diff options
Diffstat (limited to 'auth.c')
| -rw-r--r-- | auth.c | 49 |
1 files changed, 45 insertions, 4 deletions
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: auth.c,v 1.75 2006/08/03 03:34:41 deraadt Exp $ */ | 1 | /* $OpenBSD: auth.c,v 1.79 2008/07/02 12:03:51 dtucker Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. |
| 4 | * | 4 | * |
| @@ -32,6 +32,7 @@ | |||
| 32 | #include <netinet/in.h> | 32 | #include <netinet/in.h> |
| 33 | 33 | ||
| 34 | #include <errno.h> | 34 | #include <errno.h> |
| 35 | #include <fcntl.h> | ||
| 35 | #ifdef HAVE_PATHS_H | 36 | #ifdef HAVE_PATHS_H |
| 36 | # include <paths.h> | 37 | # include <paths.h> |
| 37 | #endif | 38 | #endif |
| @@ -48,6 +49,7 @@ | |||
| 48 | #include <stdarg.h> | 49 | #include <stdarg.h> |
| 49 | #include <stdio.h> | 50 | #include <stdio.h> |
| 50 | #include <string.h> | 51 | #include <string.h> |
| 52 | #include <unistd.h> | ||
| 51 | 53 | ||
| 52 | #include "xmalloc.h" | 54 | #include "xmalloc.h" |
| 53 | #include "match.h" | 55 | #include "match.h" |
| @@ -113,6 +115,7 @@ allowed_user(struct passwd * pw) | |||
| 113 | #endif /* USE_SHADOW */ | 115 | #endif /* USE_SHADOW */ |
| 114 | 116 | ||
| 115 | /* grab passwd field for locked account check */ | 117 | /* grab passwd field for locked account check */ |
| 118 | passwd = pw->pw_passwd; | ||
| 116 | #ifdef USE_SHADOW | 119 | #ifdef USE_SHADOW |
| 117 | if (spw != NULL) | 120 | if (spw != NULL) |
| 118 | #ifdef USE_LIBIAF | 121 | #ifdef USE_LIBIAF |
| @@ -120,8 +123,6 @@ allowed_user(struct passwd * pw) | |||
| 120 | #else | 123 | #else |
| 121 | passwd = spw->sp_pwdp; | 124 | passwd = spw->sp_pwdp; |
| 122 | #endif /* USE_LIBIAF */ | 125 | #endif /* USE_LIBIAF */ |
| 123 | #else | ||
| 124 | passwd = pw->pw_passwd; | ||
| 125 | #endif | 126 | #endif |
| 126 | 127 | ||
| 127 | /* check for locked account */ | 128 | /* check for locked account */ |
| @@ -410,7 +411,7 @@ check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host, | |||
| 410 | * | 411 | * |
| 411 | * Returns 0 on success and -1 on failure | 412 | * Returns 0 on success and -1 on failure |
| 412 | */ | 413 | */ |
| 413 | int | 414 | static int |
| 414 | secure_filename(FILE *f, const char *file, struct passwd *pw, | 415 | secure_filename(FILE *f, const char *file, struct passwd *pw, |
| 415 | char *err, size_t errlen) | 416 | char *err, size_t errlen) |
| 416 | { | 417 | { |
| @@ -470,6 +471,46 @@ secure_filename(FILE *f, const char *file, struct passwd *pw, | |||
| 470 | return 0; | 471 | return 0; |
| 471 | } | 472 | } |
| 472 | 473 | ||
| 474 | FILE * | ||
| 475 | auth_openkeyfile(const char *file, struct passwd *pw, int strict_modes) | ||
| 476 | { | ||
| 477 | char line[1024]; | ||
| 478 | struct stat st; | ||
| 479 | int fd; | ||
| 480 | FILE *f; | ||
| 481 | |||
| 482 | /* | ||
| 483 | * Open the file containing the authorized keys | ||
| 484 | * Fail quietly if file does not exist | ||
| 485 | */ | ||
| 486 | if ((fd = open(file, O_RDONLY|O_NONBLOCK)) == -1) | ||
| 487 | return NULL; | ||
| 488 | |||
| 489 | if (fstat(fd, &st) < 0) { | ||
| 490 | close(fd); | ||
| 491 | return NULL; | ||
| 492 | } | ||
| 493 | if (!S_ISREG(st.st_mode)) { | ||
| 494 | logit("User %s authorized keys %s is not a regular file", | ||
| 495 | pw->pw_name, file); | ||
| 496 | close(fd); | ||
| 497 | return NULL; | ||
| 498 | } | ||
| 499 | unset_nonblock(fd); | ||
| 500 | if ((f = fdopen(fd, "r")) == NULL) { | ||
| 501 | close(fd); | ||
| 502 | return NULL; | ||
| 503 | } | ||
| 504 | if (options.strict_modes && | ||
| 505 | secure_filename(f, file, pw, line, sizeof(line)) != 0) { | ||
| 506 | fclose(f); | ||
| 507 | logit("Authentication refused: %s", line); | ||
| 508 | return NULL; | ||
| 509 | } | ||
| 510 | |||
| 511 | return f; | ||
| 512 | } | ||
| 513 | |||
| 473 | struct passwd * | 514 | struct passwd * |
| 474 | getpwnamallow(const char *user) | 515 | getpwnamallow(const char *user) |
| 475 | { | 516 | { |