diff options
-rw-r--r-- | ChangeLog | 5 | ||||
-rw-r--r-- | auth-rh-rsa.c | 25 | ||||
-rw-r--r-- | ssh.1 | 4 | ||||
-rw-r--r-- | sshd.8 | 11 |
4 files changed, 35 insertions, 10 deletions
@@ -1,7 +1,10 @@ | |||
1 | 19991111 | 1 | 19991111 |
2 | - Added (untested) Entropy Gathering Daemon (EGD) support | 2 | - Added (untested) Entropy Gathering Daemon (EGD) support |
3 | - Fixed fd leak | 3 | - Fixed fd leak |
4 | 4 | - Merged OpenBSD CVS changes: | |
5 | - [auth-rh-rsa.c] user/958: check ~/.ssh/known_hosts for rhosts-rsa, too | ||
6 | - [ssh.1] user/958: check ~/.ssh/known_hosts for rhosts-rsa, too | ||
7 | - [sshd.8] user/958: check ~/.ssh/known_hosts for rhosts-rsa, too | ||
5 | 19991110 | 8 | 19991110 |
6 | - Merged several minor fixed: | 9 | - Merged several minor fixed: |
7 | - ssh-agent commandline parsing | 10 | - ssh-agent commandline parsing |
diff --git a/auth-rh-rsa.c b/auth-rh-rsa.c index c433578bf..ee6af218c 100644 --- a/auth-rh-rsa.c +++ b/auth-rh-rsa.c | |||
@@ -15,7 +15,7 @@ authentication. | |||
15 | */ | 15 | */ |
16 | 16 | ||
17 | #include "includes.h" | 17 | #include "includes.h" |
18 | RCSID("$Id: auth-rh-rsa.c,v 1.1 1999/10/27 03:42:43 damien Exp $"); | 18 | RCSID("$Id: auth-rh-rsa.c,v 1.2 1999/11/11 00:43:13 damien Exp $"); |
19 | 19 | ||
20 | #include "packet.h" | 20 | #include "packet.h" |
21 | #include "ssh.h" | 21 | #include "ssh.h" |
@@ -53,8 +53,31 @@ int auth_rhosts_rsa(struct passwd *pw, const char *client_user, | |||
53 | host_status = check_host_in_hostfile(SSH_SYSTEM_HOSTFILE, canonical_hostname, | 53 | host_status = check_host_in_hostfile(SSH_SYSTEM_HOSTFILE, canonical_hostname, |
54 | client_host_key_bits, client_host_key_e, | 54 | client_host_key_bits, client_host_key_e, |
55 | client_host_key_n, ke, kn); | 55 | client_host_key_n, ke, kn); |
56 | /* Check user host file. */ | ||
57 | if (host_status != HOST_OK) { | ||
58 | struct stat st; | ||
59 | char *user_hostfile = tilde_expand_filename(SSH_USER_HOSTFILE, pw->pw_uid); | ||
60 | /* Check file permissions of SSH_USER_HOSTFILE, | ||
61 | auth_rsa() did already check pw->pw_dir, but there is a race XXX */ | ||
62 | if (strict_modes && | ||
63 | (stat(user_hostfile, &st) == 0) && | ||
64 | ((st.st_uid != 0 && st.st_uid != pw->pw_uid) || | ||
65 | (st.st_mode & 022) != 0)) { | ||
66 | log("Rhosts RSA authentication refused for %.100s: bad owner or modes for %.200s", | ||
67 | pw->pw_name, user_hostfile); | ||
68 | } else { | ||
69 | /* XXX race between stat and the following open() */ | ||
70 | temporarily_use_uid(pw->pw_uid); | ||
71 | host_status = check_host_in_hostfile(user_hostfile, canonical_hostname, | ||
72 | client_host_key_bits, client_host_key_e, | ||
73 | client_host_key_n, ke, kn); | ||
74 | restore_uid(); | ||
75 | } | ||
76 | xfree(user_hostfile); | ||
77 | } | ||
56 | BN_free(ke); | 78 | BN_free(ke); |
57 | BN_free(kn); | 79 | BN_free(kn); |
80 | |||
58 | if (host_status != HOST_OK) { | 81 | if (host_status != HOST_OK) { |
59 | /* The host key was not found. */ | 82 | /* The host key was not found. */ |
60 | debug("Rhosts with RSA host authentication denied: unknown or invalid host key"); | 83 | debug("Rhosts with RSA host authentication denied: unknown or invalid host key"); |
@@ -9,7 +9,7 @@ | |||
9 | .\" | 9 | .\" |
10 | .\" Created: Sat Apr 22 21:55:14 1995 ylo | 10 | .\" Created: Sat Apr 22 21:55:14 1995 ylo |
11 | .\" | 11 | .\" |
12 | .\" $Id: ssh.1,v 1.4 1999/10/28 23:17:36 damien Exp $ | 12 | .\" $Id: ssh.1,v 1.5 1999/11/11 00:43:13 damien Exp $ |
13 | .\" | 13 | .\" |
14 | .Dd September 25, 1999 | 14 | .Dd September 25, 1999 |
15 | .Dt SSH 1 | 15 | .Dt SSH 1 |
@@ -93,6 +93,8 @@ or | |||
93 | and if additionally the server can verify the client's | 93 | and if additionally the server can verify the client's |
94 | host key (see | 94 | host key (see |
95 | .Pa /etc/ssh/ssh_known_hosts | 95 | .Pa /etc/ssh/ssh_known_hosts |
96 | and | ||
97 | .Pa $HOME/.ssh/known_hosts | ||
96 | in the | 98 | in the |
97 | .Sx FILES | 99 | .Sx FILES |
98 | section), only then login is | 100 | section), only then login is |
@@ -9,7 +9,7 @@ | |||
9 | .\" | 9 | .\" |
10 | .\" Created: Sat Apr 22 21:55:14 1995 ylo | 10 | .\" Created: Sat Apr 22 21:55:14 1995 ylo |
11 | .\" | 11 | .\" |
12 | .\" $Id: sshd.8,v 1.4 1999/10/28 23:17:36 damien Exp $ | 12 | .\" $Id: sshd.8,v 1.5 1999/11/11 00:43:13 damien Exp $ |
13 | .\" | 13 | .\" |
14 | .Dd September 25, 1999 | 14 | .Dd September 25, 1999 |
15 | .Dt SSHD 8 | 15 | .Dt SSHD 8 |
@@ -622,14 +622,11 @@ This file must be readable by root (which may on some machines imply | |||
622 | it being world-readable if the user's home directory resides on an NFS | 622 | it being world-readable if the user's home directory resides on an NFS |
623 | volume). It is recommended that it not be accessible by others. The | 623 | volume). It is recommended that it not be accessible by others. The |
624 | format of this file is described above. | 624 | format of this file is described above. |
625 | .It Pa /etc/ssh/ssh_known_hosts | 625 | .It Pa "/etc/ssh/ssh_known_hosts" and "$HOME/.ssh/known_hosts" |
626 | This file is consulted when using rhosts with RSA host | 626 | This file is consulted when using rhosts with RSA host |
627 | authentication to check the public key of the host. The key must be | 627 | authentication to check the public key of the host. The key must be |
628 | listed in this file to be accepted. | 628 | listed in one of these files to be accepted. |
629 | .It Pa $HOME/.ssh/known_hosts | 629 | The client uses the same files |
630 | The client uses this file | ||
631 | and | ||
632 | .Pa /etc/ssh/ssh_known_hosts | ||
633 | to verify that the remote host is the one we intended to | 630 | to verify that the remote host is the one we intended to |
634 | connect. These files should be writable only by root/the owner. | 631 | connect. These files should be writable only by root/the owner. |
635 | .Pa /etc/ssh/ssh_known_hosts | 632 | .Pa /etc/ssh/ssh_known_hosts |