* New upstream release (http://www.openssh.com/txt/release-5.6):

- Added a ControlPersist option to ssh_config(5) that automatically starts a background ssh(1) multiplex master when connecting. This connection can stay alive indefinitely, or can be set to automatically close after a user-specified duration of inactivity (closes: #335697, #350898, #454787, #500573, #550262). - Support AuthorizedKeysFile, AuthorizedPrincipalsFile, HostbasedUsesNameFromPacketOnly, and PermitTunnel in sshd_config(5) Match blocks (closes: #549858). - sftp(1): fix ls in working directories that contain globbing characters in their pathnames (LP: #530714).
author: Colin Watson <cjwatson@debian.org> 2010-08-23 23:52:36 +0100
committer: Colin Watson <cjwatson@debian.org> 2010-08-23 23:52:36 +0100
commit: 78799892cb1858927be02be9737c594052e3f910 (patch)
tree: ac3dc2e848ab9dc62fe4252e01e52c3d456f628f /auth.c
parent: 3875951bb76a9ec62634ae4026c9cc885d933477 (diff)
parent: 31e30b835fd9695d3b6647cab4867001b092e28f (diff)
1 files changed, 35 insertions, 13 deletions
diff --git a/auth.c b/auth.c
index a188b891e..669bfc740 100644
--- a/auth.c
+++ b/auth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.c,v 1.86 2010/03/05 02:58:11 djm Exp $ */
+/* $OpenBSD: auth.c,v 1.89 2010/08/04 05:42:47 djm Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl.  All rights reserved.
 *
@@ -144,7 +144,7 @@ allowed_user(struct passwd * pw)
                        locked = 1;
 #endif
 #ifdef USE_LIBIAF
-                free(passwd);
+                free((void *) passwd);
 #endif /* USE_LIBIAF */
                if (locked) {
                        logit("User %.100s not allowed because account is locked",
@@ -367,6 +367,14 @@ authorized_keys_file2(struct passwd *pw)
        return expand_authorized_keys(options.authorized_keys_file2, pw);
 }
+char *
+authorized_principals_file(struct passwd *pw)
+{
+        if (options.authorized_principals_file == NULL)
+                return NULL;
+        return expand_authorized_keys(options.authorized_principals_file, pw);
+}
 /* return ok if key exists in sysfile or userfile */
 HostStatus
 check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host,
@@ -378,7 +386,7 @@ check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host,
        HostStatus host_status;
        /* Check if we know the host and its host key. */
-        found = key_new(key->type);
+        found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);
        host_status = check_host_in_hostfile(sysfile, host, key, found, NULL);
        if (host_status != HOST_OK && userfile != NULL) {
@@ -389,6 +397,8 @@ check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host,
                        logit("Authentication refused for %.100s: "
                            "bad owner or modes for %.200s",
                            pw->pw_name, user_hostfile);
+                        auth_debug_add("Ignored %.200s: bad ownership or modes",
+                            user_hostfile);
                } else {
                        temporarily_use_uid(pw);
                        host_status = check_host_in_hostfile(user_hostfile,
@@ -475,21 +485,18 @@ secure_filename(FILE *f, const char *file, struct passwd *pw,
        return 0;
 }
-FILE *
+static FILE *
-auth_openkeyfile(const char *file, struct passwd *pw, int strict_modes)
+auth_openfile(const char *file, struct passwd *pw, int strict_modes,
+    int log_missing, char *file_type)
 {
        char line[1024];
        struct stat st;
        int fd;
        FILE *f;
-        /*
-         * Open the file containing the authorized keys
-         * Fail quietly if file does not exist
-         */
        if ((fd = open(file, O_RDONLY|O_NONBLOCK)) == -1) {
-                if (errno != ENOENT)
+                if (log_missing || errno != ENOENT)
-                        debug("Could not open keyfile '%s': %s", file,
+                        debug("Could not open %s '%s': %s", file_type, file,
                           strerror(errno));
                return NULL;
        }
@@ -499,8 +506,8 @@ auth_openkeyfile(const char *file, struct passwd *pw, int strict_modes)
                return NULL;
        }
        if (!S_ISREG(st.st_mode)) {
-                logit("User %s authorized keys %s is not a regular file",
+                logit("User %s %s %s is not a regular file",
-                    pw->pw_name, file);
+                    pw->pw_name, file_type, file);
                close(fd);
                return NULL;
        }
@@ -513,12 +520,27 @@ auth_openkeyfile(const char *file, struct passwd *pw, int strict_modes)
            secure_filename(f, file, pw, line, sizeof(line)) != 0) {
                fclose(f);
                logit("Authentication refused: %s", line);
+                auth_debug_add("Ignored %s: %s", file_type, line);
                return NULL;
        }
        return f;
 }
+FILE *
+auth_openkeyfile(const char *file, struct passwd *pw, int strict_modes)
+{
+        return auth_openfile(file, pw, strict_modes, 1, "authorized keys");
+}
+FILE *
+auth_openprincipals(const char *file, struct passwd *pw, int strict_modes)
+{
+        return auth_openfile(file, pw, strict_modes, 0,
+            "authorized principals");
+}
 struct passwd *
 getpwnamallow(const char *user)
 {
author	Colin Watson <cjwatson@debian.org>	2010-08-23 23:52:36 +0100
committer	Colin Watson <cjwatson@debian.org>	2010-08-23 23:52:36 +0100
commit	78799892cb1858927be02be9737c594052e3f910 (patch)
tree	ac3dc2e848ab9dc62fe4252e01e52c3d456f628f /auth.c
parent	3875951bb76a9ec62634ae4026c9cc885d933477 (diff)
parent	31e30b835fd9695d3b6647cab4867001b092e28f (diff)