summaryrefslogtreecommitdiff
path: root/auth2-pubkey.c
diff options
context:
space:
mode:
authordjm@openbsd.org <djm@openbsd.org>2017-06-24 06:34:38 +0000
committerDamien Miller <djm@mindrot.org>2017-06-24 16:56:11 +1000
commit8f574959272ac7fe9239c4f5d10fd913f8920ab0 (patch)
tree51ab66a6011af6459e0d4ca15a4b4b78368607a1 /auth2-pubkey.c
parente2004d4bb7eb01c663dd3a3e7eb224f1ccdc9bba (diff)
upstream commit
refactor authentication logging optionally record successful auth methods and public credentials used in a file accessible to user sessions feedback and ok markus@ Upstream-ID: 090b93036967015717b9a54fd0467875ae9d32fb
Diffstat (limited to 'auth2-pubkey.c')
-rw-r--r--auth2-pubkey.c80
1 files changed, 4 insertions, 76 deletions
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index 5794f1f4..1c59b5bb 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-pubkey.c,v 1.67 2017/05/31 10:54:00 markus Exp $ */
+/* $OpenBSD: auth2-pubkey.c,v 1.68 2017/06/24 06:34:38 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
@@ -137,7 +137,7 @@ userauth_pubkey(struct ssh *ssh)
goto done;
}
fp = sshkey_fingerprint(key, options.fingerprint_hash, SSH_FP_DEFAULT);
- if (auth2_userkey_already_used(authctxt, key)) {
+ if (auth2_key_already_used(authctxt, key)) {
logit("refusing previously-used %s key", sshkey_type(key));
goto done;
}
@@ -194,7 +194,6 @@ userauth_pubkey(struct ssh *ssh)
#ifdef DEBUG_PK
sshbuf_dump(b, stderr);
#endif
- pubkey_auth_info(authctxt, key, NULL);
/* test for correct signature */
authenticated = 0;
@@ -202,12 +201,10 @@ userauth_pubkey(struct ssh *ssh)
PRIVSEP(sshkey_verify(key, sig, slen, sshbuf_ptr(b),
sshbuf_len(b), ssh->compat)) == 0) {
authenticated = 1;
- /* Record the successful key to prevent reuse */
- auth2_record_userkey(authctxt, key);
- key = NULL; /* Don't free below */
}
sshbuf_free(b);
free(sig);
+ auth2_record_key(authctxt, authenticated, key);
} else {
debug("%s: test whether pkalg/pkblob are acceptable for %s %s",
__func__, sshkey_type(key), fp);
@@ -237,8 +234,7 @@ userauth_pubkey(struct ssh *ssh)
auth_clear_options();
done:
debug2("%s: authenticated %d pkalg %s", __func__, authenticated, pkalg);
- if (key != NULL)
- sshkey_free(key);
+ sshkey_free(key);
free(userstyle);
free(pkalg);
free(pkblob);
@@ -246,44 +242,6 @@ done:
return authenticated;
}
-void
-pubkey_auth_info(Authctxt *authctxt, const struct sshkey *key,
- const char *fmt, ...)
-{
- char *fp, *extra;
- va_list ap;
- int i;
-
- extra = NULL;
- if (fmt != NULL) {
- va_start(ap, fmt);
- i = vasprintf(&extra, fmt, ap);
- va_end(ap);
- if (i < 0 || extra == NULL)
- fatal("%s: vasprintf failed", __func__);
- }
-
- if (sshkey_is_cert(key)) {
- fp = sshkey_fingerprint(key->cert->signature_key,
- options.fingerprint_hash, SSH_FP_DEFAULT);
- auth_info(authctxt, "%s ID %s (serial %llu) CA %s %s%s%s",
- sshkey_type(key), key->cert->key_id,
- (unsigned long long)key->cert->serial,
- sshkey_type(key->cert->signature_key),
- fp == NULL ? "(null)" : fp,
- extra == NULL ? "" : ", ", extra == NULL ? "" : extra);
- free(fp);
- } else {
- fp = sshkey_fingerprint(key, options.fingerprint_hash,
- SSH_FP_DEFAULT);
- auth_info(authctxt, "%s %s%s%s", sshkey_type(key),
- fp == NULL ? "(null)" : fp,
- extra == NULL ? "" : ", ", extra == NULL ? "" : extra);
- free(fp);
- }
- free(extra);
-}
-
/*
* Splits 's' into an argument vector. Handles quoted string and basic
* escape characters (\\, \", \'). Caller must free the argument vector
@@ -1148,36 +1106,6 @@ user_key_allowed(struct passwd *pw, struct sshkey *key, int auth_attempt)
return success;
}
-/* Records a public key in the list of previously-successful keys */
-void
-auth2_record_userkey(Authctxt *authctxt, struct sshkey *key)
-{
- struct sshkey **tmp;
-
- if (authctxt->nprev_userkeys >= INT_MAX ||
- (tmp = recallocarray(authctxt->prev_userkeys,
- authctxt->nprev_userkeys, authctxt->nprev_userkeys + 1,
- sizeof(*tmp))) == NULL)
- fatal("%s: recallocarray failed", __func__);
- authctxt->prev_userkeys = tmp;
- authctxt->prev_userkeys[authctxt->nprev_userkeys] = key;
- authctxt->nprev_userkeys++;
-}
-
-/* Checks whether a key has already been used successfully for authentication */
-int
-auth2_userkey_already_used(Authctxt *authctxt, struct sshkey *key)
-{
- u_int i;
-
- for (i = 0; i < authctxt->nprev_userkeys; i++) {
- if (sshkey_equal_public(key, authctxt->prev_userkeys[i])) {
- return 1;
- }
- }
- return 0;
-}
-
Authmethod method_pubkey = {
"publickey",
userauth_pubkey,