auth-rh-rsa.c revision 58583
1/* 2 * 3 * auth-rh-rsa.c 4 * 5 * Author: Tatu Ylonen <ylo@cs.hut.fi> 6 * 7 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 8 * All rights reserved 9 * 10 * Created: Sun May 7 03:08:06 1995 ylo 11 * 12 * Rhosts or /etc/hosts.equiv authentication combined with RSA host 13 * authentication. 14 * 15 */ 16 17#include "includes.h" 18RCSID("$Id: auth-rh-rsa.c,v 1.11 2000/03/23 22:15:33 markus Exp $"); 19 20#include "packet.h" 21#include "ssh.h" 22#include "xmalloc.h" 23#include "uidswap.h" 24#include "servconf.h" 25 26#include <ssl/rsa.h> 27#include <ssl/dsa.h> 28#include "key.h" 29#include "hostfile.h" 30 31/* 32 * Tries to authenticate the user using the .rhosts file and the host using 33 * its host key. Returns true if authentication succeeds. 34 */ 35 36int 37auth_rhosts_rsa(struct passwd *pw, const char *client_user, RSA *client_host_key) 38{ 39 extern ServerOptions options; 40 const char *canonical_hostname; 41 HostStatus host_status; 42 Key *client_key, *found; 43 44 debug("Trying rhosts with RSA host authentication for %.100s", client_user); 45 46 if (client_host_key == NULL) 47 return 0; 48 49 /* Check if we would accept it using rhosts authentication. */ 50 if (!auth_rhosts(pw, client_user)) 51 return 0; 52 53 canonical_hostname = get_canonical_hostname(); 54 55 debug("Rhosts RSA authentication: canonical host %.900s", canonical_hostname); 56 57 /* wrap the RSA key into a 'generic' key */ 58 client_key = key_new(KEY_RSA); 59 BN_copy(client_key->rsa->e, client_host_key->e); 60 BN_copy(client_key->rsa->n, client_host_key->n); 61 found = key_new(KEY_RSA); 62 63 /* Check if we know the host and its host key. */ 64 host_status = check_host_in_hostfile(SSH_SYSTEM_HOSTFILE, canonical_hostname, 65 client_key, found); 66 67 /* Check user host file unless ignored. */ 68 if (host_status != HOST_OK && !options.ignore_user_known_hosts) { 69 struct stat st; 70 char *user_hostfile = tilde_expand_filename(SSH_USER_HOSTFILE, pw->pw_uid); 71 /* 72 * Check file permissions of SSH_USER_HOSTFILE, auth_rsa() 73 * did already check pw->pw_dir, but there is a race XXX 74 */ 75 if (options.strict_modes && 76 (stat(user_hostfile, &st) == 0) && 77 ((st.st_uid != 0 && st.st_uid != pw->pw_uid) || 78 (st.st_mode & 022) != 0)) { 79 log("Rhosts RSA authentication refused for %.100s: bad owner or modes for %.200s", 80 pw->pw_name, user_hostfile); 81 } else { 82 /* XXX race between stat and the following open() */ 83 temporarily_use_uid(pw->pw_uid); 84 host_status = check_host_in_hostfile(user_hostfile, canonical_hostname, 85 client_key, found); 86 restore_uid(); 87 } 88 xfree(user_hostfile); 89 } 90 key_free(client_key); 91 key_free(found); 92 93 if (host_status != HOST_OK) { 94 debug("Rhosts with RSA host authentication denied: unknown or invalid host key"); 95 packet_send_debug("Your host key cannot be verified: unknown or invalid host key."); 96 return 0; 97 } 98 /* A matching host key was found and is known. */ 99 100 /* Perform the challenge-response dialog with the client for the host key. */ 101 if (!auth_rsa_challenge_dialog(client_host_key)) { 102 log("Client on %.800s failed to respond correctly to host authentication.", 103 canonical_hostname); 104 return 0; 105 } 106 /* 107 * We have authenticated the user using .rhosts or /etc/hosts.equiv, 108 * and the host using RSA. We accept the authentication. 109 */ 110 111 verbose("Rhosts with RSA host authentication accepted for %.100s, %.100s on %.700s.", 112 pw->pw_name, client_user, canonical_hostname); 113 packet_send_debug("Rhosts with RSA host authentication accepted."); 114 return 1; 115} 116