make ssh-keysign read /etc/ssh/ssh_config and exit if HostbasedAuthentication is disabled globally. Based on discussions with deraadt, itojun and sommerfeld; ok itojun@. Sync with OpenBSD.
parent
d395d11df0
commit
968294e218
|
@ -1,5 +1,5 @@
|
|||
.\" $NetBSD: ssh-keysign.8,v 1.1.1.1 2002/06/24 05:26:12 itojun Exp $
|
||||
.\" $OpenBSD: ssh-keysign.8,v 1.2 2002/06/10 16:56:30 stevesk Exp $
|
||||
.\" $NetBSD: ssh-keysign.8,v 1.2 2002/07/03 14:23:13 itojun Exp $
|
||||
.\" $OpenBSD: ssh-keysign.8,v 1.3 2002/07/03 14:21:05 markus Exp $
|
||||
.\"
|
||||
.\" Copyright (c) 2002 Markus Friedl. All rights reserved.
|
||||
.\"
|
||||
|
@ -37,6 +37,16 @@ is used by
|
|||
.Xr ssh 1
|
||||
to access the local host keys and generate the digital signature
|
||||
required during hostbased authentication with SSH protocol version 2.
|
||||
.Pp
|
||||
.Nm
|
||||
is disabled by default and can only be enabled in the
|
||||
the global client configuration file
|
||||
.Pa /etc/ssh/ssh_config
|
||||
by setting
|
||||
.Cm HostbasedAuthentication
|
||||
to
|
||||
.Dq yes .
|
||||
.Pp
|
||||
.Nm
|
||||
is not intended to be invoked by the user, but from
|
||||
.Xr ssh 1 .
|
||||
|
@ -47,6 +57,10 @@ and
|
|||
for more information about hostbased authentication.
|
||||
.Sh FILES
|
||||
.Bl -tag -width Ds
|
||||
.It Pa /etc/ssh/ssh_config
|
||||
Controls whether
|
||||
.Nm
|
||||
is enabled.
|
||||
.It Pa /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_rsa_key
|
||||
These files contain the private parts of the host keys used to
|
||||
generate the digital signature. They
|
||||
|
@ -59,6 +73,7 @@ must be set-uid root if hostbased authentication is used.
|
|||
.Sh SEE ALSO
|
||||
.Xr ssh 1 ,
|
||||
.Xr ssh-keygen 1 ,
|
||||
.Xr ssh_config 5 ,
|
||||
.Xr sshd 8
|
||||
.Sh AUTHORS
|
||||
Markus Friedl <markus@openbsd.org>
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: ssh-keysign.c,v 1.3 2002/07/03 10:06:39 itojun Exp $ */
|
||||
/* $NetBSD: ssh-keysign.c,v 1.4 2002/07/03 14:23:13 itojun Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2002 Markus Friedl. All rights reserved.
|
||||
*
|
||||
|
@ -31,6 +31,7 @@ RCSID("$OpenBSD: ssh-keysign.c,v 1.6 2002/07/03 09:55:38 markus Exp $");
|
|||
|
||||
#include "log.h"
|
||||
#include "key.h"
|
||||
#include "ssh.h"
|
||||
#include "ssh2.h"
|
||||
#include "misc.h"
|
||||
#include "xmalloc.h"
|
||||
|
@ -40,6 +41,9 @@ RCSID("$OpenBSD: ssh-keysign.c,v 1.6 2002/07/03 09:55:38 markus Exp $");
|
|||
#include "msg.h"
|
||||
#include "canohost.h"
|
||||
#include "pathnames.h"
|
||||
#include "readconf.h"
|
||||
|
||||
uid_t original_real_uid; /* XXX readconf.c needs this */
|
||||
|
||||
static int
|
||||
valid_request(struct passwd *pw, char *host, Key **ret, u_char *data,
|
||||
|
@ -131,6 +135,7 @@ int
|
|||
main(int argc, char **argv)
|
||||
{
|
||||
Buffer b;
|
||||
Options options;
|
||||
Key *keys[2], *key;
|
||||
struct passwd *pw;
|
||||
int key_fd[2], i, found, version = 2, fd;
|
||||
|
@ -149,6 +154,15 @@ main(int argc, char **argv)
|
|||
log_init("ssh-keysign", SYSLOG_LEVEL_DEBUG3, SYSLOG_FACILITY_AUTH, 0);
|
||||
#endif
|
||||
|
||||
/* verify that ssh-keysign is enabled by the admin */
|
||||
original_real_uid = getuid(); /* XXX readconf.c needs this */
|
||||
initialize_options(&options);
|
||||
(void)read_config_file(_PATH_HOST_CONFIG_FILE, "", &options);
|
||||
fill_default_options(&options);
|
||||
if (options.hostbased_authentication != 1)
|
||||
fatal("Hostbased authentication not enabled in %s",
|
||||
_PATH_HOST_CONFIG_FILE);
|
||||
|
||||
if (key_fd[0] == -1 && key_fd[1] == -1)
|
||||
fatal("could not open any host key");
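Review bot: The added `(void)read_config_file(_PATH_HOST_CONFIG_FILE, "", &options);` discards the result, so a missing or unreadable /etc/ssh/ssh_config is indistinguishable from one that simply does not mention the option; that is only safe because fill_default_options presumably leaves hostbased_authentication at 0 (the ssh_config shipped in this same commit lists `HostbasedAuthentication no` as the default), so the `!= 1` test that follows fails closed. A comment should record that dependency, e.g. `/* A missing/unreadable file leaves the option at its default (no), so the check below fails closed. */`. The empty hostname passed as the second argument also deserves a line, since if readconf's Host matching works as it does for ssh only directives outside any Host block (or under `Host *`) are honoured, which is exactly what the man page change promises; without a comment someone may later "fix" it to pass a real hostname. Whether the set-uid privileges have already been dropped when this file is parsed is not visible in the hunk, as main() begins before it.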
|
||||
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: ssh.c,v 1.23 2002/07/01 06:17:13 itojun Exp $ */
|
||||
/* $NetBSD: ssh.c,v 1.24 2002/07/03 14:23:13 itojun Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
|
@ -626,7 +626,8 @@ again:
|
|||
_PATH_HOST_RSA_KEY_FILE, "", NULL);
|
||||
PRIV_END;
|
||||
|
||||
if (sensitive_data.keys[0] == NULL &&
|
||||
if (options.hostbased_authentication == 1 &&
|
||||
sensitive_data.keys[0] == NULL &&
|
||||
sensitive_data.keys[1] == NULL &&
|
||||
sensitive_data.keys[2] == NULL) {
|
||||
sensitive_data.keys[1] = key_load_public(
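Review bot: The new `options.hostbased_authentication == 1` guard consults ssh's own options, which are normally assembled from the command line, the user's config and the global file, whereas the ssh-keysign change in this same commit consults only /etc/ssh/ssh_config; a user who enables HostbasedAuthentication only per-user or per-Host will therefore pass this check, have ssh load the public host keys, and then see ssh-keysign fatal() at signing time. That is not a privilege problem on its own, but the failure is confusing and worth recording on the added line: `/* ssh-keysign additionally requires HostbasedAuthentication=yes in the global ssh_config; a per-user setting alone fails at signing time. */`. The if body continues past the end of the hunk, and where options was populated is outside it as well.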
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# $NetBSD: ssh_config,v 1.6 2002/06/24 05:48:38 itojun Exp $
|
||||
# $NetBSD: ssh_config,v 1.7 2002/07/03 14:23:14 itojun Exp $
|
||||
# $OpenBSD: ssh_config,v 1.15 2002/06/20 20:03:34 stevesk Exp $
|
||||
|
||||
# This is the ssh client system-wide configuration file. See
|
||||
|
@ -23,6 +23,7 @@
|
|||
# RhostsRSAAuthentication no
|
||||
# RSAAuthentication yes
|
||||
# PasswordAuthentication yes
|
||||
# HostbasedAuthentication no
|
||||
# BatchMode no
|
||||
# CheckHostIP yes
|
||||
# StrictHostKeyChecking ask
|
||||
|
|
|
@ -1,10 +1,10 @@
|
|||
# $NetBSD: Makefile,v 1.4 2002/07/01 06:19:22 itojun Exp $
|
||||
# $NetBSD: Makefile,v 1.5 2002/07/03 14:23:15 itojun Exp $
|
||||
|
||||
.include <bsd.own.mk>
|
||||
|
||||
PROG= ssh-keysign
|
||||
|
||||
SRCS= ssh-keysign.c
|
||||
SRCS= ssh-keysign.c readconf.c
|
||||
|
||||
BINOWN= root
|
||||
#BINMODE=4555
|
||||
|
|