author | Ben Lindstrom <mouring@eviladmin.org> | 2001-06-05 20:25:05 +0000 |
---|---|---|
committer | Ben Lindstrom <mouring@eviladmin.org> | 2001-06-05 20:25:05 +0000 |
commit | bfb3a0e973214fabc1be744b8c7e4a89a0c5570c (patch) | |
tree | 8227151356ee10ae6762c42442f272b0db418973 /auth-rsa.c | |
parent | e2595448766a4149bbd2652830d1b086a066af13 (diff) |
- markus@cvs.openbsd.org 2001/05/20 17:20:36
[auth-rsa.c auth.c auth.h auth2.c servconf.c servconf.h sshd.8
sshd_config]
configurable authorized_keys{,2} location; originally from peter@;
ok djm@
Diffstat (limited to 'auth-rsa.c')
-rw-r--r-- | auth-rsa.c | 54 |
1 files changed, 15 insertions, 39 deletions
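--- a/auth-rsa.c
+++ b/auth-rsa.c
@@ -14,7 +14,7 @@
 */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth-rsa.c,v 1.40 2001/04/06 21:00:07 markus Exp $");
+RCSID("$OpenBSD: auth-rsa.c,v 1.41 2001/05/20 17:20:35 markus Exp $");
 
 #include <openssl/rsa.h>
 #include <openssl/md5.h>
@@ -122,7 +122,7 @@ auth_rsa_challenge_dialog(RSA *pk)
 int
 auth_rsa(struct passwd *pw, BIGNUM *client_n)
 {
-char line[8192], file[MAXPATHLEN];
+char line[8192], *file;
 int authenticated;
 u_int bits;
 FILE *f;
@@ -138,13 +138,14 @@ auth_rsa(struct passwd *pw, BIGNUM *client_n)
 temporarily_use_uid(pw);
 
 /* The authorized keys. */
-snprintf(file, sizeof file, "%.500s/%.100s", pw->pw_dir,
-_PATH_SSH_USER_PERMITTED_KEYS);
+file = authorized_keys_file(pw);
+debug("trying public RSA key file %s", file);
 
 /* Fail quietly if file does not exist */
 if (stat(file, &st) < 0) {
 /* Restore the privileged uid. */
 restore_uid();
+xfree(file);
 return 0;
 }
 /* Open the file containing the authorized keys. */
@@ -154,43 +155,17 @@ auth_rsa(struct passwd *pw, BIGNUM *client_n)
 restore_uid();
 packet_send_debug("Could not open %.900s for reading.", file);
 packet_send_debug("If your home is on an NFS volume, it may need to be world-readable.");
+xfree(file);
 return 0;
 }
-if (options.strict_modes) {
-int fail = 0;
-char buf[1024];
-/* Check open file in order to avoid open/stat races */
-if (fstat(fileno(f), &st) < 0 ||
-(st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
-(st.st_mode & 022) != 0) {
-snprintf(buf, sizeof buf, "RSA authentication refused for %.100s: "
-"bad ownership or modes for '%s'.", pw->pw_name, file);
-fail = 1;
-} else {
-/* Check path to _PATH_SSH_USER_PERMITTED_KEYS */
-int i;
-static const char *check[] = {
-"", _PATH_SSH_USER_DIR, NULL
-};
-for (i = 0; check[i]; i++) {
-snprintf(line, sizeof line, "%.500s/%.100s", pw->pw_dir, check[i]);
-if (stat(line, &st) < 0 ||
-(st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
-(st.st_mode & 022) != 0) {
-snprintf(buf, sizeof buf, "RSA authentication refused for %.100s: "
-"bad ownership or modes for '%s'.", pw->pw_name, line);
-fail = 1;
-break;
-}
-}
-}
-if (fail) {
-fclose(f);
-log("%s", buf);
-packet_send_debug("%s", buf);
-restore_uid();
-return 0;
-}
+if (options.strict_modes &&
+secure_filename(f, file, pw->pw_uid, line, sizeof(line)) != 0) {
+xfree(file);
+fclose(f);
+log("Authentication refused: %s", line);
+packet_send_debug("Authentication refused: %s", line);
+restore_uid();
+return 0;
 }
 /* Flag indicating whether authentication has succeeded. */
 authenticated = 0;
@@ -285,6 +260,7 @@ auth_rsa(struct passwd *pw, BIGNUM *client_n)
 restore_uid();
 
 /* Close the file. */
+xfree(file);
 fclose(f);
 
 RSA_free(pk);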
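Review bot: The refusal path added under `options.strict_modes` logs `"Authentication refused: %s"` with only the text that `secure_filename()` wrote into `line`, whereas the removed code named the account (`RSA authentication refused for %.100s` with `pw->pw_name`); unless the helper's message carries the user name, which this diff does not show, the server log no longer says whose key file was rejected. I would keep the account in the log line, `log("Authentication refused for %.100s: %s", pw->pw_name, line);`, and leave the client-facing `packet_send_debug()` text as it is. The call also deserves a comment stating what the caller now relies on, e.g. `/* secure_filename() must check the open descriptor and each directory on the path, which may now be outside pw->pw_dir */`, since the inline `fstat()` and the home/`_PATH_SSH_USER_DIR` checks were removed here. `auth_rsa()` continues between this hunk and the final one, so whether every other return path also calls `xfree(file)` cannot be confirmed from these lines.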