diff options
Diffstat (limited to 'auth2-hostbased.c')
| -rw-r--r-- | auth2-hostbased.c | 36 |
1 files changed, 28 insertions, 8 deletions
diff --git a/auth2-hostbased.c b/auth2-hostbased.c index 6787e4ca4..eebfe8fc3 100644 --- a/auth2-hostbased.c +++ b/auth2-hostbased.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: auth2-hostbased.c,v 1.18 2014/07/15 15:54:14 millert Exp $ */ | 1 | /* $OpenBSD: auth2-hostbased.c,v 1.24 2015/01/28 22:36:00 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. |
| 4 | * | 4 | * |
| @@ -48,6 +48,7 @@ | |||
| 48 | #endif | 48 | #endif |
| 49 | #include "monitor_wrap.h" | 49 | #include "monitor_wrap.h" |
| 50 | #include "pathnames.h" | 50 | #include "pathnames.h" |
| 51 | #include "match.h" | ||
| 51 | 52 | ||
| 52 | /* import */ | 53 | /* import */ |
| 53 | extern ServerOptions options; | 54 | extern ServerOptions options; |
| @@ -107,6 +108,14 @@ userauth_hostbased(Authctxt *authctxt) | |||
| 107 | "signature format"); | 108 | "signature format"); |
| 108 | goto done; | 109 | goto done; |
| 109 | } | 110 | } |
| 111 | if (match_pattern_list(sshkey_ssh_name(key), | ||
| 112 | options.hostbased_key_types, | ||
| 113 | strlen(options.hostbased_key_types), 0) != 1) { | ||
| 114 | logit("%s: key type %s not in HostbasedAcceptedKeyTypes", | ||
| 115 | __func__, sshkey_type(key)); | ||
| 116 | goto done; | ||
| 117 | } | ||
| 118 | |||
| 110 | service = datafellows & SSH_BUG_HBSERVICE ? "ssh-userauth" : | 119 | service = datafellows & SSH_BUG_HBSERVICE ? "ssh-userauth" : |
| 111 | authctxt->service; | 120 | authctxt->service; |
| 112 | buffer_init(&b); | 121 | buffer_init(&b); |
| @@ -163,7 +172,7 @@ hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost, | |||
| 163 | resolvedname = get_canonical_hostname(options.use_dns); | 172 | resolvedname = get_canonical_hostname(options.use_dns); |
| 164 | ipaddr = get_remote_ipaddr(); | 173 | ipaddr = get_remote_ipaddr(); |
| 165 | 174 | ||
| 166 | debug2("userauth_hostbased: chost %s resolvedname %s ipaddr %s", | 175 | debug2("%s: chost %s resolvedname %s ipaddr %s", __func__, |
| 167 | chost, resolvedname, ipaddr); | 176 | chost, resolvedname, ipaddr); |
| 168 | 177 | ||
| 169 | if (((len = strlen(chost)) > 0) && chost[len - 1] == '.') { | 178 | if (((len = strlen(chost)) > 0) && chost[len - 1] == '.') { |
| @@ -172,19 +181,27 @@ hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost, | |||
| 172 | } | 181 | } |
| 173 | 182 | ||
| 174 | if (options.hostbased_uses_name_from_packet_only) { | 183 | if (options.hostbased_uses_name_from_packet_only) { |
| 175 | if (auth_rhosts2(pw, cuser, chost, chost) == 0) | 184 | if (auth_rhosts2(pw, cuser, chost, chost) == 0) { |
| 185 | debug2("%s: auth_rhosts2 refused " | ||
| 186 | "user \"%.100s\" host \"%.100s\" (from packet)", | ||
| 187 | __func__, cuser, chost); | ||
| 176 | return 0; | 188 | return 0; |
| 189 | } | ||
| 177 | lookup = chost; | 190 | lookup = chost; |
| 178 | } else { | 191 | } else { |
| 179 | if (strcasecmp(resolvedname, chost) != 0) | 192 | if (strcasecmp(resolvedname, chost) != 0) |
| 180 | logit("userauth_hostbased mismatch: " | 193 | logit("userauth_hostbased mismatch: " |
| 181 | "client sends %s, but we resolve %s to %s", | 194 | "client sends %s, but we resolve %s to %s", |
| 182 | chost, ipaddr, resolvedname); | 195 | chost, ipaddr, resolvedname); |
| 183 | if (auth_rhosts2(pw, cuser, resolvedname, ipaddr) == 0) | 196 | if (auth_rhosts2(pw, cuser, resolvedname, ipaddr) == 0) { |
| 197 | debug2("%s: auth_rhosts2 refused " | ||
| 198 | "user \"%.100s\" host \"%.100s\" addr \"%.100s\"", | ||
| 199 | __func__, cuser, resolvedname, ipaddr); | ||
| 184 | return 0; | 200 | return 0; |
| 201 | } | ||
| 185 | lookup = resolvedname; | 202 | lookup = resolvedname; |
| 186 | } | 203 | } |
| 187 | debug2("userauth_hostbased: access allowed by auth_rhosts2"); | 204 | debug2("%s: access allowed by auth_rhosts2", __func__); |
| 188 | 205 | ||
| 189 | if (key_is_cert(key) && | 206 | if (key_is_cert(key) && |
| 190 | key_cert_check_authority(key, 1, 0, lookup, &reason)) { | 207 | key_cert_check_authority(key, 1, 0, lookup, &reason)) { |
| @@ -207,14 +224,17 @@ hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost, | |||
| 207 | 224 | ||
| 208 | if (host_status == HOST_OK) { | 225 | if (host_status == HOST_OK) { |
| 209 | if (key_is_cert(key)) { | 226 | if (key_is_cert(key)) { |
| 210 | fp = key_fingerprint(key->cert->signature_key, | 227 | if ((fp = sshkey_fingerprint(key->cert->signature_key, |
| 211 | SSH_FP_MD5, SSH_FP_HEX); | 228 | options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) |
| 229 | fatal("%s: sshkey_fingerprint fail", __func__); | ||
| 212 | verbose("Accepted certificate ID \"%s\" signed by " | 230 | verbose("Accepted certificate ID \"%s\" signed by " |
| 213 | "%s CA %s from %s@%s", key->cert->key_id, | 231 | "%s CA %s from %s@%s", key->cert->key_id, |
| 214 | key_type(key->cert->signature_key), fp, | 232 | key_type(key->cert->signature_key), fp, |
| 215 | cuser, lookup); | 233 | cuser, lookup); |
| 216 | } else { | 234 | } else { |
| 217 | fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); | 235 | if ((fp = sshkey_fingerprint(key, |
| 236 | options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) | ||
| 237 | fatal("%s: sshkey_fingerprint fail", __func__); | ||
| 218 | verbose("Accepted %s public key %s from %s@%s", | 238 | verbose("Accepted %s public key %s from %s@%s", |
| 219 | key_type(key), fp, cuser, lookup); | 239 | key_type(key), fp, cuser, lookup); |
| 220 | } | 240 | } |