diff options
Diffstat (limited to 'auth.c')
| -rw-r--r-- | auth.c | 49 |
1 files changed, 45 insertions, 4 deletions
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: auth.c,v 1.75 2006/08/03 03:34:41 deraadt Exp $ */ | 1 | /* $OpenBSD: auth.c,v 1.79 2008/07/02 12:03:51 dtucker Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. |
| 4 | * | 4 | * |
| @@ -32,6 +32,7 @@ | |||
| 32 | #include <netinet/in.h> | 32 | #include <netinet/in.h> |
| 33 | 33 | ||
| 34 | #include <errno.h> | 34 | #include <errno.h> |
| 35 | #include <fcntl.h> | ||
| 35 | #ifdef HAVE_PATHS_H | 36 | #ifdef HAVE_PATHS_H |
| 36 | # include <paths.h> | 37 | # include <paths.h> |
| 37 | #endif | 38 | #endif |
| @@ -48,6 +49,7 @@ | |||
| 48 | #include <stdarg.h> | 49 | #include <stdarg.h> |
| 49 | #include <stdio.h> | 50 | #include <stdio.h> |
| 50 | #include <string.h> | 51 | #include <string.h> |
| 52 | #include <unistd.h> | ||
| 51 | 53 | ||
| 52 | #include "xmalloc.h" | 54 | #include "xmalloc.h" |
| 53 | #include "match.h" | 55 | #include "match.h" |
| @@ -114,6 +116,7 @@ allowed_user(struct passwd * pw) | |||
| 114 | #endif /* USE_SHADOW */ | 116 | #endif /* USE_SHADOW */ |
| 115 | 117 | ||
| 116 | /* grab passwd field for locked account check */ | 118 | /* grab passwd field for locked account check */ |
| 119 | passwd = pw->pw_passwd; | ||
| 117 | #ifdef USE_SHADOW | 120 | #ifdef USE_SHADOW |
| 118 | if (spw != NULL) | 121 | if (spw != NULL) |
| 119 | #ifdef USE_LIBIAF | 122 | #ifdef USE_LIBIAF |
| @@ -121,8 +124,6 @@ allowed_user(struct passwd * pw) | |||
| 121 | #else | 124 | #else |
| 122 | passwd = spw->sp_pwdp; | 125 | passwd = spw->sp_pwdp; |
| 123 | #endif /* USE_LIBIAF */ | 126 | #endif /* USE_LIBIAF */ |
| 124 | #else | ||
| 125 | passwd = pw->pw_passwd; | ||
| 126 | #endif | 127 | #endif |
| 127 | 128 | ||
| 128 | /* check for locked account */ | 129 | /* check for locked account */ |
| @@ -443,7 +444,7 @@ reject_blacklisted_key(Key *key, int hostkey) | |||
| 443 | * | 444 | * |
| 444 | * Returns 0 on success and -1 on failure | 445 | * Returns 0 on success and -1 on failure |
| 445 | */ | 446 | */ |
| 446 | int | 447 | static int |
| 447 | secure_filename(FILE *f, const char *file, struct passwd *pw, | 448 | secure_filename(FILE *f, const char *file, struct passwd *pw, |
| 448 | char *err, size_t errlen) | 449 | char *err, size_t errlen) |
| 449 | { | 450 | { |
| @@ -503,6 +504,46 @@ secure_filename(FILE *f, const char *file, struct passwd *pw, | |||
| 503 | return 0; | 504 | return 0; |
| 504 | } | 505 | } |
| 505 | 506 | ||
| 507 | FILE * | ||
| 508 | auth_openkeyfile(const char *file, struct passwd *pw, int strict_modes) | ||
| 509 | { | ||
| 510 | char line[1024]; | ||
| 511 | struct stat st; | ||
| 512 | int fd; | ||
| 513 | FILE *f; | ||
| 514 | |||
| 515 | /* | ||
| 516 | * Open the file containing the authorized keys | ||
| 517 | * Fail quietly if file does not exist | ||
| 518 | */ | ||
| 519 | if ((fd = open(file, O_RDONLY|O_NONBLOCK)) == -1) | ||
| 520 | return NULL; | ||
| 521 | |||
| 522 | if (fstat(fd, &st) < 0) { | ||
| 523 | close(fd); | ||
| 524 | return NULL; | ||
| 525 | } | ||
| 526 | if (!S_ISREG(st.st_mode)) { | ||
| 527 | logit("User %s authorized keys %s is not a regular file", | ||
| 528 | pw->pw_name, file); | ||
| 529 | close(fd); | ||
| 530 | return NULL; | ||
| 531 | } | ||
| 532 | unset_nonblock(fd); | ||
| 533 | if ((f = fdopen(fd, "r")) == NULL) { | ||
| 534 | close(fd); | ||
| 535 | return NULL; | ||
| 536 | } | ||
| 537 | if (options.strict_modes && | ||
| 538 | secure_filename(f, file, pw, line, sizeof(line)) != 0) { | ||
| 539 | fclose(f); | ||
| 540 | logit("Authentication refused: %s", line); | ||
| 541 | return NULL; | ||
| 542 | } | ||
| 543 | |||
| 544 | return f; | ||
| 545 | } | ||
| 546 | |||
| 506 | struct passwd * | 547 | struct passwd * |
| 507 | getpwnamallow(const char *user) | 548 | getpwnamallow(const char *user) |
| 508 | { | 549 | { |