diff options
| author | Damien Miller <djm@mindrot.org> | 2010-03-04 21:53:35 +1100 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2010-03-04 21:53:35 +1100 |
| commit | 1aed65eb27feec505997c98621bdf158f9ab8b99 (patch) | |
| tree | 81c2d0b9aff3c2211388ba00cde544e0618750d2 /auth.c | |
| parent | 2befbad9b3c8fc6e4e564c062870229bc722734c (diff) | |
- djm@cvs.openbsd.org 2010/03/04 10:36:03
[auth-rh-rsa.c auth-rsa.c auth.c auth.h auth2-hostbased.c auth2-pubkey.c]
[authfile.c authfile.h hostfile.c hostfile.h servconf.c servconf.h]
[ssh-keygen.c ssh.1 sshconnect.c sshd_config.5]
Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition than doing it per-user
in authorized_keys).
Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to me revoked and banned for user or host
authentication.
feedback and ok markus@
Diffstat (limited to 'auth.c')
| -rw-r--r-- | auth.c | 31 |
1 files changed, 30 insertions, 1 deletions
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: auth.c,v 1.84 2010/02/09 06:18:46 djm Exp $ */ | 1 | /* $OpenBSD: auth.c,v 1.85 2010/03/04 10:36:03 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. |
| 4 | * | 4 | * |
| @@ -69,6 +69,7 @@ | |||
| 69 | #ifdef GSSAPI | 69 | #ifdef GSSAPI |
| 70 | #include "ssh-gss.h" | 70 | #include "ssh-gss.h" |
| 71 | #endif | 71 | #endif |
| 72 | #include "authfile.h" | ||
| 72 | #include "monitor_wrap.h" | 73 | #include "monitor_wrap.h" |
| 73 | 74 | ||
| 74 | /* import */ | 75 | /* import */ |
| @@ -582,6 +583,34 @@ getpwnamallow(const char *user) | |||
| 582 | return (NULL); | 583 | return (NULL); |
| 583 | } | 584 | } |
| 584 | 585 | ||
| 586 | /* Returns 1 if key is revoked by revoked_keys_file, 0 otherwise */ | ||
| 587 | int | ||
| 588 | auth_key_is_revoked(Key *key) | ||
| 589 | { | ||
| 590 | char *key_fp; | ||
| 591 | |||
| 592 | if (options.revoked_keys_file == NULL) | ||
| 593 | return 0; | ||
| 594 | |||
| 595 | switch (key_in_file(key, options.revoked_keys_file, 0)) { | ||
| 596 | case 0: | ||
| 597 | /* key not revoked */ | ||
| 598 | return 0; | ||
| 599 | case -1: | ||
| 600 | /* Error opening revoked_keys_file: refuse all keys */ | ||
| 601 | error("Revoked keys file is unreadable: refusing public key " | ||
| 602 | "authentication"); | ||
| 603 | return 1; | ||
| 604 | case 1: | ||
| 605 | /* Key revoked */ | ||
| 606 | key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); | ||
| 607 | error("%s key %s is revoked", key_type(key), key_fp); | ||
| 608 | xfree(key_fp); | ||
| 609 | return 1; | ||
| 610 | } | ||
| 611 | fatal("key_in_file returned junk"); | ||
| 612 | } | ||
| 613 | |||
| 585 | void | 614 | void |
| 586 | auth_debug_add(const char *fmt,...) | 615 | auth_debug_add(const char *fmt,...) |
| 587 | { | 616 | { |