tyler.durden
/
openssh-portable
mirror of https://github.com/PowerShell/openssh-portable.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

upstream commit 

prevent authorized_keys options picked up on public key
 tests without a corresponding private key authentication being applied to
 other authentication methods. Reported by halex@, ok markus@
This commit is contained in:
djm@openbsd.org 2015-05-01 03:23:51 +00:00 committed by Damien Miller
parent a42d67be65
commit 179be0f5e6
5 changed files with 20 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
auth.h
View File

@ -126,7 +126,7 @@ int auth_rsa_key_allowed(struct passwd *, BIGNUM *, Key **);
int auth_rhosts_rsa_key_allowed(struct passwd *, char *, char *, Key *); int auth_rhosts_rsa_key_allowed(struct passwd *, char *, char *, Key *);
int hostbased_key_allowed(struct passwd *, const char *, char *, Key *); int hostbased_key_allowed(struct passwd *, const char *, char *, Key *);
int user_key_allowed(struct passwd *, Key *); int user_key_allowed(struct passwd *, Key *, int);
void pubkey_auth_info(Authctxt *, const Key *, const char *, ...) void pubkey_auth_info(Authctxt *, const Key *, const char *, ...)
__attribute__((__format__ (printf, 3, 4))); __attribute__((__format__ (printf, 3, 4)));
void auth2_record_userkey(Authctxt *, struct sshkey *); void auth2_record_userkey(Authctxt *, struct sshkey *);

6
auth2-pubkey.c
View File

@ -169,7 +169,7 @@ userauth_pubkey(Authctxt *authctxt)
/* test for correct signature */ /* test for correct signature */
authenticated = 0; authenticated = 0;
if (PRIVSEP(user_key_allowed(authctxt->pw, key)) && if (PRIVSEP(user_key_allowed(authctxt->pw, key, 1)) &&
PRIVSEP(key_verify(key, sig, slen, buffer_ptr(&b), PRIVSEP(key_verify(key, sig, slen, buffer_ptr(&b),
buffer_len(&b))) == 1) { buffer_len(&b))) == 1) {
authenticated = 1; authenticated = 1;
@ -191,7 +191,7 @@ userauth_pubkey(Authctxt *authctxt)
* if a user is not allowed to login. is this an * if a user is not allowed to login. is this an
* issue? -markus * issue? -markus
*/ */
if (PRIVSEP(user_key_allowed(authctxt->pw, key))) { if (PRIVSEP(user_key_allowed(authctxt->pw, key, 0))) {
packet_start(SSH2_MSG_USERAUTH_PK_OK); packet_start(SSH2_MSG_USERAUTH_PK_OK);
packet_put_string(pkalg, alen); packet_put_string(pkalg, alen);
packet_put_string(pkblob, blen); packet_put_string(pkblob, blen);
@ -671,7 +671,7 @@ user_key_command_allowed2(struct passwd *user_pw, Key *key)
* Check whether key authenticates and authorises the user. * Check whether key authenticates and authorises the user.
*/ */
int int
user_key_allowed(struct passwd *pw, Key *key) user_key_allowed(struct passwd *pw, Key *key, int auth_attempt)
{ {
u_int success, i; u_int success, i;
char *file; char *file;

6
monitor.c
View File

@ -1185,7 +1185,7 @@ mm_answer_keyallowed(int sock, Buffer *m)
Key *key; Key *key;
char *cuser, *chost; char *cuser, *chost;
u_char *blob; u_char *blob;
u_int bloblen; u_int bloblen, pubkey_auth_attempt;
enum mm_keytype type = 0; enum mm_keytype type = 0;
int allowed = 0; int allowed = 0;
@ -1195,6 +1195,7 @@ mm_answer_keyallowed(int sock, Buffer *m)
cuser = buffer_get_string(m, NULL); cuser = buffer_get_string(m, NULL);
chost = buffer_get_string(m, NULL); chost = buffer_get_string(m, NULL);
blob = buffer_get_string(m, &bloblen); blob = buffer_get_string(m, &bloblen);
pubkey_auth_attempt = buffer_get_int(m);
key = key_from_blob(blob, bloblen); key = key_from_blob(blob, bloblen);
@ -1220,7 +1221,8 @@ mm_answer_keyallowed(int sock, Buffer *m)
pubkey_auth_attempt); pubkey_auth_attempt);
pubkey_auth_info(authctxt, key, NULL); pubkey_auth_info(authctxt, key, NULL);
auth_method = "publickey"; auth_method = "publickey";
if (options.pubkey_authentication && allowed != 1) if (options.pubkey_authentication &&
(!pubkey_auth_attempt || allowed != 1))
auth_clear_options(); auth_clear_options();
break; break;
case MM_HOSTKEY: case MM_HOSTKEY:

15
monitor_wrap.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: monitor_wrap.c,v 1.84 2015/02/16 22:13:32 djm Exp $ */ /* $OpenBSD: monitor_wrap.c,v 1.85 2015/05/01 03:23:51 djm Exp $ */
/* /*
* Copyright 2002 Niels Provos <provos@citi.umich.edu> * Copyright 2002 Niels Provos <provos@citi.umich.edu>
* Copyright 2002 Markus Friedl <markus@openbsd.org> * Copyright 2002 Markus Friedl <markus@openbsd.org>
@ -371,16 +371,17 @@ mm_auth_password(Authctxt *authctxt, char *password)
} }
int int
mm_user_key_allowed(struct passwd *pw, Key *key) mm_user_key_allowed(struct passwd *pw, Key *key, int pubkey_auth_attempt)
{ {
return (mm_key_allowed(MM_USERKEY, NULL, NULL, key)); return (mm_key_allowed(MM_USERKEY, NULL, NULL, key,
pubkey_auth_attempt));
} }
int int
mm_hostbased_key_allowed(struct passwd *pw, char *user, char *host, mm_hostbased_key_allowed(struct passwd *pw, char *user, char *host,
Key *key) Key *key)
{ {
return (mm_key_allowed(MM_HOSTKEY, user, host, key)); return (mm_key_allowed(MM_HOSTKEY, user, host, key, 0));
} }
int int
@ -390,13 +391,14 @@ mm_auth_rhosts_rsa_key_allowed(struct passwd *pw, char *user,
int ret; int ret;
key->type = KEY_RSA; /* XXX hack for key_to_blob */ key->type = KEY_RSA; /* XXX hack for key_to_blob */
ret = mm_key_allowed(MM_RSAHOSTKEY, user, host, key); ret = mm_key_allowed(MM_RSAHOSTKEY, user, host, key, 0);
key->type = KEY_RSA1; key->type = KEY_RSA1;
return (ret); return (ret);
} }
int int
mm_key_allowed(enum mm_keytype type, char *user, char *host, Key *key) mm_key_allowed(enum mm_keytype type, char *user, char *host, Key *key,
int pubkey_auth_attempt)
{ {
Buffer m; Buffer m;
u_char *blob; u_char *blob;
@ -414,6 +416,7 @@ mm_key_allowed(enum mm_keytype type, char *user, char *host, Key *key)
buffer_put_cstring(&m, user ? user : ""); buffer_put_cstring(&m, user ? user : "");
buffer_put_cstring(&m, host ? host : ""); buffer_put_cstring(&m, host ? host : "");
buffer_put_string(&m, blob, len); buffer_put_string(&m, blob, len);
buffer_put_int(&m, pubkey_auth_attempt);
free(blob); free(blob);
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KEYALLOWED, &m); mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KEYALLOWED, &m);

6
monitor_wrap.h
View File

@ -1,4 +1,4 @@
/* $OpenBSD: monitor_wrap.h,v 1.26 2015/02/16 22:13:32 djm Exp $ */ /* $OpenBSD: monitor_wrap.h,v 1.27 2015/05/01 03:23:51 djm Exp $ */
/* /*
* Copyright 2002 Niels Provos <provos@citi.umich.edu> * Copyright 2002 Niels Provos <provos@citi.umich.edu>
@ -45,8 +45,8 @@ void mm_inform_authserv(char *, char *);
struct passwd *mm_getpwnamallow(const char *); struct passwd *mm_getpwnamallow(const char *);
char *mm_auth2_read_banner(void); char *mm_auth2_read_banner(void);
int mm_auth_password(struct Authctxt *, char *); int mm_auth_password(struct Authctxt *, char *);
int mm_key_allowed(enum mm_keytype, char *, char *, Key *); int mm_key_allowed(enum mm_keytype, char *, char *, Key *, int);
int mm_user_key_allowed(struct passwd *, Key *); int mm_user_key_allowed(struct passwd *, Key *, int);
int mm_hostbased_key_allowed(struct passwd *, char *, char *, Key *); int mm_hostbased_key_allowed(struct passwd *, char *, char *, Key *);
int mm_auth_rhosts_rsa_key_allowed(struct passwd *, char *, char *, Key *); int mm_auth_rhosts_rsa_key_allowed(struct passwd *, char *, char *, Key *);
int mm_key_verify(Key *, u_char *, u_int, u_char *, u_int); int mm_key_verify(Key *, u_char *, u_int, u_char *, u_int);