- implement IgnoreRootRhosts. if set, ignores ~root/.[rs]hosts. defaults to

the value of IgnoreRhosts. with `IgnoreRhosts yes' and `IgnoreRootRhosts no' you get similar behaviour to the `-l' flag on rshd(8). this is based on similar modification i made which appeared in ssh 1.2.27 (?) - document that IgnoreRhosts now doesn't apply to root. - clarify that /etc/s?hosts.equiv doesn't apply to root (it didn't before my modification either). - crank the version to 20001003
2000-10-03 09:56:38 +00:00 · 2000-10-03 09:56:38 +00:00 · 8e1c87ce80
parent ff5d9dc3a7
commit 8e1c87ce80
6 changed files with 44 additions and 16 deletions
--- a/crypto/dist/ssh/auth-rhosts.c
+++ b/crypto/dist/ssh/auth-rhosts.c
@ -1,4 +1,4 @@
-/*	$NetBSD: auth-rhosts.c,v 1.1.1.1 2000/09/28 22:09:40 thorpej Exp $	*/
+/*	$NetBSD: auth-rhosts.c,v 1.2 2000/10/03 09:56:38 lukem Exp $	*/

 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -19,7 +19,7 @@

 #include <sys/cdefs.h>
 #ifndef lint
-__RCSID("$NetBSD: auth-rhosts.c,v 1.1.1.1 2000/09/28 22:09:40 thorpej Exp $");
+__RCSID("$NetBSD: auth-rhosts.c,v 1.2 2000/10/03 09:56:38 lukem Exp $");
 #endif

 #include "includes.h"
@ -252,7 +252,8 @@ auth_rhosts(struct passwd *pw, const char *client_user)
 			continue;
 		}
 		/* Check if we have been configured to ignore .rhosts and .shosts files. */
-		if (options.ignore_rhosts) {
+		if ((pw->pw_uid == 0 && options.ignore_root_rhosts) ||
+		    (pw->pw_uid != 0 && options.ignore_rhosts)) {
 			packet_send_debug("Server has been configured to ignore %.100s.",
 					  rhosts_files[rhosts_file_index]);
 			continue;
--- a/crypto/dist/ssh/servconf.c
+++ b/crypto/dist/ssh/servconf.c
@ -1,4 +1,4 @@
-/*	$NetBSD: servconf.c,v 1.1.1.1 2000/09/28 22:10:15 thorpej Exp $	*/
+/*	$NetBSD: servconf.c,v 1.2 2000/10/03 09:56:38 lukem Exp $	*/

 /*
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -15,7 +15,7 @@

 #include <sys/cdefs.h>
 #ifndef lint
-__RCSID("$NetBSD: servconf.c,v 1.1.1.1 2000/09/28 22:10:15 thorpej Exp $");
+__RCSID("$NetBSD: servconf.c,v 1.2 2000/10/03 09:56:38 lukem Exp $");
 #endif

 #include "includes.h"
@ -46,6 +46,7 @@ initialize_server_options(ServerOptions *options)
 	options->key_regeneration_time = -1;
 	options->permit_root_login = -1;
 	options->ignore_rhosts = -1;
+	options->ignore_root_rhosts = -1;
 	options->ignore_user_known_hosts = -1;
 	options->print_motd = -1;
 	options->check_mail = -1;
@ -111,6 +112,8 @@ fill_default_server_options(ServerOptions *options)
 		options->permit_root_login = 1;			/* yes */
 	if (options->ignore_rhosts == -1)
 		options->ignore_rhosts = 1;
+	if (options->ignore_root_rhosts == -1)
+		options->ignore_root_rhosts = options->ignore_rhosts;
 	if (options->ignore_user_known_hosts == -1)
 		options->ignore_user_known_hosts = 0;
 	if (options->check_mail == -1)
@ -197,7 +200,8 @@ typedef enum {
 	sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sCheckMail,
 	sUseLogin, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
 	sIgnoreUserKnownHosts, sHostDSAKeyFile, sCiphers, sProtocol, sPidFile,
-	sGatewayPorts, sDSAAuthentication, sXAuthLocation, sSubsystem, sMaxStartups
+	sGatewayPorts, sDSAAuthentication, sXAuthLocation, sSubsystem,
+	sMaxStartups, sIgnoreRootRhosts
 } ServerOpCodes;

 /* Textual representation of the tokens. */
@ -236,6 +240,7 @@ static struct {
 	{ "listenaddress", sListenAddress },
 	{ "printmotd", sPrintMotd },
 	{ "ignorerhosts", sIgnoreRhosts },
+	{ "ignorerootrhosts", sIgnoreRootRhosts },
 	{ "ignoreuserknownhosts", sIgnoreUserKnownHosts },
 	{ "x11forwarding", sX11Forwarding },
 	{ "x11displayoffset", sX11DisplayOffset },
@ -458,6 +463,10 @@ parse_flag:
 				*intptr = value;
 			break;

+		case sIgnoreRootRhosts:
+			intptr = &options->ignore_root_rhosts;
+			goto parse_flag;
+
 		case sIgnoreUserKnownHosts:
 			intptr = &options->ignore_user_known_hosts;
 			goto parse_flag;
--- a/crypto/dist/ssh/servconf.h
+++ b/crypto/dist/ssh/servconf.h
@ -1,4 +1,4 @@
-/*	$NetBSD: servconf.h,v 1.1.1.1 2000/09/28 22:10:16 thorpej Exp $	*/
+/*	$NetBSD: servconf.h,v 1.2 2000/10/03 09:56:38 lukem Exp $	*/

 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -40,7 +40,10 @@ typedef struct {
 					 * (sec). */
 	int     key_regeneration_time;	/* Server key lifetime (seconds). */
 	int     permit_root_login;	/* If true, permit root login. */
-	int     ignore_rhosts;	/* Ignore .rhosts and .shosts. */
+	int     ignore_rhosts;		/* Ignore .rhosts and .shosts. */
+	int     ignore_root_rhosts;	/* Ignore .rhosts and .shosts for root;
+					   defaults to ignore_rhosts if not
+					   given. */
 	int     ignore_user_known_hosts;	/* Ignore ~/.ssh/known_hosts
 						 * for RhostsRsaAuth */
 	int     print_motd;	/* If true, print /etc/motd. */
--- a/crypto/dist/ssh/sshd.8
+++ b/crypto/dist/ssh/sshd.8
@ -1,6 +1,6 @@
 .\"  -*- nroff -*-
 .\"
-.\" $NetBSD: sshd.8,v 1.1.1.1 2000/09/28 22:10:39 thorpej Exp $
+.\" $NetBSD: sshd.8,v 1.2 2000/10/03 09:56:38 lukem Exp $
 .\"
 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
 .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -36,7 +36,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd September 25, 2000
+.Dd October 3, 2000
 .Dt SSHD 8
 .Os
 .Sh NAME
@ -347,13 +347,27 @@ Specifies that
 .Pa .rhosts
 and
 .Pa .shosts
-files will not be used in authentication.
+files will not be used in authentication for non-root users.
 .Pa /etc/hosts.equiv
 and
 .Pa /etc/shosts.equiv
 are still used.
 The default is
 .Dq yes .
+.It Cm IgnoreRootRhosts
+Specifies that
+.Pa .rhosts
+and
+.Pa .shosts
+files
+will not be used in authentication for root.
+The default is the value of
+.Cm IgnoreRhosts .
+.Pa /etc/hosts.equiv
+and
+.Pa /etc/shosts.equiv
+are never used in authentication for root, irregardless of the setting of
+.Cm IgnoreRootRhosts .
 .It Cm IgnoreUserKnownHosts
 Specifies whether
 .Nm
@ -892,7 +906,7 @@ not used by rlogin and rshd, so using this permits access using SSH only.
 .It Pa /etc/hosts.equiv
 This file is used during
 .Pa .rhosts
-authentication.
+authentication for non root users.
 In the simplest form, this file contains host names, one per line.
 Users on
 those hosts are permitted to log in without a password, provided they
@ -929,7 +943,7 @@ Note that this warning also applies to rsh/rlogin.
 This is processed exactly as
 .Pa /etc/hosts.equiv .
 However, this file may be useful in environments that want to run both
-rsh/rlogin and ssh.
+rsh/rlogin and ssh, with separate access control files for each service.
 .It Pa $HOME/.ssh/environment
 This file is read into the environment at login (if it exists).
 It can only contain empty lines, comment lines (that start with
--- a/crypto/dist/ssh/sshd.conf
+++ b/crypto/dist/ssh/sshd.conf
@ -1,4 +1,4 @@
-#	$NetBSD: sshd.conf,v 1.1.1.1 2000/09/28 22:10:42 thorpej Exp $
+#	$NetBSD: sshd.conf,v 1.2 2000/10/03 09:56:38 lukem Exp $
 #
 # This is ssh server systemwide configuration file.

@ -14,6 +14,7 @@ PermitRootLogin yes
 #
 # Don't read ~/.rhosts and ~/.shosts files
 IgnoreRhosts yes
+IgnoreRootRhosts yes
 # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
 #IgnoreUserKnownHosts yes
 StrictModes yes
--- a/crypto/dist/ssh/version.h
+++ b/crypto/dist/ssh/version.h
@ -1,3 +1,3 @@
-/*	$NetBSD: version.h,v 1.1.1.1 2000/09/28 22:10:45 thorpej Exp $	*/
+/*	$NetBSD: version.h,v 1.2 2000/10/03 09:56:38 lukem Exp $	*/

-#define SSH_VERSION	"NetBSD_Secure_Shell-20000928"
+#define SSH_VERSION	"NetBSD_Secure_Shell-20001003"