-rw-r--r-- | auth2-pubkey.c | 13 |
1 files changed, 7 insertions, 6 deletions
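--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-pubkey.c,v 1.52 2015/06/15 18:42:19 jsing Exp $ */
+/* $OpenBSD: auth2-pubkey.c,v 1.53 2015/06/15 18:44:22 jsing Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl. All rights reserved.
 *
@@ -831,7 +831,7 @@ user_cert_trusted_ca(struct passwd *pw, Key *key)
 {
 char *ca_fp, *principals_file = NULL;
 const char *reason;
-int ret = 0, found_principal = 0;
+int ret = 0, found_principal = 0, use_authorized_principals;
 
 if (!key_is_cert(key) || options.trusted_user_ca_keys == NULL)
 return 0;
@@ -859,9 +859,10 @@ user_cert_trusted_ca(struct passwd *pw, Key *key)
 /* Try querying command if specified */
 if (!found_principal && match_principals_command(pw, key->cert))
 found_principal = 1;
-/* If principals file or command specify, then require a match here */
-if (!found_principal && (principals_file != NULL ||
-options.authorized_principals_command != NULL)) {
+/* If principals file or command is specified, then require a match */
+use_authorized_principals = principals_file != NULL ||
+options.authorized_principals_command != NULL;
+if (!found_principal && use_authorized_principals) {
 reason = "Certificate does not contain an authorized principal";
 fail_reason:
 error("%s", reason);
@@ -869,7 +870,7 @@ user_cert_trusted_ca(struct passwd *pw, Key *key)
 goto out;
 }
 if (key_cert_check_authority(key, 0, 1,
-principals_file == NULL ? pw->pw_name : NULL, &reason) != 0)
+use_authorized_principals ? NULL : pw->pw_name, &reason) != 0)
 goto fail_reason;
 if (auth_cert_options(key, pw) != 0)
 goto out;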
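Review bot: The call to `key_cert_check_authority` at new line 873 gives no hint why the required-name argument becomes NULL once `use_authorized_principals` is set; a reader has to reconstruct that when a principals file or command is configured the principal has already been matched above, so the certificate must not additionally be required to carry `pw->pw_name` (the old `principals_file == NULL` test appears to have demanded it when only the command was configured, which looks like the bug this change fixes). Suggest a comment above the call: `/* principal already matched above when a file/command is in use; otherwise require pw_name */`. The assignment at new line 863 would also read more clearly with the disjunction parenthesized, `use_authorized_principals = (principals_file != NULL || options.authorized_principals_command != NULL);`, since it spans two lines. The body of user_cert_trusted_ca continues past the last hunk, including the `out:` label the gotos target.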