author | Damien Miller <djm@cvs.openbsd.org> | 2020-04-17 03:30:06 +0000 |
---|---|---|
committer | Damien Miller <djm@cvs.openbsd.org> | 2020-04-17 03:30:06 +0000 |
commit | 40a6f00b351e52bbc155980cd25cf023d71ddfc1 (patch) | |
tree | 181d4f95a50fc519adf37010d92b127f35a4b19e /usr.bin/ssh | |
parent | 0609bb2e430b50f14d5c1b4a4efc8854b8af92a6 (diff) |
make IgnoreRhosts a tri-state option: "yes" ignore rhosts/shosts,
"no" allow rhosts/shosts or (new) "shosts-only" to allow .shosts
files but not .rhosts. ok dtucker@
Diffstat (limited to 'usr.bin/ssh')
-rw-r--r-- | usr.bin/ssh/auth-rhosts.c | 6 | ||||
-rw-r--r-- | usr.bin/ssh/servconf.c | 17 | ||||
-rw-r--r-- | usr.bin/ssh/servconf.h | 7 | ||||
-rw-r--r-- | usr.bin/ssh/sshd_config.5 | 27 |
4 files changed, 43 insertions, 14 deletions
diff --git a/usr.bin/ssh/auth-rhosts.c b/usr.bin/ssh/auth-rhosts.c
index b8402597d34..89d3f2ae35e 100644
--- a/usr.bin/ssh/auth-rhosts.c
+++ b/usr.bin/ssh/auth-rhosts.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth-rhosts.c,v 1.51 2019/10/02 00:42:30 djm Exp $ */
+/* $OpenBSD: auth-rhosts.c,v 1.52 2020/04/17 03:30:05 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -294,7 +294,9 @@ auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname,
 	 * Check if we have been configured to ignore .rhosts
 	 * and .shosts files.
 	 */
-	if (options.ignore_rhosts) {
+	if (options.ignore_rhosts == IGNORE_RHOSTS_YES ||
+	    (options.ignore_rhosts == IGNORE_RHOSTS_SHOSTS &&
+	    strcmp(rhosts_files[rhosts_file_index], ".shosts") != 0)) {
 		auth_debug_add("Server has been configured to "
 		    "ignore %.100s.", rhosts_files[rhosts_file_index]);
 		continue;
diff --git a/usr.bin/ssh/servconf.c b/usr.bin/ssh/servconf.c
index 213667fadf0..c279e722be6 100644
--- a/usr.bin/ssh/servconf.c
+++ b/usr.bin/ssh/servconf.c
@@ -1,5 +1,5 @@
-/* $OpenBSD: servconf.c,v 1.362 2020/04/17 03:23:13 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.363 2020/04/17 03:30:05 djm Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  * All rights reserved
@@ -1152,6 +1152,12 @@ static const struct multistate multistate_flag[] = {
 	{ "no", 0 },
 	{ NULL, -1 }
 };
+static const struct multistate multistate_ignore_rhosts[] = {
+	{ "yes", IGNORE_RHOSTS_YES },
+	{ "no", IGNORE_RHOSTS_NO },
+	{ "shosts-only", IGNORE_RHOSTS_SHOSTS },
+	{ NULL, -1 }
+};
 static const struct multistate multistate_addressfamily[] = {
 	{ "inet", AF_INET },
 	{ "inet6", AF_INET6 },
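Review bot: The comment directly above the changed condition in auth_rhosts2 still says the server was configured to ignore both .rhosts and .shosts, which no longer describes the shosts-only branch added beneath it; I would reword it to `* Skip this file if IgnoreRhosts is "yes", or if it is "shosts-only" and this entry is not .shosts.` The new test also keys on the literal string ".shosts" in rhosts_files rather than on the table index, so it would silently stop matching if that table entry were ever renamed; a short note at the rhosts_files definition, which is outside this hunk, would guard against that. auth_rhosts2 begins and ends outside the hunk.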
@@ -1395,13 +1401,14 @@ process_server_config_line_depth(ServerOptions *options, char *line,
 
 	case sIgnoreRhosts:
 		intptr = &options->ignore_rhosts;
-	parse_flag:
-		multistate_ptr = multistate_flag;
+		multistate_ptr = multistate_ignore_rhosts;
 		goto parse_multistate;
 
 	case sIgnoreUserKnownHosts:
 		intptr = &options->ignore_user_known_hosts;
-		goto parse_flag;
+	parse_flag:
+		multistate_ptr = multistate_flag;
+		goto parse_multistate;
 
 	case sHostbasedAuthentication:
 		intptr = &options->hostbased_authentication;
@@ -2561,6 +2568,8 @@ fmt_intarg(ServerOpCodes code, int val)
 		return fmt_multistate_int(val, multistate_tcpfwd);
 	case sAllowStreamLocalForwarding:
 		return fmt_multistate_int(val, multistate_tcpfwd);
+	case sIgnoreRhosts:
+		return fmt_multistate_int(val, multistate_ignore_rhosts);
 	case sFingerprintHash:
 		return ssh_digest_alg_name(val);
 	default:
diff --git a/usr.bin/ssh/servconf.h b/usr.bin/ssh/servconf.h
index b96dad833d1..337c01a9cab 100644
--- a/usr.bin/ssh/servconf.h
+++ b/usr.bin/ssh/servconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.h,v 1.143 2020/01/31 22:42:45 djm Exp $ */
+/* $OpenBSD: servconf.h,v 1.144 2020/04/17 03:30:05 djm Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -38,6 +38,11 @@
 #define PERMITOPEN_ANY		0
 #define PERMITOPEN_NONE		-2
 
+/* IgnoreRhosts */
+#define IGNORE_RHOSTS_NO	0
+#define IGNORE_RHOSTS_YES	1
+#define IGNORE_RHOSTS_SHOSTS	2
+
 #define DEFAULT_AUTH_FAIL_MAX	6	/* Default for MaxAuthTries */
 #define DEFAULT_SESSIONS_MAX	10	/* Default for MaxSessions */
 
diff --git a/usr.bin/ssh/sshd_config.5 b/usr.bin/ssh/sshd_config.5
index ad89136e792..a73d095d178 100644
--- a/usr.bin/ssh/sshd_config.5
+++ b/usr.bin/ssh/sshd_config.5
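Review bot: The shared `parse_flag:` label now sits inside the sIgnoreUserKnownHosts case of process_server_config_line_depth, and nothing at that spot tells a reader that the other plain yes/no options still jump there; `/* parse_flag: shared entry for every plain yes/no option */` above the label would keep it from being mistaken for something local to that case. process_server_config_line_depth starts and ends outside the hunk.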
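Review bot: The three IGNORE_RHOSTS_* definitions added to servconf.h carry only a bare `/* IgnoreRhosts */` and do not say that NO=0 and YES=1 are deliberately chosen to match the previous boolean encoding of ignore_rhosts, which is what lets existing initialisation of that field (not visible here) keep meaning "yes"; `/* IgnoreRhosts: NO/YES keep the legacy 0/1 flag values; SHOSTS allows .shosts but not .rhosts */` would make that dependency explicit. Because the secure default survives only through that numeric match, the default-filling code in servconf.c is worth checking to confirm it still assigns a value equal to IGNORE_RHOSTS_YES.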
@@ -33,7 +33,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.308 2020/04/17 03:23:13 djm Exp $
+.\" $OpenBSD: sshd_config.5,v 1.309 2020/04/17 03:30:05 djm Exp $
 .Dd $Mdocdate: April 17 2020 $
 .Dt SSHD_CONFIG 5
 .Os
@@ -780,19 +780,32 @@ rsa-sha2-512,rsa-sha2-256,ssh-rsa
 The list of available key types may also be obtained using
 .Qq ssh -Q HostKeyAlgorithms .
 .It Cm IgnoreRhosts
-Specifies that
+Specifies whether to ignore per-user
 .Pa .rhosts
 and
 .Pa .shosts
-files will not be used in
+files during
 .Cm HostbasedAuthentication .
-.Pp
+The system-wide
 .Pa /etc/hosts.equiv
 and
 .Pa /etc/shosts.equiv
-are still used.
-The default is
-.Cm yes .
+are still used regardless of this setting.
+.Pp
+Accepted values are
+.Cm yes
+(the default) to ignore all per-user files,
+.Cm shosts-only
+to allow the use of
+.Pa .shosts
+but to ignore
+.Pa .rhosts
+or
+.Cm no
+to allow both
+.Pa .shosts
+and
+.Pa rhosts.
 .It Cm IgnoreUserKnownHosts
 Specifies whether
 .Xr sshd 8