diff options
| author | Colin Watson <cjwatson@debian.org> | 2011-09-06 14:56:29 +0100 |
|---|---|---|
| committer | Colin Watson <cjwatson@debian.org> | 2011-09-06 14:56:29 +0100 |
| commit | 978e62d6f14c60747bddef2cc72d66a9c8b83b54 (patch) | |
| tree | 89400a44e42d84937deba7864e4964d6c7734da5 /auth2-pubkey.c | |
| parent | 87c685b8c6a49814fd782288097b3093f975aa72 (diff) | |
| parent | 3a7e89697ca363de0f64e0d5704c57219294e41c (diff) | |
* New upstream release (http://www.openssh.org/txt/release-5.9).
- Introduce sandboxing of the pre-auth privsep child using an optional
sshd_config(5) "UsePrivilegeSeparation=sandbox" mode that enables
mandatory restrictions on the syscalls the privsep child can perform.
- Add new SHA256-based HMAC transport integrity modes from
http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-02.txt.
- The pre-authentication sshd(8) privilege separation slave process now
logs via a socket shared with the master process, avoiding the need to
maintain /dev/log inside the chroot (closes: #75043, #429243,
#599240).
- ssh(1) now warns when a server refuses X11 forwarding (closes:
#504757).
- sshd_config(5)'s AuthorizedKeysFile now accepts multiple paths,
separated by whitespace (closes: #76312). The authorized_keys2
fallback is deprecated but documented (closes: #560156).
- ssh(1) and sshd(8): set IPv6 traffic class from IPQoS, as well as IPv4
ToS/DSCP (closes: #498297).
- ssh-add(1) now accepts keys piped from standard input. E.g. "ssh-add
- < /path/to/key" (closes: #229124).
- Clean up lost-passphrase text in ssh-keygen(1) (closes: #444691).
- Say "required" rather than "recommended" in unprotected-private-key
warning (LP: #663455).
Diffstat (limited to 'auth2-pubkey.c')
| -rw-r--r-- | auth2-pubkey.c | 19 |
1 files changed, 8 insertions, 11 deletions
diff --git a/auth2-pubkey.c b/auth2-pubkey.c index dbf0d0d22..a1d31e930 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: auth2-pubkey.c,v 1.27 2010/11/20 05:12:38 deraadt Exp $ */ | 1 | /* $OpenBSD: auth2-pubkey.c,v 1.29 2011/05/23 03:30:07 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. |
| 4 | * | 4 | * |
| @@ -440,7 +440,7 @@ user_cert_trusted_ca(struct passwd *pw, Key *key) | |||
| 440 | int | 440 | int |
| 441 | user_key_allowed(struct passwd *pw, Key *key) | 441 | user_key_allowed(struct passwd *pw, Key *key) |
| 442 | { | 442 | { |
| 443 | int success; | 443 | u_int success, i; |
| 444 | char *file; | 444 | char *file; |
| 445 | 445 | ||
| 446 | if (auth_key_is_revoked(key, 0)) | 446 | if (auth_key_is_revoked(key, 0)) |
| @@ -453,16 +453,13 @@ user_key_allowed(struct passwd *pw, Key *key) | |||
| 453 | if (success) | 453 | if (success) |
| 454 | return success; | 454 | return success; |
| 455 | 455 | ||
| 456 | file = authorized_keys_file(pw); | 456 | for (i = 0; !success && i < options.num_authkeys_files; i++) { |
| 457 | success = user_key_allowed2(pw, key, file); | 457 | file = expand_authorized_keys( |
| 458 | xfree(file); | 458 | options.authorized_keys_files[i], pw); |
| 459 | if (success) | 459 | success = user_key_allowed2(pw, key, file); |
| 460 | return success; | 460 | xfree(file); |
| 461 | } | ||
| 461 | 462 | ||
| 462 | /* try suffix "2" for backward compat, too */ | ||
| 463 | file = authorized_keys_file2(pw); | ||
| 464 | success = user_key_allowed2(pw, key, file); | ||
| 465 | xfree(file); | ||
| 466 | return success; | 463 | return success; |
| 467 | } | 464 | } |
| 468 | 465 | ||