auth-rh-rsa.c revision 60576
1/* 2 * 3 * auth-rh-rsa.c 4 * 5 * Author: Tatu Ylonen <ylo@cs.hut.fi> 6 * 7 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 8 * All rights reserved 9 * 10 * Created: Sun May 7 03:08:06 1995 ylo 11 * 12 * Rhosts or /etc/hosts.equiv authentication combined with RSA host 13 * authentication. 14 * 15 * $FreeBSD: head/crypto/openssh/auth-rh-rsa.c 60576 2000-05-15 05:24:25Z kris $ 16 */ 17 18#include "includes.h" 19RCSID("$Id: auth-rh-rsa.c,v 1.13 2000/04/14 10:30:29 markus Exp $"); 20 21#include "packet.h" 22#include "ssh.h" 23#include "xmalloc.h" 24#include "uidswap.h" 25#include "servconf.h" 26 27#include <openssl/rsa.h> 28#include <openssl/dsa.h> 29#include "key.h" 30#include "hostfile.h" 31 32/* 33 * Tries to authenticate the user using the .rhosts file and the host using 34 * its host key. Returns true if authentication succeeds. 35 */ 36 37int 38auth_rhosts_rsa(struct passwd *pw, const char *client_user, RSA *client_host_key) 39{ 40 extern ServerOptions options; 41 const char *canonical_hostname; 42 HostStatus host_status; 43 Key *client_key, *found; 44 45 debug("Trying rhosts with RSA host authentication for %.100s", client_user); 46 47 if (client_host_key == NULL) 48 return 0; 49 50 /* Check if we would accept it using rhosts authentication. */ 51 if (!auth_rhosts(pw, client_user)) 52 return 0; 53 54 canonical_hostname = get_canonical_hostname(); 55 56 debug("Rhosts RSA authentication: canonical host %.900s", canonical_hostname); 57 58 /* wrap the RSA key into a 'generic' key */ 59 client_key = key_new(KEY_RSA); 60 BN_copy(client_key->rsa->e, client_host_key->e); 61 BN_copy(client_key->rsa->n, client_host_key->n); 62 found = key_new(KEY_RSA); 63 64 /* Check if we know the host and its host key. */ 65 host_status = check_host_in_hostfile(SSH_SYSTEM_HOSTFILE, canonical_hostname, 66 client_key, found); 67 68 /* Check user host file unless ignored. */ 69 if (host_status != HOST_OK && !options.ignore_user_known_hosts) { 70 struct stat st; 71 char *user_hostfile = tilde_expand_filename(SSH_USER_HOSTFILE, pw->pw_uid); 72 /* 73 * Check file permissions of SSH_USER_HOSTFILE, auth_rsa() 74 * did already check pw->pw_dir, but there is a race XXX 75 */ 76 if (options.strict_modes && 77 (stat(user_hostfile, &st) == 0) && 78 ((st.st_uid != 0 && st.st_uid != pw->pw_uid) || 79 (st.st_mode & 022) != 0)) { 80 log("Rhosts RSA authentication refused for %.100s: bad owner or modes for %.200s", 81 pw->pw_name, user_hostfile); 82 } else { 83 /* XXX race between stat and the following open() */ 84 temporarily_use_uid(pw->pw_uid); 85 host_status = check_host_in_hostfile(user_hostfile, canonical_hostname, 86 client_key, found); 87 restore_uid(); 88 } 89 xfree(user_hostfile); 90 } 91 key_free(client_key); 92 key_free(found); 93 94 if (host_status != HOST_OK) { 95 debug("Rhosts with RSA host authentication denied: unknown or invalid host key"); 96 packet_send_debug("Your host key cannot be verified: unknown or invalid host key."); 97 return 0; 98 } 99 /* A matching host key was found and is known. */ 100 101 /* Perform the challenge-response dialog with the client for the host key. */ 102 if (!auth_rsa_challenge_dialog(client_host_key)) { 103 log("Client on %.800s failed to respond correctly to host authentication.", 104 canonical_hostname); 105 return 0; 106 } 107 /* 108 * We have authenticated the user using .rhosts or /etc/hosts.equiv, 109 * and the host using RSA. We accept the authentication. 110 */ 111 112 verbose("Rhosts with RSA host authentication accepted for %.100s, %.100s on %.700s.", 113 pw->pw_name, client_user, canonical_hostname); 114 packet_send_debug("Rhosts with RSA host authentication accepted."); 115 return 1; 116} 117