Possible security problem in hostbased user authentication?

Choung S. Park / Choung Networks cspark at choung.net
Thu Oct 6 13:52:03 EST 2005


Well... I admit it's not a high-risk security issue since hostbased also
uses pub/priv keys. However, if
options.hostbased_uses_name_from_packet_only is "enabled", the connected
client will surely pass the test even if its IP is listed as "deny".

Anyway, I don't think the person who wrote this routine intentionally
decided to pass the two chosts. It seems like one of those invisible bugs... :-(

Best regards,
Choung S.Park

----- Original Message ----- 
From: "Darren Tucker" <dtucker at zip.com.au>
To: "Choung S. Park / Choung Networks" <cspark at choung.net>
Cc: <openssh-unix-dev at mindrot.org>
Sent: Wednesday, October 05, 2005 7:10 PM
Subject: Re: Possible security problem in hostbased user authentication?


> Choung S. Park / Choung Networks wrote:
> > In auth2-hostbased.c, line #146
> >
> >     if (auth_rhosts2(pw, cuser, chost, chost) == 0)
> >                                        ^^^^^
> >
> > shouldn't this be
> >
> >     if (auth_rhosts2(pw, cuser, chost, ipaddr) == 0)
> >                                        ^^^^^^
>
> I don't think so.  The surrounding code is:
>          if (options.hostbased_uses_name_from_packet_only) {
>                  if (auth_rhosts2(pw, cuser, chost, chost) == 0)
>                          return 0;
>                  lookup = chost;
>
> It's the implementation of the HostbasedUsesNameFromPacketOnly
> sshd_config option.  If you look at the authmethod code (in
> userauth_hostbased() above) you'll see that the host must also be able
> to prove possession of the private key corresponding to that host
> identifier to be allowed access.
>
> So the host can claim to be whatever it wants, but it won't get very far
> unless the server has a public key for that host, and the client has the
> matching private key.
>
> On a related note, it appears that HostbasedUsesNameFromPacketOnly is
> missing from sshd_config(5).
>
> -- 
> Darren Tucker (dtucker at zip.com.au)
> GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
>      Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.
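To make the disagreement concrete, here is a small Python model (added here, not OpenSSH's code) of the rhosts matching step: check_rhosts_file matches a client by hostname or address and honours "-" deny entries, and hostbased_check mirrors the branch quoted above, passing chost for both arguments when HostbasedUsesNameFromPacketOnly is set. The shosts.equiv contents and host names are constructed; the model covers only the equiv-file step, not the host-key proof that still gates access afterwards.

```python
# Simplified model of the hostbased rhosts check discussed in the thread.
# Not OpenSSH's code: user fields, netgroups and ~/.shosts are omitted.

# Constructed shosts.equiv: deny one peer by IP, then allow it by name.
SHOSTS_EQUIV = [
    "# constructed sample, not a real equiv file",
    "-192.0.2.5",
    "client.example.net",
]


def check_rhosts_file(lines, client_host, client_ip):
    """Return True if the client is allowed by the equiv lines.

    A line names a host (hostname or IP). A leading '-' denies that host,
    a leading '+' (or no prefix) allows it. First matching line decides.
    """
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        negated = line.startswith("-")
        host = line.lstrip("-+").lower()
        if host in (client_host.lower(), client_ip.lower()):
            return not negated
    return False


def auth_rhosts2(lines, chost, ipaddr):
    """Stand-in for auth_rhosts2(pw, cuser, chost, ipaddr)."""
    return check_rhosts_file(lines, chost, ipaddr)


def hostbased_check(lines, chost, ipaddr, uses_name_from_packet_only):
    """Mirror the branch from auth2-hostbased.c: with the option enabled,
    chost is passed as both the host and the address argument, so the real
    peer IP never reaches the matcher and IP-based deny lines cannot match."""
    if uses_name_from_packet_only:
        return auth_rhosts2(lines, chost, chost)
    return auth_rhosts2(lines, chost, ipaddr)


if __name__ == "__main__":
    for flag in (False, True):
        allowed = hostbased_check(SHOSTS_EQUIV, "client.example.net",
                                  "192.0.2.5", flag)
        print(f"name_from_packet_only={flag}: allowed={allowed}")
```

With the option on, a deny entry must be written by the name the client presents (e.g. "-client.example.net"), since that is the only identifier the matcher ever sees.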
