Diffstat (limited to 'auth-rsa.c')
-rw-r--r-- | auth-rsa.c | 70 |
1 files changed, 39 insertions, 31 deletions
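--- a/auth-rsa.c
+++ b/auth-rsa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth-rsa.c,v 1.79 2010/12/03 23:55:27 djm Exp $ */
+/* $OpenBSD: auth-rsa.c,v 1.80 2011/05/23 03:30:07 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -160,38 +160,20 @@ auth_rsa_challenge_dialog(Key *key)
 	return (success);
 }
 
-/*
- * check if there's user key matching client_n,
- * return key if login is allowed, NULL otherwise
- */
-
-int
-auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey)
+static int
+rsa_key_allowed_in_file(struct passwd *pw, char *file,
+    const BIGNUM *client_n, Key **rkey)
 {
-	char line[SSH_MAX_PUBKEY_BYTES], *file;
+	char line[SSH_MAX_PUBKEY_BYTES];
 	int allowed = 0;
 	u_int bits;
 	FILE *f;
 	u_long linenum = 0;
 	Key *key;
 
-	/* Temporarily use the user's uid. */
-	temporarily_use_uid(pw);
-
-	/* The authorized keys. */
-	file = authorized_keys_file(pw);
 	debug("trying public RSA key file %s", file);
-	f = auth_openkeyfile(file, pw, options.strict_modes);
-	if (!f) {
-		xfree(file);
-		restore_uid();
-		return (0);
-	}
-
-	/* Flag indicating whether the key is allowed. */
-	allowed = 0;
-
-	key = key_new(KEY_RSA1);
+	if ((f = auth_openkeyfile(file, pw, options.strict_modes)) == NULL)
+		return 0;
 
 	auth_start_parse_options();
 
@@ -200,6 +182,7 @@ auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey)
 	 * found, perform a challenge-response dialog to verify that the
 	 * user really has the corresponding private key.
 	 */
+	key = key_new(KEY_RSA1);
 	while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
 		char *cp;
 		char *key_options;
@@ -237,7 +220,10 @@ auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey)
 		}
 		/* cp now points to the comment part. */
 
-		/* Check if the we have found the desired key (identified by its modulus). */
+		/*
+		 * Check if the we have found the desired key (identified
+		 * by its modulus).
+		 */
 		if (BN_cmp(key->rsa->n, client_n) != 0)
 			continue;
 
@@ -266,11 +252,7 @@ auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey)
 		break;
 	}
 
-	/* Restore the privileged uid. */
-	restore_uid();
-
 	/* Close the file. */
-	xfree(file);
 	fclose(f);
 
 	/* return key if allowed */
@@ -278,7 +260,33 @@ auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey)
 		*rkey = key;
 	else
 		key_free(key);
-	return (allowed);
+
+	return allowed;
+}
+
+/*
+ * check if there's user key matching client_n,
+ * return key if login is allowed, NULL otherwise
+ */
+
+int
+auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey)
+{
+	char *file;
+	u_int i, allowed = 0;
+
+	temporarily_use_uid(pw);
+
+	for (i = 0; !allowed && i < options.num_authkeys_files; i++) {
+		file = expand_authorized_keys(
+		    options.authorized_keys_files[i], pw);
+		allowed = rsa_key_allowed_in_file(pw, file, client_n, rkey);
+		xfree(file);
+	}
+
+	restore_uid();
+
+	return allowed;
 }
 
 /*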
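Review bot: The new static helper rsa_key_allowed_in_file (new lines 163–265) carries no header comment, and the comment block that used to sit above this scanning logic now describes only the wrapper auth_rsa_key_allowed, so the helper's two non-obvious contracts are undocumented: it expects the caller to have already switched to the user's uid (temporarily_use_uid is now called only in the wrapper, while auth_openkeyfile with options.strict_modes runs inside the helper), and an unopenable file is reported as `return 0` rather than as an error, which is what lets the loop over options.authorized_keys_files move on to the next file. Suggest a comment above `static int` along the lines of `/* Scan one authorized_keys file for an RSA1 key whose modulus matches client_n. Caller must hold the user's uid. Returns 1 and stores the key in *rkey (caller frees), 0 otherwise, including when the file cannot be opened. */`. Two smaller points of style: `file` is only read here (debug, auth_openkeyfile, read_keyfile_line), so `const char *file` would be consistent with the `const BIGNUM *client_n` qualifier the same signature introduces, provided those callees accept a const pointer; and the helper returns `int allowed` while the wrapper accumulates it in `u_int i, allowed = 0;`, so one of the two should probably use the other's type. The helper's body between new lines 189 and 251 lies outside the visible hunks, so the key-options and challenge-dialog paths were not reviewed here.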