author | Damien Miller <djm@mindrot.org> | 2010-07-02 13:35:19 +1000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2010-07-02 13:35:19 +1000 |
commit | 6018a36864643ad0e5ff1f7205a7187b961c2c57 (patch) | |
tree | d40d615290070f2c1a9cdae4dae894ac41394e24 | |
parent | 44b25040110a224a79ff371ee548be9a10ba8bfa (diff) |
- djm@cvs.openbsd.org 2010/06/29 23:16:46
[auth2-pubkey.c sshd_config.5]
allow key options (command="..." and friends) in AuthorizedPrincipals;
ok markus@
-rw-r--r-- | ChangeLog | 4 | ||||
-rw-r--r-- | auth2-pubkey.c | 34 | ||||
-rw-r--r-- | sshd_config.5 | 15 |
3 files changed, 43 insertions, 10 deletions
@@ -10,6 +10,10 @@ | |||
10 | [ssh-keygen.1 ssh-keygen.c] | 10 | [ssh-keygen.1 ssh-keygen.c] |
11 | allow import (-i) and export (-e) of PEM and PKCS#8 encoded keys; | 11 | allow import (-i) and export (-e) of PEM and PKCS#8 encoded keys; |
12 | bz#1749; ok markus@ | 12 | bz#1749; ok markus@ |
13 | - djm@cvs.openbsd.org 2010/06/29 23:16:46 | ||
14 | [auth2-pubkey.c sshd_config.5] | ||
15 | allow key options (command="..." and friends) in AuthorizedPrincipals; | ||
16 | ok markus@ | ||
13 | 17 | ||
14 | 20100627 | 18 | 20100627 |
15 | - (tim) [openbsd-compat/port-uw.c] Reorder includes. auth-options.h now needs | 19 | - (tim) [openbsd-compat/port-uw.c] Reorder includes. auth-options.h now needs |
diff --git a/auth2-pubkey.c b/auth2-pubkey.c index faab0e771..35cf79c9f 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: auth2-pubkey.c,v 1.25 2010/05/20 11:25:26 djm Exp $ */ | 1 | /* $OpenBSD: auth2-pubkey.c,v 1.26 2010/06/29 23:16:46 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. |
4 | * | 4 | * |
@@ -198,10 +198,10 @@ match_principals_option(const char *principal_list, struct KeyCert *cert) | |||
198 | } | 198 | } |
199 | 199 | ||
200 | static int | 200 | static int |
201 | match_principals_file(const char *file, struct passwd *pw, struct KeyCert *cert) | 201 | match_principals_file(char *file, struct passwd *pw, struct KeyCert *cert) |
202 | { | 202 | { |
203 | FILE *f; | 203 | FILE *f; |
204 | char line[SSH_MAX_PUBKEY_BYTES], *cp; | 204 | char line[SSH_MAX_PUBKEY_BYTES], *cp, *ep, *line_opts; |
205 | u_long linenum = 0; | 205 | u_long linenum = 0; |
206 | u_int i; | 206 | u_int i; |
207 | 207 | ||
@@ -212,17 +212,37 @@ match_principals_file(const char *file, struct passwd *pw, struct KeyCert *cert) | |||
212 | return 0; | 212 | return 0; |
213 | } | 213 | } |
214 | while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { | 214 | while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { |
215 | /* Skip leading whitespace, empty and comment lines. */ | 215 | /* Skip leading whitespace. */ |
216 | for (cp = line; *cp == ' ' || *cp == '\t'; cp++) | 216 | for (cp = line; *cp == ' ' || *cp == '\t'; cp++) |
217 | ; | 217 | ; |
218 | if (!*cp || *cp == '\n' || *cp == '#') | 218 | /* Skip blank and comment lines. */ |
219 | if ((ep = strchr(cp, '#')) != NULL) | ||
220 | *ep = '\0'; | ||
221 | if (!*cp || *cp == '\n') | ||
219 | continue; | 222 | continue; |
220 | line[strcspn(line, "\n")] = '\0'; | 223 | /* Trim trailing whitespace. */ |
221 | 224 | ep = cp + strlen(cp) - 1; | |
225 | while (ep > cp && (*ep == '\n' || *ep == ' ' || *ep == '\t')) | ||
226 | *ep-- = '\0'; | ||
227 | /* | ||
228 | * If the line has internal whitespace then assume it has | ||
229 | * key options. | ||
230 | */ | ||
231 | line_opts = NULL; | ||
232 | if ((ep = strrchr(cp, ' ')) != NULL || | ||
233 | (ep = strrchr(cp, '\t')) != NULL) { | ||
234 | for (; *ep == ' ' || *ep == '\t'; ep++) | ||
235 | ;; | ||
236 | line_opts = cp; | ||
237 | cp = ep; | ||
238 | } | ||
222 | for (i = 0; i < cert->nprincipals; i++) { | 239 | for (i = 0; i < cert->nprincipals; i++) { |
223 | if (strcmp(cp, cert->principals[i]) == 0) { | 240 | if (strcmp(cp, cert->principals[i]) == 0) { |
224 | debug3("matched principal from file \"%.100s\"", | 241 | debug3("matched principal from file \"%.100s\"", |
225 | cert->principals[i]); | 242 | cert->principals[i]); |
243 | if (auth_parse_options(pw, line_opts, | ||
244 | file, linenum) != 1) | ||
245 | continue; | ||
226 | fclose(f); | 246 | fclose(f); |
227 | restore_uid(); | 247 | restore_uid(); |
228 | return 1; | 248 | return 1; |
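Review bot: Splitting the line at its last whitespace (`strrchr(cp, ' ')`, then `strrchr(cp, '\t')`) mis-parses any option whose quoted value contains a space, e.g. `command="ls -l" alice`: line_opts becomes `command="ls` and the principal `-l" alice`, so the line can never match. Scanning forward over the options token while honouring double quotes (and `\"` escapes, as authorized_keys does) avoids this; the rewrite below assumes auth_parse_options itself stops at the first unquoted whitespace, which should be confirmed against auth-options.c. The `strchr(cp, '#')` comment stripping has the same weakness, since a `#` inside a quoted value now truncates the line where the old code only skipped lines beginning with `#`; `if (*cp == '#') continue;` keeps the old rule. The stray empty statement `;;` after the whitespace-skipping loop should be a single `;`. match_principals_file's body continues past the end of this hunk.
```c
		/*
		 * If the line has internal whitespace then assume it has
		 * key options.  Walk forward over the options token, skipping
		 * the contents of double-quoted values, so that whitespace
		 * inside e.g. command="ls -l" is not taken as the separator.
		 */
		line_opts = NULL;
		for (ep = cp; *ep != '\0' && *ep != ' ' && *ep != '\t'; ep++) {
			if (*ep != '"')
				continue;
			for (ep++; *ep != '\0' && *ep != '"'; ep++) {
				if (*ep == '\\' && ep[1] == '"')
					ep++;	/* escaped quote */
			}
			if (*ep == '\0')
				break;	/* unterminated quote: treat rest as one token */
		}
		if (*ep == ' ' || *ep == '\t') {
			for (; *ep == ' ' || *ep == '\t'; ep++)
				;
			line_opts = cp;
			cp = ep;
		}
		/* … unchanged: principal comparison loop … */
```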
diff --git a/sshd_config.5 b/sshd_config.5 index acaf809db..4d066eb8a 100644 --- a/sshd_config.5 +++ b/sshd_config.5 | |||
@@ -34,8 +34,8 @@ | |||
34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
36 | .\" | 36 | .\" |
37 | .\" $OpenBSD: sshd_config.5,v 1.123 2010/06/22 04:22:59 djm Exp $ | 37 | .\" $OpenBSD: sshd_config.5,v 1.124 2010/06/29 23:16:46 djm Exp $ |
38 | .Dd $Mdocdate: June 22 2010 $ | 38 | .Dd $Mdocdate: June 29 2010 $ |
39 | .Dt SSHD_CONFIG 5 | 39 | .Dt SSHD_CONFIG 5 |
40 | .Os | 40 | .Os |
41 | .Sh NAME | 41 | .Sh NAME |
@@ -155,6 +155,10 @@ for more information on patterns. | |||
155 | .It Cm AuthorizedKeysFile | 155 | .It Cm AuthorizedKeysFile |
156 | Specifies the file that contains the public keys that can be used | 156 | Specifies the file that contains the public keys that can be used |
157 | for user authentication. | 157 | for user authentication. |
158 | The format is described in the | ||
159 | .Sx AUTHORIZED_KEYS FILE FORMAT | ||
160 | section of | ||
161 | .Xr sshd 8 . | ||
158 | .Cm AuthorizedKeysFile | 162 | .Cm AuthorizedKeysFile |
159 | may contain tokens of the form %T which are substituted during connection | 163 | may contain tokens of the form %T which are substituted during connection |
160 | setup. | 164 | setup. |
@@ -174,7 +178,12 @@ When using certificates signed by a key listed in | |||
174 | .Cm TrustedUserCAKeys , | 178 | .Cm TrustedUserCAKeys , |
175 | this file lists names, one of which must appear in the certificate for it | 179 | this file lists names, one of which must appear in the certificate for it |
176 | to be accepted for authentication. | 180 | to be accepted for authentication. |
177 | Names are listed one per line; empty lines and comments starting with | 181 | Names are listed one per line preceeded by key options (as described |
182 | in | ||
183 | .Sx AUTHORIZED_KEYS FILE FORMAT | ||
184 | in | ||
185 | .Xr sshd 8 ). | ||
186 | Empty lines and comments starting with | ||
178 | .Ql # | 187 | .Ql # |
179 | are ignored. | 188 | are ignored. |
180 | .Pp | 189 | .Pp |