Hi,

after much trying and code-digging I found that hostbased authentication
for root is handled differently than for other users. This is from
auth-rhosts.c:

    /*
     * If not logging in as superuser, try /etc/hosts.equiv and
     * shosts.equiv.
     */
    if (pw->pw_uid == 0)
        debug3_f("root user, ignoring system hosts files");
    else {

This behavior is apparently not documented anywhere, and I just cannot
think of a reason why this is done. Can someone enlighten me?

On Sun, 18 Dec 2022 15:30:26 +0100, Thomas Köller wrote:

> after much trying and code-digging I found that hostbased authentication
> for root is handled differently than for other users. This is from
> auth-rhosts.c:
>
>     /*
>      * If not logging in as superuser, try /etc/hosts.equiv and
>      * shosts.equiv.
>      */
>     if (pw->pw_uid == 0)
>         debug3_f("root user, ignoring system hosts files");
>     else {
>
> This behavior is apparently not documented anywhere, and I just cannot
> think of a reason why this is done. Can someone enlighten me?

This is historical practice that comes from the BSD rlogin/rsh
(actually libc/net/rcmd.c) and was documented in rcmd(3) on BSD
systems. The meager documentation of it in ssh is probably a case
of "everyone knows it works that way". However, the behavior is
described in ssh(1) in the host-based authentication section.

As for the reason, just because you want to allow unprivileged users
to be able to login from one system without a password does not
mean you necessarily want the root user to be able to do so as well.
I think it still makes sense to require root equivalency to be
explicitly set via .rhosts/.shosts if you are going to be using
host-based authentication.

 - todd

Hi Thomas,

Thomas Koeller wrote on Sun, Dec 18, 2022 at 03:30:26PM +0100:

> after much trying and code-digging I found that hostbased authentication
> for root is handled differently than for other users. This is from
> auth-rhosts.c:
>
>     /*
>      * If not logging in as superuser, try /etc/hosts.equiv and
>      * shosts.equiv.
>      */
>     if (pw->pw_uid == 0)
>         debug3_f("root user, ignoring system hosts files");
>     else {
>
> This behavior is apparently not documented anywhere,

My impression is that it *is* documented.

https://man.openbsd.org/ssh.1#AUTHENTICATION

tells me:

    Host-based authentication works as follows: If the machine the
    user logs in from is listed in /etc/hosts.equiv or
    /etc/shosts.equiv on the remote machine, the user is non-root
    and [...]

> and I just cannot think of a reason why this is done.

Host-based authentication is a relatively risky authentication method
in the first place, so the security risk of host based authentication
for root access is considered too great for providing the feature.

For example, that prevents local root exploits on the client host
from turning right into remote root exploits on the server, and
there may be other attack scenarios somewhat mitigated by not
providing the dangerous feature.

> Can someone enlighten me?

Hope this helps,
  Ingo
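
Added example, not part of the thread and not OpenSSH code: a shell audit of the point made in the replies, that root is reachable through host-based authentication only via per-user .rhosts/.shosts files, never via hosts.equiv/shosts.equiv. It assumes a single sshd_config without Match or Include and the sshd_config(5) defaults for HostbasedAuthentication, IgnoreRhosts and PermitRootLogin; the function names and the sample files are made up for illustration.

```sh
#!/bin/sh
# Added example (not OpenSSH code). Assumes one sshd_config with whitespace-separated
# "Keyword value" lines and no Match/Include; the first occurrence of a keyword wins.

# Print the effective (lowercased) value of a keyword, or the supplied default.
sshd_opt() {  # usage: sshd_opt <config> <keyword> <default>
    awk -v k="$2" -v d="$3" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(k) { print tolower($2); found = 1; exit }
        END { if (!found) print d }' "$1"
}

# Print a verdict; return 0 if root cannot use host-based auth, 1 if it may.
root_hostbased_audit() {  # usage: root_hostbased_audit <config> <root_home>
    hb=$(sshd_opt "$1" HostbasedAuthentication no)
    ir=$(sshd_opt "$1" IgnoreRhosts yes)
    prl=$(sshd_opt "$1" PermitRootLogin prohibit-password)
    if [ "$hb" != yes ]; then echo "closed: HostbasedAuthentication off"; return 0; fi
    if [ "$prl" = no ]; then echo "closed: PermitRootLogin no"; return 0; fi
    # hosts.equiv/shosts.equiv are skipped for uid 0, so only per-user files matter.
    case $ir in
        yes) echo "closed: IgnoreRhosts yes, per-user files ignored"; return 0 ;;
        shosts-only) files=".shosts" ;;
        *) files=".rhosts .shosts" ;;
    esac
    for f in $files; do
        if [ -s "$2/$f" ]; then echo "open: $2/$f is honoured for root"; return 1; fi
    done
    echo "closed: no per-user trust file for root"; return 0
}

# Constructed sample: host-based auth enabled, .shosts allowed, root has a .shosts.
demo=$(mktemp -d)
printf 'HostbasedAuthentication yes\nIgnoreRhosts shosts-only\n' > "$demo/sshd_config"
printf 'client.example.org\n' > "$demo/.shosts"
root_hostbased_audit "$demo/sshd_config" "$demo" || true
rm -f "$demo/.shosts"
root_hostbased_audit "$demo/sshd_config" "$demo"
rm -rf "$demo"
```

On a live system, point the second argument at root's home directory; an "open" verdict only says a trust file is present and honoured, not that any particular client host matches it.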