diff options
Diffstat (limited to 'auth2-pubkey.c')
-rw-r--r-- | auth2-pubkey.c | 34 |
1 files changed, 33 insertions, 1 deletions
diff --git a/auth2-pubkey.c b/auth2-pubkey.c index 815ea0f25..f89716a21 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c | |||
@@ -69,6 +69,7 @@ | |||
69 | #include "channels.h" /* XXX for session.h */ | 69 | #include "channels.h" /* XXX for session.h */ |
70 | #include "session.h" /* XXX for child_set_env(); refactor? */ | 70 | #include "session.h" /* XXX for child_set_env(); refactor? */ |
71 | #include "sk-api.h" | 71 | #include "sk-api.h" |
72 | #include "digest.h" | ||
72 | 73 | ||
73 | /* import */ | 74 | /* import */ |
74 | extern ServerOptions options; | 75 | extern ServerOptions options; |
@@ -590,6 +591,8 @@ check_authkey_line(struct ssh *ssh, struct passwd *pw, struct sshkey *key, | |||
590 | 591 | ||
591 | /* XXX djm: peek at key type in line and skip if unwanted */ | 592 | /* XXX djm: peek at key type in line and skip if unwanted */ |
592 | 593 | ||
594 | int wild = 0; | ||
595 | |||
593 | if (sshkey_read(found, &cp) != 0) { | 596 | if (sshkey_read(found, &cp) != 0) { |
594 | /* no key? check for options */ | 597 | /* no key? check for options */ |
595 | debug2("%s: check options: '%s'", loc, cp); | 598 | debug2("%s: check options: '%s'", loc, cp); |
@@ -599,7 +602,10 @@ check_authkey_line(struct ssh *ssh, struct passwd *pw, struct sshkey *key, | |||
599 | goto fail_reason; | 602 | goto fail_reason; |
600 | } | 603 | } |
601 | skip_space(&cp); | 604 | skip_space(&cp); |
602 | if (sshkey_read(found, &cp) != 0) { | 605 | if (*cp == '*' && (cp[1] == ' ' || cp[1] == '\n' || cp[1] == '\t' || cp[1] == '\0')) { |
606 | cp += 2; | ||
607 | wild = 1; | ||
608 | } else if (sshkey_read(found, &cp) != 0) { | ||
603 | /* still no key? advance to next line*/ | 609 | /* still no key? advance to next line*/ |
604 | debug2("%s: advance: '%s'", loc, cp); | 610 | debug2("%s: advance: '%s'", loc, cp); |
605 | goto out; | 611 | goto out; |
@@ -611,6 +617,32 @@ check_authkey_line(struct ssh *ssh, struct passwd *pw, struct sshkey *key, | |||
611 | auth_debug_add("%s: bad key options: %s", loc, reason); | 617 | auth_debug_add("%s: bad key options: %s", loc, reason); |
612 | goto out; | 618 | goto out; |
613 | } | 619 | } |
620 | |||
621 | if (wild) { | ||
622 | int r; | ||
623 | char *keytext = NULL; | ||
624 | if ((r = sshkey_to_base64(key, &keytext)) != 0) { | ||
625 | error("%s: sshkey_to_base64 failed: %s", __func__, ssh_err(r)); | ||
626 | goto out; | ||
627 | } | ||
628 | if (!keyopts->force_command) { | ||
629 | reason = "Wildcard login is not allowed without specifying a forced command"; | ||
630 | goto fail_reason; | ||
631 | } | ||
632 | |||
633 | wildcard_match = keytext; | ||
634 | wildcard_fingerprint = sshkey_fingerprint(key, SSH_DIGEST_SHA256, SSH_FP_HEX); | ||
635 | |||
636 | verbose("Accepted wildcard authorization for %s key %s with forced_command=%s", | ||
637 | sshkey_type(key), | ||
638 | wildcard_fingerprint, | ||
639 | keyopts->force_command); | ||
640 | |||
641 | finalopts = keyopts; | ||
642 | keyopts = NULL; | ||
643 | goto success; | ||
644 | } | ||
645 | |||
614 | /* Ignore keys that don't match or incorrectly marked as CAs */ | 646 | /* Ignore keys that don't match or incorrectly marked as CAs */ |
615 | if (sshkey_is_cert(key)) { | 647 | if (sshkey_is_cert(key)) { |
616 | /* Certificate; check signature key against CA */ | 648 | /* Certificate; check signature key against CA */ |