1 /* 2 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * All rights reserved 5 * Rhosts authentication. This file contains code to check whether to admit 6 * the login based on rhosts authentication. This file also processes 7 * /etc/hosts.equiv. 8 * 9 * As far as I am concerned, the code I have written for this software 10 * can be used freely for any purpose. Any derived versions of this 11 * software must be clearly marked as such, and if the derived work is 12 * incompatible with the protocol description in the RFC file, it must be 13 * called by a name other than "ssh" or "Secure Shell". 14 */ 15 16 #include "includes.h" 17 RCSID("$OpenBSD: auth-rhosts.c,v 1.28 2002/05/13 21:26:49 markus Exp $"); 18 19 #pragma ident "%Z%%M% %I% %E% SMI" 20 21 #include "packet.h" 22 #include "uidswap.h" 23 #include "pathnames.h" 24 #include "log.h" 25 #include "servconf.h" 26 #include "canohost.h" 27 #include "auth.h" 28 29 /* import */ 30 extern ServerOptions options; 31 32 /* 33 * This function processes an rhosts-style file (.rhosts, .shosts, or 34 * /etc/hosts.equiv). This returns true if authentication can be granted 35 * based on the file, and returns zero otherwise. 36 */ 37 38 static int 39 check_rhosts_file(const char *filename, const char *hostname, 40 const char *ipaddr, const char *client_user, 41 const char *server_user) 42 { 43 FILE *f; 44 char buf[1024]; /* Must not be larger than host, user, dummy below. */ 45 46 /* Open the .rhosts file, deny if unreadable */ 47 f = fopen(filename, "r"); 48 if (!f) 49 return 0; 50 51 while (fgets(buf, sizeof(buf), f)) { 52 /* All three must be at least as big as buf to avoid overflows. */ 53 char hostbuf[1024], userbuf[1024], dummy[1024], *host, *user, *cp; 54 int negated; 55 56 for (cp = buf; *cp == ' ' || *cp == '\t'; cp++) 57 ; 58 if (*cp == '#' || *cp == '\n' || !*cp) 59 continue; 60 61 /* 62 * NO_PLUS is supported at least on OSF/1. We skip it (we 63 * don't ever support the plus syntax). 64 */ 65 if (strncmp(cp, "NO_PLUS", 7) == 0) 66 continue; 67 68 /* 69 * This should be safe because each buffer is as big as the 70 * whole string, and thus cannot be overwritten. 71 */ 72 switch (sscanf(buf, "%1024s %1024s %1024s", 73 hostbuf, userbuf, dummy)) { 74 case 0: 75 auth_debug_add("Found empty line in %.100s.", filename); 76 continue; 77 case 1: 78 /* Host name only. */ 79 strlcpy(userbuf, server_user, sizeof(userbuf)); 80 break; 81 case 2: 82 /* Got both host and user name. */ 83 break; 84 case 3: 85 auth_debug_add("Found garbage in %.100s.", filename); 86 continue; 87 default: 88 /* Weird... */ 89 continue; 90 } 91 92 host = hostbuf; 93 user = userbuf; 94 negated = 0; 95 96 /* Process negated host names, or positive netgroups. */ 97 if (host[0] == '-') { 98 negated = 1; 99 host++; 100 } else if (host[0] == '+') 101 host++; 102 103 if (user[0] == '-') { 104 negated = 1; 105 user++; 106 } else if (user[0] == '+') 107 user++; 108 109 /* Check for empty host/user names (particularly '+'). */ 110 if (!host[0] || !user[0]) { 111 /* We come here if either was '+' or '-'. */ 112 auth_debug_add("Ignoring wild host/user names in %.100s.", 113 filename); 114 continue; 115 } 116 /* Verify that host name matches. */ 117 if (host[0] == '@') { 118 if (!innetgr(host + 1, hostname, NULL, NULL) && 119 !innetgr(host + 1, ipaddr, NULL, NULL)) 120 continue; 121 } else if (strcasecmp(host, hostname) && strcmp(host, ipaddr) != 0) 122 continue; /* Different hostname. */ 123 124 /* Verify that user name matches. */ 125 if (user[0] == '@') { 126 if (!innetgr(user + 1, NULL, client_user, NULL)) 127 continue; 128 } else if (strcmp(user, client_user) != 0) 129 continue; /* Different username. */ 130 131 /* Found the user and host. */ 132 fclose(f); 133 134 /* If the entry was negated, deny access. */ 135 if (negated) { 136 auth_debug_add("Matched negative entry in %.100s.", 137 filename); 138 return 0; 139 } 140 /* Accept authentication. */ 141 return 1; 142 } 143 144 /* Authentication using this file denied. */ 145 fclose(f); 146 return 0; 147 } 148 149 /* 150 * Tries to authenticate the user using the .shosts or .rhosts file. Returns 151 * true if authentication succeeds. If ignore_rhosts is true, only 152 * /etc/hosts.equiv will be considered (.rhosts and .shosts are ignored). 153 */ 154 155 int 156 auth_rhosts(struct passwd *pw, const char *client_user) 157 { 158 const char *hostname, *ipaddr; 159 160 hostname = get_canonical_hostname(options.verify_reverse_mapping); 161 ipaddr = get_remote_ipaddr(); 162 return auth_rhosts2(pw, client_user, hostname, ipaddr); 163 } 164 165 static int 166 auth_rhosts2_raw(struct passwd *pw, const char *client_user, const char *hostname, 167 const char *ipaddr) 168 { 169 char buf[1024]; 170 struct stat st; 171 static const char *rhosts_files[] = {".shosts", ".rhosts", NULL}; 172 u_int rhosts_file_index; 173 174 debug2("auth_rhosts2: clientuser %s hostname %s ipaddr %s", 175 client_user, hostname, ipaddr); 176 177 /* no user given */ 178 if (pw == NULL) 179 return 0; 180 181 /* Switch to the user's uid. */ 182 temporarily_use_uid(pw); 183 /* 184 * Quick check: if the user has no .shosts or .rhosts files, return 185 * failure immediately without doing costly lookups from name 186 * servers. 187 */ 188 for (rhosts_file_index = 0; rhosts_files[rhosts_file_index]; 189 rhosts_file_index++) { 190 /* Check users .rhosts or .shosts. */ 191 snprintf(buf, sizeof buf, "%.500s/%.100s", 192 pw->pw_dir, rhosts_files[rhosts_file_index]); 193 if (stat(buf, &st) >= 0) 194 break; 195 } 196 /* Switch back to privileged uid. */ 197 restore_uid(); 198 199 /* Deny if The user has no .shosts or .rhosts file and there are no system-wide files. */ 200 if (!rhosts_files[rhosts_file_index] && 201 stat(_PATH_RHOSTS_EQUIV, &st) < 0 && 202 stat(_PATH_SSH_HOSTS_EQUIV, &st) < 0) 203 return 0; 204 205 /* If not logging in as superuser, try /etc/hosts.equiv and shosts.equiv. */ 206 if (pw->pw_uid != 0) { 207 if (check_rhosts_file(_PATH_RHOSTS_EQUIV, hostname, ipaddr, 208 client_user, pw->pw_name)) { 209 auth_debug_add("Accepted for %.100s [%.100s] by /etc/hosts.equiv.", 210 hostname, ipaddr); 211 return 1; 212 } 213 if (check_rhosts_file(_PATH_SSH_HOSTS_EQUIV, hostname, ipaddr, 214 client_user, pw->pw_name)) { 215 auth_debug_add("Accepted for %.100s [%.100s] by %.100s.", 216 hostname, ipaddr, _PATH_SSH_HOSTS_EQUIV); 217 return 1; 218 } 219 } 220 /* 221 * Check that the home directory is owned by root or the user, and is 222 * not group or world writable. 223 */ 224 if (stat(pw->pw_dir, &st) < 0) { 225 log("Rhosts authentication refused for %.100s: " 226 "no home directory %.200s", pw->pw_name, pw->pw_dir); 227 auth_debug_add("Rhosts authentication refused for %.100s: " 228 "no home directory %.200s", pw->pw_name, pw->pw_dir); 229 return 0; 230 } 231 if (options.strict_modes && 232 ((st.st_uid != 0 && st.st_uid != pw->pw_uid) || 233 (st.st_mode & 022) != 0)) { 234 log("Rhosts authentication refused for %.100s: " 235 "bad ownership or modes for home directory.", pw->pw_name); 236 auth_debug_add("Rhosts authentication refused for %.100s: " 237 "bad ownership or modes for home directory.", pw->pw_name); 238 return 0; 239 } 240 /* Temporarily use the user's uid. */ 241 temporarily_use_uid(pw); 242 243 /* Check all .rhosts files (currently .shosts and .rhosts). */ 244 for (rhosts_file_index = 0; rhosts_files[rhosts_file_index]; 245 rhosts_file_index++) { 246 /* Check users .rhosts or .shosts. */ 247 snprintf(buf, sizeof buf, "%.500s/%.100s", 248 pw->pw_dir, rhosts_files[rhosts_file_index]); 249 if (stat(buf, &st) < 0) 250 continue; 251 252 /* 253 * Make sure that the file is either owned by the user or by 254 * root, and make sure it is not writable by anyone but the 255 * owner. This is to help avoid novices accidentally 256 * allowing access to their account by anyone. 257 */ 258 if (options.strict_modes && 259 ((st.st_uid != 0 && st.st_uid != pw->pw_uid) || 260 (st.st_mode & 022) != 0)) { 261 log("Rhosts authentication refused for %.100s: bad modes for %.200s", 262 pw->pw_name, buf); 263 auth_debug_add("Bad file modes for %.200s", buf); 264 continue; 265 } 266 /* Check if we have been configured to ignore .rhosts and .shosts files. */ 267 if (options.ignore_rhosts) { 268 auth_debug_add("Server has been configured to ignore %.100s.", 269 rhosts_files[rhosts_file_index]); 270 continue; 271 } 272 /* Check if authentication is permitted by the file. */ 273 if (check_rhosts_file(buf, hostname, ipaddr, client_user, pw->pw_name)) { 274 auth_debug_add("Accepted by %.100s.", 275 rhosts_files[rhosts_file_index]); 276 /* Restore the privileged uid. */ 277 restore_uid(); 278 auth_debug_add("Accepted host %s ip %s client_user %s server_user %s", 279 hostname, ipaddr, client_user, pw->pw_name); 280 return 1; 281 } 282 } 283 284 /* Restore the privileged uid. */ 285 restore_uid(); 286 return 0; 287 } 288 289 int 290 auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname, 291 const char *ipaddr) 292 { 293 int ret; 294 295 auth_debug_reset(); 296 ret = auth_rhosts2_raw(pw, client_user, hostname, ipaddr); 297 auth_debug_send(); 298 return ret; 299 }