
[openssh-unix-announce] OpenSSH 3.5 released


Markus Friedl

Oct 16, 2002, 9:13:36 AM10/16/02
that's a bug in 3.5.

i'm not sure how to fix this.

ssh-keysign(8) does not know about the remote hostname.

On Wed, Oct 16, 2002 at 02:57:10PM +0200, Reinhard Zierke wrote:
> Markus,
>
> I've got a problem with OpenSSH 3.5p1:
>
> > Changes since OpenSSH 3.4:
> > ============================
> > ...
> > * ssh-keysign(8) is disabled by default and only enabled if the
> > HostbasedAuthentication option is enabled in the global ssh_config(5)
> > file.
>
> and the new ssh says:
>
> zierke@rzdspc81% ssh rzdspc5
> Hostbased authentication not enabled in /etc/ssh/ssh_config
> ssh_msg_send: write
> zierke@rzdspc81%
>
> My /etc/ssh/ssh_config basically is
>
> Host rz?spc? rz?spc??
> ...
> HostbasedAuthentication yes
> ...
>
> Host *
> ...
> HostbasedAuthentication no
> ...
>
> If I change the default entry to "HostbasedAuthentication yes" too, then ssh
> works fine. But I want HostbasedAuthentication for local hosts only as it
> does work up to version 3.4p1. How can I do this with 3.5p1?
>
> Regards,
> Reinhard
>
> --
> Reinhard Zierke Universität Hamburg, FB Informatik
> zie...@informatik.uni-hamburg.de Vogt-Kölln-Straße 30, D-22527 Hamburg
> postm...@informatik.uni-hamburg.de Tel.: (040) 42883-2295/2276 Fax: -2241
_______________________________________________
openssh-...@mindrot.org mailing list
http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

Markus Friedl

Oct 16, 2002, 9:31:47 AM10/16/02
On Wed, Oct 16, 2002 at 02:57:10PM +0200, Reinhard Zierke wrote:
> My /etc/ssh/ssh_config basically is
>
> Host rz?spc? rz?spc??
> ...
> HostbasedAuthentication yes
> ...
>
> Host *
> ...
> HostbasedAuthentication no
> ...
>
> If I change the default entry to "HostbasedAuthentication yes" too, then ssh
> works fine. But I want HostbasedAuthentication for local hosts only as it
> does work up to version 3.4p1. How can I do this with 3.5p1?

since HostbasedAuthentication defaults to no, you can just use:

Host rz?spc? rz?spc??
HostbasedAuthentication yes

Host *
dont-mention-HostbasedAuthentication
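Why the first-match rule relied on above does not help ssh-keysign in 3.5, as an added example that is not code from the thread or from OpenSSH: the module below models the subset of ssh_config(5) semantics at issue (Host patterns with `*` and `?`, and the rule that the first value obtained for an option wins) and evaluates the thread's configuration twice, once for the real destination as ssh does and once for the empty host name, which is what the 3.5 ssh-keysign passed to read_config_file (the removed `read_config_file(_PATH_HOST_CONFIG_FILE, "", &options)` call in the patch later in the thread). The config fragments and the single modelled default are constructed for this example; real ssh_config has many more keywords and defaults than are modelled here.

```python
import re

# Constructed ssh_config fragment mirroring the thread's two Host blocks
# (sample input written for this example, not a file from the thread).
SSH_CONFIG = """\
Host rz?spc? rz?spc??
    HostbasedAuthentication yes

Host *
    HostbasedAuthentication no
"""

# Same fragment with the trailing "no" left out (the retracted suggestion).
SSH_CONFIG_NO_DEFAULT_BLOCK = """\
Host rz?spc? rz?spc??
    HostbasedAuthentication yes
"""

# What fill_default_options() supplies for options no block has set. Only the
# option this thread is about is modelled; its default is "no" as the thread states.
DEFAULTS = {"hostbasedauthentication": "no"}


def host_pattern_matches(pattern, hostname):
    """ssh_config Host patterns know only '*' (any run) and '?' (one character);
    everything else is literal, so fnmatch-style '[...]' classes are deliberately
    not supported here."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, hostname) is not None


def resolve_options(config_text, hostname):
    """Apply the first-obtained-value rule: walk the file in order, keep the first
    value seen for each option inside a Host block matching hostname, then fill
    defaults for anything still unset."""
    options = {}
    in_matching_block = True   # keywords before any Host line apply to every host
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            in_matching_block = any(host_pattern_matches(p, hostname)
                                    for p in value.split())
            continue
        if in_matching_block and key not in options:
            options[key] = value
    for key, default in DEFAULTS.items():
        options.setdefault(key, default)
    return options


def keysign_enabled(config_text, hostname):
    """The gate ssh-keysign 3.5 applies after reading ssh_config: sign only if
    HostbasedAuthentication resolves to yes for the host name it was given."""
    return resolve_options(config_text, hostname)["hostbasedauthentication"] == "yes"


def explain(config_text, destination):
    """Side by side: the client evaluates the config for the real destination,
    ssh-keysign 3.5 evaluated it with "" as the host name."""
    return {
        "client": keysign_enabled(config_text, destination),
        "ssh-keysign 3.5": keysign_enabled(config_text, ""),
    }


if __name__ == "__main__":
    for name, cfg in (("explicit no in Host *", SSH_CONFIG),
                      ("no Host * block", SSH_CONFIG_NO_DEFAULT_BLOCK)):
        print(name, explain(cfg, "rzdspc5"))
```

Both fragments give the same answer for the empty host name: neither `rz?spc?` nor `rz?spc??` can match "", only `Host *` can, and whether that block says `no` or is absent, the option ends up `no` once defaults are filled in. Dropping the explicit `no` therefore changes nothing for ssh-keysign; the per-host setting can only take effect if ssh-keysign is told which host the client is talking to.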

Markus Friedl

Oct 16, 2002, 3:37:11 PM10/16/02
On Wed, Oct 16, 2002 at 03:21:01PM +0200, Markus Friedl wrote:
> On Wed, Oct 16, 2002 at 02:57:10PM +0200, Reinhard Zierke wrote:
> > My /etc/ssh/ssh_config basically is
> >
> > Host rz?spc? rz?spc??
> > ...
> > HostbasedAuthentication yes
> > ...
> >
> > Host *
> > ...
> > HostbasedAuthentication no
> > ...
> >

i'm very wrong, it's a bug.

this patch (a little bit ugly) should fix this problem:

Index: ssh.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/ssh.c,v
retrieving revision 1.186
diff -u -r1.186 ssh.c
--- ssh.c 19 Sep 2002 01:58:18 -0000 1.186
+++ ssh.c 16 Oct 2002 17:02:46 -0000
@@ -118,6 +118,7 @@
* configuration file.
*/
char *host;
+char *orighost;

/* socket address the host resolves to */
struct sockaddr_storage hostaddr;
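Review bot: `char *orighost;` is a second global alias for the host name with no comment, while `host` directly above it carries one; add a comment stating that it holds the name the user gave on the command line, untouched by whatever later reassigns `host`, and initialise it explicitly (`char *orighost = NULL;`) so the NULL check in sshconnect2.c reads as intended rather than as a reliance on zero-initialised storage.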
@@ -503,6 +504,7 @@
/* Check that we got a host name. */
if (!host)
usage();
+ orighost = host;

SSLeay_add_all_algorithms();
ERR_load_crypto_strings();
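Review bot: `orighost = host;` copies the pointer, not the string, so if anything later modifies the buffer `host` points to in place, `orighost` changes with it; if the intent is to preserve the name exactly as typed, take a copy here (`orighost = xstrdup(host);`).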
Index: sshconnect2.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/sshconnect2.c,v
retrieving revision 1.107
diff -u -r1.107 sshconnect2.c
--- sshconnect2.c 1 Jul 2002 19:48:46 -0000 1.107
+++ sshconnect2.c 16 Oct 2002 17:18:19 -0000
@@ -51,6 +51,7 @@
/* import */
extern char *client_version_string;
extern char *server_version_string;
+extern char *orighost; /* XXX */
extern Options options;

/*
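Review bot: the `/* XXX */` on `extern char *orighost;` marks a cross-file global that the covering message itself calls ugly; rather than exporting ssh.c state, pass the host name into `ssh_keysign()` as a parameter or carry it in `options` with the other per-connection settings, and in any case expand the comment to say what the XXX refers to.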
@@ -904,10 +905,12 @@
Buffer b;
struct stat st;
pid_t pid;
- int to[2], from[2], status, version = 2;
+ int to[2], from[2], status, version = 3;

debug("ssh_keysign called");

+ if (orighost == NULL)
+ return -1;
if (stat(_PATH_SSH_KEY_SIGN, &st) < 0) {
error("ssh_keysign: no installed: %s", strerror(errno));
return -1;
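Review bot: the new `if (orighost == NULL) return -1;` fails silently, whereas the `stat` failure just below reports through `error()`; log the reason before returning. Bumping `version` from 2 to 3 also changes the message ssh-keysign expects, and an older ssh-keysign binary will stop with "bad version", so the client and ssh-keysign must be upgraded together; that belongs in the commit message.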
@@ -945,6 +948,7 @@
close(to[0]);

buffer_init(&b);
+ buffer_put_cstring(&b, orighost);
buffer_put_int(&b, packet_get_connection_in()); /* send # of socket */
buffer_put_string(&b, data, datalen);
msg_send(to[1], version, &b);
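Review bot: the version-3 layout (host name string, then socket number, then data to sign) exists only as the order of these `buffer_put_*` calls and has to be mirrored exactly by ssh-keysign; add a comment here listing the fields in order so the two sides cannot drift apart.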
Index: ssh-keysign.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/ssh-keysign.c,v
retrieving revision 1.7
diff -u -r1.7 ssh-keysign.c
--- ssh-keysign.c 3 Jul 2002 14:21:05 -0000 1.7
+++ ssh-keysign.c 16 Oct 2002 17:18:28 -0000
@@ -137,9 +137,9 @@
Options options;
Key *keys[2], *key;
struct passwd *pw;
- int key_fd[2], i, found, version = 2, fd;
+ int key_fd[2], i, found, version = 3, fd;
u_char *signature, *data;
- char *host;
+ char *host, *remotehost;
u_int slen, dlen;
u_int32_t rnd[256];

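Review bot: `version = 3` is now a literal in both sshconnect2.c and ssh-keysign.c with nothing tying them together; move the constant into a shared header so a mismatch, which is fatal as "bad version", cannot arise from editing one file and not the other.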
@@ -153,15 +153,6 @@
log_init("ssh-keysign", SYSLOG_LEVEL_DEBUG3, SYSLOG_FACILITY_AUTH, 0);
#endif

- /* verify that ssh-keysign is enabled by the admin */
- original_real_uid = getuid(); /* XXX readconf.c needs this */
- initialize_options(&options);
- (void)read_config_file(_PATH_HOST_CONFIG_FILE, "", &options);
- fill_default_options(&options);
- if (options.hostbased_authentication != 1)
- fatal("Hostbased authentication not enabled in %s",
- _PATH_HOST_CONFIG_FILE);
-
if (key_fd[0] == -1 && key_fd[1] == -1)
fatal("could not open any host key");

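Review bot: removing the config check at this point means a setuid-root ssh-keysign that the admin has not enabled for any host now reads and parses the caller's message before it discovers it is disabled; keep a cheap host-independent gate before `msg_recv` (for instance, exit unless some Host block sets HostbasedAuthentication yes) in addition to the per-host check that follows `msg_recv`.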
@@ -200,6 +191,18 @@
fatal("msg_recv failed");
if (buffer_get_char(&b) != version)
fatal("bad version");
+
+ /* verify that ssh-keysign is enabled by the admin */
+ remotehost = buffer_get_string(&b, NULL);
+ original_real_uid = getuid(); /* XXX readconf.c needs this */
+ initialize_options(&options);
+ (void)read_config_file(_PATH_HOST_CONFIG_FILE, remotehost, &options);
+ fill_default_options(&options);
+ xfree(remotehost);
+ if (options.hostbased_authentication != 1)
+ fatal("Hostbased authentication not enabled in %s",
+ _PATH_HOST_CONFIG_FILE);
+
fd = buffer_get_int(&b);
if ((fd == STDIN_FILENO) || (fd == STDOUT_FILENO))
fatal("bad fd");
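Review bot: `remotehost` comes from the unprivileged caller via the message and is used only to select a Host block; nothing in this hunk ties it to the peer on `fd`, so a caller can name whichever host the admin enabled and obtain a signature for a connection to a different one. If the per-host setting is meant to be policy, derive the remote host from the socket (getpeername on `fd` and a reverse lookup) or check the supplied name against it, and otherwise document that the caller-supplied name is advisory. Also log `remotehost` at debug level before the `xfree` so a refused request can be diagnosed.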
