diff --git a/auth.h b/auth.h index b743406ea..6d2d39762 100644 --- a/auth.h +++ b/auth.h @@ -1,4 +1,4 @@ -/* $OpenBSD: auth.h,v 1.105 2022/06/03 04:47:21 djm Exp $ */ +/* $OpenBSD: auth.h,v 1.106 2022/06/15 16:08:25 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. @@ -135,8 +135,8 @@ int auth_password(struct ssh *, const char *); int hostbased_key_allowed(struct ssh *, struct passwd *, const char *, char *, struct sshkey *); -int user_key_allowed(struct passwd *, struct sshkey *, int, - const char *, const char *, struct sshauthopt **); +int user_key_allowed(struct ssh *ssh, struct passwd *, struct sshkey *, + int, struct sshauthopt **); int auth2_key_already_used(Authctxt *, const struct sshkey *); /* diff --git a/auth2-pubkey.c b/auth2-pubkey.c index 952af119e..962fd3420 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-pubkey.c,v 1.115 2022/05/27 05:02:46 djm Exp $ */ +/* $OpenBSD: auth2-pubkey.c,v 1.116 2022/06/15 16:08:25 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2010 Damien Miller. All rights reserved. @@ -98,9 +98,6 @@ userauth_pubkey(struct ssh *ssh, const char *method) int req_presence = 0, req_verify = 0, authenticated = 0; struct sshauthopt *authopts = NULL; struct sshkey_sig_details *sig_details = NULL; - const char *remote_ip = ssh_remote_ipaddr(ssh); - const char *remote_host = auth_get_canonical_hostname(ssh, - options.use_dns); hostbound = strcmp(method, "publickey-hostbound-v00@openssh.com") == 0; @@ -223,8 +220,7 @@ userauth_pubkey(struct ssh *ssh, const char *method) #endif /* test for correct signature */ authenticated = 0; - if (PRIVSEP(user_key_allowed(pw, key, 1, remote_ip, - remote_host, &authopts)) && + if (PRIVSEP(user_key_allowed(ssh, pw, key, 1, &authopts)) && PRIVSEP(sshkey_verify(key, sig, slen, sshbuf_ptr(b), sshbuf_len(b), (ssh->compat & SSH_BUG_SIGTYPE) == 0 ? pkalg : NULL, 
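Review bot: In the new `user_key_allowed` prototype only the first parameter carries a name (`struct ssh *ssh`) while the remaining ones stay anonymous, which is inconsistent with the neighbouring `hostbased_key_allowed(struct ssh *, struct passwd *, ...)` declaration in the same hunk; the `mm_user_key_allowed` prototype in the monitor_wrap.h hunk has the same mix. Either drop the name, `int user_key_allowed(struct ssh *, struct passwd *, struct sshkey *, int,` with the continuation `struct sshauthopt **);`, or name every parameter in both declarations. Purely cosmetic, but the header otherwise follows one convention throughout.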
@@ -286,8 +282,7 @@ userauth_pubkey(struct ssh *ssh, const char *method) * if a user is not allowed to login. is this an * issue? -markus */ - if (PRIVSEP(user_key_allowed(pw, key, 0, remote_ip, - remote_host, NULL))) { + if (PRIVSEP(user_key_allowed(ssh, pw, key, 0, NULL))) { if ((r = sshpkt_start(ssh, SSH2_MSG_USERAUTH_PK_OK)) != 0 || (r = sshpkt_put_cstring(ssh, pkalg)) != 0 || @@ -751,13 +746,15 @@ user_key_command_allowed2(struct passwd *user_pw, struct sshkey *key, * Check whether key authenticates and authorises the user. */ int -user_key_allowed(struct passwd *pw, struct sshkey *key, - int auth_attempt, const char *remote_ip, const char *remote_host, - struct sshauthopt **authoptsp) +user_key_allowed(struct ssh *ssh, struct passwd *pw, struct sshkey *key, + int auth_attempt, struct sshauthopt **authoptsp) { u_int success = 0, i; char *file; struct sshauthopt *opts = NULL; + const char *remote_ip = ssh_remote_ipaddr(ssh); + const char *remote_host = auth_get_canonical_hostname(ssh, + options.use_dns); if (authoptsp != NULL) *authoptsp = NULL; diff --git a/monitor.c b/monitor.c index 022126094..91e0e6245 100644 --- a/monitor.c +++ b/monitor.c @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor.c,v 1.233 2022/05/27 05:01:25 djm Exp $ */ +/* $OpenBSD: monitor.c,v 1.234 2022/06/15 16:08:25 djm Exp $ */ /* * Copyright 2002 Niels Provos * Copyright 2002 Markus Friedl @@ -1151,9 +1151,6 @@ mm_answer_keyallowed(struct ssh *ssh, int sock, struct sshbuf *m) u_int type = 0; int r, allowed = 0; struct sshauthopt *opts = NULL; - const char *remote_ip = ssh_remote_ipaddr(ssh); - const char *remote_host = auth_get_canonical_hostname(ssh, - options.use_dns); debug3_f("entering"); if ((r = sshbuf_get_u32(m, &type)) != 0 || 
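Review bot: `user_key_allowed` now derives `remote_ip` and `remote_host` from `ssh` on every call, and `userauth_pubkey` reaches it twice per offered key (the PK_OK query with `auth_attempt` 0 and the signature check with 1), so with `options.use_dns` set `auth_get_canonical_hostname` is invoked on each call; I believe it caches the reverse lookup in auth.c, in which case this costs nothing, but that is worth confirming since the lookup now happens before any key is examined. The change is a sound hardening step: the values presumably used for authorized_keys `from=` matching can no longer be supplied by a caller and are always taken from the connection itself, which the comment above the function should state, e.g. `* Remote address/hostname used for key restrictions are derived` / `* from ssh here rather than passed in by the caller.` The body of `user_key_allowed` continues past the end of this hunk.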
@@ -1179,8 +1176,8 @@ mm_answer_keyallowed(struct ssh *ssh, int sock, struct sshbuf *m) if (!key_base_type_match(auth_method, key, options.pubkey_accepted_algos)) break; - allowed = user_key_allowed(authctxt->pw, key, - pubkey_auth_attempt, remote_ip, remote_host, &opts); + allowed = user_key_allowed(ssh, authctxt->pw, key, + pubkey_auth_attempt, &opts); break; case MM_HOSTKEY: auth_method = "hostbased"; diff --git a/monitor_wrap.c b/monitor_wrap.c index 925985a83..b2c85205e 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor_wrap.c,v 1.124 2022/05/27 05:01:25 djm Exp $ */ +/* $OpenBSD: monitor_wrap.c,v 1.125 2022/06/15 16:08:25 djm Exp $ */ /* * Copyright 2002 Niels Provos * Copyright 2002 Markus Friedl @@ -434,9 +434,8 @@ mm_auth_password(struct ssh *ssh, char *password) } int -mm_user_key_allowed(struct passwd *pw, struct sshkey *key, - int pubkey_auth_attempt, const char *remote_ip, const char *remote_host, - struct sshauthopt **authoptp) +mm_user_key_allowed(struct ssh *ssh, struct passwd *pw, struct sshkey *key, + int pubkey_auth_attempt, struct sshauthopt **authoptp) { return (mm_key_allowed(MM_USERKEY, NULL, NULL, key, pubkey_auth_attempt, authoptp)); diff --git a/monitor_wrap.h b/monitor_wrap.h index c5a75b9a3..0df49c25b 100644 --- a/monitor_wrap.h +++ b/monitor_wrap.h @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor_wrap.h,v 1.48 2022/05/27 05:01:25 djm Exp $ */ +/* $OpenBSD: monitor_wrap.h,v 1.49 2022/06/15 16:08:25 djm Exp $ */ /* * Copyright 2002 Niels Provos 
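Review bot: The new `ssh` parameter of `mm_user_key_allowed` is never used in its body, which still forwards only `key`, `pubkey_auth_attempt` and `authoptp` to `mm_key_allowed`, so builds with `-Wunused-parameter` will warn here. That is the right behaviour from a privilege-separation standpoint — the monitor in the monitor.c hunk calls `user_key_allowed(ssh, ...)` with its own connection state, so the remote address and hostname are never taken from the unprivileged process — but it deserves a line saying so, e.g. `/* ssh unused: the monitor derives remote address/hostname itself */`, plus `(void)ssh;` if the tree silences unused parameters that way.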
@@ -54,8 +54,8 @@ char *mm_auth2_read_banner(void); int mm_auth_password(struct ssh *, char *); int mm_key_allowed(enum mm_keytype, const char *, const char *, struct sshkey *, int, struct sshauthopt **); -int mm_user_key_allowed(struct passwd *, struct sshkey *, int, - const char *, const char *, struct sshauthopt **); +int mm_user_key_allowed(struct ssh *ssh, struct passwd *, struct sshkey *, int, + struct sshauthopt **); int mm_hostbased_key_allowed(struct ssh *, struct passwd *, const char *, const char *, struct sshkey *); int mm_sshkey_verify(const struct sshkey *, const u_char *, size_t,