8 files changed, 56 insertions, 27 deletions
diff --git a/ChangeLog b/ChangeLog
index 2d702dca4..a1e2cac87 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,10 @@
 19991112
 - Merged changes from OpenBSD CVS
   - [sshd.c] session_key_int may be zero
+   - [auth-rh-rsa.c servconf.c servconf.h ssh.h sshd.8 sshd.c sshd_config]
+     IgnoreUserKnownHosts(default=no), used for RhostRSAAuth, ok 
+     deraadt,millert
+ - Brought default sshd_config more in line with OpenBSD's
 19991111
 - Added (untested) Entropy Gathering Daemon (EGD) support
diff --git a/auth-rh-rsa.c b/auth-rh-rsa.c
index ee6af218c..b6f1d6c73 100644
--- a/auth-rh-rsa.c
+++ b/auth-rh-rsa.c
@@ -15,22 +15,22 @@ authentication.
 */
 #include "includes.h"
-RCSID("$Id: auth-rh-rsa.c,v 1.2 1999/11/11 00:43:13 damien Exp $");
+RCSID("$Id: auth-rh-rsa.c,v 1.3 1999/11/12 00:33:04 damien Exp $");
 #include "packet.h"
 #include "ssh.h"
 #include "xmalloc.h"
 #include "uidswap.h"
+#include "servconf.h"
 /* Tries to authenticate the user using the .rhosts file and the host using
-   its host key.  Returns true if authentication succeeds. 
+   its host key.  Returns true if authentication succeeds. */
-   .rhosts and .shosts will be ignored if ignore_rhosts is non-zero. */
 int auth_rhosts_rsa(struct passwd *pw, const char *client_user,
                    unsigned int client_host_key_bits,
-                    BIGNUM *client_host_key_e, BIGNUM *client_host_key_n,
+                    BIGNUM *client_host_key_e, BIGNUM *client_host_key_n)
-                    int ignore_rhosts, int strict_modes)
 {
+  extern ServerOptions options;
  const char *canonical_hostname;
  HostStatus host_status;
  BIGNUM *ke, *kn;
@@ -38,7 +38,7 @@ int auth_rhosts_rsa(struct passwd *pw, const char *client_user,
  debug("Trying rhosts with RSA host authentication for %.100s", client_user);
  /* Check if we would accept it using rhosts authentication. */
-  if (!auth_rhosts(pw, client_user, ignore_rhosts, strict_modes))
+  if (!auth_rhosts(pw, client_user, options.ignore_rhosts, options.strict_modes))
    return 0;
  canonical_hostname = get_canonical_hostname();
@@ -53,13 +53,14 @@ int auth_rhosts_rsa(struct passwd *pw, const char *client_user,
  host_status = check_host_in_hostfile(SSH_SYSTEM_HOSTFILE, canonical_hostname,
                                       client_host_key_bits, client_host_key_e,
                                       client_host_key_n, ke, kn);
-  /* Check user host file. */
-  if (host_status != HOST_OK) {
+  /* Check user host file unless ignored. */
+  if (host_status != HOST_OK && !options.ignore_user_known_hosts) {
    struct stat st;
    char *user_hostfile = tilde_expand_filename(SSH_USER_HOSTFILE, pw->pw_uid);
    /* Check file permissions of SSH_USER_HOSTFILE,
       auth_rsa() did already check pw->pw_dir, but there is a race XXX */
-    if (strict_modes &&
+    if (options.strict_modes &&
        (stat(user_hostfile, &st) == 0) &&
        ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
        (st.st_mode & 022) != 0)) {
diff --git a/servconf.c b/servconf.c
index d7f54a62f..b1e52638c 100644
--- a/servconf.c
+++ b/servconf.c
@@ -12,7 +12,7 @@ Created: Mon Aug 21 15:48:58 1995 ylo
 */
 #include "includes.h"
-RCSID("$Id: servconf.c,v 1.2 1999/11/11 06:57:39 damien Exp $");
+RCSID("$Id: servconf.c,v 1.3 1999/11/12 00:33:04 damien Exp $");
 #include "ssh.h"
 #include "servconf.h"
@@ -31,6 +31,7 @@ void initialize_server_options(ServerOptions *options)
  options->key_regeneration_time = -1;
  options->permit_root_login = -1;
  options->ignore_rhosts = -1;
+  options->ignore_user_known_hosts = -1;
  options->print_motd = -1;
  options->check_mail = -1;
  options->x11_forwarding = -1;
@@ -88,6 +89,8 @@ void fill_default_server_options(ServerOptions *options)
    options->permit_root_login = 1;              /* yes */
  if (options->ignore_rhosts == -1)
    options->ignore_rhosts = 0;
+  if (options->ignore_user_known_hosts == -1)
+    options->ignore_user_known_hosts = 0;
  if (options->check_mail == -1)
    options->check_mail = 0;
  if (options->print_motd == -1)
@@ -156,8 +159,8 @@ typedef enum
  sPasswordAuthentication, sListenAddress,
  sPrintMotd, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset,
  sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sCheckMail,
-  sUseLogin, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups
+  sUseLogin, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
+  sIgnoreUserKnownHosts
 } ServerOpCodes;
 /* Textual representation of the tokens. */
@@ -195,6 +198,7 @@ static struct
  { "listenaddress", sListenAddress },
  { "printmotd", sPrintMotd },
  { "ignorerhosts", sIgnoreRhosts },
+  { "ignoreuserknownhosts", sIgnoreUserKnownHosts },
  { "x11forwarding", sX11Forwarding },
  { "x11displayoffset", sX11DisplayOffset },
  { "strictmodes", sStrictModes },
@@ -402,7 +406,11 @@ void read_server_config(ServerOptions *options, const char *filename)
          if (*intptr == -1)
            *intptr = value;
          break;
-          
+        case sIgnoreUserKnownHosts:
+          intptr = &options->ignore_user_known_hosts;
+          goto parse_int;
        case sRhostsAuthentication:
          intptr = &options->rhosts_authentication;
          goto parse_flag;
diff --git a/servconf.h b/servconf.h
index 584935bad..e16f3d044 100644
--- a/servconf.h
+++ b/servconf.h
@@ -13,7 +13,7 @@ Definitions for server configuration data and for the functions reading it.
 */
-/* RCSID("$Id: servconf.h,v 1.2 1999/11/11 06:57:40 damien Exp $"); */
+/* RCSID("$Id: servconf.h,v 1.3 1999/11/12 00:33:04 damien Exp $"); */
 #ifndef SERVCONF_H
 #define SERVCONF_H
@@ -33,6 +33,7 @@ typedef struct
  int key_regeneration_time;    /* Server key lifetime (seconds). */
  int permit_root_login;        /* If true, permit root login. */
  int ignore_rhosts;            /* Ignore .rhosts and .shosts. */
+  int ignore_user_known_hosts;  /* Ignore ~/.ssh/known_hosts for RhostsRsaAuth */
  int print_motd;               /* If true, print /etc/motd. */
  int check_mail;               /* If true, check for new mail. */
  int x11_forwarding;           /* If true, permit inet (spoofing) X11 fwd. */
diff --git a/ssh.h b/ssh.h
index da818b225..f33621320 100644
--- a/ssh.h
+++ b/ssh.h
@@ -13,7 +13,7 @@ Generic header file for ssh.
 */
-/* RCSID("$Id: ssh.h,v 1.10 1999/11/11 06:57:40 damien Exp $"); */
+/* RCSID("$Id: ssh.h,v 1.11 1999/11/12 00:33:04 damien Exp $"); */
 #ifndef SSH_H
 #define SSH_H
@@ -138,8 +138,8 @@ only by root, whereas ssh_config should be world-readable. */
 #define SSH_AUTHSOCKET_ENV_NAME "SSH_AUTH_SOCK"
 /* Name of the environment variable containing the pathname of the
-        authentication socket. */
+   authentication socket. */
-#define SSH_AGENTPID_ENV_NAME  "SSH_AGENT_PID"
+#define SSH_AGENTPID_ENV_NAME   "SSH_AGENT_PID"
 /* Force host key length and server key length to differ by at least this
   many bits.  This is to make double encryption with rsaref work. */
@@ -334,8 +334,7 @@ int auth_rhosts(struct passwd *pw, const char *client_user,
   its host key.  Returns true if authentication succeeds. */
 int auth_rhosts_rsa(struct passwd *pw, const char *client_user,
                    unsigned int bits, BIGNUM *client_host_key_e,
-                    BIGNUM *client_host_key_n, int ignore_rhosts,
+                    BIGNUM *client_host_key_n);
-                    int strict_modes);
 /* Tries to authenticate the user using password.  Returns true if
   authentication succeeds. */
diff --git a/sshd.8 b/sshd.8
index 20e9712a5..e9a09f439 100644
--- a/sshd.8
+++ b/sshd.8
@@ -9,7 +9,7 @@
 .\"
 .\" Created: Sat Apr 22 21:55:14 1995 ylo
 .\"
-.\" $Id: sshd.8,v 1.6 1999/11/11 06:57:40 damien Exp $
+.\" $Id: sshd.8,v 1.7 1999/11/12 00:33:04 damien Exp $
 .\"
 .Dd September 25, 1999
 .Dt SSHD 8
@@ -245,6 +245,15 @@ and
 .Pa /etc/ssh/shosts.equiv 
 are still used.  The default is 
 .Dq no .
+.It Cm IgnoreUserKnownHosts
+Specifies whether
+.Nm
+should ignore the user's
+.Pa $HOME/.ssh/known_hosts
+during
+.Cm RhostsRSAAuthentication .
+The default is
+.Dq no .
 .It Cm KeepAlive
 Specifies whether the system should send keepalive messages to the
 other side.  If they are sent, death of the connection or crash of one
diff --git a/sshd.c b/sshd.c
index 59526007e..7cc24cd1a 100644
--- a/sshd.c
+++ b/sshd.c
@@ -18,7 +18,7 @@ agent connections.
 */
 #include "includes.h"
-RCSID("$Id: sshd.c,v 1.15 1999/11/11 21:49:09 damien Exp $");
+RCSID("$Id: sshd.c,v 1.16 1999/11/12 00:33:04 damien Exp $");
 #include "xmalloc.h"
 #include "rsa.h"
@@ -1394,11 +1394,8 @@ do_authentication(char *user, int privileged_port)
            packet_integrity_check(plen, (4 + ulen) + 4 + elen + nlen, type);
          }
-          /* Try to authenticate using /etc/hosts.equiv and .rhosts. */
          if (auth_rhosts_rsa(pw, client_user,
-                              client_host_key_bits, client_host_key_e,
+                              client_host_key_bits, client_host_key_e, client_host_key_n))
-                              client_host_key_n, options.ignore_rhosts,
-                              options.strict_modes))
            {
              /* Authentication accepted. */
              authenticated = 1;
diff --git a/sshd_config b/sshd_config
index 42c3244b6..791fd13bd 100644
--- a/sshd_config
+++ b/sshd_config
@@ -11,13 +11,13 @@ PermitRootLogin yes
 #
 # Loglevel replaces QuietMode and FascistLogging
 #
+SyslogFacility AUTH
 LogLevel INFO
 #
 # Don't read ~/.rhosts and ~/.shosts files
-IgnoreRhosts yes
 StrictModes yes
-X11Forwarding yes
+X11Forwarding no
 X11DisplayOffset 10
 FascistLogging no
 PrintMotd yes
@@ -32,6 +32,16 @@ RhostsAuthentication no
 #
 RhostsRSAAuthentication no
+#
+# Don't read ~/.rhosts and ~/.shosts files
+#
+IgnoreRhosts yes
+#
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#
+#IgnoreUserKnownHosts yes
 RSAAuthentication yes
 # To disable tunneled clear text passwords, change to no here!

diff --git a/ChangeLog b/ChangeLog index 2d702dca4..a1e2cac87 100644 --- a/ChangeLog +++ b/ChangeLog
@@ -1,6 +1,10 @@
1	19991112	1	19991112
2	- Merged changes from OpenBSD CVS	2	- Merged changes from OpenBSD CVS
3	- [sshd.c] session_key_int may be zero	3	- [sshd.c] session_key_int may be zero
		4	- [auth-rh-rsa.c servconf.c servconf.h ssh.h sshd.8 sshd.c sshd_config]
		5	IgnoreUserKnownHosts(default=no), used for RhostRSAAuth, ok
		6	deraadt,millert
		7	- Brought default sshd_config more in line with OpenBSD's
4		8
5	19991111	9	19991111
6	- Added (untested) Entropy Gathering Daemon (EGD) support	10	- Added (untested) Entropy Gathering Daemon (EGD) support


diff --git a/auth-rh-rsa.c b/auth-rh-rsa.c index ee6af218c..b6f1d6c73 100644 --- a/auth-rh-rsa.c +++ b/auth-rh-rsa.c
@@ -15,22 +15,22 @@ authentication.
15	*/	15	*/
16		16
17	#include "includes.h"	17	#include "includes.h"
18	RCSID("$Id: auth-rh-rsa.c,v 1.2 1999/11/11 00:43:13 damien Exp $");	18	RCSID("$Id: auth-rh-rsa.c,v 1.3 1999/11/12 00:33:04 damien Exp $");
19		19
20	#include "packet.h"	20	#include "packet.h"
21	#include "ssh.h"	21	#include "ssh.h"
22	#include "xmalloc.h"	22	#include "xmalloc.h"
23	#include "uidswap.h"	23	#include "uidswap.h"
		24	#include "servconf.h"
24		25
25	/* Tries to authenticate the user using the .rhosts file and the host using	26	/* Tries to authenticate the user using the .rhosts file and the host using
26	its host key. Returns true if authentication succeeds.	27	its host key. Returns true if authentication succeeds. */
27	.rhosts and .shosts will be ignored if ignore_rhosts is non-zero. */
28		28
29	int auth_rhosts_rsa(struct passwd pw, const char client_user,	29	int auth_rhosts_rsa(struct passwd pw, const char client_user,
30	unsigned int client_host_key_bits,	30	unsigned int client_host_key_bits,
31	BIGNUM client_host_key_e, BIGNUM client_host_key_n,	31	BIGNUM client_host_key_e, BIGNUM client_host_key_n)
32	int ignore_rhosts, int strict_modes)
33	{	32	{
		33	extern ServerOptions options;
34	const char *canonical_hostname;	34	const char *canonical_hostname;
35	HostStatus host_status;	35	HostStatus host_status;
36	BIGNUM ke, kn;	36	BIGNUM ke, kn;
@@ -38,7 +38,7 @@ int auth_rhosts_rsa(struct passwd pw, const char client_user,
38	debug("Trying rhosts with RSA host authentication for %.100s", client_user);	38	debug("Trying rhosts with RSA host authentication for %.100s", client_user);
39		39
40	/* Check if we would accept it using rhosts authentication. */	40	/* Check if we would accept it using rhosts authentication. */
41	if (!auth_rhosts(pw, client_user, ignore_rhosts, strict_modes))	41	if (!auth_rhosts(pw, client_user, options.ignore_rhosts, options.strict_modes))
42	return 0;	42	return 0;
43		43
44	canonical_hostname = get_canonical_hostname();	44	canonical_hostname = get_canonical_hostname();
@@ -53,13 +53,14 @@ int auth_rhosts_rsa(struct passwd pw, const char client_user,
53	host_status = check_host_in_hostfile(SSH_SYSTEM_HOSTFILE, canonical_hostname,	53	host_status = check_host_in_hostfile(SSH_SYSTEM_HOSTFILE, canonical_hostname,
54	client_host_key_bits, client_host_key_e,	54	client_host_key_bits, client_host_key_e,
55	client_host_key_n, ke, kn);	55	client_host_key_n, ke, kn);
56	/* Check user host file. */	56
57	if (host_status != HOST_OK) {	57	/* Check user host file unless ignored. */
		58	if (host_status != HOST_OK && !options.ignore_user_known_hosts) {
58	struct stat st;	59	struct stat st;
59	char *user_hostfile = tilde_expand_filename(SSH_USER_HOSTFILE, pw->pw_uid);	60	char *user_hostfile = tilde_expand_filename(SSH_USER_HOSTFILE, pw->pw_uid);
60	/* Check file permissions of SSH_USER_HOSTFILE,	61	/* Check file permissions of SSH_USER_HOSTFILE,
61	auth_rsa() did already check pw->pw_dir, but there is a race XXX */	62	auth_rsa() did already check pw->pw_dir, but there is a race XXX */
62	if (strict_modes &&	63	if (options.strict_modes &&
63	(stat(user_hostfile, &st) == 0) &&	64	(stat(user_hostfile, &st) == 0) &&
64	((st.st_uid != 0 && st.st_uid != pw->pw_uid) \|\|	65	((st.st_uid != 0 && st.st_uid != pw->pw_uid) \|\|
65	(st.st_mode & 022) != 0)) {	66	(st.st_mode & 022) != 0)) {


diff --git a/servconf.c b/servconf.c index d7f54a62f..b1e52638c 100644 --- a/servconf.c +++ b/servconf.c
@@ -12,7 +12,7 @@ Created: Mon Aug 21 15:48:58 1995 ylo
12	*/	12	*/
13		13
14	#include "includes.h"	14	#include "includes.h"
15	RCSID("$Id: servconf.c,v 1.2 1999/11/11 06:57:39 damien Exp $");	15	RCSID("$Id: servconf.c,v 1.3 1999/11/12 00:33:04 damien Exp $");
16		16
17	#include "ssh.h"	17	#include "ssh.h"
18	#include "servconf.h"	18	#include "servconf.h"
@@ -31,6 +31,7 @@ void initialize_server_options(ServerOptions *options)
31	options->key_regeneration_time = -1;	31	options->key_regeneration_time = -1;
32	options->permit_root_login = -1;	32	options->permit_root_login = -1;
33	options->ignore_rhosts = -1;	33	options->ignore_rhosts = -1;
		34	options->ignore_user_known_hosts = -1;
34	options->print_motd = -1;	35	options->print_motd = -1;
35	options->check_mail = -1;	36	options->check_mail = -1;
36	options->x11_forwarding = -1;	37	options->x11_forwarding = -1;
@@ -88,6 +89,8 @@ void fill_default_server_options(ServerOptions *options)
88	options->permit_root_login = 1; /* yes */	89	options->permit_root_login = 1; /* yes */
89	if (options->ignore_rhosts == -1)	90	if (options->ignore_rhosts == -1)
90	options->ignore_rhosts = 0;	91	options->ignore_rhosts = 0;
		92	if (options->ignore_user_known_hosts == -1)
		93	options->ignore_user_known_hosts = 0;
91	if (options->check_mail == -1)	94	if (options->check_mail == -1)
92	options->check_mail = 0;	95	options->check_mail = 0;
93	if (options->print_motd == -1)	96	if (options->print_motd == -1)
@@ -156,8 +159,8 @@ typedef enum
156	sPasswordAuthentication, sListenAddress,	159	sPasswordAuthentication, sListenAddress,
157	sPrintMotd, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset,	160	sPrintMotd, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset,
158	sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sCheckMail,	161	sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sCheckMail,
159	sUseLogin, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups	162	sUseLogin, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
160		163	sIgnoreUserKnownHosts
161	} ServerOpCodes;	164	} ServerOpCodes;
162		165
163	/* Textual representation of the tokens. */	166	/* Textual representation of the tokens. */
@@ -195,6 +198,7 @@ static struct
195	{ "listenaddress", sListenAddress },	198	{ "listenaddress", sListenAddress },
196	{ "printmotd", sPrintMotd },	199	{ "printmotd", sPrintMotd },
197	{ "ignorerhosts", sIgnoreRhosts },	200	{ "ignorerhosts", sIgnoreRhosts },
		201	{ "ignoreuserknownhosts", sIgnoreUserKnownHosts },
198	{ "x11forwarding", sX11Forwarding },	202	{ "x11forwarding", sX11Forwarding },
199	{ "x11displayoffset", sX11DisplayOffset },	203	{ "x11displayoffset", sX11DisplayOffset },
200	{ "strictmodes", sStrictModes },	204	{ "strictmodes", sStrictModes },
@@ -402,7 +406,11 @@ void read_server_config(ServerOptions options, const char filename)
402	if (*intptr == -1)	406	if (*intptr == -1)
403	*intptr = value;	407	*intptr = value;
404	break;	408	break;
405		409
		410	case sIgnoreUserKnownHosts:
		411	intptr = &options->ignore_user_known_hosts;
		412	goto parse_int;
		413
406	case sRhostsAuthentication:	414	case sRhostsAuthentication:
407	intptr = &options->rhosts_authentication;	415	intptr = &options->rhosts_authentication;
408	goto parse_flag;	416	goto parse_flag;


diff --git a/servconf.h b/servconf.h index 584935bad..e16f3d044 100644 --- a/servconf.h +++ b/servconf.h
@@ -13,7 +13,7 @@ Definitions for server configuration data and for the functions reading it.
13		13
14	*/	14	*/
15		15
16	/* RCSID("$Id: servconf.h,v 1.2 1999/11/11 06:57:40 damien Exp $"); */	16	/* RCSID("$Id: servconf.h,v 1.3 1999/11/12 00:33:04 damien Exp $"); */
17		17
18	#ifndef SERVCONF_H	18	#ifndef SERVCONF_H
19	#define SERVCONF_H	19	#define SERVCONF_H
@@ -33,6 +33,7 @@ typedef struct
33	int key_regeneration_time; /* Server key lifetime (seconds). */	33	int key_regeneration_time; /* Server key lifetime (seconds). */
34	int permit_root_login; /* If true, permit root login. */	34	int permit_root_login; /* If true, permit root login. */
35	int ignore_rhosts; /* Ignore .rhosts and .shosts. */	35	int ignore_rhosts; /* Ignore .rhosts and .shosts. */
		36	int ignore_user_known_hosts; /* Ignore ~/.ssh/known_hosts for RhostsRsaAuth */
36	int print_motd; /* If true, print /etc/motd. */	37	int print_motd; /* If true, print /etc/motd. */
37	int check_mail; /* If true, check for new mail. */	38	int check_mail; /* If true, check for new mail. */
38	int x11_forwarding; /* If true, permit inet (spoofing) X11 fwd. */	39	int x11_forwarding; /* If true, permit inet (spoofing) X11 fwd. */


diff --git a/ssh.h b/ssh.h index da818b225..f33621320 100644 --- a/ssh.h +++ b/ssh.h
@@ -13,7 +13,7 @@ Generic header file for ssh.
13		13
14	*/	14	*/
15		15
16	/* RCSID("$Id: ssh.h,v 1.10 1999/11/11 06:57:40 damien Exp $"); */	16	/* RCSID("$Id: ssh.h,v 1.11 1999/11/12 00:33:04 damien Exp $"); */
17		17
18	#ifndef SSH_H	18	#ifndef SSH_H
19	#define SSH_H	19	#define SSH_H
@@ -138,8 +138,8 @@ only by root, whereas ssh_config should be world-readable. */
138	#define SSH_AUTHSOCKET_ENV_NAME "SSH_AUTH_SOCK"	138	#define SSH_AUTHSOCKET_ENV_NAME "SSH_AUTH_SOCK"
139		139
140	/* Name of the environment variable containing the pathname of the	140	/* Name of the environment variable containing the pathname of the
141	authentication socket. */	141	authentication socket. */
142	#define SSH_AGENTPID_ENV_NAME "SSH_AGENT_PID"	142	#define SSH_AGENTPID_ENV_NAME "SSH_AGENT_PID"
143		143
144	/* Force host key length and server key length to differ by at least this	144	/* Force host key length and server key length to differ by at least this
145	many bits. This is to make double encryption with rsaref work. */	145	many bits. This is to make double encryption with rsaref work. */
@@ -334,8 +334,7 @@ int auth_rhosts(struct passwd pw, const char client_user,
334	its host key. Returns true if authentication succeeds. */	334	its host key. Returns true if authentication succeeds. */
335	int auth_rhosts_rsa(struct passwd pw, const char client_user,	335	int auth_rhosts_rsa(struct passwd pw, const char client_user,
336	unsigned int bits, BIGNUM *client_host_key_e,	336	unsigned int bits, BIGNUM *client_host_key_e,
337	BIGNUM *client_host_key_n, int ignore_rhosts,	337	BIGNUM *client_host_key_n);
338	int strict_modes);
339		338
340	/* Tries to authenticate the user using password. Returns true if	339	/* Tries to authenticate the user using password. Returns true if
341	authentication succeeds. */	340	authentication succeeds. */


diff --git a/sshd.8 b/sshd.8 index 20e9712a5..e9a09f439 100644 --- a/sshd.8 +++ b/sshd.8
@@ -9,7 +9,7 @@
9	.\"	9	.\"
10	.\" Created: Sat Apr 22 21:55:14 1995 ylo	10	.\" Created: Sat Apr 22 21:55:14 1995 ylo
11	.\"	11	.\"
12	.\" $Id: sshd.8,v 1.6 1999/11/11 06:57:40 damien Exp $	12	.\" $Id: sshd.8,v 1.7 1999/11/12 00:33:04 damien Exp $
13	.\"	13	.\"
14	.Dd September 25, 1999	14	.Dd September 25, 1999
15	.Dt SSHD 8	15	.Dt SSHD 8
@@ -245,6 +245,15 @@ and
245	.Pa /etc/ssh/shosts.equiv	245	.Pa /etc/ssh/shosts.equiv
246	are still used. The default is	246	are still used. The default is
247	.Dq no .	247	.Dq no .
		248	.It Cm IgnoreUserKnownHosts
		249	Specifies whether
		250	.Nm
		251	should ignore the user's
		252	.Pa $HOME/.ssh/known_hosts
		253	during
		254	.Cm RhostsRSAAuthentication .
		255	The default is
		256	.Dq no .
248	.It Cm KeepAlive	257	.It Cm KeepAlive
249	Specifies whether the system should send keepalive messages to the	258	Specifies whether the system should send keepalive messages to the
250	other side. If they are sent, death of the connection or crash of one	259	other side. If they are sent, death of the connection or crash of one


diff --git a/sshd.c b/sshd.c index 59526007e..7cc24cd1a 100644 --- a/sshd.c +++ b/sshd.c
@@ -18,7 +18,7 @@ agent connections.
18	*/	18	*/
19		19
20	#include "includes.h"	20	#include "includes.h"
21	RCSID("$Id: sshd.c,v 1.15 1999/11/11 21:49:09 damien Exp $");	21	RCSID("$Id: sshd.c,v 1.16 1999/11/12 00:33:04 damien Exp $");
22		22
23	#include "xmalloc.h"	23	#include "xmalloc.h"
24	#include "rsa.h"	24	#include "rsa.h"
@@ -1394,11 +1394,8 @@ do_authentication(char *user, int privileged_port)
1394	packet_integrity_check(plen, (4 + ulen) + 4 + elen + nlen, type);	1394	packet_integrity_check(plen, (4 + ulen) + 4 + elen + nlen, type);
1395	}	1395	}
1396		1396
1397	/* Try to authenticate using /etc/hosts.equiv and .rhosts. */
1398	if (auth_rhosts_rsa(pw, client_user,	1397	if (auth_rhosts_rsa(pw, client_user,
1399	client_host_key_bits, client_host_key_e,	1398	client_host_key_bits, client_host_key_e, client_host_key_n))
1400	client_host_key_n, options.ignore_rhosts,
1401	options.strict_modes))
1402	{	1399	{
1403	/* Authentication accepted. */	1400	/* Authentication accepted. */
1404	authenticated = 1;	1401	authenticated = 1;


diff --git a/sshd_config b/sshd_config index 42c3244b6..791fd13bd 100644 --- a/sshd_config +++ b/sshd_config
@@ -11,13 +11,13 @@ PermitRootLogin yes
11	#	11	#
12	# Loglevel replaces QuietMode and FascistLogging	12	# Loglevel replaces QuietMode and FascistLogging
13	#	13	#
		14	SyslogFacility AUTH
14	LogLevel INFO	15	LogLevel INFO
15		16
16	#	17	#
17	# Don't read ~/.rhosts and ~/.shosts files	18	# Don't read ~/.rhosts and ~/.shosts files
18	IgnoreRhosts yes
19	StrictModes yes	19	StrictModes yes
20	X11Forwarding yes	20	X11Forwarding no
21	X11DisplayOffset 10	21	X11DisplayOffset 10
22	FascistLogging no	22	FascistLogging no
23	PrintMotd yes	23	PrintMotd yes
@@ -32,6 +32,16 @@ RhostsAuthentication no
32	#	32	#
33	RhostsRSAAuthentication no	33	RhostsRSAAuthentication no
34		34
		35	#
		36	# Don't read ~/.rhosts and ~/.shosts files
		37	#
		38	IgnoreRhosts yes
		39
		40	#
		41	# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
		42	#
		43	#IgnoreUserKnownHosts yes
		44
35	RSAAuthentication yes	45	RSAAuthentication yes
36		46
37	# To disable tunneled clear text passwords, change to no here!	47	# To disable tunneled clear text passwords, change to no here!