[Bug 3148] New: Unable to perform host-based authentication as root if "IgnoreRhosts" is set to "yes" on server configuration

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Tue Apr 14 17:25:36 AEST 2020 

https://bugzilla.mindrot.org/show_bug.cgi?id=3148

            Bug ID: 3148
           Summary: Unable to perform host-based authentication as root if
                    "IgnoreRhosts" is set to "yes" on server configuration
           Product: Portable OpenSSH
           Version: 8.2p1
          Hardware: amd64
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: amg1127 at gmail.com

Created attachment 3376
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3376&action=edit
/etc/ssh/sshd_config

Dear OpenSSH maintainers,

While I was answering a question in Unix & Linux Stack Exchange (
https://unix.stackexchange.com/a/579762/158359 ), I identified that
OpenSSH is not able to perform host-based authentication as superuser
if "IgnoreRhosts yes" is set in "/etc/ssh/sshd_config" file.

Although host-based authentication as superuser might sound unsafe, it
may be useful in scenarios like the one described in my answer, where
"AuthenticationMethods" parameter is set to "hostbased,publickey"
because an administrator wants OpenSSH server to authenticate client
hosts before allowing users connecting from those machines to
authenticate themselves.

The problem can be reproduced with a couple of Arch Linux containers in
Docker and terminal windows running concurrently. To do so, ensure that
configuration files attached to this report have been saved into "/tmp"
directory.

-------------------------------------------
----------- Terminal window #1 ------------

[root at workstation ~]# docker run --rm --tty --interactive --name
ssh-client --hostname ssh-client --ip 172.17.0.4 --add-host
ssh-server:172.17.0.5 --volume /tmp/ssh_config:/etc/ssh/ssh_config
archlinux/base:latest

[root at ssh-client ~]# pacman -Sy --noconfirm openssh vim man less
iproute2 iputils bind-tools grep psmisc

[root at ssh-client ~]# ssh-keygen -A

[root at ssh-client ~]# useradd -U -m sshuser

[root at ssh-client ~]# /usr/sbin/sshd -De

-------------------------------------------
----------- Terminal window #2 ------------

[root at workstation ~]# docker run --rm --tty --interactive --name
ssh-server --hostname ssh-server --ip 172.17.0.5 --add-host
ssh-client:172.17.0.4 --volume /tmp/sshd_config:/etc/ssh/sshd_config
archlinux/base:latest

[root at ssh-server ~]# pacman -Sy --noconfirm openssh vim man less
iproute2 iputils bind-tools grep psmisc

[root at ssh-server ~]# ssh-keygen -A

[root at ssh-server ~]# useradd -U -m sshuser

[root at ssh-server ~]# echo -e 'sshuser:sshpassword\nroot:sshpassword' |
chpasswd

[root at ssh-server ~]# echo ssh-client > /etc/ssh/shosts.equiv

[root at ssh-server ~]# ssh-keyscan ssh-client > /etc/ssh/ssh_known_hosts

[root at ssh-server ~]# /usr/sbin/sshd -De

-------------------------------------------
----------- Terminal window #1 ------------

(press CTRL+C to quit the running SSH daemon)

[root at ssh-client ~]# ssh ssh-server
root at ssh-server: Permission denied (hostbased).

[root at ssh-client ~]# su - sshuser

[sshuser at ssh-client ~]$ ssh ssh-server
sshuser at ssh-server's password: sshpassword
Last login: Tue Apr 14 05:51:42 2020 from 172.29.0.5
[sshuser at ssh-server ~]$ exit

-------------------------------------------
-------------------------------------------

I could not find any documentation snippet declaring that host-based
authentication of the root user is blocked. The relevant snippets in
"man(1) ssh" and "man(5) sshd_config" are:


-----------------------------------
----------- man(1) ssh ------------

AUTHENTICATION

The OpenSSH SSH client supports SSH protocol 2.

The methods available for authentication are: GSSAPI-based
authentication, host-based authentication, public key authentication,
challenge-response authentication, and password authentication. 
Authentication methods are tried in the order specified above, though
PreferredAuthentications can be used to change the default order.

Host-based authentication works as follows: If the machine the user
logs in from is listed in /etc/hosts.equiv or /etc/ssh/shosts.equiv on
the remote machine, and the user names are the same on both sides, or
if the files ~/.rhosts or ~/.shosts exist in the user's home directory
on the remote machine and contain a line containing the name of the
client machine and the name of the user on that machine, the user is
considered for login.  Additionally, the server must be able to verify
the client's host key (see the description of /etc/ssh/ssh_known_hosts
and ~/.ssh/known_hosts, below) for login to be permitted.  This
authentication method closes security holes due to IP spoofing, DNS
spoofing, and routing spoofing.  [Note to the administrator:
/etc/hosts.equiv, ~/.rhosts, and the rlogin/rsh protocol in general,
are inherently insecure and should be disabled if security is desired.]

-------------------------------------------
----------- man(5) sshd_config ------------

IgnoreRhosts

Specifies that .rhosts and .shosts files will not be used in
HostbasedAuthentication.

/etc/hosts.equiv and /etc/ssh/shosts.equiv are still used.  The default
is yes.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

More information about the openssh-bugs mailing list