diff options
| author | Damien Miller <djm@mindrot.org> | 2000-06-07 19:55:44 +1000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2000-06-07 19:55:44 +1000 |
| commit | d3a185709dfb8588ae7cacc079312d1fcc450e9c (patch) | |
| tree | 8e9798d35f76171481f034720767e507e6bbd6f9 /auth-rsa.c | |
| parent | e37bfc19f7263b838896ae403e55aa703a06b69a (diff) | |
- (djm) Fix rsh path in RPMs. Report from Jason L Tibbitts III
<tibbs@math.uh.edu>
- (djm) OpenBSD CVS updates:
- todd@cvs.openbsd.org
[sshconnect2.c]
teach protocol v2 to count login failures properly and also enable an
explanation of why the password prompt comes up again like v1; this is NOT
crypto
- markus@cvs.openbsd.org
[readconf.c readconf.h servconf.c servconf.h session.c ssh.1 ssh.c sshd.8]
xauth_location support; pr 1234
[readconf.c sshconnect2.c]
typo, unused
[session.c]
allow use_login only for login sessions, otherwise remote commands are
execed with uid==0
[sshd.8]
document UseLogin better
[version.h]
OpenSSH 2.1.1
[auth-rsa.c]
fix match_hostname() logic for auth-rsa: deny access if we have a
negative match or no match at all
[channels.c hostfile.c match.c]
don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via
kris@FreeBSD.org
Diffstat (limited to 'auth-rsa.c')
| -rw-r--r-- | auth-rsa.c | 18 |
1 files changed, 13 insertions, 5 deletions
diff --git a/auth-rsa.c b/auth-rsa.c index 22e3f01f3..f01c5c920 100644 --- a/auth-rsa.c +++ b/auth-rsa.c | |||
| @@ -16,7 +16,7 @@ | |||
| 16 | */ | 16 | */ |
| 17 | 17 | ||
| 18 | #include "includes.h" | 18 | #include "includes.h" |
| 19 | RCSID("$Id: auth-rsa.c,v 1.19 2000/04/30 00:00:53 damien Exp $"); | 19 | RCSID("$Id: auth-rsa.c,v 1.20 2000/06/07 09:55:44 djm Exp $"); |
| 20 | 20 | ||
| 21 | #include "rsa.h" | 21 | #include "rsa.h" |
| 22 | #include "packet.h" | 22 | #include "packet.h" |
| @@ -133,6 +133,7 @@ auth_rsa(struct passwd *pw, BIGNUM *client_n) | |||
| 133 | unsigned long linenum = 0; | 133 | unsigned long linenum = 0; |
| 134 | struct stat st; | 134 | struct stat st; |
| 135 | RSA *pk; | 135 | RSA *pk; |
| 136 | int mname, mip; | ||
| 136 | 137 | ||
| 137 | /* Temporarily use the user's uid. */ | 138 | /* Temporarily use the user's uid. */ |
| 138 | temporarily_use_uid(pw->pw_uid); | 139 | temporarily_use_uid(pw->pw_uid); |
| @@ -390,10 +391,17 @@ auth_rsa(struct passwd *pw, BIGNUM *client_n) | |||
| 390 | } | 391 | } |
| 391 | patterns[i] = 0; | 392 | patterns[i] = 0; |
| 392 | options++; | 393 | options++; |
| 393 | if (!match_hostname(get_canonical_hostname(), patterns, | 394 | /* |
| 394 | strlen(patterns)) && | 395 | * Deny access if we get a negative |
| 395 | !match_hostname(get_remote_ipaddr(), patterns, | 396 | * match for the hostname or the ip |
| 396 | strlen(patterns))) { | 397 | * or if we get not match at all |
| 398 | */ | ||
| 399 | mname = match_hostname(get_canonical_hostname(), | ||
| 400 | patterns, strlen(patterns)); | ||
| 401 | mip = match_hostname(get_remote_ipaddr(), | ||
| 402 | patterns, strlen(patterns)); | ||
| 403 | if (mname == -1 || mip == -1 || | ||
| 404 | (mname != 1 && mip != 1)) { | ||
| 397 | log("RSA authentication tried for %.100s with correct key but not from a permitted host (host=%.200s, ip=%.200s).", | 405 | log("RSA authentication tried for %.100s with correct key but not from a permitted host (host=%.200s, ip=%.200s).", |
| 398 | pw->pw_name, get_canonical_hostname(), | 406 | pw->pw_name, get_canonical_hostname(), |
| 399 | get_remote_ipaddr()); | 407 | get_remote_ipaddr()); |