upstream: for public key authentication, check AuthorizedKeysFiles

files before consulting AuthorizedKeysCommand; ok dtucker markus

OpenBSD-Commit-ID: 13652998bea5cb93668999c39c3c48e8429db8b3
djm@openbsd.org 2019-06-14 03:39:59 +00:00 committed by Damien Miller
parent a5a5391498
commit c95b90d401
1 changed files with 18 additions and 11 deletions


@ -1,4 +1,4 @@
/* $OpenBSD: auth2-pubkey.c,v 1.88 2019/05/20 00:25:55 djm Exp $ */ /* $OpenBSD: auth2-pubkey.c,v 1.89 2019/06/14 03:39:59 djm Exp $ */
/* /*
* Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2000 Markus Friedl. All rights reserved.
* *
@ -1014,9 +1014,10 @@ int
user_key_allowed(struct ssh *ssh, struct passwd *pw, struct sshkey *key, user_key_allowed(struct ssh *ssh, struct passwd *pw, struct sshkey *key,
int auth_attempt, struct sshauthopt **authoptsp) int auth_attempt, struct sshauthopt **authoptsp)
{ {
u_int success, i; u_int success = 0, i;
char *file; char *file;
struct sshauthopt *opts = NULL; struct sshauthopt *opts = NULL;
if (authoptsp != NULL) if (authoptsp != NULL)
*authoptsp = NULL; *authoptsp = NULL;
@ -1026,6 +1027,21 @@ user_key_allowed(struct ssh *ssh, struct passwd *pw, struct sshkey *key,
auth_key_is_revoked(key->cert->signature_key)) auth_key_is_revoked(key->cert->signature_key))
return 0; return 0;
for (i = 0; !success && i < options.num_authkeys_files; i++) {
if (strcasecmp(options.authorized_keys_files[i], "none") == 0)
continue;
file = expand_authorized_keys(
options.authorized_keys_files[i], pw);
success = user_key_allowed2(ssh, pw, key, file, &opts);
free(file);
if (!success) {
sshauthopt_free(opts);
opts = NULL;
}
}
if (success)
goto out;
if ((success = user_cert_trusted_ca(ssh, pw, key, &opts)) != 0) if ((success = user_cert_trusted_ca(ssh, pw, key, &opts)) != 0)
goto out; goto out;
sshauthopt_free(opts); sshauthopt_free(opts);
@ -1036,15 +1052,6 @@ user_key_allowed(struct ssh *ssh, struct passwd *pw, struct sshkey *key,
sshauthopt_free(opts); sshauthopt_free(opts);
opts = NULL; opts = NULL;
for (i = 0; !success && i < options.num_authkeys_files; i++) {
if (strcasecmp(options.authorized_keys_files[i], "none") == 0)
continue;
file = expand_authorized_keys(
options.authorized_keys_files[i], pw);
success = user_key_allowed2(ssh, pw, key, file, &opts);
free(file);
}
out: out:
if (success && authoptsp != NULL) { if (success && authoptsp != NULL) {
*authoptsp = opts; *authoptsp = opts;