summaryrefslogtreecommitdiff
path: root/auth2.c
diff options
context:
space:
mode:
authorDamien Miller <djm@mindrot.org>2000-06-18 14:50:44 +1000
committerDamien Miller <djm@mindrot.org>2000-06-18 14:50:44 +1000
commitf6d9e2218998559cb67aad55d3f4a0bf53600c41 (patch)
tree87ea430020c66c697e065c164951b3f74b730b76 /auth2.c
parent7b22d65034ac280e0b4eaa857c71b17ee3ad7d99 (diff)
- OpenBSD CVS updates:
- deraadt@cvs.openbsd.org 2000/06/17 09:58:46 [channels.c] everyone says "nix it" (remove protocol 2 debugging message) - markus@cvs.openbsd.org 2000/06/17 13:24:34 [sshconnect.c] allow extended server banners - markus@cvs.openbsd.org 2000/06/17 14:30:10 [sshconnect.c] missing atomicio, typo - jakob@cvs.openbsd.org 2000/06/17 16:52:34 [servconf.c servconf.h session.c sshd.8 sshd_config] add support for ssh v2 subsystems. ok markus@. - deraadt@cvs.openbsd.org 2000/06/17 18:57:48 [readconf.c servconf.c] include = in WHITESPACE; markus ok - markus@cvs.openbsd.org 2000/06/17 19:09:10 [auth2.c] implement bug compatibility with ssh-2.0.13 pubkey, server side - markus@cvs.openbsd.org 2000/06/17 21:00:28 [compat.c] initial support for ssh.com's 2.2.0 - markus@cvs.openbsd.org 2000/06/17 21:16:09 [scp.c] typo - markus@cvs.openbsd.org 2000/06/17 22:05:02 [auth-rsa.c auth2.c serverloop.c session.c auth-options.c auth-options.h] split auth-rsa option parsing into auth-options add options support to authorized_keys2 - markus@cvs.openbsd.org 2000/06/17 22:42:54 [session.c] typo
Diffstat (limited to 'auth2.c')
-rw-r--r--auth2.c61
1 files changed, 41 insertions, 20 deletions
diff --git a/auth2.c b/auth2.c
index 46c8c1f8..c7dcf195 100644
--- a/auth2.c
+++ b/auth2.c
@@ -27,7 +27,7 @@
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include "includes.h"
-RCSID("$OpenBSD: auth2.c,v 1.8 2000/05/08 17:42:24 markus Exp $");
+RCSID("$OpenBSD: auth2.c,v 1.10 2000/06/18 04:05:02 markus Exp $");
#include <openssl/dsa.h>
#include <openssl/rsa.h>
@@ -54,6 +54,7 @@ RCSID("$OpenBSD: auth2.c,v 1.8 2000/05/08 17:42:24 markus Exp $");
#include "dsa.h"
#include "uidswap.h"
+#include "auth-options.h"
/* import */
extern ServerOptions options;
@@ -69,7 +70,7 @@ void protocol_error(int type, int plen);
/* auth */
int ssh2_auth_none(struct passwd *pw);
int ssh2_auth_password(struct passwd *pw);
-int ssh2_auth_pubkey(struct passwd *pw, unsigned char *raw, unsigned int rlen);
+int ssh2_auth_pubkey(struct passwd *pw, char *service);
/* helper */
struct passwd* auth_set_user(char *u, char *s);
@@ -150,17 +151,14 @@ input_userauth_request(int type, int plen)
{
static void (*authlog) (const char *fmt,...) = verbose;
static int attempt = 0;
- unsigned int len, rlen;
+ unsigned int len;
int authenticated = 0;
- char *raw, *user, *service, *method, *authmsg = NULL;
+ char *user, *service, *method, *authmsg = NULL;
struct passwd *pw;
#ifdef WITH_AIXAUTHENTICATE
extern char *aixloginmsg;
#endif /* WITH_AIXAUTHENTICATE */
- raw = packet_get_raw(&rlen);
- if (plen != rlen)
- fatal("plen != rlen");
user = packet_get_string(&len);
service = packet_get_string(&len);
method = packet_get_string(&len);
@@ -180,7 +178,7 @@ input_userauth_request(int type, int plen)
} else if (strcmp(method, "password") == 0) {
authenticated = ssh2_auth_password(pw);
} else if (strcmp(method, "publickey") == 0) {
- authenticated = ssh2_auth_pubkey(pw, raw, rlen);
+ authenticated = ssh2_auth_pubkey(pw, service);
}
}
if (authenticated && pw && pw->pw_uid == 0 && !options.permit_root_login) {
@@ -277,7 +275,7 @@ ssh2_auth_password(struct passwd *pw)
return authenticated;
}
int
-ssh2_auth_pubkey(struct passwd *pw, unsigned char *raw, unsigned int rlen)
+ssh2_auth_pubkey(struct passwd *pw, char *service)
{
Buffer b;
Key *key;
@@ -290,10 +288,6 @@ ssh2_auth_pubkey(struct passwd *pw, unsigned char *raw, unsigned int rlen)
debug("pubkey auth disabled");
return 0;
}
- if (datafellows & SSH_BUG_PUBKEYAUTH) {
- log("bug compatibility with ssh-2.0.13 pubkey not implemented");
- return 0;
- }
have_sig = packet_get_char();
pkalg = packet_get_string(&alen);
if (strcmp(pkalg, KEX_DSS) != 0) {
@@ -309,10 +303,18 @@ ssh2_auth_pubkey(struct passwd *pw, unsigned char *raw, unsigned int rlen)
packet_done();
buffer_init(&b);
buffer_append(&b, session_id2, session_id2_len);
+
+ /* reconstruct packet */
buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
- if (slen + 4 > rlen)
- fatal("bad rlen/slen");
- buffer_append(&b, raw, rlen - slen - 4);
+ buffer_put_cstring(&b, pw->pw_name);
+ buffer_put_cstring(&b,
+ datafellows & SSH_BUG_PUBKEYAUTH ?
+ "ssh-userauth" :
+ service);
+ buffer_put_cstring(&b, "publickey");
+ buffer_put_char(&b, have_sig);
+ buffer_put_cstring(&b, KEX_DSS);
+ buffer_put_string(&b, pkblob, blen);
#ifdef DEBUG_DSS
buffer_dump(&b);
#endif
@@ -471,17 +473,36 @@ user_dsa_key_allowed(struct passwd *pw, Key *key)
found = key_new(KEY_DSA);
while (fgets(line, sizeof(line), f)) {
- char *cp;
+ char *cp, *options = NULL;
linenum++;
/* Skip leading whitespace, empty and comment lines. */
for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
;
if (!*cp || *cp == '\n' || *cp == '#')
continue;
+
bits = key_read(found, &cp);
- if (bits == 0)
- continue;
- if (key_equal(found, key)) {
+ if (bits == 0) {
+ /* no key? check if there are options for this key */
+ int quoted = 0;
+ options = cp;
+ for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) {
+ if (*cp == '\\' && cp[1] == '"')
+ cp++; /* Skip both */
+ else if (*cp == '"')
+ quoted = !quoted;
+ }
+ /* Skip remaining whitespace. */
+ for (; *cp == ' ' || *cp == '\t'; cp++)
+ ;
+ bits = key_read(found, &cp);
+ if (bits == 0) {
+ /* still no key? advance to next line*/
+ continue;
+ }
+ }
+ if (key_equal(found, key) &&
+ auth_parse_options(pw, options, linenum) == 1) {
found_key = 1;
debug("matching key found: file %s, line %ld",
file, linenum);