- dtucker@cvs.openbsd.org 2004/12/06 11:41:03
[auth-rsa.c auth2-pubkey.c authfile.c misc.c misc.h ssh.h sshd.8] Discard over-length authorized_keys entries rather than complaining when they don't decode. bz #884, with & ok djm@
parent
16e254d179
commit
22cc741096
|
@ -17,6 +17,10 @@
|
|||
- describe ls flags as a list
|
||||
- other minor improvements
|
||||
ok jmc, djm
|
||||
- dtucker@cvs.openbsd.org 2004/12/06 11:41:03
|
||||
[auth-rsa.c auth2-pubkey.c authfile.c misc.c misc.h ssh.h sshd.8]
|
||||
Discard over-length authorized_keys entries rather than complaining when
|
||||
they don't decode. bz #884, with & ok djm@
|
||||
|
||||
20041203
|
||||
- (dtucker) OpenBSD CVS Sync
|
||||
|
@ -1890,4 +1894,4 @@
|
|||
- (djm) Trim deprecated options from INSTALL. Mention UsePAM
|
||||
- (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
|
||||
|
||||
$Id: ChangeLog,v 1.3589 2004/12/06 11:46:45 dtucker Exp $
|
||||
$Id: ChangeLog,v 1.3590 2004/12/06 11:47:41 dtucker Exp $
|
||||
|
|
10
auth-rsa.c
10
auth-rsa.c
|
@ -14,7 +14,7 @@
|
|||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: auth-rsa.c,v 1.60 2004/06/21 17:36:31 avsm Exp $");
|
||||
RCSID("$OpenBSD: auth-rsa.c,v 1.61 2004/12/06 11:41:03 dtucker Exp $");
|
||||
|
||||
#include <openssl/rsa.h>
|
||||
#include <openssl/md5.h>
|
||||
|
@ -49,7 +49,7 @@ extern u_char session_id[16];
|
|||
* options bits e n comment
|
||||
* where bits, e and n are decimal numbers,
|
||||
* and comment is any string of characters up to newline. The maximum
|
||||
* length of a line is 8000 characters. See the documentation for a
|
||||
* length of a line is SSH_MAX_PUBKEY_BYTES characters. See sshd(8) for a
|
||||
* description of the options.
|
||||
*/
|
||||
|
||||
|
@ -152,7 +152,7 @@ auth_rsa_challenge_dialog(Key *key)
|
|||
int
|
||||
auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey)
|
||||
{
|
||||
char line[8192], *file;
|
||||
char line[SSH_MAX_PUBKEY_BYTES], *file;
|
||||
int allowed = 0;
|
||||
u_int bits;
|
||||
FILE *f;
|
||||
|
@ -201,12 +201,10 @@ auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey)
|
|||
* found, perform a challenge-response dialog to verify that the
|
||||
* user really has the corresponding private key.
|
||||
*/
|
||||
while (fgets(line, sizeof(line), f)) {
|
||||
while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
|
||||
char *cp;
|
||||
char *key_options;
|
||||
|
||||
linenum++;
|
||||
|
||||
/* Skip leading whitespace, empty and comment lines. */
|
||||
for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
|
||||
;
|
||||
|
|
|
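Review bot: The rewritten comment `* length of a line is SSH_MAX_PUBKEY_BYTES characters` in the auth-rsa.c header hunk overstates the limit by two: the buffer is `char line[SSH_MAX_PUBKEY_BYTES]`, fgets() in the new read_keyfile_line (misc.c hunk of this commit) stores at most bufsz-1 bytes, and a line is accepted only when the stored text ends in '\n', so the longest line that is not skipped holds SSH_MAX_PUBKEY_BYTES-2 characters before its newline. Suggest `* length of a line is SSH_MAX_PUBKEY_BYTES - 2 characters (excluding the newline);` followed by `* longer lines are skipped. See sshd(8) for a`. The sshd.8 hunk's "up to a limit of 8 kilobytes" is the same rounding and is fine for a man page.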
@ -23,8 +23,9 @@
|
|||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: auth2-pubkey.c,v 1.7 2004/06/21 17:36:31 avsm Exp $");
|
||||
RCSID("$OpenBSD: auth2-pubkey.c,v 1.8 2004/12/06 11:41:03 dtucker Exp $");
|
||||
|
||||
#include "ssh.h"
|
||||
#include "ssh2.h"
|
||||
#include "xmalloc.h"
|
||||
#include "packet.h"
|
||||
|
@ -167,7 +168,7 @@ done:
|
|||
static int
|
||||
user_key_allowed2(struct passwd *pw, Key *key, char *file)
|
||||
{
|
||||
char line[8192];
|
||||
char line[SSH_MAX_PUBKEY_BYTES];
|
||||
int found_key = 0;
|
||||
FILE *f;
|
||||
u_long linenum = 0;
|
||||
|
@ -204,9 +205,9 @@ user_key_allowed2(struct passwd *pw, Key *key, char *file)
|
|||
found_key = 0;
|
||||
found = key_new(key->type);
|
||||
|
||||
while (fgets(line, sizeof(line), f)) {
|
||||
while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
|
||||
char *cp, *key_options = NULL;
|
||||
linenum++;
|
||||
|
||||
/* Skip leading whitespace, empty and comment lines. */
|
||||
for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
|
||||
;
|
||||
|
|
|
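Review bot: In user_key_allowed2 the new `while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1)` passes `&linenum`, but the counter is declared `u_long linenum = 0;` (context line of the first hunk in this section) while the prototype added to misc.h is `int read_keyfile_line(FILE *, const char *, char *, size_t, int *);`. That is an incompatible pointer type: the compiler warns on every build, and on an LP64 big-endian target `(*lineno)++` in misc.c updates only the high half of the u_long, so the line number sshd later reports for this file would be wrong. Either declare the counter `int linenum = 0;` here, or (preferably) make the helper take `u_long *lineno` in misc.c and misc.h and change the new `int linenum = 0;` in key_try_load_public (authfile.c hunk) to `u_long linenum = 0;`; the debug() format in misc.c would then need `%lu`. auth-rsa.c's counter declaration is not visible in this page, so its type should be checked as well.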
@ -36,7 +36,7 @@
|
|||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: authfile.c,v 1.58 2004/08/23 11:48:09 djm Exp $");
|
||||
RCSID("$OpenBSD: authfile.c,v 1.59 2004/12/06 11:41:03 dtucker Exp $");
|
||||
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/evp.h>
|
||||
|
@ -601,13 +601,14 @@ static int
|
|||
key_try_load_public(Key *k, const char *filename, char **commentp)
|
||||
{
|
||||
FILE *f;
|
||||
char line[4096];
|
||||
char line[SSH_MAX_PUBKEY_BYTES];
|
||||
char *cp;
|
||||
int linenum = 0;
|
||||
|
||||
f = fopen(filename, "r");
|
||||
if (f != NULL) {
|
||||
while (fgets(line, sizeof(line), f)) {
|
||||
line[sizeof(line)-1] = '\0';
|
||||
while (read_keyfile_line(f, filename, line, sizeof(line),
|
||||
&linenum) != -1) {
|
||||
cp = line;
|
||||
switch (*cp) {
|
||||
case '#':
|
||||
|
|
25
misc.c
25
misc.c
|
@ -23,7 +23,7 @@
|
|||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: misc.c,v 1.25 2004/08/11 21:43:05 avsm Exp $");
|
||||
RCSID("$OpenBSD: misc.c,v 1.26 2004/12/06 11:41:03 dtucker Exp $");
|
||||
|
||||
#include "misc.h"
|
||||
#include "log.h"
|
||||
|
@ -332,3 +332,26 @@ addargs(arglist *args, char *fmt, ...)
|
|||
args->list[args->num++] = xstrdup(buf);
|
||||
args->list[args->num] = NULL;
|
||||
}
|
||||
|
||||
/*
|
||||
* Read an entire line from a public key file into a static buffer, discarding
|
||||
* lines that exceed the buffer size. Returns 0 on success, -1 on failure.
|
||||
*/
|
||||
int
|
||||
read_keyfile_line(FILE *f, const char *filename, char *buf, size_t bufsz,
|
||||
int *lineno)
|
||||
{
|
||||
while (fgets(buf, bufsz, f) != NULL) {
|
||||
(*lineno)++;
|
||||
if (buf[strlen(buf) - 1] == '\n' || feof(f)) {
|
||||
return 0;
|
||||
} else {
|
||||
debug("%s: %s line %d exceeds size limit", __func__,
|
||||
filename, lineno);
|
||||
/* discard remainder of line */
|
||||
while(fgetc(f) != '\n' && !feof(f))
|
||||
; /* nothing */
|
||||
}
|
||||
}
|
||||
return -1;
|
||||
}
|
||||
|
|
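Review bot: The debug() call in read_keyfile_line passes the pointer `lineno` to a `%d` conversion; it should be `*lineno` — as written the message prints part of an address and the mismatched argument type is undefined behaviour. Two smaller defects sit in the same loop: the discard loop `while(fgetc(f) != '\n' && !feof(f))` stops only on end-of-file, so a read error (ferror set, feof clear) makes fgetc() return EOF forever and the loop spins, and `buf[strlen(buf) - 1]` reads buf[-1] when the first byte fgets() stored is a NUL (a key file with a NUL at the start of a line). The rewrite below fixes all three; the function's contract and signature are unchanged.
```c
	/* … unchanged: signature and opening brace … */
	size_t len;
	int c;

	while (fgets(buf, bufsz, f) != NULL) {
		(*lineno)++;
		len = strlen(buf);
		if ((len > 0 && buf[len - 1] == '\n') || feof(f))
			return 0;
		debug("%s: %s line %d exceeds size limit", __func__,
		    filename, *lineno);
		/* discard remainder of line; EOF or a read error also ends it */
		while ((c = fgetc(f)) != '\n' && c != EOF)
			; /* nothing */
	}
	return -1;
```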
3
misc.h
3
misc.h
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: misc.h,v 1.18 2004/10/29 22:53:56 djm Exp $ */
|
||||
/* $OpenBSD: misc.h,v 1.19 2004/12/06 11:41:03 dtucker Exp $ */
|
||||
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
|
@ -47,3 +47,4 @@ char *tilde_expand_filename(const char *, uid_t);
|
|||
|
||||
char *read_passphrase(const char *, int);
|
||||
int ask_permission(const char *, ...) __attribute__((format(printf, 1, 2)));
|
||||
int read_keyfile_line(FILE *, const char *, char *, size_t, int *);
|
||||
|
|
9
ssh.h
9
ssh.h
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: ssh.h,v 1.75 2003/12/02 17:01:15 markus Exp $ */
|
||||
/* $OpenBSD: ssh.h,v 1.76 2004/12/06 11:41:03 dtucker Exp $ */
|
||||
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
|
@ -39,6 +39,13 @@
|
|||
*/
|
||||
#define SSH_MAX_IDENTITY_FILES 100
|
||||
|
||||
/*
|
||||
* Maximum length of lines in authorized_keys file.
|
||||
* Current value permits 16kbit RSA and RSA1 keys and 8kbit DSA keys, with
|
||||
* some room for options and comments.
|
||||
*/
|
||||
#define SSH_MAX_PUBKEY_BYTES 8192
|
||||
|
||||
/*
|
||||
* Major protocol version. Different version indicates major incompatibility
|
||||
* that prevents communication.
|
||||
|
|
6
sshd.8
6
sshd.8
|
@ -34,7 +34,7 @@
|
|||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $OpenBSD: sshd.8,v 1.202 2004/08/26 16:00:55 markus Exp $
|
||||
.\" $OpenBSD: sshd.8,v 1.203 2004/12/06 11:41:03 dtucker Exp $
|
||||
.Dd September 25, 1999
|
||||
.Dt SSHD 8
|
||||
.Os
|
||||
|
@ -420,7 +420,9 @@ or
|
|||
.Dq ssh-rsa .
|
||||
.Pp
|
||||
Note that lines in this file are usually several hundred bytes long
|
||||
(because of the size of the public key encoding).
|
||||
(because of the size of the public key encoding) up to a limit of
|
||||
8 kilobytes, which permits DSA keys up to 8 kilobits and RSA
|
||||
keys up to 16 kilobits.
|
||||
You don't want to type them in; instead, copy the
|
||||
.Pa identity.pub ,
|
||||
.Pa id_dsa.pub
|
||||
|
|