[src/trunk]: src >make ssh-keysign read /etc/ssh/ssh_config
details: https://anonhg.NetBSD.org/src/rev/2b2aa6fac222
branches: trunk
changeset: 533531:2b2aa6fac222
user: itojun <itojun%NetBSD.org@localhost>
date: Wed Jul 03 14:23:13 2002 +0000
description:
>make ssh-keysign read /etc/ssh/ssh_config
>and exit if HostbasedAuthentication is disabled globally. based on discussions
>with deraadt, itojun and sommerfeld; ok itojun@
sync w/openbsd
diffstat:
crypto/dist/ssh/ssh-keysign.8 | 19 +++++++++++++++++--
crypto/dist/ssh/ssh-keysign.c | 16 +++++++++++++++-
crypto/dist/ssh/ssh.c | 5 +++--
crypto/dist/ssh/ssh_config | 3 ++-
usr.bin/ssh/ssh-keysign/Makefile | 4 ++--
5 files changed, 39 insertions(+), 8 deletions(-)
diffs (150 lines):
diff -r 40a7cfe275d9 -r 2b2aa6fac222 crypto/dist/ssh/ssh-keysign.8
--- a/crypto/dist/ssh/ssh-keysign.8 Wed Jul 03 12:45:06 2002 +0000
+++ b/crypto/dist/ssh/ssh-keysign.8 Wed Jul 03 14:23:13 2002 +0000
@@ -1,5 +1,5 @@
-.\" $NetBSD: ssh-keysign.8,v 1.1.1.1 2002/06/24 05:26:12 itojun Exp $
-.\" $OpenBSD: ssh-keysign.8,v 1.2 2002/06/10 16:56:30 stevesk Exp $
+.\" $NetBSD: ssh-keysign.8,v 1.2 2002/07/03 14:23:13 itojun Exp $
+.\" $OpenBSD: ssh-keysign.8,v 1.3 2002/07/03 14:21:05 markus Exp $
.\"
.\" Copyright (c) 2002 Markus Friedl. All rights reserved.
.\"
@@ -37,6 +37,16 @@
.Xr ssh 1
to access the local host keys and generate the digital signature
required during hostbased authentication with SSH protocol version 2.
+.Pp
+.Nm
+is disabled by default and can only be enabled in the
+the global client configuration file
+.Pa /etc/ssh/ssh_config
+by setting
+.Cm HostbasedAuthentication
+to
+.Dq yes .
+.Pp
.Nm
is not intended to be invoked by the user, but from
.Xr ssh 1 .
@@ -47,6 +57,10 @@
for more information about hostbased authentication.
.Sh FILES
.Bl -tag -width Ds
+.It Pa /etc/ssh/ssh_config
+Controls whether
+.Nm
+is enabled.
.It Pa /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_rsa_key
These files contain the private parts of the host keys used to
generate the digital signature. They
@@ -59,6 +73,7 @@
.Sh SEE ALSO
.Xr ssh 1 ,
.Xr ssh-keygen 1 ,
+.Xr ssh_config 5 ,
.Xr sshd 8
.Sh AUTHORS
Markus Friedl <markus%openbsd.org@localhost>
diff -r 40a7cfe275d9 -r 2b2aa6fac222 crypto/dist/ssh/ssh-keysign.c
--- a/crypto/dist/ssh/ssh-keysign.c Wed Jul 03 12:45:06 2002 +0000
+++ b/crypto/dist/ssh/ssh-keysign.c Wed Jul 03 14:23:13 2002 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ssh-keysign.c,v 1.3 2002/07/03 10:06:39 itojun Exp $ */
+/* $NetBSD: ssh-keysign.c,v 1.4 2002/07/03 14:23:13 itojun Exp $ */
/*
* Copyright (c) 2002 Markus Friedl. All rights reserved.
*
@@ -31,6 +31,7 @@
#include "log.h"
#include "key.h"
+#include "ssh.h"
#include "ssh2.h"
#include "misc.h"
#include "xmalloc.h"
@@ -40,6 +41,9 @@
#include "msg.h"
#include "canohost.h"
#include "pathnames.h"
+#include "readconf.h"
+
+uid_t original_real_uid; /* XXX readconf.c needs this */
static int
valid_request(struct passwd *pw, char *host, Key **ret, u_char *data,
@@ -131,6 +135,7 @@
main(int argc, char **argv)
{
Buffer b;
+ Options options;
Key *keys[2], *key;
struct passwd *pw;
int key_fd[2], i, found, version = 2, fd;
@@ -149,6 +154,15 @@
log_init("ssh-keysign", SYSLOG_LEVEL_DEBUG3, SYSLOG_FACILITY_AUTH, 0);
#endif
+ /* verify that ssh-keysign is enabled by the admin */
+ original_real_uid = getuid(); /* XXX readconf.c needs this */
+ initialize_options(&options);
+ (void)read_config_file(_PATH_HOST_CONFIG_FILE, "", &options);
+ fill_default_options(&options);
+ if (options.hostbased_authentication != 1)
+ fatal("Hostbased authentication not enabled in %s",
+ _PATH_HOST_CONFIG_FILE);
+
if (key_fd[0] == -1 && key_fd[1] == -1)
fatal("could not open any host key");
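Review bot: The gate at `if (options.hostbased_authentication != 1)` fails closed only because `fill_default_options()` (outside this hunk) maps the unset value to something other than 1, and the `(void)` on `read_config_file()` discards the one signal that `/etc/ssh/ssh_config` could not be opened or parsed, so a missing or unreadable file produces the same "not enabled" fatal as a deliberate `HostbasedAuthentication no`. Keeping the result and reporting it before the fatal, e.g. `if (!read_config_file(_PATH_HOST_CONFIG_FILE, "", &options)) debug("could not read %s", _PATH_HOST_CONFIG_FILE);`, preserves the fail-closed behaviour while letting an admin tell the two cases apart in the debug log; the 0/1 return convention should be confirmed against readconf.c. The comment at `/* verify that ssh-keysign is enabled by the admin */` could also state that the check deliberately happens after the host key descriptors have been opened and, presumably, privileges dropped, so the config is read as the invoking user. main() begins and ends outside the hunk.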
diff -r 40a7cfe275d9 -r 2b2aa6fac222 crypto/dist/ssh/ssh.c
--- a/crypto/dist/ssh/ssh.c Wed Jul 03 12:45:06 2002 +0000
+++ b/crypto/dist/ssh/ssh.c Wed Jul 03 14:23:13 2002 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ssh.c,v 1.23 2002/07/01 06:17:13 itojun Exp $ */
+/* $NetBSD: ssh.c,v 1.24 2002/07/03 14:23:13 itojun Exp $ */
/*
* Author: Tatu Ylonen <ylo%cs.hut.fi@localhost>
* Copyright (c) 1995 Tatu Ylonen <ylo%cs.hut.fi@localhost>, Espoo, Finland
@@ -626,7 +626,8 @@
_PATH_HOST_RSA_KEY_FILE, "", NULL);
PRIV_END;
- if (sensitive_data.keys[0] == NULL &&
+ if (options.hostbased_authentication == 1 &&
+ sensitive_data.keys[0] == NULL &&
sensitive_data.keys[1] == NULL &&
sensitive_data.keys[2] == NULL) {
sensitive_data.keys[1] = key_load_public(
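Review bot: The new `options.hostbased_authentication == 1 &&` term changes when `sensitive_data.keys[1]` is filled from `key_load_public()`, but nothing near the condition says why that fallback is tied to hostbased authentication, so a later reader will read NULL keys with hostbased auth off as a regression. A one-line comment above the `if`, e.g. `/* public host keys are presumably only needed for ssh-keysign, which is itself gated on HostbasedAuthentication */`, would record the intent; the rationale is inferred from the commit, not visible here. The `if` body continues past the hunk.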
diff -r 40a7cfe275d9 -r 2b2aa6fac222 crypto/dist/ssh/ssh_config
--- a/crypto/dist/ssh/ssh_config Wed Jul 03 12:45:06 2002 +0000
+++ b/crypto/dist/ssh/ssh_config Wed Jul 03 14:23:13 2002 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: ssh_config,v 1.6 2002/06/24 05:48:38 itojun Exp $
+# $NetBSD: ssh_config,v 1.7 2002/07/03 14:23:14 itojun Exp $
# $OpenBSD: ssh_config,v 1.15 2002/06/20 20:03:34 stevesk Exp $
# This is the ssh client system-wide configuration file. See
@@ -23,6 +23,7 @@
# RhostsRSAAuthentication no
# RSAAuthentication yes
# PasswordAuthentication yes
+# HostbasedAuthentication no
# BatchMode no
# CheckHostIP yes
# StrictHostKeyChecking ask
diff -r 40a7cfe275d9 -r 2b2aa6fac222 usr.bin/ssh/ssh-keysign/Makefile
--- a/usr.bin/ssh/ssh-keysign/Makefile Wed Jul 03 12:45:06 2002 +0000
+++ b/usr.bin/ssh/ssh-keysign/Makefile Wed Jul 03 14:23:13 2002 +0000
@@ -1,10 +1,10 @@
-# $NetBSD: Makefile,v 1.4 2002/07/01 06:19:22 itojun Exp $
+# $NetBSD: Makefile,v 1.5 2002/07/03 14:23:15 itojun Exp $
.include <bsd.own.mk>
PROG= ssh-keysign
-SRCS= ssh-keysign.c
+SRCS= ssh-keysign.c readconf.c
BINOWN= root
#BINMODE=4555