- (djm) Merge OpenBSD changes:

- markus@cvs.openbsd.org 2000/11/06 16:04:56 [channels.c channels.h clientloop.c nchan.c serverloop.c] [session.c ssh.c] agent forwarding and -R for ssh2, based on work from jhuuskon@messi.uku.fi - markus@cvs.openbsd.org 2000/11/06 16:13:27 [ssh.c sshconnect.c sshd.c] do not disabled rhosts(rsa) if server port > 1024; from pekkas@netcore.fi - markus@cvs.openbsd.org 2000/11/06 16:16:35 [sshconnect.c] downgrade client to 1.3 if server is 1.4; help from mdb@juniper.net - markus@cvs.openbsd.org 2000/11/09 18:04:40 [auth1.c] typo; from mouring@pconline.com - markus@cvs.openbsd.org 2000/11/12 12:03:28 [ssh-agent.c] off-by-one when removing a key from the agent - markus@cvs.openbsd.org 2000/11/12 12:50:39 [auth-rh-rsa.c auth2.c authfd.c authfd.h] [authfile.c hostfile.c kex.c kex.h key.c key.h myproposal.h] [readconf.c readconf.h rsa.c rsa.h servconf.c servconf.h ssh-add.c] [ssh-agent.c ssh-keygen.1 ssh-keygen.c ssh.1 ssh.c ssh_config] [sshconnect1.c sshconnect2.c sshd.8 sshd.c sshd_config ssh-dss.c] [ssh-dss.h ssh-rsa.c ssh-rsa.h dsa.c dsa.h] add support for RSA to SSH2. please test. there are now 3 types of keys: RSA1 is used by ssh-1 only, RSA and DSA are used by SSH2. you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA keys for SSH2 and use the RSA keys for hostkeys or for user keys. SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before. - (djm) Fix up Makefile and Redhat init script to create RSA host keys - (djm) Change to interim version
author: Damien Miller <djm@mindrot.org> 2000-11-13 22:57:25 +1100
committer: Damien Miller <djm@mindrot.org> 2000-11-13 22:57:25 +1100
commit: 0bc1bd814e3c2b5e92d6f595930051960d17f47f (patch)
tree: 176c7dc2844ecc2c1de0f72d221449556ffa5209 /auth2.c
parent: 559d383037b0872fcde4e6c40188b649c574be74 (diff)
1 files changed, 19 insertions, 19 deletions
diff --git a/auth2.c b/auth2.c
index d51a1a765..46bf07c80 100644
--- a/auth2.c
+++ b/auth2.c
@@ -23,7 +23,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: auth2.c,v 1.20 2000/10/14 12:16:56 markus Exp $");
+RCSID("$OpenBSD: auth2.c,v 1.21 2000/11/12 19:50:37 markus Exp $");
 #ifdef HAVE_OSF_SIA
 # include <sia.h>
@@ -52,7 +52,6 @@ RCSID("$OpenBSD: auth2.c,v 1.20 2000/10/14 12:16:56 markus Exp $");
 #include "key.h"
 #include "kex.h"
-#include "dsa.h"
 #include "uidswap.h"
 #include "auth-options.h"
@@ -89,7 +88,7 @@ void	protocol_error(int type, int plen, void *ctxt);
 /* helper */
 Authmethod      *authmethod_lookup(const char *name);
 struct passwd   *pwcopy(struct passwd *pw);
-int     user_dsa_key_allowed(struct passwd *pw, Key *key);
+int     user_key_allowed(struct passwd *pw, Key *key);
 char    *authmethods_get(void);
 /* auth */
@@ -104,7 +103,7 @@ Authmethod authmethods[] = {
                &one},
        {"publickey",
                userauth_pubkey,
-                &options.dsa_authentication},
+                &options.pubkey_authentication},
        {"keyboard-interactive",
                userauth_kbdint,
                &options.kbd_interactive_authentication},
@@ -422,7 +421,7 @@ userauth_pubkey(Authctxt *authctxt)
        Key *key;
        char *pkalg, *pkblob, *sig;
        unsigned int alen, blen, slen;
-        int have_sig;
+        int have_sig, pktype;
        int authenticated = 0;
        if (!authctxt->valid) {
@@ -431,13 +430,14 @@ userauth_pubkey(Authctxt *authctxt)
        }
        have_sig = packet_get_char();
        pkalg = packet_get_string(&alen);
-        if (strcmp(pkalg, KEX_DSS) != 0) {
+        pktype = key_type_from_name(pkalg);
-                log("bad pkalg %s", pkalg);     /*XXX*/
+        if (pktype == KEY_UNSPEC) {
+                log("bad pkalg %s", pkalg);
                xfree(pkalg);
                return 0;
        }
        pkblob = packet_get_string(&blen);
-        key = dsa_key_from_blob(pkblob, blen);
+        key = key_from_blob(pkblob, blen);
        if (key != NULL) {
                if (have_sig) {
                        sig = packet_get_string(&slen);
@@ -457,14 +457,14 @@ userauth_pubkey(Authctxt *authctxt)
                            authctxt->service);
                        buffer_put_cstring(&b, "publickey");
                        buffer_put_char(&b, have_sig);
-                        buffer_put_cstring(&b, KEX_DSS);
+                        buffer_put_cstring(&b, key_ssh_name(key));
                        buffer_put_string(&b, pkblob, blen);
-#ifdef DEBUG_DSS
+#ifdef DEBUG_PK
                        buffer_dump(&b);
 #endif
                        /* test for correct signature */
-                        if (user_dsa_key_allowed(authctxt->pw, key) &&
+                        if (user_key_allowed(authctxt->pw, key) &&
-                            dsa_verify(key, sig, slen, buffer_ptr(&b), buffer_len(&b)) == 1)
+                            key_verify(key, sig, slen, buffer_ptr(&b), buffer_len(&b)) == 1)
                                authenticated = 1;
                        buffer_clear(&b);
                        xfree(sig);
@@ -480,7 +480,7 @@ userauth_pubkey(Authctxt *authctxt)
                         * if a user is not allowed to login. is this an
                         * issue? -markus
                         */
-                        if (user_dsa_key_allowed(authctxt->pw, key)) {
+                        if (user_key_allowed(authctxt->pw, key)) {
                                packet_start(SSH2_MSG_USERAUTH_PK_OK);
                                packet_put_string(pkalg, alen);
                                packet_put_string(pkblob, blen);
@@ -493,6 +493,7 @@ userauth_pubkey(Authctxt *authctxt)
                        auth_clear_options();
                key_free(key);
        }
+        debug2("userauth_pubkey: authenticated %d pkalg %s", authenticated, pkalg);
        xfree(pkalg);
        xfree(pkblob);
 #ifdef HAVE_CYGWIN
@@ -560,11 +561,10 @@ authmethod_lookup(const char *name)
 /* return 1 if user allows given key */
 int
-user_dsa_key_allowed(struct passwd *pw, Key *key)
+user_key_allowed(struct passwd *pw, Key *key)
 {
        char line[8192], file[1024];
        int found_key = 0;
-        unsigned int bits = -1;
        FILE *f;
        unsigned long linenum = 0;
        struct stat st;
@@ -645,10 +645,10 @@ user_dsa_key_allowed(struct passwd *pw, Key *key)
                if (!*cp || *cp == '\n' || *cp == '#')
                        continue;
-                bits = key_read(found, &cp);
+                if (key_read(found, &cp) == -1) {
-                if (bits == 0) {
                        /* no key?  check if there are options for this key */
                        int quoted = 0;
+                        debug2("user_key_allowed: check options: '%s'", cp);
                        options = cp;
                        for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) {
                                if (*cp == '\\' && cp[1] == '"')
@@ -659,8 +659,8 @@ user_dsa_key_allowed(struct passwd *pw, Key *key)
                        /* Skip remaining whitespace. */
                        for (; *cp == ' ' || *cp == '\t'; cp++)
                                ;
-                        bits = key_read(found, &cp);
+                        if (key_read(found, &cp) == -1) {
-                        if (bits == 0) {
+                                debug2("user_key_allowed: advance: '%s'", cp);
                                /* still no key?  advance to next line*/
                                continue;
                        }
author	Damien Miller <djm@mindrot.org>	2000-11-13 22:57:25 +1100
committer	Damien Miller <djm@mindrot.org>	2000-11-13 22:57:25 +1100
commit	0bc1bd814e3c2b5e92d6f595930051960d17f47f (patch)
tree	176c7dc2844ecc2c1de0f72d221449556ffa5209 /auth2.c
parent	559d383037b0872fcde4e6c40188b649c574be74 (diff)