*/
#include "includes.h"
-RCSID("$OpenBSD: auth-rsa.c,v 1.38 2001/01/21 19:05:42 markus Exp $");
+RCSID("$OpenBSD: auth-rsa.c,v 1.44 2001/07/23 18:14:58 stevesk Exp $");
#include <openssl/rsa.h>
#include <openssl/md5.h>
int
auth_rsa(struct passwd *pw, BIGNUM *client_n)
{
- char line[8192], file[MAXPATHLEN];
+ char line[8192], *file;
int authenticated;
u_int bits;
FILE *f;
return 0;
/* Temporarily use the user's uid. */
- temporarily_use_uid(pw->pw_uid);
+ temporarily_use_uid(pw);
/* The authorized keys. */
- snprintf(file, sizeof file, "%.500s/%.100s", pw->pw_dir,
- _PATH_SSH_USER_PERMITTED_KEYS);
+ file = authorized_keys_file(pw);
+ debug("trying public RSA key file %s", file);
/* Fail quietly if file does not exist */
if (stat(file, &st) < 0) {
/* Restore the privileged uid. */
restore_uid();
+ xfree(file);
return 0;
}
/* Open the file containing the authorized keys. */
restore_uid();
packet_send_debug("Could not open %.900s for reading.", file);
packet_send_debug("If your home is on an NFS volume, it may need to be world-readable.");
+ xfree(file);
return 0;
}
- if (options.strict_modes) {
- int fail = 0;
- char buf[1024];
- /* Check open file in order to avoid open/stat races */
- if (fstat(fileno(f), &st) < 0 ||
- (st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
- (st.st_mode & 022) != 0) {
- snprintf(buf, sizeof buf, "RSA authentication refused for %.100s: "
- "bad ownership or modes for '%s'.", pw->pw_name, file);
- fail = 1;
- } else {
- /* Check path to _PATH_SSH_USER_PERMITTED_KEYS */
- int i;
- static const char *check[] = {
- "", _PATH_SSH_USER_DIR, NULL
- };
- for (i = 0; check[i]; i++) {
- snprintf(line, sizeof line, "%.500s/%.100s", pw->pw_dir, check[i]);
- if (stat(line, &st) < 0 ||
- (st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
- (st.st_mode & 022) != 0) {
- snprintf(buf, sizeof buf, "RSA authentication refused for %.100s: "
- "bad ownership or modes for '%s'.", pw->pw_name, line);
- fail = 1;
- break;
- }
- }
- }
- if (fail) {
- fclose(f);
- log("%s",buf);
- packet_send_debug("%s",buf);
- restore_uid();
- return 0;
- }
+ if (options.strict_modes &&
+ secure_filename(f, file, pw, line, sizeof(line)) != 0) {
+ xfree(file);
+ fclose(f);
+ log("Authentication refused: %s", line);
+ packet_send_debug("Authentication refused: %s", line);
+ restore_uid();
+ return 0;
}
/* Flag indicating whether authentication has succeeded. */
authenticated = 0;
/* Parse the key from the line. */
if (!auth_rsa_read_key(&cp, &bits, pk->e, pk->n)) {
- debug("%.100s, line %lu: bad key syntax",
- file, linenum);
- packet_send_debug("%.100s, line %lu: bad key syntax",
+ debug("%.100s, line %lu: non ssh1 key syntax",
file, linenum);
continue;
}
/* check the real bits */
if (bits != BN_num_bits(pk->n))
- log("Warning: %s, line %ld: keysize mismatch: "
+ log("Warning: %s, line %lu: keysize mismatch: "
"actual %d vs. announced %d.",
file, linenum, BN_num_bits(pk->n), bits);
restore_uid();
/* Close the file. */
+ xfree(file);
fclose(f);
RSA_free(pk);