Bug 3148

Summary: Unable to perform host-based authentication as root if "IgnoreRhosts" is set to "yes" on server configuration
Product: Portable OpenSSH Reporter: Anderson Medeiros Gomes <amg1127>
Component: sshdAssignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED FIXED    
Severity: normal CC: ahmedsayeed1982, amg1127, djm, dtucker
Priority: P5    
Version: 8.2p1   
Hardware: amd64   
OS: Linux   
Bug Depends on:    
Bug Blocks: 3117    
Attachments:
Description Flags
/etc/ssh/sshd_config
none
/etc/ssh/ssh_config
none
OpenSSH server log
none
OpenSSH client log
none
allow IgnoreRhosts to appear in a Match block
dtucker: ok+
IgnoreRhosts=shosts-only dtucker: ok+

Description Anderson Medeiros Gomes 2020-04-14 17:25:36 AEST 
Created attachment 3376 [details]
/etc/ssh/sshd_config

Dear OpenSSH maintainers,

While I was answering a question in Unix & Linux Stack Exchange ( https://unix.stackexchange.com/a/579762/158359 ), I identified that OpenSSH is not able to perform host-based authentication as superuser if "IgnoreRhosts yes" is set in "/etc/ssh/sshd_config" file.

Although host-based authentication as superuser might sound unsafe, it may be useful in scenarios like the one described in my answer, where "AuthenticationMethods" parameter is set to "hostbased,publickey" because an administrator wants OpenSSH server to authenticate client hosts before allowing users connecting from those machines to authenticate themselves.

The problem can be reproduced with a couple of Arch Linux containers in Docker and terminal windows running concurrently. To do so, ensure that configuration files attached to this report have been saved into "/tmp" directory.

-------------------------------------------
----------- Terminal window #1 ------------

[root@workstation ~]# docker run --rm --tty --interactive --name ssh-client --hostname ssh-client --ip 172.17.0.4 --add-host ssh-server:172.17.0.5 --volume /tmp/ssh_config:/etc/ssh/ssh_config archlinux/base:latest

[root@ssh-client ~]# pacman -Sy --noconfirm openssh vim man less iproute2 iputils bind-tools grep psmisc

[root@ssh-client ~]# ssh-keygen -A

[root@ssh-client ~]# useradd -U -m sshuser

[root@ssh-client ~]# /usr/sbin/sshd -De

-------------------------------------------
----------- Terminal window #2 ------------

[root@workstation ~]# docker run --rm --tty --interactive --name ssh-server --hostname ssh-server --ip 172.17.0.5 --add-host ssh-client:172.17.0.4 --volume /tmp/sshd_config:/etc/ssh/sshd_config archlinux/base:latest

[root@ssh-server ~]# pacman -Sy --noconfirm openssh vim man less iproute2 iputils bind-tools grep psmisc

[root@ssh-server ~]# ssh-keygen -A

[root@ssh-server ~]# useradd -U -m sshuser

[root@ssh-server ~]# echo -e 'sshuser:sshpassword\nroot:sshpassword' | chpasswd

[root@ssh-server ~]# echo ssh-client > /etc/ssh/shosts.equiv

[root@ssh-server ~]# ssh-keyscan ssh-client > /etc/ssh/ssh_known_hosts

[root@ssh-server ~]# /usr/sbin/sshd -De

-------------------------------------------
----------- Terminal window #1 ------------

(press CTRL+C to quit the running SSH daemon)

[root@ssh-client ~]# ssh ssh-server
root@ssh-server: Permission denied (hostbased).

[root@ssh-client ~]# su - sshuser

[sshuser@ssh-client ~]$ ssh ssh-server
sshuser@ssh-server's password: sshpassword
Last login: Tue Apr 14 05:51:42 2020 from 172.29.0.5
[sshuser@ssh-server ~]$ exit

-------------------------------------------
-------------------------------------------

I could not find any documentation snippet declaring that host-based authentication of the root user is blocked. The relevant snippets in "man(1) ssh" and "man(5) sshd_config" are:


-----------------------------------
----------- man(1) ssh ------------

AUTHENTICATION

The OpenSSH SSH client supports SSH protocol 2.

The methods available for authentication are: GSSAPI-based authentication, host-based authentication, public key authentication, challenge-response authentication, and password authentication.  Authentication methods are tried in the order specified above, though PreferredAuthentications can be used to change the default order.

Host-based authentication works as follows: If the machine the user logs in from is listed in /etc/hosts.equiv or /etc/ssh/shosts.equiv on the remote machine, and the user names are the same on both sides, or if the files ~/.rhosts or ~/.shosts exist in the user's home directory on the remote machine and contain a line containing the name of the client machine and the name of the user on that machine, the user is considered for login.  Additionally, the server must be able to verify the client's host key (see the description of /etc/ssh/ssh_known_hosts and ~/.ssh/known_hosts, below) for login to be permitted.  This authentication method closes security holes due to IP spoofing, DNS spoofing, and routing spoofing.  [Note to the administrator: /etc/hosts.equiv, ~/.rhosts, and the rlogin/rsh protocol in general, are inherently insecure and should be disabled if security is desired.]

-------------------------------------------
----------- man(5) sshd_config ------------

IgnoreRhosts

Specifies that .rhosts and .shosts files will not be used in HostbasedAuthentication.

/etc/hosts.equiv and /etc/ssh/shosts.equiv are still used.  The default is yes.
Comment 1 Anderson Medeiros Gomes 2020-04-14 17:26:12 AEST 
Created attachment 3377 [details]
/etc/ssh/ssh_config
Comment 2 Anderson Medeiros Gomes 2020-04-14 17:31:57 AEST 
According to my source code analysis, two code blocks written in file "/src/usr.bin/ssh/auth-rhosts.c" ( https://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/src/usr.bin/ssh/auth-rhosts.c?rev=1.51 ) are explicitly preventing root user from authenticating itself via host-based method.

This code block, which starts at line 226 and is declared inside function "auth_rhosts2", prevents parsing of "/etc/ssh/shosts.equiv" if "root" is the user being authenticated:

--------------------------------
	/*
	 * If not logging in as superuser, try /etc/hosts.equiv and
	 * shosts.equiv.
	 */
	if (pw->pw_uid == 0)
		debug3("%s: root user, ignoring system hosts files", __func__);
	else {
		if (check_rhosts_file(_PATH_RHOSTS_EQUIV, hostname, ipaddr,
		    client_user, pw->pw_name)) {
			auth_debug_add("Accepted for %.100s [%.100s] by "
			    "/etc/hosts.equiv.", hostname, ipaddr);
			return 1;
		}
		if (check_rhosts_file(_PATH_SSH_HOSTS_EQUIV, hostname, ipaddr,
		    client_user, pw->pw_name)) {
			auth_debug_add("Accepted for %.100s [%.100s] by "
			    "%.100s.", hostname, ipaddr, _PATH_SSH_HOSTS_EQUIV);
			return 1;
		}
	}

--------------------------------

And this code block, starting at line 293, prevents parsing of "/root/.shosts" file if "IgnoreRhost yes" is set in "/etc/ssh/sshd_config". As a result, host-based authentication as root will fail even if a systems administrator creates in "/root/.shosts" a symbolic link targeting to "/etc/ssh/shosts.equiv" as a workaround.

--------------------------------
		/*
		 * Check if we have been configured to ignore .rhosts
		 * and .shosts files.
		 */
		if (options.ignore_rhosts) {
			auth_debug_add("Server has been configured to "
			    "ignore %.100s.", rhosts_files[rhosts_file_index]);
			continue;
		}
--------------------------------
Comment 3 Anderson Medeiros Gomes 2020-04-14 17:41:43 AEST 
Created attachment 3378 [details]
OpenSSH server log
Comment 4 Anderson Medeiros Gomes 2020-04-14 17:42:11 AEST 
Created attachment 3379 [details]
OpenSSH client log
Comment 5 Damien Miller 2020-04-14 21:35:59 AEST 
Created attachment 3380 [details]
allow IgnoreRhosts to appear in a Match block

I don't think we want to change the current behaviour of refusing root for /etc/hosts.equiv as that is likely to be surprising, so I think the easiest way around this is to allow IgnoreRhosts to appear in a Match block. Then you'll be able to do something like:

IgnoreRhosts yes
HostbasedAuthentication yes

Match user root
    IgnoreRhosts no

to enable .shosts just for root
Comment 6 Damien Miller 2020-04-14 21:54:59 AEST 
Created attachment 3381 [details]
IgnoreRhosts=shosts-only

While I'm in there, fix something else that has annoyed me for a while: make IgnoreRhosts a tri-state option to allow admins to ban .rhosts but permit .shosts (which AFAIK isn't shared with terrible IP-trusting crypto-free horrors from the ancient world)
Comment 7 Anderson Medeiros Gomes 2020-04-14 22:29:41 AEST 
Ok. The proposed solution sounds good to me. Thanks, Damien.

Although sole host-based authentication for superuser is a bad security practice, I think that OpenSSH should be sufficiently flexible to allow such configuration and fit specific needs. I know that my request sounds weird.

Please, could the documentation be patched to in order to clarify that refusing host-based root login is intentional? I propose something like this:

-------------------------------------------
----------- man(5) sshd_config ------------

HostbasedAuthentication

Specifies whether rhosts or /etc/hosts.equiv authentication together with successful public key client host authentication is allowed (host-based authentication).  /etc/hosts.equiv is always ignored for host-based superuser authentication. The default is no.
Comment 8 Damien Miller 2020-04-17 13:36:35 AEST 
These have been committed, along with a note in ssh(1) mentioning that [s]hosts.equiv does not apply to root. They will be in the OpenSSH 8.3 release. Thanks!
Comment 9 Damien Miller 2021-03-04 09:52:20 AEDT 
close bugs that were resolved in OpenSSH 8.5 release cycle
Comment 10 Ahmed Sayeed 2021-10-14 01:41:45 AEDT 
[spam removed]