auth2-pubkey.c File Reference

#include "includes.h"
#include "ssh.h"
#include "ssh2.h"
#include "xmalloc.h"
#include "packet.h"
#include "buffer.h"
#include "log.h"
#include "servconf.h"
#include "compat.h"
#include "bufaux.h"
#include "auth.h"
#include "key.h"
#include "pathnames.h"
#include "uidswap.h"
#include "auth-options.h"
#include "canohost.h"
#include "monitor_wrap.h"
#include "misc.h"

Go to the source code of this file.

Functions
	RCSID ("$OpenBSD: auth2-pubkey.c,v 1.9 2004/12/11 01:48:56 dtucker Exp $")
static int	userauth_pubkey (Authctxt *authctxt)
static int	user_key_allowed2 (struct passwd *pw, Key *key, char *file)
int	user_key_allowed (struct passwd *pw, Key *key)
Variables
ServerOptions	options
u_char *	session_id2
u_int	session_id2_len
Authmethod	method_pubkey

---

Function Documentation

RCSID (  "$OpenBSD: auth2-pubkey.  c, v 1.9 2004/12/11 01:48:56 dtucker Exp $"  )

int user_key_allowed (  struct passwd *  pw, Key *  key )

Definition at line 260 of file auth2-pubkey.c. References authorized_keys_file(), authorized_keys_file2(), file, user_key_allowed2(), and xfree(). { int success; char *file; file = authorized_keys_file(pw); success = user_key_allowed2(pw, key, file); xfree(file); if (success) return success; /* try suffix "2" for backward compat, too */ file = authorized_keys_file2(pw); success = user_key_allowed2(pw, key, file); xfree(file); return success; }

static int user_key_allowed2 (  struct passwd *  pw, Key *  key, char *  file )  [static]

Definition at line 170 of file auth2-pubkey.c. References auth_parse_options(), debug(), debug2(), key_equal(), key_fingerprint(), key_free(), key_new(), key_read(), key_type(), logit(), read_keyfile_line(), restore_uid(), secure_filename(), SSH_FP_HEX, SSH_FP_MD5, SSH_MAX_PUBKEY_BYTES, ServerOptions::strict_modes, temporarily_use_uid(), Key::type, verbose(), and xfree(). Referenced by user_key_allowed(). { char line[SSH_MAX_PUBKEY_BYTES]; int found_key = 0; FILE *f; u_long linenum = 0; struct stat st; Key *found; char *fp; /* Temporarily use the user's uid. */ temporarily_use_uid(pw); debug("trying public key file %s", file); /* Fail quietly if file does not exist */ if (stat(file, &st) < 0) { /* Restore the privileged uid. */ restore_uid(); return 0; } /* Open the file containing the authorized keys. */ f = fopen(file, "r"); if (!f) { /* Restore the privileged uid. */ restore_uid(); return 0; } if (options.strict_modes && secure_filename(f, file, pw, line, sizeof(line)) != 0) { fclose(f); logit("Authentication refused: %s", line); restore_uid(); return 0; } found_key = 0; found = key_new(key->type); while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { char *cp, *key_options = NULL; /* Skip leading whitespace, empty and comment lines. */ for (cp = line; *cp == ' ' || *cp == '\t'; cp++) ; if (!*cp || *cp == '\n' || *cp == '#') continue; if (key_read(found, &cp) != 1) { /* no key? check if there are options for this key */ int quoted = 0; debug2("user_key_allowed: check options: '%s'", cp); key_options = cp; for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) { if (*cp == '\\' && cp[1] == '"') cp++; /* Skip both */ else if (*cp == '"') quoted = !quoted; } /* Skip remaining whitespace. */ for (; *cp == ' ' || *cp == '\t'; cp++) ; if (key_read(found, &cp) != 1) { debug2("user_key_allowed: advance: '%s'", cp); /* still no key? advance to next line*/ continue; } } if (key_equal(found, key) && auth_parse_options(pw, key_options, file, linenum) == 1) { found_key = 1; debug("matching key found: file %s, line %lu", file, linenum); fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX); verbose("Found matching %s key: %s", key_type(found), fp); xfree(fp); break; } } restore_uid(); fclose(f); key_free(found); if (!found_key) debug2("key not found"); return found_key; }

static int userauth_pubkey (  Authctxt *  authctxt  )  [static]

Definition at line 52 of file auth2-pubkey.c. References auth_clear_options(), buffer_append(), buffer_dump(), buffer_free(), buffer_get_string(), buffer_init(), buffer_len(), buffer_ptr(), buffer_put_char(), buffer_put_cstring(), buffer_put_string(), datafellows, debug(), debug2(), error(), key_free(), key_from_blob(), key_type_from_name(), KEY_UNSPEC, key_verify(), logit(), packet_check_eom, packet_get_char(), packet_get_string(), packet_put_string(), packet_send(), packet_start(), packet_write_wait(), Authctxt::postponed, PRIVSEP, Authctxt::pw, Authctxt::service, session_id2, session_id2_len, SSH2_MSG_USERAUTH_PK_OK, SSH2_MSG_USERAUTH_REQUEST, SSH_BUG_PKAUTH, SSH_BUG_PKSERVICE, SSH_OLD_SESSIONID, Key::type, Authctxt::user, user_key_allowed(), Authctxt::valid, and xfree(). { Buffer b; Key *key = NULL; char *pkalg; u_char *pkblob, *sig; u_int alen, blen, slen; int have_sig, pktype; int authenticated = 0; if (!authctxt->valid) { debug2("userauth_pubkey: disabled because of invalid user"); return 0; } have_sig = packet_get_char(); if (datafellows & SSH_BUG_PKAUTH) { debug2("userauth_pubkey: SSH_BUG_PKAUTH"); /* no explicit pkalg given */ pkblob = packet_get_string(&blen); buffer_init(&b); buffer_append(&b, pkblob, blen); /* so we have to extract the pkalg from the pkblob */ pkalg = buffer_get_string(&b, &alen); buffer_free(&b); } else { pkalg = packet_get_string(&alen); pkblob = packet_get_string(&blen); } pktype = key_type_from_name(pkalg); if (pktype == KEY_UNSPEC) { /* this is perfectly legal */ logit("userauth_pubkey: unsupported public key algorithm: %s", pkalg); goto done; } key = key_from_blob(pkblob, blen); if (key == NULL) { error("userauth_pubkey: cannot decode key: %s", pkalg); goto done; } if (key->type != pktype) { error("userauth_pubkey: type mismatch for decoded key " "(received %d, expected %d)", key->type, pktype); goto done; } if (have_sig) { sig = packet_get_string(&slen); packet_check_eom(); buffer_init(&b); if (datafellows & SSH_OLD_SESSIONID) { buffer_append(&b, session_id2, session_id2_len); } else { buffer_put_string(&b, session_id2, session_id2_len); } /* reconstruct packet */ buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST); buffer_put_cstring(&b, authctxt->user); buffer_put_cstring(&b, datafellows & SSH_BUG_PKSERVICE ? "ssh-userauth" : authctxt->service); if (datafellows & SSH_BUG_PKAUTH) { buffer_put_char(&b, have_sig); } else { buffer_put_cstring(&b, "publickey"); buffer_put_char(&b, have_sig); buffer_put_cstring(&b, pkalg); } buffer_put_string(&b, pkblob, blen); #ifdef DEBUG_PK buffer_dump(&b); #endif /* test for correct signature */ authenticated = 0; if (PRIVSEP(user_key_allowed(authctxt->pw, key)) && PRIVSEP(key_verify(key, sig, slen, buffer_ptr(&b), buffer_len(&b))) == 1) authenticated = 1; buffer_free(&b); xfree(sig); } else { debug("test whether pkalg/pkblob are acceptable"); packet_check_eom(); /* XXX fake reply and always send PK_OK ? */ /* * XXX this allows testing whether a user is allowed * to login: if you happen to have a valid pubkey this * message is sent. the message is NEVER sent at all * if a user is not allowed to login. is this an * issue? -markus */ if (PRIVSEP(user_key_allowed(authctxt->pw, key))) { packet_start(SSH2_MSG_USERAUTH_PK_OK); packet_put_string(pkalg, alen); packet_put_string(pkblob, blen); packet_send(); packet_write_wait(); authctxt->postponed = 1; } } if (authenticated != 1) auth_clear_options(); done: debug2("userauth_pubkey: authenticated %d pkalg %s", authenticated, pkalg); if (key != NULL) key_free(key); xfree(pkalg); xfree(pkblob); #ifdef HAVE_CYGWIN if (check_nt_auth(0, authctxt->pw) == 0) authenticated = 0; #endif return authenticated; }

---

Variable Documentation

Authmethod method_pubkey

Initial value: { "publickey", userauth_pubkey, &options.pubkey_authentication } Definition at line 278 of file auth2-pubkey.c.

ServerOptions options

Definition at line 110 of file ssh.c.

u_char* session_id2

Definition at line 66 of file sshconnect2.c.

u_int session_id2_len

Definition at line 67 of file sshconnect2.c.

---

© sourcejam.com 2005-2008