auth2-pubkey.c revision 1305e95ba6ff9fa202d0818caf10405df4b0f648
/* $OpenBSD: auth2-pubkey.c,v 1.29 2011/05/23 03:30:07 djm Exp $ */
/*
 * Copyright (c) 2000 Markus Friedl. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

/*
 * SSH2 "publickey" user authentication method: parses the client's
 * USERAUTH_REQUEST, looks the key (or the CA of a certificate) up in the
 * user's authorized_keys files / TrustedUserCAKeys, and verifies the
 * signature over the session identifier.
 */

#include "includes.h"

#include <sys/types.h>
#include <sys/stat.h>

#include <fcntl.h>
#include <pwd.h>
#include <stdio.h>
#include <stdarg.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

#include "xmalloc.h"
#include "ssh.h"
#include "ssh2.h"
#include "packet.h"
#include "buffer.h"
#include "log.h"
#include "servconf.h"
#include "compat.h"
#include "key.h"
#include "hostfile.h"
#include "auth.h"
#include "pathnames.h"
#include "uidswap.h"
#include "auth-options.h"
#include "canohost.h"
#ifdef GSSAPI
#include "ssh-gss.h"
#endif
#include "monitor_wrap.h"
#include "misc.h"
#include "authfile.h"
#include "match.h"

/* import */
extern ServerOptions options;		/* sshd_config settings (strict_modes, trusted_user_ca_keys, ...) */
/*
 * Session identifier from the key exchange; userauth_pubkey() prepends it
 * to the data the client's signature is checked against.
 */
extern u_char *session_id2;
extern u_int session_id2_len;
/*
 * Handle a SSH2_MSG_USERAUTH_REQUEST for the "publickey" method.
 *
 * Reads the have_sig flag, the key algorithm name (pkalg) and the key blob
 * from the current packet.  Without a signature the request is only a
 * query: if user_key_allowed() accepts the key, SSH2_MSG_USERAUTH_PK_OK is
 * sent back and authctxt->postponed is set.  With a signature the signed
 * data is reconstructed (session identifier followed by the request
 * fields, with compat variations per datafellows) and the key must both
 * be allowed for the user and verify against it.  Both checks go through
 * PRIVSEP() so the unprivileged child never reads the key files itself.
 *
 * Returns 1 when the user is authenticated, 0 otherwise.  Any key options
 * loaded while looking the key up are cleared again unless authentication
 * succeeded.  pkalg and pkblob are always freed before returning; the
 * decoded key is freed when one was produced.
 */
static int
userauth_pubkey(Authctxt *authctxt)
{
	Buffer b;
	Key *key = NULL;
	char *pkalg;
	u_char *pkblob, *sig;
	u_int alen, blen, slen;
	int have_sig, pktype;
	int authenticated = 0;

	/* Unknown users never get as far as reading the key. */
	if (!authctxt->valid) {
		debug2("userauth_pubkey: disabled because of invalid user");
		return 0;
	}
	have_sig = packet_get_char();
	if (datafellows & SSH_BUG_PKAUTH) {
		debug2("userauth_pubkey: SSH_BUG_PKAUTH");
		/* no explicit pkalg given */
		pkblob = packet_get_string(&blen);
		buffer_init(&b);
		buffer_append(&b, pkblob, blen);
		/* so we have to extract the pkalg from the pkblob */
		pkalg = buffer_get_string(&b, &alen);
		buffer_free(&b);
	} else {
		pkalg = packet_get_string(&alen);
		pkblob = packet_get_string(&blen);
	}
	pktype = key_type_from_name(pkalg);
	if (pktype == KEY_UNSPEC) {
		/* this is perfectly legal */
		logit("userauth_pubkey: unsupported public key algorithm: %s",
		    pkalg);
		goto done;
	}
	key = key_from_blob(pkblob, blen);
	if (key == NULL) {
		error("userauth_pubkey: cannot decode key: %s", pkalg);
		goto done;
	}
	/* The advertised algorithm must agree with what the blob decodes to. */
	if (key->type != pktype) {
		error("userauth_pubkey: type mismatch for decoded key "
		    "(received %d, expected %d)", key->type, pktype);
		goto done;
	}
	if (have_sig) {
		sig = packet_get_string(&slen);
		packet_check_eom();
		/*
		 * Rebuild the exact byte string the client signed.  It starts
		 * with the session identifier, so a signature is only good
		 * for this connection's key exchange.
		 */
		buffer_init(&b);
		if (datafellows & SSH_OLD_SESSIONID) {
			buffer_append(&b, session_id2, session_id2_len);
		} else {
			buffer_put_string(&b, session_id2, session_id2_len);
		}
		/* reconstruct packet */
		buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
		buffer_put_cstring(&b, authctxt->user);
		buffer_put_cstring(&b,
		    datafellows & SSH_BUG_PKSERVICE ?
		    "ssh-userauth" :
		    authctxt->service);
		if (datafellows & SSH_BUG_PKAUTH) {
			buffer_put_char(&b, have_sig);
		} else {
			buffer_put_cstring(&b, "publickey");
			buffer_put_char(&b, have_sig);
			buffer_put_cstring(&b, pkalg);
		}
		buffer_put_string(&b, pkblob, blen);
#ifdef DEBUG_PK
		buffer_dump(&b);
#endif
		/*
		 * test for correct signature: the key must be authorized for
		 * the user AND the signature must verify; the && short-circuit
		 * means no signature is checked for a key that is not allowed.
		 */
		authenticated = 0;
		if (PRIVSEP(user_key_allowed(authctxt->pw, key)) &&
		    PRIVSEP(key_verify(key, sig, slen, buffer_ptr(&b),
		    buffer_len(&b))) == 1)
			authenticated = 1;
		buffer_free(&b);
		xfree(sig);
	} else {
		debug("test whether pkalg/pkblob are acceptable");
		packet_check_eom();

		/* XXX fake reply and always send PK_OK ? */
		/*
		 * XXX this allows testing whether a user is allowed
		 * to login: if you happen to have a valid pubkey this
		 * message is sent. the message is NEVER sent at all
		 * if a user is not allowed to login. is this an
		 * issue? -markus
		 */
		if (PRIVSEP(user_key_allowed(authctxt->pw, key))) {
			packet_start(SSH2_MSG_USERAUTH_PK_OK);
			packet_put_string(pkalg, alen);
			packet_put_string(pkblob, blen);
			packet_send();
			packet_write_wait();
			authctxt->postponed = 1;
		}
	}
	/*
	 * user_key_allowed() may have left authorized_keys options in effect
	 * for the matched line; drop them unless this request succeeded.
	 */
	if (authenticated != 1)
		auth_clear_options();
done:
	debug2("userauth_pubkey: authenticated %d pkalg %s", authenticated, pkalg);
	if (key != NULL)
		key_free(key);
	xfree(pkalg);
	xfree(pkblob);
	return authenticated;
}

/*
 * Match the certificate's principals against a "principals=" key option.
 *
 * principal_list is the pattern list from the authorized_keys line; each
 * certificate principal is tried with match_list().  Returns 1 on the
 * first principal that matches, 0 if none does.
 */
static int
match_principals_option(const char *principal_list, struct KeyCert *cert)
{
	char *result;
	u_int i;

	/* XXX percent_expand() sequences for authorized_principals? */

	for (i = 0; i < cert->nprincipals; i++) {
		if ((result = match_list(cert->principals[i],
		    principal_list, NULL)) != NULL) {
			debug3("matched principal from key options \"%.100s\"",
			    result);
			xfree(result);	/* match_list() returns an allocated copy */
			return 1;
		}
	}
	return 0;
}

/*
 * Match the certificate's principals against an AuthorizedPrincipalsFile.
 *
 * The file is opened and read as the user (temporarily_use_uid() /
 * restore_uid()) and auth_openprincipals() is given options.strict_modes.
 * Each line holds an optional key-options prefix followed by whitespace
 * and one principal name: the LAST whitespace-separated token is the
 * principal, everything before it is passed to auth_parse_options().
 * A '#' starts a comment for the rest of the line.
 *
 * Returns 1 on the first line whose principal equals one of the
 * certificate's principals and whose options parse; 0 otherwise,
 * including when the file cannot be opened.  The options of the matching
 * line are left in effect.
 */
static int
match_principals_file(char *file, struct passwd *pw, struct KeyCert *cert)
{
	FILE *f;
	char line[SSH_MAX_PUBKEY_BYTES], *cp, *ep, *line_opts;
	u_long linenum = 0;
	u_int i;

	temporarily_use_uid(pw);
	debug("trying authorized principals file %s", file);
	if ((f = auth_openprincipals(file, pw, options.strict_modes)) == NULL) {
		restore_uid();
		return 0;
	}
	while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
		/* Skip leading whitespace. */
		for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
			;
		/* Skip blank and comment lines. */
		if ((ep = strchr(cp, '#')) != NULL)
			*ep = '\0';
		if (!*cp || *cp == '\n')
			continue;
		/* Trim trailing whitespace. */
		ep = cp + strlen(cp) - 1;
		while (ep > cp && (*ep == '\n' || *ep == ' ' || *ep == '\t'))
			*ep-- = '\0';
		/*
		 * If the line has internal whitespace then assume it has
		 * key options.  strrchr() finds the last separator, so the
		 * principal is the final token and options precede it.
		 */
		line_opts = NULL;
		if ((ep = strrchr(cp, ' ')) != NULL ||
		    (ep = strrchr(cp, '\t')) != NULL) {
			for (; *ep == ' ' || *ep == '\t'; ep++)
				;
			line_opts = cp;
			cp = ep;
		}
		for (i = 0; i < cert->nprincipals; i++) {
			if (strcmp(cp, cert->principals[i]) == 0) {
				debug3("matched principal from file \"%.100s\"",
				    cert->principals[i]);
				/* A name match with unparseable options does not count. */
				if (auth_parse_options(pw, line_opts,
				    file, linenum) != 1)
					continue;
				fclose(f);
				restore_uid();
				return 1;
			}
		}
	}
	fclose(f);
	restore_uid();
	return 0;
}
/*
 * Return 1 if user allows given key.
 *
 * Scans the authorized_keys file "file" line by line, running as the user
 * between temporarily_use_uid() and restore_uid(); auth_openkeyfile() is
 * given options.strict_modes.  Lines may start with key options: when
 * key_read() fails on the raw line, the leading token (double quotes and
 * backslash-escaped quotes are honoured) is taken as the option string and
 * key_read() is retried after it.
 *
 * For a certificate "key", a line matches only if it holds the CA key that
 * signed the certificate (key->cert->signature_key), its options parse and
 * set key_is_cert_authority (the cert-authority option), the certificate's
 * principals pass either the "principals=" option list or
 * key_cert_check_authority() against pw->pw_name, and auth_cert_options()
 * accepts it.  For a plain key, a line matches if the keys are equal, its
 * options parse, and it is NOT a cert-authority line.
 *
 * auth_clear_options() is called at the top of every iteration, so the
 * options left in effect on return are those of the last line whose
 * options were parsed.  Returns 1 on match, 0 otherwise (also when the
 * file cannot be opened).
 */
static int
user_key_allowed2(struct passwd *pw, Key *key, char *file)
{
	char line[SSH_MAX_PUBKEY_BYTES];
	const char *reason;
	int found_key = 0;
	FILE *f;
	u_long linenum = 0;
	Key *found;
	char *fp;

	/* Temporarily use the user's uid. */
	temporarily_use_uid(pw);

	debug("trying public key file %s", file);
	f = auth_openkeyfile(file, pw, options.strict_modes);

	if (!f) {
		restore_uid();
		return 0;
	}

	found_key = 0;
	/*
	 * For a certificate we look for the signing CA, whose type is not
	 * known in advance; for a plain key only lines of the same type
	 * can match.
	 */
	found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);

	while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
		char *cp, *key_options = NULL;

		auth_clear_options();

		/* Skip leading whitespace, empty and comment lines. */
		for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
			;
		if (!*cp || *cp == '\n' || *cp == '#')
			continue;

		if (key_read(found, &cp) != 1) {
			/* no key?  check if there are options for this key */
			int quoted = 0;
			debug2("user_key_allowed: check options: '%s'", cp);
			key_options = cp;
			for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) {
				if (*cp == '\\' && cp[1] == '"')
					cp++;	/* Skip both */
				else if (*cp == '"')
					quoted = !quoted;
			}
			/* Skip remaining whitespace. */
			for (; *cp == ' ' || *cp == '\t'; cp++)
				;
			if (key_read(found, &cp) != 1) {
				debug2("user_key_allowed: advance: '%s'", cp);
				/* still no key?  advance to next line */
				continue;
			}
		}
		if (key_is_cert(key)) {
			/* Only the CA that signed this certificate is of interest. */
			if (!key_equal(found, key->cert->signature_key))
				continue;
			if (auth_parse_options(pw, key_options, file,
			    linenum) != 1)
				continue;
			/* A CA key listed without cert-authority does not trust certs. */
			if (!key_is_cert_authority)
				continue;
			fp = key_fingerprint(found, SSH_FP_MD5,
			    SSH_FP_HEX);
			debug("matching CA found: file %s, line %lu, %s %s",
			    file, linenum, key_type(found), fp);
			/*
			 * If the user has specified a list of principals as
			 * a key option, then prefer that list to matching
			 * their username in the certificate principals list.
			 */
			if (authorized_principals != NULL &&
			    !match_principals_option(authorized_principals,
			    key->cert)) {
				reason = "Certificate does not contain an "
				    "authorized principal";
 fail_reason:
				/* Shared rejection path; also reached via goto below. */
				xfree(fp);
				error("%s", reason);
				auth_debug_add("%s", reason);
				continue;
			}
			/* Validity period, critical options and (unless a principals= list applies) the username. */
			if (key_cert_check_authority(key, 0, 0,
			    authorized_principals == NULL ? pw->pw_name : NULL,
			    &reason) != 0)
				goto fail_reason;
			if (auth_cert_options(key, pw) != 0) {
				xfree(fp);
				continue;
			}
			verbose("Accepted certificate ID \"%s\" "
			    "signed by %s CA %s via %s", key->cert->key_id,
			    key_type(found), fp, file);
			xfree(fp);
			found_key = 1;
			break;
		} else if (key_equal(found, key)) {
			if (auth_parse_options(pw, key_options, file,
			    linenum) != 1)
				continue;
			/* A cert-authority line never authorizes the bare CA key itself. */
			if (key_is_cert_authority)
				continue;
			found_key = 1;
			debug("matching key found: file %s, line %lu",
			    file, linenum);
			fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
			verbose("Found matching %s key: %s",
			    key_type(found), fp);
			xfree(fp);
			break;
		}
	}
	restore_uid();
	fclose(f);
	key_free(found);
	if (!found_key)
		debug2("key not found");
	return found_key;
}

/*
 * Authenticate a certificate key against TrustedUserCAKeys.
 *
 * Returns 0 immediately when "key" is not a certificate or no
 * TrustedUserCAKeys file is configured.  Otherwise the certificate's
 * signing CA must be listed in options.trusted_user_ca_keys
 * (key_in_file()); then, if an AuthorizedPrincipalsFile exists for the
 * user, the certificate principals are matched against it, else
 * key_cert_check_authority() matches them against pw->pw_name; finally
 * auth_cert_options() must accept the certificate's options.
 *
 * Returns 1 when all checks pass, 0 otherwise.  Rejections that carry a
 * reason are logged with error() and recorded via auth_debug_add().
 * Note the third argument to key_cert_check_authority() is 1 here but 0
 * in user_key_allowed2(); see key_cert_check_authority() for its meaning.
 */
static int
user_cert_trusted_ca(struct passwd *pw, Key *key)
{
	char *ca_fp, *principals_file = NULL;
	const char *reason;
	int ret = 0;

	if (!key_is_cert(key) || options.trusted_user_ca_keys == NULL)
		return 0;

	ca_fp = key_fingerprint(key->cert->signature_key,
	    SSH_FP_MD5, SSH_FP_HEX);

	if (key_in_file(key->cert->signature_key,
	    options.trusted_user_ca_keys, 1) != 1) {
		debug2("%s: CA %s %s is not listed in %s", __func__,
		    key_type(key->cert->signature_key), ca_fp,
		    options.trusted_user_ca_keys);
		goto out;
	}
	/*
	 * If AuthorizedPrincipals is in use, then compare the certificate
	 * principals against the names in that file rather than matching
	 * against the username.
	 */
	if ((principals_file = authorized_principals_file(pw)) != NULL) {
		if (!match_principals_file(principals_file, pw, key->cert)) {
			reason = "Certificate does not contain an "
			    "authorized principal";
 fail_reason:
			/* Shared rejection path; also reached via goto below. */
			error("%s", reason);
			auth_debug_add("%s", reason);
			goto out;
		}
	}
	if (key_cert_check_authority(key, 0, 1,
	    principals_file == NULL ? pw->pw_name : NULL, &reason) != 0)
		goto fail_reason;
	if (auth_cert_options(key, pw) != 0)
		goto out;

	verbose("Accepted certificate ID \"%s\" signed by %s CA %s via %s",
	    key->cert->key_id, key_type(key->cert->signature_key), ca_fp,
	    options.trusted_user_ca_keys);
	ret = 1;

 out:
	if (principals_file != NULL)
		xfree(principals_file);
	if (ca_fp != NULL)
		xfree(ca_fp);
	return ret;
}

/* check whether given key is in .ssh/authorized_keys* */
int
user_key_allowed(struct passwd *pw, Key *key)
{
	u_int success, i;
	char *file;

4421305e95ba6ff9fa202d0818caf10405df4b0f648Mike Lockwood if (auth_key_is_revoked(key)) 4431305e95ba6ff9fa202d0818caf10405df4b0f648Mike Lockwood return 0; 4441305e95ba6ff9fa202d0818caf10405df4b0f648Mike Lockwood if (key_is_cert(key) && auth_key_is_revoked(key->cert->signature_key)) 4451305e95ba6ff9fa202d0818caf10405df4b0f648Mike Lockwood return 0; 4461305e95ba6ff9fa202d0818caf10405df4b0f648Mike Lockwood 4471305e95ba6ff9fa202d0818caf10405df4b0f648Mike Lockwood success = user_cert_trusted_ca(pw, key); 4481305e95ba6ff9fa202d0818caf10405df4b0f648Mike Lockwood if (success) 4491305e95ba6ff9fa202d0818caf10405df4b0f648Mike Lockwood return success; 4501305e95ba6ff9fa202d0818caf10405df4b0f648Mike Lockwood 4511305e95ba6ff9fa202d0818caf10405df4b0f648Mike Lockwood for (i = 0; !success && i < options.num_authkeys_files; i++) { 4521305e95ba6ff9fa202d0818caf10405df4b0f648Mike Lockwood file = expand_authorized_keys( 4531305e95ba6ff9fa202d0818caf10405df4b0f648Mike Lockwood options.authorized_keys_files[i], pw); 4541305e95ba6ff9fa202d0818caf10405df4b0f648Mike Lockwood success = user_key_allowed2(pw, key, file); 4551305e95ba6ff9fa202d0818caf10405df4b0f648Mike Lockwood xfree(file); 4561305e95ba6ff9fa202d0818caf10405df4b0f648Mike Lockwood } 4571305e95ba6ff9fa202d0818caf10405df4b0f648Mike Lockwood 4581305e95ba6ff9fa202d0818caf10405df4b0f648Mike Lockwood return success; 4591305e95ba6ff9fa202d0818caf10405df4b0f648Mike Lockwood} 4601305e95ba6ff9fa202d0818caf10405df4b0f648Mike Lockwood 4611305e95ba6ff9fa202d0818caf10405df4b0f648Mike LockwoodAuthmethod method_pubkey = { 4621305e95ba6ff9fa202d0818caf10405df4b0f648Mike Lockwood "publickey", 4631305e95ba6ff9fa202d0818caf10405df4b0f648Mike Lockwood userauth_pubkey, 4641305e95ba6ff9fa202d0818caf10405df4b0f648Mike Lockwood &options.pubkey_authentication 4651305e95ba6ff9fa202d0818caf10405df4b0f648Mike Lockwood}; 466