author | Damien Miller <djm@mindrot.org> | 2010-03-04 21:53:35 +1100 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2010-03-04 21:53:35 +1100 |
commit | 1aed65eb27feec505997c98621bdf158f9ab8b99 (patch) | |
tree | 81c2d0b9aff3c2211388ba00cde544e0618750d2 /auth2-pubkey.c | |
parent | 2befbad9b3c8fc6e4e564c062870229bc722734c (diff) |
- djm@cvs.openbsd.org 2010/03/04 10:36:03
[auth-rh-rsa.c auth-rsa.c auth.c auth.h auth2-hostbased.c auth2-pubkey.c]
[authfile.c authfile.h hostfile.c hostfile.h servconf.c servconf.h]
[ssh-keygen.c ssh.1 sshconnect.c sshd_config.5]
Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition to doing it per-user
in authorized_keys).
Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to be revoked and banned for user or host
authentication.
feedback and ok markus@
Diffstat (limited to 'auth2-pubkey.c')
-rw-r--r-- | auth2-pubkey.c | 53 |
1 files changed, 52 insertions, 1 deletions
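--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-pubkey.c,v 1.20 2010/02/26 20:29:54 djm Exp $ */
+/* $OpenBSD: auth2-pubkey.c,v 1.21 2010/03/04 10:36:03 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl. All rights reserved.
  *
@@ -56,6 +56,7 @@
 #endif
 #include "monitor_wrap.h"
 #include "misc.h"
+#include "authfile.h"
 
 /* import */
 extern ServerOptions options;
@@ -276,6 +277,47 @@ user_key_allowed2(struct passwd *pw, Key *key, char *file)
 return found_key;
 }
 
+/* Authenticate a certificate key against TrustedUserCAKeys */
+static int
+user_cert_trusted_ca(struct passwd *pw, Key *key)
+{
+char *key_fp, *ca_fp;
+const char *reason;
+int ret = 0;
+
+if (!key_is_cert(key) || options.trusted_user_ca_keys == NULL)
+return 0;
+
+key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
+ca_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
+
+if (key_in_file(key->cert->signature_key,
+options.trusted_user_ca_keys, 1) != 1) {
+debug2("%s: CA %s %s is not listed in %s", __func__,
+key_type(key->cert->signature_key), ca_fp,
+options.trusted_user_ca_keys);
+goto out;
+}
+if (key_cert_check_authority(key, 0, 1, pw->pw_name, &reason) != 0) {
+error("%s", reason);
+auth_debug_add("%s", reason);
+goto out;
+}
+if (auth_cert_constraints(&key->cert->constraints, pw) != 0)
+goto out;
+
+verbose("%s certificate %s allowed by trusted %s key %s",
+key_type(key), key_fp, key_type(key->cert->signature_key), ca_fp);
+ret = 1;
+
+out:
+if (key_fp != NULL)
+xfree(key_fp);
+if (ca_fp != NULL)
+xfree(ca_fp);
+return ret;
+}
+
 /* check whether given key is in .ssh/authorized_keys* */
 int
 user_key_allowed(struct passwd *pw, Key *key)
@@ -283,6 +325,15 @@ user_key_allowed(struct passwd *pw, Key *key)
 int success;
 char *file;
 
+if (auth_key_is_revoked(key))
+return 0;
+if (key_is_cert(key) && auth_key_is_revoked(key->cert->signature_key))
+return 0;
+
+success = user_cert_trusted_ca(pw, key);
+if (success)
+return success;
+
 file = authorized_keys_file(pw);
 success = user_key_allowed2(pw, key, file);
 xfree(file);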
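Review bot: In user_cert_trusted_ca (new lines 291-292) both fingerprints are computed from `key`, so `ca_fp` is the fingerprint of the presented certificate rather than of its signing CA, and the `debug2` "CA ... is not listed" message and the `verbose` "allowed by trusted ... key" message then report the certificate's fingerprint where an operator auditing which CA admitted a login expects the CA's; the CA identity never reaches the log at all. The decision itself is unaffected, since `key_in_file` is called on `key->cert->signature_key`, so this is a logging/audit defect rather than an authentication bypass. The second line should read `ca_fp = key_fingerprint(key->cert->signature_key, SSH_FP_MD5, SSH_FP_HEX);`. The ordering in user_key_allowed (revocation checks first, then TrustedUserCAKeys, then authorized_keys) deserves a short comment such as `/* Revocation of the key or its CA must win before any path can accept it */`, since a revoked CA key has to reject every certificate it signed before the CA lookup can admit one; user_key_allowed's body continues past the end of this section.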