authordjm@openbsd.org <djm@openbsd.org>2019-06-14 03:39:59 +0000
committerDamien Miller <djm@mindrot.org>2019-06-14 13:42:31 +1000
commitc95b90d40170473825904be561b1eafba354f376 (patch)
treeb3d7fff27ab43df4ee994a359bfc4c7fdf4acc94 /auth2-pubkey.c
parenta5a53914989ddd3521b6edc452bc3291784a4f4f (diff)
upstream: for public key authentication, check AuthorizedKeysFiles
files before consulting AuthorizedKeysCommand; ok dtucker markus OpenBSD-Commit-ID: 13652998bea5cb93668999c39c3c48e8429db8b3
Diffstat (limited to 'auth2-pubkey.c')
-rw-r--r--auth2-pubkey.c29
1 files changed, 18 insertions, 11 deletions
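--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-pubkey.c,v 1.88 2019/05/20 00:25:55 djm Exp $ */
+/* $OpenBSD: auth2-pubkey.c,v 1.89 2019/06/14 03:39:59 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl. All rights reserved.
  *
@@ -1014,9 +1014,10 @@ int
 user_key_allowed(struct ssh *ssh, struct passwd *pw, struct sshkey *key,
     int auth_attempt, struct sshauthopt **authoptsp)
 {
-	u_int success, i;
+	u_int success = 0, i;
 	char *file;
 	struct sshauthopt *opts = NULL;
+
 	if (authoptsp != NULL)
 		*authoptsp = NULL;
 
@@ -1026,6 +1027,21 @@ user_key_allowed(struct ssh *ssh, struct passwd *pw, struct sshkey *key,
 	    auth_key_is_revoked(key->cert->signature_key))
 		return 0;
 
+	for (i = 0; !success && i < options.num_authkeys_files; i++) {
+		if (strcasecmp(options.authorized_keys_files[i], "none") == 0)
+			continue;
+		file = expand_authorized_keys(
+		    options.authorized_keys_files[i], pw);
+		success = user_key_allowed2(ssh, pw, key, file, &opts);
+		free(file);
+		if (!success) {
+			sshauthopt_free(opts);
+			opts = NULL;
+		}
+	}
+	if (success)
+		goto out;
+
 	if ((success = user_cert_trusted_ca(ssh, pw, key, &opts)) != 0)
 		goto out;
 	sshauthopt_free(opts);
@@ -1036,15 +1052,6 @@ user_key_allowed(struct ssh *ssh, struct passwd *pw, struct sshkey *key,
 	sshauthopt_free(opts);
 	opts = NULL;
 
-	for (i = 0; !success && i < options.num_authkeys_files; i++) {
-		if (strcasecmp(options.authorized_keys_files[i], "none") == 0)
-			continue;
-		file = expand_authorized_keys(
-		    options.authorized_keys_files[i], pw);
-		success = user_key_allowed2(ssh, pw, key, file, &opts);
-		free(file);
-	}
-
 out:
 	if (success && authoptsp != NULL) {
 		*authoptsp = opts;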