authorDamien Miller <djm@cvs.openbsd.org>2020-04-17 03:30:06 +0000
committerDamien Miller <djm@cvs.openbsd.org>2020-04-17 03:30:06 +0000
commit40a6f00b351e52bbc155980cd25cf023d71ddfc1 (patch)
tree181d4f95a50fc519adf37010d92b127f35a4b19e /usr.bin/ssh
parent0609bb2e430b50f14d5c1b4a4efc8854b8af92a6 (diff)
make IgnoreRhosts a tri-state option: "yes" ignores rhosts/shosts,
"no" allows rhosts/shosts, or (new) "shosts-only" allows .shosts files but not .rhosts. ok dtucker@
Diffstat (limited to 'usr.bin/ssh')
-rw-r--r--usr.bin/ssh/auth-rhosts.c6
-rw-r--r--usr.bin/ssh/servconf.c17
-rw-r--r--usr.bin/ssh/servconf.h7
-rw-r--r--usr.bin/ssh/sshd_config.527
4 files changed, 43 insertions, 14 deletions
diff --git a/usr.bin/ssh/auth-rhosts.c b/usr.bin/ssh/auth-rhosts.c
index b8402597d34..89d3f2ae35e 100644
--- a/usr.bin/ssh/auth-rhosts.c
+++ b/usr.bin/ssh/auth-rhosts.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth-rhosts.c,v 1.51 2019/10/02 00:42:30 djm Exp $ */
+/* $OpenBSD: auth-rhosts.c,v 1.52 2020/04/17 03:30:05 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -294,7 +294,9 @@ auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname,
* Check if we have been configured to ignore .rhosts
* and .shosts files.
*/
- if (options.ignore_rhosts) {
+ if (options.ignore_rhosts == IGNORE_RHOSTS_YES ||
+ (options.ignore_rhosts == IGNORE_RHOSTS_SHOSTS &&
+ strcmp(rhosts_files[rhosts_file_index], ".shosts") != 0)) {
auth_debug_add("Server has been configured to "
"ignore %.100s.", rhosts_files[rhosts_file_index]);
continue;
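Review bot: The comment directly above the new condition, `Check if we have been configured to ignore .rhosts and .shosts files.`, is now stale: the condition also implements the shosts-only mode, in which `.rhosts` is skipped but `.shosts` is still consulted. Suggest rewording it to `Check whether we have been configured to ignore this file: "yes" skips both .rhosts and .shosts, "shosts-only" skips only .rhosts.` The shosts-only branch also depends on rhosts_files[] spelling the entry exactly as ".shosts"; a short note on that coupling next to the strcmp would help the next reader. auth_rhosts2 begins and continues outside this hunk.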
diff --git a/usr.bin/ssh/servconf.c b/usr.bin/ssh/servconf.c
index 213667fadf0..c279e722be6 100644
--- a/usr.bin/ssh/servconf.c
+++ b/usr.bin/ssh/servconf.c
@@ -1,5 +1,5 @@
-/* $OpenBSD: servconf.c,v 1.362 2020/04/17 03:23:13 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.363 2020/04/17 03:30:05 djm Exp $ */
/*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
@@ -1152,6 +1152,12 @@ static const struct multistate multistate_flag[] = {
{ "no", 0 },
{ NULL, -1 }
};
+static const struct multistate multistate_ignore_rhosts[] = {
+ { "yes", IGNORE_RHOSTS_YES },
+ { "no", IGNORE_RHOSTS_NO },
+ { "shosts-only", IGNORE_RHOSTS_SHOSTS },
+ { NULL, -1 }
+};
static const struct multistate multistate_addressfamily[] = {
{ "inet", AF_INET },
{ "inet6", AF_INET6 },
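Review bot: The new multistate_ignore_rhosts table, like the IGNORE_RHOSTS_* definitions in the servconf.h hunk, records nowhere that "no" and "yes" must keep the 0/1 values of the boolean encoding the option used before. The option's initial and default assignments are not part of this commit and presumably still use integer literals (not visible here), so a later renumbering of the constants would silently change the effective default. Suggest `/* values must match IGNORE_RHOSTS_* in servconf.h; "no"/"yes" keep the legacy 0/1 flag encoding so existing initializers stay valid */` above the table, and, if the default is assigned with a literal outside this diff, switching it to IGNORE_RHOSTS_YES.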
@@ -1395,13 +1401,14 @@ process_server_config_line_depth(ServerOptions *options, char *line,
case sIgnoreRhosts:
intptr = &options->ignore_rhosts;
- parse_flag:
- multistate_ptr = multistate_flag;
+ multistate_ptr = multistate_ignore_rhosts;
goto parse_multistate;
case sIgnoreUserKnownHosts:
intptr = &options->ignore_user_known_hosts;
- goto parse_flag;
+ parse_flag:
+ multistate_ptr = multistate_flag;
+ goto parse_multistate;
case sHostbasedAuthentication:
intptr = &options->hostbased_authentication;
@@ -2561,6 +2568,8 @@ fmt_intarg(ServerOpCodes code, int val)
return fmt_multistate_int(val, multistate_tcpfwd);
case sAllowStreamLocalForwarding:
return fmt_multistate_int(val, multistate_tcpfwd);
+ case sIgnoreRhosts:
+ return fmt_multistate_int(val, multistate_ignore_rhosts);
case sFingerprintHash:
return ssh_digest_alg_name(val);
default:
diff --git a/usr.bin/ssh/servconf.h b/usr.bin/ssh/servconf.h
index b96dad833d1..337c01a9cab 100644
--- a/usr.bin/ssh/servconf.h
+++ b/usr.bin/ssh/servconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.h,v 1.143 2020/01/31 22:42:45 djm Exp $ */
+/* $OpenBSD: servconf.h,v 1.144 2020/04/17 03:30:05 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -38,6 +38,11 @@
#define PERMITOPEN_ANY 0
#define PERMITOPEN_NONE -2
+/* IgnoreRhosts */
+#define IGNORE_RHOSTS_NO 0
+#define IGNORE_RHOSTS_YES 1
+#define IGNORE_RHOSTS_SHOSTS 2
+
#define DEFAULT_AUTH_FAIL_MAX 6 /* Default for MaxAuthTries */
#define DEFAULT_SESSIONS_MAX 10 /* Default for MaxSessions */
diff --git a/usr.bin/ssh/sshd_config.5 b/usr.bin/ssh/sshd_config.5
index ad89136e792..a73d095d178 100644
--- a/usr.bin/ssh/sshd_config.5
+++ b/usr.bin/ssh/sshd_config.5
@@ -33,7 +33,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd_config.5,v 1.308 2020/04/17 03:23:13 djm Exp $
+.\" $OpenBSD: sshd_config.5,v 1.309 2020/04/17 03:30:05 djm Exp $
.Dd $Mdocdate: April 17 2020 $
.Dt SSHD_CONFIG 5
.Os
@@ -780,19 +780,32 @@ rsa-sha2-512,rsa-sha2-256,ssh-rsa
The list of available key types may also be obtained using
.Qq ssh -Q HostKeyAlgorithms .
.It Cm IgnoreRhosts
-Specifies that
+Specifies whether to ignore per-user
.Pa .rhosts
and
.Pa .shosts
-files will not be used in
+files during
.Cm HostbasedAuthentication .
-.Pp
+The system-wide
.Pa /etc/hosts.equiv
and
.Pa /etc/shosts.equiv
-are still used.
-The default is
-.Cm yes .
+are still used regardless of this setting.
+.Pp
+Accepted values are
+.Cm yes
+(the default) to ignore all per-user files,
+.Cm shosts-only
+to allow the use of
+.Pa .shosts
+but to ignore
+.Pa .rhosts
+or
+.Cm no
+to allow both
+.Pa .shosts
+and
+.Pa rhosts.
.It Cm IgnoreUserKnownHosts
Specifies whether
.Xr sshd 8