ip %s client_user %s server_user %s", | ||
| 277 | hostname, ipaddr, client_user, pw->pw_name); | ||
| 277 | return 1; | 278 | return 1; |
| 278 | } | 279 | } |
| 279 | } | 280 | } |
| @@ -282,3 +283,16 @@ auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname, | |||
| 282 | restore_uid(); | 283 | restore_uid(); |
| 283 | return 0; | 284 | return 0; |
| 284 | } | 285 | } |
| 286 | |||
| 287 | int | ||
| 288 | auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname, | ||
| 289 | const char *ipaddr) | ||
| 290 | { | ||
| 291 | int ret; | ||
| 292 | |||
| 293 | auth_debug_reset(); | ||
| 294 | ret = auth_rhosts2_raw(pw, client_user, hostname, ipaddr); | ||
| 295 | if (!use_privsep) | ||
| 296 | auth_debug_send(); | ||
| 297 | return ret; | ||
| 298 | } | ||