
(-)a/auth-rhosts.c (-1 / +3 lines)
Lines 298-304 auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname, Link Here
298
		 * Check if we have been configured to ignore .rhosts
298
		 * Check if we have been configured to ignore .rhosts
299
		 * and .shosts files.
299
		 * and .shosts files.
300
		 */
300
		 */
301
		if (options.ignore_rhosts) {
301
		if (options.ignore_rhosts == IGNORE_RHOSTS_YES ||
302
		    (options.ignore_rhosts == IGNORE_RHOSTS_SHOSTS &&
303
		    strcmp(rhosts_files[rhosts_file_index], ".shosts") != 0)) {
302
			auth_debug_add("Server has been configured to "
304
			auth_debug_add("Server has been configured to "
303
			    "ignore %.100s.", rhosts_files[rhosts_file_index]);
305
			    "ignore %.100s.", rhosts_files[rhosts_file_index]);
304
			continue;
306
			continue;
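Review bot: The rewritten test at new lines 301-303 skips the file only when `options.ignore_rhosts` is exactly `IGNORE_RHOSTS_YES` or `IGNORE_RHOSTS_SHOSTS`, so any other value now lets both `.rhosts` and `.shosts` be consulted, whereas the old `if (options.ignore_rhosts)` treated every non-zero value as "ignore". Whether another value (for example an unset sentinel) can reach this point is not visible in the hunk, but a trust decision like this is safer written fail-closed: `if (options.ignore_rhosts != IGNORE_RHOSTS_NO &&` / `!(options.ignore_rhosts == IGNORE_RHOSTS_SHOSTS &&` / `strcmp(rhosts_files[rhosts_file_index], ".shosts") == 0)) {`. The enclosing loop in auth_rhosts2 starts and ends outside the hunk.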
(-)a/servconf.c (-4 / +14 lines)
Lines 626-632 static struct { Link Here
626
#else
626
#else
627
	{ "printlastlog", sPrintLastLog, SSHCFG_GLOBAL },
627
	{ "printlastlog", sPrintLastLog, SSHCFG_GLOBAL },
628
#endif
628
#endif
629
	{ "ignorerhosts", sIgnoreRhosts, SSHCFG_GLOBAL },
629
	{ "ignorerhosts", sIgnoreRhosts, SSHCFG_ALL },
630
	{ "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL },
630
	{ "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL },
631
	{ "x11forwarding", sX11Forwarding, SSHCFG_ALL },
631
	{ "x11forwarding", sX11Forwarding, SSHCFG_ALL },
632
	{ "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL },
632
	{ "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL },
Lines 1213-1218 static const struct multistate multistate_flag[] = { Link Here
1213
	{ "no",				0 },
1213
	{ "no",				0 },
1214
	{ NULL, -1 }
1214
	{ NULL, -1 }
1215
};
1215
};
1216
static const struct multistate multistate_ignore_rhosts[] = {
1217
	{ "yes",			IGNORE_RHOSTS_YES },
1218
	{ "no",				IGNORE_RHOSTS_NO },
1219
	{ "shosts-only",		IGNORE_RHOSTS_SHOSTS },
1220
	{ NULL, -1 }
1221
};
1216
static const struct multistate multistate_addressfamily[] = {
1222
static const struct multistate multistate_addressfamily[] = {
1217
	{ "inet",			AF_INET },
1223
	{ "inet",			AF_INET },
1218
	{ "inet6",			AF_INET6 },
1224
	{ "inet6",			AF_INET6 },
Lines 1462-1474 process_server_config_line_depth(ServerOptions *options, char *line, Link Here
1462
1468
1463
	case sIgnoreRhosts:
1469
	case sIgnoreRhosts:
1464
		intptr = &options->ignore_rhosts;
1470
		intptr = &options->ignore_rhosts;
1465
 parse_flag:
1471
		multistate_ptr = multistate_ignore_rhosts;
1466
		multistate_ptr = multistate_flag;
1467
		goto parse_multistate;
1472
		goto parse_multistate;
1468
1473
1469
	case sIgnoreUserKnownHosts:
1474
	case sIgnoreUserKnownHosts:
1470
		intptr = &options->ignore_user_known_hosts;
1475
		intptr = &options->ignore_user_known_hosts;
1471
		goto parse_flag;
1476
 parse_flag:
1477
		multistate_ptr = multistate_flag;
1478
		goto parse_multistate;
1472
1479
1473
	case sHostbasedAuthentication:
1480
	case sHostbasedAuthentication:
1474
		intptr = &options->hostbased_authentication;
1481
		intptr = &options->hostbased_authentication;
Lines 2473-2478 copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) Link Here
2473
	M_CP_INTOPT(kbd_interactive_authentication);
2480
	M_CP_INTOPT(kbd_interactive_authentication);
2474
	M_CP_INTOPT(permit_root_login);
2481
	M_CP_INTOPT(permit_root_login);
2475
	M_CP_INTOPT(permit_empty_passwd);
2482
	M_CP_INTOPT(permit_empty_passwd);
2483
	M_CP_INTOPT(ignore_rhosts);
2476
2484
2477
	M_CP_INTOPT(allow_tcp_forwarding);
2485
	M_CP_INTOPT(allow_tcp_forwarding);
2478
	M_CP_INTOPT(allow_streamlocal_forwarding);
2486
	M_CP_INTOPT(allow_streamlocal_forwarding);
Lines 2627-2632 fmt_intarg(ServerOpCodes code, int val) Link Here
2627
		return fmt_multistate_int(val, multistate_tcpfwd);
2635
		return fmt_multistate_int(val, multistate_tcpfwd);
2628
	case sAllowStreamLocalForwarding:
2636
	case sAllowStreamLocalForwarding:
2629
		return fmt_multistate_int(val, multistate_tcpfwd);
2637
		return fmt_multistate_int(val, multistate_tcpfwd);
2638
	case sIgnoreRhosts:
2639
		return fmt_multistate_int(val, multistate_ignore_rhosts);
2630
	case sFingerprintHash:
2640
	case sFingerprintHash:
2631
		return ssh_digest_alg_name(val);
2641
		return ssh_digest_alg_name(val);
2632
	default:
2642
	default:
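Review bot: The shared `parse_flag:` label now sits inside the body of `case sIgnoreUserKnownHosts:` (new lines 1476-1478), so every other `goto parse_flag` in process_server_config_line_depth silently depends on that unrelated case keeping its tail intact. A comment on the label such as `/* shared tail: other yes/no options jump here */` would make the dependency visible to the next editor. Separately, with `ignorerhosts` flagged `SSHCFG_ALL` and copied by `M_CP_INTOPT(ignore_rhosts)`, a Match block can relax this host-based trust setting per connection. The default assignment lies outside the visible hunks; if it still uses a bare `1`, it should be spelled `IGNORE_RHOSTS_YES` so the default cannot drift from the new constants.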
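--- a/servconf.h
+++ b/servconf.h
@@ -38,6 +38,11 @@
 #define PERMITOPEN_ANY		0
 #define PERMITOPEN_NONE		-2
 
+/* IgnoreRhosts */
+#define IGNORE_RHOSTS_NO	0
+#define IGNORE_RHOSTS_YES	1
+#define IGNORE_RHOSTS_SHOSTS	2
+
 #define DEFAULT_AUTH_FAIL_MAX	6	/* Default for MaxAuthTries */
 #define DEFAULT_SESSIONS_MAX	10	/* Default for MaxSessions */
 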
(-)a/sshd_config.5 (-6 / +20 lines)
Lines 778-796 rsa-sha2-512,rsa-sha2-256,ssh-rsa Link Here
778
The list of available key types may also be obtained using
778
The list of available key types may also be obtained using
779
.Qq ssh -Q HostKeyAlgorithms .
779
.Qq ssh -Q HostKeyAlgorithms .
780
.It Cm IgnoreRhosts
780
.It Cm IgnoreRhosts
781
Specifies that
781
Specifies whether to ignore per-user
782
.Pa .rhosts
782
.Pa .rhosts
783
and
783
and
784
.Pa .shosts
784
.Pa .shosts
785
files will not be used in
785
files during
786
.Cm HostbasedAuthentication .
786
.Cm HostbasedAuthentication .
787
.Pp
787
The system-wide
788
.Pa /etc/hosts.equiv
788
.Pa /etc/hosts.equiv
789
and
789
and
790
.Pa /etc/shosts.equiv
790
.Pa /etc/shosts.equiv
791
are still used.
791
are still used regardless of this setting.
792
The default is
792
.Pp
793
.Cm yes .
793
Accepted values are
794
.Cm yes
795
(the default) to ignore all per-user files,
796
.Cm shosts-only
797
to allow the use of
798
.Pa .shosts
799
but to ignore
800
.Pa .rhosts
801
or
802
.Cm no
803
to allow both
804
.Pa .shosts
805
and
806
.Pa rhosts.
794
.It Cm IgnoreUserKnownHosts
807
.It Cm IgnoreUserKnownHosts
795
Specifies whether
808
Specifies whether
796
.Xr sshd 8
809
.Xr sshd 8
Lines 1162-1167 Available keywords are Link Here
1162
.Cm HostbasedAcceptedKeyTypes ,
1175
.Cm HostbasedAcceptedKeyTypes ,
1163
.Cm HostbasedAuthentication ,
1176
.Cm HostbasedAuthentication ,
1164
.Cm HostbasedUsesNameFromPacketOnly ,
1177
.Cm HostbasedUsesNameFromPacketOnly ,
1178
.Cm IgnoreRhosts ,
1165
.Cm Include ,
1179
.Cm Include ,
1166
.Cm IPQoS ,
1180
.Cm IPQoS ,
1167
.Cm KbdInteractiveAuthentication ,
1181
.Cm KbdInteractiveAuthentication ,
