diff options
| -rw-r--r-- | auth.h | 2 | ||||
| -rw-r--r-- | auth2-pubkey.c | 6 | ||||
| -rw-r--r-- | monitor.c | 6 | ||||
| -rw-r--r-- | monitor_wrap.c | 15 | ||||
| -rw-r--r-- | monitor_wrap.h | 6 |
5 files changed, 20 insertions, 15 deletions
| @@ -126,7 +126,7 @@ int auth_rsa_key_allowed(struct passwd *, BIGNUM *, Key **); | |||
| 126 | 126 | ||
| 127 | int auth_rhosts_rsa_key_allowed(struct passwd *, char *, char *, Key *); | 127 | int auth_rhosts_rsa_key_allowed(struct passwd *, char *, char *, Key *); |
| 128 | int hostbased_key_allowed(struct passwd *, const char *, char *, Key *); | 128 | int hostbased_key_allowed(struct passwd *, const char *, char *, Key *); |
| 129 | int user_key_allowed(struct passwd *, Key *); | 129 | int user_key_allowed(struct passwd *, Key *, int); |
| 130 | void pubkey_auth_info(Authctxt *, const Key *, const char *, ...) | 130 | void pubkey_auth_info(Authctxt *, const Key *, const char *, ...) |
| 131 | __attribute__((__format__ (printf, 3, 4))); | 131 | __attribute__((__format__ (printf, 3, 4))); |
| 132 | void auth2_record_userkey(Authctxt *, struct sshkey *); | 132 | void auth2_record_userkey(Authctxt *, struct sshkey *); |
diff --git a/auth2-pubkey.c b/auth2-pubkey.c index e103b70af..f96e843c2 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c | |||
| @@ -169,7 +169,7 @@ userauth_pubkey(Authctxt *authctxt) | |||
| 169 | 169 | ||
| 170 | /* test for correct signature */ | 170 | /* test for correct signature */ |
| 171 | authenticated = 0; | 171 | authenticated = 0; |
| 172 | if (PRIVSEP(user_key_allowed(authctxt->pw, key)) && | 172 | if (PRIVSEP(user_key_allowed(authctxt->pw, key, 1)) && |
| 173 | PRIVSEP(key_verify(key, sig, slen, buffer_ptr(&b), | 173 | PRIVSEP(key_verify(key, sig, slen, buffer_ptr(&b), |
| 174 | buffer_len(&b))) == 1) { | 174 | buffer_len(&b))) == 1) { |
| 175 | authenticated = 1; | 175 | authenticated = 1; |
| @@ -191,7 +191,7 @@ userauth_pubkey(Authctxt *authctxt) | |||
| 191 | * if a user is not allowed to login. is this an | 191 | * if a user is not allowed to login. is this an |
| 192 | * issue? -markus | 192 | * issue? -markus |
| 193 | */ | 193 | */ |
| 194 | if (PRIVSEP(user_key_allowed(authctxt->pw, key))) { | 194 | if (PRIVSEP(user_key_allowed(authctxt->pw, key, 0))) { |
| 195 | packet_start(SSH2_MSG_USERAUTH_PK_OK); | 195 | packet_start(SSH2_MSG_USERAUTH_PK_OK); |
| 196 | packet_put_string(pkalg, alen); | 196 | packet_put_string(pkalg, alen); |
| 197 | packet_put_string(pkblob, blen); | 197 | packet_put_string(pkblob, blen); |
| @@ -671,7 +671,7 @@ user_key_command_allowed2(struct passwd *user_pw, Key *key) | |||
| 671 | * Check whether key authenticates and authorises the user. | 671 | * Check whether key authenticates and authorises the user. |
| 672 | */ | 672 | */ |
| 673 | int | 673 | int |
| 674 | user_key_allowed(struct passwd *pw, Key *key) | 674 | user_key_allowed(struct passwd *pw, Key *key, int auth_attempt) |
| 675 | { | 675 | { |
| 676 | u_int success, i; | 676 | u_int success, i; |
| 677 | char *file; | 677 | char *file; |
| @@ -1185,7 +1185,7 @@ mm_answer_keyallowed(int sock, Buffer *m) | |||
| 1185 | Key *key; | 1185 | Key *key; |
| 1186 | char *cuser, *chost; | 1186 | char *cuser, *chost; |
| 1187 | u_char *blob; | 1187 | u_char *blob; |
| 1188 | u_int bloblen; | 1188 | u_int bloblen, pubkey_auth_attempt; |
| 1189 | enum mm_keytype type = 0; | 1189 | enum mm_keytype type = 0; |
| 1190 | int allowed = 0; | 1190 | int allowed = 0; |
| 1191 | 1191 | ||
| @@ -1195,6 +1195,7 @@ mm_answer_keyallowed(int sock, Buffer *m) | |||
| 1195 | cuser = buffer_get_string(m, NULL); | 1195 | cuser = buffer_get_string(m, NULL); |
| 1196 | chost = buffer_get_string(m, NULL); | 1196 | chost = buffer_get_string(m, NULL); |
| 1197 | blob = buffer_get_string(m, &bloblen); | 1197 | blob = buffer_get_string(m, &bloblen); |
| 1198 | pubkey_auth_attempt = buffer_get_int(m); | ||
| 1198 | 1199 | ||
| 1199 | key = key_from_blob(blob, bloblen); | 1200 | key = key_from_blob(blob, bloblen); |
| 1200 | 1201 | ||
| @@ -1220,7 +1221,8 @@ mm_answer_keyallowed(int sock, Buffer *m) | |||
| 1220 | pubkey_auth_attempt); | 1221 | pubkey_auth_attempt); |
| 1221 | pubkey_auth_info(authctxt, key, NULL); | 1222 | pubkey_auth_info(authctxt, key, NULL); |
| 1222 | auth_method = "publickey"; | 1223 | auth_method = "publickey"; |
| 1223 | if (options.pubkey_authentication && allowed != 1) | 1224 | if (options.pubkey_authentication && |
| 1225 | (!pubkey_auth_attempt || allowed != 1)) | ||
| 1224 | auth_clear_options(); | 1226 | auth_clear_options(); |
| 1225 | break; | 1227 | break; |
| 1226 | case MM_HOSTKEY: | 1228 | case MM_HOSTKEY: |
diff --git a/monitor_wrap.c b/monitor_wrap.c index d39d491c2..e6217b3d4 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: monitor_wrap.c,v 1.84 2015/02/16 22:13:32 djm Exp $ */ | 1 | /* $OpenBSD: monitor_wrap.c,v 1.85 2015/05/01 03:23:51 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright 2002 Niels Provos <provos@citi.umich.edu> | 3 | * Copyright 2002 Niels Provos <provos@citi.umich.edu> |
| 4 | * Copyright 2002 Markus Friedl <markus@openbsd.org> | 4 | * Copyright 2002 Markus Friedl <markus@openbsd.org> |
| @@ -371,16 +371,17 @@ mm_auth_password(Authctxt *authctxt, char *password) | |||
| 371 | } | 371 | } |
| 372 | 372 | ||
| 373 | int | 373 | int |
| 374 | mm_user_key_allowed(struct passwd *pw, Key *key) | 374 | mm_user_key_allowed(struct passwd *pw, Key *key, int pubkey_auth_attempt) |
| 375 | { | 375 | { |
| 376 | return (mm_key_allowed(MM_USERKEY, NULL, NULL, key)); | 376 | return (mm_key_allowed(MM_USERKEY, NULL, NULL, key, |
| 377 | pubkey_auth_attempt)); | ||
| 377 | } | 378 | } |
| 378 | 379 | ||
| 379 | int | 380 | int |
| 380 | mm_hostbased_key_allowed(struct passwd *pw, char *user, char *host, | 381 | mm_hostbased_key_allowed(struct passwd *pw, char *user, char *host, |
| 381 | Key *key) | 382 | Key *key) |
| 382 | { | 383 | { |
| 383 | return (mm_key_allowed(MM_HOSTKEY, user, host, key)); | 384 | return (mm_key_allowed(MM_HOSTKEY, user, host, key, 0)); |
| 384 | } | 385 | } |
| 385 | 386 | ||
| 386 | int | 387 | int |
| @@ -390,13 +391,14 @@ mm_auth_rhosts_rsa_key_allowed(struct passwd *pw, char *user, | |||
| 390 | int ret; | 391 | int ret; |
| 391 | 392 | ||
| 392 | key->type = KEY_RSA; /* XXX hack for key_to_blob */ | 393 | key->type = KEY_RSA; /* XXX hack for key_to_blob */ |
| 393 | ret = mm_key_allowed(MM_RSAHOSTKEY, user, host, key); | 394 | ret = mm_key_allowed(MM_RSAHOSTKEY, user, host, key, 0); |
| 394 | key->type = KEY_RSA1; | 395 | key->type = KEY_RSA1; |
| 395 | return (ret); | 396 | return (ret); |
| 396 | } | 397 | } |
| 397 | 398 | ||
| 398 | int | 399 | int |
| 399 | mm_key_allowed(enum mm_keytype type, char *user, char *host, Key *key) | 400 | mm_key_allowed(enum mm_keytype type, char *user, char *host, Key *key, |
| 401 | int pubkey_auth_attempt) | ||
| 400 | { | 402 | { |
| 401 | Buffer m; | 403 | Buffer m; |
| 402 | u_char *blob; | 404 | u_char *blob; |
| @@ -414,6 +416,7 @@ mm_key_allowed(enum mm_keytype type, char *user, char *host, Key *key) | |||
| 414 | buffer_put_cstring(&m, user ? user : ""); | 416 | buffer_put_cstring(&m, user ? user : ""); |
| 415 | buffer_put_cstring(&m, host ? host : ""); | 417 | buffer_put_cstring(&m, host ? host : ""); |
| 416 | buffer_put_string(&m, blob, len); | 418 | buffer_put_string(&m, blob, len); |
| 419 | buffer_put_int(&m, pubkey_auth_attempt); | ||
| 417 | free(blob); | 420 | free(blob); |
| 418 | 421 | ||
| 419 | mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KEYALLOWED, &m); | 422 | mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KEYALLOWED, &m); |
diff --git a/monitor_wrap.h b/monitor_wrap.h index e18784ac4..de4a08f99 100644 --- a/monitor_wrap.h +++ b/monitor_wrap.h | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: monitor_wrap.h,v 1.26 2015/02/16 22:13:32 djm Exp $ */ | 1 | /* $OpenBSD: monitor_wrap.h,v 1.27 2015/05/01 03:23:51 djm Exp $ */ |
| 2 | 2 | ||
| 3 | /* | 3 | /* |
| 4 | * Copyright 2002 Niels Provos <provos@citi.umich.edu> | 4 | * Copyright 2002 Niels Provos <provos@citi.umich.edu> |
| @@ -45,8 +45,8 @@ void mm_inform_authserv(char *, char *); | |||
| 45 | struct passwd *mm_getpwnamallow(const char *); | 45 | struct passwd *mm_getpwnamallow(const char *); |
| 46 | char *mm_auth2_read_banner(void); | 46 | char *mm_auth2_read_banner(void); |
| 47 | int mm_auth_password(struct Authctxt *, char *); | 47 | int mm_auth_password(struct Authctxt *, char *); |
| 48 | int mm_key_allowed(enum mm_keytype, char *, char *, Key *); | 48 | int mm_key_allowed(enum mm_keytype, char *, char *, Key *, int); |
| 49 | int mm_user_key_allowed(struct passwd *, Key *); | 49 | int mm_user_key_allowed(struct passwd *, Key *, int); |
| 50 | int mm_hostbased_key_allowed(struct passwd *, char *, char *, Key *); | 50 | int mm_hostbased_key_allowed(struct passwd *, char *, char *, Key *); |
| 51 | int mm_auth_rhosts_rsa_key_allowed(struct passwd *, char *, char *, Key *); | 51 | int mm_auth_rhosts_rsa_key_allowed(struct passwd *, char *, char *, Key *); |
| 52 | int mm_key_verify(Key *, u_char *, u_int, u_char *, u_int); | 52 | int mm_key_verify(Key *, u_char *, u_int, u_char *, u_int); |