+/* $OpenBSD: auth2-pubkey.c,v 1.19 2008/07/03 21:46:58 otto Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
*/
#include "includes.h"
-RCSID("$OpenBSD: auth2-pubkey.c,v 1.4 2003/06/24 08:23:46 markus Exp $");
-#include "ssh2.h"
+#include <sys/types.h>
+#include <sys/stat.h>
+
+#include <fcntl.h>
+#include <pwd.h>
+#include <stdio.h>
+#include <stdarg.h>
+#include <unistd.h>
+
#include "xmalloc.h"
+#include "ssh.h"
+#include "ssh2.h"
#include "packet.h"
#include "buffer.h"
#include "log.h"
#include "servconf.h"
#include "compat.h"
-#include "bufaux.h"
-#include "auth.h"
#include "key.h"
+#include "hostfile.h"
+#include "auth.h"
#include "pathnames.h"
#include "uidswap.h"
#include "auth-options.h"
#include "canohost.h"
+#ifdef GSSAPI
+#include "ssh-gss.h"
+#endif
#include "monitor_wrap.h"
+#include "misc.h"
/* import */
extern ServerOptions options;
authenticated = 0;
if (PRIVSEP(user_key_allowed(authctxt->pw, key)) &&
PRIVSEP(key_verify(key, sig, slen, buffer_ptr(&b),
- buffer_len(&b))) == 1)
+ buffer_len(&b))) == 1)
authenticated = 1;
- buffer_clear(&b);
+ buffer_free(&b);
xfree(sig);
} else {
debug("test whether pkalg/pkblob are acceptable");
xfree(pkblob);
#ifdef HAVE_CYGWIN
if (check_nt_auth(0, authctxt->pw) == 0)
- return(0);
+ authenticated = 0;
#endif
return authenticated;
}
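Review bot: The Cygwin fallback `if (check_nt_auth(0, authctxt->pw) == 0) authenticated = 0;` now silently overrides a signature that key_verify() has already accepted, and nothing near it says why the NT-side check is allowed to veto a good public-key login; a comment such as `/* NT account check can veto an otherwise valid public-key login */` would keep the override from reading as an accident. The `== 1` applied only to the key_verify() result, while user_key_allowed() is tested for truth, presumably reflects a three-valued return (error/bad/good) from key_verify(); if so, state that in a comment, since the asymmetry otherwise looks like a mistake. userauth_pubkey begins before this hunk, and the cleanup path after `return authenticated` is not visible here.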
static int
user_key_allowed2(struct passwd *pw, Key *key, char *file)
{
- char line[8192];
+ char line[SSH_MAX_PUBKEY_BYTES];
int found_key = 0;
FILE *f;
u_long linenum = 0;
- struct stat st;
Key *found;
char *fp;
- if (pw == NULL)
- return 0;
-
/* Temporarily use the user's uid. */
temporarily_use_uid(pw);
debug("trying public key file %s", file);
+ f = auth_openkeyfile(file, pw, options.strict_modes);
- /* Fail quietly if file does not exist */
- if (stat(file, &st) < 0) {
- /* Restore the privileged uid. */
- restore_uid();
- return 0;
- }
- /* Open the file containing the authorized keys. */
- f = fopen(file, "r");
if (!f) {
- /* Restore the privileged uid. */
- restore_uid();
- return 0;
- }
- if (options.strict_modes &&
- secure_filename(f, file, pw, line, sizeof(line)) != 0) {
- fclose(f);
- logit("Authentication refused: %s", line);
restore_uid();
return 0;
}
found_key = 0;
found = key_new(key->type);
- while (fgets(line, sizeof(line), f)) {
- char *cp, *options = NULL;
- linenum++;
+ while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
+ char *cp, *key_options = NULL;
+
/* Skip leading whitespace, empty and comment lines. */
for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
;
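Review bot: Dropping the `if (pw == NULL) return 0;` guard leaves `temporarily_use_uid(pw)` and `auth_openkeyfile(file, pw, options.strict_modes)` to dereference pw unconditionally, so the function now depends on its caller to filter unknown users; that contract belongs at the top of the function, e.g. `/* pw must be non-NULL: the caller is expected to reject unknown users before calling us. */`, or the guard could be kept as a cheap check on an authentication path. `found = key_new(key->type)` is allocated after the file is successfully opened, so every later exit from the read loop must release both `f` and `found`; the end of user_key_allowed2, where that cleanup presumably lives, is outside this hunk.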
/* no key? check if there are options for this key */
int quoted = 0;
debug2("user_key_allowed: check options: '%s'", cp);
- options = cp;
+ key_options = cp;
for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) {
if (*cp == '\\' && cp[1] == '"')
cp++; /* Skip both */
}
}
if (key_equal(found, key) &&
- auth_parse_options(pw, options, file, linenum) == 1) {
+ auth_parse_options(pw, key_options, file, linenum) == 1) {
found_key = 1;
debug("matching key found: file %s, line %lu",
file, linenum);
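Review bot: Because `key_equal(found, key) && auth_parse_options(pw, key_options, file, linenum) == 1` short-circuits, the option string is parsed only for the line whose key actually matched, so `from=`/`command=` directives on other lines cannot affect the session; that is a security property worth a comment above the test, e.g. `/* Parse options only for the matching key so restrictions on other lines never apply. */`. The rename to `key_options` removes the shadowing of the file-scope `options` ServerOptions, but the scanning loop still relies on `quoted`, whose toggling on a `"` is not visible in the lines shown; if that toggle sits in the elided part of the loop this is fine, otherwise the scan would stop at the first space inside a quoted `command=` argument. The loop body and the remainder of user_key_allowed2 continue beyond this hunk.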