auth-rh-rsa.c revision 57429
1/* 2 * 3 * auth-rh-rsa.c 4 * 5 * Author: Tatu Ylonen <ylo@cs.hut.fi> 6 * 7 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 8 * All rights reserved 9 * 10 * Created: Sun May 7 03:08:06 1995 ylo 11 * 12 * Rhosts or /etc/hosts.equiv authentication combined with RSA host 13 * authentication. 14 * 15 */ 16 17#include "includes.h" 18RCSID("$Id: auth-rh-rsa.c,v 1.10 1999/11/24 19:53:43 markus Exp $"); 19 20#include "packet.h" 21#include "ssh.h" 22#include "xmalloc.h" 23#include "uidswap.h" 24#include "servconf.h" 25 26/* 27 * Tries to authenticate the user using the .rhosts file and the host using 28 * its host key. Returns true if authentication succeeds. 29 */ 30 31int 32auth_rhosts_rsa(struct passwd *pw, const char *client_user, 33 BIGNUM *client_host_key_e, BIGNUM *client_host_key_n) 34{ 35 extern ServerOptions options; 36 const char *canonical_hostname; 37 HostStatus host_status; 38 BIGNUM *ke, *kn; 39 40 debug("Trying rhosts with RSA host authentication for %.100s", client_user); 41 42 /* Check if we would accept it using rhosts authentication. */ 43 if (!auth_rhosts(pw, client_user)) 44 return 0; 45 46 canonical_hostname = get_canonical_hostname(); 47 48 debug("Rhosts RSA authentication: canonical host %.900s", 49 canonical_hostname); 50 51 /* Check if we know the host and its host key. */ 52 ke = BN_new(); 53 kn = BN_new(); 54 host_status = check_host_in_hostfile(SSH_SYSTEM_HOSTFILE, canonical_hostname, 55 client_host_key_e, client_host_key_n, 56 ke, kn); 57 58 /* Check user host file unless ignored. */ 59 if (host_status != HOST_OK && !options.ignore_user_known_hosts) { 60 struct stat st; 61 char *user_hostfile = tilde_expand_filename(SSH_USER_HOSTFILE, pw->pw_uid); 62 /* 63 * Check file permissions of SSH_USER_HOSTFILE, auth_rsa() 64 * did already check pw->pw_dir, but there is a race XXX 65 */ 66 if (options.strict_modes && 67 (stat(user_hostfile, &st) == 0) && 68 ((st.st_uid != 0 && st.st_uid != pw->pw_uid) || 69 (st.st_mode & 022) != 0)) { 70 log("Rhosts RSA authentication refused for %.100s: bad owner or modes for %.200s", 71 pw->pw_name, user_hostfile); 72 } else { 73 /* XXX race between stat and the following open() */ 74 temporarily_use_uid(pw->pw_uid); 75 host_status = check_host_in_hostfile(user_hostfile, canonical_hostname, 76 client_host_key_e, client_host_key_n, 77 ke, kn); 78 restore_uid(); 79 } 80 xfree(user_hostfile); 81 } 82 BN_free(ke); 83 BN_free(kn); 84 85 if (host_status != HOST_OK) { 86 debug("Rhosts with RSA host authentication denied: unknown or invalid host key"); 87 packet_send_debug("Your host key cannot be verified: unknown or invalid host key."); 88 return 0; 89 } 90 /* A matching host key was found and is known. */ 91 92 /* Perform the challenge-response dialog with the client for the host key. */ 93 if (!auth_rsa_challenge_dialog(client_host_key_e, client_host_key_n)) { 94 log("Client on %.800s failed to respond correctly to host authentication.", 95 canonical_hostname); 96 return 0; 97 } 98 /* 99 * We have authenticated the user using .rhosts or /etc/hosts.equiv, 100 * and the host using RSA. We accept the authentication. 101 */ 102 103 verbose("Rhosts with RSA host authentication accepted for %.100s, %.100s on %.700s.", 104 pw->pw_name, client_user, canonical_hostname); 105 packet_send_debug("Rhosts with RSA host authentication accepted."); 106 return 1; 107} 108