author | joe <joe@jerkface.net> | 2016-04-22 01:00:23 -0400 |
committer | Andrew Cady <d@jerkface.net> | 2021-03-13 10:46:55 -0500 |
commit | 989d38d6be766bff5002f169e05385f95020940b (patch) | |
tree | abbdfa58d45d3ee4c9a06675778e93d98b00f829 /auth2-pubkey.c | |
parent | 32717238e7587949cb2799136fd15d6fcea5341c (diff) |
Added wildcard authorization for authorized_keys.
Diffstat (limited to 'auth2-pubkey.c')
-rw-r--r-- | auth2-pubkey.c | 34 |
1 files changed, 33 insertions, 1 deletions
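--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -69,6 +69,7 @@
 #include "channels.h" /* XXX for session.h */
 #include "session.h" /* XXX for child_set_env(); refactor? */
 #include "sk-api.h"
+#include "digest.h"
 
 /* import */
 extern ServerOptions options;
@@ -604,6 +605,8 @@ check_authkey_line(struct ssh *ssh, struct passwd *pw, struct sshkey *key,
 
 /* XXX djm: peek at key type in line and skip if unwanted */
 
+int wild = 0;
+
 if (sshkey_read(found, &cp) != 0) {
 /* no key? check for options */
 debug2("%s: check options: '%s'", loc, cp);
@@ -613,7 +616,10 @@ check_authkey_line(struct ssh *ssh, struct passwd *pw, struct sshkey *key,
 goto fail_reason;
 }
 skip_space(&cp);
-if (sshkey_read(found, &cp) != 0) {
+if (*cp == '*' && (cp[1] == ' ' || cp[1] == '\n' || cp[1] == '\t' || cp[1] == '\0')) {
+cp += 2;
+wild = 1;
+} else if (sshkey_read(found, &cp) != 0) {
 /* still no key? advance to next line*/
 debug2("%s: advance: '%s'", loc, cp);
 goto out;
@@ -625,6 +631,32 @@ check_authkey_line(struct ssh *ssh, struct passwd *pw, struct sshkey *key,
 auth_debug_add("%s: bad key options: %s", loc, reason);
 goto out;
 }
+
+if (wild) {
+int r;
+char *keytext = NULL;
+if ((r = sshkey_to_base64(key, &keytext)) != 0) {
+error("%s: sshkey_to_base64 failed: %s", __func__, ssh_err(r));
+goto out;
+}
+if (!keyopts->force_command) {
+reason = "Wildcard login is not allowed without specifying a forced command";
+goto fail_reason;
+}
+
+wildcard_match = keytext;
+wildcard_fingerprint = sshkey_fingerprint(key, SSH_DIGEST_SHA256, SSH_FP_HEX);
+
+verbose("Accepted wildcard authorization for %s key %s with forced_command=%s",
+sshkey_type(key),
+wildcard_fingerprint,
+keyopts->force_command);
+
+finalopts = keyopts;
+keyopts = NULL;
+goto success;
+}
+
 /* Ignore keys that don't match or incorrectly marked as CAs */
 if (sshkey_is_cert(key)) {
 /* Certificate; check signature key against CA */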
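Review bot: In the new `if (wild)` block (new lines 635–658), `keytext` is allocated by `sshkey_to_base64()` before the `force_command` test, so the `goto fail_reason` at 644 leaks it; moving the `force_command` test ahead of the allocation removes the leak. `sshkey_fingerprint()` at 648 returns NULL on failure, and the unchecked result is both stored in `wildcard_fingerprint` and passed to the `%s` in `verbose()`; the line should fail instead of proceeding with a NULL fingerprint. In the third hunk, `cp += 2` at new line 620 steps past the terminator when `cp[1] == '\0'`; `cp++; skip_space(&cp);` handles all four accepted separators without overrunning the string. Because this path accepts any presented key, the `verbose()` call is the only record that a wildcard entry was used, so it is worth also emitting `auth_debug_add()` with `loc` so the matching authorized_keys line is attributable. `wildcard_match`, `wildcard_fingerprint` and the `success:` label are declared outside the hunk and the function's cleanup is not visible here, so whether a previously assigned `wildcard_match` is freed before being overwritten cannot be confirmed from this diff.
```c
	if (wild) {
		int r;
		char *keytext = NULL;
		if (!keyopts->force_command) {
			reason = "Wildcard login is not allowed without specifying a forced command";
			goto fail_reason;
		}
		if ((r = sshkey_to_base64(key, &keytext)) != 0) {
			error("%s: sshkey_to_base64 failed: %s", __func__, ssh_err(r));
			goto out;
		}
		if ((wildcard_fingerprint = sshkey_fingerprint(key,
		    SSH_DIGEST_SHA256, SSH_FP_HEX)) == NULL) {
			error("%s: sshkey_fingerprint failed", __func__);
			free(keytext);
			goto out;
		}
		wildcard_match = keytext;
		/* … unchanged: verbose() log, finalopts handoff, goto success … */
	}
```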