From f6d9e2218998559cb67aad55d3f4a0bf53600c41 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sun, 18 Jun 2000 14:50:44 +1000 Subject: - OpenBSD CVS updates: - deraadt@cvs.openbsd.org 2000/06/17 09:58:46 [channels.c] everyone says "nix it" (remove protocol 2 debugging message) - markus@cvs.openbsd.org 2000/06/17 13:24:34 [sshconnect.c] allow extended server banners - markus@cvs.openbsd.org 2000/06/17 14:30:10 [sshconnect.c] missing atomicio, typo - jakob@cvs.openbsd.org 2000/06/17 16:52:34 [servconf.c servconf.h session.c sshd.8 sshd_config] add support for ssh v2 subsystems. ok markus@. - deraadt@cvs.openbsd.org 2000/06/17 18:57:48 [readconf.c servconf.c] include = in WHITESPACE; markus ok - markus@cvs.openbsd.org 2000/06/17 19:09:10 [auth2.c] implement bug compatibility with ssh-2.0.13 pubkey, server side - markus@cvs.openbsd.org 2000/06/17 21:00:28 [compat.c] initial support for ssh.com's 2.2.0 - markus@cvs.openbsd.org 2000/06/17 21:16:09 [scp.c] typo - markus@cvs.openbsd.org 2000/06/17 22:05:02 [auth-rsa.c auth2.c serverloop.c session.c auth-options.c auth-options.h] split auth-rsa option parsing into auth-options add options support to authorized_keys2 - markus@cvs.openbsd.org 2000/06/17 22:42:54 [session.c] typo --- auth2.c | 61 +++++++++++++++++++++++++++++++++++++++++-------------------- 1 file changed, 41 insertions(+), 20 deletions(-) (limited to 'auth2.c') diff --git a/auth2.c b/auth2.c index 46c8c1f81..c7dcf1953 100644 --- a/auth2.c +++ b/auth2.c @@ -27,7 +27,7 @@ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include "includes.h" -RCSID("$OpenBSD: auth2.c,v 1.8 2000/05/08 17:42:24 markus Exp $"); +RCSID("$OpenBSD: auth2.c,v 1.10 2000/06/18 04:05:02 markus Exp $"); #include #include @@ -54,6 +54,7 @@ RCSID("$OpenBSD: auth2.c,v 1.8 2000/05/08 17:42:24 markus Exp $"); #include "dsa.h" #include "uidswap.h" +#include "auth-options.h" /* import */ extern ServerOptions options; 
@@ -69,7 +70,7 @@ void protocol_error(int type, int plen);
 /* auth */
 int ssh2_auth_none(struct passwd *pw);
 int ssh2_auth_password(struct passwd *pw);
-int ssh2_auth_pubkey(struct passwd *pw, unsigned char *raw, unsigned int rlen);
+int ssh2_auth_pubkey(struct passwd *pw, char *service);
 /* helper */
 struct passwd* auth_set_user(char *u, char *s);
@@ -150,17 +151,14 @@ input_userauth_request(int type, int plen)
 {
 static void (*authlog) (const char *fmt,...) = verbose;
 static int attempt = 0;
- unsigned int len, rlen;
+ unsigned int len;
 int authenticated = 0;
- char *raw, *user, *service, *method, *authmsg = NULL;
+ char *user, *service, *method, *authmsg = NULL;
 struct passwd *pw;
 #ifdef WITH_AIXAUTHENTICATE
 extern char *aixloginmsg;
 #endif /* WITH_AIXAUTHENTICATE */
- raw = packet_get_raw(&rlen);
- if (plen != rlen)
- fatal("plen != rlen");
 user = packet_get_string(&len);
 service = packet_get_string(&len);
 method = packet_get_string(&len);
@@ -180,7 +178,7 @@ input_userauth_request(int type, int plen)
 } else if (strcmp(method, "password") == 0) {
 authenticated = ssh2_auth_password(pw);
 } else if (strcmp(method, "publickey") == 0) {
- authenticated = ssh2_auth_pubkey(pw, raw, rlen);
+ authenticated = ssh2_auth_pubkey(pw, service);
 }
 }
 if (authenticated && pw && pw->pw_uid == 0 && !options.permit_root_login) {
@@ -277,7 +275,7 @@ ssh2_auth_password(struct passwd *pw)
 return authenticated;
 }
 int
-ssh2_auth_pubkey(struct passwd *pw, unsigned char *raw, unsigned int rlen)
+ssh2_auth_pubkey(struct passwd *pw, char *service)
 {
 Buffer b;
 Key *key;
@@ -290,10 +288,6 @@ ssh2_auth_pubkey(struct passwd *pw, unsigned char *raw, unsigned int rlen)
 debug("pubkey auth disabled");
 return 0;
 }
- if (datafellows & SSH_BUG_PUBKEYAUTH) {
- log("bug compatibility with ssh-2.0.13 pubkey not implemented");
- return 0;
- }
 have_sig = packet_get_char();
 pkalg = packet_get_string(&alen);
 if (strcmp(pkalg, KEX_DSS) != 0) {
@@ -309,10 +303,18 @@ ssh2_auth_pubkey(struct passwd *pw, unsigned char *raw, unsigned int rlen)
 packet_done();
 buffer_init(&b);
 buffer_append(&b, session_id2, session_id2_len);
+
+ /* reconstruct packet */
 buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
- if (slen + 4 > rlen)
- fatal("bad rlen/slen");
- buffer_append(&b, raw, rlen - slen - 4);
+ buffer_put_cstring(&b, pw->pw_name);
+ buffer_put_cstring(&b,
+ datafellows & SSH_BUG_PUBKEYAUTH ?
+ "ssh-userauth" :
+ service);
+ buffer_put_cstring(&b, "publickey");
+ buffer_put_char(&b, have_sig);
+ buffer_put_cstring(&b, KEX_DSS);
+ buffer_put_string(&b, pkblob, blen);
 #ifdef DEBUG_DSS
 buffer_dump(&b);
 #endif
@@ -471,17 +473,36 @@ user_dsa_key_allowed(struct passwd *pw, Key *key)
 found = key_new(KEY_DSA);
 while (fgets(line, sizeof(line), f)) {
- char *cp;
+ char *cp, *options = NULL;
 linenum++;
 /* Skip leading whitespace, empty and comment lines. */
 for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
 ;
 if (!*cp || *cp == '\n' || *cp == '#')
 continue;
+
 bits = key_read(found, &cp);
- if (bits == 0)
- continue;
- if (key_equal(found, key)) {
+ if (bits == 0) {
+ /* no key? check if there are options for this key */
+ int quoted = 0;
+ options = cp;
+ for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) {
+ if (*cp == '\\' && cp[1] == '"')
+ cp++; /* Skip both */
+ else if (*cp == '"')
+ quoted = !quoted;
+ }
+ /* Skip remaining whitespace. */
+ for (; *cp == ' ' || *cp == '\t'; cp++)
+ ;
+ bits = key_read(found, &cp);
+ if (bits == 0) {
+ /* still no key? advance to next line*/
+ continue;
+ }
+ }
+ if (key_equal(found, key) &&
+ auth_parse_options(pw, options, linenum) == 1) {
 found_key = 1;
 debug("matching key found: file %s, line %ld", file, linenum);
--
cgit v1.2.3
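Review bot: The signed blob at `buffer_put_cstring(&b, pw->pw_name)` is rebuilt from the passwd entry instead of the `user` string the client actually signed, so verification now silently depends on auth_set_user() (not visible here) returning an entry whose pw_name is byte-identical to the request's user field, and pw is dereferenced without a NULL check anywhere in this hunk. If the caller guarantees both, say so at that line: `/* pw_name must equal the user name the client sent and signed; caller guarantees pw != NULL */`. Note also that for SSH_BUG_PUBKEYAUTH peers the literal "ssh-userauth" replaces the requested service in the signed data, so the signature no longer binds the service for those clients; a one-line comment on the ternary stating that this is deliberate compatibility would stop a future reader from "fixing" it. ssh2_auth_pubkey's body starts and ends outside the hunk.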
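Review bot: A line longer than `line` is split across two fgets() calls in the loop condition and its tail is then parsed as a fresh entry: `options = cp` picks up whatever is left of the option list and key_read() can still succeed on the key that follows, so a key whose `from=`/`command=` restrictions were long enough to overflow the buffer may be accepted with those restrictions cut off (what auth_parse_options makes of the truncated text is not visible here, and sizeof(line) is declared outside the hunk). Discard any line that did not fit, together with the rest of it, before parsing, as below. Separately, `options` reaches auth_parse_options either as NULL (no leading options) or as a pointer into `line` that is not NUL-terminated at the end of the option list, so the callee must tolerate both; that contract deserves a comment at the call: `/* options may be NULL, or point into line and end at the first unquoted blank */`. user_dsa_key_allowed's body starts and ends outside the hunk.
```c
	while (fgets(line, sizeof(line), f)) {
		char *cp, *options = NULL;
		linenum++;
		/* A line fgets() could not finish is split; its tail would be
		 * re-read as a separate entry with the options lost, so drop the
		 * whole line instead.  A final line that merely lacks '\n' is fine. */
		if (strchr(line, '\n') == NULL) {
			int c = getc(f);
			if (c != EOF && c != '\n') {
				while (c != EOF && c != '\n')
					c = getc(f);
				continue;
			}
		}
		/* … unchanged: whitespace/comment skip, key and option parsing … */
```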