1/* 2 * 3 * auth-rh-rsa.c 4 * 5 * Author: Tatu Ylonen <ylo@cs.hut.fi> 6 * 7 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 8 * All rights reserved 9 * 10 * Created: Sun May 7 03:08:06 1995 ylo 11 * 12 * Rhosts or /etc/hosts.equiv authentication combined with RSA host 13 * authentication. 14 * 15 */ 16 17#include "includes.h" |
18RCSID("$Id: auth-rh-rsa.c,v 1.11 2000/03/23 22:15:33 markus Exp $"); |
19 20#include "packet.h" 21#include "ssh.h" 22#include "xmalloc.h" 23#include "uidswap.h" 24#include "servconf.h" 25 |
26#include <ssl/rsa.h> 27#include <ssl/dsa.h> 28#include "key.h" 29#include "hostfile.h" 30 |
31/* 32 * Tries to authenticate the user using the .rhosts file and the host using 33 * its host key. Returns true if authentication succeeds. 34 */ 35 36int |
37auth_rhosts_rsa(struct passwd *pw, const char *client_user, RSA *client_host_key) |
38{ 39 extern ServerOptions options; 40 const char *canonical_hostname; 41 HostStatus host_status; |
42 Key *client_key, *found; |
43 44 debug("Trying rhosts with RSA host authentication for %.100s", client_user); 45 |
46 if (client_host_key == NULL) 47 return 0; 48 |
49 /* Check if we would accept it using rhosts authentication. */ 50 if (!auth_rhosts(pw, client_user)) 51 return 0; 52 53 canonical_hostname = get_canonical_hostname(); 54 |
55 debug("Rhosts RSA authentication: canonical host %.900s", canonical_hostname); |
56 |
57 /* wrap the RSA key into a 'generic' key */ 58 client_key = key_new(KEY_RSA); 59 BN_copy(client_key->rsa->e, client_host_key->e); 60 BN_copy(client_key->rsa->n, client_host_key->n); 61 found = key_new(KEY_RSA); 62 |
63 /* Check if we know the host and its host key. */ |
64 host_status = check_host_in_hostfile(SSH_SYSTEM_HOSTFILE, canonical_hostname, |
65 client_key, found); |
66 67 /* Check user host file unless ignored. */ 68 if (host_status != HOST_OK && !options.ignore_user_known_hosts) { 69 struct stat st; 70 char *user_hostfile = tilde_expand_filename(SSH_USER_HOSTFILE, pw->pw_uid); 71 /* 72 * Check file permissions of SSH_USER_HOSTFILE, auth_rsa() 73 * did already check pw->pw_dir, but there is a race XXX 74 */ 75 if (options.strict_modes && 76 (stat(user_hostfile, &st) == 0) && 77 ((st.st_uid != 0 && st.st_uid != pw->pw_uid) || 78 (st.st_mode & 022) != 0)) { 79 log("Rhosts RSA authentication refused for %.100s: bad owner or modes for %.200s", 80 pw->pw_name, user_hostfile); 81 } else { 82 /* XXX race between stat and the following open() */ 83 temporarily_use_uid(pw->pw_uid); 84 host_status = check_host_in_hostfile(user_hostfile, canonical_hostname, |
85 client_key, found); |
86 restore_uid(); 87 } 88 xfree(user_hostfile); 89 } |
90 key_free(client_key); 91 key_free(found); |
92 93 if (host_status != HOST_OK) { 94 debug("Rhosts with RSA host authentication denied: unknown or invalid host key"); 95 packet_send_debug("Your host key cannot be verified: unknown or invalid host key."); 96 return 0; 97 } 98 /* A matching host key was found and is known. */ 99 100 /* Perform the challenge-response dialog with the client for the host key. */ |
101 if (!auth_rsa_challenge_dialog(client_host_key)) { |
102 log("Client on %.800s failed to respond correctly to host authentication.", 103 canonical_hostname); 104 return 0; 105 } 106 /* 107 * We have authenticated the user using .rhosts or /etc/hosts.equiv, 108 * and the host using RSA. We accept the authentication. 109 */ 110 111 verbose("Rhosts with RSA host authentication accepted for %.100s, %.100s on %.700s.", |
112 pw->pw_name, client_user, canonical_hostname); |
113 packet_send_debug("Rhosts with RSA host authentication accepted."); 114 return 1; 115} |