Diffstat (limited to 'auth2.c')
-rw-r--r-- | auth2.c | 38 |
1 files changed, 19 insertions, 19 deletions
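--- a/auth2.c
+++ b/auth2.c
@@ -23,7 +23,7 @@
 */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth2.c,v 1.20 2000/10/14 12:16:56 markus Exp $");
+RCSID("$OpenBSD: auth2.c,v 1.21 2000/11/12 19:50:37 markus Exp $");
 
 #ifdef HAVE_OSF_SIA
 # include <sia.h>
@@ -52,7 +52,6 @@ RCSID("$OpenBSD: auth2.c,v 1.20 2000/10/14 12:16:56 markus Exp $");
 #include "key.h"
 #include "kex.h"
 
-#include "dsa.h"
 #include "uidswap.h"
 #include "auth-options.h"
 
@@ -89,7 +88,7 @@ void protocol_error(int type, int plen, void *ctxt);
 /* helper */
 Authmethod *authmethod_lookup(const char *name);
 struct passwd *pwcopy(struct passwd *pw);
-int user_dsa_key_allowed(struct passwd *pw, Key *key);
+int user_key_allowed(struct passwd *pw, Key *key);
 char *authmethods_get(void);
 
 /* auth */
@@ -104,7 +103,7 @@ Authmethod authmethods[] = {
 &one},
 {"publickey",
 userauth_pubkey,
-&options.dsa_authentication},
+&options.pubkey_authentication},
 {"keyboard-interactive",
 userauth_kbdint,
 &options.kbd_interactive_authentication},
@@ -422,7 +421,7 @@ userauth_pubkey(Authctxt *authctxt)
 Key *key;
 char *pkalg, *pkblob, *sig;
 unsigned int alen, blen, slen;
-int have_sig;
+int have_sig, pktype;
 int authenticated = 0;
 
 if (!authctxt->valid) {
@@ -431,13 +430,14 @@ userauth_pubkey(Authctxt *authctxt)
 }
 have_sig = packet_get_char();
 pkalg = packet_get_string(&alen);
-if (strcmp(pkalg, KEX_DSS) != 0) {
-log("bad pkalg %s", pkalg); /*XXX*/
+pktype = key_type_from_name(pkalg);
+if (pktype == KEY_UNSPEC) {
+log("bad pkalg %s", pkalg);
 xfree(pkalg);
 return 0;
 }
 pkblob = packet_get_string(&blen);
-key = dsa_key_from_blob(pkblob, blen);
+key = key_from_blob(pkblob, blen);
 if (key != NULL) {
 if (have_sig) {
 sig = packet_get_string(&slen);
@@ -457,14 +457,14 @@ userauth_pubkey(Authctxt *authctxt)
 authctxt->service);
 buffer_put_cstring(&b, "publickey");
 buffer_put_char(&b, have_sig);
-buffer_put_cstring(&b, KEX_DSS);
+buffer_put_cstring(&b, key_ssh_name(key));
 buffer_put_string(&b, pkblob, blen);
-#ifdef DEBUG_DSS
+#ifdef DEBUG_PK
 buffer_dump(&b);
 #endif
 /* test for correct signature */
-if (user_dsa_key_allowed(authctxt->pw, key) &&
-dsa_verify(key, sig, slen, buffer_ptr(&b), buffer_len(&b)) == 1)
+if (user_key_allowed(authctxt->pw, key) &&
+key_verify(key, sig, slen, buffer_ptr(&b), buffer_len(&b)) == 1)
 authenticated = 1;
 buffer_clear(&b);
 xfree(sig);
@@ -480,7 +480,7 @@ userauth_pubkey(Authctxt *authctxt)
 * if a user is not allowed to login. is this an
 * issue? -markus
 */
-if (user_dsa_key_allowed(authctxt->pw, key)) {
+if (user_key_allowed(authctxt->pw, key)) {
 packet_start(SSH2_MSG_USERAUTH_PK_OK);
 packet_put_string(pkalg, alen);
 packet_put_string(pkblob, blen);
@@ -493,6 +493,7 @@ userauth_pubkey(Authctxt *authctxt)
 auth_clear_options();
 key_free(key);
 }
+debug2("userauth_pubkey: authenticated %d pkalg %s", authenticated, pkalg);
 xfree(pkalg);
 xfree(pkblob);
 #ifdef HAVE_CYGWIN
@@ -560,11 +561,10 @@ authmethod_lookup(const char *name)
 
 /* return 1 if user allows given key */
 int
-user_dsa_key_allowed(struct passwd *pw, Key *key)
+user_key_allowed(struct passwd *pw, Key *key)
 {
 char line[8192], file[1024];
 int found_key = 0;
-unsigned int bits = -1;
 FILE *f;
 unsigned long linenum = 0;
 struct stat st;
@@ -645,10 +645,10 @@ user_dsa_key_allowed(struct passwd *pw, Key *key)
 if (!*cp || *cp == '\n' || *cp == '#')
 continue;
 
-bits = key_read(found, &cp);
-if (bits == 0) {
+if (key_read(found, &cp) == -1) {
 /* no key? check if there are options for this key */
 int quoted = 0;
+debug2("user_key_allowed: check options: '%s'", cp);
 options = cp;
 for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) {
 if (*cp == '\\' && cp[1] == '"')
@@ -659,8 +659,8 @@ user_dsa_key_allowed(struct passwd *pw, Key *key)
 /* Skip remaining whitespace. */
 for (; *cp == ' ' || *cp == '\t'; cp++)
 ;
-bits = key_read(found, &cp);
-if (bits == 0) {
+if (key_read(found, &cp) == -1) {
+debug2("user_key_allowed: advance: '%s'", cp);
 /* still no key? advance to next line*/
 continue;
 }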
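Review bot: In the `@@ -431,13 +430,14 @@` hunk, `pktype` from `key_type_from_name(pkalg)` is compared only against `KEY_UNSPEC` and, as far as the visible hunks show, is never reconciled with the type of the key that `key_from_blob(pkblob, blen)` actually decodes, so a client can advertise one algorithm name while sending a blob of another type. Both values are peer-supplied, so they should be required to agree before the decoded key is used; inside the `if (key != NULL) {` branch something like `if (key->type != pktype) { log("userauth_pubkey: type mismatch for pkalg %s", pkalg); key_free(key); key = NULL; }` (assuming the decoded key carries its type in a `type` field as in key.h) or an equivalent early exit that still frees `pkalg` and `pkblob`. The signature path is partly protected because the signed buffer is built with `key_ssh_name(key)` rather than `pkalg`, but the `have_sig == 0` query path in the `@@ -480,7 +480,7 @@` hunk consults `user_key_allowed` with the decoded key and then echoes the client's `pkalg` unchanged in the PK_OK reply. userauth_pubkey begins and ends outside these hunks.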