1323124Sdes/* $OpenBSD: auth-rhosts.c,v 1.47 2016/03/07 19:02:43 djm Exp $ */ 257429Smarkm/* 357429Smarkm * Author: Tatu Ylonen <ylo@cs.hut.fi> 457429Smarkm * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 557429Smarkm * All rights reserved 657429Smarkm * Rhosts authentication. This file contains code to check whether to admit 757429Smarkm * the login based on rhosts authentication. This file also processes 857429Smarkm * /etc/hosts.equiv. 960573Skris * 1065668Skris * As far as I am concerned, the code I have written for this software 1165668Skris * can be used freely for any purpose. Any derived versions of this 1265668Skris * software must be clearly marked as such, and if the derived work is 1365668Skris * incompatible with the protocol description in the RFC file, it must be 1465668Skris * called by a name other than "ssh" or "Secure Shell". 1557429Smarkm */ 1657429Smarkm 1757429Smarkm#include "includes.h" 1857429Smarkm 19162852Sdes#include <sys/types.h> 20162852Sdes#include <sys/stat.h> 21162852Sdes 22162852Sdes#ifdef HAVE_NETGROUP_H 23162852Sdes# include <netgroup.h> 24162852Sdes#endif 25162852Sdes#include <pwd.h> 26162852Sdes#include <stdio.h> 27162852Sdes#include <string.h> 28162852Sdes#include <stdarg.h> 29181111Sdes#include <fcntl.h> 30181111Sdes#include <unistd.h> 31162852Sdes 3257429Smarkm#include "packet.h" 3357429Smarkm#include "uidswap.h" 3476259Sgreen#include "pathnames.h" 3576259Sgreen#include "log.h" 36295367Sdes#include "misc.h" 37323124Sdes#include "buffer.h" /* XXX */ 38323124Sdes#include "key.h" /* XXX */ 3957429Smarkm#include "servconf.h" 4076259Sgreen#include "canohost.h" 41323124Sdes#include "sshkey.h" 42162852Sdes#include "hostfile.h" 4376259Sgreen#include "auth.h" 4457429Smarkm 4576259Sgreen/* import */ 4676259Sgreenextern ServerOptions options; 4798675Sdesextern int use_privsep; 4876259Sgreen 4957429Smarkm/* 5057429Smarkm * This function processes an rhosts-style file (.rhosts, .shosts, or 5157429Smarkm * /etc/hosts.equiv). This returns true if authentication can be granted 5257429Smarkm * based on the file, and returns zero otherwise. 5357429Smarkm */ 5457429Smarkm 5592555Sdesstatic int 5657429Smarkmcheck_rhosts_file(const char *filename, const char *hostname, 5757429Smarkm const char *ipaddr, const char *client_user, 5857429Smarkm const char *server_user) 5957429Smarkm{ 6057429Smarkm FILE *f; 61295367Sdes#define RBUFLN 1024 62295367Sdes char buf[RBUFLN];/* Must not be larger than host, user, dummy below. */ 63181111Sdes int fd; 64181111Sdes struct stat st; 6557429Smarkm 6657429Smarkm /* Open the .rhosts file, deny if unreadable */ 67181111Sdes if ((fd = open(filename, O_RDONLY|O_NONBLOCK)) == -1) 6857429Smarkm return 0; 69181111Sdes if (fstat(fd, &st) == -1) { 70181111Sdes close(fd); 71181111Sdes return 0; 72181111Sdes } 73181111Sdes if (!S_ISREG(st.st_mode)) { 74181111Sdes logit("User %s hosts file %s is not a regular file", 75181111Sdes server_user, filename); 76181111Sdes close(fd); 77181111Sdes return 0; 78181111Sdes } 79181111Sdes unset_nonblock(fd); 80181111Sdes if ((f = fdopen(fd, "r")) == NULL) { 81181111Sdes close(fd); 82181111Sdes return 0; 83181111Sdes } 8457429Smarkm while (fgets(buf, sizeof(buf), f)) { 85295367Sdes /* All three must have length >= buf to avoid overflows. */ 86295367Sdes char hostbuf[RBUFLN], userbuf[RBUFLN], dummy[RBUFLN]; 87295367Sdes char *host, *user, *cp; 8857429Smarkm int negated; 8957429Smarkm 9057429Smarkm for (cp = buf; *cp == ' ' || *cp == '\t'; cp++) 9157429Smarkm ; 9257429Smarkm if (*cp == '#' || *cp == '\n' || !*cp) 9357429Smarkm continue; 9457429Smarkm 9557429Smarkm /* 9657429Smarkm * NO_PLUS is supported at least on OSF/1. We skip it (we 9757429Smarkm * don't ever support the plus syntax). 9857429Smarkm */ 9957429Smarkm if (strncmp(cp, "NO_PLUS", 7) == 0) 10057429Smarkm continue; 10157429Smarkm 10257429Smarkm /* 10357429Smarkm * This should be safe because each buffer is as big as the 10457429Smarkm * whole string, and thus cannot be overwritten. 10557429Smarkm */ 106124208Sdes switch (sscanf(buf, "%1023s %1023s %1023s", hostbuf, userbuf, 107124208Sdes dummy)) { 10857429Smarkm case 0: 10998675Sdes auth_debug_add("Found empty line in %.100s.", filename); 11057429Smarkm continue; 11157429Smarkm case 1: 11257429Smarkm /* Host name only. */ 11357429Smarkm strlcpy(userbuf, server_user, sizeof(userbuf)); 11457429Smarkm break; 11557429Smarkm case 2: 11657429Smarkm /* Got both host and user name. */ 11757429Smarkm break; 11857429Smarkm case 3: 11998675Sdes auth_debug_add("Found garbage in %.100s.", filename); 12057429Smarkm continue; 12157429Smarkm default: 12257429Smarkm /* Weird... */ 12357429Smarkm continue; 12457429Smarkm } 12557429Smarkm 12657429Smarkm host = hostbuf; 12757429Smarkm user = userbuf; 12857429Smarkm negated = 0; 12957429Smarkm 13057429Smarkm /* Process negated host names, or positive netgroups. */ 13157429Smarkm if (host[0] == '-') { 13257429Smarkm negated = 1; 13357429Smarkm host++; 13457429Smarkm } else if (host[0] == '+') 13557429Smarkm host++; 13657429Smarkm 13757429Smarkm if (user[0] == '-') { 13857429Smarkm negated = 1; 13957429Smarkm user++; 14057429Smarkm } else if (user[0] == '+') 14157429Smarkm user++; 14257429Smarkm 14357429Smarkm /* Check for empty host/user names (particularly '+'). */ 14457429Smarkm if (!host[0] || !user[0]) { 14557429Smarkm /* We come here if either was '+' or '-'. */ 146295367Sdes auth_debug_add("Ignoring wild host/user names " 147295367Sdes "in %.100s.", filename); 14857429Smarkm continue; 14957429Smarkm } 15057429Smarkm /* Verify that host name matches. */ 15157429Smarkm if (host[0] == '@') { 15257429Smarkm if (!innetgr(host + 1, hostname, NULL, NULL) && 15357429Smarkm !innetgr(host + 1, ipaddr, NULL, NULL)) 15457429Smarkm continue; 155295367Sdes } else if (strcasecmp(host, hostname) && 156295367Sdes strcmp(host, ipaddr) != 0) 15757429Smarkm continue; /* Different hostname. */ 15857429Smarkm 15957429Smarkm /* Verify that user name matches. */ 16057429Smarkm if (user[0] == '@') { 16157429Smarkm if (!innetgr(user + 1, NULL, client_user, NULL)) 16257429Smarkm continue; 16357429Smarkm } else if (strcmp(user, client_user) != 0) 16457429Smarkm continue; /* Different username. */ 16557429Smarkm 16657429Smarkm /* Found the user and host. */ 16757429Smarkm fclose(f); 16857429Smarkm 16957429Smarkm /* If the entry was negated, deny access. */ 17057429Smarkm if (negated) { 17198675Sdes auth_debug_add("Matched negative entry in %.100s.", 172149749Sdes filename); 17357429Smarkm return 0; 17457429Smarkm } 17557429Smarkm /* Accept authentication. */ 17657429Smarkm return 1; 17757429Smarkm } 17857429Smarkm 17957429Smarkm /* Authentication using this file denied. */ 18057429Smarkm fclose(f); 18157429Smarkm return 0; 18257429Smarkm} 18357429Smarkm 18457429Smarkm/* 18557429Smarkm * Tries to authenticate the user using the .shosts or .rhosts file. Returns 18657429Smarkm * true if authentication succeeds. If ignore_rhosts is true, only 18757429Smarkm * /etc/hosts.equiv will be considered (.rhosts and .shosts are ignored). 18857429Smarkm */ 18957429Smarkm 19060573Skrisint 19157429Smarkmauth_rhosts(struct passwd *pw, const char *client_user) 19257429Smarkm{ 193323124Sdes struct ssh *ssh = active_state; /* XXX */ 19476259Sgreen const char *hostname, *ipaddr; 19576259Sgreen 196323124Sdes hostname = auth_get_canonical_hostname(ssh, options.use_dns); 197323124Sdes ipaddr = ssh_remote_ipaddr(ssh); 19898675Sdes return auth_rhosts2(pw, client_user, hostname, ipaddr); 19976259Sgreen} 20076259Sgreen 20198675Sdesstatic int 20298675Sdesauth_rhosts2_raw(struct passwd *pw, const char *client_user, const char *hostname, 20376259Sgreen const char *ipaddr) 20476259Sgreen{ 20557429Smarkm char buf[1024]; 20657429Smarkm struct stat st; 20757429Smarkm static const char *rhosts_files[] = {".shosts", ".rhosts", NULL}; 20876259Sgreen u_int rhosts_file_index; 20957429Smarkm 21076259Sgreen debug2("auth_rhosts2: clientuser %s hostname %s ipaddr %s", 21176259Sgreen client_user, hostname, ipaddr); 21276259Sgreen 21357429Smarkm /* Switch to the user's uid. */ 21476259Sgreen temporarily_use_uid(pw); 21557429Smarkm /* 216295367Sdes * Quick check: if the user has no .shosts or .rhosts files and 217295367Sdes * no system hosts.equiv/shosts.equiv files exist then return 21857429Smarkm * failure immediately without doing costly lookups from name 21957429Smarkm * servers. 22057429Smarkm */ 22157429Smarkm for (rhosts_file_index = 0; rhosts_files[rhosts_file_index]; 22292555Sdes rhosts_file_index++) { 22357429Smarkm /* Check users .rhosts or .shosts. */ 22457429Smarkm snprintf(buf, sizeof buf, "%.500s/%.100s", 22557429Smarkm pw->pw_dir, rhosts_files[rhosts_file_index]); 22657429Smarkm if (stat(buf, &st) >= 0) 22757429Smarkm break; 22857429Smarkm } 22957429Smarkm /* Switch back to privileged uid. */ 23057429Smarkm restore_uid(); 23157429Smarkm 232295367Sdes /* 233295367Sdes * Deny if The user has no .shosts or .rhosts file and there 234295367Sdes * are no system-wide files. 235295367Sdes */ 23657429Smarkm if (!rhosts_files[rhosts_file_index] && 23776259Sgreen stat(_PATH_RHOSTS_EQUIV, &st) < 0 && 238295367Sdes stat(_PATH_SSH_HOSTS_EQUIV, &st) < 0) { 239295367Sdes debug3("%s: no hosts access files exist", __func__); 24057429Smarkm return 0; 241295367Sdes } 24257429Smarkm 243295367Sdes /* 244295367Sdes * If not logging in as superuser, try /etc/hosts.equiv and 245295367Sdes * shosts.equiv. 246295367Sdes */ 247295367Sdes if (pw->pw_uid == 0) 248295367Sdes debug3("%s: root user, ignoring system hosts files", __func__); 249295367Sdes else { 25092555Sdes if (check_rhosts_file(_PATH_RHOSTS_EQUIV, hostname, ipaddr, 25192555Sdes client_user, pw->pw_name)) { 252295367Sdes auth_debug_add("Accepted for %.100s [%.100s] by " 253295367Sdes "/etc/hosts.equiv.", hostname, ipaddr); 25457429Smarkm return 1; 25557429Smarkm } 25692555Sdes if (check_rhosts_file(_PATH_SSH_HOSTS_EQUIV, hostname, ipaddr, 25792555Sdes client_user, pw->pw_name)) { 258295367Sdes auth_debug_add("Accepted for %.100s [%.100s] by " 259295367Sdes "%.100s.", hostname, ipaddr, _PATH_SSH_HOSTS_EQUIV); 26057429Smarkm return 1; 26157429Smarkm } 26257429Smarkm } 263295367Sdes 26457429Smarkm /* 26557429Smarkm * Check that the home directory is owned by root or the user, and is 26657429Smarkm * not group or world writable. 26757429Smarkm */ 26857429Smarkm if (stat(pw->pw_dir, &st) < 0) { 269124208Sdes logit("Rhosts authentication refused for %.100s: " 27098675Sdes "no home directory %.200s", pw->pw_name, pw->pw_dir); 27198675Sdes auth_debug_add("Rhosts authentication refused for %.100s: " 27298675Sdes "no home directory %.200s", pw->pw_name, pw->pw_dir); 27357429Smarkm return 0; 27457429Smarkm } 27557429Smarkm if (options.strict_modes && 27657429Smarkm ((st.st_uid != 0 && st.st_uid != pw->pw_uid) || 27792555Sdes (st.st_mode & 022) != 0)) { 278124208Sdes logit("Rhosts authentication refused for %.100s: " 27998675Sdes "bad ownership or modes for home directory.", pw->pw_name); 28098675Sdes auth_debug_add("Rhosts authentication refused for %.100s: " 28198675Sdes "bad ownership or modes for home directory.", pw->pw_name); 28257429Smarkm return 0; 28357429Smarkm } 28457429Smarkm /* Temporarily use the user's uid. */ 28576259Sgreen temporarily_use_uid(pw); 28657429Smarkm 28757429Smarkm /* Check all .rhosts files (currently .shosts and .rhosts). */ 28857429Smarkm for (rhosts_file_index = 0; rhosts_files[rhosts_file_index]; 28992555Sdes rhosts_file_index++) { 29057429Smarkm /* Check users .rhosts or .shosts. */ 29157429Smarkm snprintf(buf, sizeof buf, "%.500s/%.100s", 29257429Smarkm pw->pw_dir, rhosts_files[rhosts_file_index]); 29357429Smarkm if (stat(buf, &st) < 0) 29457429Smarkm continue; 29557429Smarkm 29657429Smarkm /* 29757429Smarkm * Make sure that the file is either owned by the user or by 29857429Smarkm * root, and make sure it is not writable by anyone but the 29957429Smarkm * owner. This is to help avoid novices accidentally 30057429Smarkm * allowing access to their account by anyone. 30157429Smarkm */ 30257429Smarkm if (options.strict_modes && 30357429Smarkm ((st.st_uid != 0 && st.st_uid != pw->pw_uid) || 30492555Sdes (st.st_mode & 022) != 0)) { 305124208Sdes logit("Rhosts authentication refused for %.100s: bad modes for %.200s", 30657429Smarkm pw->pw_name, buf); 30798675Sdes auth_debug_add("Bad file modes for %.200s", buf); 30857429Smarkm continue; 30957429Smarkm } 310295367Sdes /* 311295367Sdes * Check if we have been configured to ignore .rhosts 312295367Sdes * and .shosts files. 313295367Sdes */ 31457429Smarkm if (options.ignore_rhosts) { 315295367Sdes auth_debug_add("Server has been configured to " 316295367Sdes "ignore %.100s.", rhosts_files[rhosts_file_index]); 31757429Smarkm continue; 31857429Smarkm } 31957429Smarkm /* Check if authentication is permitted by the file. */ 320295367Sdes if (check_rhosts_file(buf, hostname, ipaddr, 321295367Sdes client_user, pw->pw_name)) { 32298675Sdes auth_debug_add("Accepted by %.100s.", 32398675Sdes rhosts_files[rhosts_file_index]); 32457429Smarkm /* Restore the privileged uid. */ 32557429Smarkm restore_uid(); 326295367Sdes auth_debug_add("Accepted host %s ip %s client_user " 327295367Sdes "%s server_user %s", hostname, ipaddr, 328295367Sdes client_user, pw->pw_name); 32957429Smarkm return 1; 33057429Smarkm } 33157429Smarkm } 33257429Smarkm 33357429Smarkm /* Restore the privileged uid. */ 33457429Smarkm restore_uid(); 33557429Smarkm return 0; 33657429Smarkm} 33798675Sdes 33898675Sdesint 33998675Sdesauth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname, 34098675Sdes const char *ipaddr) 34198675Sdes{ 342204917Sdes return auth_rhosts2_raw(pw, client_user, hostname, ipaddr); 34398675Sdes} 344