Diffstat (limited to 'auth2-pubkey.c')
-rw-r--r-- | auth2-pubkey.c | 37 |
1 files changed, 33 insertions, 4 deletions
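--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-pubkey.c,v 1.19 2008/07/03 21:46:58 otto Exp $ */
+/* $OpenBSD: auth2-pubkey.c,v 1.20 2010/02/26 20:29:54 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -32,6 +32,8 @@
 #include <pwd.h>
 #include <stdio.h>
 #include <stdarg.h>
+#include <string.h>
+#include <time.h>
 #include <unistd.h>
 
 #include "xmalloc.h"
@@ -178,6 +180,7 @@ static int
 user_key_allowed2(struct passwd *pw, Key *key, char *file)
 {
 	char line[SSH_MAX_PUBKEY_BYTES];
+	const char *reason;
 	int found_key = 0;
 	FILE *f;
 	u_long linenum = 0;
@@ -196,11 +199,13 @@ user_key_allowed2(struct passwd *pw, Key *key, char *file)
 	}
 
 	found_key = 0;
-	found = key_new(key->type);
+	found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);
 
 	while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
 		char *cp, *key_options = NULL;
 
+		auth_clear_options();
+
 		/* Skip leading whitespace, empty and comment lines. */
 		for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
 			;
@@ -227,8 +232,32 @@ user_key_allowed2(struct passwd *pw, Key *key, char *file)
 				continue;
 			}
 		}
-		if (key_equal(found, key) &&
-		    auth_parse_options(pw, key_options, file, linenum) == 1) {
+		if (auth_parse_options(pw, key_options, file, linenum) != 1)
+			continue;
+		if (key->type == KEY_RSA_CERT || key->type == KEY_DSA_CERT) {
+			if (!key_is_cert_authority)
+				continue;
+			if (!key_equal(found, key->cert->signature_key))
+				continue;
+			debug("matching CA found: file %s, line %lu",
+			    file, linenum);
+			fp = key_fingerprint(found, SSH_FP_MD5,
+			    SSH_FP_HEX);
+			verbose("Found matching %s CA: %s",
+			    key_type(found), fp);
+			xfree(fp);
+			if (key_cert_check_authority(key, 0, 0, pw->pw_name,
+			    &reason) != 0) {
+				error("%s", reason);
+				auth_debug_add("%s", reason);
+				continue;
+			}
+			if (auth_cert_constraints(&key->cert->constraints,
+			    pw) != 0)
+				continue;
+			found_key = 1;
+			break;
+		} else if (!key_is_cert_authority && key_equal(found, key)) {
 			found_key = 1;
 			debug("matching key found: file %s, line %lu",
 			    file, linenum);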
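Review bot: At new line 235 `auth_parse_options()` now runs before either key comparison, so the options of every authorized_keys line are parsed and applied — and whatever diagnostics it emits when a restriction such as `from=` fails presumably fire — for lines whose key is unrelated to the key being offered; on the old side (lines 230-231) `key_equal()` gated that call. The result is misleading failure logging and option side effects for entries that never matched, which a reader of the auth log cannot distinguish from a real rejection of the offered key. Comparing the key first (for certificates, the line's key against `key->cert->signature_key`) and parsing options only for the matching line keeps the per-line side effects limited to the relevant entry; the `key_is_cert_authority` test then follows the parse, since that flag is presumably set by it. The rest of the CA branch (fingerprint logging, `key_cert_check_authority`, `auth_cert_constraints`) and the plain-key branch are unchanged apart from the moved checks; the enclosing while loop and `user_key_allowed2()` continue past the end of the hunk.
```c
		/* … unchanged: key_read / option-string scanning … */
		if (key->type == KEY_RSA_CERT || key->type == KEY_DSA_CERT) {
			if (!key_equal(found, key->cert->signature_key))
				continue;
			if (auth_parse_options(pw, key_options, file,
			    linenum) != 1)
				continue;
			if (!key_is_cert_authority)
				continue;
			debug("matching CA found: file %s, line %lu",
			    file, linenum);
			/* … unchanged: fingerprint logging, authority and constraint checks … */
		} else {
			if (!key_equal(found, key))
				continue;
			if (auth_parse_options(pw, key_options, file,
			    linenum) != 1)
				continue;
			if (key_is_cert_authority)
				continue;
			found_key = 1;
			/* … unchanged: matching-key debug output … */
```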