1/* 2 * 3 * auth-rh-rsa.c 4 * 5 * Author: Tatu Ylonen <ylo@cs.hut.fi> 6 * 7 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 8 * All rights reserved 9 * 10 * Created: Sun May 7 03:08:06 1995 ylo 11 * 12 * Rhosts or /etc/hosts.equiv authentication combined with RSA host 13 * authentication. 14 * 15 */ 16 17#include "includes.h"
| 1/* 2 * 3 * auth-rh-rsa.c 4 * 5 * Author: Tatu Ylonen <ylo@cs.hut.fi> 6 * 7 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 8 * All rights reserved 9 * 10 * Created: Sun May 7 03:08:06 1995 ylo 11 * 12 * Rhosts or /etc/hosts.equiv authentication combined with RSA host 13 * authentication. 14 * 15 */ 16 17#include "includes.h"
|
18RCSID("$Id: auth-rh-rsa.c,v 1.10 1999/11/24 19:53:43 markus Exp $");
| 18RCSID("$Id: auth-rh-rsa.c,v 1.11 2000/03/23 22:15:33 markus Exp $");
|
19 20#include "packet.h" 21#include "ssh.h" 22#include "xmalloc.h" 23#include "uidswap.h" 24#include "servconf.h" 25
| 19 20#include "packet.h" 21#include "ssh.h" 22#include "xmalloc.h" 23#include "uidswap.h" 24#include "servconf.h" 25
|
| 26#include <ssl/rsa.h> 27#include <ssl/dsa.h> 28#include "key.h" 29#include "hostfile.h" 30
|
26/* 27 * Tries to authenticate the user using the .rhosts file and the host using 28 * its host key. Returns true if authentication succeeds. 29 */ 30 31int
| 31/* 32 * Tries to authenticate the user using the .rhosts file and the host using 33 * its host key. Returns true if authentication succeeds. 34 */ 35 36int
|
32auth_rhosts_rsa(struct passwd *pw, const char *client_user, 33 BIGNUM *client_host_key_e, BIGNUM *client_host_key_n)
| 37auth_rhosts_rsa(struct passwd *pw, const char *client_user, RSA *client_host_key)
|
34{ 35 extern ServerOptions options; 36 const char *canonical_hostname; 37 HostStatus host_status;
| 38{ 39 extern ServerOptions options; 40 const char *canonical_hostname; 41 HostStatus host_status;
|
38 BIGNUM *ke, *kn;
| 42 Key *client_key, *found;
|
39 40 debug("Trying rhosts with RSA host authentication for %.100s", client_user); 41
| 43 44 debug("Trying rhosts with RSA host authentication for %.100s", client_user); 45
|
| 46 if (client_host_key == NULL) 47 return 0; 48
|
42 /* Check if we would accept it using rhosts authentication. */ 43 if (!auth_rhosts(pw, client_user)) 44 return 0; 45 46 canonical_hostname = get_canonical_hostname(); 47
| 49 /* Check if we would accept it using rhosts authentication. */ 50 if (!auth_rhosts(pw, client_user)) 51 return 0; 52 53 canonical_hostname = get_canonical_hostname(); 54
|
48 debug("Rhosts RSA authentication: canonical host %.900s", 49 canonical_hostname);
| 55 debug("Rhosts RSA authentication: canonical host %.900s", canonical_hostname);
|
50
| 56
|
| 57 /* wrap the RSA key into a 'generic' key */ 58 client_key = key_new(KEY_RSA); 59 BN_copy(client_key->rsa->e, client_host_key->e); 60 BN_copy(client_key->rsa->n, client_host_key->n); 61 found = key_new(KEY_RSA); 62
|
51 /* Check if we know the host and its host key. */
| 63 /* Check if we know the host and its host key. */
|
52 ke = BN_new(); 53 kn = BN_new();
| |
54 host_status = check_host_in_hostfile(SSH_SYSTEM_HOSTFILE, canonical_hostname,
| 64 host_status = check_host_in_hostfile(SSH_SYSTEM_HOSTFILE, canonical_hostname,
|
55 client_host_key_e, client_host_key_n, 56 ke, kn);
| 65 client_key, found);
|
57 58 /* Check user host file unless ignored. */ 59 if (host_status != HOST_OK && !options.ignore_user_known_hosts) { 60 struct stat st; 61 char *user_hostfile = tilde_expand_filename(SSH_USER_HOSTFILE, pw->pw_uid); 62 /* 63 * Check file permissions of SSH_USER_HOSTFILE, auth_rsa() 64 * did already check pw->pw_dir, but there is a race XXX 65 */ 66 if (options.strict_modes && 67 (stat(user_hostfile, &st) == 0) && 68 ((st.st_uid != 0 && st.st_uid != pw->pw_uid) || 69 (st.st_mode & 022) != 0)) { 70 log("Rhosts RSA authentication refused for %.100s: bad owner or modes for %.200s", 71 pw->pw_name, user_hostfile); 72 } else { 73 /* XXX race between stat and the following open() */ 74 temporarily_use_uid(pw->pw_uid); 75 host_status = check_host_in_hostfile(user_hostfile, canonical_hostname,
| 66 67 /* Check user host file unless ignored. */ 68 if (host_status != HOST_OK && !options.ignore_user_known_hosts) { 69 struct stat st; 70 char *user_hostfile = tilde_expand_filename(SSH_USER_HOSTFILE, pw->pw_uid); 71 /* 72 * Check file permissions of SSH_USER_HOSTFILE, auth_rsa() 73 * did already check pw->pw_dir, but there is a race XXX 74 */ 75 if (options.strict_modes && 76 (stat(user_hostfile, &st) == 0) && 77 ((st.st_uid != 0 && st.st_uid != pw->pw_uid) || 78 (st.st_mode & 022) != 0)) { 79 log("Rhosts RSA authentication refused for %.100s: bad owner or modes for %.200s", 80 pw->pw_name, user_hostfile); 81 } else { 82 /* XXX race between stat and the following open() */ 83 temporarily_use_uid(pw->pw_uid); 84 host_status = check_host_in_hostfile(user_hostfile, canonical_hostname,
|
76 client_host_key_e, client_host_key_n, 77 ke, kn);
| 85 client_key, found);
|
78 restore_uid(); 79 } 80 xfree(user_hostfile); 81 }
| 86 restore_uid(); 87 } 88 xfree(user_hostfile); 89 }
|
82 BN_free(ke); 83 BN_free(kn);
| 90 key_free(client_key); 91 key_free(found);
|
84 85 if (host_status != HOST_OK) { 86 debug("Rhosts with RSA host authentication denied: unknown or invalid host key"); 87 packet_send_debug("Your host key cannot be verified: unknown or invalid host key."); 88 return 0; 89 } 90 /* A matching host key was found and is known. */ 91 92 /* Perform the challenge-response dialog with the client for the host key. */
| 92 93 if (host_status != HOST_OK) { 94 debug("Rhosts with RSA host authentication denied: unknown or invalid host key"); 95 packet_send_debug("Your host key cannot be verified: unknown or invalid host key."); 96 return 0; 97 } 98 /* A matching host key was found and is known. */ 99 100 /* Perform the challenge-response dialog with the client for the host key. */
|
93 if (!auth_rsa_challenge_dialog(client_host_key_e, client_host_key_n)) {
| 101 if (!auth_rsa_challenge_dialog(client_host_key)) {
|
94 log("Client on %.800s failed to respond correctly to host authentication.", 95 canonical_hostname); 96 return 0; 97 } 98 /* 99 * We have authenticated the user using .rhosts or /etc/hosts.equiv, 100 * and the host using RSA. We accept the authentication. 101 */ 102 103 verbose("Rhosts with RSA host authentication accepted for %.100s, %.100s on %.700s.",
| 102 log("Client on %.800s failed to respond correctly to host authentication.", 103 canonical_hostname); 104 return 0; 105 } 106 /* 107 * We have authenticated the user using .rhosts or /etc/hosts.equiv, 108 * and the host using RSA. We accept the authentication. 109 */ 110 111 verbose("Rhosts with RSA host authentication accepted for %.100s, %.100s on %.700s.",
|
104 pw->pw_name, client_user, canonical_hostname);
| 112 pw->pw_name, client_user, canonical_hostname);
|
105 packet_send_debug("Rhosts with RSA host authentication accepted."); 106 return 1; 107}
| 113 packet_send_debug("Rhosts with RSA host authentication accepted."); 114 return 1; 115}
|
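Review bot: The two BN_copy() calls at new lines 59–60 are unchecked, and the key they populate (client_key) is the one looked up in the system and user host files, while the challenge dialog at line 101 is run against the original client_host_key; if either copy fails, the key verified against known_hosts is no longer the key the client must prove possession of. Since the rest of this file already treats allocation failure as fatal, the same convention fits here: `if (BN_copy(client_key->rsa->e, client_host_key->e) == NULL ||` / `    BN_copy(client_key->rsa->n, client_host_key->n) == NULL)` / `	fatal("auth_rhosts_rsa: BN_copy failed");`. Whether key_new() itself can return NULL or aborts internally is not visible on this page; if it can return NULL, the same guard is needed before dereferencing client_key->rsa. The new NULL check on client_host_key at line 46 and the key_free() calls at lines 90–91 preceding the early return look correct as written.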