bugzilla-daemon at mindrot.org
2020-Apr-14 07:25 UTC
[Bug 3148] New: Unable to perform host-based authentication as root if "IgnoreRhosts" is set to "yes" on server configuration
https://bugzilla.mindrot.org/show_bug.cgi?id=3148
Bug ID: 3148
Summary: Unable to perform host-based authentication as root if "IgnoreRhosts" is set to "yes" on server configuration
Product: Portable OpenSSH
Version: 8.2p1
Hardware: amd64
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: amg1127 at gmail.com
Created attachment 3376
--> https://bugzilla.mindrot.org/attachment.cgi?id=3376&action=edit
/etc/ssh/sshd_config
Dear OpenSSH maintainers,
While I was answering a question in Unix & Linux Stack Exchange (
https://unix.stackexchange.com/a/579762/158359 ), I identified that
OpenSSH is not able to perform host-based authentication as superuser
if "IgnoreRhosts yes" is set in "/etc/ssh/sshd_config" file.
Although host-based authentication as superuser might sound unsafe, it
may be useful in scenarios like the one described in my answer, where
the "AuthenticationMethods" parameter is set to "hostbased,publickey"
because an administrator wants OpenSSH server to authenticate client
hosts before allowing users connecting from those machines to
authenticate themselves.
The problem can be reproduced with a couple of Arch Linux containers in
Docker and terminal windows running concurrently. To do so, ensure that
the configuration files attached to this report have been saved into the
"/tmp" directory.
-------------------------------------------
----------- Terminal window #1 ------------
[root@workstation ~]# docker run --rm --tty --interactive \
    --name ssh-client --hostname ssh-client --ip 172.17.0.4 \
    --add-host ssh-server:172.17.0.5 \
    --volume /tmp/ssh_config:/etc/ssh/ssh_config \
    archlinux/base:latest
[root@ssh-client ~]# pacman -Sy --noconfirm openssh vim man less iproute2 iputils bind-tools grep psmisc
[root@ssh-client ~]# ssh-keygen -A
[root@ssh-client ~]# useradd -U -m sshuser
[root@ssh-client ~]# /usr/sbin/sshd -De
-------------------------------------------
----------- Terminal window #2 ------------
[root@workstation ~]# docker run --rm --tty --interactive \
    --name ssh-server --hostname ssh-server --ip 172.17.0.5 \
    --add-host ssh-client:172.17.0.4 \
    --volume /tmp/sshd_config:/etc/ssh/sshd_config \
    archlinux/base:latest
[root@ssh-server ~]# pacman -Sy --noconfirm openssh vim man less iproute2 iputils bind-tools grep psmisc
[root@ssh-server ~]# ssh-keygen -A
[root@ssh-server ~]# useradd -U -m sshuser
[root@ssh-server ~]# echo -e 'sshuser:sshpassword\nroot:sshpassword' | chpasswd
[root@ssh-server ~]# echo ssh-client > /etc/ssh/shosts.equiv
[root@ssh-server ~]# ssh-keyscan ssh-client > /etc/ssh/ssh_known_hosts
[root@ssh-server ~]# /usr/sbin/sshd -De
-------------------------------------------
----------- Terminal window #1 ------------
(press CTRL+C to quit the running SSH daemon)
[root@ssh-client ~]# ssh ssh-server
root@ssh-server: Permission denied (hostbased).
[root@ssh-client ~]# su - sshuser
[sshuser@ssh-client ~]$ ssh ssh-server
sshuser@ssh-server's password: sshpassword
Last login: Tue Apr 14 05:51:42 2020 from 172.29.0.5
[sshuser@ssh-server ~]$ exit
-------------------------------------------
I could not find any documentation snippet declaring that host-based
authentication of the root user is blocked. The relevant snippets in
"man(1) ssh" and "man(5) sshd_config" are:
-----------------------------------
----------- man(1) ssh ------------
AUTHENTICATION
The OpenSSH SSH client supports SSH protocol 2.
The methods available for authentication are: GSSAPI-based
authentication, host-based authentication, public key authentication,
challenge-response authentication, and password authentication.
Authentication methods are tried in the order specified above, though
PreferredAuthentications can be used to change the default order.
Host-based authentication works as follows: If the machine the user
logs in from is listed in /etc/hosts.equiv or /etc/ssh/shosts.equiv on
the remote machine, and the user names are the same on both sides, or
if the files ~/.rhosts or ~/.shosts exist in the user's home directory
on the remote machine and contain a line containing the name of the
client machine and the name of the user on that machine, the user is
considered for login. Additionally, the server must be able to verify
the client's host key (see the description of /etc/ssh/ssh_known_hosts
and ~/.ssh/known_hosts, below) for login to be permitted. This
authentication method closes security holes due to IP spoofing, DNS
spoofing, and routing spoofing. [Note to the administrator:
/etc/hosts.equiv, ~/.rhosts, and the rlogin/rsh protocol in general,
are inherently insecure and should be disabled if security is desired.]
-------------------------------------------
----------- man(5) sshd_config ------------
IgnoreRhosts
Specifies that .rhosts and .shosts files will not be used in
HostbasedAuthentication.
/etc/hosts.equiv and /etc/ssh/shosts.equiv are still used. The default
is yes.
--
You are receiving this mail because:
You are watching the assignee of the bug.
2020-Apr-14 07:26 UTC
--- Comment #1 from Anderson Medeiros Gomes <amg1127 at gmail.com> ---
Created attachment 3377
--> https://bugzilla.mindrot.org/attachment.cgi?id=3377&action=edit
/etc/ssh/ssh_config
2020-Apr-14 07:31 UTC
--- Comment #2 from Anderson Medeiros Gomes <amg1127 at gmail.com> ---
According to my source code analysis, two code blocks written in file
"/src/usr.bin/ssh/auth-rhosts.c" (
https://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/src/usr.bin/ssh/auth-rhosts.c?rev=1.51
) are explicitly preventing root user from authenticating itself via
host-based method.
This code block, which starts at line 226 and is declared inside
function "auth_rhosts2", prevents parsing of "/etc/ssh/shosts.equiv"
if "root" is the user being authenticated:
--------------------------------
	/*
	 * If not logging in as superuser, try /etc/hosts.equiv and
	 * shosts.equiv.
	 */
	if (pw->pw_uid == 0)
		debug3("%s: root user, ignoring system hosts files",
		    __func__);
	else {
		if (check_rhosts_file(_PATH_RHOSTS_EQUIV, hostname, ipaddr,
		    client_user, pw->pw_name)) {
			auth_debug_add("Accepted for %.100s [%.100s] by "
			    "/etc/hosts.equiv.", hostname, ipaddr);
			return 1;
		}
		if (check_rhosts_file(_PATH_SSH_HOSTS_EQUIV, hostname, ipaddr,
		    client_user, pw->pw_name)) {
			auth_debug_add("Accepted for %.100s [%.100s] by "
			    "%.100s.", hostname, ipaddr,
			    _PATH_SSH_HOSTS_EQUIV);
			return 1;
		}
	}
--------------------------------
And this code block, starting at line 293, prevents parsing of the
"/root/.shosts" file if "IgnoreRhosts yes" is set in
"/etc/ssh/sshd_config". As a result, host-based authentication as root
will fail even if a systems administrator creates in "/root/.shosts" a
symbolic link targeting "/etc/ssh/shosts.equiv" as a workaround.
--------------------------------
		/*
		 * Check if we have been configured to ignore .rhosts
		 * and .shosts files.
		 */
		if (options.ignore_rhosts) {
			auth_debug_add("Server has been configured to "
			    "ignore %.100s.",
			    rhosts_files[rhosts_file_index]);
			continue;
		}
--------------------------------
2020-Apr-14 07:41 UTC
--- Comment #3 from Anderson Medeiros Gomes <amg1127 at gmail.com> ---
Created attachment 3378
--> https://bugzilla.mindrot.org/attachment.cgi?id=3378&action=edit
OpenSSH server log
2020-Apr-14 07:42 UTC
--- Comment #4 from Anderson Medeiros Gomes <amg1127 at gmail.com> ---
Created attachment 3379
--> https://bugzilla.mindrot.org/attachment.cgi?id=3379&action=edit
OpenSSH client log
2020-Apr-14 07:42 UTC
Anderson Medeiros Gomes <amg1127 at gmail.com> changed:
Attachment #3376 mime type: application/octet-stream -> text/plain
2020-Apr-14 07:42 UTC
Anderson Medeiros Gomes <amg1127 at gmail.com> changed:
Attachment #3377 mime type: application/octet-stream -> text/plain
2020-Apr-14 07:47 UTC
Anderson Medeiros Gomes <amg1127 at gmail.com> changed:
CC: added amg1127 at gmail.com
2020-Apr-14 11:35 UTC
Damien Miller <djm at mindrot.org> changed:
CC: added djm at mindrot.org, dtucker at dtucker.net
Attachment #3380 flags: ok?(dtucker at dtucker.net)
--- Comment #5 from Damien Miller <djm at mindrot.org> ---
Created attachment 3380
--> https://bugzilla.mindrot.org/attachment.cgi?id=3380&action=edit
allow IgnoreRhosts to appear in a Match block
I don't think we want to change the current behaviour of refusing root
for /etc/hosts.equiv as that is likely to be surprising, so I think the
easiest way around this is to allow IgnoreRhosts to appear in a Match
block. Then you'll be able to do something like:
IgnoreRhosts yes
HostbasedAuthentication yes
Match user root
    IgnoreRhosts no

to enable .shosts just for root
2020-Apr-14 11:54 UTC
Damien Miller <djm at mindrot.org> changed:
Attachment #3381 flags: ok?(dtucker at dtucker.net)
--- Comment #6 from Damien Miller <djm at mindrot.org> ---
Created attachment 3381
--> https://bugzilla.mindrot.org/attachment.cgi?id=3381&action=edit
IgnoreRhosts=shosts-only
While I'm in there, fix something else that has annoyed me for a while:
make IgnoreRhosts a tri-state option to allow admins to ban .rhosts but
permit .shosts (which AFAIK isn't shared with terrible IP-trusting
crypto-free horrors from the ancient world)
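As an added example (not OpenSSH's own code), the following Python model replays the decision that the two auth-rhosts.c blocks quoted in comment #2 make, extended with the IgnoreRhosts tri-state and the Match-block override proposed in comments #5 and #6. The host names, addresses and file contents are constructed from the reproduction in the report; host-key verification and StrictModes ownership checks are out of scope, the superuser is identified by name rather than by uid 0, and the file syntax implemented is only the hostname/user matching that ssh(1) describes.

```python
"""Model of sshd's rhosts-file lookup for host-based authentication.

Illustrative code written for this bug thread, not OpenSSH's own code.  It
mirrors the decision structure of auth_rhosts2()/check_rhosts_file() quoted
above, plus the IgnoreRhosts tri-state and Match override from comments #5
and #6.  Host-key checks and StrictModes ownership checks are not modelled,
and the superuser is matched by name instead of uid 0.
"""

SYSTEM_FILES = ("/etc/hosts.equiv", "/etc/ssh/shosts.equiv")
USER_FILES = (".rhosts", ".shosts")  # consulted in this order
IGNORE_RHOSTS_MODES = ("yes", "no", "shosts-only")


def parse_equiv(text):
    """Split hosts.equiv/.shosts lines into (host, user_or_None) pairs."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            fields = line.split()
            entries.append((fields[0], fields[1] if len(fields) > 1 else None))
    return entries


def file_matches(text, client_host, client_ip, client_user, server_user):
    """The first entry naming the client host (by name or address) and the
    client user decides; a missing user field requires the same user name on
    both sides; a leading '-' on either field makes the entry negative."""
    for host, user in parse_equiv(text):
        negated = False
        if host.startswith("-"):
            negated, host = True, host[1:]
        if user is None:
            user = server_user
        elif user.startswith("-"):
            negated, user = True, user[1:]
        if host.lower() != client_host.lower() and host != client_ip:
            continue
        if user != client_user:
            continue
        return not negated
    return False


def effective_ignore_rhosts(global_value, match_user_overrides, server_user):
    """IgnoreRhosts once it may appear in a Match block: 'Match User' wins."""
    value = match_user_overrides.get(server_user, global_value)
    if value not in IGNORE_RHOSTS_MODES:
        raise ValueError(f"unsupported IgnoreRhosts value: {value!r}")
    return value


def rhosts_decision(server_user, client_host, client_ip, client_user,
                    ignore_rhosts, files):
    """Return (accepted, reason); `files` maps absolute paths to contents."""
    args = (client_host, client_ip, client_user, server_user)
    notes = []
    if server_user == "root":
        notes.append("root user, ignoring system hosts files")
    else:
        for path in SYSTEM_FILES:
            if path in files and file_matches(files[path], *args):
                return True, f"accepted by {path}"
    home = "/root" if server_user == "root" else f"/home/{server_user}"
    for name in USER_FILES:
        path = f"{home}/{name}"
        if path not in files:
            continue
        if ignore_rhosts == "yes" or (ignore_rhosts == "shosts-only"
                                      and name == ".rhosts"):
            notes.append(f"server has been configured to ignore {path}")
            continue
        if file_matches(files[path], *args):
            return True, f"accepted by {path}"
    return False, "; ".join(notes) if notes else "no matching entry"


def run_scenarios():
    """Replay the thread's cases with constructed file contents."""
    host, ip = "ssh-client", "172.17.0.4"
    equiv = {"/etc/ssh/shosts.equiv": "ssh-client\n"}
    shosts = dict(equiv, **{"/root/.shosts": "ssh-client\n"})
    both = dict(shosts, **{"/root/.rhosts": "ssh-client\n"})
    root_match = effective_ignore_rhosts("yes", {"root": "no"}, "root")
    return {
        "root_before_fix": rhosts_decision("root", host, ip, "root", "yes", equiv),
        "sshuser": rhosts_decision("sshuser", host, ip, "sshuser", "yes", equiv),
        "root_symlink_ignored": rhosts_decision("root", host, ip, "root", "yes", shosts),
        "root_match_override": rhosts_decision("root", host, ip, "root", root_match, shosts),
        "root_shosts_only": rhosts_decision("root", host, ip, "root", "shosts-only", both),
    }


if __name__ == "__main__":
    for name, (accepted, reason) in run_scenarios().items():
        print(f"{name:22s} {('ACCEPT' if accepted else 'DENY'):6s} {reason}")
```

Running it shows the reporter's case denied with "root user, ignoring system hosts files", the same shosts.equiv entry accepting sshuser, the /root/.shosts symlink still ignored under IgnoreRhosts yes, and acceptance via /root/.shosts once the Match override (or the shosts-only mode) is in effect.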
2020-Apr-14 12:29 UTC
--- Comment #7 from Anderson Medeiros Gomes <amg1127 at gmail.com> ---
Ok. The proposed solution sounds good to me. Thanks, Damien.
Although sole host-based authentication for superuser is a bad security
practice, I think that OpenSSH should be sufficiently flexible to allow
such configuration and fit specific needs. I know that my request sounds
weird.
Please, could the documentation be patched in order to clarify that
refusing host-based root login is intentional? I propose something like
this:
-------------------------------------------
----------- man(5) sshd_config ------------
HostbasedAuthentication
Specifies whether rhosts or /etc/hosts.equiv authentication together
with successful public key client host authentication is allowed
(host-based authentication). /etc/hosts.equiv is always ignored for
host-based superuser authentication. The default is no.
2020-Apr-14 12:30 UTC
Darren Tucker <dtucker at dtucker.net> changed:
Attachment #3380 flags: ok?(dtucker at dtucker.net) -> ok+
2020-Apr-14 12:30 UTC
Darren Tucker <dtucker at dtucker.net> changed:
Attachment #3381 flags: ok?(dtucker at dtucker.net) -> ok+
2020-Apr-17 03:36 UTC
Damien Miller <djm at mindrot.org> changed:
Status: NEW -> RESOLVED
Blocks: 3117
Resolution: --- -> FIXED
--- Comment #8 from Damien Miller <djm at mindrot.org> ---
These have been committed, along with a note in ssh(1) mentioning that
[s]hosts.equiv does not apply to root. They will be in the OpenSSH 8.3
release. Thanks!
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3117
[Bug 3117] Tracking bug for 8.3 release
2021-Mar-03 22:52 UTC
Damien Miller <djm at mindrot.org> changed:
Status: RESOLVED -> CLOSED
--- Comment #9 from Damien Miller <djm at mindrot.org> ---
close bugs that were resolved in OpenSSH 8.5 release cycle