- djm@cvs.openbsd.org 2013/05/19 02:38:28

[auth2-pubkey.c] fix failure to recognise cert-authority keys if a key of a different type appeared in authorized_keys before it; ok markus@
author: Darren Tucker <dtucker@zip.com.au> 2013-06-02 07:32:00 +1000
committer: Darren Tucker <dtucker@zip.com.au> 2013-06-02 07:32:00 +1000
commit: 74836ae0fabcc1a76b9d9eacd1629c88a054b2d0 (patch)
tree: d82e1ff85ed1f7d88daf3e31c98cc23a7b495bd3 /auth2-pubkey.c
parent: a627d42e51ffa71e014d7b2d2c07118122fd3ec3 (diff)
1 files changed, 31 insertions, 8 deletions
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index 4c326df7a..45306f839 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-pubkey.c,v 1.36 2013/05/17 00:13:13 djm Exp $ */
+/* $OpenBSD: auth2-pubkey.c,v 1.37 2013/05/19 02:38:28 djm Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl.  All rights reserved.
 *
@@ -147,6 +147,8 @@ userauth_pubkey(Authctxt *authctxt)
 #ifdef DEBUG_PK
                buffer_dump(&b);
 #endif
+                pubkey_auth_info(authctxt, key);
                /* test for correct signature */
                authenticated = 0;
                if (PRIVSEP(user_key_allowed(authctxt->pw, key)) &&
@@ -187,6 +189,26 @@ done:
        return authenticated;
 }
+void
+pubkey_auth_info(Authctxt *authctxt, const Key *key)
+{
+        char *fp;
+        if (key_is_cert(key)) {
+                fp = key_fingerprint(key->cert->signature_key,
+                    SSH_FP_MD5, SSH_FP_HEX);
+                auth_info(authctxt, "%s ID %s (serial %llu) CA %s %s", 
+                    key_type(key), key->cert->key_id,
+                    (unsigned long long)key->cert->serial,
+                    key_type(key->cert->signature_key), fp);
+                free(fp);
+        } else {
+                fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
+                auth_info(authctxt, "%s %s", key_type(key), fp);
+                free(fp);
+        }
+}
 static int
 match_principals_option(const char *principal_list, struct KeyCert *cert)
 {
@@ -280,11 +302,13 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
        char *fp;
        found_key = 0;
-        found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);
+        found = NULL;
        while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
                char *cp, *key_options = NULL;
+                if (found != NULL)
+                        key_free(found);
+                found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);
                auth_clear_options();
                /* Skip leading whitespace, empty and comment lines. */
@@ -362,16 +386,15 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
                        if (key_is_cert_authority)
                                continue;
                        found_key = 1;
-                        debug("matching key found: file %s, line %lu",
-                            file, linenum);
                        fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
-                        verbose("Found matching %s key: %s",
+                        debug("matching key found: file %s, line %lu %s %s",
-                            key_type(found), fp);
+                            file, linenum, key_type(found), fp);
                        free(fp);
                        break;
                }
        }
-        key_free(found);
+        if (found != NULL)
+                key_free(found);
        if (!found_key)
                debug2("key not found");
        return found_key;
author	Darren Tucker <dtucker@zip.com.au>	2013-06-02 07:32:00 +1000
committer	Darren Tucker <dtucker@zip.com.au>	2013-06-02 07:32:00 +1000
commit	74836ae0fabcc1a76b9d9eacd1629c88a054b2d0 (patch)
tree	d82e1ff85ed1f7d88daf3e31c98cc23a7b495bd3 /auth2-pubkey.c
parent	a627d42e51ffa71e014d7b2d2c07118122fd3ec3 (diff)

diff --git a/auth2-pubkey.c b/auth2-pubkey.c index 4c326df7a..45306f839 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: auth2-pubkey.c,v 1.36 2013/05/17 00:13:13 djm Exp $ */	1	/* $OpenBSD: auth2-pubkey.c,v 1.37 2013/05/19 02:38:28 djm Exp $ */
2	/*	2	/*
3	* Copyright (c) 2000 Markus Friedl. All rights reserved.	3	* Copyright (c) 2000 Markus Friedl. All rights reserved.
4	*	4	*
@@ -147,6 +147,8 @@ userauth_pubkey(Authctxt *authctxt)
147	#ifdef DEBUG_PK	147	#ifdef DEBUG_PK
148	buffer_dump(&b);	148	buffer_dump(&b);
149	#endif	149	#endif
		150	pubkey_auth_info(authctxt, key);
		151
150	/* test for correct signature */	152	/* test for correct signature */
151	authenticated = 0;	153	authenticated = 0;
152	if (PRIVSEP(user_key_allowed(authctxt->pw, key)) &&	154	if (PRIVSEP(user_key_allowed(authctxt->pw, key)) &&
@@ -187,6 +189,26 @@ done:
187	return authenticated;	189	return authenticated;
188	}	190	}
189		191
		192	void
		193	pubkey_auth_info(Authctxt authctxt, const Key key)
		194	{
		195	char *fp;
		196
		197	if (key_is_cert(key)) {
		198	fp = key_fingerprint(key->cert->signature_key,
		199	SSH_FP_MD5, SSH_FP_HEX);
		200	auth_info(authctxt, "%s ID %s (serial %llu) CA %s %s",
		201	key_type(key), key->cert->key_id,
		202	(unsigned long long)key->cert->serial,
		203	key_type(key->cert->signature_key), fp);
		204	free(fp);
		205	} else {
		206	fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
		207	auth_info(authctxt, "%s %s", key_type(key), fp);
		208	free(fp);
		209	}
		210	}
		211
190	static int	212	static int
191	match_principals_option(const char principal_list, struct KeyCert cert)	213	match_principals_option(const char principal_list, struct KeyCert cert)
192	{	214	{
@@ -280,11 +302,13 @@ check_authkeys_file(FILE f, char file, Key* key, struct passwd *pw)
280	char *fp;	302	char *fp;
281		303
282	found_key = 0;	304	found_key = 0;
283	found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);
284		305
		306	found = NULL;
285	while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {	307	while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
286	char cp, key_options = NULL;	308	char cp, key_options = NULL;
287		309	if (found != NULL)
		310	key_free(found);
		311	found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);
288	auth_clear_options();	312	auth_clear_options();
289		313
290	/* Skip leading whitespace, empty and comment lines. */	314	/* Skip leading whitespace, empty and comment lines. */
@@ -362,16 +386,15 @@ check_authkeys_file(FILE f, char file, Key* key, struct passwd *pw)
362	if (key_is_cert_authority)	386	if (key_is_cert_authority)
363	continue;	387	continue;
364	found_key = 1;	388	found_key = 1;
365	debug("matching key found: file %s, line %lu",
366	file, linenum);
367	fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);	389	fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
368	verbose("Found matching %s key: %s",	390	debug("matching key found: file %s, line %lu %s %s",
369	key_type(found), fp);	391	file, linenum, key_type(found), fp);
370	free(fp);	392	free(fp);
371	break;	393	break;
372	}	394	}
373	}	395	}
374	key_free(found);	396	if (found != NULL)
		397	key_free(found);
375	if (!found_key)	398	if (!found_key)
376	debug2("key not found");	399	debug2("key not found");
377	return found_key;	400	return found_key;