Rhosts-RSA authentication broken

Bladt Norbert Norbert.Bladt at adi.ch
Tue Mar 20 21:27:05 EST 2001


> Markus Friedl [SMTP:Markus.Friedl at informatik.uni-erlangen.de] wrote:
> 
> On Tue, Mar 20, 2001 at 09:53:28AM +0100, Bladt Norbert wrote:
>> The reason is the following wrong lines of source in auth-rh-rsa.c:
>> 
>> 	/* Check if we would accept it using rhosts authentication. */
>> 	if (!auth_rhosts(pw, client_user))
>> 		return 0;

> what is wrong here?
That is easy to tell:
	auth_rhosts returns 0 if I have "IgnoreRhosts yes" in the
	sshd_config file.
The relevant part of the source in auth-rhosts.c looks like this
(around line 249 in 2.3.0p1):

	if (options.ignore_rhosts) {
		packet_send_debug("Server has been configured to ignore %.100s.",
		    rhosts_file);
		continue;
	}

... and later:

	return 0;

And the rest of the source is NEVER executed.
So, I have to enable the usage of ~/.rhosts to use rhosts-RSA
authentication.
But I do not want to do this. I want to use shosts.equiv ONLY!
The default of "IgnoreRhosts" is "yes", anyway.

Please try to use rhosts RSA authentication based on shosts.equiv
and the host keys.
It does not work!

>> I applied the attached patch and now it works, again.
>> Please advise if this is not the right fix or whether this
>> change was intended.

>!       if (auth_rhosts(pw, client_user))
>!               return 1;
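Review bot: returning 1 as soon as auth_rhosts() succeeds short-circuits the RSA host-key check that follows in auth-rh-rsa.c, so with "IgnoreRhosts no" a matching ~/.rhosts entry alone authenticates the client host without any proof of its host key, which is the weakening Markus describes below. Rather than inverting this return, keep `if (!auth_rhosts(pw, client_user)) return 0;` and change auth_rhosts() so that IgnoreRhosts skips only the per-user ~/.rhosts files while still consulting /etc/shosts.equiv; that is what the stated goal (shosts.equiv plus host keys, with IgnoreRhosts yes) actually needs.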

>this is very very very wrong!

> it makes auth-rhost-rsa behave like auth-rhosts. in fact, this turns off
> checking of the rsa host keys. this makes auth-rhosts-rsa as unsafe as
> auth-rhosts.
No. If the authentication with ~/.rhosts is not allowed
("IgnoreRhosts yes") it will check the rsa host keys.
If "IgnoreRhosts no" is configured, it will use the normal
~/.rhosts authentication and if that passes all the tests,
then this is fine.

This is true at least for 2.3.0p1 as far as I can see.

Trust me, I tried it.
The only way to access the target system via ssh is to enable
the .rhosts file for every user and put everything in it.
I do not want that, though.

I am sorry but this is what I experienced in 2.3.0p1.

Thanks,

Norbert Bladt.

-- 
Norbert Bladt
ATAG debis Informatik, ISM-TZ1 / Z302
Industriestrasse 1, CH 3052-Zollikofen
E-Mail: norbert.bladt at adi.ch Tel.: +41 31 915 3964 Fax: +41 31 915 3640
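As an added illustration (not code from this thread or from OpenSSH), the C model below compares the decision made by the original auth-rh-rsa.c check with the patched one across every combination of IgnoreRhosts, rhosts/shosts.equiv entries and host-key verification; the helper names and boolean inputs are constructed for the model.

```c
/* Toy model (constructed, not OpenSSH code) of the two auth_rhosts_rsa()
 * variants argued over above. Assumes, as the thread implies, that nothing
 * after the quoted lines re-checks ~/.rhosts or /etc/shosts.equiv. */
#include <stdio.h>

/* auth_rhosts() in 2.3.0p1 as Norbert describes it: with "IgnoreRhosts yes"
 * it returns 0 before /etc/shosts.equiv is ever consulted. */
static int model_auth_rhosts(int ignore_rhosts, int in_user_rhosts,
                             int in_shosts_equiv)
{
    if (ignore_rhosts)
        return 0;                  /* the "continue; ... return 0;" path */
    return in_user_rhosts || in_shosts_equiv;
}

/* use_patch == 0: original "if (!auth_rhosts(...)) return 0;", then the RSA
 * host-key check decides.  use_patch == 1: the posted patch
 * "if (auth_rhosts(...)) return 1;", so a rhosts match alone succeeds. */
int rhosts_rsa_decision(int ignore_rhosts, int in_user_rhosts,
                        int in_shosts_equiv, int host_key_verified,
                        int use_patch)
{
    int rhosts_ok = model_auth_rhosts(ignore_rhosts, in_user_rhosts,
                                      in_shosts_equiv);
    if (!use_patch && !rhosts_ok)
        return 0;
    if (use_patch && rhosts_ok)
        return 1;
    return host_key_verified;      /* remaining RSA host-key check */
}

/* Enumerate all 16 input combinations; count and print those the patched
 * code accepts but the original rejects. */
int count_patch_only_accepts(void)
{
    int n = 0;
    for (int bits = 0; bits < 16; bits++) {
        int ign = bits & 1, rh = (bits >> 1) & 1;
        int eq = (bits >> 2) & 1, key = (bits >> 3) & 1;
        if (rhosts_rsa_decision(ign, rh, eq, key, 1) &&
            !rhosts_rsa_decision(ign, rh, eq, key, 0)) {
            printf("IgnoreRhosts=%s rhosts=%d shosts.equiv=%d hostkey=%d\n",
                   ign ? "yes" : "no", rh, eq, key);
            n++;
        }
    }
    return n;                      /* 8 of the 16 cases */
}
```

The first rejected-by-original case printed is the one Norbert reports (shosts.equiv entry plus verified host key, IgnoreRhosts yes); the others show the patch accepting a rhosts entry without a host key, or a host key without any equiv entry.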
