Diffstat (limited to 'auth-rhosts.c')
-rw-r--r--auth-rhosts.c68
1 files changed, 41 insertions, 27 deletions
diff --git a/auth-rhosts.c b/auth-rhosts.c
index bd15261f7..afca1f7c6 100644
--- a/auth-rhosts.c
+++ b/auth-rhosts.c
@@ -14,7 +14,7 @@
14 */ 14 */
15 15
16#include "includes.h" 16#include "includes.h"
17RCSID("$OpenBSD: auth-rhosts.c,v 1.27 2002/03/04 12:43:06 markus Exp $"); 17RCSID("$OpenBSD: auth-rhosts.c,v 1.28 2002/05/13 21:26:49 markus Exp $");
18 18
19#include "packet.h" 19#include "packet.h"
20#include "uidswap.h" 20#include "uidswap.h"
@@ -26,6 +26,7 @@ RCSID("$OpenBSD: auth-rhosts.c,v 1.27 2002/03/04 12:43:06 markus Exp $");
26 26
27/* import */ 27/* import */
28extern ServerOptions options; 28extern ServerOptions options;
29extern int use_privsep;
29 30
30/* 31/*
31 * This function processes an rhosts-style file (.rhosts, .shosts, or 32 * This function processes an rhosts-style file (.rhosts, .shosts, or
@@ -69,7 +70,7 @@ check_rhosts_file(const char *filename, const char *hostname,
69 */ 70 */
70 switch (sscanf(buf, "%s %s %s", hostbuf, userbuf, dummy)) { 71 switch (sscanf(buf, "%s %s %s", hostbuf, userbuf, dummy)) {
71 case 0: 72 case 0:
72 packet_send_debug("Found empty line in %.100s.", filename); 73 auth_debug_add("Found empty line in %.100s.", filename);
73 continue; 74 continue;
74 case 1: 75 case 1:
75 /* Host name only. */ 76 /* Host name only. */
@@ -79,7 +80,7 @@ check_rhosts_file(const char *filename, const char *hostname,
79 /* Got both host and user name. */ 80 /* Got both host and user name. */
80 break; 81 break;
81 case 3: 82 case 3:
82 packet_send_debug("Found garbage in %.100s.", filename); 83 auth_debug_add("Found garbage in %.100s.", filename);
83 continue; 84 continue;
84 default: 85 default:
85 /* Weird... */ 86 /* Weird... */
@@ -106,8 +107,8 @@ check_rhosts_file(const char *filename, const char *hostname,
106 /* Check for empty host/user names (particularly '+'). */ 107 /* Check for empty host/user names (particularly '+'). */
107 if (!host[0] || !user[0]) { 108 if (!host[0] || !user[0]) {
108 /* We come here if either was '+' or '-'. */ 109 /* We come here if either was '+' or '-'. */
109 packet_send_debug("Ignoring wild host/user names in %.100s.", 110 auth_debug_add("Ignoring wild host/user names in %.100s.",
110 filename); 111 filename);
111 continue; 112 continue;
112 } 113 }
113 /* Verify that host name matches. */ 114 /* Verify that host name matches. */
@@ -130,8 +131,8 @@ check_rhosts_file(const char *filename, const char *hostname,
130 131
131 /* If the entry was negated, deny access. */ 132 /* If the entry was negated, deny access. */
132 if (negated) { 133 if (negated) {
133 packet_send_debug("Matched negative entry in %.100s.", 134 auth_debug_add("Matched negative entry in %.100s.",
134 filename); 135 filename);
135 return 0; 136 return 0;
136 } 137 }
137 /* Accept authentication. */ 138 /* Accept authentication. */
@@ -153,16 +154,14 @@ int
153auth_rhosts(struct passwd *pw, const char *client_user) 154auth_rhosts(struct passwd *pw, const char *client_user)
154{ 155{
155 const char *hostname, *ipaddr; 156 const char *hostname, *ipaddr;
156 int ret;
157 157
158 hostname = get_canonical_hostname(options.verify_reverse_mapping); 158 hostname = get_canonical_hostname(options.verify_reverse_mapping);
159 ipaddr = get_remote_ipaddr(); 159 ipaddr = get_remote_ipaddr();
160 ret = auth_rhosts2(pw, client_user, hostname, ipaddr); 160 return auth_rhosts2(pw, client_user, hostname, ipaddr);
161 return ret;
162} 161}
163 162
164int 163static int
165auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname, 164auth_rhosts2_raw(struct passwd *pw, const char *client_user, const char *hostname,
166 const char *ipaddr) 165 const char *ipaddr)
167{ 166{
168 char buf[1024]; 167 char buf[1024];
@@ -205,13 +204,13 @@ auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname,
205 if (pw->pw_uid != 0) { 204 if (pw->pw_uid != 0) {
206 if (check_rhosts_file(_PATH_RHOSTS_EQUIV, hostname, ipaddr, 205 if (check_rhosts_file(_PATH_RHOSTS_EQUIV, hostname, ipaddr,
207 client_user, pw->pw_name)) { 206 client_user, pw->pw_name)) {
208 packet_send_debug("Accepted for %.100s [%.100s] by /etc/hosts.equiv.", 207 auth_debug_add("Accepted for %.100s [%.100s] by /etc/hosts.equiv.",
209 hostname, ipaddr); 208 hostname, ipaddr);
210 return 1; 209 return 1;
211 } 210 }
212 if (check_rhosts_file(_PATH_SSH_HOSTS_EQUIV, hostname, ipaddr, 211 if (check_rhosts_file(_PATH_SSH_HOSTS_EQUIV, hostname, ipaddr,
213 client_user, pw->pw_name)) { 212 client_user, pw->pw_name)) {
214 packet_send_debug("Accepted for %.100s [%.100s] by %.100s.", 213 auth_debug_add("Accepted for %.100s [%.100s] by %.100s.",
215 hostname, ipaddr, _PATH_SSH_HOSTS_EQUIV); 214 hostname, ipaddr, _PATH_SSH_HOSTS_EQUIV);
216 return 1; 215 return 1;
217 } 216 }
@@ -221,19 +220,19 @@ auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname,
221 * not group or world writable. 220 * not group or world writable.
222 */ 221 */
223 if (stat(pw->pw_dir, &st) < 0) { 222 if (stat(pw->pw_dir, &st) < 0) {
224 log("Rhosts authentication refused for %.100s: no home directory %.200s", 223 log("Rhosts authentication refused for %.100s: "
225 pw->pw_name, pw->pw_dir); 224 "no home directory %.200s", pw->pw_name, pw->pw_dir);
226 packet_send_debug("Rhosts authentication refused for %.100s: no home directory %.200s", 225 auth_debug_add("Rhosts authentication refused for %.100s: "
227 pw->pw_name, pw->pw_dir); 226 "no home directory %.200s", pw->pw_name, pw->pw_dir);
228 return 0; 227 return 0;
229 } 228 }
230 if (options.strict_modes && 229 if (options.strict_modes &&
231 ((st.st_uid != 0 && st.st_uid != pw->pw_uid) || 230 ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
232 (st.st_mode & 022) != 0)) { 231 (st.st_mode & 022) != 0)) {
233 log("Rhosts authentication refused for %.100s: bad ownership or modes for home directory.", 232 log("Rhosts authentication refused for %.100s: "
234 pw->pw_name); 233 "bad ownership or modes for home directory.", pw->pw_name);
235 packet_send_debug("Rhosts authentication refused for %.100s: bad ownership or modes for home directory.", 234 auth_debug_add("Rhosts authentication refused for %.100s: "
236 pw->pw_name); 235 "bad ownership or modes for home directory.", pw->pw_name);
237 return 0; 236 return 0;
238 } 237 }
239 /* Temporarily use the user's uid. */ 238 /* Temporarily use the user's uid. */
@@ -259,21 +258,23 @@ auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname,
259 (st.st_mode & 022) != 0)) { 258 (st.st_mode & 022) != 0)) {
260 log("Rhosts authentication refused for %.100s: bad modes for %.200s", 259 log("Rhosts authentication refused for %.100s: bad modes for %.200s",
261 pw->pw_name, buf); 260 pw->pw_name, buf);
262 packet_send_debug("Bad file modes for %.200s", buf); 261 auth_debug_add("Bad file modes for %.200s", buf);
263 continue; 262 continue;
264 } 263 }
265 /* Check if we have been configured to ignore .rhosts and .shosts files. */ 264 /* Check if we have been configured to ignore .rhosts and .shosts files. */
266 if (options.ignore_rhosts) { 265 if (options.ignore_rhosts) {
267 packet_send_debug("Server has been configured to ignore %.100s.", 266 auth_debug_add("Server has been configured to ignore %.100s.",
268 rhosts_files[rhosts_file_index]); 267 rhosts_files[rhosts_file_index]);
269 continue; 268 continue;
270 } 269 }
271 /* Check if authentication is permitted by the file. */ 270 /* Check if authentication is permitted by the file. */
272 if (check_rhosts_file(buf, hostname, ipaddr, client_user, pw->pw_name)) { 271 if (check_rhosts_file(buf, hostname, ipaddr, client_user, pw->pw_name)) {
273 packet_send_debug("Accepted by %.100s.", 272 auth_debug_add("Accepted by %.100s.",
274 rhosts_files[rhosts_file_index]); 273 rhosts_files[rhosts_file_index]);
275 /* Restore the privileged uid. */ 274 /* Restore the privileged uid. */
276 restore_uid(); 275 restore_uid();
276 auth_debug_add("Accepted host %s ip %s client_user %s server_user %s",
277 hostname, ipaddr, client_user, pw->pw_name);
277 return 1; 278 return 1;
278 } 279 }
279 } 280 }
@@ -282,3 +283,16 @@ auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname,
282 restore_uid(); 283 restore_uid();
283 return 0; 284 return 0;
284} 285}
286
287int
288auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname,
289 const char *ipaddr)
290{
291 int ret;
292
293 auth_debug_reset();
294 ret = auth_rhosts2_raw(pw, client_user, hostname, ipaddr);
295 if (!use_privsep)
296 auth_debug_send();
297 return ret;
298}
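Review bot: The accept message added at new line 276 in auth_rhosts2_raw formats hostname, ipaddr and client_user with a bare `%s`, while every other message in this file caps these same client-influenced strings with `%.100s`. Whether auth_debug_add bounds its buffer is not visible in this diff, so the unbounded specifiers should at least be aligned with the rest of the file: `auth_debug_add("Accepted host %.100s ip %.100s client_user %.100s server_user %.100s",`. The function that hunk edits starts before the hunk. Separately, the hosts.equiv and shosts.equiv accept paths at new lines 207 and 213 do not record the same host/ip/user tuple, so the buffered debug output differs depending on which file matched; if that line is meant as the acceptance record it could be emitted once in auth_rhosts2 when auth_rhosts2_raw returns 1.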