- djm@cvs.openbsd.org 2010/06/29 23:16:46

[auth2-pubkey.c sshd_config.5] allow key options (command="..." and friends) in AuthorizedPrincipals; ok markus@
author: Damien Miller <djm@mindrot.org> 2010-07-02 13:35:19 +1000
committer: Damien Miller <djm@mindrot.org> 2010-07-02 13:35:19 +1000
commit: 6018a36864643ad0e5ff1f7205a7187b961c2c57 (patch)
tree: d40d615290070f2c1a9cdae4dae894ac41394e24
parent: 44b25040110a224a79ff371ee548be9a10ba8bfa (diff)
3 files changed, 43 insertions, 10 deletions
diff --git a/ChangeLog b/ChangeLog
index ee40f10eb..586b23c13 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -10,6 +10,10 @@
     [ssh-keygen.1 ssh-keygen.c]
     allow import (-i) and export (-e) of PEM and PKCS#8 encoded keys;
     bz#1749; ok markus@
+   - djm@cvs.openbsd.org 2010/06/29 23:16:46
+     [auth2-pubkey.c sshd_config.5]
+     allow key options (command="..." and friends) in AuthorizedPrincipals;
+     ok markus@
 20100627
 - (tim) [openbsd-compat/port-uw.c] Reorder includes. auth-options.h now needs
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index faab0e771..35cf79c9f 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-pubkey.c,v 1.25 2010/05/20 11:25:26 djm Exp $ */
+/* $OpenBSD: auth2-pubkey.c,v 1.26 2010/06/29 23:16:46 djm Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl.  All rights reserved.
 *
@@ -198,10 +198,10 @@ match_principals_option(const char *principal_list, struct KeyCert *cert)
 }
 static int
-match_principals_file(const char *file, struct passwd *pw, struct KeyCert *cert)
+match_principals_file(char *file, struct passwd *pw, struct KeyCert *cert)
 {
        FILE *f;
-        char line[SSH_MAX_PUBKEY_BYTES], *cp;
+        char line[SSH_MAX_PUBKEY_BYTES], *cp, *ep, *line_opts;
        u_long linenum = 0;
        u_int i;
@@ -212,17 +212,37 @@ match_principals_file(const char *file, struct passwd *pw, struct KeyCert *cert)
                return 0;
        }
        while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
-                /* Skip leading whitespace, empty and comment lines. */
+                /* Skip leading whitespace. */
                for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
                        ;
-                if (!*cp || *cp == '\n' || *cp == '#')
+                /* Skip blank and comment lines. */
+                if ((ep = strchr(cp, '#')) != NULL)
+                        *ep = '\0';
+                if (!*cp || *cp == '\n')
                        continue;
-                line[strcspn(line, "\n")] = '\0';
+                /* Trim trailing whitespace. */
+                ep = cp + strlen(cp) - 1;
+                while (ep > cp && (*ep == '\n' || *ep == ' ' || *ep == '\t'))
+                        *ep-- = '\0';
+                /*
+                 * If the line has internal whitespace then assume it has
+                 * key options.
+                 */
+                line_opts = NULL;
+                if ((ep = strrchr(cp, ' ')) != NULL ||
+                    (ep = strrchr(cp, '\t')) != NULL) {
+                        for (; *ep == ' ' || *ep == '\t'; ep++)
+                                ;;
+                        line_opts = cp;
+                        cp = ep;
+                }
                for (i = 0; i < cert->nprincipals; i++) {
                        if (strcmp(cp, cert->principals[i]) == 0) {
                                debug3("matched principal from file \"%.100s\"",
                                    cert->principals[i]);
+                                if (auth_parse_options(pw, line_opts,
+                                    file, linenum) != 1)
+                                        continue;
                                fclose(f);
                                restore_uid();
                                return 1;
diff --git a/sshd_config.5 b/sshd_config.5
index acaf809db..4d066eb8a 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -34,8 +34,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.123 2010/06/22 04:22:59 djm Exp $
+.\" $OpenBSD: sshd_config.5,v 1.124 2010/06/29 23:16:46 djm Exp $
-.Dd $Mdocdate: June 22 2010 $
+.Dd $Mdocdate: June 29 2010 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -155,6 +155,10 @@ for more information on patterns.
 .It Cm AuthorizedKeysFile
 Specifies the file that contains the public keys that can be used
 for user authentication.
+The format is described in the
+.Sx AUTHORIZED_KEYS FILE FORMAT
+section of
+.Xr sshd 8 .
 .Cm AuthorizedKeysFile
 may contain tokens of the form %T which are substituted during connection
 setup.
@@ -174,7 +178,12 @@ When using certificates signed by a key listed in
 .Cm TrustedUserCAKeys ,
 this file lists names, one of which must appear in the certificate for it
 to be accepted for authentication.
-Names are listed one per line; empty lines and comments starting with
+Names are listed one per line preceeded by key options (as described
+in
+.Sx AUTHORIZED_KEYS FILE FORMAT
+in
+.Xr sshd 8 ).
+Empty lines and comments starting with
 .Ql #
 are ignored.
 .Pp
author	Damien Miller <djm@mindrot.org>	2010-07-02 13:35:19 +1000
committer	Damien Miller <djm@mindrot.org>	2010-07-02 13:35:19 +1000
commit	6018a36864643ad0e5ff1f7205a7187b961c2c57 (patch)
tree	d40d615290070f2c1a9cdae4dae894ac41394e24
parent	44b25040110a224a79ff371ee548be9a10ba8bfa (diff)

diff --git a/ChangeLog b/ChangeLog index ee40f10eb..586b23c13 100644 --- a/ChangeLog +++ b/ChangeLog
@@ -10,6 +10,10 @@
10	[ssh-keygen.1 ssh-keygen.c]	10	[ssh-keygen.1 ssh-keygen.c]
11	allow import (-i) and export (-e) of PEM and PKCS#8 encoded keys;	11	allow import (-i) and export (-e) of PEM and PKCS#8 encoded keys;
12	bz#1749; ok markus@	12	bz#1749; ok markus@
		13	- djm@cvs.openbsd.org 2010/06/29 23:16:46
		14	[auth2-pubkey.c sshd_config.5]
		15	allow key options (command="..." and friends) in AuthorizedPrincipals;
		16	ok markus@
13		17
14	20100627	18	20100627
15	- (tim) [openbsd-compat/port-uw.c] Reorder includes. auth-options.h now needs	19	- (tim) [openbsd-compat/port-uw.c] Reorder includes. auth-options.h now needs


diff --git a/auth2-pubkey.c b/auth2-pubkey.c index faab0e771..35cf79c9f 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: auth2-pubkey.c,v 1.25 2010/05/20 11:25:26 djm Exp $ */	1	/* $OpenBSD: auth2-pubkey.c,v 1.26 2010/06/29 23:16:46 djm Exp $ */
2	/*	2	/*
3	* Copyright (c) 2000 Markus Friedl. All rights reserved.	3	* Copyright (c) 2000 Markus Friedl. All rights reserved.
4	*	4	*
@@ -198,10 +198,10 @@ match_principals_option(const char principal_list, struct KeyCert cert)
198	}	198	}
199		199
200	static int	200	static int
201	match_principals_file(const char file, struct passwd pw, struct KeyCert *cert)	201	match_principals_file(char file, struct passwd pw, struct KeyCert *cert)
202	{	202	{
203	FILE *f;	203	FILE *f;
204	char line[SSH_MAX_PUBKEY_BYTES], *cp;	204	char line[SSH_MAX_PUBKEY_BYTES], cp, ep, *line_opts;
205	u_long linenum = 0;	205	u_long linenum = 0;
206	u_int i;	206	u_int i;
207		207
@@ -212,17 +212,37 @@ match_principals_file(const char file, struct passwd pw, struct KeyCert *cert)
212	return 0;	212	return 0;
213	}	213	}
214	while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {	214	while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
215	/* Skip leading whitespace, empty and comment lines. */	215	/* Skip leading whitespace. */
216	for (cp = line; cp == ' ' \|\| cp == '\t'; cp++)	216	for (cp = line; cp == ' ' \|\| cp == '\t'; cp++)
217	;	217	;
218	if (!cp \|\| cp == '\n' \|\| *cp == '#')	218	/* Skip blank and comment lines. */
		219	if ((ep = strchr(cp, '#')) != NULL)
		220	*ep = '\0';
		221	if (!cp \|\| cp == '\n')
219	continue;	222	continue;
220	line[strcspn(line, "\n")] = '\0';	223	/* Trim trailing whitespace. */
221		224	ep = cp + strlen(cp) - 1;
		225	while (ep > cp && (ep == '\n' \|\| ep == ' ' \|\| *ep == '\t'))
		226	*ep-- = '\0';
		227	/*
		228	* If the line has internal whitespace then assume it has
		229	* key options.
		230	*/
		231	line_opts = NULL;
		232	if ((ep = strrchr(cp, ' ')) != NULL \|\|
		233	(ep = strrchr(cp, '\t')) != NULL) {
		234	for (; ep == ' ' \|\| ep == '\t'; ep++)
		235	;;
		236	line_opts = cp;
		237	cp = ep;
		238	}
222	for (i = 0; i < cert->nprincipals; i++) {	239	for (i = 0; i < cert->nprincipals; i++) {
223	if (strcmp(cp, cert->principals[i]) == 0) {	240	if (strcmp(cp, cert->principals[i]) == 0) {
224	debug3("matched principal from file \"%.100s\"",	241	debug3("matched principal from file \"%.100s\"",
225	cert->principals[i]);	242	cert->principals[i]);
		243	if (auth_parse_options(pw, line_opts,
		244	file, linenum) != 1)
		245	continue;
226	fclose(f);	246	fclose(f);
227	restore_uid();	247	restore_uid();
228	return 1;	248	return 1;


diff --git a/sshd_config.5 b/sshd_config.5 index acaf809db..4d066eb8a 100644 --- a/sshd_config.5 +++ b/sshd_config.5
@@ -34,8 +34,8 @@
34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36	.\"	36	.\"
37	.\" $OpenBSD: sshd_config.5,v 1.123 2010/06/22 04:22:59 djm Exp $	37	.\" $OpenBSD: sshd_config.5,v 1.124 2010/06/29 23:16:46 djm Exp $
38	.Dd $Mdocdate: June 22 2010 $	38	.Dd $Mdocdate: June 29 2010 $
39	.Dt SSHD_CONFIG 5	39	.Dt SSHD_CONFIG 5
40	.Os	40	.Os
41	.Sh NAME	41	.Sh NAME
@@ -155,6 +155,10 @@ for more information on patterns.
155	.It Cm AuthorizedKeysFile	155	.It Cm AuthorizedKeysFile
156	Specifies the file that contains the public keys that can be used	156	Specifies the file that contains the public keys that can be used
157	for user authentication.	157	for user authentication.
		158	The format is described in the
		159	.Sx AUTHORIZED_KEYS FILE FORMAT
		160	section of
		161	.Xr sshd 8 .
158	.Cm AuthorizedKeysFile	162	.Cm AuthorizedKeysFile
159	may contain tokens of the form %T which are substituted during connection	163	may contain tokens of the form %T which are substituted during connection
160	setup.	164	setup.
@@ -174,7 +178,12 @@ When using certificates signed by a key listed in
174	.Cm TrustedUserCAKeys ,	178	.Cm TrustedUserCAKeys ,
175	this file lists names, one of which must appear in the certificate for it	179	this file lists names, one of which must appear in the certificate for it
176	to be accepted for authentication.	180	to be accepted for authentication.
177	Names are listed one per line; empty lines and comments starting with	181	Names are listed one per line preceeded by key options (as described
		182	in
		183	.Sx AUTHORIZED_KEYS FILE FORMAT
		184	in
		185	.Xr sshd 8 ).
		186	Empty lines and comments starting with
178	.Ql #	187	.Ql #
179	are ignored.	188	are ignored.
180	.Pp	189	.Pp