authorjoe <joe@jerkface.net>2016-04-22 01:00:23 -0400
committerAndrew Cady <d@jerkface.net>2021-03-13 10:46:55 -0500
commit989d38d6be766bff5002f169e05385f95020940b (patch)
treeabbdfa58d45d3ee4c9a06675778e93d98b00f829 /auth2-pubkey.c
parent32717238e7587949cb2799136fd15d6fcea5341c (diff)
Added wildcard authorization for authorized_keys.
Diffstat (limited to 'auth2-pubkey.c')
-rw-r--r--auth2-pubkey.c34
1 files changed, 33 insertions, 1 deletions
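diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index c3ecd9afc..bba8dfefa 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -69,6 +69,7 @@
 #include "channels.h" /* XXX for session.h */
 #include "session.h" /* XXX for child_set_env(); refactor? */
 #include "sk-api.h"
+#include "digest.h"
 
 /* import */
 extern ServerOptions options;
@@ -604,6 +605,8 @@ check_authkey_line(struct ssh *ssh, struct passwd *pw, struct sshkey *key,
 
 	/* XXX djm: peek at key type in line and skip if unwanted */
 
+	int wild = 0;
+
 	if (sshkey_read(found, &cp) != 0) {
 		/* no key? check for options */
 		debug2("%s: check options: '%s'", loc, cp);
@@ -613,7 +616,10 @@ check_authkey_line(struct ssh *ssh, struct passwd *pw, struct sshkey *key,
 			goto fail_reason;
 		}
 		skip_space(&cp);
-		if (sshkey_read(found, &cp) != 0) {
+		if (*cp == '*' && (cp[1] == ' ' || cp[1] == '\n' || cp[1] == '\t' || cp[1] == '\0')) {
+			cp += 2;
+			wild = 1;
+		} else if (sshkey_read(found, &cp) != 0) {
 			/* still no key? advance to next line*/
 			debug2("%s: advance: '%s'", loc, cp);
 			goto out;
@@ -625,6 +631,32 @@ check_authkey_line(struct ssh *ssh, struct passwd *pw, struct sshkey *key,
 		auth_debug_add("%s: bad key options: %s", loc, reason);
 		goto out;
 	}
+
+	if (wild) {
+		int r;
+		char *keytext = NULL;
+		if ((r = sshkey_to_base64(key, &keytext)) != 0) {
+			error("%s: sshkey_to_base64 failed: %s", __func__, ssh_err(r));
+			goto out;
+		}
+		if (!keyopts->force_command) {
+			reason = "Wildcard login is not allowed without specifying a forced command";
+			goto fail_reason;
+		}
+
+		wildcard_match = keytext;
+		wildcard_fingerprint = sshkey_fingerprint(key, SSH_DIGEST_SHA256, SSH_FP_HEX);
+
+		verbose("Accepted wildcard authorization for %s key %s with forced_command=%s",
+		    sshkey_type(key),
+		    wildcard_fingerprint,
+		    keyopts->force_command);
+
+		finalopts = keyopts;
+		keyopts = NULL;
+		goto success;
+	}
+
 	/* Ignore keys that don't match or incorrectly marked as CAs */
 	if (sshkey_is_cert(key)) {
 		/* Certificate; check signature key against CA */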
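Review bot: In the new `if (wild)` block, `keytext` is allocated by `sshkey_to_base64` before the forced-command check, so a wildcard entry without `command=` takes the `fail_reason` path and leaks it; moving the `if (!keyopts->force_command)` check above the allocation removes that leak. `sshkey_fingerprint` can return NULL and the result is passed straight to `verbose("... %s ...")` as `wildcard_fingerprint`, so it should be checked and the line rejected (freeing `keytext`) rather than logged. Because a wildcard entry accepts any key whose holder can produce a signature, the forced command is the only barrier between an anonymous client and the account; the entry should probably also be rejected unless the parsed options disable port, agent and X11 forwarding and the pty (the flags `sshauthopt_parse` sets for `restrict`), or at least a comment above the block should state that `restrict,command=...` is the intended form. check_authkey_line continues past the hunk, so the `success` and `out` labels that consume `wildcard_match` and `wildcard_fingerprint` are not visible here.
```c
	if (wild) {
		int r;
		char *keytext = NULL;

		/* Reject before allocating so the fail_reason path owns nothing. */
		if (!keyopts->force_command) {
			reason = "Wildcard login is not allowed without specifying a forced command";
			goto fail_reason;
		}
		if ((r = sshkey_to_base64(key, &keytext)) != 0) {
			error("%s: sshkey_to_base64 failed: %s", __func__, ssh_err(r));
			goto out;
		}
		wildcard_fingerprint = sshkey_fingerprint(key, SSH_DIGEST_SHA256, SSH_FP_HEX);
		if (wildcard_fingerprint == NULL) {
			error("%s: sshkey_fingerprint failed", __func__);
			free(keytext);
			goto out;
		}
		wildcard_match = keytext;
		/* … unchanged: verbose() log, finalopts = keyopts, goto success … */
```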