:::::::::::::: /tmp/ChangeLog.diffs ::::::::::::::
--- ChangeLog.org Sun Jun 17 05:40:50 2001
+++ ChangeLog Wed Jul 25 10:15:11 2001
@@ -1,3 +1,10 @@
+20010725
+ - (tim@mcgarry.ch) RSAAuthentication in sshd_config, can now have
+ value "without-nfs", with this value RSA authentication fails
+ if authorized_keys(2) or the users home directory is of type nfs.
+ These mods were made on the portable version/Solaris. I have no
+ idea if they could easily be fed back to the OpenBSD version.
+
 20010617
 - (djm) Pull in small fix from -CURRENT for session.c: typo, use pid not
 s->pid, mstone@cs.loyola.edu
:::::::::::::: /tmp/auth-rsa.c.diffs ::::::::::::::
--- auth-rsa.c.org Tue Jul 10 07:48:20 2001
+++ auth-rsa.c Wed Jul 25 17:05:27 2001
@@ -31,6 +31,7 @@
 #include "log.h"
 #include "servconf.h"
 #include "auth.h"
+#include
 /* import */
 extern ServerOptions options;
@@ -122,12 +123,14 @@
 int
 auth_rsa(struct passwd *pw, BIGNUM *client_n)
 {
+ extern int fstatvfs();
 char line[8192], file[MAXPATHLEN];
 int authenticated;
 u_int bits;
 FILE *f;
 u_long linenum = 0;
 struct stat st;
+ struct statvfs stvfs;
 RSA *pk;
 /* no user given */
@@ -161,6 +164,9 @@
 char buf[1024];
 /* Check open file in order to avoid open/stat races */
 if (fstat(fileno(f), &st) < 0 ||
+ (options.rsa_authentication == RSAA_WO_NFS &&
+ (fstatvfs(fileno(f), &stvfs) < 0 ||
+ strcmp(stvfs.f_basetype, "nfs") == 0)) ||
 (st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
 (st.st_mode & 022) != 0) {
 snprintf(buf, sizeof buf, "RSA authentication refused for %.100s: "
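Review bot: The hunk-local `extern int fstatvfs();` added at the top of auth_rsa() is an old-style declaration with no parameter list, so the compiler checks nothing about the two arguments handed to fstatvfs() later in the function; the header added in the first hunk of this file (its name is not legible in this listing, presumably the statvfs header) already supplies a full prototype, so the line should simply be removed. `struct statvfs stvfs;` and the later `stvfs.f_basetype` also rely on a field that Solaris provides but the POSIX statvfs structure does not, which is why the ChangeLog warns this is Solaris-only; a configure test with an `#ifdef` around the declaration and its uses would make that explicit instead of leaving a build break on other portable targets. auth_rsa()'s body continues past the end of this hunk.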
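Review bot: When the new `strcmp(stvfs.f_basetype, "nfs") == 0` (or a failing fstatvfs()) is what trips this condition, the diagnostic built on the last line of the hunk still reads "bad ownership or modes", so an administrator who just inherited the new `without-nfs` default is sent to chase permissions that are fine; the NFS case deserves its own branch with its own text, e.g. `"RSA authentication refused for %.100s: '%s' is on NFS (RSAAuthentication without-nfs)."`. Refusing when fstatvfs() itself fails is the right fail-closed choice and worth a one-line comment, because a `< 0 ||` buried in the middle of the condition reads like an accident. The comparison recognises only the exact type string "nfs", so any other remote filesystem type passes this check unchanged; if the intent is "do not trust ownership on remote mounts", say so in a comment and name what is covered. The enclosing `if (f) {` block and, presumably, the StrictModes test around these checks start outside the hunk — if that enclosure is real, `StrictModes no` also switches the NFS refusal off, which the ChangeLog entry does not mention.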
@@ -176,6 +182,9 @@
 snprintf(line, sizeof line, "%.500s/%.100s", pw->pw_dir, check[i]);
 if (stat(line, &st) < 0 ||
 (st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
+ (options.rsa_authentication == RSAA_WO_NFS &&
+ (statvfs(line, &stvfs) < 0 ||
+ strcmp(stvfs.f_basetype, "nfs") == 0)) ||
 (st.st_mode & 022) != 0) {
 snprintf(buf, sizeof buf, "RSA authentication refused for %.100s: "
 "bad ownership or modes for '%s'.", pw->pw_name, line);
:::::::::::::: /tmp/auth1.c.diffs ::::::::::::::
--- auth1.c.org Sat Mar 24 01:37:59 2001
+++ auth1.c Wed Jul 25 17:02:29 2001
@@ -228,7 +228,7 @@
 break;
 case SSH_CMSG_AUTH_RSA:
- if (!options.rsa_authentication) {
+ if (options.rsa_authentication == RSAA_NO) {
 verbose("RSA authentication disabled.");
 break;
 }
:::::::::::::: /tmp/auth2.c.diffs ::::::::::::::
--- auth2.c.org Mon Jul 9 13:59:39 2001
+++ auth2.c Wed Jul 25 17:05:37 2001
@@ -51,6 +51,7 @@
 #include "hostfile.h"
 #include "canohost.h"
 #include "tildexpand.h"
+#include
 /* import */
 extern ServerOptions options;
@@ -666,11 +667,13 @@
 int
 user_key_allowed(struct passwd *pw, Key *key)
 {
+ extern int fstatvfs();
 char line[8192], file[MAXPATHLEN];
 int found_key = 0;
 FILE *f;
 u_long linenum = 0;
 struct stat st;
+ struct statvfs stvfs;
 Key *found;
 if (pw == NULL)
@@ -701,6 +704,10 @@
 char buf[1024];
 /* Check open file in order to avoid open/stat races */
 if (fstat(fileno(f), &st) < 0 ||
+ (options.rsa_authentication == RSAA_WO_NFS &&
+ (fstatvfs(fileno(f), &stvfs) < 0 ||
+ strcmp(stvfs.f_basetype, "nfs") == 0)) ||
+
 (st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
 (st.st_mode & 022) != 0) {
 snprintf(buf, sizeof buf,
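Review bot: `statvfs(line, &stvfs)` is a second by-path lookup of `line` after `stat(line, &st)`, so the filesystem-type answer and the ownership answer can come from two different objects if the path is swapped between the calls; this is the same window the existing by-path `stat()` in this loop already has rather than a new race, but it is why the fstat()/fstatvfs() pair on the open authorized_keys file in the earlier hunk is the check that actually binds, and a short comment here would stop a later reader from "fixing" the order. Placing the NFS clause between the uid test and the mode test also differs from the fstat hunk, where it sits directly after fstat(); ordering it the same way in both places makes the two conditions easier to compare. The loop over `check[]` that contains this code starts before the hunk.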
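Review bot: `options.rsa_authentication == RSAA_NO` on the new line refuses only the exact value 0, whereas the sshd.c hunk in this same patch advertises RSA with `> RSAA_NO`; should `rsa_authentication` ever still be `RSAA_NOT_SET` (-1) here, this test lets protocol-1 RSA authentication proceed even though sshd.c would not have offered it. The two sites should agree, and the fail-closed form is `if (options.rsa_authentication <= RSAA_NO) {`. The switch this case belongs to starts and ends outside the hunk.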
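Review bot: This is user_key_allowed(), the protocol-2 public-key path, yet the NFS refusal added here is keyed on `options.rsa_authentication`, the protocol-1 RSAAuthentication knob: an administrator who writes `RSAAuthentication no` to switch off protocol-1 RSA also silently removes the NFS check from every protocol-2 public key, `RSAAuthentication yes` does the same, and PubkeyAuthentication, which actually governs this function, has no say. The NFS policy wants its own option (or at least a value of PubkeyAuthentication) with the sshd_config(5) text stating which protocols it covers; the `Key *` this function takes is not RSA-specific either, so the option name misleads here. The fourth added line is an empty line in the middle of the `if` condition and should be dropped. user_key_allowed() continues outside the hunk.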
@@ -718,6 +725,9 @@
 snprintf(line, sizeof line, "%.500s/%.100s", pw->pw_dir, check[i]);
 if (stat(line, &st) < 0 ||
+ (options.rsa_authentication == RSAA_WO_NFS &&
+ (statvfs(line, &stvfs) < 0 ||
+ strcmp(stvfs.f_basetype, "nfs") == 0)) ||
 (st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
 (st.st_mode & 022) != 0) {
 snprintf(buf, sizeof buf,
:::::::::::::: /tmp/servconf.c.diffs ::::::::::::::
--- servconf.c.org Wed Apr 25 14:44:15 2001
+++ servconf.c Wed Jul 25 17:05:58 2001
@@ -68,7 +68,7 @@
 options->rhosts_rsa_authentication = -1;
 options->hostbased_authentication = -1;
 options->hostbased_uses_name_from_packet_only = -1;
- options->rsa_authentication = -1;
+ options->rsa_authentication = RSAA_NOT_SET;
 options->pubkey_authentication = -1;
 #ifdef KRB4
 options->kerberos_authentication = -1;
@@ -164,8 +164,8 @@
 options->hostbased_authentication = 0;
 if (options->hostbased_uses_name_from_packet_only == -1)
 options->hostbased_uses_name_from_packet_only = 0;
- if (options->rsa_authentication == -1)
- options->rsa_authentication = 1;
+ if (options->rsa_authentication == RSAA_NOT_SET)
+ options->rsa_authentication = RSAA_WO_NFS;
 if (options->pubkey_authentication == -1)
 options->pubkey_authentication = 1;
 #ifdef KRB4
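Review bot: `options->rsa_authentication = RSAA_WO_NFS;` changes the compiled-in default from the previous `1` (yes) to the new restrictive mode, so every existing sshd_config that never mentions RSAAuthentication starts refusing keys for users whose home directory or authorized_keys lives on NFS, with a log line that blames ownership and modes. Adding a new option value is safe; changing the default is a behaviour change on upgrade and should either keep `RSAA_YES` with `without-nfs` as an opt-in, or be called out as deliberate in the ChangeLog and in sshd_config(5), which this patch does not touch. The -68 hunk above it is fine: `RSAA_NOT_SET` is the same `-1` it replaces.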
@@ -560,7 +560,27 @@
 case sRSAAuthentication:
 intptr = &options->rsa_authentication;
- goto parse_flag;
+ /* tim@mcgarry.ch - begin */
+ arg = strdelim(&cp);
+ if (!arg || *arg == '\0')
+ fatal("%s line %d: missing yes/" "without-nfs/no " "argument.", filename, linenum);
+ value = 0; /* silence compiler */
+ if (strcmp(arg, "without-nfs") == 0)
+ value = RSAA_WO_NFS;
+ else if (strcmp(arg, "yes") == 0)
+ value = RSAA_YES;
+ else if (strcmp(arg, "no") == 0)
+ value = RSAA_NO;
+ else
+ fatal("%s line %d: Bad yes/" "without-nfs/no " "argument: %s", filename, linenum, arg);
+ if (*intptr == -1)
+ *intptr = value;
+ break;
+ /* tim@mcgarry.ch - end */
 case sPubkeyAuthentication:
 intptr = &options->pubkey_authentication;
:::::::::::::: /tmp/servconf.h.diffs ::::::::::::::
--- servconf.h.org Wed Apr 25 14:44:16 2001
+++ servconf.h Wed Jul 25 17:06:05 2001
@@ -32,6 +32,11 @@
 #define PERMIT_NO_PASSWD 2
 #define PERMIT_YES 3
+/* RSA_authentication - tim@mcgarry.ch */
+#define RSAA_NOT_SET -1
+#define RSAA_NO 0
+#define RSAA_WO_NFS 1
+#define RSAA_YES 2
 typedef struct {
 u_int num_ports;
:::::::::::::: /tmp/sshd.c.diffs ::::::::::::::
--- sshd.c.org Mon Apr 16 04:00:02 2001
+++ sshd.c Wed Jul 25 09:59:48 2001
@@ -1253,7 +1253,7 @@
 auth_mask |= 1 << SSH_AUTH_RHOSTS;
 if (options.rhosts_rsa_authentication)
 auth_mask |= 1 << SSH_AUTH_RHOSTS_RSA;
- if (options.rsa_authentication)
+ if (options.rsa_authentication > RSAA_NO)
 auth_mask |= 1 << SSH_AUTH_RSA;
 #ifdef KRB4
 if (options.kerberos_authentication)
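Review bot: `if (*intptr == -1)` on the new side compares against the raw sentinel although this same patch introduces `RSAA_NOT_SET` for exactly that value; write `if (*intptr == RSAA_NOT_SET)` so the guard survives if the sentinel is ever changed. `value = 0; /* silence compiler */` pre-loads the variable with `RSAA_NO`, the disabled state, which is harmless only because every unmatched argument reaches `fatal()`; a comment saying the assignment is dead rather than a default would keep someone from turning it into one. The three accepted words are parsed inline, duplicating the yes/no handling that `parse_flag` (outside the hunk) already does for the other flags; a small shared parser for the multi-valued options in this switch would keep the error wording consistent. The enclosing switch starts and ends outside the hunk.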
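Review bot: The numeric order of the four `RSAA_*` values is load-bearing — the sshd.c hunk tests `> RSAA_NO` and servconf.c compares against `RSAA_NOT_SET` — but nothing in the header says so, and the comment `/* RSA_authentication - tim@mcgarry.ch */` names the author rather than the contract. Replace it with something like `/* RSAAuthentication: ordered so that > RSAA_NO means enabled; RSAA_WO_NFS additionally refuses keys or directories on NFS (see auth-rsa.c, auth2.c) */`. Since the file already uses `#define` for the PERMIT_* family, matching that style is acceptable, though an `enum` would make the names visible in a debugger.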