Bugzilla – Attachment 1855 Details for
Bug 1776
Hostbased authentication with certificates
[patch]
Add certificate support for hostbased authentication
hostbased-with-certificates.diff (text/plain), 6.74 KB, created by
Iain Morgan
on 2010-06-05 03:41:57 AEST
Description:
Add certificate support for hostbased authentication
Filename:
MIME Type:
Creator:
Iain Morgan
Created:
2010-06-05 03:41:57 AEST
Size:
6.74 KB
patch
obsolete
>Index: auth.c
>===================================================================
>RCS file: /cvs/openssh/auth.c,v
>retrieving revision 1.141
>diff -u -b -r1.141 auth.c
>--- auth.c 10 May 2010 01:58:03 -0000 1.141
>+++ auth.c 4 Jun 2010 16:54:12 -0000
>@@ -385,7 +385,7 @@
> HostStatus host_status;
>
> /* Check if we know the host and its host key. */
>- found = key_new(key->type);
>+ found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);
> host_status = check_host_in_hostfile(sysfile, host, key, found, NULL);
>
> if (host_status != HOST_OK && userfile != NULL) {
>Index: auth2-hostbased.c
>===================================================================
>RCS file: /cvs/openssh/auth2-hostbased.c,v
>retrieving revision 1.13
>diff -u -b -r1.13 auth2-hostbased.c
>--- auth2-hostbased.c 4 Mar 2010 10:53:35 -0000 1.13
>+++ auth2-hostbased.c 4 Jun 2010 16:54:13 -0000
>@@ -141,7 +141,7 @@
> hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
> Key *key)
> {
>- const char *resolvedname, *ipaddr, *lookup;
>+ const char *resolvedname, *ipaddr, *lookup, *reason;
> HostStatus host_status;
> int len;
>
>@@ -174,6 +174,13 @@
> }
> debug2("userauth_hostbased: access allowed by auth_rhosts2");
>
>+ if (key_is_cert(key) &&
>+ key_cert_check_authority(key, 1, 0, lookup, &reason)) {
>+ error("%s", reason);
>+ auth_debug_add("%s", reason);
>+ return 0;
>+ }
>+
> host_status = check_key_in_hostfiles(pw, key, lookup,
> _PATH_SSH_SYSTEM_HOSTFILE,
> options.ignore_user_known_hosts ? NULL : _PATH_SSH_USER_HOSTFILE);
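Review bot: The new `found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);` gives no hint why a certificate's `found` key is typed KEY_UNSPEC, and a reader of auth.c alone will not guess it. Presumably the known_hosts entry that vouches for a certificate is a CA key whose type need not match the certificate's own key type, so the lookup must accept any type; a one-line comment such as `/* a certificate is matched against its CA key, whose type may differ from the cert's */` above the call would record that. The enclosing function starts and ends outside this hunk, so I cannot see where `found` is released.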
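Review bot: The new `key_cert_check_authority(key, 1, 0, lookup, &reason)` passes 0 as the third argument, which in the key.c signature of this era is require_principal; as I read it, a host certificate with an empty principal list then passes this check for any `lookup` name, and only the CA match performed by `check_key_in_hostfiles` below still ties it to a host. If that is intended, say so at the call site, e.g. `/* empty principal list = valid for any host; the known_hosts CA match below is still required */`; if not, pass 1. Separately, `reason` is written only inside this check and stays uninitialized on every other path, which is harmless now but fragile if a later change logs it unconditionally. hostbased_key_allowed begins in the previous hunk and continues past this one.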
>@@ -184,6 +191,11 @@
> _PATH_SSH_SYSTEM_HOSTFILE2,
> options.ignore_user_known_hosts ? NULL :
> _PATH_SSH_USER_HOSTFILE2);
>+
>+ if (key_is_cert(key) && host_status == HOST_OK)
>+ verbose("Accepted %s certificate, ID \"%s\", "
>+ "from %s, client user %s", key_cert_type(key),
>+ key->cert->key_id, lookup, cuser);
>
> return (host_status == HOST_OK);
> }
>Index: authfile.c
>===================================================================
>RCS file: /cvs/openssh/authfile.c,v
>retrieving revision 1.82
>diff -u -b -r1.82 authfile.c
>--- authfile.c 4 Mar 2010 10:53:35 -0000 1.82
>+++ authfile.c 4 Jun 2010 16:54:13 -0000
>@@ -693,6 +693,64 @@
> return NULL;
> }
>
>+/* Load the certificate associated with the named private key */
>+Key *
>+key_load_cert(const char *filename)
>+{
>+ Key *pub;
>+ char file[MAXPATHLEN];
>+
>+ pub = key_new(KEY_UNSPEC);
>+ if ((strlcpy(file, filename, sizeof file) < sizeof(file)) &&
>+ (strlcat(file, "-cert.pub", sizeof file) < sizeof(file)) &&
>+ (key_try_load_public(pub, file, NULL) == 1))
>+ return pub;
>+ key_free(pub);
>+ return NULL;
>+}
>+
>+/* Load private key and certificate */
>+Key *
>+key_load_private_cert(int type, const char *filename, const char *passphrase,
>+ int *perm_ok)
>+{
>+ Key *key, *pub;
>+
>+ switch (type) {
>+ case KEY_RSA:
>+ case KEY_DSA:
>+ break;
>+ default:
>+ error("%s: unsupported key type", __func__);
>+ return NULL;
>+ }
>+
>+ if ((key = key_load_private_type(type, filename,
>+ passphrase, NULL, perm_ok)) == NULL)
>+ return NULL;
>+
>+ if ((pub = key_load_cert(filename)) == NULL) {
>+ key_free(key);
>+ return NULL;
>+ }
>+
>+ /* Make sure the private key matches the certificate */
>+ if (key_equal_public(key, pub) == 0) {
>+ error("%s: certificate does not match private key %s",
>+ __func__, filename);
>+ } else if (key_to_certified(key, key_cert_is_legacy(pub)) != 0) {
>+ error("%s: key_to_certified failed", __func__);
>+ } else {
>+ key_cert_copy(pub, key);
>+ key_free(pub);
>+ return key;
>+ }
>+
>+ key_free(key);
>+ key_free(pub);
>+ return NULL;
>+}
>+
> /*
> * Returns 1 if the specified "key" is listed in the file "filename",
> * 0 if the key is not listed or -1 on error.
>Index: authfile.h
>===================================================================
>RCS file: /cvs/openssh/authfile.h,v
>retrieving revision 1.12
>diff -u -b -r1.12 authfile.h
>--- authfile.h 4 Mar 2010 10:53:35 -0000 1.12
>+++ authfile.h 4 Jun 2010 16:54:13 -0000
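Review bot: `key_load_cert` returns whatever `key_try_load_public` manages to parse into the KEY_UNSPEC key, so a `<keyfile>-cert.pub` that actually holds a plain public key (a file saved under the wrong name) is handed back as if it were a certificate. `key_load_private_cert` then passes it to `key_cert_is_legacy` and `key_cert_copy` without ever confirming that it carries certificate data, and the `key_equal_public` check does not catch this because a plain copy of the same public key matches. Adding `key_is_cert(pub)` to the condition guarding `return pub;` — or checking it in `key_load_private_cert` and reporting it with `error()` like the mismatch case — makes the behaviour match the function's name and comment. Minor style point: `sizeof file` and `sizeof(file)` are mixed within a single expression.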
>@@ -16,9 +16,11 @@
> #define AUTHFILE_H
>
> int key_save_private(Key *, const char *, const char *, const char *);
>+Key *key_load_cert(const char *);
> Key *key_load_public(const char *, char **);
> Key *key_load_public_type(int, const char *, char **);
> Key *key_load_private(const char *, const char *, char **);
>+Key *key_load_private_cert(int, const char *, const char *, int *);
> Key *key_load_private_type(int, const char *, const char *, char **, int *);
> Key *key_load_private_pem(int, int, const char *, char **);
> int key_perm_ok(int, const char *);
>Index: ssh-keysign.c
>===================================================================
>RCS file: /cvs/openssh/ssh-keysign.c,v
>retrieving revision 1.38
>diff -u -b -r1.38 ssh-keysign.c
>--- ssh-keysign.c 13 Jan 2010 11:43:34 -0000 1.38
>+++ ssh-keysign.c 4 Jun 2010 16:54:13 -0000
>@@ -232,7 +232,7 @@
> found = 0;
> for (i = 0; i < 2; i++) {
> if (keys[i] != NULL &&
>- key_equal(key, keys[i])) {
>+ key_equal_public(key, keys[i])) {
> found = 1;
> break;
> }
>Index: ssh.c
>===================================================================
>RCS file: /cvs/openssh/ssh.c,v
>retrieving revision 1.330
>diff -u -b -r1.330 ssh.c
>--- ssh.c 21 May 2010 04:57:35 -0000 1.330
>+++ ssh.c 4 Jun 2010 16:54:13 -0000
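Review bot: Switching `key_equal` to `key_equal_public` in ssh-keysign.c is what lets a certificate blob presented by ssh match the plain private host key held in `keys[i]` (loaded outside this hunk), but nothing in the file records that `key` may now be a certificate and that its certificate fields deliberately play no part in the match. A comment above the comparison, `/* key may be a certificate; match on the underlying public key only */`, would stop a later reader from "tightening" it back to `key_equal`. As I read it, the certificate itself is only validated on the server side (auth2-hostbased.c in this same patch), which is worth stating in the description since ssh-keysign runs with elevated privilege.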
>@@ -763,26 +763,34 @@
> sensitive_data.external_keysign = 0;
> if (options.rhosts_rsa_authentication ||
> options.hostbased_authentication) {
>- sensitive_data.nkeys = 3;
>+ sensitive_data.nkeys = 5;
> sensitive_data.keys = xcalloc(sensitive_data.nkeys,
> sizeof(Key));
>
> PRIV_START;
> sensitive_data.keys[0] = key_load_private_type(KEY_RSA1,
> _PATH_HOST_KEY_FILE, "", NULL, NULL);
>- sensitive_data.keys[1] = key_load_private_type(KEY_DSA,
>+ sensitive_data.keys[1] = key_load_private_cert(KEY_DSA,
>+ _PATH_HOST_DSA_KEY_FILE, "", NULL);
>+ sensitive_data.keys[2] = key_load_private_cert(KEY_RSA,
>+ _PATH_HOST_RSA_KEY_FILE, "", NULL);
>+ sensitive_data.keys[3] = key_load_private_type(KEY_DSA,
> _PATH_HOST_DSA_KEY_FILE, "", NULL, NULL);
>- sensitive_data.keys[2] = key_load_private_type(KEY_RSA,
>+ sensitive_data.keys[4] = key_load_private_type(KEY_RSA,
> _PATH_HOST_RSA_KEY_FILE, "", NULL, NULL);
> PRIV_END;
>
> if (options.hostbased_authentication == 1 &&
> sensitive_data.keys[0] == NULL &&
>- sensitive_data.keys[1] == NULL &&
>- sensitive_data.keys[2] == NULL) {
>- sensitive_data.keys[1] = key_load_public(
>+ sensitive_data.keys[3] == NULL &&
>+ sensitive_data.keys[4] == NULL) {
>+ sensitive_data.keys[1] = key_load_cert(
>+ _PATH_HOST_DSA_KEY_FILE);
>+ sensitive_data.keys[2] = key_load_cert(
>+ _PATH_HOST_RSA_KEY_FILE);
>+ sensitive_data.keys[3] = key_load_public(
> _PATH_HOST_DSA_KEY_FILE, NULL);
>- sensitive_data.keys[2] = key_load_public(
>+ sensitive_data.keys[4] = key_load_public(
> _PATH_HOST_RSA_KEY_FILE, NULL);
> sensitive_data.external_keysign = 1;
> }
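Review bot: The layout of the five `sensitive_data.keys` slots is now implied only by the load calls and by the bare index literals in the `== NULL` test, and nothing says that slots 1–2 are the DSA/RSA host certificates (normally NULL when no `-cert.pub` exists) and 3–4 the plain host keys; whatever walks `keys[0..nkeys)` elsewhere in ssh.c is outside this hunk, so I cannot tell whether it copes with NULL certificate slots. A comment after `sensitive_data.nkeys = 5;` such as `/* [0] RSA1 key; [1]/[2] DSA/RSA host certificates, NULL if absent; [3]/[4] plain DSA/RSA host keys */` would make the layout explicit, and named indices would be better still. Note also that each private host key file is now read and parsed twice under PRIV_START (once via `key_load_private_cert`, once via `key_load_private_type`), so a failure to read it will presumably be reported twice.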