Diffstat (limited to 'auth.c')
-rw-r--r-- | auth.c | 28 |
1 files changed, 23 insertions, 5 deletions
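--- a/auth.c
+++ b/auth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.c,v 1.126 2018/03/03 03:15:51 djm Exp $ */
+/* $OpenBSD: auth.c,v 1.127 2018/03/12 00:52:01 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -1004,20 +1004,21 @@ auth_log_authopts(const char *loc, const struct sshauthopt *opts, int do_remote)
 	int do_permitopen = opts->npermitopen > 0 &&
 	    (options.allow_tcp_forwarding & FORWARD_LOCAL) != 0;
 	size_t i;
-	char msg[1024], tbuf[32];
+	char msg[1024], buf[64];
 
-	snprintf(tbuf, sizeof(tbuf), "%d", opts->force_tun_device);
+	snprintf(buf, sizeof(buf), "%d", opts->force_tun_device);
 	/* Try to keep this alphabetically sorted */
-	snprintf(msg, sizeof(msg), "key options:%s%s%s%s%s%s%s%s%s%s%s",
+	snprintf(msg, sizeof(msg), "key options:%s%s%s%s%s%s%s%s%s%s%s%s",
 	    opts->permit_agent_forwarding_flag ? " agent-forwarding" : "",
 	    opts->force_command == NULL ? "" : " command",
 	    do_env ? " environment" : "",
+	    opts->valid_before == 0 ? "" : "expires",
 	    do_permitopen ? " permitopen" : "",
 	    opts->permit_port_forwarding_flag ? " port-forwarding" : "",
 	    opts->cert_principals == NULL ? "" : " principals",
 	    opts->permit_pty_flag ? " pty" : "",
 	    opts->force_tun_device == -1 ? "" : " tun=",
-	    opts->force_tun_device == -1 ? "" : tbuf,
+	    opts->force_tun_device == -1 ? "" : buf,
 	    opts->permit_user_rc ? " user-rc" : "",
 	    opts->permit_x11_forwarding_flag ? " x11-forwarding" : "");
 
@@ -1036,6 +1037,10 @@ auth_log_authopts(const char *loc, const struct sshauthopt *opts, int do_remote)
 	}
 
 	/* Go into a little more details for the local logs. */
+	if (opts->valid_before != 0) {
+		format_absolute_time(opts->valid_before, buf, sizeof(buf));
+		debug("%s: expires at %s", loc, buf);
+	}
 	if (opts->cert_principals != NULL) {
 		debug("%s: authorized principals: \"%s\"",
 		    loc, opts->cert_principals);
@@ -1089,7 +1094,20 @@ auth_authorise_keyopts(struct ssh *ssh, struct passwd *pw,
 	const char *remote_ip = ssh_remote_ipaddr(ssh);
 	const char *remote_host = auth_get_canonical_hostname(ssh,
 	    options.use_dns);
+	time_t now = time(NULL);
+	char buf[64];
 
+	/*
+	 * Check keys/principals file expiry time.
+	 * NB. validity interval in certificate is handled elsewhere.
+	 */
+	if (opts->valid_before && now > 0 &&
+	    opts->valid_before < (uint64_t)now) {
+		format_absolute_time(opts->valid_before, buf, sizeof(buf));
+		debug("%s: entry expired at %s", loc, buf);
+		auth_debug_add("%s: entry expired at %s", loc, buf);
+		return -1;
+	}
 	/* Consistency checks */
 	if (opts->cert_principals != NULL && !opts->cert_authority) {
 		debug("%s: principals on non-CA key", loc);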
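Review bot: The expiry check added at new lines 1104–1110 fails open when `time(NULL)` returns `(time_t)-1`: the `now > 0` guard makes the whole condition false, so an entry whose `valid_before` has passed is accepted exactly as if it carried no expiry at all. Refusing an expiring entry when the clock cannot be read is the conservative choice, e.g. before the comparison add `if (opts->valid_before != 0 && now <= 0) { debug("%s: time() failed; refusing entry with expiry", loc); return -1; }`. Separately, in the `auth_log_authopts` hunk the new list element `opts->valid_before == 0 ? "" : "expires"` lacks the leading space every sibling has, so the summary runs together as `environmentexpires`; it should be `" expires"`. Both `auth_log_authopts` and `auth_authorise_keyopts` begin before their hunks and continue past them.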