Diffstat (limited to 'auth2-pubkey.c')
-rw-r--r-- | auth2-pubkey.c | 40 |
1 files changed, 35 insertions, 5 deletions
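--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-pubkey.c,v 1.55 2016/01/27 00:53:12 djm Exp $ */
+/* $OpenBSD: auth2-pubkey.c,v 1.56 2016/09/14 05:42:25 djm Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl. All rights reserved.
 *
@@ -560,7 +560,7 @@ match_principals_option(const char *principal_list, struct sshkey_cert *cert)
 
 static int
 process_principals(FILE *f, char *file, struct passwd *pw,
-struct sshkey_cert *cert)
+const struct sshkey_cert *cert)
 {
 char line[SSH_MAX_PUBKEY_BYTES], *cp, *ep, *line_opts;
 u_long linenum = 0;
@@ -629,14 +629,16 @@ match_principals_file(char *file, struct passwd *pw, struct sshkey_cert *cert)
 * returns 1 if the principal is allowed or 0 otherwise.
 */
 static int
-match_principals_command(struct passwd *user_pw, struct sshkey_cert *cert)
+match_principals_command(struct passwd *user_pw, const struct sshkey *key)
 {
+const struct sshkey_cert *cert = key->cert;
 FILE *f = NULL;
-int ok, found_principal = 0;
+int r, ok, found_principal = 0;
 struct passwd *pw;
 int i, ac = 0, uid_swapped = 0;
 pid_t pid;
 char *tmp, *username = NULL, *command = NULL, **av = NULL;
+char *ca_fp = NULL, *key_fp = NULL, *catext = NULL, *keytext = NULL;
 void (*osigchld)(int);
 
 if (options.authorized_principals_command == NULL)
@@ -674,10 +676,34 @@ match_principals_command(struct passwd *user_pw, struct sshkey_cert *cert)
 command);
 goto out;
 }
+if ((ca_fp = sshkey_fingerprint(cert->signature_key,
+options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) {
+error("%s: sshkey_fingerprint failed", __func__);
+goto out;
+}
+if ((key_fp = sshkey_fingerprint(cert->signature_key,
+options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) {
+error("%s: sshkey_fingerprint failed", __func__);
+goto out;
+}
+if ((r = sshkey_to_base64(cert->signature_key, &catext)) != 0) {
+error("%s: sshkey_to_base64 failed: %s", __func__, ssh_err(r));
+goto out;
+}
+if ((r = sshkey_to_base64(key, &keytext)) != 0) {
+error("%s: sshkey_to_base64 failed: %s", __func__, ssh_err(r));
+goto out;
+}
 for (i = 1; i < ac; i++) {
 tmp = percent_expand(av[i],
 "u", user_pw->pw_name,
 "h", user_pw->pw_dir,
+"t", sshkey_ssh_name(key),
+"T", sshkey_ssh_name(cert->signature_key),
+"f", key_fp,
+"F", ca_fp,
+"k", keytext,
+"K", catext,
 (char *)NULL);
 if (tmp == NULL)
 fatal("%s: percent_expand failed", __func__);
@@ -712,6 +738,10 @@ match_principals_command(struct passwd *user_pw, struct sshkey_cert *cert)
 restore_uid();
 free(command);
 free(username);
+free(ca_fp);
+free(key_fp);
+free(catext);
+free(keytext);
 return found_principal;
 }
 /*
@@ -863,7 +893,7 @@ user_cert_trusted_ca(struct passwd *pw, Key *key)
 found_principal = 1;
 }
 /* Try querying command if specified */
-if (!found_principal && match_principals_command(pw, key->cert))
+if (!found_principal && match_principals_command(pw, key))
 found_principal = 1;
 /* If principals file or command is specified, then require a match */
 use_authorized_principals = principals_file != NULL ||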
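Review bot: In the `@@ -674,10 +676,34 @@` hunk of match_principals_command, `key_fp` is computed from `cert->signature_key`, the same argument used for `ca_fp` just above it, so `%f` and `%F` expand to the identical CA fingerprint. `keytext` a few lines later is built from `key`, which suggests the second call was meant to be `if ((key_fp = sshkey_fingerprint(key,` with the remaining arguments unchanged. As written, an AuthorizedPrincipalsCommand that decides principals from `%f` receives the same value for every certificate issued by a given CA and cannot tell individual certificates apart, which matters because its output feeds an authorization decision. The function body between the visible hunks is not shown, so this is based only on the added lines.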