Diffstat (limited to 'auth.c')
-rw-r--r-- | auth.c | 72 |
1 files changed, 35 insertions, 37 deletions
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: auth.c,v 1.106 2014/07/15 15:54:14 millert Exp $ */ | 1 | /* $OpenBSD: auth.c,v 1.110 2015/02/25 17:29:38 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. |
4 | * | 4 | * |
@@ -27,7 +27,6 @@ | |||
27 | 27 | ||
28 | #include <sys/types.h> | 28 | #include <sys/types.h> |
29 | #include <sys/stat.h> | 29 | #include <sys/stat.h> |
30 | #include <sys/param.h> | ||
31 | 30 | ||
32 | #include <netinet/in.h> | 31 | #include <netinet/in.h> |
33 | 32 | ||
@@ -50,6 +49,7 @@ | |||
50 | #include <stdio.h> | 49 | #include <stdio.h> |
51 | #include <string.h> | 50 | #include <string.h> |
52 | #include <unistd.h> | 51 | #include <unistd.h> |
52 | #include <limits.h> | ||
53 | 53 | ||
54 | #include "xmalloc.h" | 54 | #include "xmalloc.h" |
55 | #include "match.h" | 55 | #include "match.h" |
@@ -71,7 +71,8 @@ | |||
71 | #endif | 71 | #endif |
72 | #include "authfile.h" | 72 | #include "authfile.h" |
73 | #include "monitor_wrap.h" | 73 | #include "monitor_wrap.h" |
74 | #include "krl.h" | 74 | #include "authfile.h" |
75 | #include "ssherr.h" | ||
75 | #include "compat.h" | 76 | #include "compat.h" |
76 | 77 | ||
77 | /* import */ | 78 | /* import */ |
@@ -330,13 +331,14 @@ auth_log(Authctxt *authctxt, int authenticated, int partial, | |||
330 | void | 331 | void |
331 | auth_maxtries_exceeded(Authctxt *authctxt) | 332 | auth_maxtries_exceeded(Authctxt *authctxt) |
332 | { | 333 | { |
333 | packet_disconnect("Too many authentication failures for " | 334 | error("maximum authentication attempts exceeded for " |
334 | "%s%.100s from %.200s port %d %s", | 335 | "%s%.100s from %.200s port %d %s", |
335 | authctxt->valid ? "" : "invalid user ", | 336 | authctxt->valid ? "" : "invalid user ", |
336 | authctxt->user, | 337 | authctxt->user, |
337 | get_remote_ipaddr(), | 338 | get_remote_ipaddr(), |
338 | get_remote_port(), | 339 | get_remote_port(), |
339 | compat20 ? "ssh2" : "ssh1"); | 340 | compat20 ? "ssh2" : "ssh1"); |
341 | packet_disconnect("Too many authentication failures"); | ||
340 | /* NOTREACHED */ | 342 | /* NOTREACHED */ |
341 | } | 343 | } |
342 | 344 | ||
@@ -375,7 +377,7 @@ auth_root_allowed(const char *method) | |||
375 | char * | 377 | char * |
376 | expand_authorized_keys(const char *filename, struct passwd *pw) | 378 | expand_authorized_keys(const char *filename, struct passwd *pw) |
377 | { | 379 | { |
378 | char *file, ret[MAXPATHLEN]; | 380 | char *file, ret[PATH_MAX]; |
379 | int i; | 381 | int i; |
380 | 382 | ||
381 | file = percent_expand(filename, "h", pw->pw_dir, | 383 | file = percent_expand(filename, "h", pw->pw_dir, |
@@ -467,7 +469,7 @@ int | |||
467 | auth_secure_path(const char *name, struct stat *stp, const char *pw_dir, | 469 | auth_secure_path(const char *name, struct stat *stp, const char *pw_dir, |
468 | uid_t uid, char *err, size_t errlen) | 470 | uid_t uid, char *err, size_t errlen) |
469 | { | 471 | { |
470 | char buf[MAXPATHLEN], homedir[MAXPATHLEN]; | 472 | char buf[PATH_MAX], homedir[PATH_MAX]; |
471 | char *cp; | 473 | char *cp; |
472 | int comparehome = 0; | 474 | int comparehome = 0; |
473 | struct stat st; | 475 | struct stat st; |
@@ -673,43 +675,39 @@ getpwnamallow(const char *user) | |||
673 | int | 675 | int |
674 | auth_key_is_revoked(Key *key) | 676 | auth_key_is_revoked(Key *key) |
675 | { | 677 | { |
676 | #ifdef WITH_OPENSSL | 678 | char *fp = NULL; |
677 | char *key_fp; | 679 | int r; |
678 | 680 | ||
679 | if (options.revoked_keys_file == NULL) | 681 | if (options.revoked_keys_file == NULL) |
680 | return 0; | 682 | return 0; |
681 | switch (ssh_krl_file_contains_key(options.revoked_keys_file, key)) { | 683 | if ((fp = sshkey_fingerprint(key, options.fingerprint_hash, |
682 | case 0: | 684 | SSH_FP_DEFAULT)) == NULL) { |
683 | return 0; /* Not revoked */ | 685 | r = SSH_ERR_ALLOC_FAIL; |
684 | case -2: | 686 | error("%s: fingerprint key: %s", __func__, ssh_err(r)); |
685 | break; /* Not a KRL */ | 687 | goto out; |
686 | default: | ||
687 | goto revoked; | ||
688 | } | 688 | } |
689 | #endif | 689 | |
690 | debug3("%s: treating %s as a key list", __func__, | 690 | r = sshkey_check_revoked(key, options.revoked_keys_file); |
691 | options.revoked_keys_file); | 691 | switch (r) { |
692 | switch (key_in_file(key, options.revoked_keys_file, 0)) { | ||
693 | case 0: | 692 | case 0: |
694 | /* key not revoked */ | 693 | break; /* not revoked */ |
695 | return 0; | 694 | case SSH_ERR_KEY_REVOKED: |
696 | case -1: | 695 | error("Authentication key %s %s revoked by file %s", |
697 | /* Error opening revoked_keys_file: refuse all keys */ | 696 | sshkey_type(key), fp, options.revoked_keys_file); |
698 | error("Revoked keys file is unreadable: refusing public key " | 697 | goto out; |
699 | "authentication"); | 698 | default: |
700 | return 1; | 699 | error("Error checking authentication key %s %s in " |
701 | #ifdef WITH_OPENSSL | 700 | "revoked keys file %s: %s", sshkey_type(key), fp, |
702 | case 1: | 701 | options.revoked_keys_file, ssh_err(r)); |
703 | revoked: | 702 | goto out; |
704 | /* Key revoked */ | ||
705 | key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); | ||
706 | error("WARNING: authentication attempt with a revoked " | ||
707 | "%s key %s ", key_type(key), key_fp); | ||
708 | free(key_fp); | ||
709 | return 1; | ||
710 | #endif | ||
711 | } | 703 | } |
712 | fatal("key_in_file returned junk"); | 704 | |
705 | /* Success */ | ||
706 | r = 0; | ||
707 | |||
708 | out: | ||
709 | free(fp); | ||
710 | return r == 0 ? 0 : 1; | ||
713 | } | 711 | } |
714 | 712 | ||
715 | void | 713 | void |
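Review bot: In the rewritten `auth_key_is_revoked`, nothing in the body states the fail-closed behaviour any more: the removed code carried the comment "Error opening revoked_keys_file: refuse all keys", while the new `default:` branch and the `sshkey_fingerprint` failure path both reach `out:` with a non-zero `r` and return 1 without saying why. I would add `/* any other error: fail closed, treat the key as revoked */` above the `default:` case and `/* cannot fingerprint: refuse the key rather than skip the revocation check */` in the fingerprint failure block, so a later cleanup does not turn either path into `return 0`. Any header comment for the function sits above the hunk and is not visible here, so it may already cover part of this. Separately, the include hunk replaces `krl.h` with a second `#include "authfile.h"`, which is already present two lines earlier; this is harmless but looks unintended.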