[Bug 3148] Unable to perform host-based authentication as root if "IgnoreRhosts" is set to "yes" on server configuration
bugzilla-daemon at mindrot.org
Tue Apr 14 17:31:57 AEST 2020
https://bugzilla.mindrot.org/show_bug.cgi?id=3148
--- Comment #2 from Anderson Medeiros Gomes <amg1127 at gmail.com> ---
According to my source code analysis, two code blocks written in file
"/src/usr.bin/ssh/auth-rhosts.c" (
https://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/src/usr.bin/ssh/auth-rhosts.c?rev=1.51
) are explicitly preventing the root user from authenticating via the
host-based method.
This code block, which starts at line 226 and is declared inside
function "auth_rhosts2", prevents parsing of "/etc/ssh/shosts.equiv" if
"root" is the user being authenticated:
--------------------------------
    /*
     * If not logging in as superuser, try /etc/hosts.equiv and
     * shosts.equiv.
     */
    if (pw->pw_uid == 0)
        debug3("%s: root user, ignoring system hosts files",
            __func__);
    else {
        if (check_rhosts_file(_PATH_RHOSTS_EQUIV, hostname, ipaddr,
            client_user, pw->pw_name)) {
            auth_debug_add("Accepted for %.100s [%.100s] by "
                "/etc/hosts.equiv.", hostname, ipaddr);
            return 1;
        }
        if (check_rhosts_file(_PATH_SSH_HOSTS_EQUIV, hostname, ipaddr,
            client_user, pw->pw_name)) {
            auth_debug_add("Accepted for %.100s [%.100s] by "
                "%.100s.", hostname, ipaddr,
                _PATH_SSH_HOSTS_EQUIV);
            return 1;
        }
    }
--------------------------------
And this code block, starting at line 293, prevents parsing of the
"/root/.shosts" file if "IgnoreRhosts yes" is set in
"/etc/ssh/sshd_config". As a result, host-based authentication as root
will fail even if a systems administrator creates "/root/.shosts" as a
symbolic link targeting "/etc/ssh/shosts.equiv" as a workaround.
--------------------------------
        /*
         * Check if we have been configured to ignore .rhosts
         * and .shosts files.
         */
        if (options.ignore_rhosts) {
            auth_debug_add("Server has been configured to "
                "ignore %.100s.",
                rhosts_files[rhosts_file_index]);
            continue;
        }
--------------------------------
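The following is an added example (not OpenSSH code and not part of the bug report) that models the decision flow of auth_rhosts2 as the two excerpts above describe it, so the interaction between the two checks can be exercised against an in-memory set of files. The file parser is a simplification: it treats each line as "hostname [username]" with "#" comments and does not model netgroups, "+"/"-" entries or the strict-modes permission checks that the real check_rhosts_file performs. The sample file contents, the Options and Passwd structures and the helper run_scenarios are all constructed for this illustration.

```python
"""Model of the auth_rhosts2() decision flow quoted in the bug comment.

Assumptions (this is not OpenSSH code):
  - check_rhosts_file() is simplified to "hostname [username]" lines;
    a missing username means the client user must equal the server user.
  - per-user files are tried in the order .shosts, .rhosts, as the real
    rhosts_files[] array does, and strict-modes checks are omitted.
"""
from dataclasses import dataclass


@dataclass
class Options:
    ignore_rhosts: bool = False  # sshd_config "IgnoreRhosts yes/no"


@dataclass
class Passwd:
    pw_name: str
    pw_uid: int
    pw_dir: str


def check_rhosts_file(lines, hostname, ipaddr, client_user, server_user):
    """Return True if any line grants client_user@hostname access as server_user."""
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        host = parts[0]
        # no user field: the remote username must match the local account
        user = parts[1] if len(parts) > 1 else server_user
        if host in (hostname, ipaddr) and user == client_user:
            return True
    return False


def auth_rhosts2(pw, client_user, hostname, ipaddr, options, files):
    """files maps a path to its lines (constructed in-memory filesystem).

    Returns (accepted, reason), mirroring the two excerpts:
      1. system-wide files are skipped entirely when pw_uid == 0;
      2. per-user files are skipped entirely when IgnoreRhosts is set.
    """
    if pw.pw_uid == 0:
        reason = "root user, ignoring system hosts files"
    else:
        for path in ("/etc/hosts.equiv", "/etc/ssh/shosts.equiv"):
            if check_rhosts_file(files.get(path, []), hostname, ipaddr,
                                 client_user, pw.pw_name):
                return True, f"accepted by {path}"
        reason = "no system-wide match"

    for name in (".shosts", ".rhosts"):
        if options.ignore_rhosts:
            # second excerpt: 'continue' inside the rhosts_files loop
            reason = f"server configured to ignore {name}"
            continue
        path = f"{pw.pw_dir}/{name}"
        if check_rhosts_file(files.get(path, []), hostname, ipaddr,
                             client_user, pw.pw_name):
            return True, f"accepted by {path}"
    return False, reason


# Constructed sample files: every file grants client.example.org for the
# matching account, so any rejection below comes from the code paths above.
SAMPLE_FILES = {
    "/etc/ssh/shosts.equiv": ["# trusted hosts", "client.example.org"],
    "/root/.shosts": ["client.example.org root"],
    "/home/alice/.shosts": ["client.example.org"],
}
HOST, IP = "client.example.org", "192.0.2.10"


def run_scenarios(files=SAMPLE_FILES):
    """Evaluate the four (user, IgnoreRhosts) combinations; returns a dict."""
    root = Passwd("root", 0, "/root")
    alice = Passwd("alice", 1000, "/home/alice")
    results = {}
    for pw in (root, alice):
        for ignore in (False, True):
            ok, why = auth_rhosts2(pw, pw.pw_name, HOST, IP,
                                   Options(ignore_rhosts=ignore), files)
            results[(pw.pw_name, ignore)] = (ok, why)
    return results


if __name__ == "__main__":
    for (user, ignore), (ok, why) in run_scenarios().items():
        print(f"user={user:<5} IgnoreRhosts={str(ignore):<5} -> {ok} ({why})")
```

Running it shows the combination the report is about: root with IgnoreRhosts off is accepted via /root/.shosts, a non-root user with IgnoreRhosts on is still accepted via /etc/ssh/shosts.equiv, but root with IgnoreRhosts on has no remaining path and is rejected regardless of what any of the files contain.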