summaryrefslogtreecommitdiff
path: root/auth.c
diff options
context:
space:
mode:
Diffstat (limited to 'auth.c')
-rw-r--r--auth.c48
1 files changed, 35 insertions, 13 deletions
diff --git a/auth.c b/auth.c
index a188b891e..669bfc740 100644
--- a/auth.c
+++ b/auth.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: auth.c,v 1.86 2010/03/05 02:58:11 djm Exp $ */ 1/* $OpenBSD: auth.c,v 1.89 2010/08/04 05:42:47 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2000 Markus Friedl. All rights reserved. 3 * Copyright (c) 2000 Markus Friedl. All rights reserved.
4 * 4 *
@@ -144,7 +144,7 @@ allowed_user(struct passwd * pw)
144 locked = 1; 144 locked = 1;
145#endif 145#endif
146#ifdef USE_LIBIAF 146#ifdef USE_LIBIAF
147 free(passwd); 147 free((void *) passwd);
148#endif /* USE_LIBIAF */ 148#endif /* USE_LIBIAF */
149 if (locked) { 149 if (locked) {
150 logit("User %.100s not allowed because account is locked", 150 logit("User %.100s not allowed because account is locked",
@@ -367,6 +367,14 @@ authorized_keys_file2(struct passwd *pw)
367 return expand_authorized_keys(options.authorized_keys_file2, pw); 367 return expand_authorized_keys(options.authorized_keys_file2, pw);
368} 368}
369 369
370char *
371authorized_principals_file(struct passwd *pw)
372{
373 if (options.authorized_principals_file == NULL)
374 return NULL;
375 return expand_authorized_keys(options.authorized_principals_file, pw);
376}
377
370/* return ok if key exists in sysfile or userfile */ 378/* return ok if key exists in sysfile or userfile */
371HostStatus 379HostStatus
372check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host, 380check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host,
@@ -378,7 +386,7 @@ check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host,
378 HostStatus host_status; 386 HostStatus host_status;
379 387
380 /* Check if we know the host and its host key. */ 388 /* Check if we know the host and its host key. */
381 found = key_new(key->type); 389 found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);
382 host_status = check_host_in_hostfile(sysfile, host, key, found, NULL); 390 host_status = check_host_in_hostfile(sysfile, host, key, found, NULL);
383 391
384 if (host_status != HOST_OK && userfile != NULL) { 392 if (host_status != HOST_OK && userfile != NULL) {
@@ -389,6 +397,8 @@ check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host,
389 logit("Authentication refused for %.100s: " 397 logit("Authentication refused for %.100s: "
390 "bad owner or modes for %.200s", 398 "bad owner or modes for %.200s",
391 pw->pw_name, user_hostfile); 399 pw->pw_name, user_hostfile);
400 auth_debug_add("Ignored %.200s: bad ownership or modes",
401 user_hostfile);
392 } else { 402 } else {
393 temporarily_use_uid(pw); 403 temporarily_use_uid(pw);
394 host_status = check_host_in_hostfile(user_hostfile, 404 host_status = check_host_in_hostfile(user_hostfile,
@@ -475,21 +485,18 @@ secure_filename(FILE *f, const char *file, struct passwd *pw,
475 return 0; 485 return 0;
476} 486}
477 487
478FILE * 488static FILE *
479auth_openkeyfile(const char *file, struct passwd *pw, int strict_modes) 489auth_openfile(const char *file, struct passwd *pw, int strict_modes,
490 int log_missing, char *file_type)
480{ 491{
481 char line[1024]; 492 char line[1024];
482 struct stat st; 493 struct stat st;
483 int fd; 494 int fd;
484 FILE *f; 495 FILE *f;
485 496
486 /*
487 * Open the file containing the authorized keys
488 * Fail quietly if file does not exist
489 */
490 if ((fd = open(file, O_RDONLY|O_NONBLOCK)) == -1) { 497 if ((fd = open(file, O_RDONLY|O_NONBLOCK)) == -1) {
491 if (errno != ENOENT) 498 if (log_missing || errno != ENOENT)
492 debug("Could not open keyfile '%s': %s", file, 499 debug("Could not open %s '%s': %s", file_type, file,
493 strerror(errno)); 500 strerror(errno));
494 return NULL; 501 return NULL;
495 } 502 }
@@ -499,8 +506,8 @@ auth_openkeyfile(const char *file, struct passwd *pw, int strict_modes)
499 return NULL; 506 return NULL;
500 } 507 }
501 if (!S_ISREG(st.st_mode)) { 508 if (!S_ISREG(st.st_mode)) {
502 logit("User %s authorized keys %s is not a regular file", 509 logit("User %s %s %s is not a regular file",
503 pw->pw_name, file); 510 pw->pw_name, file_type, file);
504 close(fd); 511 close(fd);
505 return NULL; 512 return NULL;
506 } 513 }
@@ -513,12 +520,27 @@ auth_openkeyfile(const char *file, struct passwd *pw, int strict_modes)
513 secure_filename(f, file, pw, line, sizeof(line)) != 0) { 520 secure_filename(f, file, pw, line, sizeof(line)) != 0) {
514 fclose(f); 521 fclose(f);
515 logit("Authentication refused: %s", line); 522 logit("Authentication refused: %s", line);
523 auth_debug_add("Ignored %s: %s", file_type, line);
516 return NULL; 524 return NULL;
517 } 525 }
518 526
519 return f; 527 return f;
520} 528}
521 529
530
531FILE *
532auth_openkeyfile(const char *file, struct passwd *pw, int strict_modes)
533{
534 return auth_openfile(file, pw, strict_modes, 1, "authorized keys");
535}
536
537FILE *
538auth_openprincipals(const char *file, struct passwd *pw, int strict_modes)
539{
540 return auth_openfile(file, pw, strict_modes, 0,
541 "authorized principals");
542}
543
522struct passwd * 544struct passwd *
523getpwnamallow(const char *user) 545getpwnamallow(const char *user)
524{ 546{