-/* $OpenBSD: auth-rhosts.c,v 1.51 2019/10/02 00:42:30 djm Exp $ */
+/* $OpenBSD: auth-rhosts.c,v 1.52 2020/04/17 03:30:05 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* Check if we have been configured to ignore .rhosts
* and .shosts files.
*/
- if (options.ignore_rhosts) {
+ if (options.ignore_rhosts == IGNORE_RHOSTS_YES ||
+ (options.ignore_rhosts == IGNORE_RHOSTS_SHOSTS &&
+ strcmp(rhosts_files[rhosts_file_index], ".shosts") != 0)) {
auth_debug_add("Server has been configured to "
"ignore %.100s.", rhosts_files[rhosts_file_index]);
continue;
-/* $OpenBSD: servconf.c,v 1.362 2020/04/17 03:23:13 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.363 2020/04/17 03:30:05 djm Exp $ */
/*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
{ "no", 0 },
{ NULL, -1 }
};
+static const struct multistate multistate_ignore_rhosts[] = {
+ { "yes", IGNORE_RHOSTS_YES },
+ { "no", IGNORE_RHOSTS_NO },
+ { "shosts-only", IGNORE_RHOSTS_SHOSTS },
+ { NULL, -1 }
+};
static const struct multistate multistate_addressfamily[] = {
{ "inet", AF_INET },
{ "inet6", AF_INET6 },
case sIgnoreRhosts:
intptr = &options->ignore_rhosts;
- parse_flag:
- multistate_ptr = multistate_flag;
+ multistate_ptr = multistate_ignore_rhosts;
goto parse_multistate;
case sIgnoreUserKnownHosts:
intptr = &options->ignore_user_known_hosts;
- goto parse_flag;
+ parse_flag:
+ multistate_ptr = multistate_flag;
+ goto parse_multistate;
case sHostbasedAuthentication:
intptr = &options->hostbased_authentication;
return fmt_multistate_int(val, multistate_tcpfwd);
case sAllowStreamLocalForwarding:
return fmt_multistate_int(val, multistate_tcpfwd);
+ case sIgnoreRhosts:
+ return fmt_multistate_int(val, multistate_ignore_rhosts);
case sFingerprintHash:
return ssh_digest_alg_name(val);
default:
-/* $OpenBSD: servconf.h,v 1.143 2020/01/31 22:42:45 djm Exp $ */
+/* $OpenBSD: servconf.h,v 1.144 2020/04/17 03:30:05 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
#define PERMITOPEN_ANY 0
#define PERMITOPEN_NONE -2
+/* IgnoreRhosts */
+#define IGNORE_RHOSTS_NO 0
+#define IGNORE_RHOSTS_YES 1
+#define IGNORE_RHOSTS_SHOSTS 2
+
#define DEFAULT_AUTH_FAIL_MAX 6 /* Default for MaxAuthTries */
#define DEFAULT_SESSIONS_MAX 10 /* Default for MaxSessions */
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd_config.5,v 1.308 2020/04/17 03:23:13 djm Exp $
+.\" $OpenBSD: sshd_config.5,v 1.309 2020/04/17 03:30:05 djm Exp $
.Dd $Mdocdate: April 17 2020 $
.Dt SSHD_CONFIG 5
.Os
The list of available key types may also be obtained using
.Qq ssh -Q HostKeyAlgorithms .
.It Cm IgnoreRhosts
-Specifies that
+Specifies whether to ignore per-user
.Pa .rhosts
and
.Pa .shosts
-files will not be used in
+files during
.Cm HostbasedAuthentication .
-.Pp
+The system-wide
.Pa /etc/hosts.equiv
and
.Pa /etc/shosts.equiv
-are still used.
-The default is
-.Cm yes .
+are still used regardless of this setting.
+.Pp
+Accepted values are
+.Cm yes
+(the default) to ignore all per-user files,
+.Cm shosts-only
+to allow the use of
+.Pa .shosts
+but to ignore
+.Pa .rhosts
+or
+.Cm no
+to allow both
+.Pa .shosts
+and
+.Pa rhosts.
.It Cm IgnoreUserKnownHosts
Specifies whether
.Xr sshd 8
projects / thirdparty / openssh-portable.git / commitdiff
