- /* Correct response. The client has been successfully authenticated.
- Note that we have not yet processed the options; this will be reset
- if the options cause the authentication to be rejected. */
- authenticated = 1;
-
- /* RSA part of authentication was accepted. Now process the options. */
- if (options)
- {
- while (*options && *options != ' ' && *options != '\t')
- {
- cp = "no-port-forwarding";
- if (strncmp(options, cp, strlen(cp)) == 0)
- {
- packet_send_debug("Port forwarding disabled.");
- no_port_forwarding_flag = 1;
- options += strlen(cp);
- goto next_option;
- }
- cp = "no-agent-forwarding";
- if (strncmp(options, cp, strlen(cp)) == 0)
- {
- packet_send_debug("Agent forwarding disabled.");
- no_agent_forwarding_flag = 1;
- options += strlen(cp);
- goto next_option;
- }
- cp = "no-X11-forwarding";
- if (strncmp(options, cp, strlen(cp)) == 0)
- {
- packet_send_debug("X11 forwarding disabled.");
- no_x11_forwarding_flag = 1;
- options += strlen(cp);
- goto next_option;
- }
- cp = "no-pty";
- if (strncmp(options, cp, strlen(cp)) == 0)
- {
- packet_send_debug("Pty allocation disabled.");
- no_pty_flag = 1;
- options += strlen(cp);
- goto next_option;
- }
- cp = "command=\"";
- if (strncmp(options, cp, strlen(cp)) == 0)
- {
- int i;
- options += strlen(cp);
- forced_command = xmalloc(strlen(options) + 1);
- i = 0;
- while (*options)
- {
- if (*options == '"')
- break;
- if (*options == '\\' && options[1] == '"')
- {
- options += 2;
- forced_command[i++] = '"';
- continue;
- }
- forced_command[i++] = *options++;
- }
- if (!*options)
- {
- debug("%.100s, line %lu: missing end quote",
- SSH_USER_PERMITTED_KEYS, linenum);
- packet_send_debug("%.100s, line %lu: missing end quote",
- SSH_USER_PERMITTED_KEYS, linenum);
- continue;
- }
- forced_command[i] = 0;
- packet_send_debug("Forced command: %.900s", forced_command);
- options++;
- goto next_option;
- }
- cp = "environment=\"";
- if (strncmp(options, cp, strlen(cp)) == 0)
- {
- int i;
- char *s;
- struct envstring *new_envstring;
- options += strlen(cp);
- s = xmalloc(strlen(options) + 1);
- i = 0;
- while (*options)
- {
- if (*options == '"')
- break;
- if (*options == '\\' && options[1] == '"')
- {
- options += 2;
- s[i++] = '"';
- continue;
- }
- s[i++] = *options++;
- }
- if (!*options)
- {
- debug("%.100s, line %lu: missing end quote",
- SSH_USER_PERMITTED_KEYS, linenum);
- packet_send_debug("%.100s, line %lu: missing end quote",
- SSH_USER_PERMITTED_KEYS, linenum);
- continue;
- }
- s[i] = 0;
- packet_send_debug("Adding to environment: %.900s", s);
- debug("Adding to environment: %.900s", s);
- options++;
- new_envstring = xmalloc(sizeof(struct envstring));
- new_envstring->s = s;
- new_envstring->next = custom_environment;
- custom_environment = new_envstring;
- goto next_option;
- }
- cp = "from=\"";
- if (strncmp(options, cp, strlen(cp)) == 0)
- {
- char *patterns = xmalloc(strlen(options) + 1);
- int i;
- options += strlen(cp);
- i = 0;
- while (*options)
- {
- if (*options == '"')
- break;
- if (*options == '\\' && options[1] == '"')
- {
- options += 2;
- patterns[i++] = '"';
- continue;
+ /* Flag indicating whether the key is allowed. */
+ allowed = 0;
+
+ key = key_new(KEY_RSA1);
+
+ /*
+ * Go though the accepted keys, looking for the current key. If
+ * found, perform a challenge-response dialog to verify that the
+ * user really has the corresponding private key.
+ */
+ while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
+ char *cp;
+ char *key_options;
+ int keybits;
+
+ /* Skip leading whitespace, empty and comment lines. */
+ for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
+ ;
+ if (!*cp || *cp == '\n' || *cp == '#')
+ continue;
+
+ /*
+ * Check if there are options for this key, and if so,
+ * save their starting address and skip the option part
+ * for now. If there are no options, set the starting
+ * address to NULL.
+ */
+ if (*cp < '0' || *cp > '9') {
+ int quoted = 0;
+ key_options = cp;
+ for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) {
+ if (*cp == '\\' && cp[1] == '"')
+ cp++; /* Skip both */
+ else if (*cp == '"')
+ quoted = !quoted;