Rhosts-RSA authentication broken

Markus Friedl Markus.Friedl at informatik.uni-erlangen.de
Tue Mar 20 20:14:58 EST 2001

On Tue, Mar 20, 2001 at 09:53:28AM +0100, Bladt Norbert wrote:
> The reason are the following wrong lines of source in auth-rh-rsa.c:
> 	/* Check if we would accept it using rhosts authentication. */
>  	if (!auth_rhosts(pw, client_user))
>  		return 0;

what is wrong here?

> I applied the attached patch and now it works, again.
> Please advice if this is not the right fix or whether this
> change was intended.

!       if (auth_rhosts(pw, client_user))
!               return 1;

this is very very very wrong!

it makes auth-rhost-rsa behave like auth-rhosts. in fact, this turns off
checking of the rsa host keys. make makes auth-rhosts-rsa as unsafe as


More information about the openssh-unix-dev mailing list