Subject: bin/36562: sshd(8) HostbasedAuthentication fails after upgrading to 4.0_BETA2
To: None <gnats-admin@netbsd.org, netbsd-bugs@netbsd.org>
From: None <nakayama@NetBSD.org>
List: netbsd-bugs
Date: 06/26/2007 16:25:01
>Number: 36562
>Category: bin
>Synopsis: sshd(8) HostbasedAuthentication fails after upgrading to 4.0_BETA2
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue Jun 26 16:25:00 +0000 2007
>Originator: Takeshi Nakayama
>Release: NetBSD 4.0_BETA2
>Organization:
>Environment:
System: NetBSD eos 4.0_BETA2 NetBSD 4.0_BETA2 (EOS) #6: Sun Jun 24 04:29:51 JST 2007 takeshi@nyx:/export/anoncvs-4/src/sys/arch/sparc64/compile/EOS sparc64
Architecture: sparc64
Machine: sparc64
>Description:
HostbasedAuthentication of sshd(8) fails after upgrading my machine
to 4.0_BETA2.
The debug message of sshd(8) says it may access /root/.ssh/known_hosts
as known hosts file instead of ~/.ssh/known_hosts.
More investigation shows it seems NetBSD's local modification in
crypto/dist/ssh/misc.c is the root cause.
>How-To-Repeat:
ssh(1) with HostbasedAuthentication to a 4.0_BETA2 machine.
>Fix:
Revert the following NetBSD local modification,
or put unsetenv("HOME") at the start of sshd(8) to avoid this code path.
# cvs rdiff -rv43-20060201 -r1.17 src/crypto/dist/ssh/misc.c
Index: misc.c
===================================================================
RCS file: /cvsroot/src/crypto/dist/ssh/misc.c,v
retrieving revision 1.1.1.12
retrieving revision 1.17
diff -u -d -r1.1.1.12 -r1.17
--- misc.c 4 Feb 2006 22:22:47 -0000 1.1.1.12
+++ misc.c 4 Feb 2006 22:32:14 -0000 1.17
@@ -448,7 +449,7 @@
char *
tilde_expand_filename(const char *filename, uid_t uid)
{
- const char *path;
+ const char *path, *homedir;
char user[128], ret[MAXPATHLEN];
struct passwd *pw;
u_int len, slash;
@@ -466,15 +467,20 @@
user[slash] = '\0';
if ((pw = getpwnam(user)) == NULL)
fatal("tilde_expand_filename: No such user %s", user);
- } else if ((pw = getpwuid(uid)) == NULL) /* ~/path */
- fatal("tilde_expand_filename: No such uid %d", uid);
+ homedir = pw->pw_dir;
+ } else if ((homedir = getenv("HOME")) == NULL) { /* ~/path */
+ if ((pw = getpwuid(uid)) == NULL)
+ fatal("tilde_expand_filename: No such uid %d",
+ (int)uid);
+ homedir = pw->pw_dir;
+ }
- if (strlcpy(ret, pw->pw_dir, sizeof(ret)) >= sizeof(ret))
+ if (strlcpy(ret, homedir, sizeof(ret)) >= sizeof(ret))
fatal("tilde_expand_filename: Path too long");
/* Make sure directory has a trailing '/' */
- len = strlen(pw->pw_dir);
- if ((len == 0 || pw->pw_dir[len - 1] != '/') &&
+ len = strlen(homedir);
+ if ((len == 0 || homedir[len - 1] != '/') &&
strlcat(ret, "/", sizeof(ret)) >= sizeof(ret))
fatal("tilde_expand_filename: Path too long");
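Review bot: In the `~/path` branch of the second hunk, `getenv("HOME")` is checked before `getpwuid(uid)`, so the `uid` argument is ignored whenever HOME is set in the calling process. A daemon that runs as root and expands a path on behalf of another user then gets its own home directory, which matches the /root/.ssh/known_hosts lookup described in the report. Suggest resolving `~/` from `getpwuid(uid)` as the removed lines did, or consulting HOME only when `uid` is the caller's own uid. The value of HOME is also copied into `ret` without any check that it is non-empty or an absolute path.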