diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2019-06-14 03:39:59 +0000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2019-06-14 13:42:31 +1000 |
| commit | c95b90d40170473825904be561b1eafba354f376 (patch) | |
| tree | b3d7fff27ab43df4ee994a359bfc4c7fdf4acc94 /auth2-pubkey.c | |
| parent | a5a53914989ddd3521b6edc452bc3291784a4f4f (diff) | |
upstream: for public key authentication, check AuthorizedKeysFiles
files before consulting AuthorizedKeysCommand; ok dtucker markus
OpenBSD-Commit-ID: 13652998bea5cb93668999c39c3c48e8429db8b3
Diffstat (limited to 'auth2-pubkey.c')
| -rw-r--r-- | auth2-pubkey.c | 29 |
1 files changed, 18 insertions, 11 deletions
diff --git a/auth2-pubkey.c b/auth2-pubkey.c index 3422b518b..4e01b6055 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: auth2-pubkey.c,v 1.88 2019/05/20 00:25:55 djm Exp $ */ | 1 | /* $OpenBSD: auth2-pubkey.c,v 1.89 2019/06/14 03:39:59 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. |
| 4 | * | 4 | * |
| @@ -1014,9 +1014,10 @@ int | |||
| 1014 | user_key_allowed(struct ssh *ssh, struct passwd *pw, struct sshkey *key, | 1014 | user_key_allowed(struct ssh *ssh, struct passwd *pw, struct sshkey *key, |
| 1015 | int auth_attempt, struct sshauthopt **authoptsp) | 1015 | int auth_attempt, struct sshauthopt **authoptsp) |
| 1016 | { | 1016 | { |
| 1017 | u_int success, i; | 1017 | u_int success = 0, i; |
| 1018 | char *file; | 1018 | char *file; |
| 1019 | struct sshauthopt *opts = NULL; | 1019 | struct sshauthopt *opts = NULL; |
| 1020 | |||
| 1020 | if (authoptsp != NULL) | 1021 | if (authoptsp != NULL) |
| 1021 | *authoptsp = NULL; | 1022 | *authoptsp = NULL; |
| 1022 | 1023 | ||
| @@ -1026,6 +1027,21 @@ user_key_allowed(struct ssh *ssh, struct passwd *pw, struct sshkey *key, | |||
| 1026 | auth_key_is_revoked(key->cert->signature_key)) | 1027 | auth_key_is_revoked(key->cert->signature_key)) |
| 1027 | return 0; | 1028 | return 0; |
| 1028 | 1029 | ||
| 1030 | for (i = 0; !success && i < options.num_authkeys_files; i++) { | ||
| 1031 | if (strcasecmp(options.authorized_keys_files[i], "none") == 0) | ||
| 1032 | continue; | ||
| 1033 | file = expand_authorized_keys( | ||
| 1034 | options.authorized_keys_files[i], pw); | ||
| 1035 | success = user_key_allowed2(ssh, pw, key, file, &opts); | ||
| 1036 | free(file); | ||
| 1037 | if (!success) { | ||
| 1038 | sshauthopt_free(opts); | ||
| 1039 | opts = NULL; | ||
| 1040 | } | ||
| 1041 | } | ||
| 1042 | if (success) | ||
| 1043 | goto out; | ||
| 1044 | |||
| 1029 | if ((success = user_cert_trusted_ca(ssh, pw, key, &opts)) != 0) | 1045 | if ((success = user_cert_trusted_ca(ssh, pw, key, &opts)) != 0) |
| 1030 | goto out; | 1046 | goto out; |
| 1031 | sshauthopt_free(opts); | 1047 | sshauthopt_free(opts); |
| @@ -1036,15 +1052,6 @@ user_key_allowed(struct ssh *ssh, struct passwd *pw, struct sshkey *key, | |||
| 1036 | sshauthopt_free(opts); | 1052 | sshauthopt_free(opts); |
| 1037 | opts = NULL; | 1053 | opts = NULL; |
| 1038 | 1054 | ||
| 1039 | for (i = 0; !success && i < options.num_authkeys_files; i++) { | ||
| 1040 | if (strcasecmp(options.authorized_keys_files[i], "none") == 0) | ||
| 1041 | continue; | ||
| 1042 | file = expand_authorized_keys( | ||
| 1043 | options.authorized_keys_files[i], pw); | ||
| 1044 | success = user_key_allowed2(ssh, pw, key, file, &opts); | ||
| 1045 | free(file); | ||
| 1046 | } | ||
| 1047 | |||
| 1048 | out: | 1055 | out: |
| 1049 | if (success && authoptsp != NULL) { | 1056 | if (success && authoptsp != NULL) { |
| 1050 | *authoptsp = opts; | 1057 | *authoptsp = opts; |