author | Damien Miller <djm@mindrot.org> | 2000-11-13 22:57:25 +1100 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2000-11-13 22:57:25 +1100 |
commit | 0bc1bd814e3c2b5e92d6f595930051960d17f47f (patch) | |
tree | 176c7dc2844ecc2c1de0f72d221449556ffa5209 /auth2.c | |
parent | 559d383037b0872fcde4e6c40188b649c574be74 (diff) |
- (djm) Merge OpenBSD changes:
- markus@cvs.openbsd.org 2000/11/06 16:04:56
[channels.c channels.h clientloop.c nchan.c serverloop.c]
[session.c ssh.c]
agent forwarding and -R for ssh2, based on work from
jhuuskon@messi.uku.fi
- markus@cvs.openbsd.org 2000/11/06 16:13:27
[ssh.c sshconnect.c sshd.c]
do not disable rhosts(rsa) if server port > 1024; from
pekkas@netcore.fi
- markus@cvs.openbsd.org 2000/11/06 16:16:35
[sshconnect.c]
downgrade client to 1.3 if server is 1.4; help from mdb@juniper.net
- markus@cvs.openbsd.org 2000/11/09 18:04:40
[auth1.c]
typo; from mouring@pconline.com
- markus@cvs.openbsd.org 2000/11/12 12:03:28
[ssh-agent.c]
off-by-one when removing a key from the agent
- markus@cvs.openbsd.org 2000/11/12 12:50:39
[auth-rh-rsa.c auth2.c authfd.c authfd.h]
[authfile.c hostfile.c kex.c kex.h key.c key.h myproposal.h]
[readconf.c readconf.h rsa.c rsa.h servconf.c servconf.h ssh-add.c]
[ssh-agent.c ssh-keygen.1 ssh-keygen.c ssh.1 ssh.c ssh_config]
[sshconnect1.c sshconnect2.c sshd.8 sshd.c sshd_config ssh-dss.c]
[ssh-dss.h ssh-rsa.c ssh-rsa.h dsa.c dsa.h]
add support for RSA to SSH2. please test.
there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.
you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.
SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.
- (djm) Fix up Makefile and Redhat init script to create RSA host keys
- (djm) Change to interim version
Diffstat (limited to 'auth2.c')
-rw-r--r-- | auth2.c | 38 |
1 files changed, 19 insertions, 19 deletions
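--- a/auth2.c
+++ b/auth2.c
@@ -23,7 +23,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth2.c,v 1.20 2000/10/14 12:16:56 markus Exp $");
+RCSID("$OpenBSD: auth2.c,v 1.21 2000/11/12 19:50:37 markus Exp $");
 
 #ifdef HAVE_OSF_SIA
 # include <sia.h>
@@ -52,7 +52,6 @@ RCSID("$OpenBSD: auth2.c,v 1.20 2000/10/14 12:16:56 markus Exp $");
 #include "key.h"
 #include "kex.h"
 
-#include "dsa.h"
 #include "uidswap.h"
 #include "auth-options.h"
 
@@ -89,7 +88,7 @@ void protocol_error(int type, int plen, void *ctxt);
 /* helper */
 Authmethod *authmethod_lookup(const char *name);
 struct passwd *pwcopy(struct passwd *pw);
-int user_dsa_key_allowed(struct passwd *pw, Key *key);
+int user_key_allowed(struct passwd *pw, Key *key);
 char *authmethods_get(void);
 
 /* auth */
@@ -104,7 +103,7 @@ Authmethod authmethods[] = {
 &one},
 {"publickey",
 userauth_pubkey,
-&options.dsa_authentication},
+&options.pubkey_authentication},
 {"keyboard-interactive",
 userauth_kbdint,
 &options.kbd_interactive_authentication},
@@ -422,7 +421,7 @@ userauth_pubkey(Authctxt *authctxt)
 Key *key;
 char *pkalg, *pkblob, *sig;
 unsigned int alen, blen, slen;
-int have_sig;
+int have_sig, pktype;
 int authenticated = 0;
 
 if (!authctxt->valid) {
@@ -431,13 +430,14 @@ userauth_pubkey(Authctxt *authctxt)
 }
 have_sig = packet_get_char();
 pkalg = packet_get_string(&alen);
-if (strcmp(pkalg, KEX_DSS) != 0) {
-log("bad pkalg %s", pkalg); /*XXX*/
+pktype = key_type_from_name(pkalg);
+if (pktype == KEY_UNSPEC) {
+log("bad pkalg %s", pkalg);
 xfree(pkalg);
 return 0;
 }
 pkblob = packet_get_string(&blen);
-key = dsa_key_from_blob(pkblob, blen);
+key = key_from_blob(pkblob, blen);
 if (key != NULL) {
 if (have_sig) {
 sig = packet_get_string(&slen);
@@ -457,14 +457,14 @@ userauth_pubkey(Authctxt *authctxt)
 authctxt->service);
 buffer_put_cstring(&b, "publickey");
 buffer_put_char(&b, have_sig);
-buffer_put_cstring(&b, KEX_DSS);
+buffer_put_cstring(&b, key_ssh_name(key));
 buffer_put_string(&b, pkblob, blen);
-#ifdef DEBUG_DSS
+#ifdef DEBUG_PK
 buffer_dump(&b);
 #endif
 /* test for correct signature */
-if (user_dsa_key_allowed(authctxt->pw, key) &&
-dsa_verify(key, sig, slen, buffer_ptr(&b), buffer_len(&b)) == 1)
+if (user_key_allowed(authctxt->pw, key) &&
+key_verify(key, sig, slen, buffer_ptr(&b), buffer_len(&b)) == 1)
 authenticated = 1;
 buffer_clear(&b);
 xfree(sig);
@@ -480,7 +480,7 @@ userauth_pubkey(Authctxt *authctxt)
 * if a user is not allowed to login. is this an
 * issue? -markus
 */
-if (user_dsa_key_allowed(authctxt->pw, key)) {
+if (user_key_allowed(authctxt->pw, key)) {
 packet_start(SSH2_MSG_USERAUTH_PK_OK);
 packet_put_string(pkalg, alen);
 packet_put_string(pkblob, blen);
@@ -493,6 +493,7 @@ userauth_pubkey(Authctxt *authctxt)
 auth_clear_options();
 key_free(key);
 }
+debug2("userauth_pubkey: authenticated %d pkalg %s", authenticated, pkalg);
 xfree(pkalg);
 xfree(pkblob);
 #ifdef HAVE_CYGWIN
@@ -560,11 +561,10 @@ authmethod_lookup(const char *name)
 
 /* return 1 if user allows given key */
 int
-user_dsa_key_allowed(struct passwd *pw, Key *key)
+user_key_allowed(struct passwd *pw, Key *key)
 {
 char line[8192], file[1024];
 int found_key = 0;
-unsigned int bits = -1;
 FILE *f;
 unsigned long linenum = 0;
 struct stat st;
@@ -645,10 +645,10 @@ user_dsa_key_allowed(struct passwd *pw, Key *key)
 if (!*cp || *cp == '\n' || *cp == '#')
 continue;
 
-bits = key_read(found, &cp);
-if (bits == 0) {
+if (key_read(found, &cp) == -1) {
 /* no key? check if there are options for this key */
 int quoted = 0;
+debug2("user_key_allowed: check options: '%s'", cp);
 options = cp;
 for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) {
 if (*cp == '\\' && cp[1] == '"')
@@ -659,8 +659,8 @@ user_dsa_key_allowed(struct passwd *pw, Key *key)
 /* Skip remaining whitespace. */
 for (; *cp == ' ' || *cp == '\t'; cp++)
 ;
-bits = key_read(found, &cp);
-if (bits == 0) {
+if (key_read(found, &cp) == -1) {
+debug2("user_key_allowed: advance: '%s'", cp);
 /* still no key? advance to next line*/
 continue;
 }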
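Review bot: `pktype`, derived on new line 433 of the `@@ -431,13 +430,14 @@` hunk from the client-supplied `pkalg`, is only compared with `KEY_UNSPEC` and never with the type of the key that `key_from_blob` decodes on line 440, so a request whose algorithm name and blob disagree is still processed under the blob's type, and the PK_OK reply in the `@@ -480,7 +480,7 @@` hunk then echoes the client's `pkalg` for a key of a different type. In the signed path the server rebuilds the signed data with `key_ssh_name(key)` rather than `pkalg`, so as far as the hunk shows a mismatch would only fail `key_verify` there, but the unsigned query path has no such backstop. Before the `if (key != NULL) {` on line 441 I would add `if (key != NULL && key->type != pktype) { log("userauth_pubkey: type mismatch for key %s", pkalg); key_free(key); key = NULL; }` so both paths reject the inconsistent request the same way. `userauth_pubkey` begins before this hunk and ends after it.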