5 files changed, 43 insertions, 6 deletions

diff --git a/ChangeLog b/ChangeLog
index 03d11bb23..1e5ce7adf 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -50,6 +50,12 @@
      use RSA_blinding_on() for rsa hostkeys (suggested by Bill Sommerfeld)
      in order to avoid a possible Kocher timing attack pointed out by Charles
      Hannum; ok provos@
+   - markus@cvs.openbsd.org 2002/07/03 14:21:05
+     [ssh-keysign.8 ssh-keysign.c ssh.c ssh_config]
+     re-enable ssh-keysign's sbit, but make ssh-keysign read 
+     /etc/ssh/ssh_config and exit if HostbasedAuthentication is disabled 
+     globally. based on discussions with deraadt, itojun and sommerfeld; 
+     ok itojun@
 
 20020702
  - (djm) Use PAM_MSG_MEMBER for PAM_TEXT_INFO messages, use xmalloc & 
@@ -1258,4 +1264,4 @@
  - (stevesk) entropy.c: typo in debug message
  - (djm) ssh-keygen -i needs seeded RNG; report from markus@
 
-$Id: ChangeLog,v 1.2328 2002/07/04 00:17:33 mouring Exp $
+$Id: ChangeLog,v 1.2329 2002/07/04 00:19:40 mouring Exp $
diff --git a/ssh-keysign.8 b/ssh-keysign.8
index ab2cf21ba..cea4a8244 100644
--- a/ssh-keysign.8
+++ b/ssh-keysign.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-keysign.8,v 1.2 2002/06/10 16:56:30 stevesk Exp $
+.\" $OpenBSD: ssh-keysign.8,v 1.3 2002/07/03 14:21:05 markus Exp $
 .\"
 .\" Copyright (c) 2002 Markus Friedl.  All rights reserved.
 .\"
@@ -36,6 +36,16 @@ is used by
 .Xr ssh 1
 to access the local host keys and generate the digital signature
 required during hostbased authentication with SSH protocol version 2.
+.Pp
+.Nm
+is disabled by default and can only be enabled in the
+the global client configuration file
+.Pa /etc/ssh/ssh_config
+by setting
+.Cm HostbasedAuthentication
+to
+.Dq yes .
+.Pp
 .Nm
 is not intended to be invoked by the user, but from
 .Xr ssh 1 .
@@ -46,6 +56,10 @@ and
 for more information about hostbased authentication.
 .Sh FILES
 .Bl -tag -width Ds
+.It Pa /etc/ssh/ssh_config
+Controls whether
+.Nm
+is enabled.
 .It Pa /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_rsa_key
 These files contain the private parts of the host keys used to
 generate the digital signature.  They
@@ -58,6 +72,7 @@ must be set-uid root if hostbased authentication is used.
 .Sh SEE ALSO
 .Xr ssh 1 ,
 .Xr ssh-keygen 1 ,
+.Xr ssh_config 5 ,
 .Xr sshd 8
 .Sh AUTHORS
 Markus Friedl <markus@openbsd.org>
diff --git a/ssh-keysign.c b/ssh-keysign.c
index bed2b9874..06d28efa8 100644
--- a/ssh-keysign.c
+++ b/ssh-keysign.c
@@ -22,7 +22,7 @@
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 #include "includes.h"
-RCSID("$OpenBSD: ssh-keysign.c,v 1.6 2002/07/03 09:55:38 markus Exp $");
+RCSID("$OpenBSD: ssh-keysign.c,v 1.7 2002/07/03 14:21:05 markus Exp $");
 
 #include <openssl/evp.h>
 #include <openssl/rand.h>
@@ -30,6 +30,7 @@ RCSID("$OpenBSD: ssh-keysign.c,v 1.6 2002/07/03 09:55:38 markus Exp $");
 
 #include "log.h"
 #include "key.h"
+#include "ssh.h"
 #include "ssh2.h"
 #include "misc.h"
 #include "xmalloc.h"
@@ -39,6 +40,9 @@ RCSID("$OpenBSD: ssh-keysign.c,v 1.6 2002/07/03 09:55:38 markus Exp $");
 #include "msg.h"
 #include "canohost.h"
 #include "pathnames.h"
+#include "readconf.h"
+
+uid_t original_real_uid;        /* XXX readconf.c needs this */
 
 #ifdef HAVE___PROGNAME
 extern char *__progname;
@@ -136,6 +140,7 @@ int
 main(int argc, char **argv)
 {
         Buffer b;
+        Options options;
         Key *keys[2], *key;
         struct passwd *pw;
         int key_fd[2], i, found, version = 2, fd;
@@ -158,6 +163,15 @@ main(int argc, char **argv)
         log_init("ssh-keysign", SYSLOG_LEVEL_DEBUG3, SYSLOG_FACILITY_AUTH, 0);
 #endif
 
+        /* verify that ssh-keysign is enabled by the admin */
+        original_real_uid = getuid();   /* XXX readconf.c needs this */
+        initialize_options(&options);
+        (void)read_config_file(_PATH_HOST_CONFIG_FILE, "", &options);
+        fill_default_options(&options);
+        if (options.hostbased_authentication != 1)
+                fatal("Hostbased authentication not enabled in %s",
+                    _PATH_HOST_CONFIG_FILE);
+
         if (key_fd[0] == -1 && key_fd[1] == -1)
                 fatal("could not open any host key");
 
diff --git a/ssh.c b/ssh.c
index 67d297c0a..77e709daf 100644
--- a/ssh.c
+++ b/ssh.c
@@ -40,7 +40,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: ssh.c,v 1.180 2002/06/30 21:59:45 deraadt Exp $");
+RCSID("$OpenBSD: ssh.c,v 1.181 2002/07/03 14:21:05 markus Exp $");
 
 #include <openssl/evp.h>
 #include <openssl/err.h>
@@ -649,7 +649,8 @@ again:
                     _PATH_HOST_RSA_KEY_FILE, "", NULL);
                 PRIV_END;
 
-                if (sensitive_data.keys[0] == NULL &&
+                if (options.hostbased_authentication == 1 &&
+                    sensitive_data.keys[0] == NULL &&
                     sensitive_data.keys[1] == NULL &&
                     sensitive_data.keys[2] == NULL) {
                         sensitive_data.keys[1] = key_load_public(
diff --git a/ssh_config b/ssh_config
index ef31d4336..94cffbf39 100644
--- a/ssh_config
+++ b/ssh_config
@@ -1,4 +1,4 @@
-#       $OpenBSD: ssh_config,v 1.15 2002/06/20 20:03:34 stevesk Exp $
+#       $OpenBSD: ssh_config,v 1.16 2002/07/03 14:21:05 markus Exp $
 
 # This is the ssh client system-wide configuration file.  See
 # ssh_config(5) for more information.  This file provides defaults for
@@ -22,6 +22,7 @@
 #   RhostsRSAAuthentication no
 #   RSAAuthentication yes
 #   PasswordAuthentication yes
+#   HostbasedAuthentication no
 #   BatchMode no
 #   CheckHostIP yes
 #   StrictHostKeyChecking ask