by redmail.netbsd.org with SMTP; 3 Nov 1999 12:28:40 -0000
Date: Wed, 3 Nov 1999 23:28:35 +1100 (EST)
Message-Id: <199911031228.XAA08938@zen.quick.com.au>
From: "Simon J. Gerraty" <sjg@quick.com.au>
To: tech-security@netbsd.org
Cc: sjg@quick.com.au
Subject: evil? sshd patch

I have a simple patch for sshd that allows someone who can RSA
authenticate as root, to authenticate as anyone.  Some people feel
this is evil and that ssh -l root followed by su is the answer, but
that of course does not cater for:

	scp file oracle@host:blah

Tatu Ylonen thought it useful, but was worried about people concerned
about admins abusing the power etc etc.  So I don't know if it will
ever appear in ssh-1.x

Does anyone want this patch in pkgsrc/security/ssh ?

--sjg

*** sshd.c.~3~	Mon Aug  9 13:52:11 1999
--- sshd.c	Thu Sep 23 10:16:22 1999
***************
*** 2468,2475 ****
              MP_INT n;
              mpz_init(&n);
              packet_get_mp_int(&n);
!             if (auth_rsa(pw, &n, &sensitive_data.random_state,
                           options.strict_modes))
                { 
                  /* Successful authentication. */
                  mpz_clear(&n);
--- 2468,2482 ----
              MP_INT n;
              mpz_init(&n);
              packet_get_mp_int(&n);
!             if ((auth_rsa(pw, &n, &sensitive_data.random_state,
                           options.strict_modes))
+ 		/*
+ 		 * <sjg>
+ 		 * If the remote user is allowed to authenticate as root,
+ 		 * they should be able to authenticate as anyone.
+ 		 */
+ 		|| (auth_rsa(getpwnam("root"), &n, &sensitive_data.random_state,
+                          options.strict_modes)))
                { 
                  /* Successful authentication. */
                  mpz_clear(&n);