1/*
2 * Author: Tatu Ylonen <ylo@cs.hut.fi>
3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4 * All rights reserved
5 * Rhosts or /etc/hosts.equiv authentication combined with RSA host
6 * authentication.
7 *
8 * As far as I am concerned, the code I have written for this software
9 * can be used freely for any purpose. Any derived versions of this
10 * software must be clearly marked as such, and if the derived work is
11 * incompatible with the protocol description in the RFC file, it must be
12 * called by a name other than "ssh" or "Secure Shell".
13 */
14
15#include "includes.h"
| 1/*
2 * Author: Tatu Ylonen <ylo@cs.hut.fi>
3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4 * All rights reserved
5 * Rhosts or /etc/hosts.equiv authentication combined with RSA host
6 * authentication.
7 *
8 * As far as I am concerned, the code I have written for this software
9 * can be used freely for any purpose. Any derived versions of this
10 * software must be clearly marked as such, and if the derived work is
11 * incompatible with the protocol description in the RFC file, it must be
12 * called by a name other than "ssh" or "Secure Shell".
13 */
14
15#include "includes.h"
|
16RCSID("$OpenBSD: auth-rh-rsa.c,v 1.23 2001/04/06 21:00:04 markus Exp $");
17RCSID("$FreeBSD: head/crypto/openssh/auth-rh-rsa.c 76262 2001-05-04 04:14:23Z green $");
| 16RCSID("$OpenBSD: auth-rh-rsa.c,v 1.29 2002/03/04 12:43:06 markus Exp $");
17RCSID("$FreeBSD: head/crypto/openssh/auth-rh-rsa.c 92559 2002-03-18 10:09:43Z des $");
|
18
19#include "packet.h"
| 18
19#include "packet.h"
|
20#include "xmalloc.h"
| |
21#include "uidswap.h"
22#include "log.h"
23#include "servconf.h"
24#include "key.h"
25#include "hostfile.h"
26#include "pathnames.h"
27#include "auth.h"
| 20#include "uidswap.h"
21#include "log.h"
22#include "servconf.h"
23#include "key.h"
24#include "hostfile.h"
25#include "pathnames.h"
26#include "auth.h"
|
28#include "tildexpand.h"
| |
29#include "canohost.h"
30
31/*
32 * Tries to authenticate the user using the .rhosts file and the host using
33 * its host key. Returns true if authentication succeeds.
34 */
35
36int
| 27#include "canohost.h"
28
29/*
30 * Tries to authenticate the user using the .rhosts file and the host using
31 * its host key. Returns true if authentication succeeds.
32 */
33
34int
|
37auth_rhosts_rsa(struct passwd *pw, const char *client_user, RSA *client_host_key)
| 35auth_rhosts_rsa(struct passwd *pw, const char *client_user, Key *client_host_key)
|
38{
39 extern ServerOptions options;
40 const char *canonical_hostname;
41 HostStatus host_status;
| 36{
37 extern ServerOptions options;
38 const char *canonical_hostname;
39 HostStatus host_status;
|
42 Key *client_key, *found;
| |
43
44 debug("Trying rhosts with RSA host authentication for client user %.100s", client_user);
45
| 40
41 debug("Trying rhosts with RSA host authentication for client user %.100s", client_user);
42
|
46 if (pw == NULL || client_host_key == NULL)
| 43 if (pw == NULL || client_host_key == NULL || client_host_key->rsa == NULL)
|
47 return 0;
48
49 /* Check if we would accept it using rhosts authentication. */
50 if (!auth_rhosts(pw, client_user))
51 return 0;
52
53 canonical_hostname = get_canonical_hostname(
| 44 return 0;
45
46 /* Check if we would accept it using rhosts authentication. */
47 if (!auth_rhosts(pw, client_user))
48 return 0;
49
50 canonical_hostname = get_canonical_hostname(
|
54 options.reverse_mapping_check);
| 51 options.verify_reverse_mapping);
|
55
56 debug("Rhosts RSA authentication: canonical host %.900s", canonical_hostname);
57
| 52
53 debug("Rhosts RSA authentication: canonical host %.900s", canonical_hostname);
54
|
58 /* wrap the RSA key into a 'generic' key */
59 client_key = key_new(KEY_RSA1);
60 BN_copy(client_key->rsa->e, client_host_key->e);
61 BN_copy(client_key->rsa->n, client_host_key->n);
62 found = key_new(KEY_RSA1);
| 55 host_status = check_key_in_hostfiles(pw, client_host_key,
56 canonical_hostname, _PATH_SSH_SYSTEM_HOSTFILE,
57 options.ignore_user_known_hosts ? NULL : _PATH_SSH_USER_HOSTFILE);
|
63
| 58
|
64 /* Check if we know the host and its host key. */
65 host_status = check_host_in_hostfile(_PATH_SSH_SYSTEM_HOSTFILE, canonical_hostname,
66 client_key, found, NULL);
67
68 /* Check user host file unless ignored. */
69 if (host_status != HOST_OK && !options.ignore_user_known_hosts) {
70 struct stat st;
71 char *user_hostfile = tilde_expand_filename(_PATH_SSH_USER_HOSTFILE, pw->pw_uid);
72 /*
73 * Check file permissions of _PATH_SSH_USER_HOSTFILE, auth_rsa()
74 * did already check pw->pw_dir, but there is a race XXX
75 */
76 if (options.strict_modes &&
77 (stat(user_hostfile, &st) == 0) &&
78 ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
79 (st.st_mode & 022) != 0)) {
80 log("Rhosts RSA authentication refused for %.100s: bad owner or modes for %.200s",
81 pw->pw_name, user_hostfile);
82 } else {
83 /* XXX race between stat and the following open() */
84 temporarily_use_uid(pw);
85 host_status = check_host_in_hostfile(user_hostfile, canonical_hostname,
86 client_key, found, NULL);
87 restore_uid();
88 }
89 xfree(user_hostfile);
90 }
91 key_free(client_key);
92 key_free(found);
93
| |
94 if (host_status != HOST_OK) {
95 debug("Rhosts with RSA host authentication denied: unknown or invalid host key");
96 packet_send_debug("Your host key cannot be verified: unknown or invalid host key.");
97 return 0;
98 }
99 /* A matching host key was found and is known. */
100
101 /* Perform the challenge-response dialog with the client for the host key. */
| 59 if (host_status != HOST_OK) {
60 debug("Rhosts with RSA host authentication denied: unknown or invalid host key");
61 packet_send_debug("Your host key cannot be verified: unknown or invalid host key.");
62 return 0;
63 }
64 /* A matching host key was found and is known. */
65
66 /* Perform the challenge-response dialog with the client for the host key. */
|
102 if (!auth_rsa_challenge_dialog(client_host_key)) {
| 67 if (!auth_rsa_challenge_dialog(client_host_key->rsa)) {
|
103 log("Client on %.800s failed to respond correctly to host authentication.",
104 canonical_hostname);
105 return 0;
106 }
107 /*
108 * We have authenticated the user using .rhosts or /etc/hosts.equiv,
109 * and the host using RSA. We accept the authentication.
110 */
111
112 verbose("Rhosts with RSA host authentication accepted for %.100s, %.100s on %.700s.",
113 pw->pw_name, client_user, canonical_hostname);
114 packet_send_debug("Rhosts with RSA host authentication accepted.");
115 return 1;
116}
| 68 log("Client on %.800s failed to respond correctly to host authentication.",
69 canonical_hostname);
70 return 0;
71 }
72 /*
73 * We have authenticated the user using .rhosts or /etc/hosts.equiv,
74 * and the host using RSA. We accept the authentication.
75 */
76
77 verbose("Rhosts with RSA host authentication accepted for %.100s, %.100s on %.700s.",
78 pw->pw_name, client_user, canonical_hostname);
79 packet_send_debug("Rhosts with RSA host authentication accepted.");
80 return 1;
81}
|