
Bug#64388: marked as done (root logins with {,s}hosts.equiv...)



Your message dated Tue, 03 Jun 2025 12:31:22 +0000
with message-id <914f51281aa2177e9b81385e7ce133be@posteo.de>
and subject line close as to old and no action taken
has caused the Debian Bug report #64388,
regarding root logins with {,s}hosts.equiv...
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
64388: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=64388
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: ssh
Version: 1:1.2.3-3
Severity: wishlist

Sometimes it's desirable to allow root to log in with hosts.equiv;
currently this requires .[rs]hosts files (which requires that users'
.[rs]hosts files be enabled as well).  The following patch allows root
login with {,s}hosts.equiv to be turned on with a 'HostsEquivRootOK'
option in sshd_config.
							- Tom

diff -C 3 openssh-1.2.3.orig/auth-rhosts.c openssh-1.2.3/auth-rhosts.c
*** openssh-1.2.3.orig/auth-rhosts.c	Mon Dec 27 04:54:55 1999
--- openssh-1.2.3/auth-rhosts.c	Fri May 19 12:52:32 2000
***************
*** 184,190 ****
  	ipaddr = get_remote_ipaddr();
  
  	/* If not logging in as superuser, try /etc/hosts.equiv and shosts.equiv. */
! 	if (pw->pw_uid != 0) {
  		if (check_rhosts_file("/etc/hosts.equiv", hostname, ipaddr, client_user,
  				      pw->pw_name)) {
  			packet_send_debug("Accepted for %.100s [%.100s] by /etc/hosts.equiv.",
--- 184,190 ----
  	ipaddr = get_remote_ipaddr();
  
  	/* If not logging in as superuser, try /etc/hosts.equiv and shosts.equiv. */
! 	if (options.hosts_equiv_rootok || pw->pw_uid != 0) {
  		if (check_rhosts_file("/etc/hosts.equiv", hostname, ipaddr, client_user,
  				      pw->pw_name)) {
  			packet_send_debug("Accepted for %.100s [%.100s] by /etc/hosts.equiv.",
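
Review bot: the comment directly above the changed condition still says "If not logging in as superuser, try /etc/hosts.equiv and shosts.equiv.", which stops being accurate once `options.hosts_equiv_rootok` can let uid 0 through; please reword it to describe the new gate. With the flag set, a match in /etc/hosts.equiv is enough to accept a root login, and the only trace visible in this hunk is a `packet_send_debug` message to the client, so unless code outside the shown context already does it, add a server-side log entry when `pw->pw_uid == 0` is accepted on this path so use of the option can be audited.
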
diff -C 3 openssh-1.2.3.orig/servconf.c openssh-1.2.3/servconf.c
*** openssh-1.2.3.orig/servconf.c	Fri May 19 13:58:51 2000
--- openssh-1.2.3/servconf.c	Fri May 19 12:25:31 2000
***************
*** 48,53 ****
--- 48,54 ----
  	options->log_level = (LogLevel) - 1;
  	options->rhosts_authentication = -1;
  	options->rhosts_rsa_authentication = -1;
+ 	options->hosts_equiv_rootok = -1;
  	options->rsa_authentication = -1;
  #ifdef KRB4
  	options->kerberos_authentication = -1;
***************
*** 113,118 ****
--- 114,121 ----
  		options->rhosts_authentication = 0;
  	if (options->rhosts_rsa_authentication == -1)
  		options->rhosts_rsa_authentication = 0;
+ 	if (options->hosts_equiv_rootok == -1)
+ 		options->hosts_equiv_rootok = 0;
  	if (options->rsa_authentication == -1)
  		options->rsa_authentication = 1;
  #ifdef KRB4
***************
*** 162,168 ****
  	sPrintMotd, sPrintLastLog, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset,
  	sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sCheckMail,
  	sUseLogin, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
! 	sIgnoreUserKnownHosts
  } ServerOpCodes;
  
  /* Textual representation of the tokens. */
--- 165,171 ----
  	sPrintMotd, sPrintLastLog, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset,
  	sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sCheckMail,
  	sUseLogin, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
! 	sIgnoreUserKnownHosts, sHostsEquivRootOK
  } ServerOpCodes;
  
  /* Textual representation of the tokens. */
***************
*** 180,185 ****
--- 183,189 ----
  	{ "loglevel", sLogLevel },
  	{ "rhostsauthentication", sRhostsAuthentication },
  	{ "rhostsrsaauthentication", sRhostsRSAAuthentication },
+ 	{ "hostsequivrootok", sHostsEquivRootOK },
  	{ "rsaauthentication", sRSAAuthentication },
  #ifdef KRB4
  	{ "kerberosauthentication", sKerberosAuthentication },
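
Review bot: the `hostsequivrootok` keyword is registered here, but the patch changes only auth-rhosts.c, servconf.c, servconf.h and sshd_config, so the new option has no manual page entry. Please add one next to the description of `RhostsRSAAuthentication`, stating that the default is off and that enabling it extends {,s}hosts.equiv trust to the root account.
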
***************
*** 414,419 ****
--- 418,427 ----
  
  		case sRhostsRSAAuthentication:
  			intptr = &options->rhosts_rsa_authentication;
+ 			goto parse_flag;
+ 
+ 		case sHostsEquivRootOK:
+ 			intptr = &options->hosts_equiv_rootok;
  			goto parse_flag;
  
  		case sRSAAuthentication:
diff -C 3 openssh-1.2.3.orig/servconf.h openssh-1.2.3/servconf.h
*** openssh-1.2.3.orig/servconf.h	Fri May 19 13:58:51 2000
--- openssh-1.2.3/servconf.h	Fri May 19 12:26:42 2000
***************
*** 54,59 ****
--- 54,61 ----
  					 * authentication. */
  	int     rhosts_rsa_authentication;	/* If true, permit rhosts RSA
  						 * authentication. */
+ 	int     hosts_equiv_rootok;	/* If true, permit [rs]hosts.equiv
+ 						 * authentication for root. */
  	int     rsa_authentication;	/* If true, permit RSA authentication. */
  #ifdef KRB4
  	int     kerberos_authentication;	/* If true, permit Kerberos
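
Review bot: the comment on `hosts_equiv_rootok` says "[rs]hosts.equiv", which read as a pattern names rhosts.equiv and shosts.equiv rather than the hosts.equiv file that auth-rhosts.c actually checks. Spell it out as "hosts.equiv and shosts.equiv" (or use the {,s}hosts.equiv form from the sshd_config comment) so the field description matches the files consulted.
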
diff -C 3 openssh-1.2.3.orig/sshd_config openssh-1.2.3/sshd_config
*** openssh-1.2.3.orig/sshd_config	Fri May 19 13:58:51 2000
--- openssh-1.2.3/sshd_config	Fri May 19 13:50:15 2000
***************
*** 28,33 ****
--- 28,36 ----
  # For this to work you will also need host keys in /etc/ssh_known_hosts
  RhostsRSAAuthentication no
  #
+ # Normally {,s}hosts.equiv access doesn't apply to root
+ #HostsEquivRootOK yes
+ 
  RSAAuthentication yes
  
  # To disable tunneled clear text passwords, change to no here!
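
Review bot: the sample entry is a commented-out `#HostsEquivRootOK yes`, while the neighbouring `RhostsRSAAuthentication no` states its default explicitly; an administrator who uncomments the line switches on root trust via hosts.equiv without having seen the default. I would ship `HostsEquivRootOK no` uncommented instead and extend the comment above it to say what setting it to yes permits. The added blank line after the entry also leaves the preceding lone `#` separator without a matching one below, unlike the block above it.
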



--- End Message ---
--- Begin Message ---
Closing this ticket because it is outdated and there was no activity. No activity also means no interest from the maintainer or the reporter. The package
might not be actively maintained anymore.

This happens in the interest of the Debian GNU/Linux project because keeping tickets of that age open without any activity, decision or
action taken harms the project.

Feel free to re-open or open a fresh report.

--- End Message ---
