author | djm@openbsd.org <djm@openbsd.org> | 2020-04-17 03:30:05 +0000 |
committer | Damien Miller <djm@mindrot.org> | 2020-04-17 14:03:36 +1000 |
commit | c90f72d29e84b4a2709078bf5546a72c29a65177 (patch) | |
tree | 58f38f99566d13f7e142c3181878f54e4cd2af21 | |
parent | 321c7147079270f3a154f91b59e66219aac3d514 (diff) | |
download | openssh-git-c90f72d29e84b4a2709078bf5546a72c29a65177.tar.gz |
upstream: make IgnoreRhosts a tri-state option: "yes" ignore
rhosts/shosts, "no" allow rhosts/shosts or (new) "shosts-only" to allow
.shosts files but not .rhosts. ok dtucker@
OpenBSD-Commit-ID: d08d6930ed06377a80cf53923c1955e9589342e9
-rw-r--r-- | auth-rhosts.c | 6 | ||||
-rw-r--r-- | servconf.c | 17 | ||||
-rw-r--r-- | servconf.h | 7 | ||||
-rw-r--r-- | sshd_config.5 | 27 |
4 files changed, 43 insertions, 14 deletions
diff --git a/auth-rhosts.c b/auth-rhosts.c
index 7a10210b..e81321b4 100644
--- a/auth-rhosts.c
+++ b/auth-rhosts.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth-rhosts.c,v 1.51 2019/10/02 00:42:30 djm Exp $ */
+/* $OpenBSD: auth-rhosts.c,v 1.52 2020/04/17 03:30:05 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -298,7 +298,9 @@ auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname,
 * Check if we have been configured to ignore .rhosts
 * and .shosts files.
 */
- if (options.ignore_rhosts) {
+ if (options.ignore_rhosts == IGNORE_RHOSTS_YES ||
+ (options.ignore_rhosts == IGNORE_RHOSTS_SHOSTS &&
+ strcmp(rhosts_files[rhosts_file_index], ".shosts") != 0)) {
 auth_debug_add("Server has been configured to "
 "ignore %.100s.", rhosts_files[rhosts_file_index]);
 continue;
@@ -1,5 +1,5 @@
-/* $OpenBSD: servconf.c,v 1.362 2020/04/17 03:23:13 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.363 2020/04/17 03:30:05 djm Exp $ */
 /*
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 * All rights reserved
@@ -1213,6 +1213,12 @@ static const struct multistate multistate_flag[] = {
 { "no", 0 },
 { NULL, -1 }
 };
+static const struct multistate multistate_ignore_rhosts[] = {
+ { "yes", IGNORE_RHOSTS_YES },
+ { "no", IGNORE_RHOSTS_NO },
+ { "shosts-only", IGNORE_RHOSTS_SHOSTS },
+ { NULL, -1 }
+};
 static const struct multistate multistate_addressfamily[] = {
 { "inet", AF_INET },
 { "inet6", AF_INET6 },
@@ -1462,13 +1468,14 @@ process_server_config_line_depth(ServerOptions *options, char *line,
 case sIgnoreRhosts:
 intptr = &options->ignore_rhosts;
- parse_flag:
- multistate_ptr = multistate_flag;
+ multistate_ptr = multistate_ignore_rhosts;
 goto parse_multistate;
 case sIgnoreUserKnownHosts:
 intptr = &options->ignore_user_known_hosts;
- goto parse_flag;
+ parse_flag:
+ multistate_ptr = multistate_flag;
+ goto parse_multistate;
 case sHostbasedAuthentication:
 intptr = &options->hostbased_authentication;
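Review bot: The new condition in auth_rhosts2 is written as a deny-list — any value of options.ignore_rhosts other than IGNORE_RHOSTS_YES or IGNORE_RHOSTS_SHOSTS, including an unset or otherwise unexpected one, lets both per-user files through — so it would be safer to spell out the two allow cases and fail closed: `if (!(options.ignore_rhosts == IGNORE_RHOSTS_NO ||` / `(options.ignore_rhosts == IGNORE_RHOSTS_SHOSTS &&` / `strcmp(rhosts_files[rhosts_file_index], ".shosts") == 0))) {`. Whether a value outside the three defines can actually reach this point depends on the defaults code, which is not part of this diff. The literal ".shosts" also duplicates an entry of the rhosts_files table defined outside the hunk, so the two must be kept in step. The comment above the check still says the option ignores ".rhosts and .shosts files" and no longer describes the tri-state; suggest `/* IgnoreRhosts: "yes" skips every per-user file, "shosts-only" skips all but .shosts. */`. auth_rhosts2 starts and ends outside the hunk.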
@@ -2628,6 +2635,8 @@ fmt_intarg(ServerOpCodes code, int val)
 return fmt_multistate_int(val, multistate_tcpfwd);
 case sAllowStreamLocalForwarding:
 return fmt_multistate_int(val, multistate_tcpfwd);
+ case sIgnoreRhosts:
+ return fmt_multistate_int(val, multistate_ignore_rhosts);
 case sFingerprintHash:
 return ssh_digest_alg_name(val);
 default:
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.h,v 1.143 2020/01/31 22:42:45 djm Exp $ */
+/* $OpenBSD: servconf.h,v 1.144 2020/04/17 03:30:05 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -38,6 +38,11 @@
 #define PERMITOPEN_ANY 0
 #define PERMITOPEN_NONE -2
+/* IgnoreRhosts */
+#define IGNORE_RHOSTS_NO 0
+#define IGNORE_RHOSTS_YES 1
+#define IGNORE_RHOSTS_SHOSTS 2
+
 #define DEFAULT_AUTH_FAIL_MAX 6 /* Default for MaxAuthTries */
 #define DEFAULT_SESSIONS_MAX 10 /* Default for MaxSessions */
diff --git a/sshd_config.5 b/sshd_config.5
index a60be383..5648337a 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,7 +33,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.308 2020/04/17 03:23:13 djm Exp $
+.\" $OpenBSD: sshd_config.5,v 1.309 2020/04/17 03:30:05 djm Exp $
 .Dd $Mdocdate: April 17 2020 $
 .Dt SSHD_CONFIG 5
 .Os
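Review bot: The three IGNORE_RHOSTS_* defines in servconf.h carry no note that their numeric values are load-bearing: IGNORE_RHOSTS_NO is 0 and IGNORE_RHOSTS_YES is 1 so that code which still treats ignore_rhosts as a boolean (presumably the default-filling code in servconf.c, which this diff does not touch) keeps its former meaning. Suggest replacing the bare `/* IgnoreRhosts */` with `/* IgnoreRhosts; NO/YES keep the old 0/1 boolean values on purpose */`, since a later renumbering would silently change what a plain `options->ignore_rhosts = 1` means. Because auth-rhosts.c now compares the field with `==` while any remaining truth-test would treat IGNORE_RHOSTS_SHOSTS as "ignore everything", it is worth confirming that no other consumer still tests the field as a boolean.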
@@ -778,19 +778,32 @@ rsa-sha2-512,rsa-sha2-256,ssh-rsa
 The list of available key types may also be obtained using
 .Qq ssh -Q HostKeyAlgorithms .
 .It Cm IgnoreRhosts
-Specifies that
+Specifies whether to ignore per-user
 .Pa .rhosts
 and
 .Pa .shosts
-files will not be used in
+files during
 .Cm HostbasedAuthentication .
-.Pp
+The system-wide
 .Pa /etc/hosts.equiv
 and
 .Pa /etc/shosts.equiv
-are still used.
-The default is
-.Cm yes .
+are still used regardless of this setting.
+.Pp
+Accepted values are
+.Cm yes
+(the default) to ignore all per-user files,
+.Cm shosts-only
+to allow the use of
+.Pa .shosts
+but to ignore
+.Pa .rhosts
+or
+.Cm no
+to allow both
+.Pa .shosts
+and
+.Pa rhosts.
 .It Cm IgnoreUserKnownHosts
 Specifies whether
 .Xr sshd 8