- djm@cvs.openbsd.org 2010/06/29 23:16:46

[auth2-pubkey.c sshd_config.5]
     allow key options (command="..." and friends) in AuthorizedPrincipals;
     ok markus@

ChangeLog

@@ -10,6 +10,10 @@
      [ssh-keygen.1 ssh-keygen.c]
      allow import (-i) and export (-e) of PEM and PKCS#8 encoded keys;
      bz#1749; ok markus@
+   - djm@cvs.openbsd.org 2010/06/29 23:16:46
+     [auth2-pubkey.c sshd_config.5]
+     allow key options (command="..." and friends) in AuthorizedPrincipals;
+     ok markus@
 
 20100627
  - (tim) [openbsd-compat/port-uw.c] Reorder includes. auth-options.h now needs

auth2-pubkey.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-pubkey.c,v 1.25 2010/05/20 11:25:26 djm Exp $ */
+/* $OpenBSD: auth2-pubkey.c,v 1.26 2010/06/29 23:16:46 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -198,10 +198,10 @@ match_principals_option(const char *principal_list, struct KeyCert *cert)
 }
 
 static int
-match_principals_file(const char *file, struct passwd *pw, struct KeyCert *cert)
+match_principals_file(char *file, struct passwd *pw, struct KeyCert *cert)
 {
 	FILE *f;
-	char line[SSH_MAX_PUBKEY_BYTES], *cp;
+	char line[SSH_MAX_PUBKEY_BYTES], *cp, *ep, *line_opts;
 	u_long linenum = 0;
 	u_int i;
 
@@ -212,17 +212,37 @@ match_principals_file(const char *file, struct passwd *pw, struct KeyCert *cert)
 		return 0;
 	}
 	while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
-		/* Skip leading whitespace, empty and comment lines. */
+		/* Skip leading whitespace. */
 		for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
 			;
-		if (!*cp || *cp == '\n' || *cp == '#')
+		/* Skip blank and comment lines. */
+		if ((ep = strchr(cp, '#')) != NULL)
+			*ep = '\0';
+		if (!*cp || *cp == '\n')
 			continue;
-		line[strcspn(line, "\n")] = '\0';
-
+		/* Trim trailing whitespace. */
+		ep = cp + strlen(cp) - 1;
+		while (ep > cp && (*ep == '\n' || *ep == ' ' || *ep == '\t'))
+			*ep-- = '\0';
+		/*
+		 * If the line has internal whitespace then assume it has
+		 * key options.
+		 */
+		line_opts = NULL;
+		if ((ep = strrchr(cp, ' ')) != NULL ||
+		    (ep = strrchr(cp, '\t')) != NULL) {
+			for (; *ep == ' ' || *ep == '\t'; ep++)
+				;;
+			line_opts = cp;
+			cp = ep;
+		}
 		for (i = 0; i < cert->nprincipals; i++) {
 			if (strcmp(cp, cert->principals[i]) == 0) {
 				debug3("matched principal from file \"%.100s\"",
 			    	    cert->principals[i]);
+				if (auth_parse_options(pw, line_opts,
+				    file, linenum) != 1)
+					continue;
 				fclose(f);
 				restore_uid();
 				return 1;

sshd_config.5

@@ -34,8 +34,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.123 2010/06/22 04:22:59 djm Exp $
-.Dd $Mdocdate: June 22 2010 $
+.\" $OpenBSD: sshd_config.5,v 1.124 2010/06/29 23:16:46 djm Exp $
+.Dd $Mdocdate: June 29 2010 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -155,6 +155,10 @@ for more information on patterns.
 .It Cm AuthorizedKeysFile
 Specifies the file that contains the public keys that can be used
 for user authentication.
+The format is described in the
+.Sx AUTHORIZED_KEYS FILE FORMAT
+section of
+.Xr sshd 8 .
 .Cm AuthorizedKeysFile
 may contain tokens of the form %T which are substituted during connection
 setup.
@@ -174,7 +178,12 @@ When using certificates signed by a key listed in
 .Cm TrustedUserCAKeys ,
 this file lists names, one of which must appear in the certificate for it
 to be accepted for authentication.
-Names are listed one per line; empty lines and comments starting with
+Names are listed one per line preceeded by key options (as described
+in
+.Sx AUTHORIZED_KEYS FILE FORMAT
+in
+.Xr sshd 8 ).
+Empty lines and comments starting with
 .Ql #
 are ignored.
 .Pp