Bugzilla – Attachment 888 Details for Bug 623: ssh, ssh-keygen and possibly others do not honour $HOME (or ~ for that matter)
[patch] Don't pretend we accept $HOME
ssh-HOME.diff (text/plain), 19.86 KB, created by Damien Miller on 2005-04-21 15:50:45 AEST
>Nothing in openssh uses the $HOME environment variable, so don't pretend >that we do. Ok? > >(bugzilla #623) > >-d > >Index: ssh-add.1 >=================================================================== >RCS file: /cvs/src/usr.bin/ssh/ssh-add.1,v >retrieving revision 1.42 >diff -u -p -r1.42 ssh-add.1 >--- ssh-add.1 1 Mar 2005 17:32:19 -0000 1.42 >+++ ssh-add.1 21 Apr 2005 05:48:08 -0000 >@@ -57,10 +57,10 @@ > adds RSA or DSA identities to the authentication agent, > .Xr ssh-agent 1 . > When run without arguments, it adds the files >-.Pa $HOME/.ssh/id_rsa , >-.Pa $HOME/.ssh/id_dsa >+.Pa ~/.ssh/id_rsa , >+.Pa ~/.ssh/id_dsa > and >-.Pa $HOME/.ssh/identity . >+.Pa ~/.ssh/identity . > Alternative file names can be given on the command line. > If any file requires a passphrase, > .Nm >@@ -142,11 +142,11 @@ agent. > .El > .Sh FILES > .Bl -tag -width Ds >-.It Pa $HOME/.ssh/identity >+.It Pa ~/.ssh/identity > Contains the protocol version 1 RSA authentication identity of the user. >-.It Pa $HOME/.ssh/id_dsa >+.It Pa ~/.ssh/id_dsa > Contains the protocol version 2 DSA authentication identity of the user. >-.It Pa $HOME/.ssh/id_rsa >+.It Pa ~/.ssh/id_rsa > Contains the protocol version 2 RSA authentication identity of the user. > .El > .Pp >Index: ssh-agent.1 >=================================================================== >RCS file: /cvs/src/usr.bin/ssh/ssh-agent.1,v >retrieving revision 1.41 >diff -u -p -r1.41 ssh-agent.1 >--- ssh-agent.1 11 Jul 2004 17:48:47 -0000 1.41 >+++ ssh-agent.1 21 Apr 2005 05:48:08 -0000 >@@ -111,10 +111,10 @@ Keys are added using > When executed without arguments, > .Xr ssh-add 1 > adds the files >-.Pa $HOME/.ssh/id_rsa , >-.Pa $HOME/.ssh/id_dsa >+.Pa ~/.ssh/id_rsa , >+.Pa ~/.ssh/id_dsa > and >-.Pa $HOME/.ssh/identity . >+.Pa ~/.ssh/identity . > If the identity has a passphrase, > .Xr ssh-add 1 > asks for the passphrase (using a small X11 application if running 
>@@ -179,11 +179,11 @@ The agent exits automatically when the c > line terminates. > .Sh FILES > .Bl -tag -width Ds >-.It Pa $HOME/.ssh/identity >+.It Pa ~/.ssh/identity > Contains the protocol version 1 RSA authentication identity of the user. >-.It Pa $HOME/.ssh/id_dsa >+.It Pa ~/.ssh/id_dsa > Contains the protocol version 2 DSA authentication identity of the user. >-.It Pa $HOME/.ssh/id_rsa >+.It Pa ~/.ssh/id_rsa > Contains the protocol version 2 RSA authentication identity of the user. > .It Pa /tmp/ssh-XXXXXXXX/agent.<ppid> > Unix-domain sockets used to contain the connection to the >Index: ssh-keygen.1 >=================================================================== >RCS file: /cvs/src/usr.bin/ssh/ssh-keygen.1,v >retrieving revision 1.67 >diff -u -p -r1.67 ssh-keygen.1 >--- ssh-keygen.1 14 Mar 2005 10:09:03 -0000 1.67 >+++ ssh-keygen.1 21 Apr 2005 05:48:08 -0000 >@@ -129,10 +129,10 @@ section for details. > Normally each user wishing to use SSH > with RSA or DSA authentication runs this once to create the authentication > key in >-.Pa $HOME/.ssh/identity , >-.Pa $HOME/.ssh/id_dsa >+.Pa ~/.ssh/identity , >+.Pa ~/.ssh/id_dsa > or >-.Pa $HOME/.ssh/id_rsa . >+.Pa ~/.ssh/id_rsa . > Additionally, the system administrator may use this to generate host keys, > as seen in > .Pa /etc/rc . >@@ -381,7 +381,7 @@ It is important that this file contains > that both ends of a connection share common moduli. > .Sh FILES > .Bl -tag -width Ds >-.It Pa $HOME/.ssh/identity >+.It Pa ~/.ssh/identity > Contains the protocol version 1 RSA authentication identity of the user. > This file should not be readable by anyone but the user. > It is possible to 
>@@ -392,14 +392,14 @@ This file is not automatically accessed > but it is offered as the default file for the private key. > .Xr ssh 1 > will read this file when a login attempt is made. >-.It Pa $HOME/.ssh/identity.pub >+.It Pa ~/.ssh/identity.pub > Contains the protocol version 1 RSA public key for authentication. > The contents of this file should be added to >-.Pa $HOME/.ssh/authorized_keys >+.Pa ~/.ssh/authorized_keys > on all machines > where the user wishes to log in using RSA authentication. > There is no need to keep the contents of this file secret. >-.It Pa $HOME/.ssh/id_dsa >+.It Pa ~/.ssh/id_dsa > Contains the protocol version 2 DSA authentication identity of the user. > This file should not be readable by anyone but the user. > It is possible to >@@ -410,14 +410,14 @@ This file is not automatically accessed > but it is offered as the default file for the private key. > .Xr ssh 1 > will read this file when a login attempt is made. >-.It Pa $HOME/.ssh/id_dsa.pub >+.It Pa ~/.ssh/id_dsa.pub > Contains the protocol version 2 DSA public key for authentication. > The contents of this file should be added to >-.Pa $HOME/.ssh/authorized_keys >+.Pa ~/.ssh/authorized_keys > on all machines > where the user wishes to log in using public key authentication. > There is no need to keep the contents of this file secret. >-.It Pa $HOME/.ssh/id_rsa >+.It Pa ~/.ssh/id_rsa > Contains the protocol version 2 RSA authentication identity of the user. > This file should not be readable by anyone but the user. > It is possible to 
>@@ -428,10 +428,10 @@ This file is not automatically accessed > but it is offered as the default file for the private key. > .Xr ssh 1 > will read this file when a login attempt is made. >-.It Pa $HOME/.ssh/id_rsa.pub >+.It Pa ~/.ssh/id_rsa.pub > Contains the protocol version 2 RSA public key for authentication. > The contents of this file should be added to >-.Pa $HOME/.ssh/authorized_keys >+.Pa ~/.ssh/authorized_keys > on all machines > where the user wishes to log in using public key authentication. > There is no need to keep the contents of this file secret. >Index: ssh.1 >=================================================================== >RCS file: /cvs/src/usr.bin/ssh/ssh.1,v >retrieving revision 1.206 >diff -u -p -r1.206 ssh.1 >--- ssh.1 14 Apr 2005 12:30:30 -0000 1.206 >+++ ssh.1 21 Apr 2005 05:48:09 -0000 >@@ -109,9 +109,9 @@ or > .Pa /etc/shosts.equiv > on the remote machine, and the user names are > the same on both sides, or if the files >-.Pa $HOME/.rhosts >+.Pa ~/.rhosts > or >-.Pa $HOME/.shosts >+.Pa ~/.shosts > exist in the user's home directory on the > remote machine and contain a line containing the name of the client > machine and the name of the user on that machine, the user is >@@ -120,7 +120,7 @@ Additionally, if the server can verify t > host key (see > .Pa /etc/ssh/ssh_known_hosts > and >-.Pa $HOME/.ssh/known_hosts >+.Pa ~/.ssh/known_hosts > in the > .Sx FILES > section), only then is login permitted. >@@ -128,7 +128,7 @@ This authentication method closes securi > spoofing, DNS spoofing and routing spoofing. > [Note to the administrator: > .Pa /etc/hosts.equiv , >-.Pa $HOME/.rhosts , >+.Pa ~/.rhosts , > and the rlogin/rsh protocol in general, are inherently insecure and should be > disabled if security is desired.] > .Pp 
>@@ -144,7 +144,7 @@ key pair for authentication purposes. > The server knows the public key, and only the user knows the private key. > .Pp > The file >-.Pa $HOME/.ssh/authorized_keys >+.Pa ~/.ssh/authorized_keys > lists the public keys that are permitted for logging in. > When the user logs in, the > .Nm >@@ -165,18 +165,18 @@ implements the RSA authentication protoc > The user creates his/her RSA key pair by running > .Xr ssh-keygen 1 . > This stores the private key in >-.Pa $HOME/.ssh/identity >+.Pa ~/.ssh/identity > and stores the public key in >-.Pa $HOME/.ssh/identity.pub >+.Pa ~/.ssh/identity.pub > in the user's home directory. > The user should then copy the > .Pa identity.pub > to >-.Pa $HOME/.ssh/authorized_keys >+.Pa ~/.ssh/authorized_keys > in his/her home directory on the remote machine (the > .Pa authorized_keys > file corresponds to the conventional >-.Pa $HOME/.rhosts >+.Pa ~/.rhosts > file, and has one key > per line, though the lines can be very long). > After this, the user can log in without giving the password. >@@ -206,12 +206,12 @@ password authentication are tried. > The public key method is similar to RSA authentication described > in the previous section and allows the RSA or DSA algorithm to be used: > The client uses his private key, >-.Pa $HOME/.ssh/id_dsa >+.Pa ~/.ssh/id_dsa > or >-.Pa $HOME/.ssh/id_rsa , >+.Pa ~/.ssh/id_rsa , > to sign the session identifier and sends the result to the server. > The server checks whether the matching public key is listed in >-.Pa $HOME/.ssh/authorized_keys >+.Pa ~/.ssh/authorized_keys > and grants access if both the key is found and the signature is correct. > The session identifier is derived from a shared Diffie-Hellman value > and is only known to the client and the server. 
>@@ -365,7 +365,7 @@ electronic purse; another is going throu > automatically maintains and checks a database containing > identifications for all hosts it has ever been used with. > Host keys are stored in >-.Pa $HOME/.ssh/known_hosts >+.Pa ~/.ssh/known_hosts > in the user's home directory. > Additionally, the file > .Pa /etc/ssh/ssh_known_hosts >@@ -522,7 +522,7 @@ the system-wide configuration file > .Pq Pa /etc/ssh/ssh_config > will be ignored. > The default for the per-user configuration file is >-.Pa $HOME/.ssh/config . >+.Pa ~/.ssh/config . > .It Fl f > Requests > .Nm >@@ -548,11 +548,11 @@ private RSA key. > Selects a file from which the identity (private key) for > RSA or DSA authentication is read. > The default is >-.Pa $HOME/.ssh/identity >+.Pa ~/.ssh/identity > for protocol version 1, and >-.Pa $HOME/.ssh/id_rsa >+.Pa ~/.ssh/id_rsa > and >-.Pa $HOME/.ssh/id_dsa >+.Pa ~/.ssh/id_dsa > for protocol version 2. > Identity files may also be specified on > a per-host basis in the configuration file. >@@ -941,7 +941,7 @@ Set to the name of the user logging in. > Additionally, > .Nm > reads >-.Pa $HOME/.ssh/environment , >+.Pa ~/.ssh/environment , > and adds lines of the format > .Dq VARNAME=value > to the environment if the file exists and if users are allowed to >@@ -952,13 +952,13 @@ option in > .Xr sshd_config 5 . > .Sh FILES > .Bl -tag -width Ds >-.It Pa $HOME/.ssh/known_hosts >+.It Pa ~/.ssh/known_hosts > Records host keys for all hosts the user has logged into that are not > in > .Pa /etc/ssh/ssh_known_hosts . > See > .Xr sshd 8 . >-.It Pa $HOME/.ssh/identity, $HOME/.ssh/id_dsa, $HOME/.ssh/id_rsa >+.It Pa ~/.ssh/identity, ~/.ssh/id_dsa, ~/.ssh/id_rsa > Contains the authentication identity of the user. > They are for protocol 1 RSA, protocol 2 DSA, and protocol 2 RSA, respectively. > These files 
>@@ -970,21 +970,21 @@ ignores a private key file if it is acce > It is possible to specify a passphrase when > generating the key; the passphrase will be used to encrypt the > sensitive part of this file using 3DES. >-.It Pa $HOME/.ssh/identity.pub, $HOME/.ssh/id_dsa.pub, $HOME/.ssh/id_rsa.pub >+.It Pa ~/.ssh/identity.pub, ~/.ssh/id_dsa.pub, ~/.ssh/id_rsa.pub > Contains the public key for authentication (public part of the > identity file in human-readable form). > The contents of the >-.Pa $HOME/.ssh/identity.pub >+.Pa ~/.ssh/identity.pub > file should be added to the file >-.Pa $HOME/.ssh/authorized_keys >+.Pa ~/.ssh/authorized_keys > on all machines > where the user wishes to log in using protocol version 1 RSA authentication. > The contents of the >-.Pa $HOME/.ssh/id_dsa.pub >+.Pa ~/.ssh/id_dsa.pub > and >-.Pa $HOME/.ssh/id_rsa.pub >+.Pa ~/.ssh/id_rsa.pub > file should be added to >-.Pa $HOME/.ssh/authorized_keys >+.Pa ~/.ssh/authorized_keys > on all machines > where the user wishes to log in using protocol version 2 DSA/RSA authentication. > These files are not >@@ -992,13 +992,13 @@ sensitive and can (but need not) be read > These files are > never used automatically and are not necessary; they are only provided for > the convenience of the user. >-.It Pa $HOME/.ssh/config >+.It Pa ~/.ssh/config > This is the per-user configuration file. > The file format and configuration options are described in > .Xr ssh_config 5 . > Because of the potential for abuse, this file must have strict permissions: > read/write for the user, and not accessible by others. >-.It Pa $HOME/.ssh/authorized_keys >+.It Pa ~/.ssh/authorized_keys > Lists the public keys (RSA/DSA) that can be used for logging in as this user. > The format of this file is described in the > .Xr sshd 8 >@@ -1058,7 +1058,7 @@ be setuid root when that authentication > By default > .Nm > is not setuid root. >-.It Pa $HOME/.rhosts >+.It Pa ~/.rhosts > This file is used in > .Cm RhostsRSAAuthentication > and 
>@@ -1088,12 +1088,12 @@ authentication before permitting log in. > If the server machine does not have the client's host key in > .Pa /etc/ssh/ssh_known_hosts , > it can be stored in >-.Pa $HOME/.ssh/known_hosts . >+.Pa ~/.ssh/known_hosts . > The easiest way to do this is to > connect back to the client from the server machine using ssh; this > will automatically add the host key to >-.Pa $HOME/.ssh/known_hosts . >-.It Pa $HOME/.shosts >+.Pa ~/.ssh/known_hosts . >+.It Pa ~/.shosts > This file is used exactly the same way as > .Pa .rhosts . > The purpose for >@@ -1133,7 +1133,7 @@ when the user logs in just before the us > See the > .Xr sshd 8 > manual page for more information. >-.It Pa $HOME/.ssh/rc >+.It Pa ~/.ssh/rc > Commands in this file are executed by > .Nm > when the user logs in just before the user's shell (or command) is >@@ -1141,7 +1141,7 @@ started. > See the > .Xr sshd 8 > manual page for more information. >-.It Pa $HOME/.ssh/environment >+.It Pa ~/.ssh/environment > Contains additional definitions for environment variables, see section > .Sx ENVIRONMENT > above. >Index: ssh_config.5 >=================================================================== >RCS file: /cvs/src/usr.bin/ssh/ssh_config.5,v >retrieving revision 1.49 >diff -u -p -r1.49 ssh_config.5 >--- ssh_config.5 16 Mar 2005 11:10:38 -0000 1.49 >+++ ssh_config.5 21 Apr 2005 05:48:09 -0000 >@@ -43,7 +43,7 @@ > .Nd OpenSSH SSH client configuration files > .Sh SYNOPSIS > .Bl -tag -width Ds -compact >-.It Pa $HOME/.ssh/config >+.It Pa ~/.ssh/config > .It Pa /etc/ssh/ssh_config > .El > .Sh DESCRIPTION >@@ -55,7 +55,7 @@ the following order: > command-line options > .It > user's configuration file >-.Pq Pa $HOME/.ssh/config >+.Pq Pa ~/.ssh/config > .It > system-wide configuration file > .Pq Pa /etc/ssh/ssh_config 
>@@ -411,7 +411,7 @@ Note that this option applies to protoco > Indicates that > .Nm ssh > should hash host names and addresses when they are added to >-.Pa $HOME/.ssh/known_hosts . >+.Pa ~/.ssh/known_hosts . > These hashed names may be used normally by > .Nm ssh > and >@@ -457,11 +457,11 @@ specifications). > Specifies a file from which the user's RSA or DSA authentication identity > is read. > The default is >-.Pa $HOME/.ssh/identity >+.Pa ~/.ssh/identity > for protocol version 1, and >-.Pa $HOME/.ssh/id_rsa >+.Pa ~/.ssh/id_rsa > and >-.Pa $HOME/.ssh/id_dsa >+.Pa ~/.ssh/id_dsa > for protocol version 2. > Additionally, any identities represented by the authentication agent > will be used for authentication. >@@ -751,7 +751,7 @@ If this flag is set to > .Dq yes , > .Nm ssh > will never automatically add host keys to the >-.Pa $HOME/.ssh/known_hosts >+.Pa ~/.ssh/known_hosts > file, and refuses to connect to hosts whose host key has changed. > This provides maximum protection against trojan horse attacks, > however, can be annoying when the >@@ -823,7 +823,7 @@ having to remember to give the user name > .It Cm UserKnownHostsFile > Specifies a file to use for the user > host key database instead of >-.Pa $HOME/.ssh/known_hosts . >+.Pa ~/.ssh/known_hosts . > .It Cm VerifyHostKeyDNS > Specifies whether to verify the remote key using DNS and SSHFP resource > records. >@@ -856,7 +856,7 @@ The default is > .El > .Sh FILES > .Bl -tag -width Ds >-.It Pa $HOME/.ssh/config >+.It Pa ~/.ssh/config > This is the per-user configuration file. > The format of this file is described above. > This file is used by the >Index: sshd.8 >=================================================================== >RCS file: /cvs/src/usr.bin/ssh/sshd.8,v >retrieving revision 1.206 >diff -u -p -r1.206 sshd.8 >--- sshd.8 1 Mar 2005 14:59:49 -0000 1.206 >+++ sshd.8 21 Apr 2005 05:48:09 -0000 
>@@ -328,7 +328,7 @@ If the login is on a tty, and no command > prints last login time and > .Pa /etc/motd > (unless prevented in the configuration file or by >-.Pa $HOME/.hushlogin ; >+.Pa ~/.hushlogin ; > see the > .Sx FILES > section). >@@ -345,7 +345,7 @@ Changes to run with normal user privileg > Sets up basic environment. > .It > Reads the file >-.Pa $HOME/.ssh/environment , >+.Pa ~/.ssh/environment , > if it exists, and users are allowed to change their environment. > See the > .Cm PermitUserEnvironment >@@ -355,7 +355,7 @@ option in > Changes to user's home directory. > .It > If >-.Pa $HOME/.ssh/rc >+.Pa ~/.ssh/rc > exists, runs it; else if > .Pa /etc/ssh/sshrc > exists, runs >@@ -368,7 +368,7 @@ authentication protocol and cookie in st > Runs user's shell or command. > .El > .Sh AUTHORIZED_KEYS FILE FORMAT >-.Pa $HOME/.ssh/authorized_keys >+.Pa ~/.ssh/authorized_keys > is the default file that lists the public keys that are > permitted for RSA authentication in protocol version 1 > and for public key authentication (PubkeyAuthentication) >@@ -506,7 +506,7 @@ permitopen="10.2.1.55:80",permitopen="10 > The > .Pa /etc/ssh/ssh_known_hosts > and >-.Pa $HOME/.ssh/known_hosts >+.Pa ~/.ssh/known_hosts > files contain host public keys for all known hosts. > The global file should > be prepared by the administrator (optional), and the per-user file is >@@ -617,7 +617,7 @@ listening for connections (if there are > concurrently for different ports, this contains the process ID of the one > started last). > The content of this file is not sensitive; it can be world-readable. >-.It Pa $HOME/.ssh/authorized_keys >+.It Pa ~/.ssh/authorized_keys > Lists the public keys (RSA or DSA) that can be used to log into the user's account. > This file must be readable by root (which may on some machines imply > it being world-readable if the user's home directory resides on an NFS 
>@@ -631,7 +631,7 @@ and/or > .Pa id_rsa.pub > files into this file, as described in > .Xr ssh-keygen 1 . >-.It Pa "/etc/ssh/ssh_known_hosts", "$HOME/.ssh/known_hosts" >+.It Pa "/etc/ssh/ssh_known_hosts", "~/.ssh/known_hosts" > These files are consulted when using rhosts with RSA host > authentication or protocol version 2 hostbased authentication > to check the public key of the host. >@@ -641,12 +641,12 @@ to verify that it is connecting to the c > These files should be writable only by root/the owner. > .Pa /etc/ssh/ssh_known_hosts > should be world-readable, and >-.Pa $HOME/.ssh/known_hosts >+.Pa ~/.ssh/known_hosts > can, but need not be, world-readable. > .It Pa /etc/motd > See > .Xr motd 5 . >-.It Pa $HOME/.hushlogin >+.It Pa ~/.hushlogin > This file is used to suppress printing the last login time and > .Pa /etc/motd , > if >@@ -669,7 +669,7 @@ The file should be world-readable. > Access controls that should be enforced by tcp-wrappers are defined here. > Further details are described in > .Xr hosts_access 5 . >-.It Pa $HOME/.rhosts >+.It Pa ~/.rhosts > This file is used during > .Cm RhostsRSAAuthentication > and >@@ -687,7 +687,7 @@ It is also possible to use netgroups in > Either host or user > name may be of the form +@groupname to specify all hosts or all users > in the group. >-.It Pa $HOME/.shosts >+.It Pa ~/.shosts > For ssh, > this file is exactly the same as for > .Pa .rhosts . >@@ -736,7 +736,7 @@ This is processed exactly as > .Pa /etc/hosts.equiv . > However, this file may be useful in environments that want to run both > rsh/rlogin and ssh. >-.It Pa $HOME/.ssh/environment >+.It Pa ~/.ssh/environment > This file is read into the environment at login (if it exists). > It can only contain empty lines, comment lines (that start with > .Ql # ) , 
>@@ -747,7 +747,7 @@ Environment processing is disabled by de > controlled via the > .Cm PermitUserEnvironment > option. >-.It Pa $HOME/.ssh/rc >+.It Pa ~/.ssh/rc > If this file exists, it is run with > .Pa /bin/sh > after reading the >@@ -792,7 +792,7 @@ This file should be writable only by the > readable by anyone else. > .It Pa /etc/ssh/sshrc > Like >-.Pa $HOME/.ssh/rc . >+.Pa ~/.ssh/rc . > This can be used to specify > machine-specific login-time initializations globally. > This file should be writable only by root, and should be world-readable. >Index: sshd_config.5 >=================================================================== >RCS file: /cvs/src/usr.bin/ssh/sshd_config.5,v >retrieving revision 1.40 >diff -u -p -r1.40 sshd_config.5 >--- sshd_config.5 18 Mar 2005 17:05:00 -0000 1.40 >+++ sshd_config.5 21 Apr 2005 05:48:09 -0000 >@@ -327,7 +327,7 @@ The default is > Specifies whether > .Nm sshd > should ignore the user's >-.Pa $HOME/.ssh/known_hosts >+.Pa ~/.ssh/known_hosts > during > .Cm RhostsRSAAuthentication > or
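Review bot: none of the changed pages says what ~ stands for, for example in ssh.1 at @@ -522,7 ("The default for the per-user configuration file is ~/.ssh/config"). A reader used to shell tilde expansion, which consults $HOME, can still assume the variable is honoured, and that is the assumption this change is meant to remove. Suggest one sentence where the path first appears in each page, or in each FILES section, stating that ~ means the user's home directory and that the HOME environment variable is not consulted.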
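Review bot: in ssh_config.5 at @@ -457,11 (the identity file default) and @@ -823,7 (UserKnownHostsFile), the defaults are now written as ~/.ssh/identity and ~/.ssh/known_hosts, which reads like syntax a user can type as the option's value. The visible context does not say whether a leading ~ is expanded in these values. If the option text outside the hunk does not already state it, add a sentence for each option that takes a path, so the notation in the default and the accepted input agree.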
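Review bot: style point in ssh.1 at @@ -952,13 and @@ -970,21, where the multi-path items keep the comma fused to the path (".It Pa ~/.ssh/identity, ~/.ssh/id_dsa, ~/.ssh/id_rsa"), so the comma becomes part of the .Pa argument. The rest of the patch writes the comma as a separate argument (".Pa ~/.ssh/id_rsa ,"). Since these lines are being rewritten anyway, split the punctuation off here as well; the quoted pair in sshd.8 at @@ -631,7 has the same pattern.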