/* $OpenBSD: auth-rh-rsa.c,v 1.45 2016/03/07 19:02:43 djm Exp $ */
/*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 *                    All rights reserved
 * Rhosts or /etc/hosts.equiv authentication combined with RSA host
 * authentication.
 *
 * As far as I am concerned, the code I have written for this software
 * can be used freely for any purpose.  Any derived versions of this
 * software must be clearly marked as such, and if the derived work is
 * incompatible with the protocol description in the RFC file, it must be
 * called by a name other than "ssh" or "Secure Shell".
 */

#include "includes.h"

/*
 * Everything below is protocol-1 (SSH1) only and is compiled out unless
 * WITH_SSH1 is defined.  The authentication it implements ("rhosts-rsa")
 * accepts a user on the strength of an rhosts / hosts.equiv entry plus a
 * proof that the connecting host holds a known RSA host key.
 */
#ifdef WITH_SSH1

#include <sys/types.h>

#include <pwd.h>
#include <stdarg.h>

#include "packet.h"
#include "uidswap.h"
#include "log.h"
#include "buffer.h"
#include "misc.h"
#include "servconf.h"
#include "key.h"
#include "hostfile.h"
#include "pathnames.h"
#include "auth.h"
#include "canohost.h"
#ifdef GSSAPI
#include "ssh-gss.h"
#endif
#include "monitor_wrap.h"

/* import */
extern ServerOptions options;

/*
 * Policy half of rhosts-RSA: decide whether the (pw, cuser, chost,
 * client_host_key) tuple is acceptable *before* any cryptographic proof
 * is demanded.  Three gates, all of which must pass:
 *
 *   1. client_host_key is not on the revocation list;
 *   2. plain rhosts / hosts.equiv authentication would admit cuser@chost
 *      as pw (auth_rhosts);
 *   3. client_host_key is listed for chost in the system host file, or in
 *      the user's host file unless IgnoreUserKnownHosts is set.
 *
 * Returns 1 when the key is known and the rhosts policy allows it,
 * 0 otherwise.  This is the routine that runs in the privileged monitor
 * under privilege separation (see the PRIVSEP() call in auth_rhosts_rsa),
 * since it needs to read files the unprivileged child cannot.
 */
int
auth_rhosts_rsa_key_allowed(struct passwd *pw, const char *cuser,
    const char *chost, Key *client_host_key)
{
	const char *user_hostfile;
	HostStatus status;

	/*
	 * Revocation wins over everything else: a key on the revoked list
	 * must never be accepted, however the rhosts policy looks.
	 */
	if (auth_key_is_revoked(client_host_key))
		return 0;

	/* Would ordinary rhosts / hosts.equiv authentication admit this? */
	if (!auth_rhosts(pw, cuser))
		return 0;

	/*
	 * The per-user known_hosts file is consulted only when the admin
	 * has not disabled it with IgnoreUserKnownHosts.
	 */
	user_hostfile = options.ignore_user_known_hosts ?
	    NULL : _PATH_SSH_USER_HOSTFILE;

	/* Look the key up under the canonical client host name. */
	status = check_key_in_hostfiles(pw, client_host_key, chost,
	    _PATH_SSH_SYSTEM_HOSTFILE, user_hostfile);

	return status == HOST_OK;
}

/*
 * Perform rhosts-RSA authentication for the current connection.
 *
 * authctxt        - server-side auth context; authctxt->pw is the target
 *                   account and authctxt->valid says whether that account
 *                   exists and may log in.
 * cuser           - user name claimed by the client for the remote side.
 * client_host_key - RSA host key offered by the client.
 *
 * Returns 1 if authentication succeeded, 0 otherwise.
 *
 * Sequence: sanity-check the key, derive the canonical client host name
 * (from DNS when UseDNS is on - so the host-file lookup then rests on
 * that name being resolved correctly), ask the policy check above whether
 * the key is acceptable for this host/user, and only then run the RSA
 * challenge-response so the client proves it holds the private half of
 * the key.  Nothing is accepted until both halves pass.
 */
int
auth_rhosts_rsa(Authctxt *authctxt, char *cuser, Key *client_host_key)
{
	struct ssh *ssh = active_state; /* XXX */
	struct passwd *pw = authctxt->pw;
	const char *chost;
	int allowed;

	debug("Trying rhosts with RSA host authentication for client user %.100s",
	    cuser);

	/* No account, or no usable RSA key: nothing to authenticate against. */
	if (!authctxt->valid)
		return 0;
	if (client_host_key == NULL || client_host_key->rsa == NULL)
		return 0;

	/*
	 * Canonical name of the connecting host; this is the key used for
	 * the host-file lookup below, so its trustworthiness bounds that of
	 * the whole method.
	 */
	chost = auth_get_canonical_hostname(ssh, options.use_dns);
	debug("Rhosts RSA authentication: canonical host %.900s", chost);

	/*
	 * Policy check (revocation, rhosts, host files).  PRIVSEP routes
	 * this through the monitor when privilege separation is active.
	 */
	allowed = PRIVSEP(auth_rhosts_rsa_key_allowed(pw, cuser, chost,
	    client_host_key));
	if (!allowed) {
		debug("Rhosts with RSA host authentication denied: unknown or invalid host key");
		packet_send_debug("Your host key cannot be verified: unknown or invalid host key.");
		return 0;
	}

	/*
	 * The key is known for this host.  Now make the client prove it
	 * actually holds the private key before trusting the rhosts entry.
	 */
	if (!auth_rsa_challenge_dialog(client_host_key)) {
		logit("Client on %.800s failed to respond correctly to host authentication.",
		    chost);
		return 0;
	}

	/* Both the user (rhosts) and the host (RSA) checked out. */
	verbose("Rhosts with RSA host authentication accepted for %.100s, %.100s on %.700s.",
	    pw->pw_name, cuser, chost);
	packet_send_debug("Rhosts with RSA host authentication accepted.");
	return 1;
}

#endif /* WITH_SSH1 */