- markus@cvs.openbsd.org 2001/08/30 22:22:32

[openssh.git] / auth-rh-rsa.c

diff --git a/auth-rh-rsa.c b/auth-rh-rsa.c
index 3070c9d4138885743f64da1dad2efefc512bd674..5bca5a9702d695c64e317801356d350fba0aef97 100644 (file)
--- a/auth-rh-rsa.c
+++ b/auth-rh-rsa.c
@@ -13,18 +13,19 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth-rh-rsa.c,v 1.17 2000/10/03 18:03:03 markus Exp $");
+RCSID("$OpenBSD: auth-rh-rsa.c,v 1.25 2001/06/23 03:04:42 markus Exp $");
 
 #include "packet.h"
-#include "ssh.h"
 #include "xmalloc.h"
 #include "uidswap.h"
+#include "log.h"
 #include "servconf.h"
-
-#include <openssl/rsa.h>
-#include <openssl/dsa.h>
 #include "key.h"
 #include "hostfile.h"
+#include "pathnames.h"
+#include "auth.h"
+#include "tildexpand.h"
+#include "canohost.h"
 
 /*
  * Tries to authenticate the user using the .rhosts file and the host using
@@ -37,7 +38,7 @@ auth_rhosts_rsa(struct passwd *pw, const char *client_user, RSA *client_host_key
        extern ServerOptions options;
        const char *canonical_hostname;
        HostStatus host_status;
-       Key *client_key, *found;
+       Key *client_key;
 
        debug("Trying rhosts with RSA host authentication for client user %.100s", client_user);
 
@@ -48,45 +49,21 @@ auth_rhosts_rsa(struct passwd *pw, const char *client_user, RSA *client_host_key
        if (!auth_rhosts(pw, client_user))
                return 0;
 
-       canonical_hostname = get_canonical_hostname();
+       canonical_hostname = get_canonical_hostname(
+           options.reverse_mapping_check);
 
        debug("Rhosts RSA authentication: canonical host %.900s", canonical_hostname);
 
        /* wrap the RSA key into a 'generic' key */
-       client_key = key_new(KEY_RSA);
+       client_key = key_new(KEY_RSA1);
        BN_copy(client_key->rsa->e, client_host_key->e);
        BN_copy(client_key->rsa->n, client_host_key->n);
-       found = key_new(KEY_RSA);
 
-       /* Check if we know the host and its host key. */
-       host_status = check_host_in_hostfile(SSH_SYSTEM_HOSTFILE, canonical_hostname,
-           client_key, found);
+       host_status = check_key_in_hostfiles(pw, client_key, canonical_hostname,
+           _PATH_SSH_SYSTEM_HOSTFILE,
+           options.ignore_user_known_hosts ? NULL : _PATH_SSH_USER_HOSTFILE);
 
-       /* Check user host file unless ignored. */
-       if (host_status != HOST_OK && !options.ignore_user_known_hosts) {
-               struct stat st;
-               char *user_hostfile = tilde_expand_filename(SSH_USER_HOSTFILE, pw->pw_uid);
-               /*
-                * Check file permissions of SSH_USER_HOSTFILE, auth_rsa()
-                * did already check pw->pw_dir, but there is a race XXX
-                */
-               if (options.strict_modes &&
-                   (stat(user_hostfile, &st) == 0) &&
-                   ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
-                    (st.st_mode & 022) != 0)) {
-                       log("Rhosts RSA authentication refused for %.100s: bad owner or modes for %.200s",
-                           pw->pw_name, user_hostfile);
-               } else {
-                       /* XXX race between stat and the following open() */
-                       temporarily_use_uid(pw->pw_uid);
-                       host_status = check_host_in_hostfile(user_hostfile, canonical_hostname,
-                           client_key, found);
-                       restore_uid();
-               }
-               xfree(user_hostfile);
-       }
        key_free(client_key);
-       key_free(found);
 
        if (host_status != HOST_OK) {
                debug("Rhosts with RSA host authentication denied: unknown or invalid host key");