diff options
Diffstat (limited to 'auth2.c')
| -rw-r--r-- | auth2.c | 38 |
1 files changed, 19 insertions, 19 deletions
| @@ -23,7 +23,7 @@ | |||
| 23 | */ | 23 | */ |
| 24 | 24 | ||
| 25 | #include "includes.h" | 25 | #include "includes.h" |
| 26 | RCSID("$OpenBSD: auth2.c,v 1.20 2000/10/14 12:16:56 markus Exp $"); | 26 | RCSID("$OpenBSD: auth2.c,v 1.21 2000/11/12 19:50:37 markus Exp $"); |
| 27 | 27 | ||
| 28 | #ifdef HAVE_OSF_SIA | 28 | #ifdef HAVE_OSF_SIA |
| 29 | # include <sia.h> | 29 | # include <sia.h> |
| @@ -52,7 +52,6 @@ RCSID("$OpenBSD: auth2.c,v 1.20 2000/10/14 12:16:56 markus Exp $"); | |||
| 52 | #include "key.h" | 52 | #include "key.h" |
| 53 | #include "kex.h" | 53 | #include "kex.h" |
| 54 | 54 | ||
| 55 | #include "dsa.h" | ||
| 56 | #include "uidswap.h" | 55 | #include "uidswap.h" |
| 57 | #include "auth-options.h" | 56 | #include "auth-options.h" |
| 58 | 57 | ||
| @@ -89,7 +88,7 @@ void protocol_error(int type, int plen, void *ctxt); | |||
| 89 | /* helper */ | 88 | /* helper */ |
| 90 | Authmethod *authmethod_lookup(const char *name); | 89 | Authmethod *authmethod_lookup(const char *name); |
| 91 | struct passwd *pwcopy(struct passwd *pw); | 90 | struct passwd *pwcopy(struct passwd *pw); |
| 92 | int user_dsa_key_allowed(struct passwd *pw, Key *key); | 91 | int user_key_allowed(struct passwd *pw, Key *key); |
| 93 | char *authmethods_get(void); | 92 | char *authmethods_get(void); |
| 94 | 93 | ||
| 95 | /* auth */ | 94 | /* auth */ |
| @@ -104,7 +103,7 @@ Authmethod authmethods[] = { | |||
| 104 | &one}, | 103 | &one}, |
| 105 | {"publickey", | 104 | {"publickey", |
| 106 | userauth_pubkey, | 105 | userauth_pubkey, |
| 107 | &options.dsa_authentication}, | 106 | &options.pubkey_authentication}, |
| 108 | {"keyboard-interactive", | 107 | {"keyboard-interactive", |
| 109 | userauth_kbdint, | 108 | userauth_kbdint, |
| 110 | &options.kbd_interactive_authentication}, | 109 | &options.kbd_interactive_authentication}, |
| @@ -422,7 +421,7 @@ userauth_pubkey(Authctxt *authctxt) | |||
| 422 | Key *key; | 421 | Key *key; |
| 423 | char *pkalg, *pkblob, *sig; | 422 | char *pkalg, *pkblob, *sig; |
| 424 | unsigned int alen, blen, slen; | 423 | unsigned int alen, blen, slen; |
| 425 | int have_sig; | 424 | int have_sig, pktype; |
| 426 | int authenticated = 0; | 425 | int authenticated = 0; |
| 427 | 426 | ||
| 428 | if (!authctxt->valid) { | 427 | if (!authctxt->valid) { |
| @@ -431,13 +430,14 @@ userauth_pubkey(Authctxt *authctxt) | |||
| 431 | } | 430 | } |
| 432 | have_sig = packet_get_char(); | 431 | have_sig = packet_get_char(); |
| 433 | pkalg = packet_get_string(&alen); | 432 | pkalg = packet_get_string(&alen); |
| 434 | if (strcmp(pkalg, KEX_DSS) != 0) { | 433 | pktype = key_type_from_name(pkalg); |
| 435 | log("bad pkalg %s", pkalg); /*XXX*/ | 434 | if (pktype == KEY_UNSPEC) { |
| 435 | log("bad pkalg %s", pkalg); | ||
| 436 | xfree(pkalg); | 436 | xfree(pkalg); |
| 437 | return 0; | 437 | return 0; |
| 438 | } | 438 | } |
| 439 | pkblob = packet_get_string(&blen); | 439 | pkblob = packet_get_string(&blen); |
| 440 | key = dsa_key_from_blob(pkblob, blen); | 440 | key = key_from_blob(pkblob, blen); |
| 441 | if (key != NULL) { | 441 | if (key != NULL) { |
| 442 | if (have_sig) { | 442 | if (have_sig) { |
| 443 | sig = packet_get_string(&slen); | 443 | sig = packet_get_string(&slen); |
| @@ -457,14 +457,14 @@ userauth_pubkey(Authctxt *authctxt) | |||
| 457 | authctxt->service); | 457 | authctxt->service); |
| 458 | buffer_put_cstring(&b, "publickey"); | 458 | buffer_put_cstring(&b, "publickey"); |
| 459 | buffer_put_char(&b, have_sig); | 459 | buffer_put_char(&b, have_sig); |
| 460 | buffer_put_cstring(&b, KEX_DSS); | 460 | buffer_put_cstring(&b, key_ssh_name(key)); |
| 461 | buffer_put_string(&b, pkblob, blen); | 461 | buffer_put_string(&b, pkblob, blen); |
| 462 | #ifdef DEBUG_DSS | 462 | #ifdef DEBUG_PK |
| 463 | buffer_dump(&b); | 463 | buffer_dump(&b); |
| 464 | #endif | 464 | #endif |
| 465 | /* test for correct signature */ | 465 | /* test for correct signature */ |
| 466 | if (user_dsa_key_allowed(authctxt->pw, key) && | 466 | if (user_key_allowed(authctxt->pw, key) && |
| 467 | dsa_verify(key, sig, slen, buffer_ptr(&b), buffer_len(&b)) == 1) | 467 | key_verify(key, sig, slen, buffer_ptr(&b), buffer_len(&b)) == 1) |
| 468 | authenticated = 1; | 468 | authenticated = 1; |
| 469 | buffer_clear(&b); | 469 | buffer_clear(&b); |
| 470 | xfree(sig); | 470 | xfree(sig); |
| @@ -480,7 +480,7 @@ userauth_pubkey(Authctxt *authctxt) | |||
| 480 | * if a user is not allowed to login. is this an | 480 | * if a user is not allowed to login. is this an |
| 481 | * issue? -markus | 481 | * issue? -markus |
| 482 | */ | 482 | */ |
| 483 | if (user_dsa_key_allowed(authctxt->pw, key)) { | 483 | if (user_key_allowed(authctxt->pw, key)) { |
| 484 | packet_start(SSH2_MSG_USERAUTH_PK_OK); | 484 | packet_start(SSH2_MSG_USERAUTH_PK_OK); |
| 485 | packet_put_string(pkalg, alen); | 485 | packet_put_string(pkalg, alen); |
| 486 | packet_put_string(pkblob, blen); | 486 | packet_put_string(pkblob, blen); |
| @@ -493,6 +493,7 @@ userauth_pubkey(Authctxt *authctxt) | |||
| 493 | auth_clear_options(); | 493 | auth_clear_options(); |
| 494 | key_free(key); | 494 | key_free(key); |
| 495 | } | 495 | } |
| 496 | debug2("userauth_pubkey: authenticated %d pkalg %s", authenticated, pkalg); | ||
| 496 | xfree(pkalg); | 497 | xfree(pkalg); |
| 497 | xfree(pkblob); | 498 | xfree(pkblob); |
| 498 | #ifdef HAVE_CYGWIN | 499 | #ifdef HAVE_CYGWIN |
| @@ -560,11 +561,10 @@ authmethod_lookup(const char *name) | |||
| 560 | 561 | ||
| 561 | /* return 1 if user allows given key */ | 562 | /* return 1 if user allows given key */ |
| 562 | int | 563 | int |
| 563 | user_dsa_key_allowed(struct passwd *pw, Key *key) | 564 | user_key_allowed(struct passwd *pw, Key *key) |
| 564 | { | 565 | { |
| 565 | char line[8192], file[1024]; | 566 | char line[8192], file[1024]; |
| 566 | int found_key = 0; | 567 | int found_key = 0; |
| 567 | unsigned int bits = -1; | ||
| 568 | FILE *f; | 568 | FILE *f; |
| 569 | unsigned long linenum = 0; | 569 | unsigned long linenum = 0; |
| 570 | struct stat st; | 570 | struct stat st; |
| @@ -645,10 +645,10 @@ user_dsa_key_allowed(struct passwd *pw, Key *key) | |||
| 645 | if (!*cp || *cp == '\n' || *cp == '#') | 645 | if (!*cp || *cp == '\n' || *cp == '#') |
| 646 | continue; | 646 | continue; |
| 647 | 647 | ||
| 648 | bits = key_read(found, &cp); | 648 | if (key_read(found, &cp) == -1) { |
| 649 | if (bits == 0) { | ||
| 650 | /* no key? check if there are options for this key */ | 649 | /* no key? check if there are options for this key */ |
| 651 | int quoted = 0; | 650 | int quoted = 0; |
| 651 | debug2("user_key_allowed: check options: '%s'", cp); | ||
| 652 | options = cp; | 652 | options = cp; |
| 653 | for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) { | 653 | for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) { |
| 654 | if (*cp == '\\' && cp[1] == '"') | 654 | if (*cp == '\\' && cp[1] == '"') |
| @@ -659,8 +659,8 @@ user_dsa_key_allowed(struct passwd *pw, Key *key) | |||
| 659 | /* Skip remaining whitespace. */ | 659 | /* Skip remaining whitespace. */ |
| 660 | for (; *cp == ' ' || *cp == '\t'; cp++) | 660 | for (; *cp == ' ' || *cp == '\t'; cp++) |
| 661 | ; | 661 | ; |
| 662 | bits = key_read(found, &cp); | 662 | if (key_read(found, &cp) == -1) { |
| 663 | if (bits == 0) { | 663 | debug2("user_key_allowed: advance: '%s'", cp); |
| 664 | /* still no key? advance to next line*/ | 664 | /* still no key? advance to next line*/ |
| 665 | continue; | 665 | continue; |
| 666 | } | 666 | } |