1204917Sdes/* $OpenBSD: auth-rhosts.c,v 1.44 2010/03/07 11:57:13 dtucker Exp $ */ 257429Smarkm/* 357429Smarkm * Author: Tatu Ylonen <ylo@cs.hut.fi> 457429Smarkm * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 557429Smarkm * All rights reserved 657429Smarkm * Rhosts authentication. This file contains code to check whether to admit 757429Smarkm * the login based on rhosts authentication. This file also processes 857429Smarkm * /etc/hosts.equiv. 960573Skris * 1065668Skris * As far as I am concerned, the code I have written for this software 1165668Skris * can be used freely for any purpose. Any derived versions of this 1265668Skris * software must be clearly marked as such, and if the derived work is 1365668Skris * incompatible with the protocol description in the RFC file, it must be 1465668Skris * called by a name other than "ssh" or "Secure Shell". 1557429Smarkm */ 1657429Smarkm 1757429Smarkm#include "includes.h" 1857429Smarkm 19162852Sdes#include <sys/types.h> 20162852Sdes#include <sys/stat.h> 21162852Sdes 22162852Sdes#ifdef HAVE_NETGROUP_H 23162852Sdes# include <netgroup.h> 24162852Sdes#endif 25162852Sdes#include <pwd.h> 26162852Sdes#include <stdio.h> 27162852Sdes#include <string.h> 28162852Sdes#include <stdarg.h> 29181111Sdes#include <fcntl.h> 30181111Sdes#include <unistd.h> 31162852Sdes 3257429Smarkm#include "packet.h" 33162852Sdes#include "buffer.h" 3457429Smarkm#include "uidswap.h" 3576259Sgreen#include "pathnames.h" 3676259Sgreen#include "log.h" 3757429Smarkm#include "servconf.h" 3876259Sgreen#include "canohost.h" 39162852Sdes#include "key.h" 40162852Sdes#include "hostfile.h" 4176259Sgreen#include "auth.h" 42181111Sdes#include "misc.h" 4357429Smarkm 4476259Sgreen/* import */ 4576259Sgreenextern ServerOptions options; 4698675Sdesextern int use_privsep; 4776259Sgreen 4857429Smarkm/* 4957429Smarkm * This function processes an rhosts-style file (.rhosts, .shosts, or 5057429Smarkm * /etc/hosts.equiv). This returns true if authentication can be granted 5157429Smarkm * based on the file, and returns zero otherwise. 5257429Smarkm */ 5357429Smarkm 5492555Sdesstatic int 5557429Smarkmcheck_rhosts_file(const char *filename, const char *hostname, 5657429Smarkm const char *ipaddr, const char *client_user, 5757429Smarkm const char *server_user) 5857429Smarkm{ 5957429Smarkm FILE *f; 6057429Smarkm char buf[1024]; /* Must not be larger than host, user, dummy below. */ 61181111Sdes int fd; 62181111Sdes struct stat st; 6357429Smarkm 6457429Smarkm /* Open the .rhosts file, deny if unreadable */ 65181111Sdes if ((fd = open(filename, O_RDONLY|O_NONBLOCK)) == -1) 6657429Smarkm return 0; 67181111Sdes if (fstat(fd, &st) == -1) { 68181111Sdes close(fd); 69181111Sdes return 0; 70181111Sdes } 71181111Sdes if (!S_ISREG(st.st_mode)) { 72181111Sdes logit("User %s hosts file %s is not a regular file", 73181111Sdes server_user, filename); 74181111Sdes close(fd); 75181111Sdes return 0; 76181111Sdes } 77181111Sdes unset_nonblock(fd); 78181111Sdes if ((f = fdopen(fd, "r")) == NULL) { 79181111Sdes close(fd); 80181111Sdes return 0; 81181111Sdes } 8257429Smarkm while (fgets(buf, sizeof(buf), f)) { 8357429Smarkm /* All three must be at least as big as buf to avoid overflows. */ 8457429Smarkm char hostbuf[1024], userbuf[1024], dummy[1024], *host, *user, *cp; 8557429Smarkm int negated; 8657429Smarkm 8757429Smarkm for (cp = buf; *cp == ' ' || *cp == '\t'; cp++) 8857429Smarkm ; 8957429Smarkm if (*cp == '#' || *cp == '\n' || !*cp) 9057429Smarkm continue; 9157429Smarkm 9257429Smarkm /* 9357429Smarkm * NO_PLUS is supported at least on OSF/1. We skip it (we 9457429Smarkm * don't ever support the plus syntax). 9557429Smarkm */ 9657429Smarkm if (strncmp(cp, "NO_PLUS", 7) == 0) 9757429Smarkm continue; 9857429Smarkm 9957429Smarkm /* 10057429Smarkm * This should be safe because each buffer is as big as the 10157429Smarkm * whole string, and thus cannot be overwritten. 10257429Smarkm */ 103124208Sdes switch (sscanf(buf, "%1023s %1023s %1023s", hostbuf, userbuf, 104124208Sdes dummy)) { 10557429Smarkm case 0: 10698675Sdes auth_debug_add("Found empty line in %.100s.", filename); 10757429Smarkm continue; 10857429Smarkm case 1: 10957429Smarkm /* Host name only. */ 11057429Smarkm strlcpy(userbuf, server_user, sizeof(userbuf)); 11157429Smarkm break; 11257429Smarkm case 2: 11357429Smarkm /* Got both host and user name. */ 11457429Smarkm break; 11557429Smarkm case 3: 11698675Sdes auth_debug_add("Found garbage in %.100s.", filename); 11757429Smarkm continue; 11857429Smarkm default: 11957429Smarkm /* Weird... */ 12057429Smarkm continue; 12157429Smarkm } 12257429Smarkm 12357429Smarkm host = hostbuf; 12457429Smarkm user = userbuf; 12557429Smarkm negated = 0; 12657429Smarkm 12757429Smarkm /* Process negated host names, or positive netgroups. */ 12857429Smarkm if (host[0] == '-') { 12957429Smarkm negated = 1; 13057429Smarkm host++; 13157429Smarkm } else if (host[0] == '+') 13257429Smarkm host++; 13357429Smarkm 13457429Smarkm if (user[0] == '-') { 13557429Smarkm negated = 1; 13657429Smarkm user++; 13757429Smarkm } else if (user[0] == '+') 13857429Smarkm user++; 13957429Smarkm 14057429Smarkm /* Check for empty host/user names (particularly '+'). */ 14157429Smarkm if (!host[0] || !user[0]) { 14257429Smarkm /* We come here if either was '+' or '-'. */ 14398675Sdes auth_debug_add("Ignoring wild host/user names in %.100s.", 14498675Sdes filename); 14557429Smarkm continue; 14657429Smarkm } 14757429Smarkm /* Verify that host name matches. */ 14857429Smarkm if (host[0] == '@') { 14957429Smarkm if (!innetgr(host + 1, hostname, NULL, NULL) && 15057429Smarkm !innetgr(host + 1, ipaddr, NULL, NULL)) 15157429Smarkm continue; 15257429Smarkm } else if (strcasecmp(host, hostname) && strcmp(host, ipaddr) != 0) 15357429Smarkm continue; /* Different hostname. */ 15457429Smarkm 15557429Smarkm /* Verify that user name matches. */ 15657429Smarkm if (user[0] == '@') { 15757429Smarkm if (!innetgr(user + 1, NULL, client_user, NULL)) 15857429Smarkm continue; 15957429Smarkm } else if (strcmp(user, client_user) != 0) 16057429Smarkm continue; /* Different username. */ 16157429Smarkm 16257429Smarkm /* Found the user and host. */ 16357429Smarkm fclose(f); 16457429Smarkm 16557429Smarkm /* If the entry was negated, deny access. */ 16657429Smarkm if (negated) { 16798675Sdes auth_debug_add("Matched negative entry in %.100s.", 168149749Sdes filename); 16957429Smarkm return 0; 17057429Smarkm } 17157429Smarkm /* Accept authentication. */ 17257429Smarkm return 1; 17357429Smarkm } 17457429Smarkm 17557429Smarkm /* Authentication using this file denied. */ 17657429Smarkm fclose(f); 17757429Smarkm return 0; 17857429Smarkm} 17957429Smarkm 18057429Smarkm/* 18157429Smarkm * Tries to authenticate the user using the .shosts or .rhosts file. Returns 18257429Smarkm * true if authentication succeeds. If ignore_rhosts is true, only 18357429Smarkm * /etc/hosts.equiv will be considered (.rhosts and .shosts are ignored). 18457429Smarkm */ 18557429Smarkm 18660573Skrisint 18757429Smarkmauth_rhosts(struct passwd *pw, const char *client_user) 18857429Smarkm{ 18976259Sgreen const char *hostname, *ipaddr; 19076259Sgreen 191124208Sdes hostname = get_canonical_hostname(options.use_dns); 19276259Sgreen ipaddr = get_remote_ipaddr(); 19398675Sdes return auth_rhosts2(pw, client_user, hostname, ipaddr); 19476259Sgreen} 19576259Sgreen 19698675Sdesstatic int 19798675Sdesauth_rhosts2_raw(struct passwd *pw, const char *client_user, const char *hostname, 19876259Sgreen const char *ipaddr) 19976259Sgreen{ 20057429Smarkm char buf[1024]; 20157429Smarkm struct stat st; 20257429Smarkm static const char *rhosts_files[] = {".shosts", ".rhosts", NULL}; 20376259Sgreen u_int rhosts_file_index; 20457429Smarkm 20576259Sgreen debug2("auth_rhosts2: clientuser %s hostname %s ipaddr %s", 20676259Sgreen client_user, hostname, ipaddr); 20776259Sgreen 20857429Smarkm /* Switch to the user's uid. */ 20976259Sgreen temporarily_use_uid(pw); 21057429Smarkm /* 21157429Smarkm * Quick check: if the user has no .shosts or .rhosts files, return 21257429Smarkm * failure immediately without doing costly lookups from name 21357429Smarkm * servers. 21457429Smarkm */ 21557429Smarkm for (rhosts_file_index = 0; rhosts_files[rhosts_file_index]; 21692555Sdes rhosts_file_index++) { 21757429Smarkm /* Check users .rhosts or .shosts. */ 21857429Smarkm snprintf(buf, sizeof buf, "%.500s/%.100s", 21957429Smarkm pw->pw_dir, rhosts_files[rhosts_file_index]); 22057429Smarkm if (stat(buf, &st) >= 0) 22157429Smarkm break; 22257429Smarkm } 22357429Smarkm /* Switch back to privileged uid. */ 22457429Smarkm restore_uid(); 22557429Smarkm 22657429Smarkm /* Deny if The user has no .shosts or .rhosts file and there are no system-wide files. */ 22757429Smarkm if (!rhosts_files[rhosts_file_index] && 22876259Sgreen stat(_PATH_RHOSTS_EQUIV, &st) < 0 && 22976259Sgreen stat(_PATH_SSH_HOSTS_EQUIV, &st) < 0) 23057429Smarkm return 0; 23157429Smarkm 23257429Smarkm /* If not logging in as superuser, try /etc/hosts.equiv and shosts.equiv. */ 23357429Smarkm if (pw->pw_uid != 0) { 23492555Sdes if (check_rhosts_file(_PATH_RHOSTS_EQUIV, hostname, ipaddr, 23592555Sdes client_user, pw->pw_name)) { 23698675Sdes auth_debug_add("Accepted for %.100s [%.100s] by /etc/hosts.equiv.", 23792555Sdes hostname, ipaddr); 23857429Smarkm return 1; 23957429Smarkm } 24092555Sdes if (check_rhosts_file(_PATH_SSH_HOSTS_EQUIV, hostname, ipaddr, 24192555Sdes client_user, pw->pw_name)) { 24298675Sdes auth_debug_add("Accepted for %.100s [%.100s] by %.100s.", 24392555Sdes hostname, ipaddr, _PATH_SSH_HOSTS_EQUIV); 24457429Smarkm return 1; 24557429Smarkm } 24657429Smarkm } 24757429Smarkm /* 24857429Smarkm * Check that the home directory is owned by root or the user, and is 24957429Smarkm * not group or world writable. 25057429Smarkm */ 25157429Smarkm if (stat(pw->pw_dir, &st) < 0) { 252124208Sdes logit("Rhosts authentication refused for %.100s: " 25398675Sdes "no home directory %.200s", pw->pw_name, pw->pw_dir); 25498675Sdes auth_debug_add("Rhosts authentication refused for %.100s: " 25598675Sdes "no home directory %.200s", pw->pw_name, pw->pw_dir); 25657429Smarkm return 0; 25757429Smarkm } 25857429Smarkm if (options.strict_modes && 25957429Smarkm ((st.st_uid != 0 && st.st_uid != pw->pw_uid) || 26092555Sdes (st.st_mode & 022) != 0)) { 261124208Sdes logit("Rhosts authentication refused for %.100s: " 26298675Sdes "bad ownership or modes for home directory.", pw->pw_name); 26398675Sdes auth_debug_add("Rhosts authentication refused for %.100s: " 26498675Sdes "bad ownership or modes for home directory.", pw->pw_name); 26557429Smarkm return 0; 26657429Smarkm } 26757429Smarkm /* Temporarily use the user's uid. */ 26876259Sgreen temporarily_use_uid(pw); 26957429Smarkm 27057429Smarkm /* Check all .rhosts files (currently .shosts and .rhosts). */ 27157429Smarkm for (rhosts_file_index = 0; rhosts_files[rhosts_file_index]; 27292555Sdes rhosts_file_index++) { 27357429Smarkm /* Check users .rhosts or .shosts. */ 27457429Smarkm snprintf(buf, sizeof buf, "%.500s/%.100s", 27557429Smarkm pw->pw_dir, rhosts_files[rhosts_file_index]); 27657429Smarkm if (stat(buf, &st) < 0) 27757429Smarkm continue; 27857429Smarkm 27957429Smarkm /* 28057429Smarkm * Make sure that the file is either owned by the user or by 28157429Smarkm * root, and make sure it is not writable by anyone but the 28257429Smarkm * owner. This is to help avoid novices accidentally 28357429Smarkm * allowing access to their account by anyone. 28457429Smarkm */ 28557429Smarkm if (options.strict_modes && 28657429Smarkm ((st.st_uid != 0 && st.st_uid != pw->pw_uid) || 28792555Sdes (st.st_mode & 022) != 0)) { 288124208Sdes logit("Rhosts authentication refused for %.100s: bad modes for %.200s", 28957429Smarkm pw->pw_name, buf); 29098675Sdes auth_debug_add("Bad file modes for %.200s", buf); 29157429Smarkm continue; 29257429Smarkm } 29357429Smarkm /* Check if we have been configured to ignore .rhosts and .shosts files. */ 29457429Smarkm if (options.ignore_rhosts) { 29598675Sdes auth_debug_add("Server has been configured to ignore %.100s.", 29698675Sdes rhosts_files[rhosts_file_index]); 29757429Smarkm continue; 29857429Smarkm } 29957429Smarkm /* Check if authentication is permitted by the file. */ 30057429Smarkm if (check_rhosts_file(buf, hostname, ipaddr, client_user, pw->pw_name)) { 30198675Sdes auth_debug_add("Accepted by %.100s.", 30298675Sdes rhosts_files[rhosts_file_index]); 30357429Smarkm /* Restore the privileged uid. */ 30457429Smarkm restore_uid(); 30598675Sdes auth_debug_add("Accepted host %s ip %s client_user %s server_user %s", 30698675Sdes hostname, ipaddr, client_user, pw->pw_name); 30757429Smarkm return 1; 30857429Smarkm } 30957429Smarkm } 31057429Smarkm 31157429Smarkm /* Restore the privileged uid. */ 31257429Smarkm restore_uid(); 31357429Smarkm return 0; 31457429Smarkm} 31598675Sdes 31698675Sdesint 31798675Sdesauth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname, 31898675Sdes const char *ipaddr) 31998675Sdes{ 320204917Sdes return auth_rhosts2_raw(pw, client_user, hostname, ipaddr); 32198675Sdes} 322