Bugzilla – Attachment 88 Details for
Bug 172
Add multiple AuthorizedKeyFiles options
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
Implement multiple authorized keys against CVS copy from openssh@anoncvs.be.openbsd.org:/cvs as of 2002/4/23
authorized-keys.20020423 (text/plain), 8.98 KB, created by
Alex Kiernan
on 2002-04-23 23:55:20 AEST
(
hide
)
Description:
Implement multiple authorized keys against CVS copy from openssh@anoncvs.be.openbsd.org:/cvs as of 2002/4/23
Filename:
MIME Type:
Creator:
Alex Kiernan
Created:
2002-04-23 23:55:20 AEST
Size:
8.98 KB
patch
obsolete
>? authorized-keys.20020423 >Index: auth-rsa.c >=================================================================== >RCS file: /cvs/openssh/auth-rsa.c,v >retrieving revision 1.46 >diff -u -r1.46 auth-rsa.c >--- auth-rsa.c 2 Apr 2002 20:43:13 -0000 1.46 >+++ auth-rsa.c 23 Apr 2002 11:11:13 -0000 >@@ -44,6 +44,8 @@ > */ > extern u_char session_id[16]; > >+static int auth_rsa_file(struct passwd *pw, BIGNUM *client_n, char *file, Key **rkey); >+ > /* > * The .ssh/authorized_keys file contains public keys, one per line, in the > * following format: >@@ -153,7 +155,31 @@ > int > auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey) > { >- char line[8192], *file; >+ char *file; >+ int authorized = 0; >+ int authfileno = 0; >+ >+ /* no user given */ >+ if (pw == NULL) >+ return 0; >+ >+ /* Iterate over all authorized keys files. */ >+ while ((file = authorized_keys_file(pw, authfileno++)) != NULL) { >+ debug("trying public RSA key file %s", file); >+ authorized = auth_rsa_file(pw, client_n, file, rkey); >+ xfree(file); >+ if (authorized == 1) { >+ return 1; >+ } >+ } >+ return 0; >+} >+ >+/* Do the hard work in authenticating the client */ >+static int >+auth_rsa_file(struct passwd *pw, BIGNUM *client_n, char *file, Key **rkey) >+{ >+ char line[8192]; > int allowed = 0; > u_int bits; > FILE *f; >@@ -164,15 +190,10 @@ > /* Temporarily use the user's uid. */ > temporarily_use_uid(pw); > >- /* The authorized keys. */ >- file = authorized_keys_file(pw); >- debug("trying public RSA key file %s", file); >- > /* Fail quietly if file does not exist */ > if (stat(file, &st) < 0) { > /* Restore the privileged uid. */ > restore_uid(); >- xfree(file); > return (0); > } > /* Open the file containing the authorized keys. */ >@@ -180,12 +201,10 @@ > if (!f) { > /* Restore the privileged uid. */ > restore_uid(); >- xfree(file); > return (0); > } > if (options.strict_modes && > secure_filename(f, file, pw, line, sizeof(line)) != 0) { >- xfree(file); > fclose(f); > log("Authentication refused: %s", line); > restore_uid(); >@@ -267,7 +286,6 @@ > restore_uid(); > > /* Close the file. */ >- xfree(file); > fclose(f); > > /* return key if allowed */ >Index: auth.c >=================================================================== >RCS file: /cvs/openssh/auth.c,v >retrieving revision 1.51 >diff -u -r1.51 auth.c >--- auth.c 22 Mar 2002 03:08:31 -0000 1.51 >+++ auth.c 23 Apr 2002 11:11:13 -0000 >@@ -317,15 +317,11 @@ > } > > char * >-authorized_keys_file(struct passwd *pw) >+authorized_keys_file(struct passwd *pw, int n) > { >- return expand_filename(options.authorized_keys_file, pw); >-} >- >-char * >-authorized_keys_file2(struct passwd *pw) >-{ >- return expand_filename(options.authorized_keys_file2, pw); >+ if (n >= options.num_authorized_keys_files) >+ return NULL; >+ return expand_filename(options.authorized_keys_files[n], pw); > } > > /* return ok if key exists in sysfile or userfile */ >Index: auth.h >=================================================================== >RCS file: /cvs/openssh/auth.h,v >retrieving revision 1.38 >diff -u -r1.38 auth.h >--- auth.h 22 Mar 2002 02:50:08 -0000 1.38 >+++ auth.h 23 Apr 2002 11:11:13 -0000 >@@ -154,8 +154,7 @@ > struct passwd * auth_get_user(void); > > char *expand_filename(const char *, struct passwd *); >-char *authorized_keys_file(struct passwd *); >-char *authorized_keys_file2(struct passwd *); >+char *authorized_keys_file(struct passwd *, int n); > > int > secure_filename(FILE *, const char *, struct passwd *, char *, size_t); >Index: auth2.c >=================================================================== >RCS file: /cvs/openssh/auth2.c,v >retrieving revision 1.99 >diff -u -r1.99 auth2.c >--- auth2.c 4 Apr 2002 19:02:28 -0000 1.99 >+++ auth2.c 23 Apr 2002 11:11:13 -0000 >@@ -729,18 +729,16 @@ > { > int success; > char *file; >+ int authfileno = 0; > >- file = authorized_keys_file(pw); >- success = user_key_allowed2(pw, key, file); >- xfree(file); >- if (success) >- return success; >- >- /* try suffix "2" for backward compat, too */ >- file = authorized_keys_file2(pw); >- success = user_key_allowed2(pw, key, file); >- xfree(file); >- return success; >+ /* Iterate over all authorized_keys_files */ >+ while ((file = authorized_keys_file(pw, authfileno++) ) != NULL) { >+ success = user_key_allowed2(pw, key, file); >+ xfree(file); >+ if (success) >+ return success; >+ } >+ return 0; > } > > /* return 1 if given hostkey is allowed */ >Index: servconf.c >=================================================================== >RCS file: /cvs/openssh/servconf.c,v >retrieving revision 1.84 >diff -u -r1.84 servconf.c >--- servconf.c 13 Apr 2002 01:04:41 -0000 1.84 >+++ servconf.c 23 Apr 2002 11:11:13 -0000 >@@ -119,8 +119,7 @@ > options->verify_reverse_mapping = -1; > options->client_alive_interval = -1; > options->client_alive_count_max = -1; >- options->authorized_keys_file = NULL; >- options->authorized_keys_file2 = NULL; >+ options->num_authorized_keys_files = 0; > > /* Needs to be accessable in many places */ > use_privsep = -1; >@@ -240,15 +239,11 @@ > options->client_alive_interval = 0; > if (options->client_alive_count_max == -1) > options->client_alive_count_max = 3; >- if (options->authorized_keys_file2 == NULL) { >- /* authorized_keys_file2 falls back to authorized_keys_file */ >- if (options->authorized_keys_file != NULL) >- options->authorized_keys_file2 = options->authorized_keys_file; >- else >- options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2; >- } >- if (options->authorized_keys_file == NULL) >- options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS; >+ if (options->num_authorized_keys_files == 0) { >+ /* fill default authorized keys files */ >+ options->authorized_keys_files[options->num_authorized_keys_files++] = _PATH_SSH_USER_PERMITTED_KEYS; >+ options->authorized_keys_files[options->num_authorized_keys_files++] = _PATH_SSH_USER_PERMITTED_KEYS2; >+ } > > /* Turn privilege separation _off_ by default */ > if (use_privsep == -1) >@@ -284,7 +279,7 @@ > sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups, > sBanner, sVerifyReverseMapping, sHostbasedAuthentication, > sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, >- sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, >+ sClientAliveCountMax, sAuthorizedKeysFile, > sUsePrivilegeSeparation, > sDeprecated > } ServerOpCodes; >@@ -360,7 +355,7 @@ > { "clientaliveinterval", sClientAliveInterval }, > { "clientalivecountmax", sClientAliveCountMax }, > { "authorizedkeysfile", sAuthorizedKeysFile }, >- { "authorizedkeysfile2", sAuthorizedKeysFile2 }, >+ { "authorizedkeysfile2", sAuthorizedKeysFile }, > { "useprivilegeseparation", sUsePrivilegeSeparation}, > { NULL, sBadOption } > }; >@@ -867,10 +862,13 @@ > * AuthorizedKeysFile /etc/ssh_keys/%u > */ > case sAuthorizedKeysFile: >- case sAuthorizedKeysFile2: >- charptr = (opcode == sAuthorizedKeysFile ) ? >- &options->authorized_keys_file : >- &options->authorized_keys_file2; >+ intptr = &options->num_authorized_keys_files; >+ if (*intptr >= MAX_AUTHKEYFILES) >+ fatal("%s line %d: too many authorized keys " >+ "files specified (max %d).", >+ filename, linenum, MAX_AUTHKEYFILES); >+ >+ charptr = &options->authorized_keys_files[*intptr]; > goto parse_filename; > > case sClientAliveInterval: >Index: servconf.h >=================================================================== >RCS file: /cvs/openssh/servconf.h,v >retrieving revision 1.48 >diff -u -r1.48 servconf.h >--- servconf.h 22 Mar 2002 03:11:50 -0000 1.48 >+++ servconf.h 23 Apr 2002 11:11:13 -0000 >@@ -24,6 +24,7 @@ > #define MAX_DENY_GROUPS 256 /* Max # groups on deny list. */ > #define MAX_SUBSYSTEMS 256 /* Max # subsystems. */ > #define MAX_HOSTKEYS 256 /* Max # hostkeys. */ >+#define MAX_AUTHKEYFILES 256 /* Max # authorized_keys statements */ > > /* permit_root_login */ > #define PERMIT_NOT_SET -1 >@@ -127,8 +128,9 @@ > * disconnect the session > */ > >- char *authorized_keys_file; /* File containing public keys */ >- char *authorized_keys_file2; >+ char *authorized_keys_files[MAX_AUTHKEYFILES]; /* Files containing >+ * public keys */ >+ int num_authorized_keys_files; > int pam_authentication_via_kbd_int; > } ServerOptions; > >Index: sshd.8 >=================================================================== >RCS file: /cvs/openssh/sshd.8,v >retrieving revision 1.133 >diff -u -r1.133 sshd.8 >--- sshd.8 5 Apr 2002 22:18:50 -0000 1.133 >+++ sshd.8 23 Apr 2002 11:11:13 -0000 >@@ -371,7 +371,7 @@ > users from particular hosts. > .Pp > .It Cm AuthorizedKeysFile >-Specifies the file that contains the public keys that can be used >+Specifies a file that contains public keys that can be used > for user authentication. > .Cm AuthorizedKeysFile > may contain tokens of the form %T which are substituted during connection >@@ -381,8 +381,11 @@ > After expansion, > .Cm AuthorizedKeysFile > is taken to be an absolute path or one relative to the user's home >-directory. >-The default is >+directory. When multiple >+.Cm AuthorizedKeysFile >+are specified, they are >+checked in order for possible authentication keys until a successful >+match is found. The default is > .Dq .ssh/authorized_keys . > .It Cm Banner > In some jurisdictions, sending a warning message before authentication
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 172
:
48
| 88