diff options
-rw-r--r-- | auth-options.c | 3 | ||||
-rw-r--r-- | auth-options.h | 4 | ||||
-rw-r--r-- | auth2-pubkey.c | 34 | ||||
-rw-r--r-- | session.c | 7 |
4 files changed, 47 insertions, 1 deletions
diff --git a/auth-options.c b/auth-options.c index 98afdf5fe..4a4ba9016 100644 --- a/auth-options.c +++ b/auth-options.c | |||
@@ -40,6 +40,9 @@ | |||
40 | #include "ssh2.h" | 40 | #include "ssh2.h" |
41 | #include "auth-options.h" | 41 | #include "auth-options.h" |
42 | 42 | ||
43 | char *wildcard_match = NULL; | ||
44 | char *wildcard_fingerprint = NULL; | ||
45 | |||
43 | static int | 46 | static int |
44 | dup_strings(char ***dstp, size_t *ndstp, char **src, size_t nsrc) | 47 | dup_strings(char ***dstp, size_t *ndstp, char **src, size_t nsrc) |
45 | { | 48 | { |
diff --git a/auth-options.h b/auth-options.h index 118a32087..165180187 100644 --- a/auth-options.h +++ b/auth-options.h | |||
@@ -75,6 +75,10 @@ struct sshauthopt { | |||
75 | int require_verify; | 75 | int require_verify; |
76 | }; | 76 | }; |
77 | 77 | ||
78 | |||
79 | extern char *wildcard_match; | ||
80 | extern char *wildcard_fingerprint; | ||
81 | |||
78 | struct sshauthopt *sshauthopt_new(void); | 82 | struct sshauthopt *sshauthopt_new(void); |
79 | struct sshauthopt *sshauthopt_new_with_keys_defaults(void); | 83 | struct sshauthopt *sshauthopt_new_with_keys_defaults(void); |
80 | void sshauthopt_free(struct sshauthopt *opts); | 84 | void sshauthopt_free(struct sshauthopt *opts); |
diff --git a/auth2-pubkey.c b/auth2-pubkey.c index c3ecd9afc..bba8dfefa 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c | |||
@@ -69,6 +69,7 @@ | |||
69 | #include "channels.h" /* XXX for session.h */ | 69 | #include "channels.h" /* XXX for session.h */ |
70 | #include "session.h" /* XXX for child_set_env(); refactor? */ | 70 | #include "session.h" /* XXX for child_set_env(); refactor? */ |
71 | #include "sk-api.h" | 71 | #include "sk-api.h" |
72 | #include "digest.h" | ||
72 | 73 | ||
73 | /* import */ | 74 | /* import */ |
74 | extern ServerOptions options; | 75 | extern ServerOptions options; |
@@ -604,6 +605,8 @@ check_authkey_line(struct ssh *ssh, struct passwd *pw, struct sshkey *key, | |||
604 | 605 | ||
605 | /* XXX djm: peek at key type in line and skip if unwanted */ | 606 | /* XXX djm: peek at key type in line and skip if unwanted */ |
606 | 607 | ||
608 | int wild = 0; | ||
609 | |||
607 | if (sshkey_read(found, &cp) != 0) { | 610 | if (sshkey_read(found, &cp) != 0) { |
608 | /* no key? check for options */ | 611 | /* no key? check for options */ |
609 | debug2("%s: check options: '%s'", loc, cp); | 612 | debug2("%s: check options: '%s'", loc, cp); |
@@ -613,7 +616,10 @@ check_authkey_line(struct ssh *ssh, struct passwd *pw, struct sshkey *key, | |||
613 | goto fail_reason; | 616 | goto fail_reason; |
614 | } | 617 | } |
615 | skip_space(&cp); | 618 | skip_space(&cp); |
616 | if (sshkey_read(found, &cp) != 0) { | 619 | if (*cp == '*' && (cp[1] == ' ' || cp[1] == '\n' || cp[1] == '\t' || cp[1] == '\0')) { |
620 | cp += 2; | ||
621 | wild = 1; | ||
622 | } else if (sshkey_read(found, &cp) != 0) { | ||
617 | /* still no key? advance to next line*/ | 623 | /* still no key? advance to next line*/ |
618 | debug2("%s: advance: '%s'", loc, cp); | 624 | debug2("%s: advance: '%s'", loc, cp); |
619 | goto out; | 625 | goto out; |
@@ -625,6 +631,32 @@ check_authkey_line(struct ssh *ssh, struct passwd *pw, struct sshkey *key, | |||
625 | auth_debug_add("%s: bad key options: %s", loc, reason); | 631 | auth_debug_add("%s: bad key options: %s", loc, reason); |
626 | goto out; | 632 | goto out; |
627 | } | 633 | } |
634 | |||
635 | if (wild) { | ||
636 | int r; | ||
637 | char *keytext = NULL; | ||
638 | if ((r = sshkey_to_base64(key, &keytext)) != 0) { | ||
639 | error("%s: sshkey_to_base64 failed: %s", __func__, ssh_err(r)); | ||
640 | goto out; | ||
641 | } | ||
642 | if (!keyopts->force_command) { | ||
643 | reason = "Wildcard login is not allowed without specifying a forced command"; | ||
644 | goto fail_reason; | ||
645 | } | ||
646 | |||
647 | wildcard_match = keytext; | ||
648 | wildcard_fingerprint = sshkey_fingerprint(key, SSH_DIGEST_SHA256, SSH_FP_HEX); | ||
649 | |||
650 | verbose("Accepted wildcard authorization for %s key %s with forced_command=%s", | ||
651 | sshkey_type(key), | ||
652 | wildcard_fingerprint, | ||
653 | keyopts->force_command); | ||
654 | |||
655 | finalopts = keyopts; | ||
656 | keyopts = NULL; | ||
657 | goto success; | ||
658 | } | ||
659 | |||
628 | /* Ignore keys that don't match or incorrectly marked as CAs */ | 660 | /* Ignore keys that don't match or incorrectly marked as CAs */ |
629 | if (sshkey_is_cert(key)) { | 661 | if (sshkey_is_cert(key)) { |
630 | /* Certificate; check signature key against CA */ | 662 | /* Certificate; check signature key against CA */ |
@@ -1071,6 +1071,13 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell) | |||
1071 | child_set_env(&env, &envsize, "TERM", s->term); | 1071 | child_set_env(&env, &envsize, "TERM", s->term); |
1072 | if (s->display) | 1072 | if (s->display) |
1073 | child_set_env(&env, &envsize, "DISPLAY", s->display); | 1073 | child_set_env(&env, &envsize, "DISPLAY", s->display); |
1074 | if (wildcard_match) { | ||
1075 | child_set_env(&env, &envsize, "SSH_REMOTE_KEY", | ||
1076 | wildcard_match); | ||
1077 | child_set_env(&env, &envsize, "SSH_REMOTE_FINGERPRINT", | ||
1078 | wildcard_fingerprint); | ||
1079 | } | ||
1080 | |||
1074 | 1081 | ||
1075 | /* | 1082 | /* |
1076 | * Since we clear KRB5CCNAME at startup, if it's set now then it | 1083 | * Since we clear KRB5CCNAME at startup, if it's set now then it |