diff options
| author | Ben Lindstrom <mouring@eviladmin.org> | 2001-06-05 20:25:05 +0000 |
|---|---|---|
| committer | Ben Lindstrom <mouring@eviladmin.org> | 2001-06-05 20:25:05 +0000 |
| commit | bfb3a0e973214fabc1be744b8c7e4a89a0c5570c (patch) | |
| tree | 8227151356ee10ae6762c42442f272b0db418973 /auth-rsa.c | |
| parent | e2595448766a4149bbd2652830d1b086a066af13 (diff) | |
- markus@cvs.openbsd.org 2001/05/20 17:20:36
[auth-rsa.c auth.c auth.h auth2.c servconf.c servconf.h sshd.8
sshd_config]
configurable authorized_keys{,2} location; originally from peter@;
ok djm@
Diffstat (limited to 'auth-rsa.c')
| -rw-r--r-- | auth-rsa.c | 54 |
1 files changed, 15 insertions, 39 deletions
diff --git a/auth-rsa.c b/auth-rsa.c index 59bee18bd..491ed81d6 100644 --- a/auth-rsa.c +++ b/auth-rsa.c | |||
| @@ -14,7 +14,7 @@ | |||
| 14 | */ | 14 | */ |
| 15 | 15 | ||
| 16 | #include "includes.h" | 16 | #include "includes.h" |
| 17 | RCSID("$OpenBSD: auth-rsa.c,v 1.40 2001/04/06 21:00:07 markus Exp $"); | 17 | RCSID("$OpenBSD: auth-rsa.c,v 1.41 2001/05/20 17:20:35 markus Exp $"); |
| 18 | 18 | ||
| 19 | #include <openssl/rsa.h> | 19 | #include <openssl/rsa.h> |
| 20 | #include <openssl/md5.h> | 20 | #include <openssl/md5.h> |
| @@ -122,7 +122,7 @@ auth_rsa_challenge_dialog(RSA *pk) | |||
| 122 | int | 122 | int |
| 123 | auth_rsa(struct passwd *pw, BIGNUM *client_n) | 123 | auth_rsa(struct passwd *pw, BIGNUM *client_n) |
| 124 | { | 124 | { |
| 125 | char line[8192], file[MAXPATHLEN]; | 125 | char line[8192], *file; |
| 126 | int authenticated; | 126 | int authenticated; |
| 127 | u_int bits; | 127 | u_int bits; |
| 128 | FILE *f; | 128 | FILE *f; |
| @@ -138,13 +138,14 @@ auth_rsa(struct passwd *pw, BIGNUM *client_n) | |||
| 138 | temporarily_use_uid(pw); | 138 | temporarily_use_uid(pw); |
| 139 | 139 | ||
| 140 | /* The authorized keys. */ | 140 | /* The authorized keys. */ |
| 141 | snprintf(file, sizeof file, "%.500s/%.100s", pw->pw_dir, | 141 | file = authorized_keys_file(pw); |
| 142 | _PATH_SSH_USER_PERMITTED_KEYS); | 142 | debug("trying public RSA key file %s", file); |
| 143 | 143 | ||
| 144 | /* Fail quietly if file does not exist */ | 144 | /* Fail quietly if file does not exist */ |
| 145 | if (stat(file, &st) < 0) { | 145 | if (stat(file, &st) < 0) { |
| 146 | /* Restore the privileged uid. */ | 146 | /* Restore the privileged uid. */ |
| 147 | restore_uid(); | 147 | restore_uid(); |
| 148 | xfree(file); | ||
| 148 | return 0; | 149 | return 0; |
| 149 | } | 150 | } |
| 150 | /* Open the file containing the authorized keys. */ | 151 | /* Open the file containing the authorized keys. */ |
| @@ -154,43 +155,17 @@ auth_rsa(struct passwd *pw, BIGNUM *client_n) | |||
| 154 | restore_uid(); | 155 | restore_uid(); |
| 155 | packet_send_debug("Could not open %.900s for reading.", file); | 156 | packet_send_debug("Could not open %.900s for reading.", file); |
| 156 | packet_send_debug("If your home is on an NFS volume, it may need to be world-readable."); | 157 | packet_send_debug("If your home is on an NFS volume, it may need to be world-readable."); |
| 158 | xfree(file); | ||
| 157 | return 0; | 159 | return 0; |
| 158 | } | 160 | } |
| 159 | if (options.strict_modes) { | 161 | if (options.strict_modes && |
| 160 | int fail = 0; | 162 | secure_filename(f, file, pw->pw_uid, line, sizeof(line)) != 0) { |
| 161 | char buf[1024]; | 163 | xfree(file); |
| 162 | /* Check open file in order to avoid open/stat races */ | 164 | fclose(f); |
| 163 | if (fstat(fileno(f), &st) < 0 || | 165 | log("Authentication refused: %s", line); |
| 164 | (st.st_uid != 0 && st.st_uid != pw->pw_uid) || | 166 | packet_send_debug("Authentication refused: %s", line); |
| 165 | (st.st_mode & 022) != 0) { | 167 | restore_uid(); |
| 166 | snprintf(buf, sizeof buf, "RSA authentication refused for %.100s: " | 168 | return 0; |
| 167 | "bad ownership or modes for '%s'.", pw->pw_name, file); | ||
| 168 | fail = 1; | ||
| 169 | } else { | ||
| 170 | /* Check path to _PATH_SSH_USER_PERMITTED_KEYS */ | ||
| 171 | int i; | ||
| 172 | static const char *check[] = { | ||
| 173 | "", _PATH_SSH_USER_DIR, NULL | ||
| 174 | }; | ||
| 175 | for (i = 0; check[i]; i++) { | ||
| 176 | snprintf(line, sizeof line, "%.500s/%.100s", pw->pw_dir, check[i]); | ||
| 177 | if (stat(line, &st) < 0 || | ||
| 178 | (st.st_uid != 0 && st.st_uid != pw->pw_uid) || | ||
| 179 | (st.st_mode & 022) != 0) { | ||
| 180 | snprintf(buf, sizeof buf, "RSA authentication refused for %.100s: " | ||
| 181 | "bad ownership or modes for '%s'.", pw->pw_name, line); | ||
| 182 | fail = 1; | ||
| 183 | break; | ||
| 184 | } | ||
| 185 | } | ||
| 186 | } | ||
| 187 | if (fail) { | ||
| 188 | fclose(f); | ||
| 189 | log("%s", buf); | ||
| 190 | packet_send_debug("%s", buf); | ||
| 191 | restore_uid(); | ||
| 192 | return 0; | ||
| 193 | } | ||
| 194 | } | 169 | } |
| 195 | /* Flag indicating whether authentication has succeeded. */ | 170 | /* Flag indicating whether authentication has succeeded. */ |
| 196 | authenticated = 0; | 171 | authenticated = 0; |
| @@ -285,6 +260,7 @@ auth_rsa(struct passwd *pw, BIGNUM *client_n) | |||
| 285 | restore_uid(); | 260 | restore_uid(); |
| 286 | 261 | ||
| 287 | /* Close the file. */ | 262 | /* Close the file. */ |
| 263 | xfree(file); | ||
| 288 | fclose(f); | 264 | fclose(f); |
| 289 | 265 | ||
| 290 | RSA_free(pk); | 266 | RSA_free(pk); |