From 26efc2f5df0e3bcf6a6bbdd0506fd682d60c2145 Mon Sep 17 00:00:00 2001 From: "dtucker@openbsd.org" Date: Mon, 16 Jul 2018 11:05:41 +0000 Subject: [PATCH] upstream: Remove support for loading HostBasedAuthentication keys directly in ssh(1) and always use ssh-keysign. This removes one of the few remaining reasons why ssh(1) might be setuid. ok markus@ OpenBSD-Commit-ID: 97f01e1448707129a20d75f86bad5d27c3cf0b7d --- ssh.c | 35 +++++------------------------------ sshconnect.h | 3 +-- sshconnect2.c | 10 +++------- 3 files changed, 9 insertions(+), 39 deletions(-) diff --git a/ssh.c b/ssh.c index 3367e9137..33d7ea2ba 100644 --- a/ssh.c +++ b/ssh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.c,v 1.484 2018/07/16 07:06:50 djm Exp $ */ +/* $OpenBSD: ssh.c,v 1.485 2018/07/16 11:05:41 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1411,16 +1411,12 @@ main(int ac, char **av) debug3("timeout: %d ms remain after connect", timeout_ms); /* - * If we successfully made the connection, load the host private key - * in case we will need it later for hostbased - * authentication. This must be done before releasing extra - * privileges, because the file is only readable by root. - * If we cannot access the private keys, load the public keys - * instead and try to execute the ssh-keysign helper instead. + * If we successfully made the connection and we have hostbased auth + * enabled, load the public keys so we can later use the ssh-keysign + * helper to sign challenges. */ sensitive_data.nkeys = 0; sensitive_data.keys = NULL; - sensitive_data.external_keysign = 0; if (options.hostbased_authentication) { sensitive_data.nkeys = 11; sensitive_data.keys = xcalloc(sensitive_data.nkeys, @@ -1439,27 +1435,7 @@ main(int ac, char **av) #define L_CERT(p,o) \ check_load(sshkey_load_cert(p, &(sensitive_data.keys[o])), p, "cert") - PRIV_START; - L_KEYCERT(KEY_ECDSA, _PATH_HOST_ECDSA_KEY_FILE, 1); - L_KEYCERT(KEY_ED25519, _PATH_HOST_ED25519_KEY_FILE, 2); - L_KEYCERT(KEY_RSA, _PATH_HOST_RSA_KEY_FILE, 3); - L_KEYCERT(KEY_DSA, _PATH_HOST_DSA_KEY_FILE, 4); - L_KEY(KEY_ECDSA, _PATH_HOST_ECDSA_KEY_FILE, 5); - L_KEY(KEY_ED25519, _PATH_HOST_ED25519_KEY_FILE, 6); - L_KEY(KEY_RSA, _PATH_HOST_RSA_KEY_FILE, 7); - L_KEY(KEY_DSA, _PATH_HOST_DSA_KEY_FILE, 8); - L_KEYCERT(KEY_XMSS, _PATH_HOST_XMSS_KEY_FILE, 9); - L_KEY(KEY_XMSS, _PATH_HOST_XMSS_KEY_FILE, 10); - PRIV_END; - - if (options.hostbased_authentication == 1 && - sensitive_data.keys[0] == NULL && - sensitive_data.keys[5] == NULL && - sensitive_data.keys[6] == NULL && - sensitive_data.keys[7] == NULL && - sensitive_data.keys[8] == NULL && - sensitive_data.keys[9] == NULL && - sensitive_data.keys[10] == NULL) { + if (options.hostbased_authentication == 1) { L_CERT(_PATH_HOST_ECDSA_KEY_FILE, 1); L_CERT(_PATH_HOST_ED25519_KEY_FILE, 2); L_CERT(_PATH_HOST_RSA_KEY_FILE, 3); @@ -1470,7 +1446,6 @@ main(int ac, char **av) L_PUBKEY(_PATH_HOST_DSA_KEY_FILE, 8); L_CERT(_PATH_HOST_XMSS_KEY_FILE, 9); L_PUBKEY(_PATH_HOST_XMSS_KEY_FILE, 10); - sensitive_data.external_keysign = 1; } } /* diff --git a/sshconnect.h b/sshconnect.h index dd648b096..6bba62ad0 100644 --- a/sshconnect.h +++ b/sshconnect.h @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect.h,v 1.32 2018/02/10 09:25:35 djm Exp $ */ +/* $OpenBSD: sshconnect.h,v 1.33 2018/07/16 11:05:41 dtucker Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. @@ -28,7 +28,6 @@ typedef struct Sensitive Sensitive; struct Sensitive { struct sshkey **keys; int nkeys; - int external_keysign; }; struct addrinfo; diff --git a/sshconnect2.c b/sshconnect2.c index fb90e8afc..7b0e18f28 100644 --- a/sshconnect2.c +++ b/sshconnect2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect2.c,v 1.280 2018/07/11 18:55:11 markus Exp $ */ +/* $OpenBSD: sshconnect2.c,v 1.281 2018/07/16 11:05:41 dtucker Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2008 Damien Miller. All rights reserved. @@ -1990,12 +1990,8 @@ userauth_hostbased(Authctxt *authctxt) #ifdef DEBUG_PK sshbuf_dump(b, stderr); #endif - if (authctxt->sensitive->external_keysign) - r = ssh_keysign(private, &sig, &siglen, - sshbuf_ptr(b), sshbuf_len(b)); - else if ((r = sshkey_sign(private, &sig, &siglen, - sshbuf_ptr(b), sshbuf_len(b), NULL, datafellows)) != 0) - debug("%s: sshkey_sign: %s", __func__, ssh_err(r)); + r = ssh_keysign(private, &sig, &siglen, + sshbuf_ptr(b), sshbuf_len(b)); if (r != 0) { error("sign using hostkey %s %s failed", sshkey_ssh_name(private), fp);