- markus@cvs.openbsd.org 2003/08/13 08:46:31

[auth1.c readconf.c readconf.h servconf.c servconf.h ssh.c ssh_config
     ssh_config.5 sshconnect1.c sshd.8 sshd.c sshd_config sshd_config.5]
     remove RhostsAuthentication; suggested by djm@ before; ok djm@, deraadt@,
     fgsch@, miod@, henning@, jakob@ and others

ChangeLog

@@ -5,6 +5,11 @@
      [session.c]
      use more portable tcsendbreak(3) and ignore break_length;
      ok deraadt, millert
+   - markus@cvs.openbsd.org 2003/08/13 08:46:31
+     [auth1.c readconf.c readconf.h servconf.c servconf.h ssh.c ssh_config
+     ssh_config.5 sshconnect1.c sshd.8 sshd.c sshd_config sshd_config.5]
+     remove RhostsAuthentication; suggested by djm@ before; ok djm@, deraadt@,
+     fgsch@, miod@, henning@, jakob@ and others
 
 20030811
  - (dtucker) OpenBSD CVS Sync
@@ -823,4 +828,4 @@
  - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo.
    Report from murple@murple.net, diagnosis from dtucker@zip.com.au
 
-$Id: ChangeLog,v 1.2890 2003/08/13 10:31:05 dtucker Exp $
+$Id: ChangeLog,v 1.2891 2003/08/13 10:37:05 dtucker Exp $

auth1.c

@@ -10,7 +10,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth1.c,v 1.49 2003/07/22 13:35:22 markus Exp $");
+RCSID("$OpenBSD: auth1.c,v 1.50 2003/08/13 08:46:30 markus Exp $");
 
 #include "xmalloc.h"
 #include "rsa.h"
@@ -160,26 +160,6 @@ do_authloop(Authctxt *authctxt)
 			break;
 #endif
 
-		case SSH_CMSG_AUTH_RHOSTS:
-			if (!options.rhosts_authentication) {
-				verbose("Rhosts authentication disabled.");
-				break;
-			}
-			/*
-			 * Get client user name.  Note that we just have to
-			 * trust the client; this is one reason why rhosts
-			 * authentication is insecure. (Another is
-			 * IP-spoofing on a local network.)
-			 */
-			client_user = packet_get_string(&ulen);
-			packet_check_eom();
-
-			/* Try to authenticate using /etc/hosts.equiv and .rhosts. */
-			authenticated = auth_rhosts(pw, client_user);
-
-			snprintf(info, sizeof info, " ruser %.100s", client_user);
-			break;
-
 		case SSH_CMSG_AUTH_RHOSTS_RSA:
 			if (!options.rhosts_rsa_authentication) {
 				verbose("Rhosts with RSA authentication disabled.");

readconf.c

@@ -12,7 +12,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: readconf.c,v 1.115 2003/07/22 13:35:22 markus Exp $");
+RCSID("$OpenBSD: readconf.c,v 1.116 2003/08/13 08:46:30 markus Exp $");
 
 #include "ssh.h"
 #include "xmalloc.h"
@@ -57,7 +57,6 @@ RCSID("$OpenBSD: readconf.c,v 1.115 2003/07/22 13:35:22 markus Exp $");
    Host fascist.blob.com
      Port 23123
      User tylonen
-     RhostsAuthentication no
      PasswordAuthentication no
 
    Host puukko.hut.fi
@@ -75,7 +74,6 @@ RCSID("$OpenBSD: readconf.c,v 1.115 2003/07/22 13:35:22 markus Exp $");
    Host *
      ForwardAgent no
      ForwardX11 no
-     RhostsAuthentication yes
      PasswordAuthentication yes
      RSAAuthentication yes
      RhostsRSAAuthentication yes
@@ -91,7 +89,7 @@ RCSID("$OpenBSD: readconf.c,v 1.115 2003/07/22 13:35:22 markus Exp $");
 
 typedef enum {
 	oBadOption,
-	oForwardAgent, oForwardX11, oGatewayPorts, oRhostsAuthentication,
+	oForwardAgent, oForwardX11, oGatewayPorts,
 	oPasswordAuthentication, oRSAAuthentication,
 	oChallengeResponseAuthentication, oXAuthLocation,
 	oKerberosAuthentication, oKerberosTgtPassing,
@@ -122,7 +120,7 @@ static struct {
 	{ "xauthlocation", oXAuthLocation },
 	{ "gatewayports", oGatewayPorts },
 	{ "useprivilegedport", oUsePrivilegedPort },
-	{ "rhostsauthentication", oRhostsAuthentication },
+	{ "rhostsauthentication", oDeprecated },
 	{ "passwordauthentication", oPasswordAuthentication },
 	{ "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
 	{ "kbdinteractivedevices", oKbdInteractiveDevices },
@@ -351,10 +349,6 @@ parse_flag:
 		intptr = &options->use_privileged_port;
 		goto parse_flag;
 
-	case oRhostsAuthentication:
-		intptr = &options->rhosts_authentication;
-		goto parse_flag;
-
 	case oPasswordAuthentication:
 		intptr = &options->password_authentication;
 		goto parse_flag;
@@ -814,7 +808,6 @@ initialize_options(Options * options)
 	options->xauth_location = NULL;
 	options->gateway_ports = -1;
 	options->use_privileged_port = -1;
-	options->rhosts_authentication = -1;
 	options->rsa_authentication = -1;
 	options->pubkey_authentication = -1;
 	options->challenge_response_authentication = -1;
@@ -884,8 +877,6 @@ fill_default_options(Options * options)
 		options->gateway_ports = 0;
 	if (options->use_privileged_port == -1)
 		options->use_privileged_port = 0;
-	if (options->rhosts_authentication == -1)
-		options->rhosts_authentication = 0;
 	if (options->rsa_authentication == -1)
 		options->rsa_authentication = 1;
 	if (options->pubkey_authentication == -1)

readconf.h

@@ -1,4 +1,4 @@
-/*	$OpenBSD: readconf.h,v 1.52 2003/07/22 13:35:22 markus Exp $	*/
+/*	$OpenBSD: readconf.h,v 1.53 2003/08/13 08:46:30 markus Exp $	*/
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -33,7 +33,6 @@ typedef struct {
 	char   *xauth_location;	/* Location for xauth program */
 	int     gateway_ports;	/* Allow remote connects to forwarded ports. */
 	int     use_privileged_port;	/* Don't use privileged port if false. */
-	int     rhosts_authentication;	/* Try rhosts authentication. */
 	int     rhosts_rsa_authentication;	/* Try rhosts with RSA
 						 * authentication. */
 	int     rsa_authentication;	/* Try RSA authentication. */

servconf.c

@@ -10,7 +10,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: servconf.c,v 1.123 2003/07/22 13:35:22 markus Exp $");
+RCSID("$OpenBSD: servconf.c,v 1.124 2003/08/13 08:46:30 markus Exp $");
 
 #include "ssh.h"
 #include "log.h"
@@ -64,7 +64,6 @@ initialize_server_options(ServerOptions *options)
 	options->keepalives = -1;
 	options->log_facility = SYSLOG_FACILITY_NOT_SET;
 	options->log_level = SYSLOG_LEVEL_NOT_SET;
-	options->rhosts_authentication = -1;
 	options->rhosts_rsa_authentication = -1;
 	options->hostbased_authentication = -1;
 	options->hostbased_uses_name_from_packet_only = -1;
@@ -165,8 +164,6 @@ fill_default_server_options(ServerOptions *options)
 		options->log_facility = SYSLOG_FACILITY_AUTH;
 	if (options->log_level == SYSLOG_LEVEL_NOT_SET)
 		options->log_level = SYSLOG_LEVEL_INFO;
-	if (options->rhosts_authentication == -1)
-		options->rhosts_authentication = 0;
 	if (options->rhosts_rsa_authentication == -1)
 		options->rhosts_rsa_authentication = 0;
 	if (options->hostbased_authentication == -1)
@@ -248,7 +245,7 @@ typedef enum {
 	/* Standard Options */
 	sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
 	sPermitRootLogin, sLogFacility, sLogLevel,
-	sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
+	sRhostsRSAAuthentication, sRSAAuthentication,
 	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
 	sKerberosTgtPassing, sChallengeResponseAuthentication,
 	sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
@@ -288,7 +285,7 @@ static struct {
 	{ "permitrootlogin", sPermitRootLogin },
 	{ "syslogfacility", sLogFacility },
 	{ "loglevel", sLogLevel },
-	{ "rhostsauthentication", sRhostsAuthentication },
+	{ "rhostsauthentication", sDeprecated },
 	{ "rhostsrsaauthentication", sRhostsRSAAuthentication },
 	{ "hostbasedauthentication", sHostbasedAuthentication },
 	{ "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly },
@@ -589,10 +586,6 @@ parse_flag:
 		intptr = &options->ignore_user_known_hosts;
 		goto parse_flag;
 
-	case sRhostsAuthentication:
-		intptr = &options->rhosts_authentication;
-		goto parse_flag;
-
 	case sRhostsRSAAuthentication:
 		intptr = &options->rhosts_rsa_authentication;
 		goto parse_flag;

servconf.h

@@ -1,4 +1,4 @@
-/*	$OpenBSD: servconf.h,v 1.62 2003/07/22 13:35:22 markus Exp $	*/
+/*	$OpenBSD: servconf.h,v 1.63 2003/08/13 08:46:30 markus Exp $	*/
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -65,8 +65,6 @@ typedef struct {
 	int     gateway_ports;	/* If true, allow remote connects to forwarded ports. */
 	SyslogFacility log_facility;	/* Facility for system logging. */
 	LogLevel log_level;	/* Level for system logging. */
-	int     rhosts_authentication;	/* If true, permit rhosts
-					 * authentication. */
 	int     rhosts_rsa_authentication;	/* If true, permit rhosts RSA
 						 * authentication. */
 	int     hostbased_authentication;	/* If true, permit ssh2 hostbased auth */

ssh.c

@@ -40,7 +40,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: ssh.c,v 1.198 2003/07/22 13:35:22 markus Exp $");
+RCSID("$OpenBSD: ssh.c,v 1.199 2003/08/13 08:46:30 markus Exp $");
 
 #include <openssl/evp.h>
 #include <openssl/err.h>
@@ -600,19 +600,7 @@ again:
 	    strcmp(options.proxy_command, "none") == 0)
 		options.proxy_command = NULL;
 
-	/* Disable rhosts authentication if not running as root. */
-#ifdef HAVE_CYGWIN
-	/* Ignore uid if running under Windows */
-	if (!options.use_privileged_port) {
-#else
-	if (original_effective_uid != 0 || !options.use_privileged_port) {
-#endif
-		debug("Rhosts Authentication disabled, "
-		    "originating port will not be trusted.");
-		options.rhosts_authentication = 0;
-	}
 	/* Open a connection to the remote host. */
-
 	if (ssh_connect(host, &hostaddr, options.port,
 	    options.address_family, options.connection_attempts,
 #ifdef HAVE_CYGWIN

ssh_config

@@ -1,4 +1,4 @@
-#	$OpenBSD: ssh_config,v 1.18 2003/05/16 03:27:12 djm Exp $
+#	$OpenBSD: ssh_config,v 1.19 2003/08/13 08:46:31 markus Exp $
 
 # This is the ssh client system-wide configuration file.  See
 # ssh_config(5) for more information.  This file provides defaults for
@@ -18,7 +18,6 @@
 # Host *
 #   ForwardAgent no
 #   ForwardX11 no
-#   RhostsAuthentication no
 #   RhostsRSAAuthentication no
 #   RSAAuthentication yes
 #   PasswordAuthentication yes

ssh_config.5

@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.16 2003/07/22 13:35:22 markus Exp $
+.\" $OpenBSD: ssh_config.5,v 1.17 2003/08/13 08:46:31 markus Exp $
 .Dd September 25, 1999
 .Dt SSH_CONFIG 5
 .Os
@@ -529,26 +529,6 @@ IPv6 addresses can be specified with an alternative syntax:
 Multiple forwardings may be specified, and additional
 forwardings can be given on the command line.
 Only the superuser can forward privileged ports.
-.It Cm RhostsAuthentication
-Specifies whether to try rhosts based authentication.
-Note that this
-declaration only affects the client side and has no effect whatsoever
-on security.
-Most servers do not permit RhostsAuthentication because it
-is not secure (see
-.Cm RhostsRSAAuthentication ) .
-The argument to this keyword must be
-.Dq yes
-or
-.Dq no .
-The default is
-.Dq no .
-This option applies to protocol version 1 only and requires
-.Nm ssh
-to be setuid root and
-.Cm UsePrivilegedPort
-to be set to
-.Dq yes .
 .It Cm RhostsRSAAuthentication
 Specifies whether to try rhosts based authentication with RSA host
 authentication.
@@ -629,11 +609,9 @@ If set to
 must be setuid root.
 Note that this option must be set to
 .Dq yes
-if
-.Cm RhostsAuthentication
-and
+for
 .Cm RhostsRSAAuthentication
-authentications are needed with older servers.
+with older servers.
 .It Cm User
 Specifies the user to log in as.
 This can be useful when a different user name is used on different machines.

sshconnect1.c

@@ -13,7 +13,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect1.c,v 1.54 2003/07/22 13:35:22 markus Exp $");
+RCSID("$OpenBSD: sshconnect1.c,v 1.55 2003/08/13 08:46:31 markus Exp $");
 
 #include <openssl/bn.h>
 #include <openssl/md5.h>
@@ -931,26 +931,6 @@ ssh_userauth1(const char *local_user, const char *server_user, char *host,
 	}
 #endif /* KRB5 */
 
-	/*
-	 * Use rhosts authentication if running in privileged socket and we
-	 * do not wish to remain anonymous.
-	 */
-	if ((supported_authentications & (1 << SSH_AUTH_RHOSTS)) &&
-	    options.rhosts_authentication) {
-		debug("Trying rhosts authentication.");
-		packet_start(SSH_CMSG_AUTH_RHOSTS);
-		packet_put_cstring(local_user);
-		packet_send();
-		packet_write_wait();
-
-		/* The server should respond with success or failure. */
-		type = packet_read();
-		if (type == SSH_SMSG_SUCCESS)
-			goto success;
-		if (type != SSH_SMSG_FAILURE)
-			packet_disconnect("Protocol error: got %d in response to rhosts auth",
-					  type);
-	}
 	/*
 	 * Try .rhosts or /etc/hosts.equiv authentication with RSA host
 	 * authentication.

sshd.8

@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.198 2003/06/10 09:12:12 jmc Exp $
+.\" $OpenBSD: sshd.8,v 1.199 2003/08/13 08:46:31 markus Exp $
 .Dd September 25, 1999
 .Dt SSHD 8
 .Os
@@ -292,7 +292,6 @@ may also be used to prevent
 from making DNS requests unless the authentication
 mechanism or configuration requires it.
 Authentication mechanisms that may require DNS include
-.Cm RhostsAuthentication ,
 .Cm RhostsRSAAuthentication ,
 .Cm HostbasedAuthentication
 and using a

sshd.c

@@ -42,7 +42,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: sshd.c,v 1.274 2003/07/22 13:35:22 markus Exp $");
+RCSID("$OpenBSD: sshd.c,v 1.275 2003/08/13 08:46:31 markus Exp $");
 
 #include <openssl/dh.h>
 #include <openssl/bn.h>
@@ -1462,20 +1462,7 @@ main(int ac, char **av)
 		alarm(options.login_grace_time);
 
 	sshd_exchange_identification(sock_in, sock_out);
-	/*
-	 * Check that the connection comes from a privileged port.
-	 * Rhosts-Authentication only makes sense from privileged
-	 * programs.  Of course, if the intruder has root access on his local
-	 * machine, he can connect from any port.  So do not use these
-	 * authentication methods from machines that you do not trust.
-	 */
-	if (options.rhosts_authentication &&
-	    (remote_port >= IPPORT_RESERVED ||
-	    remote_port < IPPORT_RESERVED / 2)) {
-		debug("Rhosts Authentication disabled, "
-		    "originating port %d not trusted.", remote_port);
-		options.rhosts_authentication = 0;
-	}
+
 #ifdef KRB5
 	if (!packet_connection_is_ipv4() &&
 	    options.kerberos_authentication) {
@@ -1643,8 +1630,6 @@ do_ssh1_kex(void)
 
 	/* Declare supported authentication types. */
 	auth_mask = 0;
-	if (options.rhosts_authentication)
-		auth_mask |= 1 << SSH_AUTH_RHOSTS;
 	if (options.rhosts_rsa_authentication)
 		auth_mask |= 1 << SSH_AUTH_RHOSTS_RSA;
 	if (options.rsa_authentication)

sshd_config

@@ -1,4 +1,4 @@
-#	$OpenBSD: sshd_config,v 1.62 2003/07/23 07:42:43 markus Exp $
+#	$OpenBSD: sshd_config,v 1.63 2003/08/13 08:46:31 markus Exp $
 
 # This is the sshd server system-wide configuration file.  See
 # sshd_config(5) for more information.
@@ -40,10 +40,6 @@
 #PubkeyAuthentication yes
 #AuthorizedKeysFile	.ssh/authorized_keys
 
-# rhosts authentication should not be used
-#RhostsAuthentication no
-# Don't read the user's ~/.rhosts and ~/.shosts files
-#IgnoreRhosts yes
 # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
 #RhostsRSAAuthentication no
 # similar for protocol version 2
@@ -51,6 +47,8 @@
 # Change to yes if you don't trust ~/.ssh/known_hosts for
 # RhostsRSAAuthentication and HostbasedAuthentication
 #IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
 
 # To disable tunneled clear text passwords, change to no here!
 #PasswordAuthentication yes

sshd_config.5

@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.21 2003/07/22 13:35:22 markus Exp $
+.\" $OpenBSD: sshd_config.5,v 1.22 2003/08/13 08:46:31 markus Exp $
 .Dd September 25, 1999
 .Dt SSHD_CONFIG 5
 .Os
@@ -260,7 +260,6 @@ Specifies that
 and
 .Pa .shosts
 files will not be used in
-.Cm RhostsAuthentication ,
 .Cm RhostsRSAAuthentication
 or
 .Cm HostbasedAuthentication .
@@ -529,10 +528,6 @@ Specifies whether public key authentication is allowed.
 The default is
 .Dq yes .
 Note that this option applies to protocol version 2 only.
-.It Cm RhostsAuthentication
-Specifies whether authentication using rhosts or /etc/hosts.equiv
-files is sufficient.
-Normally, this method should not be permitted because it is insecure.
 .Cm RhostsRSAAuthentication
 should be used
 instead, because it performs RSA-based host authentication in addition