summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--ChangeLog5
-rw-r--r--auth-rh-rsa.c25
-rw-r--r--ssh.14
-rw-r--r--sshd.811
4 files changed, 35 insertions, 10 deletions
diff --git a/ChangeLog b/ChangeLog
index 4fed0720f..8088670c9 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,7 +1,10 @@
119991111 119991111
2 - Added (untested) Entropy Gathering Daemon (EGD) support 2 - Added (untested) Entropy Gathering Daemon (EGD) support
3 - Fixed fd leak 3 - Fixed fd leak
4 4 - Merged OpenBSD CVS changes:
5 - [auth-rh-rsa.c] user/958: check ~/.ssh/known_hosts for rhosts-rsa, too
6 - [ssh.1] user/958: check ~/.ssh/known_hosts for rhosts-rsa, too
7 - [sshd.8] user/958: check ~/.ssh/known_hosts for rhosts-rsa, too
519991110 819991110
6 - Merged several minor fixed: 9 - Merged several minor fixed:
7 - ssh-agent commandline parsing 10 - ssh-agent commandline parsing
diff --git a/auth-rh-rsa.c b/auth-rh-rsa.c
index c433578bf..ee6af218c 100644
--- a/auth-rh-rsa.c
+++ b/auth-rh-rsa.c
@@ -15,7 +15,7 @@ authentication.
15*/ 15*/
16 16
17#include "includes.h" 17#include "includes.h"
18RCSID("$Id: auth-rh-rsa.c,v 1.1 1999/10/27 03:42:43 damien Exp $"); 18RCSID("$Id: auth-rh-rsa.c,v 1.2 1999/11/11 00:43:13 damien Exp $");
19 19
20#include "packet.h" 20#include "packet.h"
21#include "ssh.h" 21#include "ssh.h"
@@ -53,8 +53,31 @@ int auth_rhosts_rsa(struct passwd *pw, const char *client_user,
53 host_status = check_host_in_hostfile(SSH_SYSTEM_HOSTFILE, canonical_hostname, 53 host_status = check_host_in_hostfile(SSH_SYSTEM_HOSTFILE, canonical_hostname,
54 client_host_key_bits, client_host_key_e, 54 client_host_key_bits, client_host_key_e,
55 client_host_key_n, ke, kn); 55 client_host_key_n, ke, kn);
56 /* Check user host file. */
57 if (host_status != HOST_OK) {
58 struct stat st;
59 char *user_hostfile = tilde_expand_filename(SSH_USER_HOSTFILE, pw->pw_uid);
60 /* Check file permissions of SSH_USER_HOSTFILE,
61 auth_rsa() did already check pw->pw_dir, but there is a race XXX */
62 if (strict_modes &&
63 (stat(user_hostfile, &st) == 0) &&
64 ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
65 (st.st_mode & 022) != 0)) {
66 log("Rhosts RSA authentication refused for %.100s: bad owner or modes for %.200s",
67 pw->pw_name, user_hostfile);
68 } else {
69 /* XXX race between stat and the following open() */
70 temporarily_use_uid(pw->pw_uid);
71 host_status = check_host_in_hostfile(user_hostfile, canonical_hostname,
72 client_host_key_bits, client_host_key_e,
73 client_host_key_n, ke, kn);
74 restore_uid();
75 }
76 xfree(user_hostfile);
77 }
56 BN_free(ke); 78 BN_free(ke);
57 BN_free(kn); 79 BN_free(kn);
80
58 if (host_status != HOST_OK) { 81 if (host_status != HOST_OK) {
59 /* The host key was not found. */ 82 /* The host key was not found. */
60 debug("Rhosts with RSA host authentication denied: unknown or invalid host key"); 83 debug("Rhosts with RSA host authentication denied: unknown or invalid host key");
diff --git a/ssh.1 b/ssh.1
index 10054445c..3ea1c27b6 100644
--- a/ssh.1
+++ b/ssh.1
@@ -9,7 +9,7 @@
9.\" 9.\"
10.\" Created: Sat Apr 22 21:55:14 1995 ylo 10.\" Created: Sat Apr 22 21:55:14 1995 ylo
11.\" 11.\"
12.\" $Id: ssh.1,v 1.4 1999/10/28 23:17:36 damien Exp $ 12.\" $Id: ssh.1,v 1.5 1999/11/11 00:43:13 damien Exp $
13.\" 13.\"
14.Dd September 25, 1999 14.Dd September 25, 1999
15.Dt SSH 1 15.Dt SSH 1
@@ -93,6 +93,8 @@ or
93and if additionally the server can verify the client's 93and if additionally the server can verify the client's
94host key (see 94host key (see
95.Pa /etc/ssh/ssh_known_hosts 95.Pa /etc/ssh/ssh_known_hosts
96and
97.Pa $HOME/.ssh/known_hosts
96in the 98in the
97.Sx FILES 99.Sx FILES
98section), only then login is 100section), only then login is
diff --git a/sshd.8 b/sshd.8
index b19880f0e..fd1f7f02b 100644
--- a/sshd.8
+++ b/sshd.8
@@ -9,7 +9,7 @@
9.\" 9.\"
10.\" Created: Sat Apr 22 21:55:14 1995 ylo 10.\" Created: Sat Apr 22 21:55:14 1995 ylo
11.\" 11.\"
12.\" $Id: sshd.8,v 1.4 1999/10/28 23:17:36 damien Exp $ 12.\" $Id: sshd.8,v 1.5 1999/11/11 00:43:13 damien Exp $
13.\" 13.\"
14.Dd September 25, 1999 14.Dd September 25, 1999
15.Dt SSHD 8 15.Dt SSHD 8
@@ -622,14 +622,11 @@ This file must be readable by root (which may on some machines imply
622it being world-readable if the user's home directory resides on an NFS 622it being world-readable if the user's home directory resides on an NFS
623volume). It is recommended that it not be accessible by others. The 623volume). It is recommended that it not be accessible by others. The
624format of this file is described above. 624format of this file is described above.
625.It Pa /etc/ssh/ssh_known_hosts 625.It Pa "/etc/ssh/ssh_known_hosts" and "$HOME/.ssh/known_hosts"
626This file is consulted when using rhosts with RSA host 626This file is consulted when using rhosts with RSA host
627authentication to check the public key of the host. The key must be 627authentication to check the public key of the host. The key must be
628listed in this file to be accepted. 628listed in one of these files to be accepted.
629.It Pa $HOME/.ssh/known_hosts 629The client uses the same files
630The client uses this file
631and
632.Pa /etc/ssh/ssh_known_hosts
633to verify that the remote host is the one we intended to 630to verify that the remote host is the one we intended to
634connect. These files should be writable only by root/the owner. 631connect. These files should be writable only by root/the owner.
635.Pa /etc/ssh/ssh_known_hosts 632.Pa /etc/ssh/ssh_known_hosts