summaryrefslogtreecommitdiff
path: root/auth2.c
diff options
context:
space:
mode:
authorDamien Miller <djm@mindrot.org>2000-11-13 22:57:25 +1100
committerDamien Miller <djm@mindrot.org>2000-11-13 22:57:25 +1100
commit0bc1bd814e3c2b5e92d6f595930051960d17f47f (patch)
tree176c7dc2844ecc2c1de0f72d221449556ffa5209 /auth2.c
parent559d383037b0872fcde4e6c40188b649c574be74 (diff)
- (djm) Merge OpenBSD changes:
- markus@cvs.openbsd.org 2000/11/06 16:04:56 [channels.c channels.h clientloop.c nchan.c serverloop.c] [session.c ssh.c] agent forwarding and -R for ssh2, based on work from jhuuskon@messi.uku.fi - markus@cvs.openbsd.org 2000/11/06 16:13:27 [ssh.c sshconnect.c sshd.c] do not disabled rhosts(rsa) if server port > 1024; from pekkas@netcore.fi - markus@cvs.openbsd.org 2000/11/06 16:16:35 [sshconnect.c] downgrade client to 1.3 if server is 1.4; help from mdb@juniper.net - markus@cvs.openbsd.org 2000/11/09 18:04:40 [auth1.c] typo; from mouring@pconline.com - markus@cvs.openbsd.org 2000/11/12 12:03:28 [ssh-agent.c] off-by-one when removing a key from the agent - markus@cvs.openbsd.org 2000/11/12 12:50:39 [auth-rh-rsa.c auth2.c authfd.c authfd.h] [authfile.c hostfile.c kex.c kex.h key.c key.h myproposal.h] [readconf.c readconf.h rsa.c rsa.h servconf.c servconf.h ssh-add.c] [ssh-agent.c ssh-keygen.1 ssh-keygen.c ssh.1 ssh.c ssh_config] [sshconnect1.c sshconnect2.c sshd.8 sshd.c sshd_config ssh-dss.c] [ssh-dss.h ssh-rsa.c ssh-rsa.h dsa.c dsa.h] add support for RSA to SSH2. please test. there are now 3 types of keys: RSA1 is used by ssh-1 only, RSA and DSA are used by SSH2. you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA keys for SSH2 and use the RSA keys for hostkeys or for user keys. SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before. - (djm) Fix up Makefile and Redhat init script to create RSA host keys - (djm) Change to interim version
Diffstat (limited to 'auth2.c')
-rw-r--r--auth2.c38
1 files changed, 19 insertions, 19 deletions
diff --git a/auth2.c b/auth2.c
index d51a1a76..46bf07c8 100644
--- a/auth2.c
+++ b/auth2.c
@@ -23,7 +23,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: auth2.c,v 1.20 2000/10/14 12:16:56 markus Exp $");
+RCSID("$OpenBSD: auth2.c,v 1.21 2000/11/12 19:50:37 markus Exp $");
#ifdef HAVE_OSF_SIA
# include <sia.h>
@@ -52,7 +52,6 @@ RCSID("$OpenBSD: auth2.c,v 1.20 2000/10/14 12:16:56 markus Exp $");
#include "key.h"
#include "kex.h"
-#include "dsa.h"
#include "uidswap.h"
#include "auth-options.h"
@@ -89,7 +88,7 @@ void protocol_error(int type, int plen, void *ctxt);
/* helper */
Authmethod *authmethod_lookup(const char *name);
struct passwd *pwcopy(struct passwd *pw);
-int user_dsa_key_allowed(struct passwd *pw, Key *key);
+int user_key_allowed(struct passwd *pw, Key *key);
char *authmethods_get(void);
/* auth */
@@ -104,7 +103,7 @@ Authmethod authmethods[] = {
&one},
{"publickey",
userauth_pubkey,
- &options.dsa_authentication},
+ &options.pubkey_authentication},
{"keyboard-interactive",
userauth_kbdint,
&options.kbd_interactive_authentication},
@@ -422,7 +421,7 @@ userauth_pubkey(Authctxt *authctxt)
Key *key;
char *pkalg, *pkblob, *sig;
unsigned int alen, blen, slen;
- int have_sig;
+ int have_sig, pktype;
int authenticated = 0;
if (!authctxt->valid) {
@@ -431,13 +430,14 @@ userauth_pubkey(Authctxt *authctxt)
}
have_sig = packet_get_char();
pkalg = packet_get_string(&alen);
- if (strcmp(pkalg, KEX_DSS) != 0) {
- log("bad pkalg %s", pkalg); /*XXX*/
+ pktype = key_type_from_name(pkalg);
+ if (pktype == KEY_UNSPEC) {
+ log("bad pkalg %s", pkalg);
xfree(pkalg);
return 0;
}
pkblob = packet_get_string(&blen);
- key = dsa_key_from_blob(pkblob, blen);
+ key = key_from_blob(pkblob, blen);
if (key != NULL) {
if (have_sig) {
sig = packet_get_string(&slen);
@@ -457,14 +457,14 @@ userauth_pubkey(Authctxt *authctxt)
authctxt->service);
buffer_put_cstring(&b, "publickey");
buffer_put_char(&b, have_sig);
- buffer_put_cstring(&b, KEX_DSS);
+ buffer_put_cstring(&b, key_ssh_name(key));
buffer_put_string(&b, pkblob, blen);
-#ifdef DEBUG_DSS
+#ifdef DEBUG_PK
buffer_dump(&b);
#endif
/* test for correct signature */
- if (user_dsa_key_allowed(authctxt->pw, key) &&
- dsa_verify(key, sig, slen, buffer_ptr(&b), buffer_len(&b)) == 1)
+ if (user_key_allowed(authctxt->pw, key) &&
+ key_verify(key, sig, slen, buffer_ptr(&b), buffer_len(&b)) == 1)
authenticated = 1;
buffer_clear(&b);
xfree(sig);
@@ -480,7 +480,7 @@ userauth_pubkey(Authctxt *authctxt)
* if a user is not allowed to login. is this an
* issue? -markus
*/
- if (user_dsa_key_allowed(authctxt->pw, key)) {
+ if (user_key_allowed(authctxt->pw, key)) {
packet_start(SSH2_MSG_USERAUTH_PK_OK);
packet_put_string(pkalg, alen);
packet_put_string(pkblob, blen);
@@ -493,6 +493,7 @@ userauth_pubkey(Authctxt *authctxt)
auth_clear_options();
key_free(key);
}
+ debug2("userauth_pubkey: authenticated %d pkalg %s", authenticated, pkalg);
xfree(pkalg);
xfree(pkblob);
#ifdef HAVE_CYGWIN
@@ -560,11 +561,10 @@ authmethod_lookup(const char *name)
/* return 1 if user allows given key */
int
-user_dsa_key_allowed(struct passwd *pw, Key *key)
+user_key_allowed(struct passwd *pw, Key *key)
{
char line[8192], file[1024];
int found_key = 0;
- unsigned int bits = -1;
FILE *f;
unsigned long linenum = 0;
struct stat st;
@@ -645,10 +645,10 @@ user_dsa_key_allowed(struct passwd *pw, Key *key)
if (!*cp || *cp == '\n' || *cp == '#')
continue;
- bits = key_read(found, &cp);
- if (bits == 0) {
+ if (key_read(found, &cp) == -1) {
/* no key? check if there are options for this key */
int quoted = 0;
+ debug2("user_key_allowed: check options: '%s'", cp);
options = cp;
for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) {
if (*cp == '\\' && cp[1] == '"')
@@ -659,8 +659,8 @@ user_dsa_key_allowed(struct passwd *pw, Key *key)
/* Skip remaining whitespace. */
for (; *cp == ' ' || *cp == '\t'; cp++)
;
- bits = key_read(found, &cp);
- if (bits == 0) {
+ if (key_read(found, &cp) == -1) {
+ debug2("user_key_allowed: advance: '%s'", cp);
/* still no key? advance to next line*/
continue;
}