1 files changed, 39 insertions, 31 deletions
diff --git a/auth-rsa.c b/auth-rsa.c
index 4edaab056..4ab46cd51 100644
--- a/auth-rsa.c
+++ b/auth-rsa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth-rsa.c,v 1.79 2010/12/03 23:55:27 djm Exp $ */
+/* $OpenBSD: auth-rsa.c,v 1.80 2011/05/23 03:30:07 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -160,44 +160,27 @@ auth_rsa_challenge_dialog(Key *key)
        return (success);
 }
-/*
+static int
- * check if there's user key matching client_n,
+rsa_key_allowed_in_file(struct passwd *pw, char *file,
- * return key if login is allowed, NULL otherwise
+    const BIGNUM *client_n, Key **rkey)
- */
-int
-auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey)
 {
-        char line[SSH_MAX_PUBKEY_BYTES], *file;
+        char line[SSH_MAX_PUBKEY_BYTES];
        int allowed = 0;
        u_int bits;
        FILE *f;
        u_long linenum = 0;
        Key *key;
-        /* Temporarily use the user's uid. */
-        temporarily_use_uid(pw);
-        /* The authorized keys. */
-        file = authorized_keys_file(pw);
        debug("trying public RSA key file %s", file);
-        f = auth_openkeyfile(file, pw, options.strict_modes);
+        if ((f = auth_openkeyfile(file, pw, options.strict_modes)) == NULL)
-        if (!f) {
+                return 0;
-                xfree(file);
-                restore_uid();
-                return (0);
-        }
-        /* Flag indicating whether the key is allowed. */
-        allowed = 0;
-        key = key_new(KEY_RSA1);
        /*
         * Go though the accepted keys, looking for the current key.  If
         * found, perform a challenge-response dialog to verify that the
         * user really has the corresponding private key.
         */
+        key = key_new(KEY_RSA1);
        while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
                char *cp;
                char *key_options;
@@ -235,7 +218,10 @@ auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey)
                }
                /* cp now points to the comment part. */
-                /* Check if the we have found the desired key (identified by its modulus). */
+                /*
+                 * Check if the we have found the desired key (identified
+                 * by its modulus).
+                 */
                if (BN_cmp(key->rsa->n, client_n) != 0)
                        continue;
@@ -264,11 +250,7 @@ auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey)
                break;
        }
-        /* Restore the privileged uid. */
-        restore_uid();
        /* Close the file. */
-        xfree(file);
        fclose(f);
        /* return key if allowed */
@@ -276,7 +258,33 @@ auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey)
                *rkey = key;
        else
                key_free(key);
-        return (allowed);
+        return allowed;
+}
+/*
+ * check if there's user key matching client_n,
+ * return key if login is allowed, NULL otherwise
+ */
+int
+auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey)
+{
+        char *file;
+        u_int i, allowed = 0;
+        temporarily_use_uid(pw);
+        for (i = 0; !allowed && i < options.num_authkeys_files; i++) {
+                file = expand_authorized_keys(
+                    options.authorized_keys_files[i], pw);
+                allowed = rsa_key_allowed_in_file(pw, file, client_n, rkey);
+                xfree(file);
+        }
+        restore_uid();
+        return allowed;
 }
 /*

diff --git a/auth-rsa.c b/auth-rsa.c index 4edaab056..4ab46cd51 100644 --- a/auth-rsa.c +++ b/auth-rsa.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: auth-rsa.c,v 1.79 2010/12/03 23:55:27 djm Exp $ */	1	/* $OpenBSD: auth-rsa.c,v 1.80 2011/05/23 03:30:07 djm Exp $ */
2	/*	2	/*
3	* Author: Tatu Ylonen <ylo@cs.hut.fi>	3	* Author: Tatu Ylonen <ylo@cs.hut.fi>
4	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland	4	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -160,44 +160,27 @@ auth_rsa_challenge_dialog(Key *key)
160	return (success);	160	return (success);
161	}	161	}
162		162
163	/*	163	static int
164	* check if there's user key matching client_n,	164	rsa_key_allowed_in_file(struct passwd pw, char file,
165	* return key if login is allowed, NULL otherwise	165	const BIGNUM client_n, Key *rkey)
166	*/
167
168	int
169	auth_rsa_key_allowed(struct passwd pw, BIGNUM client_n, Key **rkey)
170	{	166	{
171	char line[SSH_MAX_PUBKEY_BYTES], *file;	167	char line[SSH_MAX_PUBKEY_BYTES];
172	int allowed = 0;	168	int allowed = 0;
173	u_int bits;	169	u_int bits;
174	FILE *f;	170	FILE *f;
175	u_long linenum = 0;	171	u_long linenum = 0;
176	Key *key;	172	Key *key;
177		173
178	/* Temporarily use the user's uid. */
179	temporarily_use_uid(pw);
180
181	/* The authorized keys. */
182	file = authorized_keys_file(pw);
183	debug("trying public RSA key file %s", file);	174	debug("trying public RSA key file %s", file);
184	f = auth_openkeyfile(file, pw, options.strict_modes);	175	if ((f = auth_openkeyfile(file, pw, options.strict_modes)) == NULL)
185	if (!f) {	176	return 0;
186	xfree(file);
187	restore_uid();
188	return (0);
189	}
190
191	/* Flag indicating whether the key is allowed. */
192	allowed = 0;
193
194	key = key_new(KEY_RSA1);
195		177
196	/*	178	/*
197	* Go though the accepted keys, looking for the current key. If	179	* Go though the accepted keys, looking for the current key. If
198	* found, perform a challenge-response dialog to verify that the	180	* found, perform a challenge-response dialog to verify that the
199	* user really has the corresponding private key.	181	* user really has the corresponding private key.
200	*/	182	*/
		183	key = key_new(KEY_RSA1);
201	while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {	184	while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
202	char *cp;	185	char *cp;
203	char *key_options;	186	char *key_options;
@@ -235,7 +218,10 @@ auth_rsa_key_allowed(struct passwd pw, BIGNUM client_n, Key **rkey)
235	}	218	}
236	/* cp now points to the comment part. */	219	/* cp now points to the comment part. */
237		220
238	/* Check if the we have found the desired key (identified by its modulus). */	221	/*
		222	* Check if the we have found the desired key (identified
		223	* by its modulus).
		224	*/
239	if (BN_cmp(key->rsa->n, client_n) != 0)	225	if (BN_cmp(key->rsa->n, client_n) != 0)
240	continue;	226	continue;
241		227
@@ -264,11 +250,7 @@ auth_rsa_key_allowed(struct passwd pw, BIGNUM client_n, Key **rkey)
264	break;	250	break;
265	}	251	}
266		252
267	/* Restore the privileged uid. */
268	restore_uid();
269
270	/* Close the file. */	253	/* Close the file. */
271	xfree(file);
272	fclose(f);	254	fclose(f);
273		255
274	/* return key if allowed */	256	/* return key if allowed */
@@ -276,7 +258,33 @@ auth_rsa_key_allowed(struct passwd pw, BIGNUM client_n, Key **rkey)
276	*rkey = key;	258	*rkey = key;
277	else	259	else
278	key_free(key);	260	key_free(key);
279	return (allowed);	261
		262	return allowed;
		263	}
		264
		265	/*
		266	* check if there's user key matching client_n,
		267	* return key if login is allowed, NULL otherwise
		268	*/
		269
		270	int
		271	auth_rsa_key_allowed(struct passwd pw, BIGNUM client_n, Key **rkey)
		272	{
		273	char *file;
		274	u_int i, allowed = 0;
		275
		276	temporarily_use_uid(pw);
		277
		278	for (i = 0; !allowed && i < options.num_authkeys_files; i++) {
		279	file = expand_authorized_keys(
		280	options.authorized_keys_files[i], pw);
		281	allowed = rsa_key_allowed_in_file(pw, file, client_n, rkey);
		282	xfree(file);
		283	}
		284
		285	restore_uid();
		286
		287	return allowed;
280	}	288	}
281		289
282	/*	290	/*