1 |
|
|
/* $OpenBSD: auth-rhosts.c,v 1.48 2016/08/13 17:47:41 markus Exp $ */ |
2 |
|
|
/* |
3 |
|
|
* Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 |
|
|
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
5 |
|
|
* All rights reserved |
6 |
|
|
* Rhosts authentication. This file contains code to check whether to admit |
7 |
|
|
* the login based on rhosts authentication. This file also processes |
8 |
|
|
* /etc/hosts.equiv. |
9 |
|
|
* |
10 |
|
|
* As far as I am concerned, the code I have written for this software |
11 |
|
|
* can be used freely for any purpose. Any derived versions of this |
12 |
|
|
* software must be clearly marked as such, and if the derived work is |
13 |
|
|
* incompatible with the protocol description in the RFC file, it must be |
14 |
|
|
* called by a name other than "ssh" or "Secure Shell". |
15 |
|
|
*/ |
16 |
|
|
|
17 |
|
|
#include <sys/types.h> |
18 |
|
|
#include <sys/stat.h> |
19 |
|
|
|
20 |
|
|
#include <fcntl.h> |
21 |
|
|
#include <netgroup.h> |
22 |
|
|
#include <pwd.h> |
23 |
|
|
#include <stdio.h> |
24 |
|
|
#include <string.h> |
25 |
|
|
#include <stdarg.h> |
26 |
|
|
#include <unistd.h> |
27 |
|
|
|
28 |
|
|
#include "packet.h" |
29 |
|
|
#include "uidswap.h" |
30 |
|
|
#include "pathnames.h" |
31 |
|
|
#include "log.h" |
32 |
|
|
#include "misc.h" |
33 |
|
|
#include "buffer.h" /* XXX */ |
34 |
|
|
#include "key.h" /* XXX */ |
35 |
|
|
#include "servconf.h" |
36 |
|
|
#include "canohost.h" |
37 |
|
|
#include "sshkey.h" |
38 |
|
|
#include "hostfile.h" |
39 |
|
|
#include "auth.h" |
40 |
|
|
|
41 |
|
|
/* import */ |
42 |
|
|
extern ServerOptions options; |
43 |
|
|
extern int use_privsep; |
44 |
|
|
|
45 |
|
|
/* |
46 |
|
|
* This function processes an rhosts-style file (.rhosts, .shosts, or |
47 |
|
|
* /etc/hosts.equiv). This returns true if authentication can be granted |
48 |
|
|
* based on the file, and returns zero otherwise. |
49 |
|
|
*/ |
50 |
|
|
|
51 |
|
|
static int |
52 |
|
|
check_rhosts_file(const char *filename, const char *hostname, |
53 |
|
|
const char *ipaddr, const char *client_user, |
54 |
|
|
const char *server_user) |
55 |
|
|
{ |
56 |
|
|
FILE *f; |
57 |
|
|
#define RBUFLN 1024 |
58 |
|
|
char buf[RBUFLN];/* Must not be larger than host, user, dummy below. */ |
59 |
|
|
int fd; |
60 |
|
|
struct stat st; |
61 |
|
|
|
62 |
|
|
/* Open the .rhosts file, deny if unreadable */ |
63 |
|
|
if ((fd = open(filename, O_RDONLY|O_NONBLOCK)) == -1) |
64 |
|
|
return 0; |
65 |
|
|
if (fstat(fd, &st) == -1) { |
66 |
|
|
close(fd); |
67 |
|
|
return 0; |
68 |
|
|
} |
69 |
|
|
if (!S_ISREG(st.st_mode)) { |
70 |
|
|
logit("User %s hosts file %s is not a regular file", |
71 |
|
|
server_user, filename); |
72 |
|
|
close(fd); |
73 |
|
|
return 0; |
74 |
|
|
} |
75 |
|
|
unset_nonblock(fd); |
76 |
|
|
if ((f = fdopen(fd, "r")) == NULL) { |
77 |
|
|
close(fd); |
78 |
|
|
return 0; |
79 |
|
|
} |
80 |
|
|
while (fgets(buf, sizeof(buf), f)) { |
81 |
|
|
/* All three must have length >= buf to avoid overflows. */ |
82 |
|
|
char hostbuf[RBUFLN], userbuf[RBUFLN], dummy[RBUFLN]; |
83 |
|
|
char *host, *user, *cp; |
84 |
|
|
int negated; |
85 |
|
|
|
86 |
|
|
for (cp = buf; *cp == ' ' || *cp == '\t'; cp++) |
87 |
|
|
; |
88 |
|
|
if (*cp == '#' || *cp == '\n' || !*cp) |
89 |
|
|
continue; |
90 |
|
|
|
91 |
|
|
/* |
92 |
|
|
* NO_PLUS is supported at least on OSF/1. We skip it (we |
93 |
|
|
* don't ever support the plus syntax). |
94 |
|
|
*/ |
95 |
|
|
if (strncmp(cp, "NO_PLUS", 7) == 0) |
96 |
|
|
continue; |
97 |
|
|
|
98 |
|
|
/* |
99 |
|
|
* This should be safe because each buffer is as big as the |
100 |
|
|
* whole string, and thus cannot be overwritten. |
101 |
|
|
*/ |
102 |
|
|
switch (sscanf(buf, "%1023s %1023s %1023s", hostbuf, userbuf, |
103 |
|
|
dummy)) { |
104 |
|
|
case 0: |
105 |
|
|
auth_debug_add("Found empty line in %.100s.", filename); |
106 |
|
|
continue; |
107 |
|
|
case 1: |
108 |
|
|
/* Host name only. */ |
109 |
|
|
strlcpy(userbuf, server_user, sizeof(userbuf)); |
110 |
|
|
break; |
111 |
|
|
case 2: |
112 |
|
|
/* Got both host and user name. */ |
113 |
|
|
break; |
114 |
|
|
case 3: |
115 |
|
|
auth_debug_add("Found garbage in %.100s.", filename); |
116 |
|
|
continue; |
117 |
|
|
default: |
118 |
|
|
/* Weird... */ |
119 |
|
|
continue; |
120 |
|
|
} |
121 |
|
|
|
122 |
|
|
host = hostbuf; |
123 |
|
|
user = userbuf; |
124 |
|
|
negated = 0; |
125 |
|
|
|
126 |
|
|
/* Process negated host names, or positive netgroups. */ |
127 |
|
|
if (host[0] == '-') { |
128 |
|
|
negated = 1; |
129 |
|
|
host++; |
130 |
|
|
} else if (host[0] == '+') |
131 |
|
|
host++; |
132 |
|
|
|
133 |
|
|
if (user[0] == '-') { |
134 |
|
|
negated = 1; |
135 |
|
|
user++; |
136 |
|
|
} else if (user[0] == '+') |
137 |
|
|
user++; |
138 |
|
|
|
139 |
|
|
/* Check for empty host/user names (particularly '+'). */ |
140 |
|
|
if (!host[0] || !user[0]) { |
141 |
|
|
/* We come here if either was '+' or '-'. */ |
142 |
|
|
auth_debug_add("Ignoring wild host/user names " |
143 |
|
|
"in %.100s.", filename); |
144 |
|
|
continue; |
145 |
|
|
} |
146 |
|
|
/* Verify that host name matches. */ |
147 |
|
|
if (host[0] == '@') { |
148 |
|
|
if (!innetgr(host + 1, hostname, NULL, NULL) && |
149 |
|
|
!innetgr(host + 1, ipaddr, NULL, NULL)) |
150 |
|
|
continue; |
151 |
|
|
} else if (strcasecmp(host, hostname) && |
152 |
|
|
strcmp(host, ipaddr) != 0) |
153 |
|
|
continue; /* Different hostname. */ |
154 |
|
|
|
155 |
|
|
/* Verify that user name matches. */ |
156 |
|
|
if (user[0] == '@') { |
157 |
|
|
if (!innetgr(user + 1, NULL, client_user, NULL)) |
158 |
|
|
continue; |
159 |
|
|
} else if (strcmp(user, client_user) != 0) |
160 |
|
|
continue; /* Different username. */ |
161 |
|
|
|
162 |
|
|
/* Found the user and host. */ |
163 |
|
|
fclose(f); |
164 |
|
|
|
165 |
|
|
/* If the entry was negated, deny access. */ |
166 |
|
|
if (negated) { |
167 |
|
|
auth_debug_add("Matched negative entry in %.100s.", |
168 |
|
|
filename); |
169 |
|
|
return 0; |
170 |
|
|
} |
171 |
|
|
/* Accept authentication. */ |
172 |
|
|
return 1; |
173 |
|
|
} |
174 |
|
|
|
175 |
|
|
/* Authentication using this file denied. */ |
176 |
|
|
fclose(f); |
177 |
|
|
return 0; |
178 |
|
|
} |
179 |
|
|
|
180 |
|
|
/* |
181 |
|
|
* Tries to authenticate the user using the .shosts or .rhosts file. Returns |
182 |
|
|
* true if authentication succeeds. If ignore_rhosts is true, only |
183 |
|
|
* /etc/hosts.equiv will be considered (.rhosts and .shosts are ignored). |
184 |
|
|
*/ |
185 |
|
|
int |
186 |
|
|
auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname, |
187 |
|
|
const char *ipaddr) |
188 |
|
|
{ |
189 |
|
|
char buf[1024]; |
190 |
|
|
struct stat st; |
191 |
|
|
static const char *rhosts_files[] = {".shosts", ".rhosts", NULL}; |
192 |
|
|
u_int rhosts_file_index; |
193 |
|
|
|
194 |
|
|
debug2("auth_rhosts2: clientuser %s hostname %s ipaddr %s", |
195 |
|
|
client_user, hostname, ipaddr); |
196 |
|
|
|
197 |
|
|
/* Switch to the user's uid. */ |
198 |
|
|
temporarily_use_uid(pw); |
199 |
|
|
/* |
200 |
|
|
* Quick check: if the user has no .shosts or .rhosts files and |
201 |
|
|
* no system hosts.equiv/shosts.equiv files exist then return |
202 |
|
|
* failure immediately without doing costly lookups from name |
203 |
|
|
* servers. |
204 |
|
|
*/ |
205 |
|
|
for (rhosts_file_index = 0; rhosts_files[rhosts_file_index]; |
206 |
|
|
rhosts_file_index++) { |
207 |
|
|
/* Check users .rhosts or .shosts. */ |
208 |
|
|
snprintf(buf, sizeof buf, "%.500s/%.100s", |
209 |
|
|
pw->pw_dir, rhosts_files[rhosts_file_index]); |
210 |
|
|
if (stat(buf, &st) >= 0) |
211 |
|
|
break; |
212 |
|
|
} |
213 |
|
|
/* Switch back to privileged uid. */ |
214 |
|
|
restore_uid(); |
215 |
|
|
|
216 |
|
|
/* |
217 |
|
|
* Deny if The user has no .shosts or .rhosts file and there |
218 |
|
|
* are no system-wide files. |
219 |
|
|
*/ |
220 |
|
|
if (!rhosts_files[rhosts_file_index] && |
221 |
|
|
stat(_PATH_RHOSTS_EQUIV, &st) < 0 && |
222 |
|
|
stat(_PATH_SSH_HOSTS_EQUIV, &st) < 0) { |
223 |
|
|
debug3("%s: no hosts access files exist", __func__); |
224 |
|
|
return 0; |
225 |
|
|
} |
226 |
|
|
|
227 |
|
|
/* |
228 |
|
|
* If not logging in as superuser, try /etc/hosts.equiv and |
229 |
|
|
* shosts.equiv. |
230 |
|
|
*/ |
231 |
|
|
if (pw->pw_uid == 0) |
232 |
|
|
debug3("%s: root user, ignoring system hosts files", __func__); |
233 |
|
|
else { |
234 |
|
|
if (check_rhosts_file(_PATH_RHOSTS_EQUIV, hostname, ipaddr, |
235 |
|
|
client_user, pw->pw_name)) { |
236 |
|
|
auth_debug_add("Accepted for %.100s [%.100s] by " |
237 |
|
|
"/etc/hosts.equiv.", hostname, ipaddr); |
238 |
|
|
return 1; |
239 |
|
|
} |
240 |
|
|
if (check_rhosts_file(_PATH_SSH_HOSTS_EQUIV, hostname, ipaddr, |
241 |
|
|
client_user, pw->pw_name)) { |
242 |
|
|
auth_debug_add("Accepted for %.100s [%.100s] by " |
243 |
|
|
"%.100s.", hostname, ipaddr, _PATH_SSH_HOSTS_EQUIV); |
244 |
|
|
return 1; |
245 |
|
|
} |
246 |
|
|
} |
247 |
|
|
|
248 |
|
|
/* |
249 |
|
|
* Check that the home directory is owned by root or the user, and is |
250 |
|
|
* not group or world writable. |
251 |
|
|
*/ |
252 |
|
|
if (stat(pw->pw_dir, &st) < 0) { |
253 |
|
|
logit("Rhosts authentication refused for %.100s: " |
254 |
|
|
"no home directory %.200s", pw->pw_name, pw->pw_dir); |
255 |
|
|
auth_debug_add("Rhosts authentication refused for %.100s: " |
256 |
|
|
"no home directory %.200s", pw->pw_name, pw->pw_dir); |
257 |
|
|
return 0; |
258 |
|
|
} |
259 |
|
|
if (options.strict_modes && |
260 |
|
|
((st.st_uid != 0 && st.st_uid != pw->pw_uid) || |
261 |
|
|
(st.st_mode & 022) != 0)) { |
262 |
|
|
logit("Rhosts authentication refused for %.100s: " |
263 |
|
|
"bad ownership or modes for home directory.", pw->pw_name); |
264 |
|
|
auth_debug_add("Rhosts authentication refused for %.100s: " |
265 |
|
|
"bad ownership or modes for home directory.", pw->pw_name); |
266 |
|
|
return 0; |
267 |
|
|
} |
268 |
|
|
/* Temporarily use the user's uid. */ |
269 |
|
|
temporarily_use_uid(pw); |
270 |
|
|
|
271 |
|
|
/* Check all .rhosts files (currently .shosts and .rhosts). */ |
272 |
|
|
for (rhosts_file_index = 0; rhosts_files[rhosts_file_index]; |
273 |
|
|
rhosts_file_index++) { |
274 |
|
|
/* Check users .rhosts or .shosts. */ |
275 |
|
|
snprintf(buf, sizeof buf, "%.500s/%.100s", |
276 |
|
|
pw->pw_dir, rhosts_files[rhosts_file_index]); |
277 |
|
|
if (stat(buf, &st) < 0) |
278 |
|
|
continue; |
279 |
|
|
|
280 |
|
|
/* |
281 |
|
|
* Make sure that the file is either owned by the user or by |
282 |
|
|
* root, and make sure it is not writable by anyone but the |
283 |
|
|
* owner. This is to help avoid novices accidentally |
284 |
|
|
* allowing access to their account by anyone. |
285 |
|
|
*/ |
286 |
|
|
if (options.strict_modes && |
287 |
|
|
((st.st_uid != 0 && st.st_uid != pw->pw_uid) || |
288 |
|
|
(st.st_mode & 022) != 0)) { |
289 |
|
|
logit("Rhosts authentication refused for %.100s: bad modes for %.200s", |
290 |
|
|
pw->pw_name, buf); |
291 |
|
|
auth_debug_add("Bad file modes for %.200s", buf); |
292 |
|
|
continue; |
293 |
|
|
} |
294 |
|
|
/* |
295 |
|
|
* Check if we have been configured to ignore .rhosts |
296 |
|
|
* and .shosts files. |
297 |
|
|
*/ |
298 |
|
|
if (options.ignore_rhosts) { |
299 |
|
|
auth_debug_add("Server has been configured to " |
300 |
|
|
"ignore %.100s.", rhosts_files[rhosts_file_index]); |
301 |
|
|
continue; |
302 |
|
|
} |
303 |
|
|
/* Check if authentication is permitted by the file. */ |
304 |
|
|
if (check_rhosts_file(buf, hostname, ipaddr, |
305 |
|
|
client_user, pw->pw_name)) { |
306 |
|
|
auth_debug_add("Accepted by %.100s.", |
307 |
|
|
rhosts_files[rhosts_file_index]); |
308 |
|
|
/* Restore the privileged uid. */ |
309 |
|
|
restore_uid(); |
310 |
|
|
auth_debug_add("Accepted host %s ip %s client_user " |
311 |
|
|
"%s server_user %s", hostname, ipaddr, |
312 |
|
|
client_user, pw->pw_name); |
313 |
|
|
return 1; |
314 |
|
|
} |
315 |
|
|
} |
316 |
|
|
|
317 |
|
|
/* Restore the privileged uid. */ |
318 |
|
|
restore_uid(); |
319 |
|
|
return 0; |
320 |
|
|
} |