diff options
Diffstat (limited to 'auth.c')
-rw-r--r-- | auth.c | 48 |
1 files changed, 35 insertions, 13 deletions
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: auth.c,v 1.86 2010/03/05 02:58:11 djm Exp $ */ | 1 | /* $OpenBSD: auth.c,v 1.89 2010/08/04 05:42:47 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. |
4 | * | 4 | * |
@@ -144,7 +144,7 @@ allowed_user(struct passwd * pw) | |||
144 | locked = 1; | 144 | locked = 1; |
145 | #endif | 145 | #endif |
146 | #ifdef USE_LIBIAF | 146 | #ifdef USE_LIBIAF |
147 | free(passwd); | 147 | free((void *) passwd); |
148 | #endif /* USE_LIBIAF */ | 148 | #endif /* USE_LIBIAF */ |
149 | if (locked) { | 149 | if (locked) { |
150 | logit("User %.100s not allowed because account is locked", | 150 | logit("User %.100s not allowed because account is locked", |
@@ -367,6 +367,14 @@ authorized_keys_file2(struct passwd *pw) | |||
367 | return expand_authorized_keys(options.authorized_keys_file2, pw); | 367 | return expand_authorized_keys(options.authorized_keys_file2, pw); |
368 | } | 368 | } |
369 | 369 | ||
370 | char * | ||
371 | authorized_principals_file(struct passwd *pw) | ||
372 | { | ||
373 | if (options.authorized_principals_file == NULL) | ||
374 | return NULL; | ||
375 | return expand_authorized_keys(options.authorized_principals_file, pw); | ||
376 | } | ||
377 | |||
370 | /* return ok if key exists in sysfile or userfile */ | 378 | /* return ok if key exists in sysfile or userfile */ |
371 | HostStatus | 379 | HostStatus |
372 | check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host, | 380 | check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host, |
@@ -378,7 +386,7 @@ check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host, | |||
378 | HostStatus host_status; | 386 | HostStatus host_status; |
379 | 387 | ||
380 | /* Check if we know the host and its host key. */ | 388 | /* Check if we know the host and its host key. */ |
381 | found = key_new(key->type); | 389 | found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type); |
382 | host_status = check_host_in_hostfile(sysfile, host, key, found, NULL); | 390 | host_status = check_host_in_hostfile(sysfile, host, key, found, NULL); |
383 | 391 | ||
384 | if (host_status != HOST_OK && userfile != NULL) { | 392 | if (host_status != HOST_OK && userfile != NULL) { |
@@ -389,6 +397,8 @@ check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host, | |||
389 | logit("Authentication refused for %.100s: " | 397 | logit("Authentication refused for %.100s: " |
390 | "bad owner or modes for %.200s", | 398 | "bad owner or modes for %.200s", |
391 | pw->pw_name, user_hostfile); | 399 | pw->pw_name, user_hostfile); |
400 | auth_debug_add("Ignored %.200s: bad ownership or modes", | ||
401 | user_hostfile); | ||
392 | } else { | 402 | } else { |
393 | temporarily_use_uid(pw); | 403 | temporarily_use_uid(pw); |
394 | host_status = check_host_in_hostfile(user_hostfile, | 404 | host_status = check_host_in_hostfile(user_hostfile, |
@@ -475,21 +485,18 @@ secure_filename(FILE *f, const char *file, struct passwd *pw, | |||
475 | return 0; | 485 | return 0; |
476 | } | 486 | } |
477 | 487 | ||
478 | FILE * | 488 | static FILE * |
479 | auth_openkeyfile(const char *file, struct passwd *pw, int strict_modes) | 489 | auth_openfile(const char *file, struct passwd *pw, int strict_modes, |
490 | int log_missing, char *file_type) | ||
480 | { | 491 | { |
481 | char line[1024]; | 492 | char line[1024]; |
482 | struct stat st; | 493 | struct stat st; |
483 | int fd; | 494 | int fd; |
484 | FILE *f; | 495 | FILE *f; |
485 | 496 | ||
486 | /* | ||
487 | * Open the file containing the authorized keys | ||
488 | * Fail quietly if file does not exist | ||
489 | */ | ||
490 | if ((fd = open(file, O_RDONLY|O_NONBLOCK)) == -1) { | 497 | if ((fd = open(file, O_RDONLY|O_NONBLOCK)) == -1) { |
491 | if (errno != ENOENT) | 498 | if (log_missing || errno != ENOENT) |
492 | debug("Could not open keyfile '%s': %s", file, | 499 | debug("Could not open %s '%s': %s", file_type, file, |
493 | strerror(errno)); | 500 | strerror(errno)); |
494 | return NULL; | 501 | return NULL; |
495 | } | 502 | } |
@@ -499,8 +506,8 @@ auth_openkeyfile(const char *file, struct passwd *pw, int strict_modes) | |||
499 | return NULL; | 506 | return NULL; |
500 | } | 507 | } |
501 | if (!S_ISREG(st.st_mode)) { | 508 | if (!S_ISREG(st.st_mode)) { |
502 | logit("User %s authorized keys %s is not a regular file", | 509 | logit("User %s %s %s is not a regular file", |
503 | pw->pw_name, file); | 510 | pw->pw_name, file_type, file); |
504 | close(fd); | 511 | close(fd); |
505 | return NULL; | 512 | return NULL; |
506 | } | 513 | } |
@@ -513,12 +520,27 @@ auth_openkeyfile(const char *file, struct passwd *pw, int strict_modes) | |||
513 | secure_filename(f, file, pw, line, sizeof(line)) != 0) { | 520 | secure_filename(f, file, pw, line, sizeof(line)) != 0) { |
514 | fclose(f); | 521 | fclose(f); |
515 | logit("Authentication refused: %s", line); | 522 | logit("Authentication refused: %s", line); |
523 | auth_debug_add("Ignored %s: %s", file_type, line); | ||
516 | return NULL; | 524 | return NULL; |
517 | } | 525 | } |
518 | 526 | ||
519 | return f; | 527 | return f; |
520 | } | 528 | } |
521 | 529 | ||
530 | |||
531 | FILE * | ||
532 | auth_openkeyfile(const char *file, struct passwd *pw, int strict_modes) | ||
533 | { | ||
534 | return auth_openfile(file, pw, strict_modes, 1, "authorized keys"); | ||
535 | } | ||
536 | |||
537 | FILE * | ||
538 | auth_openprincipals(const char *file, struct passwd *pw, int strict_modes) | ||
539 | { | ||
540 | return auth_openfile(file, pw, strict_modes, 0, | ||
541 | "authorized principals"); | ||
542 | } | ||
543 | |||
522 | struct passwd * | 544 | struct passwd * |
523 | getpwnamallow(const char *user) | 545 | getpwnamallow(const char *user) |
524 | { | 546 | { |