[auth-rhosts.c]
     handle debug messages during rhosts-rsa and hostbased authentication;
     ok provos@
Ben Lindstrom 2002-05-15 16:19:37 +00:00
parent 17401b6b77
commit bdde330d2f
2 changed files with 46 additions and 28 deletions


@ -24,6 +24,10 @@
Without this, there is a race where the login name of an existing Without this, there is a race where the login name of an existing
connection, as returned by getlogin(), may be changed to the privsep connection, as returned by getlogin(), may be changed to the privsep
user (sshd). markus@ OK user (sshd). markus@ OK
- markus@cvs.openbsd.org 2002/05/13 21:26:49
[auth-rhosts.c]
handle debug messages during rhosts-rsa and hostbased authentication;
ok provos@
20020514 20020514
- (stevesk) [README.privsep] PAM+privsep works with Solaris 8. - (stevesk) [README.privsep] PAM+privsep works with Solaris 8.
@ -628,4 +632,4 @@
- (stevesk) entropy.c: typo in debug message - (stevesk) entropy.c: typo in debug message
- (djm) ssh-keygen -i needs seeded RNG; report from markus@ - (djm) ssh-keygen -i needs seeded RNG; report from markus@
$Id: ChangeLog,v 1.2127 2002/05/15 16:17:56 mouring Exp $ $Id: ChangeLog,v 1.2128 2002/05/15 16:19:37 mouring Exp $


@ -14,7 +14,7 @@
*/ */
#include "includes.h" #include "includes.h"
RCSID("$OpenBSD: auth-rhosts.c,v 1.27 2002/03/04 12:43:06 markus Exp $"); RCSID("$OpenBSD: auth-rhosts.c,v 1.28 2002/05/13 21:26:49 markus Exp $");
#include "packet.h" #include "packet.h"
#include "uidswap.h" #include "uidswap.h"
@ -26,6 +26,7 @@ RCSID("$OpenBSD: auth-rhosts.c,v 1.27 2002/03/04 12:43:06 markus Exp $");
/* import */ /* import */
extern ServerOptions options; extern ServerOptions options;
extern int use_privsep;
/* /*
* This function processes an rhosts-style file (.rhosts, .shosts, or * This function processes an rhosts-style file (.rhosts, .shosts, or
@ -69,7 +70,7 @@ check_rhosts_file(const char *filename, const char *hostname,
*/ */
switch (sscanf(buf, "%s %s %s", hostbuf, userbuf, dummy)) { switch (sscanf(buf, "%s %s %s", hostbuf, userbuf, dummy)) {
case 0: case 0:
packet_send_debug("Found empty line in %.100s.", filename); auth_debug_add("Found empty line in %.100s.", filename);
continue; continue;
case 1: case 1:
/* Host name only. */ /* Host name only. */
@ -79,7 +80,7 @@ check_rhosts_file(const char *filename, const char *hostname,
/* Got both host and user name. */ /* Got both host and user name. */
break; break;
case 3: case 3:
packet_send_debug("Found garbage in %.100s.", filename); auth_debug_add("Found garbage in %.100s.", filename);
continue; continue;
default: default:
/* Weird... */ /* Weird... */
@ -106,7 +107,7 @@ check_rhosts_file(const char *filename, const char *hostname,
/* Check for empty host/user names (particularly '+'). */ /* Check for empty host/user names (particularly '+'). */
if (!host[0] || !user[0]) { if (!host[0] || !user[0]) {
/* We come here if either was '+' or '-'. */ /* We come here if either was '+' or '-'. */
packet_send_debug("Ignoring wild host/user names in %.100s.", auth_debug_add("Ignoring wild host/user names in %.100s.",
filename); filename);
continue; continue;
} }
@ -130,7 +131,7 @@ check_rhosts_file(const char *filename, const char *hostname,
/* If the entry was negated, deny access. */ /* If the entry was negated, deny access. */
if (negated) { if (negated) {
packet_send_debug("Matched negative entry in %.100s.", auth_debug_add("Matched negative entry in %.100s.",
filename); filename);
return 0; return 0;
} }
@ -153,16 +154,14 @@ int
auth_rhosts(struct passwd *pw, const char *client_user) auth_rhosts(struct passwd *pw, const char *client_user)
{ {
const char *hostname, *ipaddr; const char *hostname, *ipaddr;
int ret;
hostname = get_canonical_hostname(options.verify_reverse_mapping); hostname = get_canonical_hostname(options.verify_reverse_mapping);
ipaddr = get_remote_ipaddr(); ipaddr = get_remote_ipaddr();
ret = auth_rhosts2(pw, client_user, hostname, ipaddr); return auth_rhosts2(pw, client_user, hostname, ipaddr);
return ret;
} }
int static int
auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname, auth_rhosts2_raw(struct passwd *pw, const char *client_user, const char *hostname,
const char *ipaddr) const char *ipaddr)
{ {
char buf[1024]; char buf[1024];
@ -205,13 +204,13 @@ auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname,
if (pw->pw_uid != 0) { if (pw->pw_uid != 0) {
if (check_rhosts_file(_PATH_RHOSTS_EQUIV, hostname, ipaddr, if (check_rhosts_file(_PATH_RHOSTS_EQUIV, hostname, ipaddr,
client_user, pw->pw_name)) { client_user, pw->pw_name)) {
packet_send_debug("Accepted for %.100s [%.100s] by /etc/hosts.equiv.", auth_debug_add("Accepted for %.100s [%.100s] by /etc/hosts.equiv.",
hostname, ipaddr); hostname, ipaddr);
return 1; return 1;
} }
if (check_rhosts_file(_PATH_SSH_HOSTS_EQUIV, hostname, ipaddr, if (check_rhosts_file(_PATH_SSH_HOSTS_EQUIV, hostname, ipaddr,
client_user, pw->pw_name)) { client_user, pw->pw_name)) {
packet_send_debug("Accepted for %.100s [%.100s] by %.100s.", auth_debug_add("Accepted for %.100s [%.100s] by %.100s.",
hostname, ipaddr, _PATH_SSH_HOSTS_EQUIV); hostname, ipaddr, _PATH_SSH_HOSTS_EQUIV);
return 1; return 1;
} }
@ -221,19 +220,19 @@ auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname,
* not group or world writable. * not group or world writable.
*/ */
if (stat(pw->pw_dir, &st) < 0) { if (stat(pw->pw_dir, &st) < 0) {
log("Rhosts authentication refused for %.100s: no home directory %.200s", log("Rhosts authentication refused for %.100s: "
pw->pw_name, pw->pw_dir); "no home directory %.200s", pw->pw_name, pw->pw_dir);
packet_send_debug("Rhosts authentication refused for %.100s: no home directory %.200s", auth_debug_add("Rhosts authentication refused for %.100s: "
pw->pw_name, pw->pw_dir); "no home directory %.200s", pw->pw_name, pw->pw_dir);
return 0; return 0;
} }
if (options.strict_modes && if (options.strict_modes &&
((st.st_uid != 0 && st.st_uid != pw->pw_uid) || ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
(st.st_mode & 022) != 0)) { (st.st_mode & 022) != 0)) {
log("Rhosts authentication refused for %.100s: bad ownership or modes for home directory.", log("Rhosts authentication refused for %.100s: "
pw->pw_name); "bad ownership or modes for home directory.", pw->pw_name);
packet_send_debug("Rhosts authentication refused for %.100s: bad ownership or modes for home directory.", auth_debug_add("Rhosts authentication refused for %.100s: "
pw->pw_name); "bad ownership or modes for home directory.", pw->pw_name);
return 0; return 0;
} }
/* Temporarily use the user's uid. */ /* Temporarily use the user's uid. */
@ -259,21 +258,23 @@ auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname,
(st.st_mode & 022) != 0)) { (st.st_mode & 022) != 0)) {
log("Rhosts authentication refused for %.100s: bad modes for %.200s", log("Rhosts authentication refused for %.100s: bad modes for %.200s",
pw->pw_name, buf); pw->pw_name, buf);
packet_send_debug("Bad file modes for %.200s", buf); auth_debug_add("Bad file modes for %.200s", buf);
continue; continue;
} }
/* Check if we have been configured to ignore .rhosts and .shosts files. */ /* Check if we have been configured to ignore .rhosts and .shosts files. */
if (options.ignore_rhosts) { if (options.ignore_rhosts) {
packet_send_debug("Server has been configured to ignore %.100s.", auth_debug_add("Server has been configured to ignore %.100s.",
rhosts_files[rhosts_file_index]); rhosts_files[rhosts_file_index]);
continue; continue;
} }
/* Check if authentication is permitted by the file. */ /* Check if authentication is permitted by the file. */
if (check_rhosts_file(buf, hostname, ipaddr, client_user, pw->pw_name)) { if (check_rhosts_file(buf, hostname, ipaddr, client_user, pw->pw_name)) {
packet_send_debug("Accepted by %.100s.", auth_debug_add("Accepted by %.100s.",
rhosts_files[rhosts_file_index]); rhosts_files[rhosts_file_index]);
/* Restore the privileged uid. */ /* Restore the privileged uid. */
restore_uid(); restore_uid();
auth_debug_add("Accepted host %s ip %s client_user %s server_user %s",
hostname, ipaddr, client_user, pw->pw_name);
return 1; return 1;
} }
} }
@ -282,3 +283,16 @@ auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname,
restore_uid(); restore_uid();
return 0; return 0;
} }
int
auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname,
const char *ipaddr)
{
int ret;
auth_debug_reset();
ret = auth_rhosts2_raw(pw, client_user, hostname, ipaddr);
if (!use_privsep)
auth_debug_send();
return ret;
}
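Review bot: The new "Accepted host ... server_user" message added after restore_uid() in auth_rhosts2_raw formats hostname, ipaddr, client_user and pw->pw_name with bare `%s`, while every other message in this file caps those same fields with `%.100s` (compare the "Accepted for %.100s [%.100s]" lines earlier in the same function). hostname and client_user are influenced by the remote client and DNS, so the width cap is this file's convention for bounding attacker-controlled text in debug output; unless auth_debug_add is known to format into a fixed-size buffer (not visible here), the line should read `auth_debug_add("Accepted host %.100s ip %.100s client_user %.100s server_user %.100s", hostname, ipaddr, client_user, pw->pw_name);`. The new auth_rhosts2 wrapper also quietly relies on something else flushing the queued messages when use_privsep is set, which deserves a comment such as `/* with privsep the queued debug messages are expected to be sent by the monitor, not here */` above the `if (!use_privsep)` line. auth_rhosts2_raw begins in an earlier hunk, outside this one.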