- [auth-rh-rsa.c] user/958: check ~/.ssh/known_hosts for rhosts-rsa, too

   - [ssh.1] user/958: check ~/.ssh/known_hosts for rhosts-rsa, too
   - [sshd.8] user/958: check ~/.ssh/known_hosts for rhosts-rsa, too

diff --git a/ChangeLog b/ChangeLog
index 4fed0720f0bfb2e8461b844003413276ebe0e984..8088670c90a77c26f84998b972ed3908436faab5 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,7 +1,10 @@
 19991111
  - Added (untested) Entropy Gathering Daemon (EGD) support
  - Fixed fd leak
-
+ - Merged OpenBSD CVS changes:
+   - [auth-rh-rsa.c] user/958: check ~/.ssh/known_hosts for rhosts-rsa, too
+   - [ssh.1] user/958: check ~/.ssh/known_hosts for rhosts-rsa, too
+   - [sshd.8] user/958: check ~/.ssh/known_hosts for rhosts-rsa, too
 19991110
  - Merged several minor fixed:
    - ssh-agent commandline parsing

diff --git a/auth-rh-rsa.c b/auth-rh-rsa.c
index 9c71715e2f117a32d3b99766a9fb5e5a3150b53d..609cca630e6d96f7a159e764f1070979ddf0207b 100644 (file)
--- a/auth-rh-rsa.c
+++ b/auth-rh-rsa.c
@@ -53,8 +53,31 @@ int auth_rhosts_rsa(struct passwd *pw, const char *client_user,
   host_status = check_host_in_hostfile(SSH_SYSTEM_HOSTFILE, canonical_hostname,
                                       client_host_key_bits, client_host_key_e,
                                       client_host_key_n, ke, kn);
+  /* Check user host file. */
+  if (host_status != HOST_OK) {
+    struct stat st;
+    char *user_hostfile = tilde_expand_filename(SSH_USER_HOSTFILE, pw->pw_uid);
+    /* Check file permissions of SSH_USER_HOSTFILE,
+       auth_rsa() did already check pw->pw_dir, but there is a race XXX */
+    if (strict_modes &&
+       (stat(user_hostfile, &st) == 0) &&
+       ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
+       (st.st_mode & 022) != 0)) {
+       log("Rhosts RSA authentication refused for %.100s: bad owner or modes for %.200s",
+          pw->pw_name, user_hostfile);
+    } else {
+      /* XXX race between stat and the following open() */
+      temporarily_use_uid(pw->pw_uid);
+      host_status = check_host_in_hostfile(user_hostfile, canonical_hostname,
+                                          client_host_key_bits, client_host_key_e,
+                                          client_host_key_n, ke, kn);
+      restore_uid();
+    }
+    xfree(user_hostfile);
+  }
   BN_free(ke);
   BN_free(kn);
+
   if (host_status != HOST_OK) {
     /* The host key was not found. */
     debug("Rhosts with RSA host authentication denied: unknown or invalid host key");

diff --git a/ssh.1 b/ssh.1
index b4c3a41f03ebf9d9c8ecd94100cdbf7d4b5a2916..b3b2f236fed12fdcf01ee411c363859127d527c7 100644 (file)
--- a/ssh.1
+++ b/ssh.1
@@ -93,6 +93,8 @@ or
 and if additionally the server can verify the client's
 host key (see 
 .Pa /etc/ssh/ssh_known_hosts
+and
+.Pa $HOME/.ssh/known_hosts
 in the
 .Sx FILES
 section), only then login is

diff --git a/sshd.8 b/sshd.8
index 2fc185127d5bcf3431a81bd70f3b6ee6cc639568..c01f57121c3e45b14a192eb246731fee0ce349b8 100644 (file)
--- a/sshd.8
+++ b/sshd.8
@@ -622,14 +622,11 @@ This file must be readable by root (which may on some machines imply
 it being world-readable if the user's home directory resides on an NFS
 volume).  It is recommended that it not be accessible by others.  The
 format of this file is described above.
-.It Pa /etc/ssh/ssh_known_hosts
+.It Pa "/etc/ssh/ssh_known_hosts" and "$HOME/.ssh/known_hosts"
 This file is consulted when using rhosts with RSA host
 authentication to check the public key of the host.  The key must be
-listed in this file to be accepted.
-.It Pa $HOME/.ssh/known_hosts
-The client uses this file
-and
-.Pa /etc/ssh/ssh_known_hosts
+listed in one of these files to be accepted.
+The client uses the same files
 to verify that the remote host is the one we intended to
 connect. These files should be writable only by root/the owner.
 .Pa /etc/ssh/ssh_known_hosts