Bug 3148 - Unable to perform host-based authentication as root if "IgnoreRhosts" is set to "yes" on server configuration
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: sshd
Version: 8.2p1
Hardware: amd64 Linux
Importance: P5 normal
Assignee: Assigned to nobody
Blocks: V_8_3
Reported: 2020-04-14 17:25 AEST by Anderson Medeiros Gomes
Modified: 2021-10-14 01:41 AEDT

Attachments
/etc/ssh/sshd_config (3.17 KB, text/plain)
2020-04-14 17:25 AEST, Anderson Medeiros Gomes
/etc/ssh/ssh_config (1.47 KB, text/plain)
2020-04-14 17:26 AEST, Anderson Medeiros Gomes
OpenSSH server log (40.98 KB, text/plain)
2020-04-14 17:41 AEST, Anderson Medeiros Gomes
OpenSSH client log (25.39 KB, text/plain)
2020-04-14 17:42 AEST, Anderson Medeiros Gomes
allow IgnoreRhosts to appear in a Match block (1.14 KB, patch)
2020-04-14 21:35 AEST, Damien Miller
dtucker: ok+
IgnoreRhosts=shosts-only (4.36 KB, patch)
2020-04-14 21:54 AEST, Damien Miller
dtucker: ok+

Description Anderson Medeiros Gomes 2020-04-14 17:25:36 AEST
Created attachment 3376
/etc/ssh/sshd_config

Dear OpenSSH maintainers,

While I was answering a question in Unix & Linux Stack Exchange ( https://unix.stackexchange.com/a/579762/158359 ), I identified that OpenSSH is not able to perform host-based authentication as superuser if "IgnoreRhosts yes" is set in "/etc/ssh/sshd_config" file.

Although host-based authentication as superuser might sound unsafe, it may be useful in scenarios like the one described in my answer, where "AuthenticationMethods" parameter is set to "hostbased,publickey" because an administrator wants OpenSSH server to authenticate client hosts before allowing users connecting from those machines to authenticate themselves.

The problem can be reproduced with a couple of Arch Linux containers in Docker and terminal windows running concurrently. To do so, ensure that configuration files attached to this report have been saved into "/tmp" directory.

-------------------------------------------
----------- Terminal window #1 ------------

[root@workstation ~]# docker run --rm --tty --interactive --name ssh-client --hostname ssh-client --ip 172.17.0.4 --add-host ssh-server:172.17.0.5 --volume /tmp/ssh_config:/etc/ssh/ssh_config archlinux/base:latest

[root@ssh-client ~]# pacman -Sy --noconfirm openssh vim man less iproute2 iputils bind-tools grep psmisc

[root@ssh-client ~]# ssh-keygen -A

[root@ssh-client ~]# useradd -U -m sshuser

[root@ssh-client ~]# /usr/sbin/sshd -De

-------------------------------------------
----------- Terminal window #2 ------------

[root@workstation ~]# docker run --rm --tty --interactive --name ssh-server --hostname ssh-server --ip 172.17.0.5 --add-host ssh-client:172.17.0.4 --volume /tmp/sshd_config:/etc/ssh/sshd_config archlinux/base:latest

[root@ssh-server ~]# pacman -Sy --noconfirm openssh vim man less iproute2 iputils bind-tools grep psmisc

[root@ssh-server ~]# ssh-keygen -A

[root@ssh-server ~]# useradd -U -m sshuser

[root@ssh-server ~]# echo -e 'sshuser:sshpassword\nroot:sshpassword' | chpasswd

[root@ssh-server ~]# echo ssh-client > /etc/ssh/shosts.equiv

[root@ssh-server ~]# ssh-keyscan ssh-client > /etc/ssh/ssh_known_hosts

[root@ssh-server ~]# /usr/sbin/sshd -De

-------------------------------------------
----------- Terminal window #1 ------------

(press CTRL+C to quit the running SSH daemon)

[root@ssh-client ~]# ssh ssh-server
root@ssh-server: Permission denied (hostbased).

[root@ssh-client ~]# su - sshuser

[sshuser@ssh-client ~]$ ssh ssh-server
sshuser@ssh-server's password: sshpassword
Last login: Tue Apr 14 05:51:42 2020 from 172.29.0.5
[sshuser@ssh-server ~]$ exit

-------------------------------------------
-------------------------------------------

I could not find any documentation snippet declaring that host-based authentication of the root user is blocked. The relevant snippets in "man(1) ssh" and "man(5) sshd_config" are:


-----------------------------------
----------- man(1) ssh ------------

AUTHENTICATION

The OpenSSH SSH client supports SSH protocol 2.

The methods available for authentication are: GSSAPI-based authentication, host-based authentication, public key authentication, challenge-response authentication, and password authentication.  Authentication methods are tried in the order specified above, though PreferredAuthentications can be used to change the default order.

Host-based authentication works as follows: If the machine the user logs in from is listed in /etc/hosts.equiv or /etc/ssh/shosts.equiv on the remote machine, and the user names are the same on both sides, or if the files ~/.rhosts or ~/.shosts exist in the user's home directory on the remote machine and contain a line containing the name of the client machine and the name of the user on that machine, the user is considered for login.  Additionally, the server must be able to verify the client's host key (see the description of /etc/ssh/ssh_known_hosts and ~/.ssh/known_hosts, below) for login to be permitted.  This authentication method closes security holes due to IP spoofing, DNS spoofing, and routing spoofing.  [Note to the administrator: /etc/hosts.equiv, ~/.rhosts, and the rlogin/rsh protocol in general, are inherently insecure and should be disabled if security is desired.]

-------------------------------------------
----------- man(5) sshd_config ------------

IgnoreRhosts

Specifies that .rhosts and .shosts files will not be used in HostbasedAuthentication.

/etc/hosts.equiv and /etc/ssh/shosts.equiv are still used.  The default is yes.
Comment 1 Anderson Medeiros Gomes 2020-04-14 17:26:12 AEST
Created attachment 3377
/etc/ssh/ssh_config
Comment 2 Anderson Medeiros Gomes 2020-04-14 17:31:57 AEST
According to my source code analysis, two code blocks written in file "/src/usr.bin/ssh/auth-rhosts.c" ( https://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/src/usr.bin/ssh/auth-rhosts.c?rev=1.51 ) are explicitly preventing root user from authenticating itself via host-based method.

This code block, which starts at line 226 and is declared inside function "auth_rhosts2", prevents parsing of "/etc/ssh/shosts.equiv" if "root" is the user being authenticated:

--------------------------------
	/*
	 * If not logging in as superuser, try /etc/hosts.equiv and
	 * shosts.equiv.
	 */
	if (pw->pw_uid == 0)
		debug3("%s: root user, ignoring system hosts files", __func__);
	else {
		if (check_rhosts_file(_PATH_RHOSTS_EQUIV, hostname, ipaddr,
		    client_user, pw->pw_name)) {
			auth_debug_add("Accepted for %.100s [%.100s] by "
			    "/etc/hosts.equiv.", hostname, ipaddr);
			return 1;
		}
		if (check_rhosts_file(_PATH_SSH_HOSTS_EQUIV, hostname, ipaddr,
		    client_user, pw->pw_name)) {
			auth_debug_add("Accepted for %.100s [%.100s] by "
			    "%.100s.", hostname, ipaddr, _PATH_SSH_HOSTS_EQUIV);
			return 1;
		}
	}

--------------------------------

And this code block, starting at line 293, prevents parsing of "/root/.shosts" file if "IgnoreRhosts yes" is set in "/etc/ssh/sshd_config". As a result, host-based authentication as root will fail even if a systems administrator creates in "/root/.shosts" a symbolic link targeting "/etc/ssh/shosts.equiv" as a workaround.

--------------------------------
		/*
		 * Check if we have been configured to ignore .rhosts
		 * and .shosts files.
		 */
		if (options.ignore_rhosts) {
			auth_debug_add("Server has been configured to "
			    "ignore %.100s.", rhosts_files[rhosts_file_index]);
			continue;
		}
--------------------------------
Comment 3 Anderson Medeiros Gomes 2020-04-14 17:41:43 AEST
Created attachment 3378
OpenSSH server log
Comment 4 Anderson Medeiros Gomes 2020-04-14 17:42:11 AEST
Created attachment 3379
OpenSSH client log
Comment 5 Damien Miller 2020-04-14 21:35:59 AEST
Created attachment 3380
allow IgnoreRhosts to appear in a Match block

I don't think we want to change the current behaviour of refusing root for /etc/hosts.equiv as that is likely to be surprising, so I think the easiest way around this is to allow IgnoreRhosts to appear in a Match block. Then you'll be able to do something like:

IgnoreRhosts yes
HostbasedAuthentication yes

Match user root
    IgnoreRhosts no

to enable .shosts just for root
Comment 6 Damien Miller 2020-04-14 21:54:59 AEST
Created attachment 3381
IgnoreRhosts=shosts-only

While I'm in there, fix something else that has annoyed me for a while: make IgnoreRhosts a tri-state option to allow admins to ban .rhosts but permit .shosts (which AFAIK isn't shared with terrible IP-trusting crypto-free horrors from the ancient world)
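
The file-selection behaviour described in comments 2, 5 and 6, as an added example that is not OpenSSH source and not taken from the attached patches: a simplified C model of which trust file can accept a host-based login for root and for other users under IgnoreRhosts yes, no and shosts-only. The names trust_files, client, hostbased_file and try_login are hypothetical; host-key verification, file-permission checks and the richer hosts.equiv syntax are left out.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
/* Simplified model of the checks discussed in this bug; not OpenSSH source. */
enum ignore_rhosts { IGNORE_NO, IGNORE_YES, IGNORE_SHOSTS_ONLY };
/* One "host [user]" entry per file; NULL means the file is absent. */
struct trust_files { const char *hosts_equiv, *shosts_equiv, *rhosts, *shosts; };
/* Client host, user on the client, account requested on the server. */
struct client { const char *host, *user, *login; };

/* Host must match; a listed user must equal the client user, else names must be equal. */
static int entry_ok(const char *entry, const struct client *c)
{
	char h[64] = "", u[64] = "";
	if (entry == NULL || sscanf(entry, "%63s %63s", h, u) < 1)
		return 0;
	return strcmp(h, c->host) == 0 && strcmp(u[0] ? u : c->login, c->user) == 0;
}

/* Returns the file that accepted the client, or NULL if none did. */
const char *hostbased_file(uid_t uid, enum ignore_rhosts mode,
    const struct trust_files *f, const struct client *c)
{
	if (uid != 0) {		/* system-wide files are never used for root */
		if (entry_ok(f->hosts_equiv, c))
			return "/etc/hosts.equiv";
		if (entry_ok(f->shosts_equiv, c))
			return "/etc/ssh/shosts.equiv";
	}
	if (mode == IGNORE_YES)	/* per-user files are skipped entirely */
		return NULL;
	if (entry_ok(f->shosts, c))
		return "~/.shosts";
	return (mode == IGNORE_NO && entry_ok(f->rhosts, c)) ? "~/.rhosts" : NULL;
}

/* Constructed scenario: shosts.equiv lists ssh-client; root's ~/.shosts links to it. */
const char *try_login(uid_t uid, const char *user, enum ignore_rhosts mode)
{
	struct trust_files f = { NULL, "ssh-client", NULL, uid ? NULL : "ssh-client" };
	struct client c = { "ssh-client", user, user };
	return hostbased_file(uid, mode, &f, &c);
}

int main(void)
{
	puts(try_login(0, "root", IGNORE_YES) ? "accepted" : "denied");
	return 0;
}
```

With a "Match user root" block setting IgnoreRhosts to no or shosts-only, only root's lookups run in the relaxed mode while every other account keeps the global yes.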
Comment 7 Anderson Medeiros Gomes 2020-04-14 22:29:41 AEST
Ok. The proposed solution sounds good to me. Thanks, Damien.

Although sole host-based authentication for superuser is a bad security practice, I think that OpenSSH should be sufficiently flexible to allow such configuration and fit specific needs. I know that my request sounds weird.

Please, could the documentation be patched in order to clarify that refusing host-based root login is intentional? I propose something like this:

-------------------------------------------
----------- man(5) sshd_config ------------

HostbasedAuthentication

Specifies whether rhosts or /etc/hosts.equiv authentication together with successful public key client host authentication is allowed (host-based authentication).  /etc/hosts.equiv is always ignored for host-based superuser authentication. The default is no.
Comment 8 Damien Miller 2020-04-17 13:36:35 AEST
These have been committed, along with a note in ssh(1) mentioning that [s]hosts.equiv does not apply to root. They will be in the OpenSSH 8.3 release. Thanks!
Comment 9 Damien Miller 2021-03-04 09:52:20 AEDT
close bugs that were resolved in OpenSSH 8.5 release cycle