summaryrefslogtreecommitdiff
path: root/auth2-pubkey.c
diff options
context:
space:
mode:
Diffstat (limited to 'auth2-pubkey.c')
-rw-r--r--auth2-pubkey.c23
1 files changed, 14 insertions, 9 deletions
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index 8024b1d6a..a9272b97f 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -89,19 +89,15 @@ userauth_pubkey(struct ssh *ssh)
89{ 89{
90 Authctxt *authctxt = ssh->authctxt; 90 Authctxt *authctxt = ssh->authctxt;
91 struct passwd *pw = authctxt->pw; 91 struct passwd *pw = authctxt->pw;
92 struct sshbuf *b; 92 struct sshbuf *b = NULL;
93 struct sshkey *key = NULL; 93 struct sshkey *key = NULL;
94 char *pkalg, *userstyle = NULL, *key_s = NULL, *ca_s = NULL; 94 char *pkalg = NULL, *userstyle = NULL, *key_s = NULL, *ca_s = NULL;
95 u_char *pkblob, *sig, have_sig; 95 u_char *pkblob = NULL, *sig = NULL, have_sig;
96 size_t blen, slen; 96 size_t blen, slen;
97 int r, pktype; 97 int r, pktype;
98 int authenticated = 0; 98 int authenticated = 0;
99 struct sshauthopt *authopts = NULL; 99 struct sshauthopt *authopts = NULL;
100 100
101 if (!authctxt->valid) {
102 debug2("%s: disabled because of invalid user", __func__);
103 return 0;
104 }
105 if ((r = sshpkt_get_u8(ssh, &have_sig)) != 0 || 101 if ((r = sshpkt_get_u8(ssh, &have_sig)) != 0 ||
106 (r = sshpkt_get_cstring(ssh, &pkalg, NULL)) != 0 || 102 (r = sshpkt_get_cstring(ssh, &pkalg, NULL)) != 0 ||
107 (r = sshpkt_get_string(ssh, &pkblob, &blen)) != 0) 103 (r = sshpkt_get_string(ssh, &pkblob, &blen)) != 0)
@@ -168,6 +164,11 @@ userauth_pubkey(struct ssh *ssh)
168 fatal("%s: sshbuf_put_string session id: %s", 164 fatal("%s: sshbuf_put_string session id: %s",
169 __func__, ssh_err(r)); 165 __func__, ssh_err(r));
170 } 166 }
167 if (!authctxt->valid || authctxt->user == NULL) {
168 debug2("%s: disabled because of invalid user",
169 __func__);
170 goto done;
171 }
171 /* reconstruct packet */ 172 /* reconstruct packet */
172 xasprintf(&userstyle, "%s%s%s", authctxt->user, 173 xasprintf(&userstyle, "%s%s%s", authctxt->user,
173 authctxt->style ? ":" : "", 174 authctxt->style ? ":" : "",
@@ -184,7 +185,6 @@ userauth_pubkey(struct ssh *ssh)
184#ifdef DEBUG_PK 185#ifdef DEBUG_PK
185 sshbuf_dump(b, stderr); 186 sshbuf_dump(b, stderr);
186#endif 187#endif
187
188 /* test for correct signature */ 188 /* test for correct signature */
189 authenticated = 0; 189 authenticated = 0;
190 if (PRIVSEP(user_key_allowed(ssh, pw, key, 1, &authopts)) && 190 if (PRIVSEP(user_key_allowed(ssh, pw, key, 1, &authopts)) &&
@@ -193,7 +193,6 @@ userauth_pubkey(struct ssh *ssh)
193 authenticated = 1; 193 authenticated = 1;
194 } 194 }
195 sshbuf_free(b); 195 sshbuf_free(b);
196 free(sig);
197 auth2_record_key(authctxt, authenticated, key); 196 auth2_record_key(authctxt, authenticated, key);
198 } else { 197 } else {
199 debug("%s: test pkalg %s pkblob %s%s%s", 198 debug("%s: test pkalg %s pkblob %s%s%s",
@@ -204,6 +203,11 @@ userauth_pubkey(struct ssh *ssh)
204 if ((r = sshpkt_get_end(ssh)) != 0) 203 if ((r = sshpkt_get_end(ssh)) != 0)
205 fatal("%s: %s", __func__, ssh_err(r)); 204 fatal("%s: %s", __func__, ssh_err(r));
206 205
206 if (!authctxt->valid || authctxt->user == NULL) {
207 debug2("%s: disabled because of invalid user",
208 __func__);
209 goto done;
210 }
207 /* XXX fake reply and always send PK_OK ? */ 211 /* XXX fake reply and always send PK_OK ? */
208 /* 212 /*
209 * XXX this allows testing whether a user is allowed 213 * XXX this allows testing whether a user is allowed
@@ -237,6 +241,7 @@ done:
237 free(pkblob); 241 free(pkblob);
238 free(key_s); 242 free(key_s);
239 free(ca_s); 243 free(ca_s);
244 free(sig);
240 return authenticated; 245 return authenticated;
241} 246}
242 247