Attachment 1526 Details for Bug 1348 – Update patch, without secure_filename relocation, update to -current.

[patch] Update patch, without secure_filename relocation, update to -current.

openbsd-sshd-authorized_keys_dedupe.patch (text/plain), 4.80 KB, created by Darren Tucker on 2008-06-15 05:02:15 AEST

(hide)

Description:

Filename:

MIME Type:

Creator: Darren Tucker

Created: 2008-06-15 05:02:15 AEST

Size: 4.80 KB

patch

obsolete

>Index: auth-rsa.c
>===================================================================
>RCS file: /cvs/src/usr.bin/ssh/auth-rsa.c,v
>retrieving revision 1.72
>diff -u -p -r1.72 auth-rsa.c
>--- auth-rsa.c	6 Nov 2006 21:25:27 -0000	1.72
>+++ auth-rsa.c	14 Jun 2008 05:54:30 -0000
>@@ -170,7 +170,6 @@ auth_rsa_key_allowed(struct passwd *pw, 
> 	u_int bits;
> 	FILE *f;
> 	u_long linenum = 0;
>-	struct stat st;
> 	Key *key;
> 
> 	/* Temporarily use the user's uid. */
>@@ -179,27 +178,9 @@ auth_rsa_key_allowed(struct passwd *pw, 
> 	/* The authorized keys. */
> 	file = authorized_keys_file(pw);
> 	debug("trying public RSA key file %s", file);
>-
>-	/* Fail quietly if file does not exist */
>-	if (stat(file, &st) < 0) {
>-		/* Restore the privileged uid. */
>-		restore_uid();
>-		xfree(file);
>-		return (0);
>-	}
>-	/* Open the file containing the authorized keys. */
>-	f = fopen(file, "r");
>+	f = auth_openkeyfile(file, pw, options.strict_modes);
> 	if (!f) {
>-		/* Restore the privileged uid. */
>-		restore_uid();
>-		xfree(file);
>-		return (0);
>-	}
>-	if (options.strict_modes &&
>-	    secure_filename(f, file, pw, line, sizeof(line)) != 0) {
> 		xfree(file);
>-		fclose(f);
>-		logit("Authentication refused: %s", line);
> 		restore_uid();
> 		return (0);
> 	}
>Index: auth.c
>===================================================================
>RCS file: /cvs/src/usr.bin/ssh/auth.c,v
>retrieving revision 1.78
>diff -u -p -r1.78 auth.c
>--- auth.c	21 Sep 2007 08:15:29 -0000	1.78
>+++ auth.c	14 Jun 2008 05:53:27 -0000
>@@ -28,6 +28,7 @@
> #include <sys/param.h>
> 
> #include <errno.h>
>+#include <fcntl.h>
> #include <libgen.h>
> #include <login_cap.h>
> #include <paths.h>
>@@ -319,7 +320,7 @@ check_key_in_hostfiles(struct passwd *pw
>  *
>  * Returns 0 on success and -1 on failure
>  */
>-int
>+static int
> secure_filename(FILE *f, const char *file, struct passwd *pw,
>     char *err, size_t errlen)
> {
>@@ -377,6 +378,46 @@ secure_filename(FILE *f, const char *fil
> 			break;
> 	}
> 	return 0;
>+}
>+
>+FILE *
>+auth_openkeyfile(const char *file, struct passwd *pw, int strict_modes)
>+{
>+	char line[1024];
>+	struct stat st;
>+	int fd;
>+	FILE *f;
>+
>+	/*
>+	 * Open the file containing the authorized keys
>+	 * Fail quietly if file does not exist
>+	 */
>+	if ((fd = open(file, O_RDONLY|O_NONBLOCK)) == -1)
>+		return NULL;
>+
>+	if (fstat(fd, &st) < 0) {
>+		close(fd);
>+		return NULL;
>+	}
>+	if (!S_ISREG(st.st_mode)) {
>+		logit("User %s authorized keys %s is not a regular file",
>+		    pw->pw_name, file);
>+		close(fd);
>+		return NULL;
>+	}
>+	unset_nonblock(fd);
>+	if ((f = fdopen(fd, "r")) == NULL) {
>+		close(fd);
>+		return NULL;
>+	}
>+	if (options.strict_modes &&
>+	    secure_filename(f, file, pw, line, sizeof(line)) != 0) {
>+		fclose(f);
>+		logit("Authentication refused: %s", line);
>+		return NULL;
>+	}
>+
>+	return f;
> }
> 
> struct passwd *
>Index: auth.h
>===================================================================
>RCS file: /cvs/src/usr.bin/ssh/auth.h,v
>retrieving revision 1.60
>diff -u -p -r1.60 auth.h
>--- auth.h	21 Sep 2007 08:15:29 -0000	1.60
>+++ auth.h	14 Jun 2008 05:53:43 -0000
>@@ -143,8 +143,7 @@ int	verify_response(Authctxt *, const ch
> char	*authorized_keys_file(struct passwd *);
> char	*authorized_keys_file2(struct passwd *);
> 
>-int
>-secure_filename(FILE *, const char *, struct passwd *, char *, size_t);
>+FILE	*auth_openkeyfile(const char *, struct passwd *, int);
> 
> HostStatus
> check_key_in_hostfiles(struct passwd *, Key *, const char *,
>Index: auth2-pubkey.c
>===================================================================
>RCS file: /cvs/src/usr.bin/ssh/auth2-pubkey.c,v
>retrieving revision 1.17
>diff -u -p -r1.17 auth2-pubkey.c
>--- auth2-pubkey.c	13 Jun 2008 14:18:51 -0000	1.17
>+++ auth2-pubkey.c	14 Jun 2008 05:53:59 -0000
>@@ -177,10 +177,9 @@ static int
> user_key_allowed2(struct passwd *pw, Key *key, char *file)
> {
> 	char line[SSH_MAX_PUBKEY_BYTES];
>-	int found_key = 0, fd;
>+	int found_key = 0;
> 	FILE *f;
> 	u_long linenum = 0;
>-	struct stat st;
> 	Key *found;
> 	char *fp;
> 
>@@ -188,37 +187,10 @@ user_key_allowed2(struct passwd *pw, Key
> 	temporarily_use_uid(pw);
> 
> 	debug("trying public key file %s", file);
>+	f = auth_openkeyfile(file, pw, options.strict_modes);
> 
>-	/*
>-	 * Open the file containing the authorized keys
>-	 * Fail quietly if file does not exist
>-	 */
>-	if ((fd = open(file, O_RDONLY|O_NONBLOCK)) == -1) {
>-		restore_uid();
>-		return 0;
>-	}
>-	if (fstat(fd, &st) < 0) {
>-		close(fd);
>-		restore_uid();
>-		return 0;
>-	}
>-	if (!S_ISREG(st.st_mode)) {
>-		logit("User %s authorized keys %s is not a regular file",
>-		    pw->pw_name, file);
>-		close(fd);
>-		restore_uid();
>-		return 0;
>-	}
>-	unset_nonblock(fd);
>-	if ((f = fdopen(fd, "r")) == NULL) {
>-		close(fd);
>-		restore_uid();
>-		return 0;
>-	}
>-	if (options.strict_modes &&
>-	    secure_filename(f, file, pw, line, sizeof(line)) != 0) {
>-		fclose(f);
>-		logit("Authentication refused: %s", line);
>+	if (!f) {
>+		xfree(file);
> 		restore_uid();
> 		return 0;
> 	}

Actions: View | Diff

Attachments on bug 1348: 1334 | 1526