diff options
Diffstat (limited to 'auth2-pubkey.c')
| -rw-r--r-- | auth2-pubkey.c | 37 |
1 files changed, 33 insertions, 4 deletions
diff --git a/auth2-pubkey.c b/auth2-pubkey.c index 2886f1275..66ca5266b 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: auth2-pubkey.c,v 1.19 2008/07/03 21:46:58 otto Exp $ */ | 1 | /* $OpenBSD: auth2-pubkey.c,v 1.20 2010/02/26 20:29:54 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. |
| 4 | * | 4 | * |
| @@ -32,6 +32,8 @@ | |||
| 32 | #include <pwd.h> | 32 | #include <pwd.h> |
| 33 | #include <stdio.h> | 33 | #include <stdio.h> |
| 34 | #include <stdarg.h> | 34 | #include <stdarg.h> |
| 35 | #include <string.h> | ||
| 36 | #include <time.h> | ||
| 35 | #include <unistd.h> | 37 | #include <unistd.h> |
| 36 | 38 | ||
| 37 | #include "xmalloc.h" | 39 | #include "xmalloc.h" |
| @@ -178,6 +180,7 @@ static int | |||
| 178 | user_key_allowed2(struct passwd *pw, Key *key, char *file) | 180 | user_key_allowed2(struct passwd *pw, Key *key, char *file) |
| 179 | { | 181 | { |
| 180 | char line[SSH_MAX_PUBKEY_BYTES]; | 182 | char line[SSH_MAX_PUBKEY_BYTES]; |
| 183 | const char *reason; | ||
| 181 | int found_key = 0; | 184 | int found_key = 0; |
| 182 | FILE *f; | 185 | FILE *f; |
| 183 | u_long linenum = 0; | 186 | u_long linenum = 0; |
| @@ -196,11 +199,13 @@ user_key_allowed2(struct passwd *pw, Key *key, char *file) | |||
| 196 | } | 199 | } |
| 197 | 200 | ||
| 198 | found_key = 0; | 201 | found_key = 0; |
| 199 | found = key_new(key->type); | 202 | found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type); |
| 200 | 203 | ||
| 201 | while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { | 204 | while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { |
| 202 | char *cp, *key_options = NULL; | 205 | char *cp, *key_options = NULL; |
| 203 | 206 | ||
| 207 | auth_clear_options(); | ||
| 208 | |||
| 204 | /* Skip leading whitespace, empty and comment lines. */ | 209 | /* Skip leading whitespace, empty and comment lines. */ |
| 205 | for (cp = line; *cp == ' ' || *cp == '\t'; cp++) | 210 | for (cp = line; *cp == ' ' || *cp == '\t'; cp++) |
| 206 | ; | 211 | ; |
| @@ -227,8 +232,32 @@ user_key_allowed2(struct passwd *pw, Key *key, char *file) | |||
| 227 | continue; | 232 | continue; |
| 228 | } | 233 | } |
| 229 | } | 234 | } |
| 230 | if (key_equal(found, key) && | 235 | if (auth_parse_options(pw, key_options, file, linenum) != 1) |
| 231 | auth_parse_options(pw, key_options, file, linenum) == 1) { | 236 | continue; |
| 237 | if (key->type == KEY_RSA_CERT || key->type == KEY_DSA_CERT) { | ||
| 238 | if (!key_is_cert_authority) | ||
| 239 | continue; | ||
| 240 | if (!key_equal(found, key->cert->signature_key)) | ||
| 241 | continue; | ||
| 242 | debug("matching CA found: file %s, line %lu", | ||
| 243 | file, linenum); | ||
| 244 | fp = key_fingerprint(found, SSH_FP_MD5, | ||
| 245 | SSH_FP_HEX); | ||
| 246 | verbose("Found matching %s CA: %s", | ||
| 247 | key_type(found), fp); | ||
| 248 | xfree(fp); | ||
| 249 | if (key_cert_check_authority(key, 0, 0, pw->pw_name, | ||
| 250 | &reason) != 0) { | ||
| 251 | error("%s", reason); | ||
| 252 | auth_debug_add("%s", reason); | ||
| 253 | continue; | ||
| 254 | } | ||
| 255 | if (auth_cert_constraints(&key->cert->constraints, | ||
| 256 | pw) != 0) | ||
| 257 | continue; | ||
| 258 | found_key = 1; | ||
| 259 | break; | ||
| 260 | } else if (!key_is_cert_authority && key_equal(found, key)) { | ||
| 232 | found_key = 1; | 261 | found_key = 1; |
| 233 | debug("matching key found: file %s, line %lu", | 262 | debug("matching key found: file %s, line %lu", |
| 234 | file, linenum); | 263 | file, linenum); |