auth-rh-rsa.c revision 124211
/*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 *                    All rights reserved
 * Rhosts or /etc/hosts.equiv authentication combined with RSA host
 * authentication.
 *
 * As far as I am concerned, the code I have written for this software
 * can be used freely for any purpose.  Any derived versions of this
 * software must be clearly marked as such, and if the derived work is
 * incompatible with the protocol description in the RFC file, it must be
 * called by a name other than "ssh" or "Secure Shell".
 */

#include "includes.h"
RCSID("$OpenBSD: auth-rh-rsa.c,v 1.36 2003/06/02 09:17:34 markus Exp $");

#include "packet.h"
#include "uidswap.h"
#include "log.h"
#include "servconf.h"
#include "key.h"
#include "hostfile.h"
#include "pathnames.h"
#include "auth.h"
#include "canohost.h"

#include "monitor_wrap.h"

/* import */
extern ServerOptions options;

/*
 * Decides whether client_host_key may be used to authenticate cuser from
 * chost logging in as pw.  Two conditions must hold, in this order: the
 * rhosts / hosts.equiv rules must admit the client user, and the presented
 * host key must be recorded for chost in the system host file (or the
 * user's own host file, unless options.ignore_user_known_hosts is set).
 * chost is whatever the caller resolved as the canonical client name; with
 * privilege separation this function is reached through PRIVSEP().
 * Returns 1 if the key is acceptable, 0 otherwise.
 */
int
auth_rhosts_rsa_key_allowed(struct passwd *pw, char *cuser, char *chost,
    Key *client_host_key)
{
	const char *user_hostfile;
	HostStatus status;

	/* The key is not even consulted unless rhosts authentication passes. */
	if (auth_rhosts(pw, cuser) == 0)
		return 0;

	user_hostfile = options.ignore_user_known_hosts ?
	    NULL : _PATH_SSH_USER_HOSTFILE;
	status = check_key_in_hostfiles(pw, client_host_key, chost,
	    _PATH_SSH_SYSTEM_HOSTFILE, user_hostfile);

	return status == HOST_OK ? 1 : 0;
}

/*
 * Rhosts authentication of the user combined with RSA authentication of
 * the client host.  The client's host key must be known for its canonical
 * hostname, and the client must then prove possession of the matching
 * private key in the challenge-response dialog.  Returns 1 on success and
 * 0 on any failure.
 */
int
auth_rhosts_rsa(struct passwd *pw, char *cuser, Key *client_host_key)
{
	char *chost;
	int key_allowed, dialog_ok;

	debug("Trying rhosts with RSA host authentication for client user %.100s",
	    cuser);

	if (pw == NULL)
		return 0;
	if (client_host_key == NULL || client_host_key->rsa == NULL)
		return 0;

	/* options.use_dns decides whether this name was obtained via DNS. */
	chost = (char *)get_canonical_hostname(options.use_dns);
	debug("Rhosts RSA authentication: canonical host %.900s", chost);

	key_allowed = PRIVSEP(auth_rhosts_rsa_key_allowed(pw, cuser, chost,
	    client_host_key));
	if (key_allowed == 0) {
		debug("Rhosts with RSA host authentication denied: unknown or invalid host key");
		packet_send_debug("Your host key cannot be verified: unknown or invalid host key.");
		return 0;
	}

	/*
	 * The key is known for chost; now the client must show it holds the
	 * private half, otherwise a copied public key would be enough.
	 */
	dialog_ok = auth_rsa_challenge_dialog(client_host_key);
	if (dialog_ok == 0) {
		logit("Client on %.800s failed to respond correctly to host authentication.",
		    chost);
		return 0;
	}

	/* User admitted by .rhosts or /etc/hosts.equiv, host proven by RSA. */
	verbose("Rhosts with RSA host authentication accepted for %.100s, %.100s on %.700s.",
	    pw->pw_name, cuser, chost);
	packet_send_debug("Rhosts with RSA host authentication accepted.");
	return 1;
}