Diffstat (limited to 'auth2-pubkey.c')
-rw-r--r-- | auth2-pubkey.c | 34 |
1 files changed, 33 insertions, 1 deletions
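--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -67,6 +67,7 @@
 #include "ssherr.h"
 #include "channels.h" /* XXX for session.h */
 #include "session.h" /* XXX for child_set_env(); refactor? */
+#include "digest.h"
 
 /* import */
 extern ServerOptions options;
@@ -580,6 +581,8 @@ check_authkey_line(struct ssh *ssh, struct passwd *pw, struct sshkey *key,
 
 /* XXX djm: peek at key type in line and skip if unwanted */
 
+int wild = 0;
+
 if (sshkey_read(found, &cp) != 0) {
 /* no key? check for options */
 debug2("%s: check options: '%s'", loc, cp);
@@ -589,7 +592,10 @@ check_authkey_line(struct ssh *ssh, struct passwd *pw, struct sshkey *key,
 goto fail_reason;
 }
 skip_space(&cp);
-if (sshkey_read(found, &cp) != 0) {
+if (*cp == '*' && (cp[1] == ' ' || cp[1] == '\n' || cp[1] == '\t' || cp[1] == '\0')) {
+cp += 2;
+wild = 1;
+} else if (sshkey_read(found, &cp) != 0) {
 /* still no key? advance to next line*/
 debug2("%s: advance: '%s'", loc, cp);
 goto out;
@@ -601,6 +607,32 @@ check_authkey_line(struct ssh *ssh, struct passwd *pw, struct sshkey *key,
 auth_debug_add("%s: bad key options: %s", loc, reason);
 goto out;
 }
+
+if (wild) {
+int r;
+char *keytext = NULL;
+if ((r = sshkey_to_base64(key, &keytext)) != 0) {
+error("%s: sshkey_to_base64 failed: %s", __func__, ssh_err(r));
+goto out;
+}
+if (!keyopts->force_command) {
+reason = "Wildcard login is not allowed without specifying a forced command";
+goto fail_reason;
+}
+
+wildcard_match = keytext;
+wildcard_fingerprint = sshkey_fingerprint(key, SSH_DIGEST_SHA256, SSH_FP_HEX);
+
+verbose("Accepted wildcard authorization for %s key %s with forced_command=%s",
+sshkey_type(key),
+wildcard_fingerprint,
+keyopts->force_command);
+
+finalopts = keyopts;
+keyopts = NULL;
+goto success;
+}
+
 /* Ignore keys that don't match or incorrectly marked as CAs */
 if (sshkey_is_cert(key)) {
 /* Certificate; check signature key against CA */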
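Review bot: `keytext` leaks on the `goto fail_reason` path of the new wildcard block in the last hunk: `sshkey_to_base64` allocates it at new line 614, and the `if (!keyopts->force_command)` test at 618 jumps away without freeing it, so that test should be moved above the `sshkey_to_base64` call. In the same block `sshkey_fingerprint` can return NULL and that value reaches the `verbose("... %s ...")` call at 626 unchecked; test it first, e.g. `if (wildcard_fingerprint == NULL) { free(keytext); goto out; }`. The `goto success` at 633 also exits before the certificate handling that begins at 637, so a certificate presented against a `*` line appears to skip the CA and cert-option checks that a normal line would apply; if that is not intended, guard the branch with `if (wild && !sshkey_is_cert(key))` or reject certificates there explicitly. `wildcard_match` and `wildcard_fingerprint` are not declared in this diff, so their ownership and whether an earlier value is freed before being overwritten cannot be confirmed here. check_authkey_line starts and ends outside the hunk.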