summaryrefslogtreecommitdiff
path: root/auth2-hostbased.c
diff options
context:
space:
mode:
Diffstat (limited to 'auth2-hostbased.c')
-rw-r--r--auth2-hostbased.c31
1 files changed, 28 insertions, 3 deletions
diff --git a/auth2-hostbased.c b/auth2-hostbased.c
index 721646520..cdf442f97 100644
--- a/auth2-hostbased.c
+++ b/auth2-hostbased.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: auth2-hostbased.c,v 1.13 2010/03/04 10:36:03 djm Exp $ */ 1/* $OpenBSD: auth2-hostbased.c,v 1.14 2010/08/04 05:42:47 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2000 Markus Friedl. All rights reserved. 3 * Copyright (c) 2000 Markus Friedl. All rights reserved.
4 * 4 *
@@ -141,9 +141,10 @@ int
141hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost, 141hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
142 Key *key) 142 Key *key)
143{ 143{
144 const char *resolvedname, *ipaddr, *lookup; 144 const char *resolvedname, *ipaddr, *lookup, *reason;
145 HostStatus host_status; 145 HostStatus host_status;
146 int len; 146 int len;
147 char *fp;
147 148
148 if (auth_key_is_revoked(key)) 149 if (auth_key_is_revoked(key))
149 return 0; 150 return 0;
@@ -174,16 +175,40 @@ hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
174 } 175 }
175 debug2("userauth_hostbased: access allowed by auth_rhosts2"); 176 debug2("userauth_hostbased: access allowed by auth_rhosts2");
176 177
178 if (key_is_cert(key) &&
179 key_cert_check_authority(key, 1, 0, lookup, &reason)) {
180 error("%s", reason);
181 auth_debug_add("%s", reason);
182 return 0;
183 }
184
177 host_status = check_key_in_hostfiles(pw, key, lookup, 185 host_status = check_key_in_hostfiles(pw, key, lookup,
178 _PATH_SSH_SYSTEM_HOSTFILE, 186 _PATH_SSH_SYSTEM_HOSTFILE,
179 options.ignore_user_known_hosts ? NULL : _PATH_SSH_USER_HOSTFILE); 187 options.ignore_user_known_hosts ? NULL : _PATH_SSH_USER_HOSTFILE);
180 188
181 /* backward compat if no key has been found. */ 189 /* backward compat if no key has been found. */
182 if (host_status == HOST_NEW) 190 if (host_status == HOST_NEW) {
183 host_status = check_key_in_hostfiles(pw, key, lookup, 191 host_status = check_key_in_hostfiles(pw, key, lookup,
184 _PATH_SSH_SYSTEM_HOSTFILE2, 192 _PATH_SSH_SYSTEM_HOSTFILE2,
185 options.ignore_user_known_hosts ? NULL : 193 options.ignore_user_known_hosts ? NULL :
186 _PATH_SSH_USER_HOSTFILE2); 194 _PATH_SSH_USER_HOSTFILE2);
195 }
196
197 if (host_status == HOST_OK) {
198 if (key_is_cert(key)) {
199 fp = key_fingerprint(key->cert->signature_key,
200 SSH_FP_MD5, SSH_FP_HEX);
201 verbose("Accepted certificate ID \"%s\" signed by "
202 "%s CA %s from %s@%s", key->cert->key_id,
203 key_type(key->cert->signature_key), fp,
204 cuser, lookup);
205 } else {
206 fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
207 verbose("Accepted %s public key %s from %s@%s",
208 key_type(key), fp, cuser, lookup);
209 }
210 xfree(fp);
211 }
187 212
188 return (host_status == HOST_OK); 213 return (host_status == HOST_OK);
189} 214}