diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2016-09-14 05:42:25 +0000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2016-09-14 15:43:23 +1000 |
| commit | e7907c1cb938b96dd33d27c2fea72c4e08c6b2f6 (patch) | |
| tree | 67ec2f667bfccee49098e877a9ecfd8746cc23a0 /auth2-pubkey.c | |
| parent | 2b939c272a81c4d0c47badeedbcb2ba7c128ccda (diff) | |
upstream commit
add %-escapes to AuthorizedPrincipalsCommand to match those
supported for AuthorizedKeysCommand (key, key type, fingerprint, etc) and a
few more to provide access to the certificate's CA key; 'looks ok' dtucker@
Upstream-ID: 6b00fd446dbebe67f4e4e146d2e492d650ae04eb
Diffstat (limited to 'auth2-pubkey.c')
| -rw-r--r-- | auth2-pubkey.c | 40 |
1 files changed, 35 insertions, 5 deletions
diff --git a/auth2-pubkey.c b/auth2-pubkey.c index 41b34aed2..5e1b88900 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: auth2-pubkey.c,v 1.55 2016/01/27 00:53:12 djm Exp $ */ | 1 | /* $OpenBSD: auth2-pubkey.c,v 1.56 2016/09/14 05:42:25 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. |
| 4 | * | 4 | * |
| @@ -560,7 +560,7 @@ match_principals_option(const char *principal_list, struct sshkey_cert *cert) | |||
| 560 | 560 | ||
| 561 | static int | 561 | static int |
| 562 | process_principals(FILE *f, char *file, struct passwd *pw, | 562 | process_principals(FILE *f, char *file, struct passwd *pw, |
| 563 | struct sshkey_cert *cert) | 563 | const struct sshkey_cert *cert) |
| 564 | { | 564 | { |
| 565 | char line[SSH_MAX_PUBKEY_BYTES], *cp, *ep, *line_opts; | 565 | char line[SSH_MAX_PUBKEY_BYTES], *cp, *ep, *line_opts; |
| 566 | u_long linenum = 0; | 566 | u_long linenum = 0; |
| @@ -629,14 +629,16 @@ match_principals_file(char *file, struct passwd *pw, struct sshkey_cert *cert) | |||
| 629 | * returns 1 if the principal is allowed or 0 otherwise. | 629 | * returns 1 if the principal is allowed or 0 otherwise. |
| 630 | */ | 630 | */ |
| 631 | static int | 631 | static int |
| 632 | match_principals_command(struct passwd *user_pw, struct sshkey_cert *cert) | 632 | match_principals_command(struct passwd *user_pw, const struct sshkey *key) |
| 633 | { | 633 | { |
| 634 | const struct sshkey_cert *cert = key->cert; | ||
| 634 | FILE *f = NULL; | 635 | FILE *f = NULL; |
| 635 | int ok, found_principal = 0; | 636 | int r, ok, found_principal = 0; |
| 636 | struct passwd *pw; | 637 | struct passwd *pw; |
| 637 | int i, ac = 0, uid_swapped = 0; | 638 | int i, ac = 0, uid_swapped = 0; |
| 638 | pid_t pid; | 639 | pid_t pid; |
| 639 | char *tmp, *username = NULL, *command = NULL, **av = NULL; | 640 | char *tmp, *username = NULL, *command = NULL, **av = NULL; |
| 641 | char *ca_fp = NULL, *key_fp = NULL, *catext = NULL, *keytext = NULL; | ||
| 640 | void (*osigchld)(int); | 642 | void (*osigchld)(int); |
| 641 | 643 | ||
| 642 | if (options.authorized_principals_command == NULL) | 644 | if (options.authorized_principals_command == NULL) |
| @@ -674,10 +676,34 @@ match_principals_command(struct passwd *user_pw, struct sshkey_cert *cert) | |||
| 674 | command); | 676 | command); |
| 675 | goto out; | 677 | goto out; |
| 676 | } | 678 | } |
| 679 | if ((ca_fp = sshkey_fingerprint(cert->signature_key, | ||
| 680 | options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) { | ||
| 681 | error("%s: sshkey_fingerprint failed", __func__); | ||
| 682 | goto out; | ||
| 683 | } | ||
| 684 | if ((key_fp = sshkey_fingerprint(cert->signature_key, | ||
| 685 | options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) { | ||
| 686 | error("%s: sshkey_fingerprint failed", __func__); | ||
| 687 | goto out; | ||
| 688 | } | ||
| 689 | if ((r = sshkey_to_base64(cert->signature_key, &catext)) != 0) { | ||
| 690 | error("%s: sshkey_to_base64 failed: %s", __func__, ssh_err(r)); | ||
| 691 | goto out; | ||
| 692 | } | ||
| 693 | if ((r = sshkey_to_base64(key, &keytext)) != 0) { | ||
| 694 | error("%s: sshkey_to_base64 failed: %s", __func__, ssh_err(r)); | ||
| 695 | goto out; | ||
| 696 | } | ||
| 677 | for (i = 1; i < ac; i++) { | 697 | for (i = 1; i < ac; i++) { |
| 678 | tmp = percent_expand(av[i], | 698 | tmp = percent_expand(av[i], |
| 679 | "u", user_pw->pw_name, | 699 | "u", user_pw->pw_name, |
| 680 | "h", user_pw->pw_dir, | 700 | "h", user_pw->pw_dir, |
| 701 | "t", sshkey_ssh_name(key), | ||
| 702 | "T", sshkey_ssh_name(cert->signature_key), | ||
| 703 | "f", key_fp, | ||
| 704 | "F", ca_fp, | ||
| 705 | "k", keytext, | ||
| 706 | "K", catext, | ||
| 681 | (char *)NULL); | 707 | (char *)NULL); |
| 682 | if (tmp == NULL) | 708 | if (tmp == NULL) |
| 683 | fatal("%s: percent_expand failed", __func__); | 709 | fatal("%s: percent_expand failed", __func__); |
| @@ -712,6 +738,10 @@ match_principals_command(struct passwd *user_pw, struct sshkey_cert *cert) | |||
| 712 | restore_uid(); | 738 | restore_uid(); |
| 713 | free(command); | 739 | free(command); |
| 714 | free(username); | 740 | free(username); |
| 741 | free(ca_fp); | ||
| 742 | free(key_fp); | ||
| 743 | free(catext); | ||
| 744 | free(keytext); | ||
| 715 | return found_principal; | 745 | return found_principal; |
| 716 | } | 746 | } |
| 717 | /* | 747 | /* |
| @@ -863,7 +893,7 @@ user_cert_trusted_ca(struct passwd *pw, Key *key) | |||
| 863 | found_principal = 1; | 893 | found_principal = 1; |
| 864 | } | 894 | } |
| 865 | /* Try querying command if specified */ | 895 | /* Try querying command if specified */ |
| 866 | if (!found_principal && match_principals_command(pw, key->cert)) | 896 | if (!found_principal && match_principals_command(pw, key)) |
| 867 | found_principal = 1; | 897 | found_principal = 1; |
| 868 | /* If principals file or command is specified, then require a match */ | 898 | /* If principals file or command is specified, then require a match */ |
| 869 | use_authorized_principals = principals_file != NULL || | 899 | use_authorized_principals = principals_file != NULL || |