From 989d38d6be766bff5002f169e05385f95020940b Mon Sep 17 00:00:00 2001
From: joe
Date: Fri, 22 Apr 2016 01:00:23 -0400
Subject: Added wildcard authorization for authorized_keys.
---
 auth2-pubkey.c | 34 +++++++++++++++++++++++++++++++++-
 1 file changed, 33 insertions(+), 1 deletion(-)
(limited to 'auth2-pubkey.c')
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index c3ecd9afc..bba8dfefa 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -69,6 +69,7 @@
 #include "channels.h" /* XXX for session.h */
 #include "session.h" /* XXX for child_set_env(); refactor? */
 #include "sk-api.h"
+#include "digest.h"
 /* import */
 extern ServerOptions options;
@@ -604,6 +605,8 @@ check_authkey_line(struct ssh *ssh, struct passwd *pw, struct sshkey *key,
 /* XXX djm: peek at key type in line and skip if unwanted */
+ int wild = 0;
+
 if (sshkey_read(found, &cp) != 0) {
 /* no key? check for options */
 debug2("%s: check options: '%s'", loc, cp);
@@ -613,7 +616,10 @@ check_authkey_line(struct ssh *ssh, struct passwd *pw, struct sshkey *key,
 goto fail_reason;
 }
 skip_space(&cp);
- if (sshkey_read(found, &cp) != 0) {
+ if (*cp == '*' && (cp[1] == ' ' || cp[1] == '\n' || cp[1] == '\t' || cp[1] == '\0')) {
+ cp += 2;
+ wild = 1;
+ } else if (sshkey_read(found, &cp) != 0) {
 /* still no key? advance to next line*/
 debug2("%s: advance: '%s'", loc, cp);
 goto out;
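Review bot: `int wild = 0;` is declared in the middle of the function body, after executable statements and between two unrelated lines, which is a point of style rather than correctness: check_authkey_line (its head and the rest of its locals lie above this hunk) appears to keep its declarations together at the top, next to `found` and `keyopts`, so the flag would read better declared there as `int wild = 0;` with a short comment such as `/* set when the authorized_keys line carries "*" in the key position */`. The added blank line after the declaration can then go as well.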
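Review bot: `cp += 2;` can step past the terminating NUL, because the preceding test also accepts `cp[1] == '\0'`; a line that ends immediately after the `*` leaves cp one byte beyond the string. Nothing in this hunk reads cp afterwards, but check_authkey_line continues outside the hunk, and any later use of cp there would be an out-of-bounds read, so advance only over what is present: `cp += (cp[1] == '\0') ? 1 : 2;`. The `*` token itself is undocumented; a comment on the new `if` such as `/* "*" in the key position: accept any key, subject to the option checks below */` would tell the next reader what the branch is for.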
@@ -625,6 +631,32 @@ check_authkey_line(struct ssh *ssh, struct passwd *pw, struct sshkey *key,
 auth_debug_add("%s: bad key options: %s", loc, reason);
 goto out;
 }
+
+ if (wild) {
+ int r;
+ char *keytext = NULL;
+ if ((r = sshkey_to_base64(key, &keytext)) != 0) {
+ error("%s: sshkey_to_base64 failed: %s", __func__, ssh_err(r));
+ goto out;
+ }
+ if (!keyopts->force_command) {
+ reason = "Wildcard login is not allowed without specifying a forced command";
+ goto fail_reason;
+ }
+
+ wildcard_match = keytext;
+ wildcard_fingerprint = sshkey_fingerprint(key, SSH_DIGEST_SHA256, SSH_FP_HEX);
+
+ verbose("Accepted wildcard authorization for %s key %s with forced_command=%s",
+ sshkey_type(key),
+ wildcard_fingerprint,
+ keyopts->force_command);
+
+ finalopts = keyopts;
+ keyopts = NULL;
+ goto success;
+ }
+
 /* Ignore keys that don't match or incorrectly marked as CAs */
 if (sshkey_is_cert(key)) {
 /* Certificate; check signature key against CA */
--
cgit v1.2.3
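Review bot: `keytext` is allocated by sshkey_to_base64 and then leaked on the `!keyopts->force_command` path, which jumps to fail_reason without freeing it; the forced-command check should come before the allocation. `sshkey_fingerprint` can return NULL, yet its result is stored and passed straight to `verbose("... %s ...")`, so it needs a NULL check before use. `goto success` also skips everything between here and the success label: if the enforcement of parsed key options that upstream performs later in check_authkey_line (source-address and similar restrictions held in keyopts) still lives there, a wildcard line silently gets none of it, and certificate keys are accepted by the wildcard as well, which deserves either an explicit call to that enforcement before `goto success` or a comment stating the omission is intentional. If `wildcard_match` and `wildcard_fingerprint` are heap-owned globals declared elsewhere in this commit, their previous values should be freed before being overwritten, since a second matching line otherwise leaks them. The rewrite below reorders the check and guards the fingerprint; check_authkey_line and its success label are outside this hunk.
```c
	if (wild) {
		int r;
		char *keytext = NULL;
		/* Refuse before allocating anything, so the failure path owns nothing. */
		if (!keyopts->force_command) {
			reason = "Wildcard login is not allowed without specifying a forced command";
			goto fail_reason;
		}
		if ((r = sshkey_to_base64(key, &keytext)) != 0) {
			error("%s: sshkey_to_base64 failed: %s", __func__, ssh_err(r));
			goto out;
		}
		wildcard_match = keytext;
		if ((wildcard_fingerprint = sshkey_fingerprint(key,
		    SSH_DIGEST_SHA256, SSH_FP_HEX)) == NULL) {
			error("%s: sshkey_fingerprint failed", __func__);
			goto out;
		}
		/* … unchanged: verbose(), finalopts = keyopts, goto success … */
	}
```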