X-Git-Url: http://andersk.mit.edu/gitweb/gssapi-openssh.git/blobdiff_plain/665a873d320a97fed924de9a5bc7781a495e4fc1..HEAD:/openssh/auth-rhosts.c diff --git a/openssh/auth-rhosts.c b/openssh/auth-rhosts.c index aaba855..9ba64db 100644 --- a/openssh/auth-rhosts.c +++ b/openssh/auth-rhosts.c @@ -14,9 +14,10 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth-rhosts.c,v 1.33 2005/07/17 07:17:54 djm Exp $"); +RCSID("$OpenBSD: auth-rhosts.c,v 1.24 2001/06/23 15:12:17 itojun Exp $"); #include "packet.h" +#include "xmalloc.h" #include "uidswap.h" #include "pathnames.h" #include "log.h" @@ -26,7 +27,6 @@ RCSID("$OpenBSD: auth-rhosts.c,v 1.33 2005/07/17 07:17:54 djm Exp $"); /* import */ extern ServerOptions options; -extern int use_privsep; /* * This function processes an rhosts-style file (.rhosts, .shosts, or @@ -68,10 +68,9 @@ check_rhosts_file(const char *filename, const char *hostname, * This should be safe because each buffer is as big as the * whole string, and thus cannot be overwritten. */ - switch (sscanf(buf, "%1023s %1023s %1023s", hostbuf, userbuf, - dummy)) { + switch (sscanf(buf, "%s %s %s", hostbuf, userbuf, dummy)) { case 0: - auth_debug_add("Found empty line in %.100s.", filename); + packet_send_debug("Found empty line in %.100s.", filename); continue; case 1: /* Host name only. */ @@ -81,7 +80,7 @@ check_rhosts_file(const char *filename, const char *hostname, /* Got both host and user name. */ break; case 3: - auth_debug_add("Found garbage in %.100s.", filename); + packet_send_debug("Found garbage in %.100s.", filename); continue; default: /* Weird... */ @@ -108,8 +107,8 @@ check_rhosts_file(const char *filename, const char *hostname, /* Check for empty host/user names (particularly '+'). */ if (!host[0] || !user[0]) { /* We come here if either was '+' or '-'. */ - auth_debug_add("Ignoring wild host/user names in %.100s.", - filename); + packet_send_debug("Ignoring wild host/user names in %.100s.", + filename); continue; } /* Verify that host name matches. */ @@ -132,8 +131,8 @@ check_rhosts_file(const char *filename, const char *hostname, /* If the entry was negated, deny access. */ if (negated) { - auth_debug_add("Matched negative entry in %.100s.", - filename); + packet_send_debug("Matched negative entry in %.100s.", + filename); return 0; } /* Accept authentication. */ @@ -155,14 +154,16 @@ int auth_rhosts(struct passwd *pw, const char *client_user) { const char *hostname, *ipaddr; + int ret; - hostname = get_canonical_hostname(options.use_dns); + hostname = get_canonical_hostname(options.reverse_mapping_check); ipaddr = get_remote_ipaddr(); - return auth_rhosts2(pw, client_user, hostname, ipaddr); + ret = auth_rhosts2(pw, client_user, hostname, ipaddr); + return ret; } -static int -auth_rhosts2_raw(struct passwd *pw, const char *client_user, const char *hostname, +int +auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname, const char *ipaddr) { char buf[1024]; @@ -173,6 +174,10 @@ auth_rhosts2_raw(struct passwd *pw, const char *client_user, const char *hostnam debug2("auth_rhosts2: clientuser %s hostname %s ipaddr %s", client_user, hostname, ipaddr); + /* no user given */ + if (pw == NULL) + return 0; + /* Switch to the user's uid. */ temporarily_use_uid(pw); /* @@ -181,7 +186,7 @@ auth_rhosts2_raw(struct passwd *pw, const char *client_user, const char *hostnam * servers. */ for (rhosts_file_index = 0; rhosts_files[rhosts_file_index]; - rhosts_file_index++) { + rhosts_file_index++) { /* Check users .rhosts or .shosts. */ snprintf(buf, sizeof buf, "%.500s/%.100s", pw->pw_dir, rhosts_files[rhosts_file_index]); @@ -199,16 +204,16 @@ auth_rhosts2_raw(struct passwd *pw, const char *client_user, const char *hostnam /* If not logging in as superuser, try /etc/hosts.equiv and shosts.equiv. */ if (pw->pw_uid != 0) { - if (check_rhosts_file(_PATH_RHOSTS_EQUIV, hostname, ipaddr, - client_user, pw->pw_name)) { - auth_debug_add("Accepted for %.100s [%.100s] by /etc/hosts.equiv.", - hostname, ipaddr); + if (check_rhosts_file(_PATH_RHOSTS_EQUIV, hostname, ipaddr, client_user, + pw->pw_name)) { + packet_send_debug("Accepted for %.100s [%.100s] by /etc/hosts.equiv.", + hostname, ipaddr); return 1; } - if (check_rhosts_file(_PATH_SSH_HOSTS_EQUIV, hostname, ipaddr, - client_user, pw->pw_name)) { - auth_debug_add("Accepted for %.100s [%.100s] by %.100s.", - hostname, ipaddr, _PATH_SSH_HOSTS_EQUIV); + if (check_rhosts_file(_PATH_SSH_HOSTS_EQUIV, hostname, ipaddr, client_user, + pw->pw_name)) { + packet_send_debug("Accepted for %.100s [%.100s] by %.100s.", + hostname, ipaddr, _PATH_SSH_HOSTS_EQUIV); return 1; } } @@ -217,19 +222,19 @@ auth_rhosts2_raw(struct passwd *pw, const char *client_user, const char *hostnam * not group or world writable. */ if (stat(pw->pw_dir, &st) < 0) { - logit("Rhosts authentication refused for %.100s: " - "no home directory %.200s", pw->pw_name, pw->pw_dir); - auth_debug_add("Rhosts authentication refused for %.100s: " - "no home directory %.200s", pw->pw_name, pw->pw_dir); + log("Rhosts authentication refused for %.100s: no home directory %.200s", + pw->pw_name, pw->pw_dir); + packet_send_debug("Rhosts authentication refused for %.100s: no home directory %.200s", + pw->pw_name, pw->pw_dir); return 0; } if (options.strict_modes && ((st.st_uid != 0 && st.st_uid != pw->pw_uid) || - (st.st_mode & 022) != 0)) { - logit("Rhosts authentication refused for %.100s: " - "bad ownership or modes for home directory.", pw->pw_name); - auth_debug_add("Rhosts authentication refused for %.100s: " - "bad ownership or modes for home directory.", pw->pw_name); + (st.st_mode & 022) != 0)) { + log("Rhosts authentication refused for %.100s: bad ownership or modes for home directory.", + pw->pw_name); + packet_send_debug("Rhosts authentication refused for %.100s: bad ownership or modes for home directory.", + pw->pw_name); return 0; } /* Temporarily use the user's uid. */ @@ -237,7 +242,7 @@ auth_rhosts2_raw(struct passwd *pw, const char *client_user, const char *hostnam /* Check all .rhosts files (currently .shosts and .rhosts). */ for (rhosts_file_index = 0; rhosts_files[rhosts_file_index]; - rhosts_file_index++) { + rhosts_file_index++) { /* Check users .rhosts or .shosts. */ snprintf(buf, sizeof buf, "%.500s/%.100s", pw->pw_dir, rhosts_files[rhosts_file_index]); @@ -252,26 +257,24 @@ auth_rhosts2_raw(struct passwd *pw, const char *client_user, const char *hostnam */ if (options.strict_modes && ((st.st_uid != 0 && st.st_uid != pw->pw_uid) || - (st.st_mode & 022) != 0)) { - logit("Rhosts authentication refused for %.100s: bad modes for %.200s", + (st.st_mode & 022) != 0)) { + log("Rhosts authentication refused for %.100s: bad modes for %.200s", pw->pw_name, buf); - auth_debug_add("Bad file modes for %.200s", buf); + packet_send_debug("Bad file modes for %.200s", buf); continue; } /* Check if we have been configured to ignore .rhosts and .shosts files. */ if (options.ignore_rhosts) { - auth_debug_add("Server has been configured to ignore %.100s.", - rhosts_files[rhosts_file_index]); + packet_send_debug("Server has been configured to ignore %.100s.", + rhosts_files[rhosts_file_index]); continue; } /* Check if authentication is permitted by the file. */ if (check_rhosts_file(buf, hostname, ipaddr, client_user, pw->pw_name)) { - auth_debug_add("Accepted by %.100s.", - rhosts_files[rhosts_file_index]); + packet_send_debug("Accepted by %.100s.", + rhosts_files[rhosts_file_index]); /* Restore the privileged uid. */ restore_uid(); - auth_debug_add("Accepted host %s ip %s client_user %s server_user %s", - hostname, ipaddr, client_user, pw->pw_name); return 1; } } @@ -280,16 +283,3 @@ auth_rhosts2_raw(struct passwd *pw, const char *client_user, const char *hostnam restore_uid(); return 0; } - -int -auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname, - const char *ipaddr) -{ - int ret; - - auth_debug_reset(); - ret = auth_rhosts2_raw(pw, client_user, hostname, ipaddr); - if (!use_privsep) - auth_debug_send(); - return ret; -}