Re: rhosts/shosts handling in sshd

On Sun, 18 Dec 2022 15:30:26 +0100, Thomas Köller wrote:

> after much trying and code-digging I found that hostbased authentication 
> for root is handled differently than for other users. This is from 
> auth-rhosts.c:
>
>         /*
>          * If not logging in as superuser, try /etc/hosts.equiv and
>          * shosts.equiv.
>          */
>         if (pw->pw_uid == 0)
>                 debug3_f("root user, ignoring system hosts files");
>         else {
>
> This behavior is apparently not documented anywhere, and I just cannot 
> think of a reason why this is done. Can someone enlighten me?

This is historical practice that comes from the BSD rlogin/rsh
(actually libc/net/rcmd.c) and was documented in rcmd(3) on BSD
systems.  The meager documentation of it in ssh is probably a case
of "everyone knows it works that way".  However, the behavior is
described in ssh(1) in the host-based authentication section.

As for the reason, just because you want to allow unprivileged users
to be able to log in from one system without a password does not
mean you necessarily want the root user to be able to do so as well.
I think it still makes sense to require root equivalency to be
explicitly set via .rhosts/.shosts if you are going to be using
host-based authentication.

 - todd
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
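The lookup order the reply describes, as an added example written for this page and not OpenSSH's own code: a model of auth_rhosts2()/check_rhosts_file() from auth-rhosts.c that reads from an in-memory dict instead of the filesystem and leaves out sshd's StrictModes ownership and permission checks on the home directory and the files. The paths /etc/hosts.equiv and /etc/ssh/shosts.equiv are sshd's defaults; the hostnames, addresses and file entries are constructed sample data, and the "shosts-only" IgnoreRhosts value is assumed to be available (it is in recent releases).

```python
"""
Model of sshd's host-based authorisation lookup (auth-rhosts.c).
Added example for this page, not OpenSSH code.  Reproduces the decision
order: root skips the system-wide files; per-user .shosts/.rhosts are
subject to IgnoreRhosts; a leading '-' negates an entry; '+' wildcards
are ignored.  Omits sshd's StrictModes ownership/permission checks.
"""

HOSTS_EQUIV = "/etc/hosts.equiv"          # sshd default path
SHOSTS_EQUIV = "/etc/ssh/shosts.equiv"    # sshd default path
PER_USER_FILES = (".shosts", ".rhosts")   # order sshd checks them in


def check_rhosts_file(text, hostname, ipaddr, client_user, server_user):
    """True if a line of `text` authorises client_user@hostname to log in
    as server_user.  Lines are 'host [user]'; a missing user means the same
    name as the target account; a leading '-' on either field negates the
    entry; the first matching line decides."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else server_user
        negated = False
        if host.startswith("-"):
            negated, host = True, host[1:]
        if user.startswith("-"):
            negated, user = True, user[1:]
        if not host or not user:          # a bare '-' is not a valid entry
            continue
        if host == "+" or user == "+":    # sshd logs and ignores wildcards
            continue
        if host.lower() != hostname.lower() and host != ipaddr:
            continue
        if user != client_user:
            continue
        return not negated
    return False


def auth_rhosts(files, uid, home, server_user, client_user, hostname, ipaddr,
                ignore_rhosts="yes"):
    """Decide host-based auth for the account (uid, home, server_user).

    `files` maps absolute paths to contents (constructed data here);
    `ignore_rhosts` takes the sshd_config IgnoreRhosts values
    'yes' (sshd's default), 'no' or 'shosts-only' (assumed available).
    Returns (accepted, path_that_granted_it)."""
    # The branch the thread asks about: root never consults the system files.
    if uid != 0:
        for path in (HOSTS_EQUIV, SHOSTS_EQUIV):
            if path in files and check_rhosts_file(
                    files[path], hostname, ipaddr, client_user, server_user):
                return True, path
    # Per-user files, gated by IgnoreRhosts.
    for name in PER_USER_FILES:
        path = f"{home.rstrip('/')}/{name}"
        if path not in files:
            continue
        if ignore_rhosts == "yes" or (
                ignore_rhosts == "shosts-only" and name != ".shosts"):
            continue
        if check_rhosts_file(files[path], hostname, ipaddr,
                             client_user, server_user):
            return True, path
    return False, None


# Constructed sample files (not real hosts).
SAMPLE_FILES = {
    SHOSTS_EQUIV: "# build farm\nbuild01.example.net\n-build02.example.net\n",
    "/root/.shosts": "build01.example.net root\n",
    "/home/alice/.shosts": "laptop.example.net\n",
}

if __name__ == "__main__":
    args = ("build01.example.net", "192.0.2.10")
    print("alice:", auth_rhosts(SAMPLE_FILES, 1000, "/home/alice",
                                "alice", "alice", *args))
    print("root, IgnoreRhosts yes:", auth_rhosts(SAMPLE_FILES, 0, "/root",
                                                 "root", "root", *args))
    print("root, IgnoreRhosts shosts-only:",
          auth_rhosts(SAMPLE_FILES, 0, "/root", "root", "root", *args,
                      ignore_rhosts="shosts-only"))
```

Running it shows the consequence a practitioner should check for: with sshd's default of IgnoreRhosts yes, root has no path at all, because the system-wide files are skipped for uid 0 and /root/.shosts is ignored. A root host-based login therefore needs an explicit /root/.shosts entry together with IgnoreRhosts no (or shosts-only), HostbasedAuthentication yes, and a PermitRootLogin setting that allows it.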