Bugzilla – Attachment 3381 Details for
Bug 3148
Unable to perform host-based authentication as root if "IgnoreRhosts" is set to "yes" on server configuration
[patch]
IgnoreRhosts=shosts-only
shostsonly.diff (text/plain), 4.36 KB, created by
Damien Miller
on 2020-04-14 21:54:59 AEST
Description:
IgnoreRhosts=shosts-only
Filename:
MIME Type:
Creator:
Damien Miller
Created:
2020-04-14 21:54:59 AEST
Size:
4.36 KB
patch
obsolete
>commit 3583eb1858a240eb1cd55ccca8f6d36e17050346
>Author: Damien Miller <djm@mindrot.org>
>Date: Tue Apr 14 21:52:24 2020 +1000
>
> IgnoreRhosts=shosts-only
>
>diff --git a/auth-rhosts.c b/auth-rhosts.c
>index 7a10210b6..b2f693d05 100644
>--- a/auth-rhosts.c
>+++ b/auth-rhosts.c
>@@ -298,7 +298,9 @@ auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname,
> * Check if we have been configured to ignore .rhosts
> * and .shosts files.
> */
>- if (options.ignore_rhosts) {
>+ if (options.ignore_rhosts == IGNORE_RHOSTS_YES ||
>+ (options.ignore_rhosts == IGNORE_RHOSTS_SHOSTS &&
>+ strcmp(rhosts_files[rhosts_file_index], ".shosts") != 0)) {
> auth_debug_add("Server has been configured to "
> "ignore %.100s.", rhosts_files[rhosts_file_index]);
> continue;
>diff --git a/servconf.c b/servconf.c
>index 748db5dec..a6d9d1553 100644
>--- a/servconf.c
>+++ b/servconf.c
>@@ -626,7 +626,7 @@ static struct {
> #else
> { "printlastlog", sPrintLastLog, SSHCFG_GLOBAL },
> #endif
>- { "ignorerhosts", sIgnoreRhosts, SSHCFG_GLOBAL },
>+ { "ignorerhosts", sIgnoreRhosts, SSHCFG_ALL },
> { "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL },
> { "x11forwarding", sX11Forwarding, SSHCFG_ALL },
> { "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL },
>@@ -1213,6 +1213,12 @@ static const struct multistate multistate_flag[] = {
> { "no", 0 },
> { NULL, -1 }
> };
>+static const struct multistate multistate_ignore_rhosts[] = {
>+ { "yes", IGNORE_RHOSTS_YES },
>+ { "no", IGNORE_RHOSTS_NO },
>+ { "shosts-only", IGNORE_RHOSTS_SHOSTS },
>+ { NULL, -1 }
>+};
> static const struct multistate multistate_addressfamily[] = {
> { "inet", AF_INET },
> { "inet6", AF_INET6 },
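Review bot: The block comment kept as context above the new condition in auth-rhosts.c still says the server ignores `.rhosts` and `.shosts` files, which no longer describes the `IGNORE_RHOSTS_SHOSTS` branch. I would reword it to `* Check if we have been configured to ignore this file: every per-user file for "yes", everything except .shosts for "shosts-only".` The `strcmp()` against the literal `".shosts"` fails closed if an entry in `rhosts_files` is ever renamed, which is the right direction for an authentication check and is worth stating in the same comment. auth_rhosts2() starts and ends outside this hunk.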
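Review bot: The `ignorerhosts` entry in the servconf.c keyword table (hunk at -626) moves from `SSHCFG_GLOBAL` to `SSHCFG_ALL`, so the keyword becomes valid inside `Match` blocks, yet neither the code nor the one-line commit message says this is intended. Because this widens where a host-based authentication restriction can be relaxed, I would record it next to the entry, for example `/* Match-able so per-user .shosts trust can be scoped instead of enabled globally */`, and mention it in the commit description. The `M_CP_INTOPT(ignore_rhosts);` line added in the -2473 hunk is what carries a Match-block value into the active options, so the two changes should be reviewed together. The keyword table itself starts and ends outside this hunk.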
>@@ -1462,13 +1468,14 @@ process_server_config_line_depth(ServerOptions *options, char *line,
>
> case sIgnoreRhosts:
> intptr = &options->ignore_rhosts;
>- parse_flag:
>- multistate_ptr = multistate_flag;
>+ multistate_ptr = multistate_ignore_rhosts;
> goto parse_multistate;
>
> case sIgnoreUserKnownHosts:
> intptr = &options->ignore_user_known_hosts;
>- goto parse_flag;
>+ parse_flag:
>+ multistate_ptr = multistate_flag;
>+ goto parse_multistate;
>
> case sHostbasedAuthentication:
> intptr = &options->hostbased_authentication;
>@@ -2473,6 +2480,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
> M_CP_INTOPT(kbd_interactive_authentication);
> M_CP_INTOPT(permit_root_login);
> M_CP_INTOPT(permit_empty_passwd);
>+ M_CP_INTOPT(ignore_rhosts);
>
> M_CP_INTOPT(allow_tcp_forwarding);
> M_CP_INTOPT(allow_streamlocal_forwarding);
>@@ -2627,6 +2635,8 @@ fmt_intarg(ServerOpCodes code, int val)
> return fmt_multistate_int(val, multistate_tcpfwd);
> case sAllowStreamLocalForwarding:
> return fmt_multistate_int(val, multistate_tcpfwd);
>+ case sIgnoreRhosts:
>+ return fmt_multistate_int(val, multistate_ignore_rhosts);
> case sFingerprintHash:
> return ssh_digest_alg_name(val);
> default:
>diff --git a/servconf.h b/servconf.h
>index 4202a2d02..ed545c6bc 100644
>--- a/servconf.h
>+++ b/servconf.h
>@@ -38,6 +38,11 @@
> #define PERMITOPEN_ANY 0
> #define PERMITOPEN_NONE -2
>
>+/* IgnoreRhosts */
>+#define IGNORE_RHOSTS_NO 0
>+#define IGNORE_RHOSTS_YES 1
>+#define IGNORE_RHOSTS_SHOSTS 2
>+
> #define DEFAULT_AUTH_FAIL_MAX 6 /* Default for MaxAuthTries */
> #define DEFAULT_SESSIONS_MAX 10 /* Default for MaxSessions */
>
>diff --git a/sshd_config.5 b/sshd_config.5
>index 70ccea449..b40c9127a 100644
>--- a/sshd_config.5
>+++ b/sshd_config.5
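Review bot: The new `/* IgnoreRhosts */` comment in the servconf.h hunk does not say that `IGNORE_RHOSTS_NO` and `IGNORE_RHOSTS_YES` keep the old boolean encoding of 0 and 1. Code outside this diff that still assigns or tests a plain 0/1 for `ignore_rhosts` presumably depends on that, so a later renumbering could silently change which per-user files are trusted. I would extend the comment to `/* IgnoreRhosts: NO/YES keep the former 0/1 flag values; SHOSTS ignores .rhosts but honours .shosts */`. If the default for `ignore_rhosts` is set with a literal elsewhere (not visible here), it would read better as `IGNORE_RHOSTS_YES`.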
>@@ -778,19 +778,32 @@ rsa-sha2-512,rsa-sha2-256,ssh-rsa
> The list of available key types may also be obtained using
> .Qq ssh -Q HostKeyAlgorithms .
> .It Cm IgnoreRhosts
>-Specifies that
>+Specifies whether to ignore per-user
> .Pa .rhosts
> and
> .Pa .shosts
>-files will not be used in
>+files during
> .Cm HostbasedAuthentication .
>-.Pp
>+The system-wide
> .Pa /etc/hosts.equiv
> and
> .Pa /etc/shosts.equiv
>-are still used.
>-The default is
>-.Cm yes .
>+are still used regardless of this setting.
>+.Pp
>+Accepted values are
>+.Cm yes
>+(the default) to ignore all per-user files,
>+.Cm shosts-only
>+to allow the use of
>+.Pa .shosts
>+but to ignore
>+.Pa .rhosts
>+or
>+.Cm no
>+to allow both
>+.Pa .shosts
>+and
>+.Pa rhosts.
> .It Cm IgnoreUserKnownHosts
> Specifies whether
> .Xr sshd 8
>@@ -1162,6 +1175,7 @@ Available keywords are
> .Cm HostbasedAcceptedKeyTypes ,
> .Cm HostbasedAuthentication ,
> .Cm HostbasedUsesNameFromPacketOnly ,
>+.Cm IgnoreRhosts ,
> .Cm Include ,
> .Cm IPQoS ,
> .Cm KbdInteractiveAuthentication ,
Flags:
dtucker
:
ok+