Diffstat (limited to 'auth.c')
-rw-r--r-- | auth.c | 49 |
1 files changed, 45 insertions, 4 deletions
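--- a/auth.c
+++ b/auth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.c,v 1.75 2006/08/03 03:34:41 deraadt Exp $ */
+/* $OpenBSD: auth.c,v 1.79 2008/07/02 12:03:51 dtucker Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl. All rights reserved.
 *
@@ -32,6 +32,7 @@
 #include <netinet/in.h>
 
 #include <errno.h>
+#include <fcntl.h>
 #ifdef HAVE_PATHS_H
 # include <paths.h>
 #endif
@@ -48,6 +49,7 @@
 #include <stdarg.h>
 #include <stdio.h>
 #include <string.h>
+#include <unistd.h>
 
 #include "xmalloc.h"
 #include "match.h"
@@ -114,6 +116,7 @@ allowed_user(struct passwd * pw)
 #endif /* USE_SHADOW */
 
 /* grab passwd field for locked account check */
+passwd = pw->pw_passwd;
 #ifdef USE_SHADOW
 if (spw != NULL)
 #ifdef USE_LIBIAF
@@ -121,8 +124,6 @@ allowed_user(struct passwd * pw)
 #else
 passwd = spw->sp_pwdp;
 #endif /* USE_LIBIAF */
-#else
-passwd = pw->pw_passwd;
 #endif
 
 /* check for locked account */
@@ -443,7 +444,7 @@ reject_blacklisted_key(Key *key, int hostkey)
 *
 * Returns 0 on success and -1 on failure
 */
-int
+static int
 secure_filename(FILE *f, const char *file, struct passwd *pw,
 char *err, size_t errlen)
 {
@@ -503,6 +504,46 @@ secure_filename(FILE *f, const char *file, struct passwd *pw,
 return 0;
 }
 
+FILE *
+auth_openkeyfile(const char *file, struct passwd *pw, int strict_modes)
+{
+char line[1024];
+struct stat st;
+int fd;
+FILE *f;
+
+/*
+* Open the file containing the authorized keys
+* Fail quietly if file does not exist
+*/
+if ((fd = open(file, O_RDONLY|O_NONBLOCK)) == -1)
+return NULL;
+
+if (fstat(fd, &st) < 0) {
+close(fd);
+return NULL;
+}
+if (!S_ISREG(st.st_mode)) {
+logit("User %s authorized keys %s is not a regular file",
+pw->pw_name, file);
+close(fd);
+return NULL;
+}
+unset_nonblock(fd);
+if ((f = fdopen(fd, "r")) == NULL) {
+close(fd);
+return NULL;
+}
+if (options.strict_modes &&
+secure_filename(f, file, pw, line, sizeof(line)) != 0) {
+fclose(f);
+logit("Authentication refused: %s", line);
+return NULL;
+}
+
+return f;
+}
+
 struct passwd *
 getpwnamallow(const char *user)
 {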