Rhosts-RSA authentication broken

Markus Friedl Markus.Friedl at informatik.uni-erlangen.de
Tue Mar 20 21:43:57 EST 2001 

On Tue, Mar 20, 2001 at 11:27:05AM +0100, Bladt Norbert wrote:
> > Markus Friedl [SMTP:Markus.Friedl at informatik.uni-erlangen.de] wrote:
> > 
> > On Tue, Mar 20, 2001 at 09:53:28AM +0100, Bladt Norbert wrote:
> >> The reason are the following wrong lines of source in auth-rh-rsa.c:
> >> 
> >> 	/* Check if we would accept it using rhosts authentication. */
> >>  	if (!auth_rhosts(pw, client_user))
> >>  		return 0;
> 
> > what is wrong here?
> That is easy to tell:
> 	auth_rhosts returns 0 if I have "IgnoreRhosts yes" in the
> 	sshd_config file.

yes, but only if it finds a match in .rhosts. and this is correct.

it does not affect /etc/shosts.equiv.

the checks for hosts.equiv/shosts.equiv are much ealier, and
they return 1:

        /* If not logging in as superuser, try /etc/hosts.equiv and shosts.equiv. */
        if (pw->pw_uid != 0) {
                if (check_rhosts_file(_PATH_RHOSTS_EQUIV, hostname, ipaddr, client_user,
                                      pw->pw_name)) {
                        packet_send_debug("Accepted for %.100s [%.100s] by /etc/hosts.equiv.",
                                          hostname, ipaddr);
                        return 1;
                }
                if (check_rhosts_file(_PATH_SSH_HOSTS_EQUIV, hostname, ipaddr, client_user,
                                      pw->pw_name)) {
                        packet_send_debug("Accepted for %.100s [%.100s] by %.100s.",
                                      hostname, ipaddr, _PATH_SSH_HOSTS_EQUIV);
                        return 1;
                }
        }

> The relevant part of the source in auth-rhosts.c looks like this
> (around line 249 in 2.3.0p1):
> 
> 	if (options.ignore_rhosts)
> 	   packet_send_debug ("Server has been configured to ignore .%100s",
> rhosts_file)
> 		continue;
> 
> ... and later:
> 
> 	return 0

this is just for .rhosts/.shosts, not for _PATH_SSH_HOSTS_EQUIV
or _PATH_RHOSTS_EQUIV

> And the rest of the source is NEVER executed.
> So, I have to enable the usage of ~/.rhosts to use rhosts-RSA
> authentication.
> But I do not want to do this. I want to use shosts.equiv ONLY !
> The default of "IgnoreRhosts" is "yes", anyway.
> 
> Please try to use rhosts RSA authentication based on shosts.equiv
> and the host keys.
> It does not work !
> 
> >> I applied the attached patch and now it works, again.
> >> Please advice if this is not the right fix or whether this
> >> change was intended.
> 
> >!       if (auth_rhosts(pw, client_user))
> >!               return 1;
> 
> >this is very very very wrong!
> 
> > it makes auth-rhost-rsa behave like auth-rhosts. in fact, this turns off
> > checking of the rsa host keys. make makes auth-rhosts-rsa as unsafe as
> > auth-rhosts.
> No. If the authentication with ~/.rhosts is not allowed
> ("IgnoreRhosts yes") it will check the rsa host keys.
> If "IgnoreRhosts no" is configured, it will use the normal
> ~/.rhosts authentication and if that passes all the tests,
> then this is fine.
> 
> This is true at least for 2.3.0p1 as far as I can see.
> 
> Trust me, I tried it.

i cannot trust you, since the patch is wrong :)

-m

More information about the openssh-unix-dev mailing list