diff options
Diffstat (limited to 'auth.c')
-rw-r--r-- | auth.c | 36 |
1 files changed, 29 insertions, 7 deletions
@@ -59,6 +59,7 @@ | |||
59 | #include "servconf.h" | 59 | #include "servconf.h" |
60 | #include "key.h" | 60 | #include "key.h" |
61 | #include "hostfile.h" | 61 | #include "hostfile.h" |
62 | #include "authfile.h" | ||
62 | #include "auth.h" | 63 | #include "auth.h" |
63 | #include "auth-options.h" | 64 | #include "auth-options.h" |
64 | #include "canohost.h" | 65 | #include "canohost.h" |
@@ -392,8 +393,7 @@ check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host, | |||
392 | user_hostfile = tilde_expand_filename(userfile, pw->pw_uid); | 393 | user_hostfile = tilde_expand_filename(userfile, pw->pw_uid); |
393 | if (options.strict_modes && | 394 | if (options.strict_modes && |
394 | (stat(user_hostfile, &st) == 0) && | 395 | (stat(user_hostfile, &st) == 0) && |
395 | ((st.st_uid != 0 && st.st_uid != pw->pw_uid) || | 396 | !secure_permissions(&st, pw->pw_uid)) { |
396 | (st.st_mode & 022) != 0)) { | ||
397 | logit("Authentication refused for %.100s: " | 397 | logit("Authentication refused for %.100s: " |
398 | "bad owner or modes for %.200s", | 398 | "bad owner or modes for %.200s", |
399 | pw->pw_name, user_hostfile); | 399 | pw->pw_name, user_hostfile); |
@@ -447,8 +447,7 @@ secure_filename(FILE *f, const char *file, struct passwd *pw, | |||
447 | 447 | ||
448 | /* check the open file to avoid races */ | 448 | /* check the open file to avoid races */ |
449 | if (fstat(fileno(f), &st) < 0 || | 449 | if (fstat(fileno(f), &st) < 0 || |
450 | (st.st_uid != 0 && st.st_uid != uid) || | 450 | !secure_permissions(&st, uid)) { |
451 | (st.st_mode & 022) != 0) { | ||
452 | snprintf(err, errlen, "bad ownership or modes for file %s", | 451 | snprintf(err, errlen, "bad ownership or modes for file %s", |
453 | buf); | 452 | buf); |
454 | return -1; | 453 | return -1; |
@@ -464,8 +463,7 @@ secure_filename(FILE *f, const char *file, struct passwd *pw, | |||
464 | 463 | ||
465 | debug3("secure_filename: checking '%s'", buf); | 464 | debug3("secure_filename: checking '%s'", buf); |
466 | if (stat(buf, &st) < 0 || | 465 | if (stat(buf, &st) < 0 || |
467 | (st.st_uid != 0 && st.st_uid != uid) || | 466 | !secure_permissions(&st, uid)) { |
468 | (st.st_mode & 022) != 0) { | ||
469 | snprintf(err, errlen, | 467 | snprintf(err, errlen, |
470 | "bad ownership or modes for directory %s", buf); | 468 | "bad ownership or modes for directory %s", buf); |
471 | return -1; | 469 | return -1; |
@@ -615,10 +613,34 @@ getpwnamallow(const char *user) | |||
615 | 613 | ||
616 | /* Returns 1 if key is revoked by revoked_keys_file, 0 otherwise */ | 614 | /* Returns 1 if key is revoked by revoked_keys_file, 0 otherwise */ |
617 | int | 615 | int |
618 | auth_key_is_revoked(Key *key) | 616 | auth_key_is_revoked(Key *key, int hostkey) |
619 | { | 617 | { |
620 | char *key_fp; | 618 | char *key_fp; |
621 | 619 | ||
620 | if (blacklisted_key(key, &key_fp) == 1) { | ||
621 | if (options.permit_blacklisted_keys) { | ||
622 | if (hostkey) | ||
623 | error("Host key %s blacklisted (see " | ||
624 | "ssh-vulnkey(1)); continuing anyway", | ||
625 | key_fp); | ||
626 | else | ||
627 | logit("Public key %s from %s blacklisted (see " | ||
628 | "ssh-vulnkey(1)); continuing anyway", | ||
629 | key_fp, get_remote_ipaddr()); | ||
630 | xfree(key_fp); | ||
631 | } else { | ||
632 | if (hostkey) | ||
633 | error("Host key %s blacklisted (see " | ||
634 | "ssh-vulnkey(1))", key_fp); | ||
635 | else | ||
636 | logit("Public key %s from %s blacklisted (see " | ||
637 | "ssh-vulnkey(1))", | ||
638 | key_fp, get_remote_ipaddr()); | ||
639 | xfree(key_fp); | ||
640 | return 1; | ||
641 | } | ||
642 | } | ||
643 | |||
622 | if (options.revoked_keys_file == NULL) | 644 | if (options.revoked_keys_file == NULL) |
623 | return 0; | 645 | return 0; |
624 | 646 | ||