1 files changed, 33 insertions, 1 deletions
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index c3ecd9afc..bba8dfefa 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -69,6 +69,7 @@
 #include "channels.h" /* XXX for session.h */
 #include "session.h" /* XXX for child_set_env(); refactor? */
 #include "sk-api.h"
+#include "digest.h"
 /* import */
 extern ServerOptions options;
@@ -604,6 +605,8 @@ check_authkey_line(struct ssh *ssh, struct passwd *pw, struct sshkey *key,
        /* XXX djm: peek at key type in line and skip if unwanted */
+        int wild = 0;
        if (sshkey_read(found, &cp) != 0) {
                /* no key?  check for options */
                debug2("%s: check options: '%s'", loc, cp);
@@ -613,7 +616,10 @@ check_authkey_line(struct ssh *ssh, struct passwd *pw, struct sshkey *key,
                        goto fail_reason;
                }
                skip_space(&cp);
-                if (sshkey_read(found, &cp) != 0) {
+                if (*cp == '*' && (cp[1] == ' ' || cp[1] == '\n' || cp[1] == '\t' || cp[1] == '\0')) {
+                        cp += 2;
+                        wild = 1;
+                } else if (sshkey_read(found, &cp) != 0) {
                        /* still no key?  advance to next line*/
                        debug2("%s: advance: '%s'", loc, cp);
                        goto out;
@@ -625,6 +631,32 @@ check_authkey_line(struct ssh *ssh, struct passwd *pw, struct sshkey *key,
                auth_debug_add("%s: bad key options: %s", loc, reason);
                goto out;
        }
+        if (wild) {
+                int r;
+                char *keytext = NULL;
+                if ((r = sshkey_to_base64(key, &keytext)) != 0) {
+                        error("%s: sshkey_to_base64 failed: %s", __func__, ssh_err(r));
+                        goto out;
+                }
+                if (!keyopts->force_command) {
+                        reason = "Wildcard login is not allowed without specifying a forced command";
+                        goto fail_reason;
+                }
+                wildcard_match = keytext;
+                wildcard_fingerprint = sshkey_fingerprint(key, SSH_DIGEST_SHA256, SSH_FP_HEX);
+                verbose("Accepted wildcard authorization for %s key %s with forced_command=%s",
+                                                sshkey_type(key),
+                                                wildcard_fingerprint,
+                                                keyopts->force_command);
+                finalopts = keyopts;
+                keyopts = NULL;
+                goto success;
+        }
        /* Ignore keys that don't match or incorrectly marked as CAs */
        if (sshkey_is_cert(key)) {
                /* Certificate; check signature key against CA */

diff --git a/auth2-pubkey.c b/auth2-pubkey.c index c3ecd9afc..bba8dfefa 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c
@@ -69,6 +69,7 @@
69	#include "channels.h" /* XXX for session.h */	69	#include "channels.h" /* XXX for session.h */
70	#include "session.h" /* XXX for child_set_env(); refactor? */	70	#include "session.h" /* XXX for child_set_env(); refactor? */
71	#include "sk-api.h"	71	#include "sk-api.h"
		72	#include "digest.h"
72		73
73	/* import */	74	/* import */
74	extern ServerOptions options;	75	extern ServerOptions options;
@@ -604,6 +605,8 @@ check_authkey_line(struct ssh ssh, struct passwd pw, struct sshkey *key,
604		605
605	/* XXX djm: peek at key type in line and skip if unwanted */	606	/* XXX djm: peek at key type in line and skip if unwanted */
606		607
		608	int wild = 0;
		609
607	if (sshkey_read(found, &cp) != 0) {	610	if (sshkey_read(found, &cp) != 0) {
608	/* no key? check for options */	611	/* no key? check for options */
609	debug2("%s: check options: '%s'", loc, cp);	612	debug2("%s: check options: '%s'", loc, cp);
@@ -613,7 +616,10 @@ check_authkey_line(struct ssh ssh, struct passwd pw, struct sshkey *key,
613	goto fail_reason;	616	goto fail_reason;
614	}	617	}
615	skip_space(&cp);	618	skip_space(&cp);
616	if (sshkey_read(found, &cp) != 0) {	619	if (cp == '' && (cp[1] == ' ' \|\| cp[1] == '\n' \|\| cp[1] == '\t' \|\| cp[1] == '\0')) {
		620	cp += 2;
		621	wild = 1;
		622	} else if (sshkey_read(found, &cp) != 0) {
617	/* still no key? advance to next line*/	623	/* still no key? advance to next line*/
618	debug2("%s: advance: '%s'", loc, cp);	624	debug2("%s: advance: '%s'", loc, cp);
619	goto out;	625	goto out;
@@ -625,6 +631,32 @@ check_authkey_line(struct ssh ssh, struct passwd pw, struct sshkey *key,
625	auth_debug_add("%s: bad key options: %s", loc, reason);	631	auth_debug_add("%s: bad key options: %s", loc, reason);
626	goto out;	632	goto out;
627	}	633	}
		634
		635	if (wild) {
		636	int r;
		637	char *keytext = NULL;
		638	if ((r = sshkey_to_base64(key, &keytext)) != 0) {
		639	error("%s: sshkey_to_base64 failed: %s", __func__, ssh_err(r));
		640	goto out;
		641	}
		642	if (!keyopts->force_command) {
		643	reason = "Wildcard login is not allowed without specifying a forced command";
		644	goto fail_reason;
		645	}
		646
		647	wildcard_match = keytext;
		648	wildcard_fingerprint = sshkey_fingerprint(key, SSH_DIGEST_SHA256, SSH_FP_HEX);
		649
		650	verbose("Accepted wildcard authorization for %s key %s with forced_command=%s",
		651	sshkey_type(key),
		652	wildcard_fingerprint,
		653	keyopts->force_command);
		654
		655	finalopts = keyopts;
		656	keyopts = NULL;
		657	goto success;
		658	}
		659
628	/* Ignore keys that don't match or incorrectly marked as CAs */	660	/* Ignore keys that don't match or incorrectly marked as CAs */
629	if (sshkey_is_cert(key)) {	661	if (sshkey_is_cert(key)) {
630	/* Certificate; check signature key against CA */	662	/* Certificate; check signature key against CA */