[openssh.git] / auth-rhosts.c

/*

auth-rhosts.c

Author: Tatu Ylonen <ylo@cs.hut.fi>

Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
                   All rights reserved

Created: Fri Mar 17 05:12:18 1995 ylo

Rhosts authentication.  This file contains code to check whether to admit
the login based on rhosts authentication.  This file also processes
/etc/hosts.equiv.

*/

#include "includes.h"
RCSID("$Id$");

#include "packet.h"
#include "ssh.h"
#include "xmalloc.h"
#include "uidswap.h"
#include "servconf.h"

/* This function processes an rhosts-style file (.rhosts, .shosts, or
   /etc/hosts.equiv).  This returns true if authentication can be granted
   based on the file, and returns zero otherwise. */

int check_rhosts_file(const char *filename, const char *hostname,
		      const char *ipaddr, const char *client_user,
		      const char *server_user)
{
  FILE *f;
  char buf[1024]; /* Must not be larger than host, user, dummy below. */
  
  /* Open the .rhosts file. */
  f = fopen(filename, "r");
  if (!f)
    return 0; /* Cannot read the .rhosts - deny access. */

  /* Go through the file, checking every entry. */
  while (fgets(buf, sizeof(buf), f))
    {
      /* All three must be at least as big as buf to avoid overflows. */
      char hostbuf[1024], userbuf[1024], dummy[1024], *host, *user, *cp;
      int negated;
      
      for (cp = buf; *cp == ' ' || *cp == '\t'; cp++)
	;
      if (*cp == '#' || *cp == '\n' || !*cp)
	continue;

      /* NO_PLUS is supported at least on OSF/1.  We skip it (we don't ever
	 support the plus syntax). */
      if (strncmp(cp, "NO_PLUS", 7) == 0)
	continue;

      /* This should be safe because each buffer is as big as the whole
	 string, and thus cannot be overwritten. */
      switch (sscanf(buf, "%s %s %s", hostbuf, userbuf, dummy))
	{
	case 0:
	  packet_send_debug("Found empty line in %.100s.", filename);
	  continue; /* Empty line? */
	case 1:
	  /* Host name only. */
	  strlcpy(userbuf, server_user, sizeof(userbuf));
	  break;
	case 2:
	  /* Got both host and user name. */
	  break;
	case 3:
	  packet_send_debug("Found garbage in %.100s.", filename);
	  continue; /* Extra garbage */
	default:
	  continue; /* Weird... */
	}

      host = hostbuf;
      user = userbuf;
      negated = 0;

      /* Process negated host names, or positive netgroups. */
      if (host[0] == '-')
	{
	  negated = 1;
	  host++;
	}
      else
	if (host[0] == '+')
	  host++;

      if (user[0] == '-')
	{
	  negated = 1;
	  user++;
	}
      else
	if (user[0] == '+')
	  user++;

      /* Check for empty host/user names (particularly '+'). */
      if (!host[0] || !user[0])
	{ 
	  /* We come here if either was '+' or '-'. */
	  packet_send_debug("Ignoring wild host/user names in %.100s.",
			    filename);
	  continue;
	}
	  
      /* Verify that host name matches. */
      if (host[0] == '@')
	{
	  if (!innetgr(host + 1, hostname, NULL, NULL) &&
	      !innetgr(host + 1, ipaddr, NULL, NULL))
	    continue;
	}
      else
	if (strcasecmp(host, hostname) && strcmp(host, ipaddr) != 0)
	  continue; /* Different hostname. */

      /* Verify that user name matches. */
      if (user[0] == '@')
	{
	  if (!innetgr(user + 1, NULL, client_user, NULL))
	    continue;
	}
      else
	if (strcmp(user, client_user) != 0)
	  continue; /* Different username. */

      /* Found the user and host. */
      fclose(f);

      /* If the entry was negated, deny access. */
      if (negated)
	{
	  packet_send_debug("Matched negative entry in %.100s.",
			    filename);
	  return 0;
	}

      /* Accept authentication. */
      return 1;
    }
     
  /* Authentication using this file denied. */
  fclose(f);
  return 0;
}

/* Tries to authenticate the user using the .shosts or .rhosts file.  
   Returns true if authentication succeeds.  If ignore_rhosts is
   true, only /etc/hosts.equiv will be considered (.rhosts and .shosts
   are ignored). */

int auth_rhosts(struct passwd *pw, const char *client_user)
{
  extern ServerOptions options;
  char buf[1024];
  const char *hostname, *ipaddr;
  int port;
  struct stat st;
  static const char *rhosts_files[] = { ".shosts", ".rhosts", NULL };
  unsigned int rhosts_file_index;

  /* Quick check: if the user has no .shosts or .rhosts files, return failure
     immediately without doing costly lookups from name servers. */
  /* Switch to the user's uid. */
  temporarily_use_uid(pw->pw_uid);
  for (rhosts_file_index = 0; rhosts_files[rhosts_file_index];
       rhosts_file_index++)
    {
      /* Check users .rhosts or .shosts. */
      snprintf(buf, sizeof buf, "%.500s/%.100s", 
	      pw->pw_dir, rhosts_files[rhosts_file_index]);
      if (stat(buf, &st) >= 0)
	break;
    }
  /* Switch back to privileged uid. */
  restore_uid();

  if (!rhosts_files[rhosts_file_index] && stat("/etc/hosts.equiv", &st) < 0 &&
      stat(SSH_HOSTS_EQUIV, &st) < 0)
    return 0; /* The user has no .shosts or .rhosts file and there are no
		 system-wide files. */

  /* Get the name, address, and port of the remote host.  */
  hostname = get_canonical_hostname();
  ipaddr = get_remote_ipaddr();
  port = get_remote_port();

  /* Check that the connection comes from a privileged port.
     Rhosts authentication only makes sense for priviledged programs.
     Of course, if the intruder has root access on his local machine,
     he can connect from any port.  So do not use .rhosts
     authentication from machines that you do not trust. */
  if (port >= IPPORT_RESERVED ||
      port < IPPORT_RESERVED / 2)
    {
      log("Connection from %.100s from nonpriviledged port %d",
	  hostname, port);
      packet_send_debug("Your ssh client is not running as root.");
      return 0;
    }

  /* If not logging in as superuser, try /etc/hosts.equiv and shosts.equiv. */
  if (pw->pw_uid != 0)
    {
      if (check_rhosts_file("/etc/hosts.equiv", hostname, ipaddr, client_user,
			    pw->pw_name))
	{
	  packet_send_debug("Accepted for %.100s [%.100s] by /etc/hosts.equiv.",
			    hostname, ipaddr);
	  return 1;
	}
      if (check_rhosts_file(SSH_HOSTS_EQUIV, hostname, ipaddr, client_user,
			    pw->pw_name))
	{
	  packet_send_debug("Accepted for %.100s [%.100s] by %.100s.", 
			    hostname, ipaddr, SSH_HOSTS_EQUIV);
	  return 1;
	}
    }

  /* Check that the home directory is owned by root or the user, and is not 
     group or world writable. */
  if (stat(pw->pw_dir, &st) < 0)
    {
      log("Rhosts authentication refused for %.100: no home directory %.200s",
	  pw->pw_name, pw->pw_dir);
      packet_send_debug("Rhosts authentication refused for %.100: no home directory %.200s",
			pw->pw_name, pw->pw_dir);
      return 0;
    }
  if (options.strict_modes && 
      ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
       (st.st_mode & 022) != 0))
    {
      log("Rhosts authentication refused for %.100s: bad ownership or modes for home directory.",
	  pw->pw_name);
      packet_send_debug("Rhosts authentication refused for %.100s: bad ownership or modes for home directory.",
			pw->pw_name);
      return 0;
    }
  
  /* Check all .rhosts files (currently .shosts and .rhosts). */
  /* Temporarily use the user's uid. */
  temporarily_use_uid(pw->pw_uid);
  for (rhosts_file_index = 0; rhosts_files[rhosts_file_index];
       rhosts_file_index++)
    {
      /* Check users .rhosts or .shosts. */
      snprintf(buf, sizeof buf, "%.500s/%.100s", 
	      pw->pw_dir, rhosts_files[rhosts_file_index]);
      if (stat(buf, &st) < 0)
	continue; /* No such file. */

      /* Make sure that the file is either owned by the user or by root,
	 and make sure it is not writable by anyone but the owner.  This is
	 to help avoid novices accidentally allowing access to their account
	 by anyone. */
      if (options.strict_modes &&
	  ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
	   (st.st_mode & 022) != 0))
	{
	  log("Rhosts authentication refused for %.100s: bad modes for %.200s",
	      pw->pw_name, buf);
	  packet_send_debug("Bad file modes for %.200s", buf);
	  continue;
	}

      /* Check if we have been configured to ignore .rhosts and .shosts 
	 files. */
      if (options.ignore_rhosts)
	{
	  packet_send_debug("Server has been configured to ignore %.100s.",
			    rhosts_files[rhosts_file_index]);
	  continue;
	}

      /* Check if authentication is permitted by the file. */
      if (check_rhosts_file(buf, hostname, ipaddr, client_user, pw->pw_name))
	{
	  packet_send_debug("Accepted by %.100s.",
			    rhosts_files[rhosts_file_index]);
	  /* Restore the privileged uid. */
	  restore_uid();
	  return 1;
	}
    }

  /* Rhosts authentication denied. */
  /* Restore the privileged uid. */
  restore_uid();
  return 0;
}
Commit	Line	Data
8efc0c15	1	/*
	2
	3	auth-rhosts.c
	4
	5	Author: Tatu Ylonen <ylo@cs.hut.fi>
	6
	7	Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
	8	All rights reserved
	9
	10	Created: Fri Mar 17 05:12:18 1995 ylo
	11
	12	Rhosts authentication. This file contains code to check whether to admit
	13	the login based on rhosts authentication. This file also processes
	14	/etc/hosts.equiv.
	15
	16	*/
	17
	18	#include "includes.h"
	19	RCSID("$Id$");
	20
	21	#include "packet.h"
	22	#include "ssh.h"
	23	#include "xmalloc.h"
	24	#include "uidswap.h"
6fa724bc	25	#include "servconf.h"
8efc0c15	26
	27	/* This function processes an rhosts-style file (.rhosts, .shosts, or
	28	/etc/hosts.equiv). This returns true if authentication can be granted
	29	based on the file, and returns zero otherwise. */
	30
	31	int check_rhosts_file(const char filename, const char hostname,
	32	const char ipaddr, const char client_user,
	33	const char *server_user)
	34	{
	35	FILE *f;
	36	char buf[1024]; /* Must not be larger than host, user, dummy below. */
	37
	38	/* Open the .rhosts file. */
	39	f = fopen(filename, "r");
	40	if (!f)
	41	return 0; /* Cannot read the .rhosts - deny access. */
	42
	43	/* Go through the file, checking every entry. */
	44	while (fgets(buf, sizeof(buf), f))
	45	{
	46	/* All three must be at least as big as buf to avoid overflows. */
	47	char hostbuf[1024], userbuf[1024], dummy[1024], host, user, *cp;
	48	int negated;
	49
	50	for (cp = buf; cp == ' ' \|\| cp == '\t'; cp++)
	51	;
	52	if (cp == '#' \|\| cp == '\n' \|\| !*cp)
	53	continue;
	54
	55	/* NO_PLUS is supported at least on OSF/1. We skip it (we don't ever
	56	support the plus syntax). */
	57	if (strncmp(cp, "NO_PLUS", 7) == 0)
	58	continue;
	59
	60	/* This should be safe because each buffer is as big as the whole
	61	string, and thus cannot be overwritten. */
	62	switch (sscanf(buf, "%s %s %s", hostbuf, userbuf, dummy))
	63	{
	64	case 0:
	65	packet_send_debug("Found empty line in %.100s.", filename);
	66	continue; /* Empty line? */
	67	case 1:
	68	/* Host name only. */
	69	strlcpy(userbuf, server_user, sizeof(userbuf));
	70	break;
	71	case 2:
	72	/* Got both host and user name. */
	73	break;
	74	case 3:
	75	packet_send_debug("Found garbage in %.100s.", filename);
	76	continue; /* Extra garbage */
	77	default:
	78	continue; /* Weird... */
	79	}
	80
	81	host = hostbuf;
	82	user = userbuf;
	83	negated = 0;
	84
	85	/* Process negated host names, or positive netgroups. */
	86	if (host[0] == '-')
	87	{
	88	negated = 1;
	89	host++;
90	}
91	else
92	if (host[0] == '+')
93	host++;
94
95	if (user[0] == '-')
96	{
97	negated = 1;
98	user++;
99	}
100	else
101	if (user[0] == '+')
102	user++;
103
104	/* Check for empty host/user names (particularly '+'). */
105	if (!host[0] \|\| !user[0])
106	{
107	/* We come here if either was '+' or '-'. */
108	packet_send_debug("Ignoring wild host/user names in %.100s.",
109	filename);
110	continue;
111	}
112
113	/* Verify that host name matches. */
114	if (host[0] == '@')
115	{
116	if (!innetgr(host + 1, hostname, NULL, NULL) &&
117	!innetgr(host + 1, ipaddr, NULL, NULL))
118	continue;
119	}
120	else
121	if (strcasecmp(host, hostname) && strcmp(host, ipaddr) != 0)
122	continue; /* Different hostname. */
123
124	/* Verify that user name matches. */
125	if (user[0] == '@')
126	{
127	if (!innetgr(user + 1, NULL, client_user, NULL))
128	continue;
129	}
130	else
131	if (strcmp(user, client_user) != 0)
132	continue; /* Different username. */
133
134	/* Found the user and host. */
135	fclose(f);
136
137	/* If the entry was negated, deny access. */
138	if (negated)
139	{
140	packet_send_debug("Matched negative entry in %.100s.",
141	filename);
142	return 0;
143	}
144
145	/* Accept authentication. */
146	return 1;
147	}
148
149	/* Authentication using this file denied. */
150	fclose(f);
151	return 0;
152	}
153
154	/* Tries to authenticate the user using the .shosts or .rhosts file.
155	Returns true if authentication succeeds. If ignore_rhosts is
156	true, only /etc/hosts.equiv will be considered (.rhosts and .shosts
157	are ignored). */
158
6fa724bc	159	int auth_rhosts(struct passwd pw, const char client_user)
8efc0c15	160	{
6fa724bc	161	extern ServerOptions options;
8efc0c15	162	char buf[1024];
	163	const char hostname, ipaddr;
	164	int port;
	165	struct stat st;
	166	static const char *rhosts_files[] = { ".shosts", ".rhosts", NULL };
	167	unsigned int rhosts_file_index;
	168
	169	/* Quick check: if the user has no .shosts or .rhosts files, return failure
	170	immediately without doing costly lookups from name servers. */
	171	/* Switch to the user's uid. */
	172	temporarily_use_uid(pw->pw_uid);
	173	for (rhosts_file_index = 0; rhosts_files[rhosts_file_index];
	174	rhosts_file_index++)
	175	{
	176	/* Check users .rhosts or .shosts. */
	177	snprintf(buf, sizeof buf, "%.500s/%.100s",
	178	pw->pw_dir, rhosts_files[rhosts_file_index]);
	179	if (stat(buf, &st) >= 0)
	180	break;
	181	}
	182	/* Switch back to privileged uid. */
	183	restore_uid();
	184
	185	if (!rhosts_files[rhosts_file_index] && stat("/etc/hosts.equiv", &st) < 0 &&
	186	stat(SSH_HOSTS_EQUIV, &st) < 0)
	187	return 0; /* The user has no .shosts or .rhosts file and there are no
	188	system-wide files. */
	189
	190	/* Get the name, address, and port of the remote host. */
	191	hostname = get_canonical_hostname();
	192	ipaddr = get_remote_ipaddr();
	193	port = get_remote_port();
	194
	195	/* Check that the connection comes from a privileged port.
	196	Rhosts authentication only makes sense for priviledged programs.
	197	Of course, if the intruder has root access on his local machine,
	198	he can connect from any port. So do not use .rhosts
	199	authentication from machines that you do not trust. */
	200	if (port >= IPPORT_RESERVED \|\|
	201	port < IPPORT_RESERVED / 2)
	202	{
	203	log("Connection from %.100s from nonpriviledged port %d",
	204	hostname, port);
	205	packet_send_debug("Your ssh client is not running as root.");
	206	return 0;
	207	}
	208
	209	/* If not logging in as superuser, try /etc/hosts.equiv and shosts.equiv. */
	210	if (pw->pw_uid != 0)
	211	{
	212	if (check_rhosts_file("/etc/hosts.equiv", hostname, ipaddr, client_user,
	213	pw->pw_name))
	214	{
	215	packet_send_debug("Accepted for %.100s [%.100s] by /etc/hosts.equiv.",
	216	hostname, ipaddr);
	217	return 1;
	218	}
	219	if (check_rhosts_file(SSH_HOSTS_EQUIV, hostname, ipaddr, client_user,
	220	pw->pw_name))
	221	{
	222	packet_send_debug("Accepted for %.100s [%.100s] by %.100s.",
	223	hostname, ipaddr, SSH_HOSTS_EQUIV);
	224	return 1;
	225	}
226	}
227
228	/* Check that the home directory is owned by root or the user, and is not
229	group or world writable. */
230	if (stat(pw->pw_dir, &st) < 0)
231	{
232	log("Rhosts authentication refused for %.100: no home directory %.200s",
233	pw->pw_name, pw->pw_dir);
234	packet_send_debug("Rhosts authentication refused for %.100: no home directory %.200s",
235	pw->pw_name, pw->pw_dir);
236	return 0;
237	}
6fa724bc	238	if (options.strict_modes &&
8efc0c15	239	((st.st_uid != 0 && st.st_uid != pw->pw_uid) \|\|
	240	(st.st_mode & 022) != 0))
	241	{
	242	log("Rhosts authentication refused for %.100s: bad ownership or modes for home directory.",
	243	pw->pw_name);
	244	packet_send_debug("Rhosts authentication refused for %.100s: bad ownership or modes for home directory.",
	245	pw->pw_name);
	246	return 0;
	247	}
	248
	249	/* Check all .rhosts files (currently .shosts and .rhosts). */
	250	/* Temporarily use the user's uid. */
	251	temporarily_use_uid(pw->pw_uid);
	252	for (rhosts_file_index = 0; rhosts_files[rhosts_file_index];
	253	rhosts_file_index++)
	254	{
	255	/* Check users .rhosts or .shosts. */
	256	snprintf(buf, sizeof buf, "%.500s/%.100s",
	257	pw->pw_dir, rhosts_files[rhosts_file_index]);
	258	if (stat(buf, &st) < 0)
	259	continue; /* No such file. */
	260
	261	/* Make sure that the file is either owned by the user or by root,
	262	and make sure it is not writable by anyone but the owner. This is
	263	to help avoid novices accidentally allowing access to their account
	264	by anyone. */
6fa724bc	265	if (options.strict_modes &&
8efc0c15	266	((st.st_uid != 0 && st.st_uid != pw->pw_uid) \|\|
	267	(st.st_mode & 022) != 0))
	268	{
	269	log("Rhosts authentication refused for %.100s: bad modes for %.200s",
	270	pw->pw_name, buf);
	271	packet_send_debug("Bad file modes for %.200s", buf);
	272	continue;
	273	}
	274
	275	/* Check if we have been configured to ignore .rhosts and .shosts
	276	files. */
6fa724bc	277	if (options.ignore_rhosts)
8efc0c15	278	{
	279	packet_send_debug("Server has been configured to ignore %.100s.",
	280	rhosts_files[rhosts_file_index]);
	281	continue;
	282	}
	283
	284	/* Check if authentication is permitted by the file. */
	285	if (check_rhosts_file(buf, hostname, ipaddr, client_user, pw->pw_name))
	286	{
	287	packet_send_debug("Accepted by %.100s.",
	288	rhosts_files[rhosts_file_index]);
	289	/* Restore the privileged uid. */
	290	restore_uid();
	291	return 1;
	292	}
	293	}
	294
	295	/* Rhosts authentication denied. */
	296	/* Restore the privileged uid. */
	297	restore_uid();
	298	return 0;
	299	}