diff options
author | Damien Miller <djm@mindrot.org> | 2010-03-04 21:53:35 +1100 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2010-03-04 21:53:35 +1100 |
commit | 1aed65eb27feec505997c98621bdf158f9ab8b99 (patch) | |
tree | 81c2d0b9aff3c2211388ba00cde544e0618750d2 /auth.c | |
parent | 2befbad9b3c8fc6e4e564c062870229bc722734c (diff) |
- djm@cvs.openbsd.org 2010/03/04 10:36:03
[auth-rh-rsa.c auth-rsa.c auth.c auth.h auth2-hostbased.c auth2-pubkey.c]
[authfile.c authfile.h hostfile.c hostfile.h servconf.c servconf.h]
[ssh-keygen.c ssh.1 sshconnect.c sshd_config.5]
Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition than doing it per-user
in authorized_keys).
Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to me revoked and banned for user or host
authentication.
feedback and ok markus@
Diffstat (limited to 'auth.c')
-rw-r--r-- | auth.c | 31 |
1 files changed, 30 insertions, 1 deletions
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: auth.c,v 1.84 2010/02/09 06:18:46 djm Exp $ */ | 1 | /* $OpenBSD: auth.c,v 1.85 2010/03/04 10:36:03 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. |
4 | * | 4 | * |
@@ -69,6 +69,7 @@ | |||
69 | #ifdef GSSAPI | 69 | #ifdef GSSAPI |
70 | #include "ssh-gss.h" | 70 | #include "ssh-gss.h" |
71 | #endif | 71 | #endif |
72 | #include "authfile.h" | ||
72 | #include "monitor_wrap.h" | 73 | #include "monitor_wrap.h" |
73 | 74 | ||
74 | /* import */ | 75 | /* import */ |
@@ -582,6 +583,34 @@ getpwnamallow(const char *user) | |||
582 | return (NULL); | 583 | return (NULL); |
583 | } | 584 | } |
584 | 585 | ||
586 | /* Returns 1 if key is revoked by revoked_keys_file, 0 otherwise */ | ||
587 | int | ||
588 | auth_key_is_revoked(Key *key) | ||
589 | { | ||
590 | char *key_fp; | ||
591 | |||
592 | if (options.revoked_keys_file == NULL) | ||
593 | return 0; | ||
594 | |||
595 | switch (key_in_file(key, options.revoked_keys_file, 0)) { | ||
596 | case 0: | ||
597 | /* key not revoked */ | ||
598 | return 0; | ||
599 | case -1: | ||
600 | /* Error opening revoked_keys_file: refuse all keys */ | ||
601 | error("Revoked keys file is unreadable: refusing public key " | ||
602 | "authentication"); | ||
603 | return 1; | ||
604 | case 1: | ||
605 | /* Key revoked */ | ||
606 | key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); | ||
607 | error("%s key %s is revoked", key_type(key), key_fp); | ||
608 | xfree(key_fp); | ||
609 | return 1; | ||
610 | } | ||
611 | fatal("key_in_file returned junk"); | ||
612 | } | ||
613 | |||
585 | void | 614 | void |
586 | auth_debug_add(const char *fmt,...) | 615 | auth_debug_add(const char *fmt,...) |
587 | { | 616 | { |