Re: Possible security problem in hostbased user authentication? (discussion in the OpenSSH Development forums, part of the Networking and Network Related category)
Well... I admit it's not a high risk security issue since hostbased also
uses pub/priv keys. However, if the
options.hostbased_uses_name_from_packet_only is "enabled", the connected
client will surely pass the test even if its IP is listed as "deny".

Anyway, I don't think the person who wrote this routine intentionally
decided to pass the two chost's. It seems one of those invisible bugs... :-(

Best regards,
Choung S.Park

----- Original Message -----
From: "Darren Tucker" <dtucker@zip.com.au>
To: "Choung S. Park / Choung Networks" <cspark@choung.net>
Cc: <openssh-unix-dev@mindrot.org>
Sent: Wednesday, October 05, 2005 7:10 PM
Subject: Re: Possible security problem in hostbased user authentication?

> Choung S. Park / Choung Networks wrote:
> > In auth2-hostbased.c, line #146
> >
> >     if (auth_rhosts2(pw, cuser, chost, chost) == 0)
> >                                        ^^^^^
> >
> > shouldn't this be
> >
> >     if (auth_rhosts2(pw, cuser, chost, ipaddr) == 0)
> >                                        ^^^^^^
>
> I don't think so. The surrounding code is:
>     if (options.hostbased_uses_name_from_packet_only) {
>         if (auth_rhosts2(pw, cuser, chost, chost) == 0)
>             return 0;
>         lookup = chost;
>
> It's the implementation of the HostbasedUsesNameFromPacketOnly
> sshd_config option. If you look at the authmethod code (in
> userauth_hostbased() above) you'll see that the host must also be able
> to prove possession of the private key corresponding to that host
> identifier to be allowed access.
>
> So the host can claim to be whatever it wants, but it won't get very far
> unless the server has a public key for that host, and the client has the
> matching private key.
>
> On a related note, it appears that HostbasedUsesNameFromPacketOnly is
> missing from sshd_config(5).
>
> --
> Darren Tucker (dtucker at zip.com.au)
> GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
> Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
http://www.mindrot.org/mailman/listi...enssh-unix-dev
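
A simplified C model of the two checks discussed in this thread, added here as an example; it is not OpenSSH source and not code from either poster. It shows that with the name-from-packet-only branch a negative entry for the client's address is never compared, while the key check for the claimed name still has to pass. `rhosts_model()`, `hostbased_model()`, the host names, the address and the contents of the non-packet-only branch are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed sample data, not taken from any real system. */
struct entry { const char *host; int negated; };
static const struct entry equiv[] = {
    { "192.0.2.66", 1 },         /* "-192.0.2.66": negative (deny) entry */
    { "build.example.org", 0 },  /* positive entry for a host name */
};
static const char *known_host = "build.example.org"; /* public key on file */

/* Simplified stand-in for auth_rhosts2(): the first matching entry decides. */
static int rhosts_model(const char *hostname, const char *ipaddr)
{
    for (size_t i = 0; i < sizeof(equiv) / sizeof(equiv[0]); i++) {
        if (strcasecmp(equiv[i].host, hostname) != 0 &&
            strcmp(equiv[i].host, ipaddr) != 0)
            continue;                      /* entry is for another host */
        return equiv[i].negated ? 0 : 1;
    }
    return 0;                              /* no entry: not trusted */
}

/* sig_ok: the client proved possession of the private key for its host id. */
static int hostbased_model(int name_from_packet_only, const char *chost,
    const char *resolvedname, const char *ipaddr, int sig_ok)
{
    const char *lookup;
    if (name_from_packet_only) {           /* branch quoted in the thread */
        if (rhosts_model(chost, chost) == 0)
            return 0;
        lookup = chost;
    } else {                               /* assumed: server-side name and address */
        if (rhosts_model(resolvedname, ipaddr) == 0)
            return 0;
        lookup = resolvedname;
    }
    return strcasecmp(lookup, known_host) == 0 && sig_ok;
}

int main(void)
{
    const char *c = "build.example.org", *r = "unknown.example.net", *ip = "192.0.2.66";
    printf("packet-only, no key proof: %d\n", hostbased_model(1, c, r, ip, 0));
    printf("packet-only, key proof:    %d\n", hostbased_model(1, c, r, ip, 1));
    printf("default,     key proof:    %d\n", hostbased_model(0, c, r, ip, 1));
    return 0;
}
```

In this model an address-based deny entry only takes effect when the server passes its own view of the peer address to the trusted-hosts check, so operators who rely on such entries should confirm how HostbasedUsesNameFromPacketOnly is set.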