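--- a/auth-rsa.c
+++ b/auth-rsa.c
@@ -48,9 +48,8 @@ extern u_char session_id[16];
  * following format:
  *   options bits e n comment
  * where bits, e and n are decimal numbers,
- * and comment is any string of characters up to newline.  The maximum
- * length of a line is 8000 characters.  See the documentation for a
- * description of the options.
+ * and comment is any string of characters up to newline.
+ * See the documentation for a description of the options.
  */
 
 BIGNUM *
@@ -152,7 +151,7 @@ auth_rsa_challenge_dialog(Key *key)
 int
 auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey)
 {
-	char line[8192], *file;
+	char *line, *file, err[2048];
 	int allowed = 0;
 	u_int bits;
 	FILE *f;
@@ -183,10 +182,10 @@ auth_rsa_key_allowed(struct passwd *pw,
 		return (0);
 	}
 	if (options.strict_modes &&
-	    secure_filename(f, file, pw, line, sizeof(line)) != 0) {
+	    secure_filename(f, file, pw, err, sizeof(err)) != 0) {
 		xfree(file);
 		fclose(f);
-		logit("Authentication refused: %s", line);
+		logit("Authentication refused: %s", err);
 		restore_uid();
 		return (0);
 	}
@@ -201,7 +200,7 @@ auth_rsa_key_allowed(struct passwd *pw,
 	 * found, perform a challenge-response dialog to verify that the
 	 * user really has the corresponding private key.
 	 */
-	while (fgets(line, sizeof(line), f)) {
+	while ((line = fgetline(f))) {
 		char *cp;
 		char *key_options;
 
@@ -210,8 +209,10 @@ auth_rsa_key_allowed(struct passwd *pw,
 		/* Skip leading whitespace, empty and comment lines. */
 		for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
 			;
-		if (!*cp || *cp == '\n' || *cp == '#')
+		if (!*cp || *cp == '\n' || *cp == '#') {
+			xfree(line);
 			continue;
+		}
 
 		/*
 		 * Check if there are options for this key, and if so,
@@ -235,6 +236,7 @@ auth_rsa_key_allowed(struct passwd *pw,
 		if (hostfile_read_key(&cp, &bits, key) == 0) {
 			debug("%.100s, line %lu: non ssh1 key syntax",
 			    file, linenum);
+			xfree(line);
 			continue;
 		}
 		/* cp now points to the comment part. */
@@ -254,11 +256,14 @@ auth_rsa_key_allowed(struct passwd *pw,
 		 * If our options do not allow this key to be used,
 		 * do not send challenge.
 		 */
-		if (!auth_parse_options(pw, key_options, file, linenum))
+		if (!auth_parse_options(pw, key_options, file, linenum)) {
+			xfree(line);
 			continue;
+		}
 
 		/* break out, this key is allowed */
 		allowed = 1;
+		xfree(line);
 		break;
 	}
 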
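Review bot: Every exit from the loop body in auth_rsa_key_allowed must now release `line` by hand, and the patch adds `xfree(line)` only at the `continue`/`break` sites inside these hunks. The body between new lines 243 and 255 is not shown, so any `continue` left there (for example on a key that parses but does not match) would leak one allocation per line read. The same concern applies to user_key_allowed2 in auth2-pubkey.c and key_try_load_public in authfile.c, where no `xfree(line)` is visible for a line that reaches the end of the `while` body without matching. A single release point would be less fragile: move the per-line checks into a static helper that returns a status, so the loop becomes `r = helper(...); xfree(line); if (r) break;`. The function starts and ends outside the hunks, so the full set of exits should be checked against the complete file.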
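--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -40,6 +40,7 @@ RCSID("$OpenBSD: auth2-pubkey.c,v 1.7 20
 #include "auth-options.h"
 #include "canohost.h"
 #include "monitor_wrap.h"
+#include "misc.h"
 
 /* import */
 extern ServerOptions options;
@@ -163,7 +164,7 @@ done:
 static int
 user_key_allowed2(struct passwd *pw, Key *key, char *file)
 {
-	char line[8192];
+	char *line, err[2048];
 	int found_key = 0;
 	FILE *f;
 	u_long linenum = 0;
@@ -190,9 +191,9 @@ user_key_allowed2(struct passwd *pw, Key
 		return 0;
 	}
 	if (options.strict_modes &&
-	    secure_filename(f, file, pw, line, sizeof(line)) != 0) {
+	    secure_filename(f, file, pw, err, sizeof(err)) != 0) {
 		fclose(f);
-		logit("Authentication refused: %s", line);
+		logit("Authentication refused: %s", err);
 		restore_uid();
 		return 0;
 	}
@@ -200,14 +201,16 @@ user_key_allowed2(struct passwd *pw, Key
 	found_key = 0;
 	found = key_new(key->type);
 
-	while (fgets(line, sizeof(line), f)) {
+	while (line = fgetline(f)) {
 		char *cp, *key_options = NULL;
 		linenum++;
 		/* Skip leading whitespace, empty and comment lines. */
 		for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
 			;
-		if (!*cp || *cp == '\n' || *cp == '#')
+		if (!*cp || *cp == '\n' || *cp == '#') {
+			xfree(line);
 			continue;
+		}
 
 		if (key_read(found, &cp) != 1) {
 			/* no key?  check if there are options for this key */
@@ -226,6 +229,7 @@ user_key_allowed2(struct passwd *pw, Key
 			if (key_read(found, &cp) != 1) {
 				debug2("user_key_allowed: advance: '%s'", cp);
 				/* still no key?  advance to next line*/
+				xfree(line);
 				continue;
 			}
 		}
@@ -238,6 +242,7 @@ user_key_allowed2(struct passwd *pw, Key
 			verbose("Found matching %s key: %s",
 			    key_type(found), fp);
 			xfree(fp);
+			xfree(line);
 			break;
 		}
 	}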
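Review bot: The loop condition `while (line = fgetline(f)) {` in user_key_allowed2 is a bare assignment, whereas auth-rsa.c and authfile.c in this same patch write `while ((line = fgetline(f)))`. The bare form draws a -Wparentheses warning and reads like a mistyped comparison in authentication code. An explicit test is clearer for all three call sites: `while ((line = fgetline(f)) != NULL) {`. The function begins and ends outside the hunks shown.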
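--- a/authfile.c
+++ b/authfile.c
@@ -51,6 +51,7 @@ RCSID("$OpenBSD: authfile.c,v 1.57 2004/
 #include "log.h"
 #include "authfile.h"
 #include "rsa.h"
+#include "misc.h"
 
 /* Version identification string for SSH v1 identity files. */
 static const char authfile_id_string[] =
@@ -595,18 +596,18 @@ static int
 key_try_load_public(Key *k, const char *filename, char **commentp)
 {
 	FILE *f;
-	char line[4096];
+	char *line;
 	char *cp;
 
 	f = fopen(filename, "r");
 	if (f != NULL) {
-		while (fgets(line, sizeof(line), f)) {
-			line[sizeof(line)-1] = '\0';
+		while ((line = fgetline(f))) {
 			cp = line;
 			switch (*cp) {
 			case '#':
 			case '\n':
 			case '\0':
+				xfree(line);
 				continue;
 			}
 			/* Skip leading whitespace. */
@@ -617,6 +618,7 @@ key_try_load_public(Key *k, const char *
 					if (commentp)
 						*commentp=xstrdup(filename);
 					fclose(f);
+					xfree(line);
 					return 1;
 				}
 			}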
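--- a/misc.c
+++ b/misc.c
@@ -28,6 +28,7 @@ RCSID("$OpenBSD: misc.c,v 1.24 2004/06/1
 #include "misc.h"
 #include "log.h"
 #include "xmalloc.h"
+#include "buffer.h"
 
 /* remove newline at end of string */
 char *
@@ -325,4 +326,36 @@ addargs(arglist *args, char *fmt, ...)
 	args->nalloc = nalloc;
 	args->list[args->num++] = xstrdup(buf);
 	args->list[args->num] = NULL;
+}
+
+/*
+ * get a line from a FILE, allocating enough space to hold it
+ */
+char *
+fgetline(FILE *f)
+{
+	Buffer buf;
+	char *line, tmp[1024];
+	size_t len;
+
+	buffer_init(&buf);
+	while (1) {
+		if (fgets(tmp, sizeof(tmp), f) == NULL)
+			break;
+		len = strlen(tmp);
+		buffer_append(&buf, tmp, len);
+		debug("%s: len %d string '%s'", __func__, len, tmp);
+		if (tmp[len - 1] == '\n')
+			break;
+	}
+
+	if (buffer_len(&buf) == 0) {
+		line = NULL;
+	} else {
+		buffer_append(&buf, "\0", 1);
+		line = xstrdup(buffer_ptr(&buf));
+		/* XXX: zero buffer too? */
+	}
+	buffer_free(&buf);
+	return line;
 }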
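Review bot: In fgetline, `tmp[len - 1]` is read without checking `len`, so a chunk from fgets() that begins with a NUL byte gives `len == 0` and reads one byte before `tmp`. The key files parsed by the callers are presumably written by the account owner, so this input is not trusted; guard it with `if (len > 0 && tmp[len - 1] == '\n')`. The `debug()` call just above passes a `size_t` for `%d` and logs every chunk of every file read; either drop it or use `debug3("%s: len %lu", __func__, (u_long)len);`. With the fixed 8192- and 4096-byte arrays removed, nothing visible here bounds a line's length, so a maximum should be enforced inside the loop and the limit restored in the auth-rsa.c header comment. The function comment should also say that the caller owns the result and must `xfree()` it, and that `xstrdup(buffer_ptr(&buf))` stops at an embedded NUL.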
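--- a/misc.h
+++ b/misc.h
@@ -23,6 +23,7 @@ int a2port(const char *);
 char	*cleanhostname(char *);
 char	*colon(char *);
 long	 convtime(const char *);
+char	*fgetline(FILE *);
 
 struct passwd *pwcopy(struct passwd *);
 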
