From shige@kuis.kyoto-u.ac.jp  Tue Nov 24 00:30:47 1998
Received: from spa.kuis.kyoto-u.ac.jp (lab4imgw.kuis.kyoto-u.ac.jp [130.54.23.230])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id AAA22604
          for <freebsd-gnats-submit@freebsd.org>; Tue, 24 Nov 1998 00:30:45 -0800 (PST)
          (envelope-from shige@kuis.kyoto-u.ac.jp)
Received: from awara.kuis.kyoto-u.ac.jp (awara.kuis.kyoto-u.ac.jp [130.54.22.170])
	by spa.kuis.kyoto-u.ac.jp (8.8.8/3.6Wspa) with ESMTP id RAA21384;
	Tue, 24 Nov 1998 17:27:51 +0900 (JST)
Received: (from shige@localhost) by awara.kuis.kyoto-u.ac.jp (8.9.1/3.4W4-lab4kuis) id RAA00670; Tue, 24 Nov 1998 17:30:39 +0900 (JST)
Message-Id: <199811240830.RAA00670@awara.kuis.kyoto-u.ac.jp>
Date: Tue, 24 Nov 1998 17:30:39 +0900 (JST)
From: shige@kuis.kyoto-u.ac.jp
Reply-To: shige@kuis.kyoto-u.ac.jp
To: FreeBSD-gnats-submit@freebsd.org
Cc: shige@kuis.kyoto-u.ac.jp
Subject: Update port: security/ssh
X-Send-Pr-Version: 3.2

>Number:         8829
>Category:       bin
>Synopsis:       bug in innetgr (was: Fix port: security/ssh)
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    dougb
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Tue Nov 24 00:40:00 PST 1998
>Closed-Date:    Sun Jun 3 21:19:33 PDT 2001
>Last-Modified:  Sun Jun 03 21:20:29 PDT 2001
>Originator:     Shigeyuki FUKUSHIMA
>Release:        FreeBSD 3.0-RELEASE i386
>Organization:
Dept. of Information Science, Kyoto Univ., JAPAN
>Environment:

	FreeBSD 3.0-RELEASE i386
	FreeBSD 2.2.7-RELEASE i386

>Description:

Fix port: security/ssh

Problem: Can't look up an entry in the netgroup (NIS). (innetgr bug?)

If the innetgr function in auth-rhosts.c is called with
`const char *domain' == NULL, we fail to look up an entry in
a NIS netgroup.

The fix is to set domain to a non-NULL value before calling the
innetgr function, when `getdomainname' succeeds.


Note that:

My environment is as follows:
  NIS server's OS:  Solaris 2.5.1 (any?!)
  sshd(serverhost): FreeBSD 2.2.7-RELEASE or 3.0-RELEASE
  ssh (clienthost): any

serverhost's /etc/hosts.equiv is as follows:

localhost
+@myhosts

And serverhost's /usr/local/etc/ssh_known_hosts includes clienthost's
ssh public key.

I can rlogin to the server host from the client host without entering a
password. But I cannot slogin to the server host from the client host
without entering a password/passphrase, because RSA authentication fails.

Afterwards, I changed serverhost's /etc/hosts.equiv as follows:

localhost
clienthost

I can rlogin and slogin to the server host from the client host without
entering a password.

Hence, I think that serverhost sshd fails to look up 'clienthost'
entry in 'myhosts' NIS netgroup.

# Of course, ypwhich, ypcat and ypmatch work correctly.

# By the way... In the 'rlogind' source, after domainname is set, the innetgr
# function is called with domainname as its `const char *domain'
# argument.

Thank you.
--- shige

>How-To-Repeat:

This is a test program.
 $ gcc -o test test.c
 $ ./test foogroup entry

If `entry' exists in NIS netgroup `foogroup', it prints "result = 1".
Otherwise "result = 0".

But, on FreeBSD, even if `entry' exists in NIS netgroup `foogroup',
it prints "result = 0".

--- test.c -------------------------------------------------------------------
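#include <stdio.h>
#include <netdb.h>   /* declares innetgr() */

int main(int argc, char **argv)
{
  int result;

  /* Usage: ./test <netgroup> <host> */
  if (argc == 3) {
    /* user and domain are passed as NULL, i.e. as wildcards */
    result = innetgr(argv[1], argv[2], NULL, NULL);
    fprintf(stderr, "result = %d\n", result);
  }

  return 0;
}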
------------------------------------------------------------------------------

>Fix:

diff -urN ssh.orig/patches/patch-aw ssh/patches/patch-aw
--- ssh.orig/patches/patch-aw	Thu Jan  1 09:00:00 1970
+++ ssh/patches/patch-aw	Tue Nov 24 16:27:44 1998
@@ -0,0 +1,43 @@
+--- auth-rhosts.c.orig	Thu Jul  9 01:40:35 1998
++++ auth-rhosts.c	Tue Nov 24 16:25:15 1998
+@@ -130,6 +130,7 @@
+ {
+   UserFile uf;
+   char buf[1024]; /* Must not be larger than host, user, dummy below. */
++  char *domainname;
+   
+   /* Open the .rhosts file. */
+   uf = userfile_open(uid, filename, O_RDONLY, 0);
+@@ -226,11 +227,14 @@
+ 	  
+ #ifdef HAVE_INNETGR
+ 
++      domainname = (char *)malloc(sizeof(char) * MAXHOSTNAMELEN);
++      if (getdomainname(domainname, sizeof(domainname)))
++        domainname = NULL;
+       /* Verify that host name matches. */
+       if (host[0] == '@')
+ 	{
+-	  if (!innetgr(host + 1, (char *)hostname, NULL, NULL) &&
+-	      !innetgr(host + 1, (char *)ipaddr, NULL, NULL))
++	  if (!innetgr(host + 1, (char *)hostname, NULL, domainname) &&
++	      !innetgr(host + 1, (char *)ipaddr, NULL, domainname))
+ 	    continue;
+ 	}
+       else
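Review bot: `getdomainname(domainname, sizeof(domainname))` in this hunk passes the size of a `char *`, not the `MAXHOSTNAMELEN` bytes allocated on the line above, so the domain name is limited to pointer width. Pass `MAXHOSTNAMELEN`, or declare a fixed `char domainname[MAXHOSTNAMELEN]` array, which makes `sizeof` correct and removes the `malloc`. As written, the `malloc` result is also used without a NULL check, and the failure branch `domainname = NULL;` drops the only pointer to the buffer without freeing it.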
+@@ -240,12 +244,14 @@
+       /* Verify that user name matches. */
+       if (user[0] == '@')
+ 	{
+-	  if (!innetgr(user + 1, NULL, (char *)client_user, NULL))
++	  if (!innetgr(user + 1, NULL, (char *)client_user, domainname))
+ 	    continue;
+ 	}
+       else
+ 	if (strcmp(user, client_user) != 0)
+ 	  continue; /* Different username. */
++
++      free(domainname);
+ 
+ #else /* HAVE_INNETGR */
+ 
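Review bot: `free(domainname)` at the end of this hunk is reached only when both the host and the user checks pass. Every `continue` above it, here and in the previous hunk, skips the call, so the buffer allocated before the host check leaks for each entry that does not match. Free the buffer before each `continue`, or fetch the domain once into a stack array ahead of the checks so no `free` is needed.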
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-ports->torstenb 
Responsible-Changed-By: billf 
Responsible-Changed-When: Fri Nov 27 08:09:40 PST 1998 
Responsible-Changed-Why:  
Over to port's maintainer 

From: Bill Fenner <fenner@parc.xerox.com>
To: freebsd-gnats-submit@freebsd.org
Cc: shige@kuis.kyoto-u.ac.jp
Subject: Re: ports/8829: Fix port: security/ssh
Date: Mon, 25 Jan 1999 12:55:24 PST

 Shige,
 
   I think you're right that this is a bug in innetgr().  One workaround is
 to put something in /etc/netgroup other than a bare +, e.g. a newline
 and then a + on the second line.
 
   Bill

From: Shigeyuki FUKUSHIMA <shige@kuis.kyoto-u.ac.jp>
To: fenner@parc.xerox.com
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: ports/8829: Fix port: security/ssh
Date: Tue, 26 Jan 1999 12:39:47 +0900 (JST)

 ----Next_Part(Tue_Jan_26_12:37:46_1999_942)--
 Content-Type: Text/Plain; charset=us-ascii
 Content-Transfer-Encoding: 7bit
 
  From: Bill Fenner <fenner@parc.xerox.com>
  Date: Mon, 25 Jan 1999 12:55:24 PST
  Title: Re: ports/8829: Fix port: security/ssh
  Message-ID: <199901252055.MAA04567@mango.parc.xerox.com>
 
 >   I think you're right that this is a bug in innetgr().  One workaround is
 > to put something in /etc/netgroup other than a bare +, e.g. a newline
 > and then a + on the second line.
 
 I think (... in my supposition):
 
 Assumptions:
    Netgroup: foo
    domain:   bar
    hostname: host
    username: user
 
 In /usr/src/lib/libc/gen/getnetgrent.c:innetgr(), if dom == NULL, the
 _buildkey function (line 357) returns the key as "host.*" or "user.*".
 But the yp_match function (line 358) compares "host.*" and "host.foo"
 *as is*?!, and returns YPERR_KEY, that is, the `no such key in map' error.
 
 Surely, the following program prints:
 
 
 $ ./a.out host
 `*' domain test       = 5 (*1)
 specified domain test = 0
 
 (*1) YPERR_KEY == 5
 ---- 
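 #include <sys/types.h>
 #include <stdio.h>
 #include <string.h>         /* strlen() */
 #include <unistd.h>         /* getdomainname() */
 #include <rpc/rpc.h>
 #include <rpcsvc/ypclnt.h>  /* yp_match() */
 
 int main(int argc, char **argv)
 {
   int y;
   char *r;
   int rlen;
   char ypdomain[256];
   char key[256];
 
   if (getdomainname(ypdomain, sizeof(ypdomain)) != 0)
     return 1;
   if (argc == 2) {
 
     /* Key with a wildcard domain, as built when dom == NULL. */
     snprintf(key, sizeof(key), "%s.%s", argv[1], "*");
     y = yp_match(ypdomain, "netgroup.byhost", key, strlen(key), &r, &rlen);
     fprintf(stderr, "`*' domain test       = %d\n", y);
 
     /* Key with the real NIS domain name. */
     snprintf(key, sizeof(key), "%s.%s", argv[1], ypdomain);
     y = yp_match(ypdomain, "netgroup.byhost", key, strlen(key), &r, &rlen);
     fprintf(stderr, "specified domain test = %d\n", y);
   }
 
   return 0;
 }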
 ---
 
 Finally, I send a stopgap patch for /usr/src/lib/libc/gen/getnetgrent.c.
 
 ---------
 Shigeyuki FUKUSHIMA <shige@kuis.kyoto-u.ac.jp>
   Yuasa Lab., Department of Information Science, Kyoto Univ., JAPAN
 PGP Public Key:
 http://pgp5.ai.mit.edu:11371/pks/lookup?op=get&search=0x56B99BF9
 
 
 ----Next_Part(Tue_Jan_26_12:37:46_1999_942)--
 Content-Type: Text/Plain; charset=us-ascii
 Content-Transfer-Encoding: 7bit
 Content-Disposition: attachment; filename=libc.diff
 
 --- lib/libc/gen/getnetgrent.c.orig	Mon Mar  2 03:49:37 1998
 +++ lib/libc/gen/getnetgrent.c	Tue Nov 24 14:32:07 1998
 @@ -348,7 +348,7 @@
  	 * If we're in NIS-only mode, do the search using
  	 * NIS 'reverse netgroup' lookups.
  	 */
 -	if (_use_only_yp) {
 +	if (_use_only_yp && dom != NULL) {
  		char _key[MAXHOSTNAMELEN];
  		int rot = 0, y = 0;
  
 
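 Review bot: the comment kept above the changed condition still says that NIS-only mode does the search with reverse netgroup lookups, but with `dom != NULL` added to the test a call with a NULL domain now bypasses that block. Extend the comment to say that the NULL-domain case is skipped and why, and mark it as a stopgap, since the block itself is left unchanged.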
 ----Next_Part(Tue_Jan_26_12:37:46_1999_942)----
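
The mismatch described in the message above, modelled as an added example (not code from this PR or from libc): a forward search treats a NULL domain as a wildcard, while a reverse-map lookup needs an exact key, so `host.*` misses where `host.<domain>` hits. The triple, the map entry and the names `forward_innetgr` and `reverse_innetgr` are constructed for illustration; `myhosts`, `clienthost` and `bar` are the sample names used in the thread.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample data (not from the PR): one netgroup triple and the
 * reverse-map entry assumed to be published for it. NULL = empty field. */
struct triple { const char *group, *host, *user, *dom; };
static const struct triple triples[] = { { "myhosts", "clienthost", NULL, "bar" } };
struct rev { const char *key, *group; };   /* one group per key in this sample */
static const struct rev byhost[] = { { "clienthost.bar", "myhosts" } };

/* Forward rule: a NULL argument or an empty triple field matches anything. */
static int field_ok(const char *arg, const char *field)
{
    return arg == NULL || field == NULL || strcmp(arg, field) == 0;
}

int forward_innetgr(const char *group, const char *host,
                    const char *user, const char *dom)
{
    size_t i;
    for (i = 0; i < sizeof(triples) / sizeof(triples[0]); i++)
        if (strcmp(triples[i].group, group) == 0 &&
            field_ok(host, triples[i].host) &&
            field_ok(user, triples[i].user) && field_ok(dom, triples[i].dom))
            return 1;
    return 0;
}

/* Reverse rule: build "host.domain" ("host.*" for a NULL domain) and
 * require a byte-for-byte key match, as the message describes. */
int reverse_innetgr(const char *group, const char *host, const char *dom)
{
    char key[256];
    size_t i;
    snprintf(key, sizeof(key), "%s.%s", host, dom ? dom : "*");
    for (i = 0; i < sizeof(byhost) / sizeof(byhost[0]); i++)
        if (strcmp(byhost[i].key, key) == 0)
            return strcmp(byhost[i].group, group) == 0;
    return 0; /* no such key in map */
}

int main(void)
{
    printf("forward, dom=NULL: %d\n", forward_innetgr("myhosts", "clienthost", NULL, NULL));
    printf("reverse, dom=NULL: %d\n", reverse_innetgr("myhosts", "clienthost", NULL));
    printf("reverse, dom=bar:  %d\n", reverse_innetgr("myhosts", "clienthost", "bar"));
    return 0;
}
```

For a hosts.equiv check the miss fails closed: the `+@myhosts` entry is simply not honoured, which matches the failed RSA rhosts authentication reported at the top of the PR.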
Responsible-Changed-From-To: torstenb->freebsd-bugs 
Responsible-Changed-By: torstenb 
Responsible-Changed-When: Fri Sep 10 13:51:01 PDT 1999 
Responsible-Changed-Why:  
As noted by billf and others (see audit-trail), it's a problem with NIS and 
not with ssh itself. As I don't use NIS (or even know the code well enough 
to fix the problem), I'll assign that back to freebsd-bugs 
State-Changed-From-To: open->feedback 
State-Changed-By: dougb 
State-Changed-When: Sun May 27 15:33:12 PDT 2001 
State-Changed-Why:  

Is this still a problem with newer versions of FreeBSD? 


Responsible-Changed-From-To: freebsd-bugs->dougb 
Responsible-Changed-By: dougb 
Responsible-Changed-When: Sun May 27 15:33:12 PDT 2001 
Responsible-Changed-Why:  

I'll handle the feedback 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=8829 
State-Changed-From-To: feedback->closed 
State-Changed-By: dougb 
State-Changed-When: Sun Jun 3 21:19:33 PDT 2001 
State-Changed-Why:  

No feedback in one week 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=8829 
>Unformatted:
