Bugzilla – Attachment 48 Details for
Bug 172
Add multiple AuthorizedKeyFiles options
[patch]
Multiple AuthorizedKeyFile patch
20020318.diff (text/plain), 8.12 KB, created by
Alex Kiernan
on 2002-03-18 18:47:19 AEDT
Description:
Multiple AuthorizedKeyFile patch
Filename:
MIME Type:
Creator:
Alex Kiernan
Created:
2002-03-18 18:47:19 AEDT
Size:
8.12 KB
patch
obsolete
>Index: auth-rsa.c
>===================================================================
>RCS file: /cvs/openssh/auth-rsa.c,v
>retrieving revision 1.41
>diff -u -r1.41 auth-rsa.c
>--- auth-rsa.c 22 Jan 2002 12:16:33 -0000 1.41
>+++ auth-rsa.c 18 Mar 2002 07:37:08 -0000
>@@ -52,6 +52,8 @@
> * description of the options.
> */
>
>+static int auth_rsa_file(struct passwd *pw, BIGNUM *client_n, char *file);
>+
> /*
> * Performs the RSA authentication challenge-response dialog with the client,
> * and returns true (non-zero) if the client gave the correct answer to
>@@ -126,7 +128,31 @@
> int
> auth_rsa(struct passwd *pw, BIGNUM *client_n)
> {
>- char line[8192], *file;
>+ char *file;
>+ int authorized = 0;
>+ int authfileno = 0;
>+
>+ /* no user given */
>+ if (pw == NULL)
>+ return 0;
>+
>+ /* Iterate over all authorized keys files. */
>+ while ((file = authorized_keys_file(pw, authfileno++)) != NULL) {
>+ debug("trying public RSA key file %s", file);
>+ authorized = auth_rsa_file(pw, client_n, file);
>+ xfree(file);
>+ if (authorized == 1) {
>+ return 1;
>+ }
>+ }
>+ return 0;
>+}
>+
>+/* Do the hard work in authenticating the client */
>+int
>+auth_rsa_file(struct passwd *pw, BIGNUM *client_n, char *file)
>+{
>+ char line[8192];
> int authenticated;
> u_int bits;
> FILE *f;
>@@ -142,15 +168,10 @@
> /* Temporarily use the user's uid. */
> temporarily_use_uid(pw);
>
>- /* The authorized keys. */
>- file = authorized_keys_file(pw);
>- debug("trying public RSA key file %s", file);
>-
> /* Fail quietly if file does not exist */
> if (stat(file, &st) < 0) {
> /* Restore the privileged uid. */
> restore_uid();
>- xfree(file);
> return 0;
> }
> /* Open the file containing the authorized keys. */
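Review bot: The prototype added at +55 declares auth_rsa_file `static`, but the definition added in the next hunk reads `int auth_rsa_file(struct passwd *pw, BIGNUM *client_n, char *file)` without the keyword. C gives the definition internal linkage from the earlier declaration, so it compiles, but the mismatch is easy to misread and some compilers warn about it. Write `static int` on the definition as well so both agree.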
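Review bot: auth_rsa_file now borrows `file` — auth_rsa calls `xfree(file)` right after it returns, and the later hunks delete the in-function `xfree(file)` on every exit path — but the new header comment `/* Do the hard work in authenticating the client */` does not record that ownership, which is exactly what a future reader touching the early-return paths needs to know. Suggest `/* Check client_n against the keys in file (owned by the caller); returns 1 if authenticated, 0 otherwise. */`. Nothing visible in the hunks writes through `file`, and `secure_filename()` already takes `const char *`, so the parameter could be `const char *file` in both prototype and definition. The body of auth_rsa_file continues past this hunk.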
>@@ -160,12 +181,10 @@
> restore_uid();
> packet_send_debug("Could not open %.900s for reading.", file);
> packet_send_debug("If your home is on an NFS volume, it may need to be world-readable.");
>- xfree(file);
> return 0;
> }
> if (options.strict_modes &&
> secure_filename(f, file, pw, line, sizeof(line)) != 0) {
>- xfree(file);
> fclose(f);
> log("Authentication refused: %s", line);
> packet_send_debug("Authentication refused: %s", line);
>@@ -262,7 +281,6 @@
> fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
> verbose("Found matching %s key: %s",
> key_type(key), fp);
>- xfree(fp);
>
> break;
> }
>@@ -271,7 +289,6 @@
> restore_uid();
>
> /* Close the file. */
>- xfree(file);
> fclose(f);
>
> key_free(key);
>Index: auth.c
>===================================================================
>RCS file: /cvs/openssh/auth.c,v
>retrieving revision 1.45
>diff -u -r1.45 auth.c
>--- auth.c 5 Mar 2002 01:42:43 -0000 1.45
>+++ auth.c 18 Mar 2002 07:37:08 -0000
>@@ -315,15 +315,11 @@
> }
>
> char *
>-authorized_keys_file(struct passwd *pw)
>+authorized_keys_file(struct passwd *pw, int n)
> {
>- return expand_filename(options.authorized_keys_file, pw);
>-}
>-
>-char *
>-authorized_keys_file2(struct passwd *pw)
>-{
>- return expand_filename(options.authorized_keys_file2, pw);
>+ if (n >= options.num_authorized_keys_files)
>+ return NULL;
>+ return expand_filename(options.authorized_keys_files[n], pw);
> }
>
> /* return ok if key exists in sysfile or userfile */
>Index: auth.h
>===================================================================
>RCS file: /cvs/openssh/auth.h,v
>retrieving revision 1.32
>diff -u -r1.32 auth.h
>--- auth.h 13 Mar 2002 02:19:42 -0000 1.32
>+++ auth.h 18 Mar 2002 07:37:08 -0000
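Review bot: The `@@ -262,7 +281,6 @@` hunk deletes `xfree(fp);` after the `verbose("Found matching %s key: %s", ...)` call, and nothing elsewhere in the diff frees the fingerprint instead; `fp` is the string returned by `key_fingerprint()`, which is heap-allocated, so every matching RSA key now leaks it in the authenticating process. Unless `fp` is released somewhere outside the hunk, this looks like an over-eager deletion made alongside the `xfree(file)` removals, and the line should simply be restored: `xfree(fp);`. The enclosing auth_rsa_file body starts and ends outside this hunk.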
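Review bot: The new `authorized_keys_file(struct passwd *pw, int n)` bounds-checks only the upper end, so a negative `n` would index before `options.authorized_keys_files`; the visible callers start at 0 and post-increment, but the function is exported through auth.h and the guard is one token, `if (n < 0 || n >= options.num_authorized_keys_files)`. A short comment on the contract would also help callers, e.g. `/* Return the expanded n-th AuthorizedKeysFile (caller frees), or NULL past the end of the list. */`.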
>@@ -140,8 +140,7 @@
> struct passwd * auth_get_user(void);
>
> char *expand_filename(const char *, struct passwd *);
>-char *authorized_keys_file(struct passwd *);
>-char *authorized_keys_file2(struct passwd *);
>+char *authorized_keys_file(struct passwd *, int n);
>
> int
> secure_filename(FILE *, const char *, struct passwd *, char *, size_t);
>Index: auth2.c
>===================================================================
>RCS file: /cvs/openssh/auth2.c,v
>retrieving revision 1.93
>diff -u -r1.93 auth2.c
>--- auth2.c 13 Mar 2002 02:19:42 -0000 1.93
>+++ auth2.c 18 Mar 2002 07:37:08 -0000
>@@ -735,18 +735,16 @@
> {
> int success;
> char *file;
>+ int authfileno = 0;
>
>- file = authorized_keys_file(pw);
>- success = user_key_allowed2(pw, key, file);
>- xfree(file);
>- if (success)
>- return success;
>-
>- /* try suffix "2" for backward compat, too */
>- file = authorized_keys_file2(pw);
>- success = user_key_allowed2(pw, key, file);
>- xfree(file);
>- return success;
>+ /* Iterate over all authorized_keys_files */
>+ while ((file = authorized_keys_file(pw, authfileno++) ) != NULL) {
>+ success = user_key_allowed2(pw, key, file);
>+ xfree(file);
>+ if (success)
>+ return success;
>+ }
>+ return 0;
> }
>
> /* return 1 if given hostkey is allowed */
>Index: servconf.c
>===================================================================
>RCS file: /cvs/openssh/servconf.c,v
>retrieving revision 1.79
>diff -u -r1.79 servconf.c
>--- servconf.c 13 Mar 2002 02:19:43 -0000 1.79
>+++ servconf.c 18 Mar 2002 07:37:09 -0000
>@@ -108,8 +108,7 @@
> options->verify_reverse_mapping = -1;
> options->client_alive_interval = -1;
> options->client_alive_count_max = -1;
>- options->authorized_keys_file = NULL;
>- options->authorized_keys_file2 = NULL;
>+ options->num_authorized_keys_files = 0;
> }
>
> void
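Review bot: The new prototype names its second parameter, `char *authorized_keys_file(struct passwd *, int n);`, while the neighbouring prototypes in this header leave parameters unnamed (`char *expand_filename(const char *, struct passwd *);`, `secure_filename(FILE *, const char *, ...)`). Follow the file's convention and write `char *authorized_keys_file(struct passwd *, int);`, or name both parameters rather than one.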
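Review bot: The auth2.c loop condition carries a stray space before its closing parenthesis, `authorized_keys_file(pw, authfileno++) )`, and should read `authorized_keys_file(pw, authfileno++))` as the matching loop in auth-rsa.c does. Unlike that loop, this one also logs nothing about which file is being consulted, so a rejected public key cannot be traced to a particular configured file from the debug output; add `debug("trying public key file %s", file);` as the first statement of the loop body for parity. The signature of the enclosing user_key_allowed is outside the hunk.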
>@@ -226,15 +225,11 @@
> options->client_alive_interval = 0;
> if (options->client_alive_count_max == -1)
> options->client_alive_count_max = 3;
>- if (options->authorized_keys_file2 == NULL) {
>- /* authorized_keys_file2 falls back to authorized_keys_file */
>- if (options->authorized_keys_file != NULL)
>- options->authorized_keys_file2 = options->authorized_keys_file;
>- else
>- options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
>- }
>- if (options->authorized_keys_file == NULL)
>- options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
>+ if (options->num_authorized_keys_files == 0) {
>+ /* fill default authorized keys files */
>+ options->authorized_keys_files[options->num_authorized_keys_files++] = _PATH_SSH_USER_PERMITTED_KEYS;
>+ options->authorized_keys_files[options->num_authorized_keys_files++] = _PATH_SSH_USER_PERMITTED_KEYS2;
>+ }
> }
>
> /* Keyword tokens. */
>@@ -266,8 +261,8 @@
> sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
> sBanner, sVerifyReverseMapping, sHostbasedAuthentication,
> sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
>- sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
>- sDeprecated
>+ sClientAliveCountMax, sAuthorizedKeysFile,
>+ sDeprecated
> } ServerOpCodes;
>
> /* Textual representation of the tokens. */
>@@ -341,7 +336,7 @@
> { "clientaliveinterval", sClientAliveInterval },
> { "clientalivecountmax", sClientAliveCountMax },
> { "authorizedkeysfile", sAuthorizedKeysFile },
>- { "authorizedkeysfile2", sAuthorizedKeysFile2 },
>+ { "authorizedkeysfile2", sAuthorizedKeysFile },
> { NULL, sBadOption }
> };
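Review bot: The defaults are now filled only when `num_authorized_keys_files == 0`, and the keyword-table hunk (`@@ -341,7 +336,7 @@`) maps `authorizedkeysfile2` onto the same list, so an existing sshd_config that sets only AuthorizedKeysFile2 — which the removed code checked alongside the `_PATH_SSH_USER_PERMITTED_KEYS` default — will after this change consult only the named file. That is a defensible simplification, but it silently changes which keys grant access on upgrade, so the comment should state it, e.g. `/* No AuthorizedKeysFile/AuthorizedKeysFile2 given: use both defaults. Any explicit line replaces both. */`, and the man page entry for AuthorizedKeysFile2 should say it is now an alias. The two assignment lines also run well past the file's column width; a local index or a short loop over a static default table would keep them readable.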
>
>@@ -843,10 +838,13 @@
> * AuthorizedKeysFile /etc/ssh_keys/%u
> */
> case sAuthorizedKeysFile:
>- case sAuthorizedKeysFile2:
>- charptr = (opcode == sAuthorizedKeysFile ) ?
>- &options->authorized_keys_file :
>- &options->authorized_keys_file2;
>+ intptr = &options->num_authorized_keys_files;
>+ if (*intptr >= MAX_AUTHKEYFILES)
>+ fatal("%s line %d: too many authorized keys "
>+ "files specified (max %d).",
>+ filename, linenum, MAX_AUTHKEYFILES);
>+
>+ charptr = &options->authorized_keys_files[*intptr];
> goto parse_filename;
>
> case sClientAliveInterval:
>Index: servconf.h
>===================================================================
>RCS file: /cvs/openssh/servconf.h,v
>retrieving revision 1.45
>diff -u -r1.45 servconf.h
>--- servconf.h 5 Mar 2002 01:53:05 -0000 1.45
>+++ servconf.h 18 Mar 2002 07:37:09 -0000
>@@ -24,6 +24,7 @@
> #define MAX_DENY_GROUPS 256 /* Max # groups on deny list. */
> #define MAX_SUBSYSTEMS 256 /* Max # subsystems. */
> #define MAX_HOSTKEYS 256 /* Max # hostkeys. */
>+#define MAX_AUTHKEYFILES 256 /* Max # authorized_keys statements */
>
> /* permit_root_login */
> #define PERMIT_NOT_SET -1
>@@ -127,8 +128,9 @@
> * disconnect the session
> */
>
>- char *authorized_keys_file; /* File containing public keys */
>- char *authorized_keys_file2;
>+ char *authorized_keys_files[MAX_AUTHKEYFILES]; /* Files containing
>+ * public keys */
>+ int num_authorized_keys_files;
> int pam_authentication_via_kbd_int;
>
> } ServerOptions;
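Review bot: The `sAuthorizedKeysFile` case points `charptr` at slot `*intptr` but never advances the count itself; it depends on the shared code at `parse_filename` (outside the hunk) incrementing `*intptr` after storing the name, presumably the same way the HostKey list is collected. If that label does not increment, every AuthorizedKeysFile line overwrites slot 0 and the `MAX_AUTHKEYFILES` guard above it can never fire, so the dependency deserves a comment on the `intptr =` line, e.g. `/* parse_filename stores into authorized_keys_files[*intptr] and bumps the count */`. The bounds check being placed before the index is computed is the right order; keep it that way if the case is later reshuffled.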