Diffstat (limited to 'auth.c')
-rw-r--r--auth.c48
1 files changed, 35 insertions, 13 deletions
diff --git a/auth.c b/auth.c
index 89a936068..dba1e6555 100644
--- a/auth.c
+++ b/auth.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: auth.c,v 1.86 2010/03/05 02:58:11 djm Exp $ */ 1/* $OpenBSD: auth.c,v 1.89 2010/08/04 05:42:47 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2000 Markus Friedl. All rights reserved. 3 * Copyright (c) 2000 Markus Friedl. All rights reserved.
4 * 4 *
@@ -143,7 +143,7 @@ allowed_user(struct passwd * pw)
143 locked = 1; 143 locked = 1;
144#endif 144#endif
145#ifdef USE_LIBIAF 145#ifdef USE_LIBIAF
146 free(passwd); 146 free((void *) passwd);
147#endif /* USE_LIBIAF */ 147#endif /* USE_LIBIAF */
148 if (locked) { 148 if (locked) {
149 logit("User %.100s not allowed because account is locked", 149 logit("User %.100s not allowed because account is locked",
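Review bot: The `(void *)` cast added on new line 146 only silences a const-discard warning; it shows that `passwd` is const-qualified at this point, which hides whether the buffer is actually heap-owned here, and declaring it `char *` where it is obtained would make the ownership explicit instead of casting it away at free(). If this buffer holds a cleartext password from the IAF library, as the name and the USE_LIBIAF guard suggest, it should be cleared before release, e.g. `memset(passwd, 0, strlen(passwd));` ahead of the free, bearing in mind a plain memset before free may be optimised away. allowed_user begins outside the hunk, so the declaration and the assignment of passwd are not visible here — confirm against them.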
@@ -366,6 +366,14 @@ authorized_keys_file2(struct passwd *pw)
366 return expand_authorized_keys(options.authorized_keys_file2, pw); 366 return expand_authorized_keys(options.authorized_keys_file2, pw);
367} 367}
368 368
369char *
370authorized_principals_file(struct passwd *pw)
371{
372 if (options.authorized_principals_file == NULL)
373 return NULL;
374 return expand_authorized_keys(options.authorized_principals_file, pw);
375}
376
369/* return ok if key exists in sysfile or userfile */ 377/* return ok if key exists in sysfile or userfile */
370HostStatus 378HostStatus
371check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host, 379check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host,
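Review bot: authorized_principals_file (new lines 369-375) has no header comment, while the neighbouring check_key_in_hostfiles on line 377 does; add `/* Return the expanded authorized_principals_file path for pw, or NULL if the option is unset. */` above it. Judging from the sibling authorized_keys_file2 on line 366, the result is an expansion produced by expand_authorized_keys that the caller presumably owns and must free — confirm against expand_authorized_keys and state the ownership in the comment.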
@@ -377,7 +385,7 @@ check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host,
377 HostStatus host_status; 385 HostStatus host_status;
378 386
379 /* Check if we know the host and its host key. */ 387 /* Check if we know the host and its host key. */
380 found = key_new(key->type); 388 found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);
381 host_status = check_host_in_hostfile(sysfile, host, key, found, NULL); 389 host_status = check_host_in_hostfile(sysfile, host, key, found, NULL);
382 390
383 if (host_status != HOST_OK && userfile != NULL) { 391 if (host_status != HOST_OK && userfile != NULL) {
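Review bot: The change on new line 388 creates `found` with KEY_UNSPEC when `key` is a certificate, but the comment on line 387 still only says the host key is being checked, so the reason for the type switch is not recorded. Presumably a certificate is matched through its signing CA key, whose type need not equal the certificate's, so `found` must not be pinned to `key->type`; confirm against check_host_in_hostfile and record it, e.g. `/* A certificate matches via its CA key, so don't pin found's type. */`. check_key_in_hostfiles starts before the hunk and continues after it.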
@@ -389,6 +397,8 @@ check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host,
389 logit("Authentication refused for %.100s: " 397 logit("Authentication refused for %.100s: "
390 "bad owner or modes for %.200s", 398 "bad owner or modes for %.200s",
391 pw->pw_name, user_hostfile); 399 pw->pw_name, user_hostfile);
400 auth_debug_add("Ignored %.200s: bad ownership or modes",
401 user_hostfile);
392 } else { 402 } else {
393 temporarily_use_uid(pw); 403 temporarily_use_uid(pw);
394 host_status = check_host_in_hostfile(user_hostfile, 404 host_status = check_host_in_hostfile(user_hostfile,
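Review bot: The new auth_debug_add on lines 400-401 queues the server-side path `user_hostfile` for delivery to the client, duplicating the logit text just above; that is only acceptable if auth_debug messages are flushed after authentication has succeeded, which this hunk cannot show — confirm the delivery point before server file paths are sent to a peer that has not yet authenticated. The same consideration applies to the added auth_debug_add on new line 525 in the last hunk, where `line` carries whatever paths and modes secure_filename reported. The enclosing else branch and check_key_in_hostfiles continue outside the hunk.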
@@ -477,21 +487,18 @@ secure_filename(FILE *f, const char *file, struct passwd *pw,
477 return 0; 487 return 0;
478} 488}
479 489
480FILE * 490static FILE *
481auth_openkeyfile(const char *file, struct passwd *pw, int strict_modes) 491auth_openfile(const char *file, struct passwd *pw, int strict_modes,
492 int log_missing, char *file_type)
482{ 493{
483 char line[1024]; 494 char line[1024];
484 struct stat st; 495 struct stat st;
485 int fd; 496 int fd;
486 FILE *f; 497 FILE *f;
487 498
488 /*
489 * Open the file containing the authorized keys
490 * Fail quietly if file does not exist
491 */
492 if ((fd = open(file, O_RDONLY|O_NONBLOCK)) == -1) { 499 if ((fd = open(file, O_RDONLY|O_NONBLOCK)) == -1) {
493 if (errno != ENOENT) 500 if (log_missing || errno != ENOENT)
494 debug("Could not open keyfile '%s': %s", file, 501 debug("Could not open %s '%s': %s", file_type, file,
495 strerror(errno)); 502 strerror(errno));
496 return NULL; 503 return NULL;
497 } 504 }
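Review bot: `file_type` on new line 492 is declared `char *` but is only formatted into debug/logit messages and is passed string literals by the new callers on lines 536 and 542; declare it `const char *file_type` so literals are not passed through a mutable pointer. The removed comment on old lines 488-491 documented the "fail quietly if the file does not exist" contract, and the new `log_missing` parameter makes that conditional, so auth_openfile should get a short header comment stating that ENOENT is reported only when log_missing is set, that strict_modes selects the secure_filename check, and that the caller owns the returned FILE. auth_openfile continues past the end of the hunk.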
@@ -501,8 +508,8 @@ auth_openkeyfile(const char *file, struct passwd *pw, int strict_modes)
501 return NULL; 508 return NULL;
502 } 509 }
503 if (!S_ISREG(st.st_mode)) { 510 if (!S_ISREG(st.st_mode)) {
504 logit("User %s authorized keys %s is not a regular file", 511 logit("User %s %s %s is not a regular file",
505 pw->pw_name, file); 512 pw->pw_name, file_type, file);
506 close(fd); 513 close(fd);
507 return NULL; 514 return NULL;
508 } 515 }
@@ -515,12 +522,27 @@ auth_openkeyfile(const char *file, struct passwd *pw, int strict_modes)
515 secure_filename(f, file, pw, line, sizeof(line)) != 0) { 522 secure_filename(f, file, pw, line, sizeof(line)) != 0) {
516 fclose(f); 523 fclose(f);
517 logit("Authentication refused: %s", line); 524 logit("Authentication refused: %s", line);
525 auth_debug_add("Ignored %s: %s", file_type, line);
518 return NULL; 526 return NULL;
519 } 527 }
520 528
521 return f; 529 return f;
522} 530}
523 531
532
533FILE *
534auth_openkeyfile(const char *file, struct passwd *pw, int strict_modes)
535{
536 return auth_openfile(file, pw, strict_modes, 1, "authorized keys");
537}
538
539FILE *
540auth_openprincipals(const char *file, struct passwd *pw, int strict_modes)
541{
542 return auth_openfile(file, pw, strict_modes, 0,
543 "authorized principals");
544}
545
524struct passwd * 546struct passwd *
525getpwnamallow(const char *user) 547getpwnamallow(const char *user)
526{ 548{
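Review bot: auth_openkeyfile on new line 536 passes `log_missing` as 1, so a missing authorized_keys file is now debug-logged where the comment removed in the earlier hunk (old lines 488-491) promised a quiet failure; if that is intentional, say so in a comment on the wrapper, otherwise pass 0 to keep the previous behaviour. The bare `1`/`0` flag arguments on lines 536 and 542 are not self-explanatory at the call site; a `/* log_missing */` annotation next to each, or a pair of named constants, would help the next reader. Both wrappers also lack the one-line header comment that other functions in this file carry. The doubled blank line on new lines 531-532 is cosmetic but inconsistent with the rest of the file.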