Rhosts Authentication broken in 3.4.p1???

Damien Miller djm at mindrot.org
Thu Oct 31 11:51:15 EST 2002


Randy Zagar wrote:
> 
> Has ANYONE been able to verify that Rhosts authentication works with 
> 3.4.p1?  Does it work with other SSHv2 implementations?  Anybody tried 
> it on a RedHat 7.3 system?

Don't use rhosts authentication, use hostbased instead.

> Also, I'm curious about this code I found in sshd.c:
> 
> 
>     /*
>      * Check that the connection comes from a privileged port.
>      * Rhosts-Authentication only makes sense from privileged
>      * programs.  Of course, if the intruder has root access on his
>      * local machine, he can connect from any port.  So do not use these
>      * authentication methods from machines that you do not trust.
>      */
>      if (options.rhosts_authentication &&
>         (remote_port >= IPPORT_RESERVED ||
>          remote_port < IPPORT_RESERVED / 2)) {
>             debug("Rhosts Authentication disabled, "
>                 "originating port %d not trusted.", remote_port);
>             options.rhosts_authentication = 0;
>      }
> 
> It looks to me like this overrides the config file without offering any 
> way to override this policy.  Also, I think this would cause 
> compatibility problems with the non-commercial F-Secure SSH-2.4.x client 
> as it does not use privileged ports for root client connections.
>
> As a general rule I like to see security and authentication policy 
> determined by config file and not by hard-coding it into the source. 
> This code doesn't follow that paradigm.

You clearly don't understand rhosts "authentication".

-d
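
The port test from the quoted sshd.c fragment, written out as an added example (not part of the original messages and not OpenSSH's code). It goes slightly beyond the fragment by pulling the source port out of an IPv4 or IPv6 peer address in host byte order before applying the same `IPPORT_RESERVED / 2` to `IPPORT_RESERVED - 1` window; the helper names `peer_port`, `rhosts_port_ok` and `check_peer` and the sample ports are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Hypothetical helper (not OpenSSH's): peer source port in host byte
 * order, or -1 when the address family carries no port. */
static int peer_port(const struct sockaddr *sa)
{
    switch (sa->sa_family) {
    case AF_INET:
        return ntohs(((const struct sockaddr_in *)sa)->sin_port);
    case AF_INET6:
        return ntohs(((const struct sockaddr_in6 *)sa)->sin6_port);
    default:
        return -1;
    }
}

/* Same window as the quoted check: only 512..1023 passes. The result says
 * what the client host's kernel allowed, so it is only as trustworthy as
 * that host. */
static int rhosts_port_ok(const struct sockaddr *sa)
{
    int port = peer_port(sa);
    return port >= IPPORT_RESERVED / 2 && port < IPPORT_RESERVED;
}

/* Build a constructed peer address for the given family and port. */
static int check_peer(int family, unsigned short port)
{
    struct sockaddr_storage ss;
    memset(&ss, 0, sizeof(ss));
    ss.ss_family = family;
    if (family == AF_INET)
        ((struct sockaddr_in *)&ss)->sin_port = htons(port);
    else if (family == AF_INET6)
        ((struct sockaddr_in6 *)&ss)->sin6_port = htons(port);
    return rhosts_port_ok((const struct sockaddr *)&ss);
}

int main(void)
{
    unsigned short samples[] = { 22, 511, 512, 1023, 1024, 40000 };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("port %5u: %s\n", (unsigned)samples[i],
            check_peer(AF_INET, samples[i]) ? "passes" : "rhosts disabled");
    return 0;
}
```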




More information about the openssh-unix-dev mailing list