auth2-pubkey.c (204917) auth2-pubkey.c (207319)
1/* $OpenBSD: auth2-pubkey.c,v 1.21 2010/03/04 10:36:03 djm Exp $ */
1/* $OpenBSD: auth2-pubkey.c,v 1.22 2010/03/10 23:27:17 djm Exp $ */
2/*
3 * Copyright (c) 2000 Markus Friedl. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.

--- 225 unchanged lines hidden (view full) ---

235 }
236 if (auth_parse_options(pw, key_options, file, linenum) != 1)
237 continue;
238 if (key->type == KEY_RSA_CERT || key->type == KEY_DSA_CERT) {
239 if (!key_is_cert_authority)
240 continue;
241 if (!key_equal(found, key->cert->signature_key))
242 continue;
2/*
3 * Copyright (c) 2000 Markus Friedl. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.

--- 225 unchanged lines hidden (view full) ---

235 }
236 if (auth_parse_options(pw, key_options, file, linenum) != 1)
237 continue;
238 if (key->type == KEY_RSA_CERT || key->type == KEY_DSA_CERT) {
239 if (!key_is_cert_authority)
240 continue;
241 if (!key_equal(found, key->cert->signature_key))
242 continue;
243 debug("matching CA found: file %s, line %lu",
244 file, linenum);
245 fp = key_fingerprint(found, SSH_FP_MD5,
246 SSH_FP_HEX);
243 fp = key_fingerprint(found, SSH_FP_MD5,
244 SSH_FP_HEX);
247 verbose("Found matching %s CA: %s",
248 key_type(found), fp);
249 xfree(fp);
245 debug("matching CA found: file %s, line %lu, %s %s",
246 file, linenum, key_type(found), fp);
250 if (key_cert_check_authority(key, 0, 0, pw->pw_name,
251 &reason) != 0) {
247 if (key_cert_check_authority(key, 0, 0, pw->pw_name,
248 &reason) != 0) {
249 xfree(fp);
252 error("%s", reason);
253 auth_debug_add("%s", reason);
254 continue;
255 }
256 if (auth_cert_constraints(&key->cert->constraints,
250 error("%s", reason);
251 auth_debug_add("%s", reason);
252 continue;
253 }
254 if (auth_cert_constraints(&key->cert->constraints,
257 pw) != 0)
255 pw) != 0) {
256 xfree(fp);
258 continue;
257 continue;
258 }
259 verbose("Accepted certificate ID \"%s\" "
260 "signed by %s CA %s via %s", key->cert->key_id,
261 key_type(found), fp, file);
262 xfree(fp);
259 found_key = 1;
260 break;
261 } else if (!key_is_cert_authority && key_equal(found, key)) {
262 found_key = 1;
263 debug("matching key found: file %s, line %lu",
264 file, linenum);
265 fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
266 verbose("Found matching %s key: %s",

--- 9 unchanged lines hidden (view full) ---

276 debug2("key not found");
277 return found_key;
278}
279
280/* Authenticate a certificate key against TrustedUserCAKeys */
281static int
282user_cert_trusted_ca(struct passwd *pw, Key *key)
283{
263 found_key = 1;
264 break;
265 } else if (!key_is_cert_authority && key_equal(found, key)) {
266 found_key = 1;
267 debug("matching key found: file %s, line %lu",
268 file, linenum);
269 fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
270 verbose("Found matching %s key: %s",

--- 9 unchanged lines hidden (view full) ---

280 debug2("key not found");
281 return found_key;
282}
283
284/* Authenticate a certificate key against TrustedUserCAKeys */
285static int
286user_cert_trusted_ca(struct passwd *pw, Key *key)
287{
284 char *key_fp, *ca_fp;
288 char *ca_fp;
285 const char *reason;
286 int ret = 0;
287
288 if (!key_is_cert(key) || options.trusted_user_ca_keys == NULL)
289 return 0;
290
289 const char *reason;
290 int ret = 0;
291
292 if (!key_is_cert(key) || options.trusted_user_ca_keys == NULL)
293 return 0;
294
291 key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
292 ca_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
295 ca_fp = key_fingerprint(key->cert->signature_key,
296 SSH_FP_MD5, SSH_FP_HEX);
293
294 if (key_in_file(key->cert->signature_key,
295 options.trusted_user_ca_keys, 1) != 1) {
296 debug2("%s: CA %s %s is not listed in %s", __func__,
297 key_type(key->cert->signature_key), ca_fp,
298 options.trusted_user_ca_keys);
299 goto out;
300 }
301 if (key_cert_check_authority(key, 0, 1, pw->pw_name, &reason) != 0) {
302 error("%s", reason);
303 auth_debug_add("%s", reason);
304 goto out;
305 }
306 if (auth_cert_constraints(&key->cert->constraints, pw) != 0)
307 goto out;
308
297
298 if (key_in_file(key->cert->signature_key,
299 options.trusted_user_ca_keys, 1) != 1) {
300 debug2("%s: CA %s %s is not listed in %s", __func__,
301 key_type(key->cert->signature_key), ca_fp,
302 options.trusted_user_ca_keys);
303 goto out;
304 }
305 if (key_cert_check_authority(key, 0, 1, pw->pw_name, &reason) != 0) {
306 error("%s", reason);
307 auth_debug_add("%s", reason);
308 goto out;
309 }
310 if (auth_cert_constraints(&key->cert->constraints, pw) != 0)
311 goto out;
312
309 verbose("%s certificate %s allowed by trusted %s key %s",
310 key_type(key), key_fp, key_type(key->cert->signature_key), ca_fp);
313 verbose("Accepted certificate ID \"%s\" signed by %s CA %s via %s",
314 key->cert->key_id, key_type(key->cert->signature_key), ca_fp,
315 options.trusted_user_ca_keys);
311 ret = 1;
312
313 out:
316 ret = 1;
317
318 out:
314 if (key_fp != NULL)
315 xfree(key_fp);
316 if (ca_fp != NULL)
317 xfree(ca_fp);
318 return ret;
319}
320
321/* check whether given key is in .ssh/authorized_keys* */
322int
323user_key_allowed(struct passwd *pw, Key *key)

--- 31 unchanged lines hidden ---
319 if (ca_fp != NULL)
320 xfree(ca_fp);
321 return ret;
322}
323
324/* check whether given key is in .ssh/authorized_keys* */
325int
326user_key_allowed(struct passwd *pw, Key *key)

--- 31 unchanged lines hidden ---
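Review bot: The new `fp` in the certificate branch of the first hunk (new lines 243–262) now has three separate release points — `xfree(fp)` before each `continue` and once more after the `verbose()` — which is the shape that leaks as soon as a later edit adds another early exit to that branch. A less fragile layout is to run `key_cert_check_authority()` and `auth_cert_constraints()` first and compute the fingerprint only on the accept path, so `fp` is created and freed once (at the cost of the fingerprint in the rejection `debug()` line); the loop and its enclosing function begin outside this hunk. `user_cert_trusted_ca` in the second hunk already uses the single-exit form with `ca_fp` released at `out:`, so the first hunk would then match it. Separately, the `key->cert->key_id` that both new `verbose("Accepted certificate ID ...")` calls print comes from the presented certificate; it is worth confirming that the logging path escapes non-printable characters before this string reaches the logs, since the commit relies on these lines for the audit trail.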