summaryrefslogtreecommitdiff
path: root/auth2-hostbased.c
diff options
context:
space:
mode:
authorColin Watson <cjwatson@debian.org>2015-08-19 14:23:51 +0100
committerColin Watson <cjwatson@debian.org>2015-08-19 16:48:11 +0100
commit0f0841b2d28b7463267d4d91577e72e3340a1d3a (patch)
treeba55fcd2b6e2cc22b30f5afb561dbb3da4c8b6c7 /auth2-hostbased.c
parentf2a5f5dae656759efb0b76c3d94890b65c197a02 (diff)
parent8698446b972003b63dfe5dcbdb86acfe986afb85 (diff)
New upstream release (6.8p1).
Diffstat (limited to 'auth2-hostbased.c')
-rw-r--r--auth2-hostbased.c36
1 files changed, 28 insertions, 8 deletions
diff --git a/auth2-hostbased.c b/auth2-hostbased.c
index 6787e4ca4..eebfe8fc3 100644
--- a/auth2-hostbased.c
+++ b/auth2-hostbased.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: auth2-hostbased.c,v 1.18 2014/07/15 15:54:14 millert Exp $ */ 1/* $OpenBSD: auth2-hostbased.c,v 1.24 2015/01/28 22:36:00 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2000 Markus Friedl. All rights reserved. 3 * Copyright (c) 2000 Markus Friedl. All rights reserved.
4 * 4 *
@@ -48,6 +48,7 @@
48#endif 48#endif
49#include "monitor_wrap.h" 49#include "monitor_wrap.h"
50#include "pathnames.h" 50#include "pathnames.h"
51#include "match.h"
51 52
52/* import */ 53/* import */
53extern ServerOptions options; 54extern ServerOptions options;
@@ -107,6 +108,14 @@ userauth_hostbased(Authctxt *authctxt)
107 "signature format"); 108 "signature format");
108 goto done; 109 goto done;
109 } 110 }
111 if (match_pattern_list(sshkey_ssh_name(key),
112 options.hostbased_key_types,
113 strlen(options.hostbased_key_types), 0) != 1) {
114 logit("%s: key type %s not in HostbasedAcceptedKeyTypes",
115 __func__, sshkey_type(key));
116 goto done;
117 }
118
110 service = datafellows & SSH_BUG_HBSERVICE ? "ssh-userauth" : 119 service = datafellows & SSH_BUG_HBSERVICE ? "ssh-userauth" :
111 authctxt->service; 120 authctxt->service;
112 buffer_init(&b); 121 buffer_init(&b);
@@ -163,7 +172,7 @@ hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
163 resolvedname = get_canonical_hostname(options.use_dns); 172 resolvedname = get_canonical_hostname(options.use_dns);
164 ipaddr = get_remote_ipaddr(); 173 ipaddr = get_remote_ipaddr();
165 174
166 debug2("userauth_hostbased: chost %s resolvedname %s ipaddr %s", 175 debug2("%s: chost %s resolvedname %s ipaddr %s", __func__,
167 chost, resolvedname, ipaddr); 176 chost, resolvedname, ipaddr);
168 177
169 if (((len = strlen(chost)) > 0) && chost[len - 1] == '.') { 178 if (((len = strlen(chost)) > 0) && chost[len - 1] == '.') {
@@ -172,19 +181,27 @@ hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
172 } 181 }
173 182
174 if (options.hostbased_uses_name_from_packet_only) { 183 if (options.hostbased_uses_name_from_packet_only) {
175 if (auth_rhosts2(pw, cuser, chost, chost) == 0) 184 if (auth_rhosts2(pw, cuser, chost, chost) == 0) {
185 debug2("%s: auth_rhosts2 refused "
186 "user \"%.100s\" host \"%.100s\" (from packet)",
187 __func__, cuser, chost);
176 return 0; 188 return 0;
189 }
177 lookup = chost; 190 lookup = chost;
178 } else { 191 } else {
179 if (strcasecmp(resolvedname, chost) != 0) 192 if (strcasecmp(resolvedname, chost) != 0)
180 logit("userauth_hostbased mismatch: " 193 logit("userauth_hostbased mismatch: "
181 "client sends %s, but we resolve %s to %s", 194 "client sends %s, but we resolve %s to %s",
182 chost, ipaddr, resolvedname); 195 chost, ipaddr, resolvedname);
183 if (auth_rhosts2(pw, cuser, resolvedname, ipaddr) == 0) 196 if (auth_rhosts2(pw, cuser, resolvedname, ipaddr) == 0) {
197 debug2("%s: auth_rhosts2 refused "
198 "user \"%.100s\" host \"%.100s\" addr \"%.100s\"",
199 __func__, cuser, resolvedname, ipaddr);
184 return 0; 200 return 0;
201 }
185 lookup = resolvedname; 202 lookup = resolvedname;
186 } 203 }
187 debug2("userauth_hostbased: access allowed by auth_rhosts2"); 204 debug2("%s: access allowed by auth_rhosts2", __func__);
188 205
189 if (key_is_cert(key) && 206 if (key_is_cert(key) &&
190 key_cert_check_authority(key, 1, 0, lookup, &reason)) { 207 key_cert_check_authority(key, 1, 0, lookup, &reason)) {
@@ -207,14 +224,17 @@ hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
207 224
208 if (host_status == HOST_OK) { 225 if (host_status == HOST_OK) {
209 if (key_is_cert(key)) { 226 if (key_is_cert(key)) {
210 fp = key_fingerprint(key->cert->signature_key, 227 if ((fp = sshkey_fingerprint(key->cert->signature_key,
211 SSH_FP_MD5, SSH_FP_HEX); 228 options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL)
229 fatal("%s: sshkey_fingerprint fail", __func__);
212 verbose("Accepted certificate ID \"%s\" signed by " 230 verbose("Accepted certificate ID \"%s\" signed by "
213 "%s CA %s from %s@%s", key->cert->key_id, 231 "%s CA %s from %s@%s", key->cert->key_id,
214 key_type(key->cert->signature_key), fp, 232 key_type(key->cert->signature_key), fp,
215 cuser, lookup); 233 cuser, lookup);
216 } else { 234 } else {
217 fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); 235 if ((fp = sshkey_fingerprint(key,
236 options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL)
237 fatal("%s: sshkey_fingerprint fail", __func__);
218 verbose("Accepted %s public key %s from %s@%s", 238 verbose("Accepted %s public key %s from %s@%s",
219 key_type(key), fp, cuser, lookup); 239 key_type(key), fp, cuser, lookup);
220 } 240 }
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-11 11:23:03 +0000