Rhosts-RSA authentication broken

Markus Friedl Markus.Friedl at informatik.uni-erlangen.de
Tue Mar 20 20:14:58 EST 2001


On Tue, Mar 20, 2001 at 09:53:28AM +0100, Bladt Norbert wrote:
> The reason are the following wrong lines of source in auth-rh-rsa.c:
> 
> 	/* Check if we would accept it using rhosts authentication. */
>  	if (!auth_rhosts(pw, client_user))
>  		return 0;

what is wrong here?

> I applied the attached patch and now it works, again.
> Please advise if this is not the right fix or whether this
> change was intended.

!       if (auth_rhosts(pw, client_user))
!               return 1;
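Review bot: the changed lines invert the role of the rhosts check. The original `if (!auth_rhosts(pw, client_user)) return 0;` only rejects when the rhosts lookup fails and otherwise falls through to the RSA host-key verification; the replacement `if (auth_rhosts(pw, client_user)) return 1;` accepts as soon as the rhosts lookup succeeds, so the host-key verification that follows is never reached. Keep the original early `return 0` so that both the rhosts match and the host-key check must pass.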

this is very very very wrong!

it makes auth-rhosts-rsa behave like auth-rhosts. in fact, this turns off
checking of the rsa host keys. this makes auth-rhosts-rsa as unsafe as
auth-rhosts.

-m