author | Colin Watson <cjwatson@debian.org> | 2011-09-06 14:56:29 +0100 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2011-09-06 14:56:29 +0100 |
commit | 978e62d6f14c60747bddef2cc72d66a9c8b83b54 (patch) | |
tree | 89400a44e42d84937deba7864e4964d6c7734da5 /auth-rsa.c | |
parent | 87c685b8c6a49814fd782288097b3093f975aa72 (diff) | |
parent | 3a7e89697ca363de0f64e0d5704c57219294e41c (diff) |
* New upstream release (http://www.openssh.org/txt/release-5.9).
- Introduce sandboxing of the pre-auth privsep child using an optional
sshd_config(5) "UsePrivilegeSeparation=sandbox" mode that enables
mandatory restrictions on the syscalls the privsep child can perform.
- Add new SHA256-based HMAC transport integrity modes from
http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-02.txt.
- The pre-authentication sshd(8) privilege separation slave process now
logs via a socket shared with the master process, avoiding the need to
maintain /dev/log inside the chroot (closes: #75043, #429243,
#599240).
- ssh(1) now warns when a server refuses X11 forwarding (closes:
#504757).
- sshd_config(5)'s AuthorizedKeysFile now accepts multiple paths,
separated by whitespace (closes: #76312). The authorized_keys2
fallback is deprecated but documented (closes: #560156).
- ssh(1) and sshd(8): set IPv6 traffic class from IPQoS, as well as IPv4
ToS/DSCP (closes: #498297).
- ssh-add(1) now accepts keys piped from standard input. E.g. "ssh-add
- < /path/to/key" (closes: #229124).
- Clean up lost-passphrase text in ssh-keygen(1) (closes: #444691).
- Say "required" rather than "recommended" in unprotected-private-key
warning (LP: #663455).
Diffstat (limited to 'auth-rsa.c')
-rw-r--r-- | auth-rsa.c | 70 |
1 files changed, 39 insertions, 31 deletions
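diff --git a/auth-rsa.c b/auth-rsa.c
index ec32c803f..99c4e882d 100644
--- a/auth-rsa.c
+++ b/auth-rsa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth-rsa.c,v 1.79 2010/12/03 23:55:27 djm Exp $ */
+/* $OpenBSD: auth-rsa.c,v 1.80 2011/05/23 03:30:07 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -160,38 +160,20 @@ auth_rsa_challenge_dialog(Key *key)
 return (success);
 }
 
-/*
-* check if there's user key matching client_n,
-* return key if login is allowed, NULL otherwise
-*/
-
-int
-auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey)
+static int
+rsa_key_allowed_in_file(struct passwd *pw, char *file,
+const BIGNUM *client_n, Key **rkey)
 {
-char line[SSH_MAX_PUBKEY_BYTES], *file;
+char line[SSH_MAX_PUBKEY_BYTES];
 int allowed = 0;
 u_int bits;
 FILE *f;
 u_long linenum = 0;
 Key *key;
 
-/* Temporarily use the user's uid. */
-temporarily_use_uid(pw);
-
-/* The authorized keys. */
-file = authorized_keys_file(pw);
 debug("trying public RSA key file %s", file);
-f = auth_openkeyfile(file, pw, options.strict_modes);
-if (!f) {
-xfree(file);
-restore_uid();
-return (0);
-}
-
-/* Flag indicating whether the key is allowed. */
-allowed = 0;
-
-key = key_new(KEY_RSA1);
+if ((f = auth_openkeyfile(file, pw, options.strict_modes)) == NULL)
+return 0;
 
 auth_start_parse_options();
 
@@ -200,6 +182,7 @@ auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey)
 * found, perform a challenge-response dialog to verify that the
 * user really has the corresponding private key.
 */
+key = key_new(KEY_RSA1);
 while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
 char *cp;
 char *key_options;
@@ -237,7 +220,10 @@ auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey)
 }
 /* cp now points to the comment part. */
 
-/* Check if the we have found the desired key (identified by its modulus). */
+/*
+* Check if the we have found the desired key (identified
+* by its modulus).
+*/
 if (BN_cmp(key->rsa->n, client_n) != 0)
 continue;
 
@@ -266,11 +252,7 @@ auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey)
 break;
 }
 
-/* Restore the privileged uid. */
-restore_uid();
-
 /* Close the file. */
-xfree(file);
 fclose(f);
 
 /* return key if allowed */
@@ -278,7 +260,33 @@ auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey)
 *rkey = key;
 else
 key_free(key);
-return (allowed);
+
+return allowed;
+}
+
+/*
+* check if there's user key matching client_n,
+* return key if login is allowed, NULL otherwise
+*/
+
+int
+auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey)
+{
+char *file;
+u_int i, allowed = 0;
+
+temporarily_use_uid(pw);
+
+for (i = 0; !allowed && i < options.num_authkeys_files; i++) {
+file = expand_authorized_keys(
+options.authorized_keys_files[i], pw);
+allowed = rsa_key_allowed_in_file(pw, file, client_n, rkey);
+xfree(file);
+}
+
+restore_uid();
+
+return allowed;
 }
 
 /*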
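Review bot: The loop in auth_rsa_key_allowed stops only at the first file that grants access, so a refusal in one file (the helper's `return 0` when auth_openkeyfile() fails, or a file in which no line ends up allowed) falls through to the next configured path, and nothing in the new code states that precedence. I would add a comment above the `for`, for example `/* Files are tried in order; the first one that allows the key wins, and a rejection in an earlier file does not stop the search. */`. The new static rsa_key_allowed_in_file also has no header comment: it should say that the caller must already have called temporarily_use_uid(pw) because the file is opened inside the helper, that `file` remains owned by the caller, and that *rkey is written only when the key is allowed. Separately, `allowed` is declared `u_int` in the wrapper while the helper and the wrapper both return `int`; `int allowed = 0;` on its own line would match the helper. The helper's body is only partly visible between the hunks, so the statement about *rkey rests on the lines shown at the end of the function.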