1*7c478bd9Sstevel@tonic-gate /*
2*7c478bd9Sstevel@tonic-gate * Author: Tatu Ylonen <ylo@cs.hut.fi>
3*7c478bd9Sstevel@tonic-gate * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4*7c478bd9Sstevel@tonic-gate * All rights reserved
5*7c478bd9Sstevel@tonic-gate * Rhosts authentication. This file contains code to check whether to admit
6*7c478bd9Sstevel@tonic-gate * the login based on rhosts authentication. This file also processes
7*7c478bd9Sstevel@tonic-gate * /etc/hosts.equiv.
8*7c478bd9Sstevel@tonic-gate *
9*7c478bd9Sstevel@tonic-gate * As far as I am concerned, the code I have written for this software
10*7c478bd9Sstevel@tonic-gate * can be used freely for any purpose. Any derived versions of this
11*7c478bd9Sstevel@tonic-gate * software must be clearly marked as such, and if the derived work is
12*7c478bd9Sstevel@tonic-gate * incompatible with the protocol description in the RFC file, it must be
13*7c478bd9Sstevel@tonic-gate * called by a name other than "ssh" or "Secure Shell".
14*7c478bd9Sstevel@tonic-gate */
15*7c478bd9Sstevel@tonic-gate
16*7c478bd9Sstevel@tonic-gate #include "includes.h"
17*7c478bd9Sstevel@tonic-gate RCSID("$OpenBSD: auth-rhosts.c,v 1.28 2002/05/13 21:26:49 markus Exp $");
18*7c478bd9Sstevel@tonic-gate
19*7c478bd9Sstevel@tonic-gate #pragma ident "%Z%%M% %I% %E% SMI"
20*7c478bd9Sstevel@tonic-gate
21*7c478bd9Sstevel@tonic-gate #include "packet.h"
22*7c478bd9Sstevel@tonic-gate #include "uidswap.h"
23*7c478bd9Sstevel@tonic-gate #include "pathnames.h"
24*7c478bd9Sstevel@tonic-gate #include "log.h"
25*7c478bd9Sstevel@tonic-gate #include "servconf.h"
26*7c478bd9Sstevel@tonic-gate #include "canohost.h"
27*7c478bd9Sstevel@tonic-gate #include "auth.h"
28*7c478bd9Sstevel@tonic-gate
29*7c478bd9Sstevel@tonic-gate /* import */
30*7c478bd9Sstevel@tonic-gate extern ServerOptions options;
31*7c478bd9Sstevel@tonic-gate
32*7c478bd9Sstevel@tonic-gate /*
33*7c478bd9Sstevel@tonic-gate * This function processes an rhosts-style file (.rhosts, .shosts, or
34*7c478bd9Sstevel@tonic-gate * /etc/hosts.equiv). This returns true if authentication can be granted
35*7c478bd9Sstevel@tonic-gate * based on the file, and returns zero otherwise.
36*7c478bd9Sstevel@tonic-gate */
37*7c478bd9Sstevel@tonic-gate
38*7c478bd9Sstevel@tonic-gate static int
check_rhosts_file(const char * filename,const char * hostname,const char * ipaddr,const char * client_user,const char * server_user)39*7c478bd9Sstevel@tonic-gate check_rhosts_file(const char *filename, const char *hostname,
40*7c478bd9Sstevel@tonic-gate const char *ipaddr, const char *client_user,
41*7c478bd9Sstevel@tonic-gate const char *server_user)
42*7c478bd9Sstevel@tonic-gate {
43*7c478bd9Sstevel@tonic-gate FILE *f;
44*7c478bd9Sstevel@tonic-gate char buf[1024]; /* Must not be larger than host, user, dummy below. */
45*7c478bd9Sstevel@tonic-gate
46*7c478bd9Sstevel@tonic-gate /* Open the .rhosts file, deny if unreadable */
47*7c478bd9Sstevel@tonic-gate f = fopen(filename, "r");
48*7c478bd9Sstevel@tonic-gate if (!f)
49*7c478bd9Sstevel@tonic-gate return 0;
50*7c478bd9Sstevel@tonic-gate
51*7c478bd9Sstevel@tonic-gate while (fgets(buf, sizeof(buf), f)) {
52*7c478bd9Sstevel@tonic-gate /* All three must be at least as big as buf to avoid overflows. */
53*7c478bd9Sstevel@tonic-gate char hostbuf[1024], userbuf[1024], dummy[1024], *host, *user, *cp;
54*7c478bd9Sstevel@tonic-gate int negated;
55*7c478bd9Sstevel@tonic-gate
56*7c478bd9Sstevel@tonic-gate for (cp = buf; *cp == ' ' || *cp == '\t'; cp++)
57*7c478bd9Sstevel@tonic-gate ;
58*7c478bd9Sstevel@tonic-gate if (*cp == '#' || *cp == '\n' || !*cp)
59*7c478bd9Sstevel@tonic-gate continue;
60*7c478bd9Sstevel@tonic-gate
61*7c478bd9Sstevel@tonic-gate /*
62*7c478bd9Sstevel@tonic-gate * NO_PLUS is supported at least on OSF/1. We skip it (we
63*7c478bd9Sstevel@tonic-gate * don't ever support the plus syntax).
64*7c478bd9Sstevel@tonic-gate */
65*7c478bd9Sstevel@tonic-gate if (strncmp(cp, "NO_PLUS", 7) == 0)
66*7c478bd9Sstevel@tonic-gate continue;
67*7c478bd9Sstevel@tonic-gate
68*7c478bd9Sstevel@tonic-gate /*
69*7c478bd9Sstevel@tonic-gate * This should be safe because each buffer is as big as the
70*7c478bd9Sstevel@tonic-gate * whole string, and thus cannot be overwritten.
71*7c478bd9Sstevel@tonic-gate */
72*7c478bd9Sstevel@tonic-gate switch (sscanf(buf, "%1024s %1024s %1024s",
73*7c478bd9Sstevel@tonic-gate hostbuf, userbuf, dummy)) {
74*7c478bd9Sstevel@tonic-gate case 0:
75*7c478bd9Sstevel@tonic-gate auth_debug_add("Found empty line in %.100s.", filename);
76*7c478bd9Sstevel@tonic-gate continue;
77*7c478bd9Sstevel@tonic-gate case 1:
78*7c478bd9Sstevel@tonic-gate /* Host name only. */
79*7c478bd9Sstevel@tonic-gate strlcpy(userbuf, server_user, sizeof(userbuf));
80*7c478bd9Sstevel@tonic-gate break;
81*7c478bd9Sstevel@tonic-gate case 2:
82*7c478bd9Sstevel@tonic-gate /* Got both host and user name. */
83*7c478bd9Sstevel@tonic-gate break;
84*7c478bd9Sstevel@tonic-gate case 3:
85*7c478bd9Sstevel@tonic-gate auth_debug_add("Found garbage in %.100s.", filename);
86*7c478bd9Sstevel@tonic-gate continue;
87*7c478bd9Sstevel@tonic-gate default:
88*7c478bd9Sstevel@tonic-gate /* Weird... */
89*7c478bd9Sstevel@tonic-gate continue;
90*7c478bd9Sstevel@tonic-gate }
91*7c478bd9Sstevel@tonic-gate
92*7c478bd9Sstevel@tonic-gate host = hostbuf;
93*7c478bd9Sstevel@tonic-gate user = userbuf;
94*7c478bd9Sstevel@tonic-gate negated = 0;
95*7c478bd9Sstevel@tonic-gate
96*7c478bd9Sstevel@tonic-gate /* Process negated host names, or positive netgroups. */
97*7c478bd9Sstevel@tonic-gate if (host[0] == '-') {
98*7c478bd9Sstevel@tonic-gate negated = 1;
99*7c478bd9Sstevel@tonic-gate host++;
100*7c478bd9Sstevel@tonic-gate } else if (host[0] == '+')
101*7c478bd9Sstevel@tonic-gate host++;
102*7c478bd9Sstevel@tonic-gate
103*7c478bd9Sstevel@tonic-gate if (user[0] == '-') {
104*7c478bd9Sstevel@tonic-gate negated = 1;
105*7c478bd9Sstevel@tonic-gate user++;
106*7c478bd9Sstevel@tonic-gate } else if (user[0] == '+')
107*7c478bd9Sstevel@tonic-gate user++;
108*7c478bd9Sstevel@tonic-gate
109*7c478bd9Sstevel@tonic-gate /* Check for empty host/user names (particularly '+'). */
110*7c478bd9Sstevel@tonic-gate if (!host[0] || !user[0]) {
111*7c478bd9Sstevel@tonic-gate /* We come here if either was '+' or '-'. */
112*7c478bd9Sstevel@tonic-gate auth_debug_add("Ignoring wild host/user names in %.100s.",
113*7c478bd9Sstevel@tonic-gate filename);
114*7c478bd9Sstevel@tonic-gate continue;
115*7c478bd9Sstevel@tonic-gate }
116*7c478bd9Sstevel@tonic-gate /* Verify that host name matches. */
117*7c478bd9Sstevel@tonic-gate if (host[0] == '@') {
118*7c478bd9Sstevel@tonic-gate if (!innetgr(host + 1, hostname, NULL, NULL) &&
119*7c478bd9Sstevel@tonic-gate !innetgr(host + 1, ipaddr, NULL, NULL))
120*7c478bd9Sstevel@tonic-gate continue;
121*7c478bd9Sstevel@tonic-gate } else if (strcasecmp(host, hostname) && strcmp(host, ipaddr) != 0)
122*7c478bd9Sstevel@tonic-gate continue; /* Different hostname. */
123*7c478bd9Sstevel@tonic-gate
124*7c478bd9Sstevel@tonic-gate /* Verify that user name matches. */
125*7c478bd9Sstevel@tonic-gate if (user[0] == '@') {
126*7c478bd9Sstevel@tonic-gate if (!innetgr(user + 1, NULL, client_user, NULL))
127*7c478bd9Sstevel@tonic-gate continue;
128*7c478bd9Sstevel@tonic-gate } else if (strcmp(user, client_user) != 0)
129*7c478bd9Sstevel@tonic-gate continue; /* Different username. */
130*7c478bd9Sstevel@tonic-gate
131*7c478bd9Sstevel@tonic-gate /* Found the user and host. */
132*7c478bd9Sstevel@tonic-gate fclose(f);
133*7c478bd9Sstevel@tonic-gate
134*7c478bd9Sstevel@tonic-gate /* If the entry was negated, deny access. */
135*7c478bd9Sstevel@tonic-gate if (negated) {
136*7c478bd9Sstevel@tonic-gate auth_debug_add("Matched negative entry in %.100s.",
137*7c478bd9Sstevel@tonic-gate filename);
138*7c478bd9Sstevel@tonic-gate return 0;
139*7c478bd9Sstevel@tonic-gate }
140*7c478bd9Sstevel@tonic-gate /* Accept authentication. */
141*7c478bd9Sstevel@tonic-gate return 1;
142*7c478bd9Sstevel@tonic-gate }
143*7c478bd9Sstevel@tonic-gate
144*7c478bd9Sstevel@tonic-gate /* Authentication using this file denied. */
145*7c478bd9Sstevel@tonic-gate fclose(f);
146*7c478bd9Sstevel@tonic-gate return 0;
147*7c478bd9Sstevel@tonic-gate }
148*7c478bd9Sstevel@tonic-gate
149*7c478bd9Sstevel@tonic-gate /*
150*7c478bd9Sstevel@tonic-gate * Tries to authenticate the user using the .shosts or .rhosts file. Returns
151*7c478bd9Sstevel@tonic-gate * true if authentication succeeds. If ignore_rhosts is true, only
152*7c478bd9Sstevel@tonic-gate * /etc/hosts.equiv will be considered (.rhosts and .shosts are ignored).
153*7c478bd9Sstevel@tonic-gate */
154*7c478bd9Sstevel@tonic-gate
155*7c478bd9Sstevel@tonic-gate int
auth_rhosts(struct passwd * pw,const char * client_user)156*7c478bd9Sstevel@tonic-gate auth_rhosts(struct passwd *pw, const char *client_user)
157*7c478bd9Sstevel@tonic-gate {
158*7c478bd9Sstevel@tonic-gate const char *hostname, *ipaddr;
159*7c478bd9Sstevel@tonic-gate
160*7c478bd9Sstevel@tonic-gate hostname = get_canonical_hostname(options.verify_reverse_mapping);
161*7c478bd9Sstevel@tonic-gate ipaddr = get_remote_ipaddr();
162*7c478bd9Sstevel@tonic-gate return auth_rhosts2(pw, client_user, hostname, ipaddr);
163*7c478bd9Sstevel@tonic-gate }
164*7c478bd9Sstevel@tonic-gate
165*7c478bd9Sstevel@tonic-gate static int
auth_rhosts2_raw(struct passwd * pw,const char * client_user,const char * hostname,const char * ipaddr)166*7c478bd9Sstevel@tonic-gate auth_rhosts2_raw(struct passwd *pw, const char *client_user, const char *hostname,
167*7c478bd9Sstevel@tonic-gate const char *ipaddr)
168*7c478bd9Sstevel@tonic-gate {
169*7c478bd9Sstevel@tonic-gate char buf[1024];
170*7c478bd9Sstevel@tonic-gate struct stat st;
171*7c478bd9Sstevel@tonic-gate static const char *rhosts_files[] = {".shosts", ".rhosts", NULL};
172*7c478bd9Sstevel@tonic-gate u_int rhosts_file_index;
173*7c478bd9Sstevel@tonic-gate
174*7c478bd9Sstevel@tonic-gate debug2("auth_rhosts2: clientuser %s hostname %s ipaddr %s",
175*7c478bd9Sstevel@tonic-gate client_user, hostname, ipaddr);
176*7c478bd9Sstevel@tonic-gate
177*7c478bd9Sstevel@tonic-gate /* no user given */
178*7c478bd9Sstevel@tonic-gate if (pw == NULL)
179*7c478bd9Sstevel@tonic-gate return 0;
180*7c478bd9Sstevel@tonic-gate
181*7c478bd9Sstevel@tonic-gate /* Switch to the user's uid. */
182*7c478bd9Sstevel@tonic-gate temporarily_use_uid(pw);
183*7c478bd9Sstevel@tonic-gate /*
184*7c478bd9Sstevel@tonic-gate * Quick check: if the user has no .shosts or .rhosts files, return
185*7c478bd9Sstevel@tonic-gate * failure immediately without doing costly lookups from name
186*7c478bd9Sstevel@tonic-gate * servers.
187*7c478bd9Sstevel@tonic-gate */
188*7c478bd9Sstevel@tonic-gate for (rhosts_file_index = 0; rhosts_files[rhosts_file_index];
189*7c478bd9Sstevel@tonic-gate rhosts_file_index++) {
190*7c478bd9Sstevel@tonic-gate /* Check users .rhosts or .shosts. */
191*7c478bd9Sstevel@tonic-gate snprintf(buf, sizeof buf, "%.500s/%.100s",
192*7c478bd9Sstevel@tonic-gate pw->pw_dir, rhosts_files[rhosts_file_index]);
193*7c478bd9Sstevel@tonic-gate if (stat(buf, &st) >= 0)
194*7c478bd9Sstevel@tonic-gate break;
195*7c478bd9Sstevel@tonic-gate }
196*7c478bd9Sstevel@tonic-gate /* Switch back to privileged uid. */
197*7c478bd9Sstevel@tonic-gate restore_uid();
198*7c478bd9Sstevel@tonic-gate
199*7c478bd9Sstevel@tonic-gate /* Deny if The user has no .shosts or .rhosts file and there are no system-wide files. */
200*7c478bd9Sstevel@tonic-gate if (!rhosts_files[rhosts_file_index] &&
201*7c478bd9Sstevel@tonic-gate stat(_PATH_RHOSTS_EQUIV, &st) < 0 &&
202*7c478bd9Sstevel@tonic-gate stat(_PATH_SSH_HOSTS_EQUIV, &st) < 0)
203*7c478bd9Sstevel@tonic-gate return 0;
204*7c478bd9Sstevel@tonic-gate
205*7c478bd9Sstevel@tonic-gate /* If not logging in as superuser, try /etc/hosts.equiv and shosts.equiv. */
206*7c478bd9Sstevel@tonic-gate if (pw->pw_uid != 0) {
207*7c478bd9Sstevel@tonic-gate if (check_rhosts_file(_PATH_RHOSTS_EQUIV, hostname, ipaddr,
208*7c478bd9Sstevel@tonic-gate client_user, pw->pw_name)) {
209*7c478bd9Sstevel@tonic-gate auth_debug_add("Accepted for %.100s [%.100s] by /etc/hosts.equiv.",
210*7c478bd9Sstevel@tonic-gate hostname, ipaddr);
211*7c478bd9Sstevel@tonic-gate return 1;
212*7c478bd9Sstevel@tonic-gate }
213*7c478bd9Sstevel@tonic-gate if (check_rhosts_file(_PATH_SSH_HOSTS_EQUIV, hostname, ipaddr,
214*7c478bd9Sstevel@tonic-gate client_user, pw->pw_name)) {
215*7c478bd9Sstevel@tonic-gate auth_debug_add("Accepted for %.100s [%.100s] by %.100s.",
216*7c478bd9Sstevel@tonic-gate hostname, ipaddr, _PATH_SSH_HOSTS_EQUIV);
217*7c478bd9Sstevel@tonic-gate return 1;
218*7c478bd9Sstevel@tonic-gate }
219*7c478bd9Sstevel@tonic-gate }
220*7c478bd9Sstevel@tonic-gate /*
221*7c478bd9Sstevel@tonic-gate * Check that the home directory is owned by root or the user, and is
222*7c478bd9Sstevel@tonic-gate * not group or world writable.
223*7c478bd9Sstevel@tonic-gate */
224*7c478bd9Sstevel@tonic-gate if (stat(pw->pw_dir, &st) < 0) {
225*7c478bd9Sstevel@tonic-gate log("Rhosts authentication refused for %.100s: "
226*7c478bd9Sstevel@tonic-gate "no home directory %.200s", pw->pw_name, pw->pw_dir);
227*7c478bd9Sstevel@tonic-gate auth_debug_add("Rhosts authentication refused for %.100s: "
228*7c478bd9Sstevel@tonic-gate "no home directory %.200s", pw->pw_name, pw->pw_dir);
229*7c478bd9Sstevel@tonic-gate return 0;
230*7c478bd9Sstevel@tonic-gate }
231*7c478bd9Sstevel@tonic-gate if (options.strict_modes &&
232*7c478bd9Sstevel@tonic-gate ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
233*7c478bd9Sstevel@tonic-gate (st.st_mode & 022) != 0)) {
234*7c478bd9Sstevel@tonic-gate log("Rhosts authentication refused for %.100s: "
235*7c478bd9Sstevel@tonic-gate "bad ownership or modes for home directory.", pw->pw_name);
236*7c478bd9Sstevel@tonic-gate auth_debug_add("Rhosts authentication refused for %.100s: "
237*7c478bd9Sstevel@tonic-gate "bad ownership or modes for home directory.", pw->pw_name);
238*7c478bd9Sstevel@tonic-gate return 0;
239*7c478bd9Sstevel@tonic-gate }
240*7c478bd9Sstevel@tonic-gate /* Temporarily use the user's uid. */
241*7c478bd9Sstevel@tonic-gate temporarily_use_uid(pw);
242*7c478bd9Sstevel@tonic-gate
243*7c478bd9Sstevel@tonic-gate /* Check all .rhosts files (currently .shosts and .rhosts). */
244*7c478bd9Sstevel@tonic-gate for (rhosts_file_index = 0; rhosts_files[rhosts_file_index];
245*7c478bd9Sstevel@tonic-gate rhosts_file_index++) {
246*7c478bd9Sstevel@tonic-gate /* Check users .rhosts or .shosts. */
247*7c478bd9Sstevel@tonic-gate snprintf(buf, sizeof buf, "%.500s/%.100s",
248*7c478bd9Sstevel@tonic-gate pw->pw_dir, rhosts_files[rhosts_file_index]);
249*7c478bd9Sstevel@tonic-gate if (stat(buf, &st) < 0)
250*7c478bd9Sstevel@tonic-gate continue;
251*7c478bd9Sstevel@tonic-gate
252*7c478bd9Sstevel@tonic-gate /*
253*7c478bd9Sstevel@tonic-gate * Make sure that the file is either owned by the user or by
254*7c478bd9Sstevel@tonic-gate * root, and make sure it is not writable by anyone but the
255*7c478bd9Sstevel@tonic-gate * owner. This is to help avoid novices accidentally
256*7c478bd9Sstevel@tonic-gate * allowing access to their account by anyone.
257*7c478bd9Sstevel@tonic-gate */
258*7c478bd9Sstevel@tonic-gate if (options.strict_modes &&
259*7c478bd9Sstevel@tonic-gate ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
260*7c478bd9Sstevel@tonic-gate (st.st_mode & 022) != 0)) {
261*7c478bd9Sstevel@tonic-gate log("Rhosts authentication refused for %.100s: bad modes for %.200s",
262*7c478bd9Sstevel@tonic-gate pw->pw_name, buf);
263*7c478bd9Sstevel@tonic-gate auth_debug_add("Bad file modes for %.200s", buf);
264*7c478bd9Sstevel@tonic-gate continue;
265*7c478bd9Sstevel@tonic-gate }
266*7c478bd9Sstevel@tonic-gate /* Check if we have been configured to ignore .rhosts and .shosts files. */
267*7c478bd9Sstevel@tonic-gate if (options.ignore_rhosts) {
268*7c478bd9Sstevel@tonic-gate auth_debug_add("Server has been configured to ignore %.100s.",
269*7c478bd9Sstevel@tonic-gate rhosts_files[rhosts_file_index]);
270*7c478bd9Sstevel@tonic-gate continue;
271*7c478bd9Sstevel@tonic-gate }
272*7c478bd9Sstevel@tonic-gate /* Check if authentication is permitted by the file. */
273*7c478bd9Sstevel@tonic-gate if (check_rhosts_file(buf, hostname, ipaddr, client_user, pw->pw_name)) {
274*7c478bd9Sstevel@tonic-gate auth_debug_add("Accepted by %.100s.",
275*7c478bd9Sstevel@tonic-gate rhosts_files[rhosts_file_index]);
276*7c478bd9Sstevel@tonic-gate /* Restore the privileged uid. */
277*7c478bd9Sstevel@tonic-gate restore_uid();
278*7c478bd9Sstevel@tonic-gate auth_debug_add("Accepted host %s ip %s client_user %s server_user %s",
279*7c478bd9Sstevel@tonic-gate hostname, ipaddr, client_user, pw->pw_name);
280*7c478bd9Sstevel@tonic-gate return 1;
281*7c478bd9Sstevel@tonic-gate }
282*7c478bd9Sstevel@tonic-gate }
283*7c478bd9Sstevel@tonic-gate
284*7c478bd9Sstevel@tonic-gate /* Restore the privileged uid. */
285*7c478bd9Sstevel@tonic-gate restore_uid();
286*7c478bd9Sstevel@tonic-gate return 0;
287*7c478bd9Sstevel@tonic-gate }
288*7c478bd9Sstevel@tonic-gate
289*7c478bd9Sstevel@tonic-gate int
auth_rhosts2(struct passwd * pw,const char * client_user,const char * hostname,const char * ipaddr)290*7c478bd9Sstevel@tonic-gate auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname,
291*7c478bd9Sstevel@tonic-gate const char *ipaddr)
292*7c478bd9Sstevel@tonic-gate {
293*7c478bd9Sstevel@tonic-gate int ret;
294*7c478bd9Sstevel@tonic-gate
295*7c478bd9Sstevel@tonic-gate auth_debug_reset();
296*7c478bd9Sstevel@tonic-gate ret = auth_rhosts2_raw(pw, client_user, hostname, ipaddr);
297*7c478bd9Sstevel@tonic-gate auth_debug_send();
298*7c478bd9Sstevel@tonic-gate return ret;
299*7c478bd9Sstevel@tonic-gate }
300