[openssh.git] / auth-rh-rsa.c

/*

auth-rh-rsa.c

Author: Tatu Ylonen <ylo@cs.hut.fi>

Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
                   All rights reserved

Created: Sun May  7 03:08:06 1995 ylo

Rhosts or /etc/hosts.equiv authentication combined with RSA host
authentication.

*/

#include "includes.h"
RCSID("$Id$");

#include "packet.h"
#include "ssh.h"
#include "xmalloc.h"
#include "uidswap.h"

/* Tries to authenticate the user using the .rhosts file and the host using
   its host key.  Returns true if authentication succeeds. 
   .rhosts and .shosts will be ignored if ignore_rhosts is non-zero. */

int auth_rhosts_rsa(struct passwd *pw, const char *client_user,
		    unsigned int client_host_key_bits,
		    BIGNUM *client_host_key_e, BIGNUM *client_host_key_n,
		    int ignore_rhosts, int strict_modes)
{
  const char *canonical_hostname;
  HostStatus host_status;
  BIGNUM *ke, *kn;

  debug("Trying rhosts with RSA host authentication for %.100s", client_user);

  /* Check if we would accept it using rhosts authentication. */
  if (!auth_rhosts(pw, client_user, ignore_rhosts, strict_modes))
    return 0;

  canonical_hostname = get_canonical_hostname();

  debug("Rhosts RSA authentication: canonical host %.900s",
	canonical_hostname);
  
  /* Check if we know the host and its host key. */
  /* Check system-wide host file. */
  ke = BN_new();
  kn = BN_new();
  host_status = check_host_in_hostfile(SSH_SYSTEM_HOSTFILE, canonical_hostname,
				       client_host_key_bits, client_host_key_e,
				       client_host_key_n, ke, kn);
  /* Check user host file. */
  if (host_status != HOST_OK) {
    struct stat st;
    char *user_hostfile = tilde_expand_filename(SSH_USER_HOSTFILE, pw->pw_uid);
    /* Check file permissions of SSH_USER_HOSTFILE,
       auth_rsa() did already check pw->pw_dir, but there is a race XXX */
    if (strict_modes &&
	(stat(user_hostfile, &st) == 0) &&
	((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
	(st.st_mode & 022) != 0)) {
       log("Rhosts RSA authentication refused for %.100s: bad owner or modes for %.200s",
	   pw->pw_name, user_hostfile);
    } else {
      /* XXX race between stat and the following open() */
      temporarily_use_uid(pw->pw_uid);
      host_status = check_host_in_hostfile(user_hostfile, canonical_hostname,
					   client_host_key_bits, client_host_key_e,
					   client_host_key_n, ke, kn);
      restore_uid();
    }
    xfree(user_hostfile);
  }
  BN_free(ke);
  BN_free(kn);

  if (host_status != HOST_OK) {
    /* The host key was not found. */
    debug("Rhosts with RSA host authentication denied: unknown or invalid host key");
    packet_send_debug("Your host key cannot be verified: unknown or invalid host key.");
    return 0;
  }

  /* A matching host key was found and is known. */
  
  /* Perform the challenge-response dialog with the client for the host key. */
  if (!auth_rsa_challenge_dialog(client_host_key_bits,
				 client_host_key_e, client_host_key_n))
    {
      log("Client on %.800s failed to respond correctly to host authentication.",
	  canonical_hostname);
      return 0;
    }

  /* We have authenticated the user using .rhosts or /etc/hosts.equiv, and
     the host using RSA.  We accept the authentication. */
  
  log("Rhosts with RSA host authentication accepted for %.100s, %.100s on %.700s.",
      pw->pw_name, client_user, canonical_hostname);
  packet_send_debug("Rhosts with RSA host authentication accepted.");
  return 1;
}
Commit	Line	Data
8efc0c15	1	/*
	2
	3	auth-rh-rsa.c
	4
	5	Author: Tatu Ylonen <ylo@cs.hut.fi>
	6
	7	Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
	8	All rights reserved
	9
	10	Created: Sun May 7 03:08:06 1995 ylo
	11
	12	Rhosts or /etc/hosts.equiv authentication combined with RSA host
	13	authentication.
	14
	15	*/
	16
	17	#include "includes.h"
	18	RCSID("$Id$");
	19
	20	#include "packet.h"
	21	#include "ssh.h"
	22	#include "xmalloc.h"
	23	#include "uidswap.h"
	24
	25	/* Tries to authenticate the user using the .rhosts file and the host using
	26	its host key. Returns true if authentication succeeds.
	27	.rhosts and .shosts will be ignored if ignore_rhosts is non-zero. */
	28
	29	int auth_rhosts_rsa(struct passwd pw, const char client_user,
	30	unsigned int client_host_key_bits,
	31	BIGNUM client_host_key_e, BIGNUM client_host_key_n,
	32	int ignore_rhosts, int strict_modes)
	33	{
	34	const char *canonical_hostname;
	35	HostStatus host_status;
	36	BIGNUM ke, kn;
	37
	38	debug("Trying rhosts with RSA host authentication for %.100s", client_user);
	39
	40	/* Check if we would accept it using rhosts authentication. */
	41	if (!auth_rhosts(pw, client_user, ignore_rhosts, strict_modes))
	42	return 0;
	43
	44	canonical_hostname = get_canonical_hostname();
	45
	46	debug("Rhosts RSA authentication: canonical host %.900s",
	47	canonical_hostname);
	48
	49	/* Check if we know the host and its host key. */
	50	/* Check system-wide host file. */
	51	ke = BN_new();
	52	kn = BN_new();
	53	host_status = check_host_in_hostfile(SSH_SYSTEM_HOSTFILE, canonical_hostname,
	54	client_host_key_bits, client_host_key_e,
	55	client_host_key_n, ke, kn);
5bbb5681	56	/* Check user host file. */
	57	if (host_status != HOST_OK) {
	58	struct stat st;
	59	char *user_hostfile = tilde_expand_filename(SSH_USER_HOSTFILE, pw->pw_uid);
	60	/* Check file permissions of SSH_USER_HOSTFILE,
	61	auth_rsa() did already check pw->pw_dir, but there is a race XXX */
	62	if (strict_modes &&
	63	(stat(user_hostfile, &st) == 0) &&
	64	((st.st_uid != 0 && st.st_uid != pw->pw_uid) \|\|
	65	(st.st_mode & 022) != 0)) {
	66	log("Rhosts RSA authentication refused for %.100s: bad owner or modes for %.200s",
	67	pw->pw_name, user_hostfile);
	68	} else {
	69	/* XXX race between stat and the following open() */
	70	temporarily_use_uid(pw->pw_uid);
	71	host_status = check_host_in_hostfile(user_hostfile, canonical_hostname,
	72	client_host_key_bits, client_host_key_e,
	73	client_host_key_n, ke, kn);
	74	restore_uid();
	75	}
	76	xfree(user_hostfile);
	77	}
8efc0c15	78	BN_free(ke);
8efc0c15	79	BN_free(kn);
5bbb5681	80
8efc0c15	81	if (host_status != HOST_OK) {
	82	/* The host key was not found. */
	83	debug("Rhosts with RSA host authentication denied: unknown or invalid host key");
	84	packet_send_debug("Your host key cannot be verified: unknown or invalid host key.");
	85	return 0;
	86	}
	87
	88	/* A matching host key was found and is known. */
	89
	90	/* Perform the challenge-response dialog with the client for the host key. */
	91	if (!auth_rsa_challenge_dialog(client_host_key_bits,
	92	client_host_key_e, client_host_key_n))
	93	{
	94	log("Client on %.800s failed to respond correctly to host authentication.",
	95	canonical_hostname);
	96	return 0;
	97	}
	98
	99	/* We have authenticated the user using .rhosts or /etc/hosts.equiv, and
	100	the host using RSA. We accept the authentication. */
	101
	102	log("Rhosts with RSA host authentication accepted for %.100s, %.100s on %.700s.",
	103	pw->pw_name, client_user, canonical_hostname);
	104	packet_send_debug("Rhosts with RSA host authentication accepted.");
	105	return 1;
	106	}