[Bug 3148] Unable to perform host-based authentication as root if "IgnoreRhosts" is set to "yes" on server configuration

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Tue Apr 14 17:31:57 AEST 2020


https://bugzilla.mindrot.org/show_bug.cgi?id=3148

--- Comment #2 from Anderson Medeiros Gomes <amg1127 at gmail.com> ---
According to my source code analysis, two code blocks in the file
"/src/usr.bin/ssh/auth-rhosts.c" (
https://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/src/usr.bin/ssh/auth-rhosts.c?rev=1.51
) explicitly prevent the root user from authenticating via the
host-based method.

This code block, which starts at line 226 inside the function
"auth_rhosts2", prevents parsing of "/etc/ssh/shosts.equiv" if "root"
is the user being authenticated:

--------------------------------
        /*
         * If not logging in as superuser, try /etc/hosts.equiv and
         * shosts.equiv.
         */
        if (pw->pw_uid == 0)
                debug3("%s: root user, ignoring system hosts files", __func__);
        else {
                if (check_rhosts_file(_PATH_RHOSTS_EQUIV, hostname, ipaddr,
                    client_user, pw->pw_name)) {
                        auth_debug_add("Accepted for %.100s [%.100s] by "
                            "/etc/hosts.equiv.", hostname, ipaddr);
                        return 1;
                }
                if (check_rhosts_file(_PATH_SSH_HOSTS_EQUIV, hostname, ipaddr,
                    client_user, pw->pw_name)) {
                        auth_debug_add("Accepted for %.100s [%.100s] by "
                            "%.100s.", hostname, ipaddr, _PATH_SSH_HOSTS_EQUIV);
                        return 1;
                }
        }
--------------------------------

And this code block, starting at line 293, prevents parsing of the
"/root/.shosts" file if "IgnoreRhosts yes" is set in
"/etc/ssh/sshd_config". As a result, host-based authentication as root
will fail even if a systems administrator creates "/root/.shosts" as a
symbolic link to "/etc/ssh/shosts.equiv" as a workaround.

--------------------------------
                /*
                 * Check if we have been configured to ignore .rhosts
                 * and .shosts files.
                 */
                if (options.ignore_rhosts) {
                        auth_debug_add("Server has been configured to "
                            "ignore %.100s.", rhosts_files[rhosts_file_index]);
                        continue;
                }
--------------------------------

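Added illustration, not part of the bug report and not OpenSSH's own code: a stand-alone C model of the decision order in auth_rhosts2 as quoted in the comment above, together with a simplified in-memory matcher for the hosts.equiv / shosts.equiv / .shosts line format ("hostname [user]", leading "-" negates an entry, leading "+" is stripped). Everything named model_* is this example's own. Netgroup ("@group") entries, the StrictModes ownership checks and the initial file-existence test are left out, file contents are passed as strings instead of being read from disk, and the order in which the two per-user files are tried is not meant to match the real rhosts_files[] table. The sample equiv file is constructed for the scenario in the bug: the same file content is installed as both /etc/ssh/shosts.equiv and /root/.shosts.

```c
#include <stdio.h>
#include <string.h>

#define MODEL_LINE 1024

/*
 * Simplified matcher for one hosts.equiv-style file held in memory.
 * Returns 1 if an entry grants client_user@hostname access as server_user,
 * 0 if nothing matched or the first matching entry was negated.
 */
static int model_check_file(const char *text, const char *hostname,
    const char *ipaddr, const char *client_user, const char *server_user)
{
    const char *p = text;

    while (*p != '\0') {
        char line[MODEL_LINE], hostbuf[MODEL_LINE], userbuf[MODEL_LINE], dummy[MODEL_LINE];
        const char *nl = strchr(p, '\n');
        size_t full = nl != NULL ? (size_t)(nl - p) : strlen(p);
        size_t len = full < sizeof(line) - 1 ? full : sizeof(line) - 1;
        const char *cp, *host, *user;
        int negated = 0;

        memcpy(line, p, len);
        line[len] = '\0';
        p += full + (nl != NULL ? 1 : 0);   /* always advance past the whole line */

        cp = line;
        while (*cp == ' ' || *cp == '\t')
            cp++;
        if (*cp == '#' || *cp == '\0')
            continue;                       /* comment or blank line */

        switch (sscanf(cp, "%1023s %1023s %1023s", hostbuf, userbuf, dummy)) {
        case 1:                             /* host only: same user name on both sides */
            snprintf(userbuf, sizeof(userbuf), "%s", server_user);
            break;
        case 2:                             /* host and user */
            break;
        default:                            /* three fields (garbage) or nothing */
            continue;
        }

        host = hostbuf;
        user = userbuf;
        if (*host == '-') { negated = 1; host++; } else if (*host == '+') host++;
        if (*user == '-') { negated = 1; user++; } else if (*user == '+') user++;
        if (*host == '\0' || *user == '\0')
            continue;                       /* bare '+' / '-' wildcards never match */

        if (strcmp(host, hostname) != 0 && strcmp(host, ipaddr) != 0)
            continue;                       /* different host */
        if (strcmp(user, client_user) != 0)
            continue;                       /* different user */
        return negated ? 0 : 1;             /* first matching entry decides */
    }
    return 0;
}

/* Inputs that auth_rhosts2 takes from pw, options and the filesystem (model's own struct). */
struct model_env {
    unsigned int uid;          /* pw->pw_uid of the account being logged into */
    int ignore_rhosts;         /* options.ignore_rhosts: "IgnoreRhosts yes" = 1 */
    const char *hosts_equiv;   /* /etc/hosts.equiv content, NULL if absent */
    const char *shosts_equiv;  /* /etc/ssh/shosts.equiv content, NULL if absent */
    const char *user_rhosts;   /* ~/.rhosts content, NULL if absent */
    const char *user_shosts;   /* ~/.shosts content, NULL if absent */
};

/*
 * Mirrors the two gates quoted in the comment: the system files are
 * skipped entirely for uid 0, and the per-user files are skipped when
 * IgnoreRhosts is set. Returns 1 on accept, 0 on reject; "why" receives
 * the last reason recorded, in the spirit of auth_debug_add().
 */
static int model_auth_rhosts2(const struct model_env *e, const char *hostname,
    const char *ipaddr, const char *client_user, const char *server_user,
    char *why, size_t whylen)
{
    const char *user_files[2] = { e->user_rhosts, e->user_shosts };
    const char *user_names[2] = { ".rhosts", ".shosts" };
    int i;

    if (e->uid == 0) {
        snprintf(why, whylen, "root user, ignoring system hosts files");
    } else {
        if (e->hosts_equiv != NULL && model_check_file(e->hosts_equiv,
            hostname, ipaddr, client_user, server_user)) {
            snprintf(why, whylen, "Accepted by /etc/hosts.equiv");
            return 1;
        }
        if (e->shosts_equiv != NULL && model_check_file(e->shosts_equiv,
            hostname, ipaddr, client_user, server_user)) {
            snprintf(why, whylen, "Accepted by /etc/ssh/shosts.equiv");
            return 1;
        }
    }

    for (i = 0; i < 2; i++) {
        if (user_files[i] == NULL)
            continue;                       /* file does not exist */
        if (e->ignore_rhosts) {
            snprintf(why, whylen, "Server has been configured to ignore %s",
                user_names[i]);
            continue;                       /* never parsed, symlink or not */
        }
        if (model_check_file(user_files[i], hostname, ipaddr, client_user,
            server_user)) {
            snprintf(why, whylen, "Accepted by %s", user_names[i]);
            return 1;
        }
    }
    return 0;
}

/* Constructed sample file: deny "guest" from the trusted client, allow everyone else. */
static const char model_equiv[] =
    "# trusted client; user names must match on both sides\n"
    "-client.example.org guest\n"
    "client.example.org\n";

int main(void)
{
    char why[128];
    struct model_env env = { 0, 1, NULL, model_equiv, NULL, model_equiv };
    int r;

    r = model_auth_rhosts2(&env, "client.example.org", "192.0.2.10", "root", "root", why, sizeof(why));
    printf("root,  IgnoreRhosts yes: %d (%s)\n", r, why);
    env.uid = 1000;
    r = model_auth_rhosts2(&env, "client.example.org", "192.0.2.10", "alice", "alice", why, sizeof(why));
    printf("alice, IgnoreRhosts yes: %d (%s)\n", r, why);
    env.uid = 0;
    env.ignore_rhosts = 0;
    r = model_auth_rhosts2(&env, "client.example.org", "192.0.2.10", "root", "root", why, sizeof(why));
    printf("root,  IgnoreRhosts no:  %d (%s)\n", r, why);
    return 0;
}
```

The three runs in main() trace the report's point: with uid 0 and IgnoreRhosts set, neither branch ever calls the matcher, so no file content can make the decision succeed; the same file content admits a non-root user through shosts.equiv, and admits root only once IgnoreRhosts is off and /root/.shosts is consulted.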