- djm@cvs.openbsd.org 2013/05/19 02:38:28
[auth2-pubkey.c] fix failure to recognise cert-authority keys if a key of a different type appeared in authorized_keys before it; ok markus@
parent
a627d42e51
commit
74836ae0fa
|
@ -22,6 +22,10 @@
|
||||||
ssh-add.c misc.c auth2-hostbased.c ssh-agent.c bufec.c groupaccess.c
|
ssh-add.c misc.c auth2-hostbased.c ssh-agent.c bufec.c groupaccess.c
|
||||||
dns.c packet.c readpass.c authfd.c moduli.c]
|
dns.c packet.c readpass.c authfd.c moduli.c]
|
||||||
bye, bye xfree(); ok markus@
|
bye, bye xfree(); ok markus@
|
||||||
|
- djm@cvs.openbsd.org 2013/05/19 02:38:28
|
||||||
|
[auth2-pubkey.c]
|
||||||
|
fix failure to recognise cert-authority keys if a key of a different type
|
||||||
|
appeared in authorized_keys before it; ok markus@
|
||||||
|
|
||||||
20130529
|
20130529
|
||||||
- (dtucker) [configure.ac openbsd-compat/bsd-misc.h] bz#2087: Add a null
|
- (dtucker) [configure.ac openbsd-compat/bsd-misc.h] bz#2087: Add a null
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
/* $OpenBSD: auth2-pubkey.c,v 1.36 2013/05/17 00:13:13 djm Exp $ */
|
/* $OpenBSD: auth2-pubkey.c,v 1.37 2013/05/19 02:38:28 djm Exp $ */
|
||||||
/*
|
/*
|
||||||
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
||||||
*
|
*
|
||||||
|
@ -147,6 +147,8 @@ userauth_pubkey(Authctxt *authctxt)
|
||||||
#ifdef DEBUG_PK
|
#ifdef DEBUG_PK
|
||||||
buffer_dump(&b);
|
buffer_dump(&b);
|
||||||
#endif
|
#endif
|
||||||
|
pubkey_auth_info(authctxt, key);
|
||||||
|
|
||||||
/* test for correct signature */
|
/* test for correct signature */
|
||||||
authenticated = 0;
|
authenticated = 0;
|
||||||
if (PRIVSEP(user_key_allowed(authctxt->pw, key)) &&
|
if (PRIVSEP(user_key_allowed(authctxt->pw, key)) &&
|
||||||
|
@ -187,6 +189,26 @@ done:
|
||||||
return authenticated;
|
return authenticated;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
void
|
||||||
|
pubkey_auth_info(Authctxt *authctxt, const Key *key)
|
||||||
|
{
|
||||||
|
char *fp;
|
||||||
|
|
||||||
|
if (key_is_cert(key)) {
|
||||||
|
fp = key_fingerprint(key->cert->signature_key,
|
||||||
|
SSH_FP_MD5, SSH_FP_HEX);
|
||||||
|
auth_info(authctxt, "%s ID %s (serial %llu) CA %s %s",
|
||||||
|
key_type(key), key->cert->key_id,
|
||||||
|
(unsigned long long)key->cert->serial,
|
||||||
|
key_type(key->cert->signature_key), fp);
|
||||||
|
free(fp);
|
||||||
|
} else {
|
||||||
|
fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
|
||||||
|
auth_info(authctxt, "%s %s", key_type(key), fp);
|
||||||
|
free(fp);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
static int
|
static int
|
||||||
match_principals_option(const char *principal_list, struct KeyCert *cert)
|
match_principals_option(const char *principal_list, struct KeyCert *cert)
|
||||||
{
|
{
|
||||||
|
@ -280,11 +302,13 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
|
||||||
char *fp;
|
char *fp;
|
||||||
|
|
||||||
found_key = 0;
|
found_key = 0;
|
||||||
found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);
|
|
||||||
|
|
||||||
|
found = NULL;
|
||||||
while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
|
while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
|
||||||
char *cp, *key_options = NULL;
|
char *cp, *key_options = NULL;
|
||||||
|
if (found != NULL)
|
||||||
|
key_free(found);
|
||||||
|
found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);
|
||||||
auth_clear_options();
|
auth_clear_options();
|
||||||
|
|
||||||
/* Skip leading whitespace, empty and comment lines. */
|
/* Skip leading whitespace, empty and comment lines. */
|
||||||
|
@ -362,16 +386,15 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
|
||||||
if (key_is_cert_authority)
|
if (key_is_cert_authority)
|
||||||
continue;
|
continue;
|
||||||
found_key = 1;
|
found_key = 1;
|
||||||
debug("matching key found: file %s, line %lu",
|
|
||||||
file, linenum);
|
|
||||||
fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
|
fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
|
||||||
verbose("Found matching %s key: %s",
|
debug("matching key found: file %s, line %lu %s %s",
|
||||||
key_type(found), fp);
|
file, linenum, key_type(found), fp);
|
||||||
free(fp);
|
free(fp);
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
key_free(found);
|
if (found != NULL)
|
||||||
|
key_free(found);
|
||||||
if (!found_key)
|
if (!found_key)
|
||||||
debug2("key not found");
|
debug2("key not found");
|
||||||
return found_key;
|
return found_key;
|
||||||
|
|
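Review bot: In the check_authkeys_file hunk (`@ -280,11 +302,13`) the per-line `key_new()` now runs for every line read, including the blank and comment lines that the `Skip leading whitespace, empty and comment lines` code right after it discards, so each such line costs a key allocation plus a free; if that skip code (outside the hunk) does not touch `found`, moving the three lines `if (found != NULL)` / `key_free(found);` / `found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);` to just after the skip keeps the fix without the churn. The NULL guards around `key_free(found)` inside and after the loop look deliberate, so I would keep them rather than assume key_free() tolerates NULL. In the last hunk the VERBOSE-level `Found matching %s key: %s` message is folded into a debug() line, so deployments that watch for that message at LogLevel VERBOSE will no longer see the matched key's type and fingerprint there; as far as the diff shows, that information now reaches the auth log only through the new pubkey_auth_info() call in the second hunk, which runs before the signature is checked and therefore describes the key the client offered rather than one proven, which deserves a comment above that call such as `/* Record the offered key for the auth log; the signature has not been verified yet. */`. check_authkeys_file begins and ends outside these hunks.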