Choung S. Park / Choung Networks
2005-Oct-06 01:51 UTC
Possible security problem in hostbased user authentication?
In auth2-hostbased.c, line #146
if (auth_rhosts2(pw, cuser, chost, chost) == 0)
^^^^^
shouldn't this be
if (auth_rhosts2(pw, cuser, chost, ipaddr) == 0)
^^^^^^
The code was found in 4.2.
Best regards,
Choung S.Park
Darren Tucker
2005-Oct-06 02:10 UTC
Possible security problem in hostbased user authentication?
Choung S. Park / Choung Networks wrote:> In auth2-hostbased.c, line #146 > > if (auth_rhosts2(pw, cuser, chost, chost) == 0) > ^^^^^ > > shouldn't this be > > if (auth_rhosts2(pw, cuser, chost, ipaddr) == 0) > ^^^^^^I don't think so. The surrounding code is: if (options.hostbased_uses_name_from_packet_only) { if (auth_rhosts2(pw, cuser, chost, chost) == 0) return 0; lookup = chost; It's the implementation of the HostbasedUsesNameFromPacketOnly sshd_config option. If you look at the authmethod code (in userauth_hostbased() above) you'll see that the host must also be able to prove possession of the private key corresponding to that host identifier to be allowed access. So the host can claim to be whatever it wants, but it won't get very far unless the server has a public key for that host, and the client has the matching private key. On a related note, it appears that HostbasedUsesNameFromPacketOnly is missing from sshd_config(5). -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
Reasonably Related Threads
- [PATCH] Strip trailing . when using HostbasedUsesNameFromPacketOnly
- openssh-2.9p2, auth2.c
- Hostbased Authentication Question
- Trailing dot is not removed from client hostname if HostbasedUsesNameFromPacketOnly is yes
- [Bug 2541] New: Add explicit_bzero() before free() in OpenSSH-7.1p2 for auth1.c/auth2.c/auth2-hostbased.c