diff options
author | Damien Miller <djm@mindrot.org> | 1999-11-16 13:37:16 +1100 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 1999-11-16 13:37:16 +1100 |
commit | 7e8e820153a620ab1dcd81857a7de0969c41d043 (patch) | |
tree | 226cc4185feae97f4069ad60b4c18d259aa5df2f /auth-rsa.c | |
parent | 4874c79a3a05fc18678d7a85d7091f5139630fac (diff) |
- Merged OpenBSD CVS changes:
- [auth-rh-rsa.c auth-rsa.c authfd.c authfd.h hostfile.c mpaux.c]
[mpaux.h ssh-add.c ssh-agent.c ssh.h ssh.c sshd.c]
the keysize of rsa-parameter 'n' is passed implizit,
a few more checks and warnings about 'pretended' keysizes.
- [cipher.c cipher.h packet.c packet.h sshd.c]
remove support for cipher RC4
- [ssh.c]
a note for legay systems about secuity issues with permanently_set_uid(),
the private hostkey and ptrace()
- [sshconnect.c]
more detailed messages about adding and checking hostkeys
Diffstat (limited to 'auth-rsa.c')
-rw-r--r-- | auth-rsa.c | 24 |
1 files changed, 15 insertions, 9 deletions
diff --git a/auth-rsa.c b/auth-rsa.c index cc76bf07e..6041a3211 100644 --- a/auth-rsa.c +++ b/auth-rsa.c | |||
@@ -16,7 +16,7 @@ validity of the host key. | |||
16 | */ | 16 | */ |
17 | 17 | ||
18 | #include "includes.h" | 18 | #include "includes.h" |
19 | RCSID("$Id: auth-rsa.c,v 1.6 1999/11/12 23:51:58 damien Exp $"); | 19 | RCSID("$Id: auth-rsa.c,v 1.7 1999/11/16 02:37:16 damien Exp $"); |
20 | 20 | ||
21 | #include "rsa.h" | 21 | #include "rsa.h" |
22 | #include "packet.h" | 22 | #include "packet.h" |
@@ -61,7 +61,7 @@ extern unsigned char session_id[16]; | |||
61 | our challenge; returns zero if the client gives a wrong answer. */ | 61 | our challenge; returns zero if the client gives a wrong answer. */ |
62 | 62 | ||
63 | int | 63 | int |
64 | auth_rsa_challenge_dialog(unsigned int bits, BIGNUM *e, BIGNUM *n) | 64 | auth_rsa_challenge_dialog(BIGNUM *e, BIGNUM *n) |
65 | { | 65 | { |
66 | BIGNUM *challenge, *encrypted_challenge, *aux; | 66 | BIGNUM *challenge, *encrypted_challenge, *aux; |
67 | RSA *pk; | 67 | RSA *pk; |
@@ -138,7 +138,7 @@ int | |||
138 | auth_rsa(struct passwd *pw, BIGNUM *client_n) | 138 | auth_rsa(struct passwd *pw, BIGNUM *client_n) |
139 | { | 139 | { |
140 | extern ServerOptions options; | 140 | extern ServerOptions options; |
141 | char line[8192]; | 141 | char line[8192], file[1024]; |
142 | int authenticated; | 142 | int authenticated; |
143 | unsigned int bits; | 143 | unsigned int bits; |
144 | FILE *f; | 144 | FILE *f; |
@@ -150,11 +150,11 @@ auth_rsa(struct passwd *pw, BIGNUM *client_n) | |||
150 | temporarily_use_uid(pw->pw_uid); | 150 | temporarily_use_uid(pw->pw_uid); |
151 | 151 | ||
152 | /* The authorized keys. */ | 152 | /* The authorized keys. */ |
153 | snprintf(line, sizeof line, "%.500s/%.100s", pw->pw_dir, | 153 | snprintf(file, sizeof file, "%.500s/%.100s", pw->pw_dir, |
154 | SSH_USER_PERMITTED_KEYS); | 154 | SSH_USER_PERMITTED_KEYS); |
155 | 155 | ||
156 | /* Fail quietly if file does not exist */ | 156 | /* Fail quietly if file does not exist */ |
157 | if (stat(line, &st) < 0) | 157 | if (stat(file, &st) < 0) |
158 | { | 158 | { |
159 | /* Restore the privileged uid. */ | 159 | /* Restore the privileged uid. */ |
160 | restore_uid(); | 160 | restore_uid(); |
@@ -162,12 +162,12 @@ auth_rsa(struct passwd *pw, BIGNUM *client_n) | |||
162 | } | 162 | } |
163 | 163 | ||
164 | /* Open the file containing the authorized keys. */ | 164 | /* Open the file containing the authorized keys. */ |
165 | f = fopen(line, "r"); | 165 | f = fopen(file, "r"); |
166 | if (!f) | 166 | if (!f) |
167 | { | 167 | { |
168 | /* Restore the privileged uid. */ | 168 | /* Restore the privileged uid. */ |
169 | restore_uid(); | 169 | restore_uid(); |
170 | packet_send_debug("Could not open %.900s for reading.", line); | 170 | packet_send_debug("Could not open %.900s for reading.", file); |
171 | packet_send_debug("If your home is on an NFS volume, it may need to be world-readable."); | 171 | packet_send_debug("If your home is on an NFS volume, it may need to be world-readable."); |
172 | return 0; | 172 | return 0; |
173 | } | 173 | } |
@@ -180,7 +180,7 @@ auth_rsa(struct passwd *pw, BIGNUM *client_n) | |||
180 | (st.st_uid != 0 && st.st_uid != pw->pw_uid) || | 180 | (st.st_uid != 0 && st.st_uid != pw->pw_uid) || |
181 | (st.st_mode & 022) != 0) { | 181 | (st.st_mode & 022) != 0) { |
182 | snprintf(buf, sizeof buf, "RSA authentication refused for %.100s: " | 182 | snprintf(buf, sizeof buf, "RSA authentication refused for %.100s: " |
183 | "bad ownership or modes for '%s'.", pw->pw_name, line); | 183 | "bad ownership or modes for '%s'.", pw->pw_name, file); |
184 | fail=1; | 184 | fail=1; |
185 | }else{ | 185 | }else{ |
186 | /* Check path to SSH_USER_PERMITTED_KEYS */ | 186 | /* Check path to SSH_USER_PERMITTED_KEYS */ |
@@ -263,6 +263,12 @@ auth_rsa(struct passwd *pw, BIGNUM *client_n) | |||
263 | } | 263 | } |
264 | /* cp now points to the comment part. */ | 264 | /* cp now points to the comment part. */ |
265 | 265 | ||
266 | /* check the real bits */ | ||
267 | if (bits != BN_num_bits(n)) | ||
268 | error("Warning: error in %s, line %d: keysize mismatch: " | ||
269 | "actual size %d vs. announced %d.", | ||
270 | file, linenum, BN_num_bits(n), bits); | ||
271 | |||
266 | /* Check if the we have found the desired key (identified by its | 272 | /* Check if the we have found the desired key (identified by its |
267 | modulus). */ | 273 | modulus). */ |
268 | if (BN_cmp(n, client_n) != 0) | 274 | if (BN_cmp(n, client_n) != 0) |
@@ -271,7 +277,7 @@ auth_rsa(struct passwd *pw, BIGNUM *client_n) | |||
271 | /* We have found the desired key. */ | 277 | /* We have found the desired key. */ |
272 | 278 | ||
273 | /* Perform the challenge-response dialog for this key. */ | 279 | /* Perform the challenge-response dialog for this key. */ |
274 | if (!auth_rsa_challenge_dialog(bits, e, n)) | 280 | if (!auth_rsa_challenge_dialog(e, n)) |
275 | { | 281 | { |
276 | /* Wrong response. */ | 282 | /* Wrong response. */ |
277 | log("Wrong response to RSA authentication challenge."); | 283 | log("Wrong response to RSA authentication challenge."); |