path: root/auth2-pubkey.c
authordjm@openbsd.org <djm@openbsd.org>2017-06-24 06:34:38 +0000
committerDamien Miller <djm@mindrot.org>2017-06-24 16:56:11 +1000
commit8f574959272ac7fe9239c4f5d10fd913f8920ab0 (patch)
tree51ab66a6011af6459e0d4ca15a4b4b78368607a1 /auth2-pubkey.c
parente2004d4bb7eb01c663dd3a3e7eb224f1ccdc9bba (diff)
upstream commit
refactor authentication logging; optionally record successful auth methods and public credentials used in a file accessible to user sessions. feedback and ok markus@ Upstream-ID: 090b93036967015717b9a54fd0467875ae9d32fb
Diffstat (limited to 'auth2-pubkey.c')
-rw-r--r--auth2-pubkey.c80
1 files changed, 4 insertions, 76 deletions
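--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-pubkey.c,v 1.67 2017/05/31 10:54:00 markus Exp $ */
+/* $OpenBSD: auth2-pubkey.c,v 1.68 2017/06/24 06:34:38 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl. All rights reserved.
  *
@@ -137,7 +137,7 @@ userauth_pubkey(struct ssh *ssh)
 		goto done;
 	}
 	fp = sshkey_fingerprint(key, options.fingerprint_hash, SSH_FP_DEFAULT);
-	if (auth2_userkey_already_used(authctxt, key)) {
+	if (auth2_key_already_used(authctxt, key)) {
 		logit("refusing previously-used %s key", sshkey_type(key));
 		goto done;
 	}
@@ -194,7 +194,6 @@ userauth_pubkey(struct ssh *ssh)
 #ifdef DEBUG_PK
 		sshbuf_dump(b, stderr);
 #endif
-		pubkey_auth_info(authctxt, key, NULL);
 
 		/* test for correct signature */
 		authenticated = 0;
@@ -202,12 +201,10 @@ userauth_pubkey(struct ssh *ssh)
 		    PRIVSEP(sshkey_verify(key, sig, slen, sshbuf_ptr(b),
 		    sshbuf_len(b), ssh->compat)) == 0) {
 			authenticated = 1;
-			/* Record the successful key to prevent reuse */
-			auth2_record_userkey(authctxt, key);
-			key = NULL; /* Don't free below */
 		}
 		sshbuf_free(b);
 		free(sig);
+		auth2_record_key(authctxt, authenticated, key);
 	} else {
 		debug("%s: test whether pkalg/pkblob are acceptable for %s %s",
 		    __func__, sshkey_type(key), fp);
@@ -237,8 +234,7 @@ userauth_pubkey(struct ssh *ssh)
 	auth_clear_options();
 done:
 	debug2("%s: authenticated %d pkalg %s", __func__, authenticated, pkalg);
-	if (key != NULL)
-		sshkey_free(key);
+	sshkey_free(key);
 	free(userstyle);
 	free(pkalg);
 	free(pkblob);
@@ -246,44 +242,6 @@ done:
 	return authenticated;
 }
 
-void
-pubkey_auth_info(Authctxt *authctxt, const struct sshkey *key,
-    const char *fmt, ...)
-{
-	char *fp, *extra;
-	va_list ap;
-	int i;
-
-	extra = NULL;
-	if (fmt != NULL) {
-		va_start(ap, fmt);
-		i = vasprintf(&extra, fmt, ap);
-		va_end(ap);
-		if (i < 0 || extra == NULL)
-			fatal("%s: vasprintf failed", __func__);
-	}
-
-	if (sshkey_is_cert(key)) {
-		fp = sshkey_fingerprint(key->cert->signature_key,
-		    options.fingerprint_hash, SSH_FP_DEFAULT);
-		auth_info(authctxt, "%s ID %s (serial %llu) CA %s %s%s%s",
-		    sshkey_type(key), key->cert->key_id,
-		    (unsigned long long)key->cert->serial,
-		    sshkey_type(key->cert->signature_key),
-		    fp == NULL ? "(null)" : fp,
-		    extra == NULL ? "" : ", ", extra == NULL ? "" : extra);
-		free(fp);
-	} else {
-		fp = sshkey_fingerprint(key, options.fingerprint_hash,
-		    SSH_FP_DEFAULT);
-		auth_info(authctxt, "%s %s%s%s", sshkey_type(key),
-		    fp == NULL ? "(null)" : fp,
-		    extra == NULL ? "" : ", ", extra == NULL ? "" : extra);
-		free(fp);
-	}
-	free(extra);
-}
-
 /*
  * Splits 's' into an argument vector. Handles quoted string and basic
  * escape characters (\\, \", \'). Caller must free the argument vector
@@ -1148,36 +1106,6 @@ user_key_allowed(struct passwd *pw, struct sshkey *key, int auth_attempt)
 	return success;
 }
 
-/* Records a public key in the list of previously-successful keys */
-void
-auth2_record_userkey(Authctxt *authctxt, struct sshkey *key)
-{
-	struct sshkey **tmp;
-
-	if (authctxt->nprev_userkeys >= INT_MAX ||
-	    (tmp = recallocarray(authctxt->prev_userkeys,
-	    authctxt->nprev_userkeys, authctxt->nprev_userkeys + 1,
-	    sizeof(*tmp))) == NULL)
-		fatal("%s: recallocarray failed", __func__);
-	authctxt->prev_userkeys = tmp;
-	authctxt->prev_userkeys[authctxt->nprev_userkeys] = key;
-	authctxt->nprev_userkeys++;
-}
-
-/* Checks whether a key has already been used successfully for authentication */
-int
-auth2_userkey_already_used(Authctxt *authctxt, struct sshkey *key)
-{
-	u_int i;
-
-	for (i = 0; i < authctxt->nprev_userkeys; i++) {
-		if (sshkey_equal_public(key, authctxt->prev_userkeys[i])) {
-			return 1;
-		}
-	}
-	return 0;
-}
-
 Authmethod method_pubkey = {
 	"publickey",
 	userauth_pubkey,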
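Review bot: The ownership of `key` across the new `auth2_record_key(authctxt, authenticated, key);` (new line 207) is no longer visible at the call site: the removed code handed the pointer to the reuse list and nulled `key` so the `done:` label would not free it, whereas the new code records the key and then frees it unconditionally at new line 237 (`sshkey_free(key);`). That is only safe if auth2_record_key(), which lives outside this file, stores its own copy rather than the pointer; presumably it does, since the old dangling-free guard was deliberately dropped, but nothing in this hunk shows it. A one-line comment at the call would make the contract explicit for the next reader, e.g. `/* auth2_record_key() keeps its own copy; key is still freed at done: */`. Note also that the call now runs for failed verifications too (authenticated == 0), so the record side should be documented as seeing both outcomes. The enclosing userauth_pubkey() starts before the first hunk and its done: cleanup continues past the fourth.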