Mailing List Archive

rhosts/shosts handling in sshd
Hi,

after much trying and code-digging I found that hostbased authentication
for root is handled differently than for other users. This is from
auth-rhosts.c:

    /*
     * If not logging in as superuser, try /etc/hosts.equiv and
     * shosts.equiv.
     */
    if (pw->pw_uid == 0)
        debug3_f("root user, ignoring system hosts files");
    else {

This behavior is apparently not documented anywhere, and I just cannot
think of a reason why this is done. Can someone enlighten me?
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: rhosts/shosts handling in sshd
On Sun, 18 Dec 2022 15:30:26 +0100, Thomas Köller wrote:

> after much trying and code-digging I found that hostbased authentication
> for root is handled differently than for other users. This is from
> auth-rhosts.c:
>
>     /*
>      * If not logging in as superuser, try /etc/hosts.equiv and
>      * shosts.equiv.
>      */
>     if (pw->pw_uid == 0)
>         debug3_f("root user, ignoring system hosts files");
>     else {
>
> This behavior is apparently not documented anywhere, and I just cannot
> think of a reason why this is done. Can someone enlighten me?

This is historical practice that comes from the BSD rlogin/rsh
(actually libc/net/rcmd.c) and was documented in rcmd(3) on BSD
systems. The meager documentation of it in ssh is probably a case
of "everyone knows it works that way". However, the behavior is
described in ssh(1) in the host-based authentication section.

As for the reason, just because you want to allow unprivileged users
to be able to login from one system without a password does not
mean you necessarily want the root user to be able to do so as well.
I think it still makes sense to require root equivalency to be
explicitly set via .rhosts/.shosts if you are going to be using
host-based authentication.

- todd
Re: rhosts/shosts handling in sshd
Hi Thomas,

Thomas Koeller wrote on Sun, Dec 18, 2022 at 03:30:26PM +0100:

> after much trying and code-digging I found that hostbased authentication
> for root is handled differently than for other users. This is from
> auth-rhosts.c:
>
>     /*
>      * If not logging in as superuser, try /etc/hosts.equiv and
>      * shosts.equiv.
>      */
>     if (pw->pw_uid == 0)
>         debug3_f("root user, ignoring system hosts files");
>     else {
>
> This behavior is apparently not documented anywhere,

My impression is that it *is* documented.

https://man.openbsd.org/ssh.1#AUTHENTICATION

tells me:

Host-based authentication works as follows: If the machine the user
logs in from is listed in /etc/hosts.equiv or /etc/shosts.equiv on
the remote machine, the user is non-root and [...]

> and I just cannot think of a reason why this is done.

Host-based authentication is a relatively risky authentication
method in the first place, so the security risk of host based
authentication for root access is considered too great for providing
the feature.

For example, that prevents local root exploits on the client host
from turning right into remote root exploits on the server, and there
may be other attack scenarios somewhat mitigated by not providing
the dangerous feature.

> Can someone enlighten me?

Hope this helps,
Ingo
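
A simplified model of the rule discussed in this thread, added to the archive as an illustration; it is not OpenSSH code and not written by any of the posters. The function names, the ETC parameter, uid 1000 and the host client.example are assumptions, and only plain hostname entries are matched.

```shell
#!/bin/sh
# Added example: simplified model of which files grant host-based trust.
# Only plain "hostname" first fields are matched; negation (-host),
# wildcards (+) and netgroups (@group) are deliberately not modelled.

# trust_files UID HOME [ETC]: print the files consulted for this account.
# ETC is a hypothetical parameter (default /etc) so a scratch tree can be used.
trust_files() {
    uid=$1; home=$2; etc=${3:-/etc}
    if [ "$uid" -ne 0 ]; then
        # Non-root accounts: system-wide files apply.
        printf '%s\n' "$etc/hosts.equiv" "$etc/shosts.equiv"
    fi
    # Root gets here directly: only per-user files can grant trust.
    printf '%s\n' "$home/.rhosts" "$home/.shosts"
}

# trusting_files UID HOME ETC HOST: print each consulted file that lists HOST.
trusting_files() {
    host=$4
    trust_files "$1" "$2" "$3" | while IFS= read -r f; do
        [ -r "$f" ] || continue
        if awk -v h="$host" '$1 == h { hit = 1 } END { exit !hit }' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Constructed scratch tree: client.example is trusted system-wide only.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/etc" "$t/root" "$t/home/alice"
    printf '# constructed sample\nclient.example\n' > "$t/etc/shosts.equiv"
    echo "alice: $(trusting_files 1000 "$t/home/alice" "$t/etc" client.example)"
    echo "root before: $(trusting_files 0 "$t/root" "$t/etc" client.example)"
    # Root equivalence has to be set explicitly in root's own file.
    printf 'client.example\n' > "$t/root/.shosts"
    echo "root after: $(trusting_files 0 "$t/root" "$t/etc" client.example)"
    rm -rf "$t"
}
demo
```

Being listed is only one condition in real sshd: the server must also be able to verify the client's host key, which this model leaves out.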
Re: rhosts/shosts handling in sshd
On 18.12.22 at 16:07, Todd C. Miller wrote:
> As for the reason, just because you want to allow unprivileged users
> to be able to login from one system without a password does not
> mean you necessarily want the root user to be able to do so as well.
> I think it still makes sense to require root equivalency to be
> explicitly set via .rhosts/.shosts if you are going to be using
> host-based authentication.

Thanks. This may be true if hostbased were used on its own. What I am
trying to do, however, is

AuthenticationMethods hostbased,publickey

in order to increase security.

Thomas