Date:      Tue, 24 Nov 1998 17:30:39 +0900 (JST)
From:      shige@kuis.kyoto-u.ac.jp
To:        FreeBSD-gnats-submit@FreeBSD.ORG
Cc:        shige@kuis.kyoto-u.ac.jp
Subject:   ports/8829: Update port: security/ssh
Message-ID:  <199811240830.RAA00670@awara.kuis.kyoto-u.ac.jp>


>Number:         8829
>Category:       ports
>Synopsis:       Fix port: security/ssh
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    freebsd-ports
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Tue Nov 24 00:40:00 PST 1998
>Last-Modified:
>Originator:     Shigeyuki FUKUSHIMA
>Organization:
Dept. of Information Science, Kyoto Univ., JAPAN
>Release:        FreeBSD 3.0-RELEASE i386
>Environment:

	FreeBSD 3.0-RELEASE i386
	FreeBSD 2.2.7-RELEASE i386

>Description:

Fix port: security/ssh

Problem: Can't look up an entry in the NIS netgroup. (innetgr bug?)

If the innetgr function in auth-rhosts.c is called with the condition
that `const char *domain' == NULL, we fail to look up an entry in
a NIS netgroup.

This fix sets domain to a non-NULL value before calling the innetgr
function, whenever `getdomainname' succeeds.


Note that:

My environment is as follows:
  NIS server's OS:  Solaris 2.5.1 (any?!)
  sshd(serverhost): FreeBSD 2.2.7-RELEASE or 3.0-RELEASE
  ssh (clienthost): any

serverhost's /etc/hosts.equiv is as follows:

localhost
+@myhosts

And serverhost's /usr/local/etc/ssh_known_hosts includes clienthost's
ssh public key.

I can rlogin to the server host from the client host without entering a password.
But I cannot slogin to the server host from the client host without entering a
password/passphrase, because RSA authentication fails.

After that, I changed the serverhost's /etc/hosts.equiv as follows:

localhost
clienthost

I can rlogin and slogin to the server host from the client host without entering
a password.

Hence, I think that the serverhost's sshd fails to look up the 'clienthost'
entry in the 'myhosts' NIS netgroup.

# Of course, ypwhich, ypcat and ypmatch work correctly.

# By the way... In the 'rlogind' source, after domainname is set, the innetgr
# function is called with its `const char *domain' argument set to
# domainname.

Thank you.
--- shige

>How-To-Repeat:

This is a test program.
 $ gcc -o test test.c
 $ ./test foogroup entry

If `entry' exists in NIS netgroup `foogroup', it prints "result = 1".
Otherwise "result = 0".

But, on FreeBSD, even if `entry' exists in NIS netgroup `foogroup',
it prints "result = 0".

--- test.c -------------------------------------------------------------------
#include <stdio.h>
#include <netdb.h>   /* innetgr() prototype; on FreeBSD it is declared here */

int main(int argc, char **argv)
{
  int result;

  /* Usage: ./test netgroup entry
   * Looks up `entry' as a host in NIS netgroup `netgroup', with both the
   * user and the domain arguments left NULL, exactly as auth-rhosts.c does. */
  if (argc == 3) {
    result = innetgr(argv[1], argv[2], NULL, NULL);
    fprintf(stderr, "result = %d\n", result);
  }

  return 0;
}
------------------------------------------------------------------------------
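The same netgroup check written the way the fix intends, as an added example that is neither the submitter's test program nor ssh's own code. It generalises the patch slightly: the domain buffer lives on the stack and is passed with its real length, and an unset domain (reported as "" on FreeBSD or "(none)" on Linux) falls back to a NULL domain instead of an empty string. The helper names usable_domain, nis_domain and host_in_netgroup are hypothetical.

```c
#define _DEFAULT_SOURCE 1   /* glibc: expose getdomainname() and innetgr() */
#include <netdb.h>          /* innetgr() */
#include <stdio.h>
#include <string.h>
#include <unistd.h>         /* getdomainname() */
#include <sys/param.h>      /* MAXHOSTNAMELEN */
#ifndef MAXHOSTNAMELEN
#define MAXHOSTNAMELEN 256
#endif

/* Return buf if it holds a usable NIS domain, NULL if none is configured.
 * Linux reports "(none)" for an unset domain; FreeBSD reports "". */
static const char *usable_domain(char *buf)
{
    if (buf == NULL || buf[0] == '\0' || strcmp(buf, "(none)") == 0)
        return NULL;
    return buf;
}

/* Fill buf with the NIS domain. Pass the real buffer length, not
 * sizeof(pointer) as the submitted patch does; return NULL on failure. */
static const char *nis_domain(char *buf, size_t buflen)
{
    if (buflen == 0 || getdomainname(buf, buflen) != 0)
        return NULL;
    buf[buflen - 1] = '\0';   /* termination is not guaranteed everywhere */
    return usable_domain(buf);
}

/* hosts.equiv "+@netgroup" check: the host name or its address is a member
 * of the netgroup, with the NIS domain passed explicitly as the fix intends. */
static int host_in_netgroup(const char *netgroup, const char *hostname,
                            const char *ipaddr)
{
    char dombuf[MAXHOSTNAMELEN];           /* stack buffer: nothing to free */
    const char *domain = nis_domain(dombuf, sizeof dombuf);

    return innetgr(netgroup, hostname, NULL, domain) ||
           innetgr(netgroup, ipaddr, NULL, domain);
}

int main(int argc, char **argv)
{
    if (argc != 4) {
        fprintf(stderr, "usage: %s netgroup hostname ipaddr\n", argv[0]);
        return 2;
    }
    printf("result = %d\n", host_in_netgroup(argv[1], argv[2], argv[3]));
    return 0;
}
```

On a host without NIS, innetgr simply returns 0, so the program is only meaningful against a real netgroup map.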

>Fix:

diff -urN ssh.orig/patches/patch-aw ssh/patches/patch-aw
--- ssh.orig/patches/patch-aw	Thu Jan  1 09:00:00 1970
+++ ssh/patches/patch-aw	Tue Nov 24 16:27:44 1998
@@ -0,0 +1,43 @@
+--- auth-rhosts.c.orig	Thu Jul  9 01:40:35 1998
++++ auth-rhosts.c	Tue Nov 24 16:25:15 1998
+@@ -130,6 +130,7 @@
+ {
+   UserFile uf;
+   char buf[1024]; /* Must not be larger than host, user, dummy below. */
++  char *domainname;
+   
+   /* Open the .rhosts file. */
+   uf = userfile_open(uid, filename, O_RDONLY, 0);
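Review bot: `char *domainname;` is declared unconditionally here, but every use of it in the later hunks sits inside `#ifdef HAVE_INNETGR`, so builds without HAVE_INNETGR get an unused-variable warning and, more importantly, the pointer is never initialised on the path where it is used. Either move the declaration under the same `#ifdef` or initialise it to NULL at the declaration.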
+@@ -226,11 +227,14 @@
+ 	  
+ #ifdef HAVE_INNETGR
+ 
++      domainname = (char *)malloc(sizeof(char) * MAXHOSTNAMELEN);
++      if (getdomainname(domainname, sizeof(domainname)))
++        domainname = NULL;
+       /* Verify that host name matches. */
+       if (host[0] == '@')
+ 	{
+-	  if (!innetgr(host + 1, (char *)hostname, NULL, NULL) &&
+-	      !innetgr(host + 1, (char *)ipaddr, NULL, NULL))
++	  if (!innetgr(host + 1, (char *)hostname, NULL, domainname) &&
++	      !innetgr(host + 1, (char *)ipaddr, NULL, domainname))
+ 	    continue;
+ 	}
+       else
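Review bot: `getdomainname(domainname, sizeof(domainname))` passes the size of the pointer (4 or 8 bytes), not the MAXHOSTNAMELEN bytes that were just allocated, so any NIS domain longer than that makes getdomainname fail and the code silently falls back to `domainname = NULL`, which is exactly the lookup this patch is meant to fix. Pass MAXHOSTNAMELEN instead. The malloc return value is also never checked, and on the failure path the buffer is dropped without being freed; a stack array `char domainbuf[MAXHOSTNAMELEN];` plus a separate pointer for the NULL case avoids all three problems.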
+@@ -240,12 +244,14 @@
+       /* Verify that user name matches. */
+       if (user[0] == '@')
+ 	{
+-	  if (!innetgr(user + 1, NULL, (char *)client_user, NULL))
++	  if (!innetgr(user + 1, NULL, (char *)client_user, domainname))
+ 	    continue;
+ 	}
+       else
+ 	if (strcmp(user, client_user) != 0)
+ 	  continue; /* Different username. */
++
++      free(domainname);
+ 
+ #else /* HAVE_INNETGR */
+ 
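Review bot: `free(domainname)` is only reached when both the host and the user checks succeed; every `continue` above it skips the free, so the buffer malloc'd at the start of each iteration in the previous hunk leaks once per non-matching line of the file. Allocate once before the loop and free after it, or use a stack buffer, so that no cleanup has to survive the `continue` statements.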
>Audit-Trail:
>Unformatted:
