summaryrefslogtreecommitdiff
path: root/auth-rsa.c
diff options
context:
space:
mode:
Diffstat (limited to 'auth-rsa.c')
-rw-r--r--auth-rsa.c70
1 files changed, 39 insertions, 31 deletions
diff --git a/auth-rsa.c b/auth-rsa.c
index 4edaab056..4ab46cd51 100644
--- a/auth-rsa.c
+++ b/auth-rsa.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: auth-rsa.c,v 1.79 2010/12/03 23:55:27 djm Exp $ */ 1/* $OpenBSD: auth-rsa.c,v 1.80 2011/05/23 03:30:07 djm Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -160,44 +160,27 @@ auth_rsa_challenge_dialog(Key *key)
160 return (success); 160 return (success);
161} 161}
162 162
163/* 163static int
164 * check if there's user key matching client_n, 164rsa_key_allowed_in_file(struct passwd *pw, char *file,
165 * return key if login is allowed, NULL otherwise 165 const BIGNUM *client_n, Key **rkey)
166 */
167
168int
169auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey)
170{ 166{
171 char line[SSH_MAX_PUBKEY_BYTES], *file; 167 char line[SSH_MAX_PUBKEY_BYTES];
172 int allowed = 0; 168 int allowed = 0;
173 u_int bits; 169 u_int bits;
174 FILE *f; 170 FILE *f;
175 u_long linenum = 0; 171 u_long linenum = 0;
176 Key *key; 172 Key *key;
177 173
178 /* Temporarily use the user's uid. */
179 temporarily_use_uid(pw);
180
181 /* The authorized keys. */
182 file = authorized_keys_file(pw);
183 debug("trying public RSA key file %s", file); 174 debug("trying public RSA key file %s", file);
184 f = auth_openkeyfile(file, pw, options.strict_modes); 175 if ((f = auth_openkeyfile(file, pw, options.strict_modes)) == NULL)
185 if (!f) { 176 return 0;
186 xfree(file);
187 restore_uid();
188 return (0);
189 }
190
191 /* Flag indicating whether the key is allowed. */
192 allowed = 0;
193
194 key = key_new(KEY_RSA1);
195 177
196 /* 178 /*
197 * Go though the accepted keys, looking for the current key. If 179 * Go though the accepted keys, looking for the current key. If
198 * found, perform a challenge-response dialog to verify that the 180 * found, perform a challenge-response dialog to verify that the
199 * user really has the corresponding private key. 181 * user really has the corresponding private key.
200 */ 182 */
183 key = key_new(KEY_RSA1);
201 while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { 184 while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
202 char *cp; 185 char *cp;
203 char *key_options; 186 char *key_options;
@@ -235,7 +218,10 @@ auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey)
235 } 218 }
236 /* cp now points to the comment part. */ 219 /* cp now points to the comment part. */
237 220
238 /* Check if the we have found the desired key (identified by its modulus). */ 221 /*
222 * Check if the we have found the desired key (identified
223 * by its modulus).
224 */
239 if (BN_cmp(key->rsa->n, client_n) != 0) 225 if (BN_cmp(key->rsa->n, client_n) != 0)
240 continue; 226 continue;
241 227
@@ -264,11 +250,7 @@ auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey)
264 break; 250 break;
265 } 251 }
266 252
267 /* Restore the privileged uid. */
268 restore_uid();
269
270 /* Close the file. */ 253 /* Close the file. */
271 xfree(file);
272 fclose(f); 254 fclose(f);
273 255
274 /* return key if allowed */ 256 /* return key if allowed */
@@ -276,7 +258,33 @@ auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey)
276 *rkey = key; 258 *rkey = key;
277 else 259 else
278 key_free(key); 260 key_free(key);
279 return (allowed); 261
262 return allowed;
263}
264
265/*
266 * check if there's user key matching client_n,
267 * return key if login is allowed, NULL otherwise
268 */
269
270int
271auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey)
272{
273 char *file;
274 u_int i, allowed = 0;
275
276 temporarily_use_uid(pw);
277
278 for (i = 0; !allowed && i < options.num_authkeys_files; i++) {
279 file = expand_authorized_keys(
280 options.authorized_keys_files[i], pw);
281 allowed = rsa_key_allowed_in_file(pw, file, client_n, rkey);
282 xfree(file);
283 }
284
285 restore_uid();
286
287 return allowed;
280} 288}
281 289
282/* 290/*