diff options
| -rw-r--r-- | auth2-gss.c | 11 | ||||
| -rw-r--r-- | auth2-hostbased.c | 11 | ||||
| -rw-r--r-- | auth2-pubkey.c | 25 |
3 files changed, 28 insertions, 19 deletions
diff --git a/auth2-gss.c b/auth2-gss.c index 47308c5ce..9351e0428 100644 --- a/auth2-gss.c +++ b/auth2-gss.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: auth2-gss.c,v 1.28 2018/07/10 09:13:30 djm Exp $ */ | 1 | /* $OpenBSD: auth2-gss.c,v 1.29 2018/07/31 03:10:27 djm Exp $ */ |
| 2 | 2 | ||
| 3 | /* | 3 | /* |
| 4 | * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. | 4 | * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. |
| @@ -70,9 +70,6 @@ userauth_gssapi(struct ssh *ssh) | |||
| 70 | size_t len; | 70 | size_t len; |
| 71 | u_char *doid = NULL; | 71 | u_char *doid = NULL; |
| 72 | 72 | ||
| 73 | if (!authctxt->valid || authctxt->user == NULL) | ||
| 74 | return (0); | ||
| 75 | |||
| 76 | if ((r = sshpkt_get_u32(ssh, &mechs)) != 0) | 73 | if ((r = sshpkt_get_u32(ssh, &mechs)) != 0) |
| 77 | fatal("%s: %s", __func__, ssh_err(r)); | 74 | fatal("%s: %s", __func__, ssh_err(r)); |
| 78 | 75 | ||
| @@ -106,6 +103,12 @@ userauth_gssapi(struct ssh *ssh) | |||
| 106 | return (0); | 103 | return (0); |
| 107 | } | 104 | } |
| 108 | 105 | ||
| 106 | if (!authctxt->valid || authctxt->user == NULL) { | ||
| 107 | debug2("%s: disabled because of invalid user", __func__); | ||
| 108 | free(doid); | ||
| 109 | return (0); | ||
| 110 | } | ||
| 111 | |||
| 109 | if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, &goid)))) { | 112 | if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, &goid)))) { |
| 110 | if (ctxt != NULL) | 113 | if (ctxt != NULL) |
| 111 | ssh_gssapi_delete_ctx(&ctxt); | 114 | ssh_gssapi_delete_ctx(&ctxt); |
diff --git a/auth2-hostbased.c b/auth2-hostbased.c index 60159a56c..359393291 100644 --- a/auth2-hostbased.c +++ b/auth2-hostbased.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: auth2-hostbased.c,v 1.35 2018/07/09 21:35:50 markus Exp $ */ | 1 | /* $OpenBSD: auth2-hostbased.c,v 1.36 2018/07/31 03:10:27 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. |
| 4 | * | 4 | * |
| @@ -67,10 +67,6 @@ userauth_hostbased(struct ssh *ssh) | |||
| 67 | size_t alen, blen, slen; | 67 | size_t alen, blen, slen; |
| 68 | int r, pktype, authenticated = 0; | 68 | int r, pktype, authenticated = 0; |
| 69 | 69 | ||
| 70 | if (!authctxt->valid) { | ||
| 71 | debug2("%s: disabled because of invalid user", __func__); | ||
| 72 | return 0; | ||
| 73 | } | ||
| 74 | /* XXX use sshkey_froms() */ | 70 | /* XXX use sshkey_froms() */ |
| 75 | if ((r = sshpkt_get_cstring(ssh, &pkalg, &alen)) != 0 || | 71 | if ((r = sshpkt_get_cstring(ssh, &pkalg, &alen)) != 0 || |
| 76 | (r = sshpkt_get_string(ssh, &pkblob, &blen)) != 0 || | 72 | (r = sshpkt_get_string(ssh, &pkblob, &blen)) != 0 || |
| @@ -117,6 +113,11 @@ userauth_hostbased(struct ssh *ssh) | |||
| 117 | goto done; | 113 | goto done; |
| 118 | } | 114 | } |
| 119 | 115 | ||
| 116 | if (!authctxt->valid || authctxt->user == NULL) { | ||
| 117 | debug2("%s: disabled because of invalid user", __func__); | ||
| 118 | goto done; | ||
| 119 | } | ||
| 120 | |||
| 120 | if ((b = sshbuf_new()) == NULL) | 121 | if ((b = sshbuf_new()) == NULL) |
| 121 | fatal("%s: sshbuf_new failed", __func__); | 122 | fatal("%s: sshbuf_new failed", __func__); |
| 122 | /* reconstruct packet */ | 123 | /* reconstruct packet */ |
diff --git a/auth2-pubkey.c b/auth2-pubkey.c index c4d0f7908..e1c150401 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: auth2-pubkey.c,v 1.82 2018/07/11 18:55:11 markus Exp $ */ | 1 | /* $OpenBSD: auth2-pubkey.c,v 1.83 2018/07/31 03:10:27 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. |
| 4 | * | 4 | * |
| @@ -89,19 +89,15 @@ userauth_pubkey(struct ssh *ssh) | |||
| 89 | { | 89 | { |
| 90 | Authctxt *authctxt = ssh->authctxt; | 90 | Authctxt *authctxt = ssh->authctxt; |
| 91 | struct passwd *pw = authctxt->pw; | 91 | struct passwd *pw = authctxt->pw; |
| 92 | struct sshbuf *b; | 92 | struct sshbuf *b = NULL; |
| 93 | struct sshkey *key = NULL; | 93 | struct sshkey *key = NULL; |
| 94 | char *pkalg, *userstyle = NULL, *key_s = NULL, *ca_s = NULL; | 94 | char *pkalg = NULL, *userstyle = NULL, *key_s = NULL, *ca_s = NULL; |
| 95 | u_char *pkblob, *sig, have_sig; | 95 | u_char *pkblob = NULL, *sig = NULL, have_sig; |
| 96 | size_t blen, slen; | 96 | size_t blen, slen; |
| 97 | int r, pktype; | 97 | int r, pktype; |
| 98 | int authenticated = 0; | 98 | int authenticated = 0; |
| 99 | struct sshauthopt *authopts = NULL; | 99 | struct sshauthopt *authopts = NULL; |
| 100 | 100 | ||
| 101 | if (!authctxt->valid) { | ||
| 102 | debug2("%s: disabled because of invalid user", __func__); | ||
| 103 | return 0; | ||
| 104 | } | ||
| 105 | if ((r = sshpkt_get_u8(ssh, &have_sig)) != 0 || | 101 | if ((r = sshpkt_get_u8(ssh, &have_sig)) != 0 || |
| 106 | (r = sshpkt_get_cstring(ssh, &pkalg, NULL)) != 0 || | 102 | (r = sshpkt_get_cstring(ssh, &pkalg, NULL)) != 0 || |
| 107 | (r = sshpkt_get_string(ssh, &pkblob, &blen)) != 0) | 103 | (r = sshpkt_get_string(ssh, &pkblob, &blen)) != 0) |
| @@ -167,6 +163,11 @@ userauth_pubkey(struct ssh *ssh) | |||
| 167 | fatal("%s: sshbuf_put_string session id: %s", | 163 | fatal("%s: sshbuf_put_string session id: %s", |
| 168 | __func__, ssh_err(r)); | 164 | __func__, ssh_err(r)); |
| 169 | } | 165 | } |
| 166 | if (!authctxt->valid || authctxt->user == NULL) { | ||
| 167 | debug2("%s: disabled because of invalid user", | ||
| 168 | __func__); | ||
| 169 | goto done; | ||
| 170 | } | ||
| 170 | /* reconstruct packet */ | 171 | /* reconstruct packet */ |
| 171 | xasprintf(&userstyle, "%s%s%s", authctxt->user, | 172 | xasprintf(&userstyle, "%s%s%s", authctxt->user, |
| 172 | authctxt->style ? ":" : "", | 173 | authctxt->style ? ":" : "", |
| @@ -183,7 +184,6 @@ userauth_pubkey(struct ssh *ssh) | |||
| 183 | #ifdef DEBUG_PK | 184 | #ifdef DEBUG_PK |
| 184 | sshbuf_dump(b, stderr); | 185 | sshbuf_dump(b, stderr); |
| 185 | #endif | 186 | #endif |
| 186 | |||
| 187 | /* test for correct signature */ | 187 | /* test for correct signature */ |
| 188 | authenticated = 0; | 188 | authenticated = 0; |
| 189 | if (PRIVSEP(user_key_allowed(ssh, pw, key, 1, &authopts)) && | 189 | if (PRIVSEP(user_key_allowed(ssh, pw, key, 1, &authopts)) && |
| @@ -194,7 +194,6 @@ userauth_pubkey(struct ssh *ssh) | |||
| 194 | authenticated = 1; | 194 | authenticated = 1; |
| 195 | } | 195 | } |
| 196 | sshbuf_free(b); | 196 | sshbuf_free(b); |
| 197 | free(sig); | ||
| 198 | auth2_record_key(authctxt, authenticated, key); | 197 | auth2_record_key(authctxt, authenticated, key); |
| 199 | } else { | 198 | } else { |
| 200 | debug("%s: test pkalg %s pkblob %s%s%s", | 199 | debug("%s: test pkalg %s pkblob %s%s%s", |
| @@ -205,6 +204,11 @@ userauth_pubkey(struct ssh *ssh) | |||
| 205 | if ((r = sshpkt_get_end(ssh)) != 0) | 204 | if ((r = sshpkt_get_end(ssh)) != 0) |
| 206 | fatal("%s: %s", __func__, ssh_err(r)); | 205 | fatal("%s: %s", __func__, ssh_err(r)); |
| 207 | 206 | ||
| 207 | if (!authctxt->valid || authctxt->user == NULL) { | ||
| 208 | debug2("%s: disabled because of invalid user", | ||
| 209 | __func__); | ||
| 210 | goto done; | ||
| 211 | } | ||
| 208 | /* XXX fake reply and always send PK_OK ? */ | 212 | /* XXX fake reply and always send PK_OK ? */ |
| 209 | /* | 213 | /* |
| 210 | * XXX this allows testing whether a user is allowed | 214 | * XXX this allows testing whether a user is allowed |
| @@ -238,6 +242,7 @@ done: | |||
| 238 | free(pkblob); | 242 | free(pkblob); |
| 239 | free(key_s); | 243 | free(key_s); |
| 240 | free(ca_s); | 244 | free(ca_s); |
| 245 | free(sig); | ||
| 241 | return authenticated; | 246 | return authenticated; |
| 242 | } | 247 | } |
| 243 | 248 | ||