-rw-r--r-- | auth.h | 2 | ||||
-rw-r--r-- | auth2-pubkey.c | 6 | ||||
-rw-r--r-- | monitor.c | 6 | ||||
-rw-r--r-- | monitor_wrap.c | 15 | ||||
-rw-r--r-- | monitor_wrap.h | 6 |
5 files changed, 20 insertions, 15 deletions
@@ -126,7 +126,7 @@ int auth_rsa_key_allowed(struct passwd *, BIGNUM *, Key **); | |||
126 | 126 | ||
127 | int auth_rhosts_rsa_key_allowed(struct passwd *, char *, char *, Key *); | 127 | int auth_rhosts_rsa_key_allowed(struct passwd *, char *, char *, Key *); |
128 | int hostbased_key_allowed(struct passwd *, const char *, char *, Key *); | 128 | int hostbased_key_allowed(struct passwd *, const char *, char *, Key *); |
129 | int user_key_allowed(struct passwd *, Key *); | 129 | int user_key_allowed(struct passwd *, Key *, int); |
130 | void pubkey_auth_info(Authctxt *, const Key *, const char *, ...) | 130 | void pubkey_auth_info(Authctxt *, const Key *, const char *, ...) |
131 | __attribute__((__format__ (printf, 3, 4))); | 131 | __attribute__((__format__ (printf, 3, 4))); |
132 | void auth2_record_userkey(Authctxt *, struct sshkey *); | 132 | void auth2_record_userkey(Authctxt *, struct sshkey *); |
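--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -169,7 +169,7 @@ userauth_pubkey(Authctxt *authctxt)
 
 	/* test for correct signature */
 	authenticated = 0;
-	if (PRIVSEP(user_key_allowed(authctxt->pw, key)) &&
+	if (PRIVSEP(user_key_allowed(authctxt->pw, key, 1)) &&
 	    PRIVSEP(key_verify(key, sig, slen, buffer_ptr(&b),
 	    buffer_len(&b))) == 1) {
 		authenticated = 1;
@@ -191,7 +191,7 @@ userauth_pubkey(Authctxt *authctxt)
 	 * if a user is not allowed to login. is this an
 	 * issue? -markus
 	 */
-	if (PRIVSEP(user_key_allowed(authctxt->pw, key))) {
+	if (PRIVSEP(user_key_allowed(authctxt->pw, key, 0))) {
 		packet_start(SSH2_MSG_USERAUTH_PK_OK);
 		packet_put_string(pkalg, alen);
 		packet_put_string(pkblob, blen);
@@ -671,7 +671,7 @@ user_key_command_allowed2(struct passwd *user_pw, Key *key)
  * Check whether key authenticates and authorises the user.
  */
 int
-user_key_allowed(struct passwd *pw, Key *key)
+user_key_allowed(struct passwd *pw, Key *key, int auth_attempt)
 {
 	u_int success, i;
 	char *file;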
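Review bot: The new third parameter of `user_key_allowed` (third hunk) is undocumented; the comment directly above it still reads only "Check whether key authenticates and authorises the user." The two call sites in the first and second hunks pass 1 on the signature-verified authentication attempt and 0 on the SSH2_MSG_USERAUTH_PK_OK query, so I would extend that comment with `auth_attempt is 1 for a signed authentication attempt and 0 for a PK_OK query; the caller decides how much of the authorized_keys result may be retained for a query`. The parameter is named `auth_attempt` here but `pubkey_auth_attempt` in monitor.c and monitor_wrap.c; using one name across the three files makes the flag easier to trace. The body of `user_key_allowed`, where the flag is presumably consulted, lies outside the hunk, so I cannot confirm what it gates on the unprivileged path.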
@@ -1185,7 +1185,7 @@ mm_answer_keyallowed(int sock, Buffer *m) | |||
1185 | Key *key; | 1185 | Key *key; |
1186 | char *cuser, *chost; | 1186 | char *cuser, *chost; |
1187 | u_char *blob; | 1187 | u_char *blob; |
1188 | u_int bloblen; | 1188 | u_int bloblen, pubkey_auth_attempt; |
1189 | enum mm_keytype type = 0; | 1189 | enum mm_keytype type = 0; |
1190 | int allowed = 0; | 1190 | int allowed = 0; |
1191 | 1191 | ||
@@ -1195,6 +1195,7 @@ mm_answer_keyallowed(int sock, Buffer *m) | |||
1195 | cuser = buffer_get_string(m, NULL); | 1195 | cuser = buffer_get_string(m, NULL); |
1196 | chost = buffer_get_string(m, NULL); | 1196 | chost = buffer_get_string(m, NULL); |
1197 | blob = buffer_get_string(m, &bloblen); | 1197 | blob = buffer_get_string(m, &bloblen); |
1198 | pubkey_auth_attempt = buffer_get_int(m); | ||
1198 | 1199 | ||
1199 | key = key_from_blob(blob, bloblen); | 1200 | key = key_from_blob(blob, bloblen); |
1200 | 1201 | ||
@@ -1220,7 +1221,8 @@ mm_answer_keyallowed(int sock, Buffer *m) | |||
1220 | pubkey_auth_attempt); | 1221 | pubkey_auth_attempt); |
1221 | pubkey_auth_info(authctxt, key, NULL); | 1222 | pubkey_auth_info(authctxt, key, NULL); |
1222 | auth_method = "publickey"; | 1223 | auth_method = "publickey"; |
1223 | if (options.pubkey_authentication && allowed != 1) | 1224 | if (options.pubkey_authentication && |
1225 | (!pubkey_auth_attempt || allowed != 1)) | ||
1224 | auth_clear_options(); | 1226 | auth_clear_options(); |
1225 | break; | 1227 | break; |
1226 | case MM_HOSTKEY: | 1228 | case MM_HOSTKEY: |
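Review bot: `pubkey_auth_attempt` is read from the unprivileged child with `buffer_get_int` in the second hunk and then used raw, both as a boolean in the new `auth_clear_options` condition and as an `int` argument in the third hunk (that call begins above the hunk, so its callee is not visible here). The monitor is the trusted side of the privsep boundary, so a flag arriving from the child should be normalized on receipt rather than trusted in shape: `pubkey_auth_attempt = buffer_get_int(m) != 0;` leaves every other line unchanged and guarantees the callee only ever sees 0 or 1 instead of an arbitrary `u_int` converted to `int`. The new condition itself is the right direction, since authorized_keys options are now dropped unless this was a real attempt whose key was allowed, but a one-line comment such as `/* never retain key options from a PK_OK query or a refused key */` would save the next reader from reconstructing that from the boolean.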
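--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor_wrap.c,v 1.84 2015/02/16 22:13:32 djm Exp $ */
+/* $OpenBSD: monitor_wrap.c,v 1.85 2015/05/01 03:23:51 djm Exp $ */
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
  * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -371,16 +371,17 @@ mm_auth_password(Authctxt *authctxt, char *password)
 }
 
 int
-mm_user_key_allowed(struct passwd *pw, Key *key)
+mm_user_key_allowed(struct passwd *pw, Key *key, int pubkey_auth_attempt)
 {
-	return (mm_key_allowed(MM_USERKEY, NULL, NULL, key));
+	return (mm_key_allowed(MM_USERKEY, NULL, NULL, key,
+	    pubkey_auth_attempt));
 }
 
 int
 mm_hostbased_key_allowed(struct passwd *pw, char *user, char *host,
     Key *key)
 {
-	return (mm_key_allowed(MM_HOSTKEY, user, host, key));
+	return (mm_key_allowed(MM_HOSTKEY, user, host, key, 0));
 }
 
 int
@@ -390,13 +391,14 @@ mm_auth_rhosts_rsa_key_allowed(struct passwd *pw, char *user,
 	int ret;
 
 	key->type = KEY_RSA; /* XXX hack for key_to_blob */
-	ret = mm_key_allowed(MM_RSAHOSTKEY, user, host, key);
+	ret = mm_key_allowed(MM_RSAHOSTKEY, user, host, key, 0);
 	key->type = KEY_RSA1;
 	return (ret);
 }
 
 int
-mm_key_allowed(enum mm_keytype type, char *user, char *host, Key *key)
+mm_key_allowed(enum mm_keytype type, char *user, char *host, Key *key,
+    int pubkey_auth_attempt)
 {
 	Buffer m;
 	u_char *blob;
@@ -414,6 +416,7 @@ mm_key_allowed(enum mm_keytype type, char *user, char *host, Key *key)
 	buffer_put_cstring(&m, user ? user : "");
 	buffer_put_cstring(&m, host ? host : "");
 	buffer_put_string(&m, blob, len);
+	buffer_put_int(&m, pubkey_auth_attempt);
 	free(blob);
 
 	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KEYALLOWED, &m);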
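Review bot: `mm_key_allowed` now carries `pubkey_auth_attempt` for every key type, yet only the MM_USERKEY wrapper forwards a caller-supplied value; `mm_hostbased_key_allowed` and `mm_auth_rhosts_rsa_key_allowed` (second and third hunks) hard-code 0 even though those are also genuine authentication attempts. That is presumably harmless because the monitor consults the flag only on the publickey path, but nothing in this file says so, and a reader of the hostbased wrapper will wonder why it claims not to be an attempt; I would put `/* pubkey_auth_attempt is only meaningful for MM_USERKEY; hostbased and rhosts-rsa callers pass 0 */` above `mm_key_allowed`. The parameter is declared `int` while `buffer_put_int` in the last hunk encodes a `u_int`, so the wire value is a flag, not a signed number; every caller here passes 0 or 1, which is worth stating in that same comment so nobody later routes a count or an error code through it.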
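--- a/monitor_wrap.h
+++ b/monitor_wrap.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor_wrap.h,v 1.26 2015/02/16 22:13:32 djm Exp $ */
+/* $OpenBSD: monitor_wrap.h,v 1.27 2015/05/01 03:23:51 djm Exp $ */
 
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
@@ -45,8 +45,8 @@ void mm_inform_authserv(char *, char *);
 struct passwd *mm_getpwnamallow(const char *);
 char *mm_auth2_read_banner(void);
 int mm_auth_password(struct Authctxt *, char *);
-int mm_key_allowed(enum mm_keytype, char *, char *, Key *);
-int mm_user_key_allowed(struct passwd *, Key *);
+int mm_key_allowed(enum mm_keytype, char *, char *, Key *, int);
+int mm_user_key_allowed(struct passwd *, Key *, int);
 int mm_hostbased_key_allowed(struct passwd *, char *, char *, Key *);
 int mm_auth_rhosts_rsa_key_allowed(struct passwd *, char *, char *, Key *);
 int mm_key_verify(Key *, u_char *, u_int, u_char *, u_int);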