diff options
| author | Damien Miller <djm@mindrot.org> | 2012-12-03 09:49:52 +1100 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2012-12-03 09:49:52 +1100 |
| commit | cb6b68b209d8868a94a30b1a634beb1a65cb5265 (patch) | |
| tree | 049f0251f5ee3f2cb2fb236ba4ee5eb37b356351 /sshconnect2.c | |
| parent | cf6ef137b516a9f739b6e899ec5ef7306835530b (diff) | |
- djm@cvs.openbsd.org 2012/12/02 20:26:11
[ssh_config.5 sshconnect2.c]
Make IdentitiesOnly apply to keys obtained from a PKCS11Provider.
This allows control of which keys are offered from tokens using
IdentityFile. ok markus@
Diffstat (limited to 'sshconnect2.c')
| -rw-r--r-- | sshconnect2.c | 29 |
1 files changed, 26 insertions, 3 deletions
diff --git a/sshconnect2.c b/sshconnect2.c index 7c369d743..6791ea344 100644 --- a/sshconnect2.c +++ b/sshconnect2.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: sshconnect2.c,v 1.189 2012/06/22 12:30:26 dtucker Exp $ */ | 1 | /* $OpenBSD: sshconnect2.c,v 1.190 2012/12/02 20:26:11 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. |
| 4 | * Copyright (c) 2008 Damien Miller. All rights reserved. | 4 | * Copyright (c) 2008 Damien Miller. All rights reserved. |
| @@ -1359,7 +1359,7 @@ load_identity_file(char *filename) | |||
| 1359 | static void | 1359 | static void |
| 1360 | pubkey_prepare(Authctxt *authctxt) | 1360 | pubkey_prepare(Authctxt *authctxt) |
| 1361 | { | 1361 | { |
| 1362 | Identity *id; | 1362 | Identity *id, *id2, *tmp; |
| 1363 | Idlist agent, files, *preferred; | 1363 | Idlist agent, files, *preferred; |
| 1364 | Key *key; | 1364 | Key *key; |
| 1365 | AuthenticationConnection *ac; | 1365 | AuthenticationConnection *ac; |
| @@ -1371,7 +1371,7 @@ pubkey_prepare(Authctxt *authctxt) | |||
| 1371 | preferred = &authctxt->keys; | 1371 | preferred = &authctxt->keys; |
| 1372 | TAILQ_INIT(preferred); /* preferred order of keys */ | 1372 | TAILQ_INIT(preferred); /* preferred order of keys */ |
| 1373 | 1373 | ||
| 1374 | /* list of keys stored in the filesystem */ | 1374 | /* list of keys stored in the filesystem and PKCS#11 */ |
| 1375 | for (i = 0; i < options.num_identity_files; i++) { | 1375 | for (i = 0; i < options.num_identity_files; i++) { |
| 1376 | key = options.identity_keys[i]; | 1376 | key = options.identity_keys[i]; |
| 1377 | if (key && key->type == KEY_RSA1) | 1377 | if (key && key->type == KEY_RSA1) |
| @@ -1384,6 +1384,29 @@ pubkey_prepare(Authctxt *authctxt) | |||
| 1384 | id->filename = xstrdup(options.identity_files[i]); | 1384 | id->filename = xstrdup(options.identity_files[i]); |
| 1385 | TAILQ_INSERT_TAIL(&files, id, next); | 1385 | TAILQ_INSERT_TAIL(&files, id, next); |
| 1386 | } | 1386 | } |
| 1387 | /* Prefer PKCS11 keys that are explicitly listed */ | ||
| 1388 | TAILQ_FOREACH_SAFE(id, &files, next, tmp) { | ||
| 1389 | if (id->key == NULL || (id->key->flags & KEY_FLAG_EXT) == 0) | ||
| 1390 | continue; | ||
| 1391 | found = 0; | ||
| 1392 | TAILQ_FOREACH(id2, &files, next) { | ||
| 1393 | if (id2->key == NULL || | ||
| 1394 | (id2->key->flags & KEY_FLAG_EXT) != 0) | ||
| 1395 | continue; | ||
| 1396 | if (key_equal(id->key, id2->key)) { | ||
| 1397 | TAILQ_REMOVE(&files, id, next); | ||
| 1398 | TAILQ_INSERT_TAIL(preferred, id, next); | ||
| 1399 | found = 1; | ||
| 1400 | break; | ||
| 1401 | } | ||
| 1402 | } | ||
| 1403 | /* If IdentitiesOnly set and key not found then don't use it */ | ||
| 1404 | if (!found && options.identities_only) { | ||
| 1405 | TAILQ_REMOVE(&files, id, next); | ||
| 1406 | bzero(id, sizeof(id)); | ||
| 1407 | free(id); | ||
| 1408 | } | ||
| 1409 | } | ||
| 1387 | /* list of keys supported by the agent */ | 1410 | /* list of keys supported by the agent */ |
| 1388 | if ((ac = ssh_get_authentication_connection())) { | 1411 | if ((ac = ssh_get_authentication_connection())) { |
| 1389 | for (key = ssh_get_first_identity(ac, &comment, 2); | 1412 | for (key = ssh_get_first_identity(ac, &comment, 2); |