diff options
| author | Damien Miller <djm@mindrot.org> | 2010-08-05 13:04:50 +1000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2010-08-05 13:04:50 +1000 |
| commit | c158331f8c7e059c6c1d099bffc7f5fc6087ddbd (patch) | |
| tree | f1998f0fb52e5fb666ee67064a424af45e941f6b /auth2-hostbased.c | |
| parent | 1da638895916bc061ff6aca9f373d48a9776810b (diff) | |
- djm@cvs.openbsd.org 2010/08/04 05:42:47
[auth.c auth2-hostbased.c authfile.c authfile.h ssh-keysign.8]
[ssh-keysign.c ssh.c]
enable certificates for hostbased authentication, from Iain Morgan;
"looks ok" markus@
Diffstat (limited to 'auth2-hostbased.c')
| -rw-r--r-- | auth2-hostbased.c | 31 |
1 files changed, 28 insertions, 3 deletions
diff --git a/auth2-hostbased.c b/auth2-hostbased.c index 721646520..cdf442f97 100644 --- a/auth2-hostbased.c +++ b/auth2-hostbased.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: auth2-hostbased.c,v 1.13 2010/03/04 10:36:03 djm Exp $ */ | 1 | /* $OpenBSD: auth2-hostbased.c,v 1.14 2010/08/04 05:42:47 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. |
| 4 | * | 4 | * |
| @@ -141,9 +141,10 @@ int | |||
| 141 | hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost, | 141 | hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost, |
| 142 | Key *key) | 142 | Key *key) |
| 143 | { | 143 | { |
| 144 | const char *resolvedname, *ipaddr, *lookup; | 144 | const char *resolvedname, *ipaddr, *lookup, *reason; |
| 145 | HostStatus host_status; | 145 | HostStatus host_status; |
| 146 | int len; | 146 | int len; |
| 147 | char *fp; | ||
| 147 | 148 | ||
| 148 | if (auth_key_is_revoked(key)) | 149 | if (auth_key_is_revoked(key)) |
| 149 | return 0; | 150 | return 0; |
| @@ -174,16 +175,40 @@ hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost, | |||
| 174 | } | 175 | } |
| 175 | debug2("userauth_hostbased: access allowed by auth_rhosts2"); | 176 | debug2("userauth_hostbased: access allowed by auth_rhosts2"); |
| 176 | 177 | ||
| 178 | if (key_is_cert(key) && | ||
| 179 | key_cert_check_authority(key, 1, 0, lookup, &reason)) { | ||
| 180 | error("%s", reason); | ||
| 181 | auth_debug_add("%s", reason); | ||
| 182 | return 0; | ||
| 183 | } | ||
| 184 | |||
| 177 | host_status = check_key_in_hostfiles(pw, key, lookup, | 185 | host_status = check_key_in_hostfiles(pw, key, lookup, |
| 178 | _PATH_SSH_SYSTEM_HOSTFILE, | 186 | _PATH_SSH_SYSTEM_HOSTFILE, |
| 179 | options.ignore_user_known_hosts ? NULL : _PATH_SSH_USER_HOSTFILE); | 187 | options.ignore_user_known_hosts ? NULL : _PATH_SSH_USER_HOSTFILE); |
| 180 | 188 | ||
| 181 | /* backward compat if no key has been found. */ | 189 | /* backward compat if no key has been found. */ |
| 182 | if (host_status == HOST_NEW) | 190 | if (host_status == HOST_NEW) { |
| 183 | host_status = check_key_in_hostfiles(pw, key, lookup, | 191 | host_status = check_key_in_hostfiles(pw, key, lookup, |
| 184 | _PATH_SSH_SYSTEM_HOSTFILE2, | 192 | _PATH_SSH_SYSTEM_HOSTFILE2, |
| 185 | options.ignore_user_known_hosts ? NULL : | 193 | options.ignore_user_known_hosts ? NULL : |
| 186 | _PATH_SSH_USER_HOSTFILE2); | 194 | _PATH_SSH_USER_HOSTFILE2); |
| 195 | } | ||
| 196 | |||
| 197 | if (host_status == HOST_OK) { | ||
| 198 | if (key_is_cert(key)) { | ||
| 199 | fp = key_fingerprint(key->cert->signature_key, | ||
| 200 | SSH_FP_MD5, SSH_FP_HEX); | ||
| 201 | verbose("Accepted certificate ID \"%s\" signed by " | ||
| 202 | "%s CA %s from %s@%s", key->cert->key_id, | ||
| 203 | key_type(key->cert->signature_key), fp, | ||
| 204 | cuser, lookup); | ||
| 205 | } else { | ||
| 206 | fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); | ||
| 207 | verbose("Accepted %s public key %s from %s@%s", | ||
| 208 | key_type(key), fp, cuser, lookup); | ||
| 209 | } | ||
| 210 | xfree(fp); | ||
| 211 | } | ||
| 187 | 212 | ||
| 188 | return (host_status == HOST_OK); | 213 | return (host_status == HOST_OK); |
| 189 | } | 214 | } |