From ddd3d34e5c7979ca6f4a3a98a7d219a4ed3d98c2 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Fri, 30 Dec 2016 22:08:02 +0000 Subject: upstream commit fix deadlock when keys/principals command produces a lot of output and a key is matched early; bz#2655, patch from jboning AT gmail.com Upstream-ID: e19456429bf99087ea994432c16d00a642060afe --- auth2-pubkey.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) (limited to 'auth2-pubkey.c') diff --git a/auth2-pubkey.c b/auth2-pubkey.c index 20f3309e1..70c021589 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-pubkey.c,v 1.60 2016/11/30 02:57:40 djm Exp $ */ +/* $OpenBSD: auth2-pubkey.c,v 1.61 2016/12/30 22:08:02 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -727,6 +727,9 @@ match_principals_command(struct passwd *user_pw, const struct sshkey *key) ok = process_principals(f, NULL, pw, cert); + fclose(f); + f = NULL; + if (exited_cleanly(pid, "AuthorizedPrincipalsCommand", command) != 0) goto out; @@ -1050,6 +1053,9 @@ user_key_command_allowed2(struct passwd *user_pw, Key *key) ok = check_authkeys_file(f, options.authorized_keys_command, key, pw); + fclose(f); + f = NULL; + if (exited_cleanly(pid, "AuthorizedKeysCommand", command) != 0) goto out; -- cgit v1.2.3 From 52763dd3fe0a4678dafdf7aeb32286e514130afc Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Mon, 30 Jan 2017 01:03:00 +0000 Subject: upstream commit revise keys/principals command hang fix (bz#2655) to consume entire output, avoiding sending SIGPIPE to subprocesses early; ok dtucker@ Upstream-ID: 7cb04b31a61f8c78c4e48ceededcd2fd5c4ee1bc --- auth2-pubkey.c | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) (limited to 'auth2-pubkey.c') diff --git a/auth2-pubkey.c b/auth2-pubkey.c index 70c021589..3e5706f4d 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-pubkey.c,v 1.61 2016/12/30 22:08:02 djm Exp $ */ +/* $OpenBSD: auth2-pubkey.c,v 1.62 2017/01/30 01:03:00 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -564,9 +564,12 @@ process_principals(FILE *f, char *file, struct passwd *pw, { char line[SSH_MAX_PUBKEY_BYTES], *cp, *ep, *line_opts; u_long linenum = 0; - u_int i; + u_int i, found_principal = 0; while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { + /* Always consume entire input */ + if (found_principal) + continue; /* Skip leading whitespace. */ for (cp = line; *cp == ' ' || *cp == '\t'; cp++) ; @@ -599,11 +602,12 @@ process_principals(FILE *f, char *file, struct passwd *pw, if (auth_parse_options(pw, line_opts, file, linenum) != 1) continue; - return 1; + found_principal = 1; + continue; } } } - return 0; + return found_principal; } static int @@ -771,6 +775,9 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw) char *cp, *key_options = NULL, *fp = NULL; const char *reason = NULL; + /* Always consume entrire file */ + if (found_key) + continue; if (found != NULL) key_free(found); found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type); @@ -857,7 +864,7 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw) file, linenum, key_type(found), fp); free(fp); found_key = 1; - break; + continue; } } if (found != NULL) -- cgit v1.2.3 From e08f96cf1105a3ee9a23de7102d593443e031e0c Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Sun, 9 Feb 2014 16:10:02 +0000 Subject: Quieten logs when multiple from= restrictions are used Bug-Debian: http://bugs.debian.org/630606 Forwarded: no Last-Update: 2013-09-14 Patch-Name: auth-log-verbosity.patch --- auth-options.c | 35 ++++++++++++++++++++++++++--------- auth-options.h | 1 + auth2-pubkey.c | 3 +++ 3 files changed, 30 insertions(+), 9 deletions(-) (limited to 'auth2-pubkey.c') diff --git a/auth-options.c b/auth-options.c index 57b49f7fd..7eb87b352 100644 --- a/auth-options.c +++ b/auth-options.c @@ -59,8 +59,19 @@ int forced_tun_device = -1; /* "principals=" option. */ char *authorized_principals = NULL; +/* Throttle log messages. */ +int logged_from_hostip = 0; +int logged_cert_hostip = 0; + extern ServerOptions options; +void +auth_start_parse_options(void) +{ + logged_from_hostip = 0; + logged_cert_hostip = 0; +} + void auth_clear_options(void) { @@ -316,10 +327,13 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) /* FALLTHROUGH */ case 0: free(patterns); - logit("Authentication tried for %.100s with " - "correct key but not from a permitted " - "host (host=%.200s, ip=%.200s).", - pw->pw_name, remote_host, remote_ip); + if (!logged_from_hostip) { + logit("Authentication tried for %.100s with " + "correct key but not from a permitted " + "host (host=%.200s, ip=%.200s).", + pw->pw_name, remote_host, remote_ip); + logged_from_hostip = 1; + } auth_debug_add("Your host '%.200s' is not " "permitted to use this key for login.", remote_host); @@ -543,11 +557,14 @@ parse_option_list(struct sshbuf *oblob, struct passwd *pw, break; case 0: /* no match */ - logit("Authentication tried for %.100s " - "with valid certificate but not " - "from a permitted host " - "(ip=%.200s).", pw->pw_name, - remote_ip); + if (!logged_cert_hostip) { + logit("Authentication tried for %.100s " + "with valid certificate but not " + "from a permitted host " + "(ip=%.200s).", pw->pw_name, + remote_ip); + logged_cert_hostip = 1; + } auth_debug_add("Your address '%.200s' " "is not permitted to use this " "certificate for login.", diff --git a/auth-options.h b/auth-options.h index 52cbb42aa..823552761 100644 --- a/auth-options.h +++ b/auth-options.h @@ -33,6 +33,7 @@ extern int forced_tun_device; extern int key_is_cert_authority; extern char *authorized_principals; +void auth_start_parse_options(void); int auth_parse_options(struct passwd *, char *, char *, u_long); void auth_clear_options(void); int auth_cert_options(struct sshkey *, struct passwd *, const char **); diff --git a/auth2-pubkey.c b/auth2-pubkey.c index 3e5706f4d..6dc5076ef 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c @@ -566,6 +566,7 @@ process_principals(FILE *f, char *file, struct passwd *pw, u_long linenum = 0; u_int i, found_principal = 0; + auth_start_parse_options(); while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { /* Always consume entire input */ if (found_principal) @@ -771,6 +772,7 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw) found_key = 0; found = NULL; + auth_start_parse_options(); while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { char *cp, *key_options = NULL, *fp = NULL; const char *reason = NULL; @@ -921,6 +923,7 @@ user_cert_trusted_ca(struct passwd *pw, Key *key) if (key_cert_check_authority(key, 0, 1, use_authorized_principals ? NULL : pw->pw_name, &reason) != 0) goto fail_reason; + auth_start_parse_options(); if (auth_cert_options(key, pw, &reason) != 0) goto fail_reason; -- cgit v1.2.3