14 files changed, 28 insertions, 140 deletions

diff --git a/ChangeLog b/ChangeLog
index f80dea665..b421d6ffd 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -5,6 +5,11 @@
      [session.c]
      use more portable tcsendbreak(3) and ignore break_length;
      ok deraadt, millert
+   - markus@cvs.openbsd.org 2003/08/13 08:46:31
+     [auth1.c readconf.c readconf.h servconf.c servconf.h ssh.c ssh_config
+     ssh_config.5 sshconnect1.c sshd.8 sshd.c sshd_config sshd_config.5]
+     remove RhostsAuthentication; suggested by djm@ before; ok djm@, deraadt@,
+     fgsch@, miod@, henning@, jakob@ and others
 
 20030811
  - (dtucker) OpenBSD CVS Sync
@@ -823,4 +828,4 @@
  - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo.
    Report from murple@murple.net, diagnosis from dtucker@zip.com.au
 
-$Id: ChangeLog,v 1.2890 2003/08/13 10:31:05 dtucker Exp $
+$Id: ChangeLog,v 1.2891 2003/08/13 10:37:05 dtucker Exp $
diff --git a/auth1.c b/auth1.c
index 877e2e62d..7c0100103 100644
--- a/auth1.c
+++ b/auth1.c
@@ -10,7 +10,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth1.c,v 1.49 2003/07/22 13:35:22 markus Exp $");
+RCSID("$OpenBSD: auth1.c,v 1.50 2003/08/13 08:46:30 markus Exp $");
 
 #include "xmalloc.h"
 #include "rsa.h"
@@ -160,26 +160,6 @@ do_authloop(Authctxt *authctxt)
                         break;
 #endif
 
-                case SSH_CMSG_AUTH_RHOSTS:
-                        if (!options.rhosts_authentication) {
-                                verbose("Rhosts authentication disabled.");
-                                break;
-                        }
-                        /*
-                         * Get client user name.  Note that we just have to
-                         * trust the client; this is one reason why rhosts
-                         * authentication is insecure. (Another is
-                         * IP-spoofing on a local network.)
-                         */
-                        client_user = packet_get_string(&ulen);
-                        packet_check_eom();
-
-                        /* Try to authenticate using /etc/hosts.equiv and .rhosts. */
-                        authenticated = auth_rhosts(pw, client_user);
-
-                        snprintf(info, sizeof info, " ruser %.100s", client_user);
-                        break;
-
                 case SSH_CMSG_AUTH_RHOSTS_RSA:
                         if (!options.rhosts_rsa_authentication) {
                                 verbose("Rhosts with RSA authentication disabled.");
diff --git a/readconf.c b/readconf.c
index 332500e7c..355a7dfcc 100644
--- a/readconf.c
+++ b/readconf.c
@@ -12,7 +12,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: readconf.c,v 1.115 2003/07/22 13:35:22 markus Exp $");
+RCSID("$OpenBSD: readconf.c,v 1.116 2003/08/13 08:46:30 markus Exp $");
 
 #include "ssh.h"
 #include "xmalloc.h"
@@ -57,7 +57,6 @@ RCSID("$OpenBSD: readconf.c,v 1.115 2003/07/22 13:35:22 markus Exp $");
    Host fascist.blob.com
      Port 23123
      User tylonen
-     RhostsAuthentication no
      PasswordAuthentication no
 
    Host puukko.hut.fi
@@ -75,7 +74,6 @@ RCSID("$OpenBSD: readconf.c,v 1.115 2003/07/22 13:35:22 markus Exp $");
    Host *
      ForwardAgent no
      ForwardX11 no
-     RhostsAuthentication yes
      PasswordAuthentication yes
      RSAAuthentication yes
      RhostsRSAAuthentication yes
@@ -91,7 +89,7 @@ RCSID("$OpenBSD: readconf.c,v 1.115 2003/07/22 13:35:22 markus Exp $");
 
 typedef enum {
         oBadOption,
-        oForwardAgent, oForwardX11, oGatewayPorts, oRhostsAuthentication,
+        oForwardAgent, oForwardX11, oGatewayPorts,
         oPasswordAuthentication, oRSAAuthentication,
         oChallengeResponseAuthentication, oXAuthLocation,
         oKerberosAuthentication, oKerberosTgtPassing,
@@ -122,7 +120,7 @@ static struct {
         { "xauthlocation", oXAuthLocation },
         { "gatewayports", oGatewayPorts },
         { "useprivilegedport", oUsePrivilegedPort },
-        { "rhostsauthentication", oRhostsAuthentication },
+        { "rhostsauthentication", oDeprecated },
         { "passwordauthentication", oPasswordAuthentication },
         { "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
         { "kbdinteractivedevices", oKbdInteractiveDevices },
@@ -351,10 +349,6 @@ parse_flag:
                 intptr = &options->use_privileged_port;
                 goto parse_flag;
 
-        case oRhostsAuthentication:
-                intptr = &options->rhosts_authentication;
-                goto parse_flag;
-
         case oPasswordAuthentication:
                 intptr = &options->password_authentication;
                 goto parse_flag;
@@ -814,7 +808,6 @@ initialize_options(Options * options)
         options->xauth_location = NULL;
         options->gateway_ports = -1;
         options->use_privileged_port = -1;
-        options->rhosts_authentication = -1;
         options->rsa_authentication = -1;
         options->pubkey_authentication = -1;
         options->challenge_response_authentication = -1;
@@ -884,8 +877,6 @@ fill_default_options(Options * options)
                 options->gateway_ports = 0;
         if (options->use_privileged_port == -1)
                 options->use_privileged_port = 0;
-        if (options->rhosts_authentication == -1)
-                options->rhosts_authentication = 0;
         if (options->rsa_authentication == -1)
                 options->rsa_authentication = 1;
         if (options->pubkey_authentication == -1)
diff --git a/readconf.h b/readconf.h
index cc94253e6..6fbf467e5 100644
--- a/readconf.h
+++ b/readconf.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: readconf.h,v 1.52 2003/07/22 13:35:22 markus Exp $    */
+/*      $OpenBSD: readconf.h,v 1.53 2003/08/13 08:46:30 markus Exp $    */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -33,7 +33,6 @@ typedef struct {
         char   *xauth_location; /* Location for xauth program */
         int     gateway_ports;  /* Allow remote connects to forwarded ports. */
         int     use_privileged_port;    /* Don't use privileged port if false. */
-        int     rhosts_authentication;  /* Try rhosts authentication. */
         int     rhosts_rsa_authentication;      /* Try rhosts with RSA
                                                  * authentication. */
         int     rsa_authentication;     /* Try RSA authentication. */
diff --git a/servconf.c b/servconf.c
index c4b2bb284..e9c313bbb 100644
--- a/servconf.c
+++ b/servconf.c
@@ -10,7 +10,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: servconf.c,v 1.123 2003/07/22 13:35:22 markus Exp $");
+RCSID("$OpenBSD: servconf.c,v 1.124 2003/08/13 08:46:30 markus Exp $");
 
 #include "ssh.h"
 #include "log.h"
@@ -64,7 +64,6 @@ initialize_server_options(ServerOptions *options)
         options->keepalives = -1;
         options->log_facility = SYSLOG_FACILITY_NOT_SET;
         options->log_level = SYSLOG_LEVEL_NOT_SET;
-        options->rhosts_authentication = -1;
         options->rhosts_rsa_authentication = -1;
         options->hostbased_authentication = -1;
         options->hostbased_uses_name_from_packet_only = -1;
@@ -165,8 +164,6 @@ fill_default_server_options(ServerOptions *options)
                 options->log_facility = SYSLOG_FACILITY_AUTH;
         if (options->log_level == SYSLOG_LEVEL_NOT_SET)
                 options->log_level = SYSLOG_LEVEL_INFO;
-        if (options->rhosts_authentication == -1)
-                options->rhosts_authentication = 0;
         if (options->rhosts_rsa_authentication == -1)
                 options->rhosts_rsa_authentication = 0;
         if (options->hostbased_authentication == -1)
@@ -248,7 +245,7 @@ typedef enum {
         /* Standard Options */
         sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
         sPermitRootLogin, sLogFacility, sLogLevel,
-        sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
+        sRhostsRSAAuthentication, sRSAAuthentication,
         sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
         sKerberosTgtPassing, sChallengeResponseAuthentication,
         sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
@@ -288,7 +285,7 @@ static struct {
         { "permitrootlogin", sPermitRootLogin },
         { "syslogfacility", sLogFacility },
         { "loglevel", sLogLevel },
-        { "rhostsauthentication", sRhostsAuthentication },
+        { "rhostsauthentication", sDeprecated },
         { "rhostsrsaauthentication", sRhostsRSAAuthentication },
         { "hostbasedauthentication", sHostbasedAuthentication },
         { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly },
@@ -589,10 +586,6 @@ parse_flag:
                 intptr = &options->ignore_user_known_hosts;
                 goto parse_flag;
 
-        case sRhostsAuthentication:
-                intptr = &options->rhosts_authentication;
-                goto parse_flag;
-
         case sRhostsRSAAuthentication:
                 intptr = &options->rhosts_rsa_authentication;
                 goto parse_flag;
diff --git a/servconf.h b/servconf.h
index 65ad2071a..42bcda757 100644
--- a/servconf.h
+++ b/servconf.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: servconf.h,v 1.62 2003/07/22 13:35:22 markus Exp $    */
+/*      $OpenBSD: servconf.h,v 1.63 2003/08/13 08:46:30 markus Exp $    */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -65,8 +65,6 @@ typedef struct {
         int     gateway_ports;  /* If true, allow remote connects to forwarded ports. */
         SyslogFacility log_facility;    /* Facility for system logging. */
         LogLevel log_level;     /* Level for system logging. */
-        int     rhosts_authentication;  /* If true, permit rhosts
-                                         * authentication. */
         int     rhosts_rsa_authentication;      /* If true, permit rhosts RSA
                                                  * authentication. */
         int     hostbased_authentication;       /* If true, permit ssh2 hostbased auth */
diff --git a/ssh.c b/ssh.c
index 82b40193d..71556e205 100644
--- a/ssh.c
+++ b/ssh.c
@@ -40,7 +40,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: ssh.c,v 1.198 2003/07/22 13:35:22 markus Exp $");
+RCSID("$OpenBSD: ssh.c,v 1.199 2003/08/13 08:46:30 markus Exp $");
 
 #include <openssl/evp.h>
 #include <openssl/err.h>
@@ -600,19 +600,7 @@ again:
             strcmp(options.proxy_command, "none") == 0)
                 options.proxy_command = NULL;
 
-        /* Disable rhosts authentication if not running as root. */
-#ifdef HAVE_CYGWIN
-        /* Ignore uid if running under Windows */
-        if (!options.use_privileged_port) {
-#else
-        if (original_effective_uid != 0 || !options.use_privileged_port) {
-#endif
-                debug("Rhosts Authentication disabled, "
-                    "originating port will not be trusted.");
-                options.rhosts_authentication = 0;
-        }
         /* Open a connection to the remote host. */
-
         if (ssh_connect(host, &hostaddr, options.port,
             options.address_family, options.connection_attempts,
 #ifdef HAVE_CYGWIN
diff --git a/ssh_config b/ssh_config
index 721e374e0..2692e8913 100644
--- a/ssh_config
+++ b/ssh_config
@@ -1,4 +1,4 @@
-#       $OpenBSD: ssh_config,v 1.18 2003/05/16 03:27:12 djm Exp $
+#       $OpenBSD: ssh_config,v 1.19 2003/08/13 08:46:31 markus Exp $
 
 # This is the ssh client system-wide configuration file.  See
 # ssh_config(5) for more information.  This file provides defaults for
@@ -18,7 +18,6 @@
 # Host *
 #   ForwardAgent no
 #   ForwardX11 no
-#   RhostsAuthentication no
 #   RhostsRSAAuthentication no
 #   RSAAuthentication yes
 #   PasswordAuthentication yes
diff --git a/ssh_config.5 b/ssh_config.5
index 3a79af8f0..fb341d79b 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.16 2003/07/22 13:35:22 markus Exp $
+.\" $OpenBSD: ssh_config.5,v 1.17 2003/08/13 08:46:31 markus Exp $
 .Dd September 25, 1999
 .Dt SSH_CONFIG 5
 .Os
@@ -529,26 +529,6 @@ IPv6 addresses can be specified with an alternative syntax:
 Multiple forwardings may be specified, and additional
 forwardings can be given on the command line.
 Only the superuser can forward privileged ports.
-.It Cm RhostsAuthentication
-Specifies whether to try rhosts based authentication.
-Note that this
-declaration only affects the client side and has no effect whatsoever
-on security.
-Most servers do not permit RhostsAuthentication because it
-is not secure (see
-.Cm RhostsRSAAuthentication ) .
-The argument to this keyword must be
-.Dq yes
-or
-.Dq no .
-The default is
-.Dq no .
-This option applies to protocol version 1 only and requires
-.Nm ssh
-to be setuid root and
-.Cm UsePrivilegedPort
-to be set to
-.Dq yes .
 .It Cm RhostsRSAAuthentication
 Specifies whether to try rhosts based authentication with RSA host
 authentication.
@@ -629,11 +609,9 @@ If set to
 must be setuid root.
 Note that this option must be set to
 .Dq yes
-if
-.Cm RhostsAuthentication
-and
+for
 .Cm RhostsRSAAuthentication
-authentications are needed with older servers.
+with older servers.
 .It Cm User
 Specifies the user to log in as.
 This can be useful when a different user name is used on different machines.
diff --git a/sshconnect1.c b/sshconnect1.c
index 8851c35f6..5e1802b10 100644
--- a/sshconnect1.c
+++ b/sshconnect1.c
@@ -13,7 +13,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect1.c,v 1.54 2003/07/22 13:35:22 markus Exp $");
+RCSID("$OpenBSD: sshconnect1.c,v 1.55 2003/08/13 08:46:31 markus Exp $");
 
 #include <openssl/bn.h>
 #include <openssl/md5.h>
@@ -932,26 +932,6 @@ ssh_userauth1(const char *local_user, const char *server_user, char *host,
 #endif /* KRB5 */
 
         /*
-         * Use rhosts authentication if running in privileged socket and we
-         * do not wish to remain anonymous.
-         */
-        if ((supported_authentications & (1 << SSH_AUTH_RHOSTS)) &&
-            options.rhosts_authentication) {
-                debug("Trying rhosts authentication.");
-                packet_start(SSH_CMSG_AUTH_RHOSTS);
-                packet_put_cstring(local_user);
-                packet_send();
-                packet_write_wait();
-
-                /* The server should respond with success or failure. */
-                type = packet_read();
-                if (type == SSH_SMSG_SUCCESS)
-                        goto success;
-                if (type != SSH_SMSG_FAILURE)
-                        packet_disconnect("Protocol error: got %d in response to rhosts auth",
-                                          type);
-        }
-        /*
          * Try .rhosts or /etc/hosts.equiv authentication with RSA host
          * authentication.
          */
diff --git a/sshd.8 b/sshd.8
index 1cad834f6..4749fab84 100644
--- a/sshd.8
+++ b/sshd.8
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.198 2003/06/10 09:12:12 jmc Exp $
+.\" $OpenBSD: sshd.8,v 1.199 2003/08/13 08:46:31 markus Exp $
 .Dd September 25, 1999
 .Dt SSHD 8
 .Os
@@ -292,7 +292,6 @@ may also be used to prevent
 from making DNS requests unless the authentication
 mechanism or configuration requires it.
 Authentication mechanisms that may require DNS include
-.Cm RhostsAuthentication ,
 .Cm RhostsRSAAuthentication ,
 .Cm HostbasedAuthentication
 and using a
diff --git a/sshd.c b/sshd.c
index 896e56c76..dc275b0cb 100644
--- a/sshd.c
+++ b/sshd.c
@@ -42,7 +42,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: sshd.c,v 1.274 2003/07/22 13:35:22 markus Exp $");
+RCSID("$OpenBSD: sshd.c,v 1.275 2003/08/13 08:46:31 markus Exp $");
 
 #include <openssl/dh.h>
 #include <openssl/bn.h>
@@ -1462,20 +1462,7 @@ main(int ac, char **av)
                 alarm(options.login_grace_time);
 
         sshd_exchange_identification(sock_in, sock_out);
-        /*
-         * Check that the connection comes from a privileged port.
-         * Rhosts-Authentication only makes sense from privileged
-         * programs.  Of course, if the intruder has root access on his local
-         * machine, he can connect from any port.  So do not use these
-         * authentication methods from machines that you do not trust.
-         */
-        if (options.rhosts_authentication &&
-            (remote_port >= IPPORT_RESERVED ||
-            remote_port < IPPORT_RESERVED / 2)) {
-                debug("Rhosts Authentication disabled, "
-                    "originating port %d not trusted.", remote_port);
-                options.rhosts_authentication = 0;
-        }
+
 #ifdef KRB5
         if (!packet_connection_is_ipv4() &&
             options.kerberos_authentication) {
@@ -1643,8 +1630,6 @@ do_ssh1_kex(void)
 
         /* Declare supported authentication types. */
         auth_mask = 0;
-        if (options.rhosts_authentication)
-                auth_mask |= 1 << SSH_AUTH_RHOSTS;
         if (options.rhosts_rsa_authentication)
                 auth_mask |= 1 << SSH_AUTH_RHOSTS_RSA;
         if (options.rsa_authentication)
diff --git a/sshd_config b/sshd_config
index 262b6883a..a2bd2ff60 100644
--- a/sshd_config
+++ b/sshd_config
@@ -1,4 +1,4 @@
-#       $OpenBSD: sshd_config,v 1.62 2003/07/23 07:42:43 markus Exp $
+#       $OpenBSD: sshd_config,v 1.63 2003/08/13 08:46:31 markus Exp $
 
 # This is the sshd server system-wide configuration file.  See
 # sshd_config(5) for more information.
@@ -40,10 +40,6 @@
 #PubkeyAuthentication yes
 #AuthorizedKeysFile     .ssh/authorized_keys
 
-# rhosts authentication should not be used
-#RhostsAuthentication no
-# Don't read the user's ~/.rhosts and ~/.shosts files
-#IgnoreRhosts yes
 # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
 #RhostsRSAAuthentication no
 # similar for protocol version 2
@@ -51,6 +47,8 @@
 # Change to yes if you don't trust ~/.ssh/known_hosts for
 # RhostsRSAAuthentication and HostbasedAuthentication
 #IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
 
 # To disable tunneled clear text passwords, change to no here!
 #PasswordAuthentication yes
diff --git a/sshd_config.5 b/sshd_config.5
index 223ff8aae..3d920cc80 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.21 2003/07/22 13:35:22 markus Exp $
+.\" $OpenBSD: sshd_config.5,v 1.22 2003/08/13 08:46:31 markus Exp $
 .Dd September 25, 1999
 .Dt SSHD_CONFIG 5
 .Os
@@ -260,7 +260,6 @@ Specifies that
 and
 .Pa .shosts
 files will not be used in
-.Cm RhostsAuthentication ,
 .Cm RhostsRSAAuthentication
 or
 .Cm HostbasedAuthentication .
@@ -529,10 +528,6 @@ Specifies whether public key authentication is allowed.
 The default is
 .Dq yes .
 Note that this option applies to protocol version 2 only.
-.It Cm RhostsAuthentication
-Specifies whether authentication using rhosts or /etc/hosts.equiv
-files is sufficient.
-Normally, this method should not be permitted because it is insecure.
 .Cm RhostsRSAAuthentication
 should be used
 instead, because it performs RSA-based host authentication in addition