/* $NetBSD: auth-rh-rsa.c,v 1.4 2011/07/25 03:03:10 christos Exp $ */
/* $OpenBSD: auth-rh-rsa.c,v 1.43 2010/03/04 10:36:03 djm Exp $ */
/*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 * All rights reserved
 * Rhosts or /etc/hosts.equiv authentication combined with RSA host
 * authentication.
 *
 * As far as I am concerned, the code I have written for this software
 * can be used freely for any purpose. Any derived versions of this
 * software must be clearly marked as such, and if the derived work is
 * incompatible with the protocol description in the RFC file, it must be
 * called by a name other than "ssh" or "Secure Shell".
 */

#include "includes.h"
__RCSID("$NetBSD: auth-rh-rsa.c,v 1.4 2011/07/25 03:03:10 christos Exp $");
#include <sys/types.h>

#include <pwd.h>
#include <stdarg.h>

#include "packet.h"
#include "uidswap.h"
#include "log.h"
#include "buffer.h"
#include "servconf.h"
#include "key.h"
#include "hostfile.h"
#include "pathnames.h"
#include "auth.h"
#include "canohost.h"
#ifdef GSSAPI
#include "ssh-gss.h"
#endif
#include "monitor_wrap.h"

/* import: server configuration, defined by the sshd main program */
extern ServerOptions options;

/*
 * Policy half of rhosts-RSA authentication: decide whether the host key
 * presented by the client for host `chost` may be used to authenticate
 * `cuser` as the local account `pw`.
 *
 * Three checks are applied in order, each of which alone denies:
 *   1. the key must not be on the server's revocation list;
 *   2. the (client host, client user) pair must be admitted by the
 *      .rhosts / /etc/hosts.equiv rules (auth_rhosts);
 *   3. the key must be the known host key for `chost`, looked up in the
 *      system known_hosts file and, unless the server is configured to
 *      ignore it, the user's own known_hosts file.
 *
 * Returns 1 when all three pass, 0 otherwise. No challenge is performed
 * here; proof of possession of the key is the caller's job.
 */
int
auth_rhosts_rsa_key_allowed(struct passwd *pw, char *cuser, char *chost,
    Key *client_host_key)
{
	const char *user_hostfile;
	HostStatus status;

	/* A revoked host key is never acceptable, whatever rhosts says. */
	if (auth_key_is_revoked(client_host_key))
		return 0;

	/* Would plain rhosts authentication have admitted this pair? */
	if (!auth_rhosts(pw, cuser))
		return 0;

	/*
	 * The per-user known_hosts is only trusted when the administrator
	 * has not told sshd to ignore it; the system file is always used.
	 */
	user_hostfile = options.ignore_user_known_hosts ?
	    NULL : _PATH_SSH_USER_HOSTFILE;
	status = check_key_in_hostfiles(pw, client_host_key, chost,
	    _PATH_SSH_SYSTEM_HOSTFILE, user_hostfile);

	/* Any status other than HOST_OK (unknown, changed, ...) is a denial. */
	return status == HOST_OK;
}

/*
 * Tries to authenticate the user using the .rhosts file and the host using
 * its host key. Returns true if authentication succeeds.
*/
/*
 * Entry point for the rhosts-RSA method. Requires a valid, resolved local
 * account in `authctxt` and an RSA host key from the client; anything
 * else is refused before any lookup happens. The policy decision
 * (revocation, rhosts rules, known_hosts) is delegated to
 * auth_rhosts_rsa_key_allowed() through PRIVSEP(), so it may run in the
 * privileged monitor (see monitor_wrap.h). Only after the key is accepted
 * does the client have to answer a challenge under that key; a wrong
 * answer is logged with the client's canonical host name.
 *
 * Returns 1 on success, 0 on any failure. The canonical host name used
 * throughout is obtained according to the server's use_dns setting.
 */
int
auth_rhosts_rsa(Authctxt *authctxt, char *cuser, Key *client_host_key)
{
	struct passwd *pw = authctxt->pw;
	char *chost;
	int allowed;

	debug("Trying rhosts with RSA host authentication for client user %.100s",
	    cuser);

	/* The account must exist and the client must have offered an RSA key. */
	if (!authctxt->valid)
		return 0;
	if (client_host_key == NULL || client_host_key->rsa == NULL)
		return 0;

	chost = __UNCONST(get_canonical_hostname(options.use_dns));
	debug("Rhosts RSA authentication: canonical host %.900s", chost);

	/* Policy check; the reason for a denial is only hinted to the client. */
	allowed = PRIVSEP(auth_rhosts_rsa_key_allowed(pw, cuser, chost,
	    client_host_key));
	if (!allowed) {
		debug("Rhosts with RSA host authentication denied: unknown or invalid host key");
		packet_send_debug("Your host key cannot be verified: unknown or invalid host key.");
		return 0;
	}

	/*
	 * The key is known for this host; now the client must prove it holds
	 * the matching private key by completing the challenge dialog.
	 */
	if (!auth_rsa_challenge_dialog(client_host_key)) {
		logit("Client on %.800s failed to respond correctly to host authentication.",
		    chost);
		return 0;
	}

	/* User admitted by rhosts/hosts.equiv, host proven by RSA: accept. */
	verbose("Rhosts with RSA host authentication accepted for %.100s, %.100s on %.700s.",
	    pw->pw_name, cuser, chost);
	packet_send_debug("Rhosts with RSA host authentication accepted.");
	return 1;
}