From 6018a36864643ad0e5ff1f7205a7187b961c2c57 Mon Sep 17 00:00:00 2001
From: Damien Miller
Date: Fri, 2 Jul 2010 13:35:19 +1000
Subject: - djm@cvs.openbsd.org 2010/06/29 23:16:46 [auth2-pubkey.c sshd_config.5] allow key options (command="..." and friends) in AuthorizedPrincipals; ok markus@

---
 ChangeLog      |  4 ++++
 auth2-pubkey.c | 34 +++++++++++++++++++++++++++-------
 sshd_config.5  | 15 ++++++++++++---
 3 files changed, 43 insertions(+), 10 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index ee40f10eb..586b23c13 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -10,6 +10,10 @@
    [ssh-keygen.1 ssh-keygen.c]
    allow import (-i) and export (-e) of PEM and PKCS#8 encoded keys;
    bz#1749; ok markus@
+ - djm@cvs.openbsd.org 2010/06/29 23:16:46
+   [auth2-pubkey.c sshd_config.5]
+   allow key options (command="..." and friends) in AuthorizedPrincipals;
+   ok markus@
 
 20100627
  - (tim) [openbsd-compat/port-uw.c] Reorder includes. auth-options.h now needs
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index faab0e771..35cf79c9f 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-pubkey.c,v 1.25 2010/05/20 11:25:26 djm Exp $ */
+/* $OpenBSD: auth2-pubkey.c,v 1.26 2010/06/29 23:16:46 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl. All rights reserved.
  *
@@ -198,10 +198,10 @@ match_principals_option(const char *principal_list, struct KeyCert *cert)
 }
 
 static int
-match_principals_file(const char *file, struct passwd *pw, struct KeyCert *cert)
+match_principals_file(char *file, struct passwd *pw, struct KeyCert *cert)
 {
 	FILE *f;
-	char line[SSH_MAX_PUBKEY_BYTES], *cp;
+	char line[SSH_MAX_PUBKEY_BYTES], *cp, *ep, *line_opts;
 	u_long linenum = 0;
 	u_int i;
 
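Review bot: The signature change from `match_principals_file(const char *file, ...)` to `match_principals_file(char *file, ...)` drops const from a parameter that, as far as this diff shows, is only read (passed to `read_keyfile_line` and, in the next hunk, to `auth_parse_options`); presumably the const was removed because the file argument of `auth_parse_options` is not const-qualified. The cleaner fix is to const-qualify that parameter in `auth_parse_options` (outside this diff) and keep `const char *file` here, rather than weakening the caller's contract to suit the callee. The function body continues in the following hunk.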
@@ -212,17 +212,37 @@ match_principals_file(const char *file, struct passwd *pw, struct KeyCert *cert)
 		return 0;
 	}
 	while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
-		/* Skip leading whitespace, empty and comment lines. */
+		/* Skip leading whitespace. */
 		for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
 			;
-		if (!*cp || *cp == '\n' || *cp == '#')
+		/* Skip blank and comment lines. */
+		if ((ep = strchr(cp, '#')) != NULL)
+			*ep = '\0';
+		if (!*cp || *cp == '\n')
 			continue;
-		line[strcspn(line, "\n")] = '\0';
-
+		/* Trim trailing whitespace. */
+		ep = cp + strlen(cp) - 1;
+		while (ep > cp && (*ep == '\n' || *ep == ' ' || *ep == '\t'))
+			*ep-- = '\0';
+		/*
+		 * If the line has internal whitespace then assume it has
+		 * key options.
+		 */
+		line_opts = NULL;
+		if ((ep = strrchr(cp, ' ')) != NULL ||
+		    (ep = strrchr(cp, '\t')) != NULL) {
+			for (; *ep == ' ' || *ep == '\t'; ep++)
+				;;
+			line_opts = cp;
+			cp = ep;
+		}
 		for (i = 0; i < cert->nprincipals; i++) {
 			if (strcmp(cp, cert->principals[i]) == 0) {
 				debug3("matched principal from file \"%.100s\"",
 				    cert->principals[i]);
+				if (auth_parse_options(pw, line_opts,
+				    file, linenum) != 1)
+					continue;
 				fclose(f);
 				restore_uid();
 				return 1;
diff --git a/sshd_config.5 b/sshd_config.5
index acaf809db..4d066eb8a 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -34,8 +34,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.123 2010/06/22 04:22:59 djm Exp $
-.Dd $Mdocdate: June 22 2010 $
+.\" $OpenBSD: sshd_config.5,v 1.124 2010/06/29 23:16:46 djm Exp $
+.Dd $Mdocdate: June 29 2010 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
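Review bot: The comment stripping at `if ((ep = strchr(cp, '#')) != NULL)` truncates the line at the first `#` wherever it occurs, whereas the check it replaces (`if (!*cp || *cp == '\n' || *cp == '#')`) only treated a leading `#` as a comment; now that quoted key options are accepted on these lines, a `#` inside a `command="..."` or `environment="..."` value silently chops off the rest of the option and the principal name, so the line then either no longer matches or its options no longer parse, with nothing pointing the administrator at the cause. Either strip comments only after the options have been split off, or state in sshd_config.5 that `#` is not permitted inside option values. Separately, the split point comes from `strrchr(cp, ' ')` and the tab lookup runs only when the line contains no space at all, so a line whose quoted option contains a space but whose option/principal separator is a tab is split inside the quotes and never matches; looking up both characters and using whichever occurs later would fix that. The `;;` after the empty `for` loop is a stray empty statement, `;` suffices. The enclosing loop and function continue outside the hunk.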
@@ -155,6 +155,10 @@ for more information on patterns.
 .It Cm AuthorizedKeysFile
 Specifies the file that contains the public keys that can be used
 for user authentication.
+The format is described in the
+.Sx AUTHORIZED_KEYS FILE FORMAT
+section of
+.Xr sshd 8 .
 .Cm AuthorizedKeysFile
 may contain tokens of the form %T which are substituted
 during connection setup.
@@ -174,7 +178,12 @@ When using certificates signed by a key listed in
 .Cm TrustedUserCAKeys ,
 this file lists names, one of which must appear in the certificate for
 it to be accepted for authentication.
-Names are listed one per line; empty lines and comments starting with
+Names are listed one per line preceeded by key options (as described
+in
+.Sx AUTHORIZED_KEYS FILE FORMAT
+in
+.Xr sshd 8 ).
+Empty lines and comments starting with
 .Ql #
 are ignored.
 .Pp
-- 
cgit v1.2.3