summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorBen Lindstrom <mouring@eviladmin.org>2001-06-25 04:17:12 +0000
committerBen Lindstrom <mouring@eviladmin.org>2001-06-25 04:17:12 +0000
commitf96704d4ef4c55599d9999292abc1457e8153674 (patch)
tree3e3e8a85ae03df6a26b425b607496bac0949e8c0
parentae1c51c208917198fd96f0aca209459f37001ea4 (diff)
- markus@cvs.openbsd.org 2001/06/22 21:55:49
[auth2.c auth-rsa.c pathnames.h ssh.1 sshd.8 sshd_config ssh-keygen.1] merge authorized_keys2 into authorized_keys. authorized_keys2 is used for backward compat. (just append authorized_keys2 to authorized_keys).
-rw-r--r--ChangeLog8
-rw-r--r--auth-rsa.c6
-rw-r--r--auth2.c32
-rw-r--r--pathnames.h4
-rw-r--r--ssh-keygen.16
-rw-r--r--ssh.116
-rw-r--r--sshd.841
-rw-r--r--sshd_config3
8 files changed, 49 insertions, 67 deletions
diff --git a/ChangeLog b/ChangeLog
index 6ad84bfa1..2c964d94e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -19,6 +19,12 @@
19 - provos@cvs.openbsd.org 2001/06/22 21:28:53 19 - provos@cvs.openbsd.org 2001/06/22 21:28:53
20 [sshd.8] 20 [sshd.8]
21 document /etc/moduli 21 document /etc/moduli
22 - markus@cvs.openbsd.org 2001/06/22 21:55:49
23 [auth2.c auth-rsa.c pathnames.h ssh.1 sshd.8 sshd_config
24 ssh-keygen.1]
25 merge authorized_keys2 into authorized_keys.
26 authorized_keys2 is used for backward compat.
27 (just append authorized_keys2 to authorized_keys).
22 28
2320010622 2920010622
24 - (stevesk) handle systems without pw_expire and pw_change. 30 - (stevesk) handle systems without pw_expire and pw_change.
@@ -5703,4 +5709,4 @@
5703 - Wrote replacements for strlcpy and mkdtemp 5709 - Wrote replacements for strlcpy and mkdtemp
5704 - Released 1.0pre1 5710 - Released 1.0pre1
5705 5711
5706$Id: ChangeLog,v 1.1301 2001/06/25 04:14:59 mouring Exp $ 5712$Id: ChangeLog,v 1.1302 2001/06/25 04:17:12 mouring Exp $
diff --git a/auth-rsa.c b/auth-rsa.c
index 491ed81d6..899daae3b 100644
--- a/auth-rsa.c
+++ b/auth-rsa.c
@@ -14,7 +14,7 @@
14 */ 14 */
15 15
16#include "includes.h" 16#include "includes.h"
17RCSID("$OpenBSD: auth-rsa.c,v 1.41 2001/05/20 17:20:35 markus Exp $"); 17RCSID("$OpenBSD: auth-rsa.c,v 1.42 2001/06/22 21:55:48 markus Exp $");
18 18
19#include <openssl/rsa.h> 19#include <openssl/rsa.h>
20#include <openssl/md5.h> 20#include <openssl/md5.h>
@@ -211,9 +211,7 @@ auth_rsa(struct passwd *pw, BIGNUM *client_n)
211 211
212 /* Parse the key from the line. */ 212 /* Parse the key from the line. */
213 if (!auth_rsa_read_key(&cp, &bits, pk->e, pk->n)) { 213 if (!auth_rsa_read_key(&cp, &bits, pk->e, pk->n)) {
214 debug("%.100s, line %lu: bad key syntax", 214 debug("%.100s, line %lu: non ssh1 key syntax",
215 file, linenum);
216 packet_send_debug("%.100s, line %lu: bad key syntax",
217 file, linenum); 215 file, linenum);
218 continue; 216 continue;
219 } 217 }
diff --git a/auth2.c b/auth2.c
index 554ca4c10..1d635d60c 100644
--- a/auth2.c
+++ b/auth2.c
@@ -23,7 +23,7 @@
23 */ 23 */
24 24
25#include "includes.h" 25#include "includes.h"
26RCSID("$OpenBSD: auth2.c,v 1.62 2001/06/07 19:57:53 markus Exp $"); 26RCSID("$OpenBSD: auth2.c,v 1.63 2001/06/22 21:55:49 markus Exp $");
27 27
28#include <openssl/evp.h> 28#include <openssl/evp.h>
29 29
@@ -650,9 +650,9 @@ authmethod_lookup(const char *name)
650 650
651/* return 1 if user allows given key */ 651/* return 1 if user allows given key */
652int 652int
653user_key_allowed(struct passwd *pw, Key *key) 653user_key_allowed2(struct passwd *pw, Key *key, char *file)
654{ 654{
655 char line[8192], *file; 655 char line[8192];
656 int found_key = 0; 656 int found_key = 0;
657 FILE *f; 657 FILE *f;
658 u_long linenum = 0; 658 u_long linenum = 0;
@@ -665,15 +665,12 @@ user_key_allowed(struct passwd *pw, Key *key)
665 /* Temporarily use the user's uid. */ 665 /* Temporarily use the user's uid. */
666 temporarily_use_uid(pw); 666 temporarily_use_uid(pw);
667 667
668 /* The authorized keys. */
669 file = authorized_keys_file2(pw);
670 debug("trying public key file %s", file); 668 debug("trying public key file %s", file);
671 669
672 /* Fail quietly if file does not exist */ 670 /* Fail quietly if file does not exist */
673 if (stat(file, &st) < 0) { 671 if (stat(file, &st) < 0) {
674 /* Restore the privileged uid. */ 672 /* Restore the privileged uid. */
675 restore_uid(); 673 restore_uid();
676 xfree(file);
677 return 0; 674 return 0;
678 } 675 }
679 /* Open the file containing the authorized keys. */ 676 /* Open the file containing the authorized keys. */
@@ -681,12 +678,10 @@ user_key_allowed(struct passwd *pw, Key *key)
681 if (!f) { 678 if (!f) {
682 /* Restore the privileged uid. */ 679 /* Restore the privileged uid. */
683 restore_uid(); 680 restore_uid();
684 xfree(file);
685 return 0; 681 return 0;
686 } 682 }
687 if (options.strict_modes && 683 if (options.strict_modes &&
688 secure_filename(f, file, pw->pw_uid, line, sizeof(line)) != 0) { 684 secure_filename(f, file, pw->pw_uid, line, sizeof(line)) != 0) {
689 xfree(file);
690 fclose(f); 685 fclose(f);
691 log("Authentication refused: %s", line); 686 log("Authentication refused: %s", line);
692 restore_uid(); 687 restore_uid();
@@ -735,13 +730,32 @@ user_key_allowed(struct passwd *pw, Key *key)
735 } 730 }
736 restore_uid(); 731 restore_uid();
737 fclose(f); 732 fclose(f);
738 xfree(file);
739 key_free(found); 733 key_free(found);
740 if (!found_key) 734 if (!found_key)
741 debug2("key not found"); 735 debug2("key not found");
742 return found_key; 736 return found_key;
743} 737}
744 738
739/* check whether given key is in .ssh/authorized_keys* */
740int
741user_key_allowed(struct passwd *pw, Key *key)
742{
743 int success;
744 char *file;
745
746 file = authorized_keys_file(pw);
747 success = user_key_allowed2(pw, key, file);
748 xfree(file);
749 if (success)
750 return success;
751
752 /* try suffix "2" for backward compat, too */
753 file = authorized_keys_file2(pw);
754 success = user_key_allowed2(pw, key, file);
755 xfree(file);
756 return success;
757}
758
745/* return 1 if given hostkey is allowed */ 759/* return 1 if given hostkey is allowed */
746int 760int
747hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost, 761hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
diff --git a/pathnames.h b/pathnames.h
index 991fc734a..014f62b3e 100644
--- a/pathnames.h
+++ b/pathnames.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: pathnames.h,v 1.7 2001/06/22 21:27:08 provos Exp $ */ 1/* $OpenBSD: pathnames.h,v 1.8 2001/06/22 21:55:49 markus Exp $ */
2 2
3/* 3/*
4 * Author: Tatu Ylonen <ylo@cs.hut.fi> 4 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -89,6 +89,8 @@
89 * running as root.) 89 * running as root.)
90 */ 90 */
91#define _PATH_SSH_USER_PERMITTED_KEYS ".ssh/authorized_keys" 91#define _PATH_SSH_USER_PERMITTED_KEYS ".ssh/authorized_keys"
92
93/* backward compat for protocol v2 */
92#define _PATH_SSH_USER_PERMITTED_KEYS2 ".ssh/authorized_keys2" 94#define _PATH_SSH_USER_PERMITTED_KEYS2 ".ssh/authorized_keys2"
93 95
94/* 96/*
diff --git a/ssh-keygen.1 b/ssh-keygen.1
index fec659955..0f04af55b 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
1.\" $OpenBSD: ssh-keygen.1,v 1.42 2001/06/03 19:36:44 markus Exp $ 1.\" $OpenBSD: ssh-keygen.1,v 1.43 2001/06/22 21:55:49 markus Exp $
2.\" 2.\"
3.\" -*- nroff -*- 3.\" -*- nroff -*-
4.\" 4.\"
@@ -233,7 +233,7 @@ will read this file when a login attempt is made.
233.It Pa $HOME/.ssh/id_dsa.pub 233.It Pa $HOME/.ssh/id_dsa.pub
234Contains the protocol version 2 DSA public key for authentication. 234Contains the protocol version 2 DSA public key for authentication.
235The contents of this file should be added to 235The contents of this file should be added to
236.Pa $HOME/.ssh/authorized_keys2 236.Pa $HOME/.ssh/authorized_keys
237on all machines 237on all machines
238where you wish to log in using public key authentication. 238where you wish to log in using public key authentication.
239There is no need to keep the contents of this file secret. 239There is no need to keep the contents of this file secret.
@@ -251,7 +251,7 @@ will read this file when a login attempt is made.
251.It Pa $HOME/.ssh/id_rsa.pub 251.It Pa $HOME/.ssh/id_rsa.pub
252Contains the protocol version 2 RSA public key for authentication. 252Contains the protocol version 2 RSA public key for authentication.
253The contents of this file should be added to 253The contents of this file should be added to
254.Pa $HOME/.ssh/authorized_keys2 254.Pa $HOME/.ssh/authorized_keys
255on all machines 255on all machines
256where you wish to log in using public key authentication. 256where you wish to log in using public key authentication.
257There is no need to keep the contents of this file secret. 257There is no need to keep the contents of this file secret.
diff --git a/ssh.1 b/ssh.1
index ed17bc181..99371f5ce 100644
--- a/ssh.1
+++ b/ssh.1
@@ -34,7 +34,7 @@
34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36.\" 36.\"
37.\" $OpenBSD: ssh.1,v 1.114 2001/06/22 10:17:51 mpech Exp $ 37.\" $OpenBSD: ssh.1,v 1.115 2001/06/22 21:55:49 markus Exp $
38.Dd September 25, 1999 38.Dd September 25, 1999
39.Dt SSH 1 39.Dt SSH 1
40.Os 40.Os
@@ -224,7 +224,7 @@ or
224.Pa $HOME/.ssh/id_rsa , 224.Pa $HOME/.ssh/id_rsa ,
225to sign the session identifier and sends the result to the server. 225to sign the session identifier and sends the result to the server.
226The server checks whether the matching public key is listed in 226The server checks whether the matching public key is listed in
227.Pa $HOME/.ssh/authorized_keys2 227.Pa $HOME/.ssh/authorized_keys
228and grants access if both the key is found and the signature is correct. 228and grants access if both the key is found and the signature is correct.
229The session identifier is derived from a shared Diffie-Hellman value 229The session identifier is derived from a shared Diffie-Hellman value
230and is only known to the client and the server. 230and is only known to the client and the server.
@@ -1224,7 +1224,7 @@ The contents of the
1224and 1224and
1225.Pa $HOME/.ssh/id_rsa.pub 1225.Pa $HOME/.ssh/id_rsa.pub
1226file should be added to 1226file should be added to
1227.Pa $HOME/.ssh/authorized_keys2 1227.Pa $HOME/.ssh/authorized_keys
1228on all machines 1228on all machines
1229where you wish to log in using protocol version 2 DSA/RSA authentication. 1229where you wish to log in using protocol version 2 DSA/RSA authentication.
1230These files are not 1230These files are not
@@ -1242,18 +1242,10 @@ This file does not usually contain any sensitive information,
1242but the recommended permissions are read/write for the user, and not 1242but the recommended permissions are read/write for the user, and not
1243accessible by others. 1243accessible by others.
1244.It Pa $HOME/.ssh/authorized_keys 1244.It Pa $HOME/.ssh/authorized_keys
1245Lists the RSA keys that can be used for logging in as this user. 1245Lists the public keys (RSA/DSA) that can be used for logging in as this user.
1246The format of this file is described in the 1246The format of this file is described in the
1247.Xr sshd 8 1247.Xr sshd 8
1248manual page. 1248manual page.
1249In the simplest form the format is the same as the .pub
1250identity files (that is, each line contains the number of bits in
1251modulus, public exponent, modulus, and comment fields, separated by
1252spaces).
1253This file is not highly sensitive, but the recommended
1254permissions are read/write for the user, and not accessible by others.
1255.It Pa $HOME/.ssh/authorized_keys2
1256Lists the public keys (RSA/DSA) that can be used for logging in as this user.
1257This file is not highly sensitive, but the recommended 1249This file is not highly sensitive, but the recommended
1258permissions are read/write for the user, and not accessible by others. 1250permissions are read/write for the user, and not accessible by others.
1259.It Pa /etc/ssh_known_hosts, /etc/ssh_known_hosts2 1251.It Pa /etc/ssh_known_hosts, /etc/ssh_known_hosts2
diff --git a/sshd.8 b/sshd.8
index ee3f1164f..b6ac3d40a 100644
--- a/sshd.8
+++ b/sshd.8
@@ -34,7 +34,7 @@
34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36.\" 36.\"
37.\" $OpenBSD: sshd.8,v 1.129 2001/06/22 21:28:53 provos Exp $ 37.\" $OpenBSD: sshd.8,v 1.130 2001/06/22 21:55:50 markus Exp $
38.Dd September 25, 1999 38.Dd September 25, 1999
39.Dt SSHD 8 39.Dt SSHD 8
40.Os 40.Os
@@ -345,20 +345,6 @@ is taken to be an absolute path or one relative to the user's home
345directory. 345directory.
346The default is 346The default is
347.Dq .ssh/authorized_keys 347.Dq .ssh/authorized_keys
348.It Cm AuthorizedKeysFile2
349Specifies the file that contains the public keys that can be used
350for public key authentication in protocol version 2.
351.Cm AuthorizedKeysFile2
352may contain tokens of the form %T which are substituted during connection
353set-up. The following tokens are defined; %% is replaces by a literal '%',
354%h is replaced by the home directory of the user being authenticated and
355%u is replaced by the username of that user.
356After expansion,
357.Cm AuthorizedKeysFile2
358is taken to be an absolute path or one relative to the user's home
359directory.
360The default is
361.Dq .ssh/authorized_keys2
362.It Cm Banner 348.It Cm Banner
363In some jurisdictions, sending a warning message before authentication 349In some jurisdictions, sending a warning message before authentication
364may be relevant for getting legal protection. 350may be relevant for getting legal protection.
@@ -921,16 +907,11 @@ Runs user's shell or command.
921.El 907.El
922.Sh AUTHORIZED_KEYS FILE FORMAT 908.Sh AUTHORIZED_KEYS FILE FORMAT
923.Pa $HOME/.ssh/authorized_keys 909.Pa $HOME/.ssh/authorized_keys
924is the default file that lists the RSA keys that are 910is the default file that lists the public keys that are
925permitted for RSA authentication in protocol version 1. 911permitted for RSA authentication in protocol version 1
926.Cm AuthorizedKeysFile 912and for public key authentication (PubkeyAuthentication)
927may be used to specify an alternative file.
928Similarly,
929.Pa $HOME/.ssh/authorized_keys2
930is the default file that lists the DSA and RSA keys that are
931permitted for public key authentication (PubkeyAuthentication)
932in protocol version 2. 913in protocol version 2.
933.Cm AuthorizedKeysFile2 914.Cm AuthorizedKeysFile
934may be used to specify an alternative file. 915may be used to specify an alternative file.
935.Pp 916.Pp
936Each line of the file contains one 917Each line of the file contains one
@@ -1133,17 +1114,6 @@ concurrently for different ports, this contains the pid of the one
1133started last). 1114started last).
1134The content of this file is not sensitive; it can be world-readable. 1115The content of this file is not sensitive; it can be world-readable.
1135.It Pa $HOME/.ssh/authorized_keys 1116.It Pa $HOME/.ssh/authorized_keys
1136Lists the RSA keys that can be used to log into the user's account.
1137This file must be readable by root (which may on some machines imply
1138it being world-readable if the user's home directory resides on an NFS
1139volume).
1140It is recommended that it not be accessible by others.
1141The format of this file is described above.
1142Users will place the contents of their
1143.Pa identity.pub
1144files into this file, as described in
1145.Xr ssh-keygen 1 .
1146.It Pa $HOME/.ssh/authorized_keys2
1147Lists the public keys (RSA or DSA) that can be used to log into the user's account. 1117Lists the public keys (RSA or DSA) that can be used to log into the user's account.
1148This file must be readable by root (which may on some machines imply 1118This file must be readable by root (which may on some machines imply
1149it being world-readable if the user's home directory resides on an NFS 1119it being world-readable if the user's home directory resides on an NFS
@@ -1151,6 +1121,7 @@ volume).
1151It is recommended that it not be accessible by others. 1121It is recommended that it not be accessible by others.
1152The format of this file is described above. 1122The format of this file is described above.
1153Users will place the contents of their 1123Users will place the contents of their
1124.Pa identity.pub ,
1154.Pa id_dsa.pub 1125.Pa id_dsa.pub
1155and/or 1126and/or
1156.Pa id_rsa.pub 1127.Pa id_rsa.pub
diff --git a/sshd_config b/sshd_config
index 0e469300f..9afd28083 100644
--- a/sshd_config
+++ b/sshd_config
@@ -1,4 +1,4 @@
1# $OpenBSD: sshd_config,v 1.40 2001/05/31 13:08:04 markus Exp $ 1# $OpenBSD: sshd_config,v 1.41 2001/06/22 21:55:50 markus Exp $
2 2
3# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin 3# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
4 4
@@ -34,7 +34,6 @@ StrictModes yes
34RSAAuthentication yes 34RSAAuthentication yes
35PubkeyAuthentication yes 35PubkeyAuthentication yes
36#AuthorizedKeysFile %h/.ssh/authorized_keys 36#AuthorizedKeysFile %h/.ssh/authorized_keys
37#AuthorizedKeysFile2 %h/.ssh/authorized_keys2
38 37
39# rhosts authentication should not be used 38# rhosts authentication should not be used
40RhostsAuthentication no 39RhostsAuthentication no