- provos@cvs.openbsd.org 2001/06/22 21:28:53
[sshd.8]
document /etc/moduli
+ - markus@cvs.openbsd.org 2001/06/22 21:55:49
+ [auth2.c auth-rsa.c pathnames.h ssh.1 sshd.8 sshd_config
+ ssh-keygen.1]
+ merge authorized_keys2 into authorized_keys.
+ authorized_keys2 is used for backward compat.
+ (just append authorized_keys2 to authorized_keys).
20010622
- (stevesk) handle systems without pw_expire and pw_change.
*/
#include "includes.h"
-RCSID("$OpenBSD: auth-rsa.c,v 1.41 2001/05/20 17:20:35 markus Exp $");
+RCSID("$OpenBSD: auth-rsa.c,v 1.42 2001/06/22 21:55:48 markus Exp $");
#include <openssl/rsa.h>
#include <openssl/md5.h>
/* Parse the key from the line. */
if (!auth_rsa_read_key(&cp, &bits, pk->e, pk->n)) {
- debug("%.100s, line %lu: bad key syntax",
- file, linenum);
- packet_send_debug("%.100s, line %lu: bad key syntax",
+ debug("%.100s, line %lu: non ssh1 key syntax",
file, linenum);
continue;
}
*/
#include "includes.h"
-RCSID("$OpenBSD: auth2.c,v 1.62 2001/06/07 19:57:53 markus Exp $");
+RCSID("$OpenBSD: auth2.c,v 1.63 2001/06/22 21:55:49 markus Exp $");
#include <openssl/evp.h>
/* return 1 if user allows given key */
int
-user_key_allowed(struct passwd *pw, Key *key)
+user_key_allowed2(struct passwd *pw, Key *key, char *file)
{
- char line[8192], *file;
+ char line[8192];
int found_key = 0;
FILE *f;
u_long linenum = 0;
/* Temporarily use the user's uid. */
temporarily_use_uid(pw);
- /* The authorized keys. */
- file = authorized_keys_file2(pw);
debug("trying public key file %s", file);
/* Fail quietly if file does not exist */
if (stat(file, &st) < 0) {
/* Restore the privileged uid. */
restore_uid();
- xfree(file);
return 0;
}
/* Open the file containing the authorized keys. */
if (!f) {
/* Restore the privileged uid. */
restore_uid();
- xfree(file);
return 0;
}
if (options.strict_modes &&
secure_filename(f, file, pw->pw_uid, line, sizeof(line)) != 0) {
- xfree(file);
fclose(f);
log("Authentication refused: %s", line);
restore_uid();
}
restore_uid();
fclose(f);
- xfree(file);
key_free(found);
if (!found_key)
debug2("key not found");
return found_key;
}
+/* check whether given key is in .ssh/authorized_keys* */
+int
+user_key_allowed(struct passwd *pw, Key *key)
+{
+ int success;
+ char *file;
+
+ file = authorized_keys_file(pw);
+ success = user_key_allowed2(pw, key, file);
+ xfree(file);
+ if (success)
+ return success;
+
+ /* try suffix "2" for backward compat, too */
+ file = authorized_keys_file2(pw);
+ success = user_key_allowed2(pw, key, file);
+ xfree(file);
+ return success;
+}
+
/* return 1 if given hostkey is allowed */
int
hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
-/* $OpenBSD: pathnames.h,v 1.7 2001/06/22 21:27:08 provos Exp $ */
+/* $OpenBSD: pathnames.h,v 1.8 2001/06/22 21:55:49 markus Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* running as root.)
*/
#define _PATH_SSH_USER_PERMITTED_KEYS ".ssh/authorized_keys"
+
+/* backward compat for protocol v2 */
#define _PATH_SSH_USER_PERMITTED_KEYS2 ".ssh/authorized_keys2"
/*
-.\" $OpenBSD: ssh-keygen.1,v 1.42 2001/06/03 19:36:44 markus Exp $
+.\" $OpenBSD: ssh-keygen.1,v 1.43 2001/06/22 21:55:49 markus Exp $
.\"
.\" -*- nroff -*-
.\"
.It Pa $HOME/.ssh/id_dsa.pub
Contains the protocol version 2 DSA public key for authentication.
The contents of this file should be added to
-.Pa $HOME/.ssh/authorized_keys2
+.Pa $HOME/.ssh/authorized_keys
on all machines
where you wish to log in using public key authentication.
There is no need to keep the contents of this file secret.
.It Pa $HOME/.ssh/id_rsa.pub
Contains the protocol version 2 RSA public key for authentication.
The contents of this file should be added to
-.Pa $HOME/.ssh/authorized_keys2
+.Pa $HOME/.ssh/authorized_keys
on all machines
where you wish to log in using public key authentication.
There is no need to keep the contents of this file secret.
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: ssh.1,v 1.114 2001/06/22 10:17:51 mpech Exp $
+.\" $OpenBSD: ssh.1,v 1.115 2001/06/22 21:55:49 markus Exp $
.Dd September 25, 1999
.Dt SSH 1
.Os
.Pa $HOME/.ssh/id_rsa ,
to sign the session identifier and sends the result to the server.
The server checks whether the matching public key is listed in
-.Pa $HOME/.ssh/authorized_keys2
+.Pa $HOME/.ssh/authorized_keys
and grants access if both the key is found and the signature is correct.
The session identifier is derived from a shared Diffie-Hellman value
and is only known to the client and the server.
and
.Pa $HOME/.ssh/id_rsa.pub
file should be added to
-.Pa $HOME/.ssh/authorized_keys2
+.Pa $HOME/.ssh/authorized_keys
on all machines
where you wish to log in using protocol version 2 DSA/RSA authentication.
These files are not
but the recommended permissions are read/write for the user, and not
accessible by others.
.It Pa $HOME/.ssh/authorized_keys
-Lists the RSA keys that can be used for logging in as this user.
+Lists the public keys (RSA/DSA) that can be used for logging in as this user.
The format of this file is described in the
.Xr sshd 8
manual page.
-In the simplest form the format is the same as the .pub
-identity files (that is, each line contains the number of bits in
-modulus, public exponent, modulus, and comment fields, separated by
-spaces).
-This file is not highly sensitive, but the recommended
-permissions are read/write for the user, and not accessible by others.
-.It Pa $HOME/.ssh/authorized_keys2
-Lists the public keys (RSA/DSA) that can be used for logging in as this user.
This file is not highly sensitive, but the recommended
permissions are read/write for the user, and not accessible by others.
.It Pa /etc/ssh_known_hosts, /etc/ssh_known_hosts2
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd.8,v 1.129 2001/06/22 21:28:53 provos Exp $
+.\" $OpenBSD: sshd.8,v 1.130 2001/06/22 21:55:50 markus Exp $
.Dd September 25, 1999
.Dt SSHD 8
.Os
directory.
The default is
.Dq .ssh/authorized_keys
-.It Cm AuthorizedKeysFile2
-Specifies the file that contains the public keys that can be used
-for public key authentication in protocol version 2.
-.Cm AuthorizedKeysFile2
-may contain tokens of the form %T which are substituted during connection
-set-up. The following tokens are defined; %% is replaces by a literal '%',
-%h is replaced by the home directory of the user being authenticated and
-%u is replaced by the username of that user.
-After expansion,
-.Cm AuthorizedKeysFile2
-is taken to be an absolute path or one relative to the user's home
-directory.
-The default is
-.Dq .ssh/authorized_keys2
.It Cm Banner
In some jurisdictions, sending a warning message before authentication
may be relevant for getting legal protection.
.El
.Sh AUTHORIZED_KEYS FILE FORMAT
.Pa $HOME/.ssh/authorized_keys
-is the default file that lists the RSA keys that are
-permitted for RSA authentication in protocol version 1.
-.Cm AuthorizedKeysFile
-may be used to specify an alternative file.
-Similarly,
-.Pa $HOME/.ssh/authorized_keys2
-is the default file that lists the DSA and RSA keys that are
-permitted for public key authentication (PubkeyAuthentication)
+is the default file that lists the public keys that are
+permitted for RSA authentication in protocol version 1
+and for public key authentication (PubkeyAuthentication)
in protocol version 2.
-.Cm AuthorizedKeysFile2
+.Cm AuthorizedKeysFile
may be used to specify an alternative file.
.Pp
Each line of the file contains one
started last).
The content of this file is not sensitive; it can be world-readable.
.It Pa $HOME/.ssh/authorized_keys
-Lists the RSA keys that can be used to log into the user's account.
-This file must be readable by root (which may on some machines imply
-it being world-readable if the user's home directory resides on an NFS
-volume).
-It is recommended that it not be accessible by others.
-The format of this file is described above.
-Users will place the contents of their
-.Pa identity.pub
-files into this file, as described in
-.Xr ssh-keygen 1 .
-.It Pa $HOME/.ssh/authorized_keys2
Lists the public keys (RSA or DSA) that can be used to log into the user's account.
This file must be readable by root (which may on some machines imply
it being world-readable if the user's home directory resides on an NFS
It is recommended that it not be accessible by others.
The format of this file is described above.
Users will place the contents of their
+.Pa identity.pub ,
.Pa id_dsa.pub
and/or
.Pa id_rsa.pub
-# $OpenBSD: sshd_config,v 1.40 2001/05/31 13:08:04 markus Exp $
+# $OpenBSD: sshd_config,v 1.41 2001/06/22 21:55:50 markus Exp $
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
-#AuthorizedKeysFile2 %h/.ssh/authorized_keys2
# rhosts authentication should not be used
RhostsAuthentication no