upstream: make IgnoreRhosts a tri-state option: "yes" ignores

rhosts/shosts, "no" allows rhosts/shosts, and (new) "shosts-only" allows
.shosts files but not .rhosts. ok dtucker@

OpenBSD-Commit-ID: d08d6930ed06377a80cf53923c1955e9589342e9
djm@openbsd.org 2020-04-17 03:30:05 +00:00 committed by Damien Miller
parent 321c714707
commit c90f72d29e
4 changed files with 43 additions and 14 deletions


@ -1,4 +1,4 @@
/* $OpenBSD: auth-rhosts.c,v 1.51 2019/10/02 00:42:30 djm Exp $ */ /* $OpenBSD: auth-rhosts.c,v 1.52 2020/04/17 03:30:05 djm Exp $ */
/* /*
* Author: Tatu Ylonen <ylo@cs.hut.fi> * Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -298,7 +298,9 @@ auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname,
* Check if we have been configured to ignore .rhosts * Check if we have been configured to ignore .rhosts
* and .shosts files. * and .shosts files.
*/ */
if (options.ignore_rhosts) { if (options.ignore_rhosts == IGNORE_RHOSTS_YES ||
(options.ignore_rhosts == IGNORE_RHOSTS_SHOSTS &&
strcmp(rhosts_files[rhosts_file_index], ".shosts") != 0)) {
auth_debug_add("Server has been configured to " auth_debug_add("Server has been configured to "
"ignore %.100s.", rhosts_files[rhosts_file_index]); "ignore %.100s.", rhosts_files[rhosts_file_index]);
continue; continue;
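Review bot: The comment immediately above the new condition still says the server has been configured to ignore `.rhosts` and `.shosts` files, but the condition now also implements the shosts-only mode, in which `.shosts` is consulted and only `.rhosts` is skipped; the comment should be updated, e.g. `* Check if we have been configured to ignore .rhosts and .shosts files (IgnoreRhosts yes), or only .rhosts (shosts-only).` The shosts-only branch identifies the file by `strcmp(rhosts_files[rhosts_file_index], ".shosts")`, so it depends on the exact spelling of that entry in `rhosts_files`, which is not visible in this hunk; a mismatch would fail closed (the file is simply ignored), which is the safe direction, but a short comment at the table noting the dependency would prevent a silent regression. auth_rhosts2 begins before this hunk and the enclosing loop over `rhosts_files` continues after it.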


@ -1,5 +1,5 @@
/* $OpenBSD: servconf.c,v 1.362 2020/04/17 03:23:13 djm Exp $ */ /* $OpenBSD: servconf.c,v 1.363 2020/04/17 03:30:05 djm Exp $ */
/* /*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved * All rights reserved
@ -1213,6 +1213,12 @@ static const struct multistate multistate_flag[] = {
{ "no", 0 }, { "no", 0 },
{ NULL, -1 } { NULL, -1 }
}; };
static const struct multistate multistate_ignore_rhosts[] = {
{ "yes", IGNORE_RHOSTS_YES },
{ "no", IGNORE_RHOSTS_NO },
{ "shosts-only", IGNORE_RHOSTS_SHOSTS },
{ NULL, -1 }
};
static const struct multistate multistate_addressfamily[] = { static const struct multistate multistate_addressfamily[] = {
{ "inet", AF_INET }, { "inet", AF_INET },
{ "inet6", AF_INET6 }, { "inet6", AF_INET6 },
@ -1462,13 +1468,14 @@ process_server_config_line_depth(ServerOptions *options, char *line,
case sIgnoreRhosts: case sIgnoreRhosts:
intptr = &options->ignore_rhosts; intptr = &options->ignore_rhosts;
parse_flag: multistate_ptr = multistate_ignore_rhosts;
multistate_ptr = multistate_flag;
goto parse_multistate; goto parse_multistate;
case sIgnoreUserKnownHosts: case sIgnoreUserKnownHosts:
intptr = &options->ignore_user_known_hosts; intptr = &options->ignore_user_known_hosts;
goto parse_flag; parse_flag:
multistate_ptr = multistate_flag;
goto parse_multistate;
case sHostbasedAuthentication: case sHostbasedAuthentication:
intptr = &options->hostbased_authentication; intptr = &options->hostbased_authentication;
@ -2628,6 +2635,8 @@ fmt_intarg(ServerOpCodes code, int val)
return fmt_multistate_int(val, multistate_tcpfwd); return fmt_multistate_int(val, multistate_tcpfwd);
case sAllowStreamLocalForwarding: case sAllowStreamLocalForwarding:
return fmt_multistate_int(val, multistate_tcpfwd); return fmt_multistate_int(val, multistate_tcpfwd);
case sIgnoreRhosts:
return fmt_multistate_int(val, multistate_ignore_rhosts);
case sFingerprintHash: case sFingerprintHash:
return ssh_digest_alg_name(val); return ssh_digest_alg_name(val);
default: default:
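Review bot: The new `multistate_ignore_rhosts` table carries no comment tying its values to the `IGNORE_RHOSTS_*` constants, and the `"yes"`/`"no"` entries are now the only place where the old boolean spelling of the option survives; a one-line comment above the table would make the coupling explicit, e.g. `/* IgnoreRhosts: values are IGNORE_RHOSTS_* (servconf.h); yes/no keep the former 1/0 */`. The matching `sIgnoreRhosts` case added to `fmt_intarg` is the right companion change, since without it `sshd -T` would have no name to print for the third state; it is worth a comment there as well so the two tables are kept in step. The `parse_flag:` label now lives under `sIgnoreUserKnownHosts`, which is fine as long as every remaining `goto parse_flag` still refers to a plain yes/no option, which cannot be confirmed from this hunk.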


@ -1,4 +1,4 @@
/* $OpenBSD: servconf.h,v 1.143 2020/01/31 22:42:45 djm Exp $ */ /* $OpenBSD: servconf.h,v 1.144 2020/04/17 03:30:05 djm Exp $ */
/* /*
* Author: Tatu Ylonen <ylo@cs.hut.fi> * Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -38,6 +38,11 @@
#define PERMITOPEN_ANY 0 #define PERMITOPEN_ANY 0
#define PERMITOPEN_NONE -2 #define PERMITOPEN_NONE -2
/* IgnoreRhosts */
#define IGNORE_RHOSTS_NO 0
#define IGNORE_RHOSTS_YES 1
#define IGNORE_RHOSTS_SHOSTS 2
#define DEFAULT_AUTH_FAIL_MAX 6 /* Default for MaxAuthTries */ #define DEFAULT_AUTH_FAIL_MAX 6 /* Default for MaxAuthTries */
#define DEFAULT_SESSIONS_MAX 10 /* Default for MaxSessions */ #define DEFAULT_SESSIONS_MAX 10 /* Default for MaxSessions */
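Review bot: The new `IGNORE_RHOSTS_NO`/`IGNORE_RHOSTS_YES` constants reuse the 0/1 values of the former boolean option, and that equivalence appears to be load-bearing: if the default for `ignore_rhosts` is still assigned as a bare `1` elsewhere in servconf.c (not visible here), it only means "yes" because `IGNORE_RHOSTS_YES` happens to be 1. A comment next to the defines should record this so nobody renumbers them, e.g. `/* NO/YES must stay 0/1: the option used to be a boolean and defaults elsewhere may still rely on that. */`. The file's existing convention of `#define` for such constants (`PERMITOPEN_*`) is followed, so no change of form is needed.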


@ -33,7 +33,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\" .\"
.\" $OpenBSD: sshd_config.5,v 1.308 2020/04/17 03:23:13 djm Exp $ .\" $OpenBSD: sshd_config.5,v 1.309 2020/04/17 03:30:05 djm Exp $
.Dd $Mdocdate: April 17 2020 $ .Dd $Mdocdate: April 17 2020 $
.Dt SSHD_CONFIG 5 .Dt SSHD_CONFIG 5
.Os .Os
@ -778,19 +778,32 @@ rsa-sha2-512,rsa-sha2-256,ssh-rsa
The list of available key types may also be obtained using The list of available key types may also be obtained using
.Qq ssh -Q HostKeyAlgorithms . .Qq ssh -Q HostKeyAlgorithms .
.It Cm IgnoreRhosts .It Cm IgnoreRhosts
Specifies that Specifies whether to ignore per-user
.Pa .rhosts .Pa .rhosts
and and
.Pa .shosts .Pa .shosts
files will not be used in files during
.Cm HostbasedAuthentication . .Cm HostbasedAuthentication .
.Pp The system-wide
.Pa /etc/hosts.equiv .Pa /etc/hosts.equiv
and and
.Pa /etc/shosts.equiv .Pa /etc/shosts.equiv
are still used. are still used regardless of this setting.
The default is .Pp
.Cm yes . Accepted values are
.Cm yes
(the default) to ignore all per-user files,
.Cm shosts-only
to allow the use of
.Pa .shosts
but to ignore
.Pa .rhosts
or
.Cm no
to allow both
.Pa .shosts
and
.Pa rhosts.
.It Cm IgnoreUserKnownHosts .It Cm IgnoreUserKnownHosts
Specifies whether Specifies whether
.Xr sshd 8 .Xr sshd 8