Attachment #2191 for bug #1663




	return host_status;
}


/*
 * Check a given path for security. This is defined as all components
 * of the path to the file must be owned by either the owner of
 * of the file or root and no directories must be group or world writable.
 *
 * XXX Should any specific check be done for sym links ?
 *
 * Takes an the file name, its stat information (preferably from fstat() to
 * avoid races), the uid of the expected owner, their home directory and an
 * error buffer plus max size as arguments.
 *
 * Returns 0 on success and -1 on failure
 */
int
auth_secure_path(const char *name, struct stat *stp, const char *pw_dir,
    uid_t uid, char *err, size_t errlen)
{
	uid_t uid = pw->pw_uid;
	char buf[MAXPATHLEN], homedir[MAXPATHLEN];
	char *cp;
	int comparehome = 0;
	struct stat st;

	if (realpath(name, buf) == NULL) {
		snprintf(err, errlen, "realpath %s failed: %s", name,
		    strerror(errno));
		return -1;
	}
	if (pw_dir != NULL && realpath(pw_dir, homedir) != NULL)
		comparehome = 1;

	if (!S_ISREG(stp->st_mode)) {
		snprintf(err, errlen, "%s is not a regular file", buf);
		return -1;
	}
	if ((stp->st_uid != 0 && stp->st_uid != uid) ||
	    (stp->st_mode & 022) != 0) {
		snprintf(err, errlen, "bad ownership or modes for file %s",
		    buf);
		return -1;

	return 0;
}

/*
 * Version of secure_path() that accepts an open file descriptor to
 * avoid races.
 *
 * Returns 0 on success and -1 on failure
 */
static int
secure_filename(FILE *f, const char *file, struct passwd *pw,
    char *err, size_t errlen)
{
	uid_t uid = pw->pw_uid;
	char buf[MAXPATHLEN], homedir[MAXPATHLEN];
	char *cp;
	int comparehome = 0;
	struct stat st;

	/* check the open file to avoid races */
	if (fstat(fileno(f), &st) < 0) {
		snprintf(err, errlen, "cannot stat file %s: %s",
		    buf, strerror(errno));
		return -1;
	}
	return auth_secure_path(file, &st, pw->pw_dir, pw->pw_uid, err, errlen);
}

static FILE *
auth_openfile(const char *file, struct passwd *pw, int strict_modes,
    int log_missing, char *file_type)

Lines 111-116 int auth_rhosts_rsa_key_allowed(struct passwd , char , char , Key ); Link Here

(-)auth.h (+4 lines)
111	int hostbased_key_allowed(struct passwd , const char , char , Key );	111	int hostbased_key_allowed(struct passwd , const char , char , Key );
112	int user_key_allowed(struct passwd , Key );	112	int user_key_allowed(struct passwd , Key );
113		113
		114	struct stat;
		115	int auth_secure_path(const char , struct stat , const char *, uid_t,
		116	char *, size_t);
		117
114	#ifdef KRB5	118	#ifdef KRB5
115	int auth_krb5(Authctxt authctxt, krb5_data auth, char *client, krb5_data );	119	int auth_krb5(Authctxt authctxt, krb5_data auth, char *client, krb5_data );
116	int auth_krb5_tgt(Authctxt authctxt, krb5_data tgt);	120	int auth_krb5_tgt(Authctxt authctxt, krb5_data tgt);





#include <sys/types.h>
#include <sys/stat.h>
#include <sys/wait.h>

#include <errno.h>
#include <fcntl.h>
#include <paths.h>
#include <pwd.h>
#include <signal.h>
#include <stdio.h>
#include <stdarg.h>
#include <string.h>

			if (strcmp(cp, cert->principals[i]) == 0) {
				debug3("matched principal \"%.100s\" "
				    "from file \"%s\" on line %lu",
				    cert->principals[i], file, linenum);
				if (auth_parse_options(pw, line_opts,
				    file, linenum) != 1)
					continue;

	fclose(f);
	restore_uid();
	return 0;
}

/*
 * Checks whether key is allowed in authorized_keys-format file,
 * returns 1 if the key is allowed or 0 otherwise.
 */
static int
check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
{
	char line[SSH_MAX_PUBKEY_BYTES];
	const char *reason;
	int found_key = 0;
	FILE *f;
	u_long linenum = 0;
	Key *found;
	char *fp;

	/* Temporarily use the user's uid. */
	temporarily_use_uid(pw);

	debug("trying public key file %s", file);
	f = auth_openkeyfile(file, pw, options.strict_modes);

	if (!f) {
		restore_uid();
		return 0;
	}

	found_key = 0;
	found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);


			break;
		}
	}
	restore_uid();
	fclose(f);
	key_free(found);
	if (!found_key)
		debug2("key not found");

	return ret;
}

/*
 * Checks whether key is allowed in file.
 * returns 1 if the key is allowed or 0 otherwise.
 */
static int
user_key_allowed2(struct passwd *pw, Key *key, char *file)
{
	FILE *f;
	int found_key = 0;

	/* Temporarily use the user's uid. */
	temporarily_use_uid(pw);

	debug("trying public key file %s", file);
	if ((f = auth_openkeyfile(file, pw, options.strict_modes)) != NULL) {
		found_key = check_authkeys_file(f, file, key, pw);
		fclose(f);
	}

	restore_uid();
	return found_key;
}

/*
 * Checks whether key is allowed in output of command.
 * returns 1 if the key is allowed or 0 otherwise.
 */
static int
user_key_command_allowed2(struct passwd *user_pw, Key *key)
{
	FILE *f;
	int ok, found_key = 0;
	struct passwd *pw;
	struct stat st;
	int status, devnull, p[2], i;
	pid_t pid;
	char errmsg[512];

	if (options.authorized_keys_command == NULL ||
	    options.authorized_keys_command[0] != '/')
		return 0;

	/* If no user specified to run commands the default to target user */
	if (options.authorized_keys_command_user == NULL)
		pw = user_pw;
	else {
		pw = getpwnam(options.authorized_keys_command_user);
		if (pw == NULL) {
			error("AuthorizedKeyCommandUser \"%s\" not found: %s",
			    options.authorized_keys_command, strerror(errno));
			return 0;
		}
	}

	temporarily_use_uid(pw);

	if (stat(options.authorized_keys_command, &st) < 0) {
		error("Could not stat AuthorizedKeysCommand \"%s\": %s",
		    options.authorized_keys_command, strerror(errno));
		goto out;
	}
	if (auth_secure_path(options.authorized_keys_command, &st, NULL, 0,
	    errmsg, sizeof(errmsg)) != 0) {
		error("Unsafe AuthorizedKeysCommand: %s", errmsg);
		goto out;
	}

	/* open the pipe and read the keys */
	if (pipe(p) != 0) {
		error("%s: pipe: %s", __func__, strerror(errno));
		goto out;
	}

	debug3("Running AuthorizedKeysCommand: \"%s\" as \"%s\"",
	    options.authorized_keys_command, pw->pw_name);

	/*
	 * Don't want to call this in the child, where it can fatal() and
	 * run cleanup_exit() code.
	 */
	restore_uid();

	switch ((pid = fork())) {
	case -1: /* error */
		error("%s: fork: %s", __func__, strerror(errno));
		close(p[0]);
		close(p[1]);
		return 0;
	case 0: /* child */
		for (i = 0; i < NSIG; i++)
			signal(i, SIG_DFL);

		/* Don't use permanently_set_uid() here to avoid fatal() */
		if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) != 0) {
			error("setresgid %u: %s", (u_int)pw->pw_gid,
			    strerror(errno));
			_exit(1);
		}
		if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) != 0) {
			error("setresuid %u: %s", (u_int)pw->pw_uid,
			    strerror(errno));
			_exit(1);
		}

		close(p[0]);
		if ((devnull = open(_PATH_DEVNULL, O_RDWR)) == -1) {
			error("%s: open %s: %s", __func__, _PATH_DEVNULL,
			    strerror(errno));
			_exit(1);
		}
		if (dup2(devnull, STDIN_FILENO) == -1 ||
		    dup2(p[1], STDOUT_FILENO) == -1 ||
		    dup2(devnull, STDERR_FILENO) == -1) {
			error("%s: dup2: %s", __func__, strerror(errno));
			_exit(1);
		}
		closefrom(STDERR_FILENO + 1);

		execl(options.authorized_keys_command,
		    options.authorized_keys_command, pw->pw_name, NULL);

		error("AuthorizedKeysCommand %s exec failed: %s",
		    options.authorized_keys_command, strerror(errno));
		_exit(127);
	default: /* parent */
		break;
	}

	temporarily_use_uid(pw);

	close(p[1]);
	if ((f = fdopen(p[0], "r")) == NULL) {
		error("%s: fdopen: %s", __func__, strerror(errno));
		close(p[0]);
		/* Don't leave zombie child */
		while (waitpid(pid, NULL, 0) == -1 && errno == EINTR)
			;
		goto out;
	}
	ok = check_authkeys_file(f, options.authorized_keys_command, key, pw);
	fclose(f);

	while (waitpid(pid, &status, 0) == -1) {
		if (errno != EINTR) {
			error("%s: waitpid: %s", __func__, strerror(errno));
			goto out;
		}
	}
	if (WIFSIGNALED(status)) {
		error("AuthorizedKeysCommand %s exited on signal %d",
		    options.authorized_keys_command, WTERMSIG(status));
		goto out;
	} else if (WEXITSTATUS(status) != 0) {
		error("AuthorizedKeysCommand %s returned status %d",
		    options.authorized_keys_command, WEXITSTATUS(status));
		goto out;
	}
	found_key = ok;
 out:
	restore_uid();
	return found_key;
}

/*
 * Check whether key authenticates and authorises the user.
 */
int
user_key_allowed(struct passwd *pw, Key *key)
{

	if (success)
		return success;

	success = user_key_command_allowed2(pw, key);
	if (success > 0)
		return success;

	for (i = 0; !success && i < options.num_authkeys_files; i++) {
		file = expand_authorized_keys(
		    options.authorized_keys_files[i], pw);

Lines 128-133 initialize_server_options(ServerOptions *options) Link Here

(-)servconf.c (+29 lines)
128	options->num_permitted_opens = -1;	128	options->num_permitted_opens = -1;
129	options->adm_forced_command = NULL;	129	options->adm_forced_command = NULL;
130	options->chroot_directory = NULL;	130	options->chroot_directory = NULL;
		131	options->authorized_keys_command = NULL;
		132	options->authorized_keys_command_user = NULL;
131	options->zero_knowledge_password_authentication = -1;	133	options->zero_knowledge_password_authentication = -1;
132	options->revoked_keys_file = NULL;	134	options->revoked_keys_file = NULL;
133	options->trusted_user_ca_keys = NULL;	135	options->trusted_user_ca_keys = NULL;
Lines 302-307 typedef enum { Link Here
302	sZeroKnowledgePasswordAuthentication, sHostCertificate,	304	sZeroKnowledgePasswordAuthentication, sHostCertificate,
303	sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,	305	sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
304	sKexAlgorithms, sIPQoS, sVersionAddendum,	306	sKexAlgorithms, sIPQoS, sVersionAddendum,
		307	sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
305	sDeprecated, sUnsupported	308	sDeprecated, sUnsupported
306	} ServerOpCodes;	309	} ServerOpCodes;
307		310
Lines 414-419 static struct { Link Here
414	{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },	417	{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
415	{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },	418	{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
416	{ "ipqos", sIPQoS, SSHCFG_ALL },	419	{ "ipqos", sIPQoS, SSHCFG_ALL },
		420	{ "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
		421	{ "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
417	{ "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },	422	{ "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
418	{ NULL, sBadOption, 0 }	423	{ NULL, sBadOption, 0 }
419	};	424	};
Lines 1453-1458 process_server_config_line(ServerOptions options, char line, Link Here
1453	}	1458	}
1454	return 0;	1459	return 0;
1455		1460
		1461	case sAuthorizedKeysCommand:
		1462	len = strspn(cp, WHITESPACE);
		1463	if (*activep && options->authorized_keys_command == NULL) {
		1464	options->authorized_keys_command = xstrdup(cp + len);
		1465	if (*options->authorized_keys_command != '/') {
		1466	fatal("%.200s line %d: AuthorizedKeysCommand "
		1467	"must be an absolute path",
		1468	filename, linenum);
		1469	}
		1470	}
		1471	return 0;
		1472
		1473	case sAuthorizedKeysCommandUser:
		1474	charptr = &options->authorized_keys_command_user;
		1475
		1476	arg = strdelim(&cp);
		1477	if (activep && charptr == NULL)
		1478	*charptr = xstrdup(arg);
		1479	break;
		1480
1456	case sDeprecated:	1481	case sDeprecated:
1457	logit("%s line %d: Deprecated option %s",	1482	logit("%s line %d: Deprecated option %s",
1458	filename, linenum, arg);	1483	filename, linenum, arg);
Lines 1603-1608 copy_set_server_options(ServerOptions dst, ServerOptions src, int preauth) Link Here
1603	M_CP_INTOPT(hostbased_uses_name_from_packet_only);	1628	M_CP_INTOPT(hostbased_uses_name_from_packet_only);
1604	M_CP_INTOPT(kbd_interactive_authentication);	1629	M_CP_INTOPT(kbd_interactive_authentication);
1605	M_CP_INTOPT(zero_knowledge_password_authentication);	1630	M_CP_INTOPT(zero_knowledge_password_authentication);
		1631	M_CP_STROPT(authorized_keys_command);
		1632	M_CP_STROPT(authorized_keys_command_user);
1606	M_CP_INTOPT(permit_root_login);	1633	M_CP_INTOPT(permit_root_login);
1607	M_CP_INTOPT(permit_empty_passwd);	1634	M_CP_INTOPT(permit_empty_passwd);
1608		1635
Lines 1858-1863 dump_config(ServerOptions *o) Link Here
1858	dump_cfg_string(sAuthorizedPrincipalsFile,	1885	dump_cfg_string(sAuthorizedPrincipalsFile,
1859	o->authorized_principals_file);	1886	o->authorized_principals_file);
1860	dump_cfg_string(sVersionAddendum, o->version_addendum);	1887	dump_cfg_string(sVersionAddendum, o->version_addendum);
		1888	dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command);
		1889	dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user);
1861		1890
1862	/* string arguments requiring a lookup */	1891	/* string arguments requiring a lookup */
1863	dump_cfg_string(sLogLevel, log_level_name(o->log_level));	1892	dump_cfg_string(sLogLevel, log_level_name(o->log_level));

Lines 164-169 typedef struct { Link Here

(-)servconf.h (+2 lines)
164	char *revoked_keys_file;	164	char *revoked_keys_file;
165	char *trusted_user_ca_keys;	165	char *trusted_user_ca_keys;
166	char *authorized_principals_file;	166	char *authorized_principals_file;
		167	char *authorized_keys_command;
		168	char *authorized_keys_command_user;
167		169
168	char version_addendum; / Appended to SSH banner */	170	char version_addendum; / Appended to SSH banner */
169	} ServerOptions;	171	} ServerOptions;

Lines 336-344 main_sigchld_handler(int sig) Link Here

(-)sshd.c (+11 lines)
336	static void	336	static void
337	grace_alarm_handler(int sig)	337	grace_alarm_handler(int sig)
338	{	338	{
		339	pid_t pgid;
		340
339	if (use_privsep && pmonitor != NULL && pmonitor->m_pid > 0)	341	if (use_privsep && pmonitor != NULL && pmonitor->m_pid > 0)
340	kill(pmonitor->m_pid, SIGALRM);	342	kill(pmonitor->m_pid, SIGALRM);
341		343
		344	/*
		345	* Try to kill any processes that we have spawned, E.g. authorized
		346	* keys command helpers.
		347	*/
		348	if ((pgid = getpgid(0)) == getpid()) {
		349	signal(SIGTERM, SIG_IGN);
		350	killpg(pgid, SIGTERM);
		351	}
		352
342	/* Log error and exit. */	353	/* Log error and exit. */
343	sigdie("Timeout before authentication for %s", get_remote_ipaddr());	354	sigdie("Timeout before authentication for %s", get_remote_ipaddr());
344	}	355	}

Lines 49-54 AuthorizedKeysFile .ssh/authorized_keys Link Here

(-)sshd_config (+3 lines)
49		49
50	#AuthorizedPrincipalsFile none	50	#AuthorizedPrincipalsFile none
51		51
		52	#AuthorizedKeysCommand none
		53	#AuthorizedKeysCommandRunAs nobody
		54
52	# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts	55	# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
53	#RhostsRSAAuthentication no	56	#RhostsRSAAuthentication no
54	# similar for protocol version 2	57	# similar for protocol version 2

Lines 151-156 See Link Here

(-)sshd_config.5 (+16 lines)
151	in	151	in
152	.Xr ssh_config 5	152	.Xr ssh_config 5
153	for more information on patterns.	153	for more information on patterns.
		154	.It Cm AuthorizedKeysCommand
		155	Specifies a program to be used for lookup of the user's public keys.
		156	The program will be invoked with a single argument of the username
		157	being authenticated, and should produce on standard output zero or
		158	more lines of authorized_keys output (see AUTHORIZED_KEYS in
		159	.Xr sshd 8 )
		160	If a key supplied by AuthorizedKeysCommand does not successfully authenticate
		161	and authorize the user then public key authentication continues using the usual
		162	.Cm AuthorizedKeysFile
		163	files.
		164	By default, no AuthorizedKeysCommand is run.
		165	.It Cm AuthorizedKeysCommandUser
		166	Specifies the user under whose account the AuthorizedKeysCommand is run.
		167	The default is the user being authenticated.
154	.It Cm AuthorizedKeysFile	168	.It Cm AuthorizedKeysFile
155	Specifies the file that contains the public keys that can be used	169	Specifies the file that contains the public keys that can be used
156	for user authentication.	170	for user authentication.
Lines 713-718 Available keywords are Link Here
713	.Cm AllowTcpForwarding ,	727	.Cm AllowTcpForwarding ,
714	.Cm AllowUsers ,	728	.Cm AllowUsers ,
715	.Cm AuthorizedKeysFile ,	729	.Cm AuthorizedKeysFile ,
		730	.Cm AuthorizedKeysCommand ,
		731	.Cm AuthorizedKeysCommandUser ,
716	.Cm AuthorizedPrincipalsFile ,	732	.Cm AuthorizedPrincipalsFile ,
717	.Cm Banner ,	733	.Cm Banner ,
718	.Cm ChrootDirectory ,	734	.Cm ChrootDirectory ,

Return to bug 1663

Lines 319-359 check_key_in_hostfiles(struct passwd pw, Key key, const char *host, Link Here

(-)auth.c (-14 / +40 lines)
319	return host_status;	319	return host_status;
320	}	320	}
321		321
322
323	/*	322	/*
324	* Check a given file for security. This is defined as all components	323	* Check a given path for security. This is defined as all components
325	* of the path to the file must be owned by either the owner of	324	* of the path to the file must be owned by either the owner of
326	* of the file or root and no directories must be group or world writable.	325	* of the file or root and no directories must be group or world writable.
327	*	326	*
328	* XXX Should any specific check be done for sym links ?	327	* XXX Should any specific check be done for sym links ?
329	*	328	*
330	* Takes an open file descriptor, the file name, a uid and and	329	* Takes an the file name, its stat information (preferably from fstat() to
		330	* avoid races), the uid of the expected owner, their home directory and an
331	* error buffer plus max size as arguments.	331	* error buffer plus max size as arguments.
332	*	332	*
333	* Returns 0 on success and -1 on failure	333	* Returns 0 on success and -1 on failure
334	*/	334	*/
335	static int	335	int
336	secure_filename(FILE f, const char file, struct passwd *pw,	336	auth_secure_path(const char name, struct stat stp, const char *pw_dir,
337	char *err, size_t errlen)	337	uid_t uid, char *err, size_t errlen)
338	{	338	{
339	uid_t uid = pw->pw_uid;
340	char buf[MAXPATHLEN], homedir[MAXPATHLEN];	339	char buf[MAXPATHLEN], homedir[MAXPATHLEN];
341	char *cp;	340	char *cp;
342	int comparehome = 0;	341	int comparehome = 0;
343	struct stat st;	342	struct stat st;
344		343
345	if (realpath(file, buf) == NULL) {	344	if (realpath(name, buf) == NULL) {
346	snprintf(err, errlen, "realpath %s failed: %s", file,	345	snprintf(err, errlen, "realpath %s failed: %s", name,
347	strerror(errno));	346	strerror(errno));
348	return -1;	347	return -1;
349	}	348	}
350	if (realpath(pw->pw_dir, homedir) != NULL)	349	if (pw_dir != NULL && realpath(pw_dir, homedir) != NULL)
351	comparehome = 1;	350	comparehome = 1;
352		351
353	/* check the open file to avoid races */	352	if (!S_ISREG(stp->st_mode)) {
354	if (fstat(fileno(f), &st) < 0 \|\|	353	snprintf(err, errlen, "%s is not a regular file", buf);
355	(st.st_uid != 0 && st.st_uid != uid) \|\|	354	return -1;
356	(st.st_mode & 022) != 0) {	355	}
		356	if ((stp->st_uid != 0 && stp->st_uid != uid) \|\|
		357	(stp->st_mode & 022) != 0) {
357	snprintf(err, errlen, "bad ownership or modes for file %s",	358	snprintf(err, errlen, "bad ownership or modes for file %s",
358	buf);	359	buf);
359	return -1;	360	return -1;
Lines 389-394 secure_filename(FILE f, const char file, struct passwd *pw, Link Here
389	return 0;	390	return 0;
390	}	391	}
391		392
		393	/*
		394	* Version of secure_path() that accepts an open file descriptor to
		395	* avoid races.
		396	*
		397	* Returns 0 on success and -1 on failure
		398	*/
		399	static int
		400	secure_filename(FILE f, const char file, struct passwd *pw,
		401	char *err, size_t errlen)
		402	{
		403	uid_t uid = pw->pw_uid;
		404	char buf[MAXPATHLEN], homedir[MAXPATHLEN];
		405	char *cp;
		406	int comparehome = 0;
		407	struct stat st;
		408
		409	/* check the open file to avoid races */
		410	if (fstat(fileno(f), &st) < 0) {
		411	snprintf(err, errlen, "cannot stat file %s: %s",
		412	buf, strerror(errno));
		413	return -1;
		414	}
		415	return auth_secure_path(file, &st, pw->pw_dir, pw->pw_uid, err, errlen);
		416	}
		417
392	static FILE *	418	static FILE *
393	auth_openfile(const char file, struct passwd pw, int strict_modes,	419	auth_openfile(const char file, struct passwd pw, int strict_modes,
394	int log_missing, char *file_type)	420	int log_missing, char *file_type)

Lines 26-34 Link Here

(-)auth2-pubkey.c (-19 / +181 lines)
26		26
27	#include <sys/types.h>	27	#include <sys/types.h>
28	#include <sys/stat.h>	28	#include <sys/stat.h>
		29	#include <sys/wait.h>
29		30
		31	#include <errno.h>
30	#include <fcntl.h>	32	#include <fcntl.h>
		33	#include <paths.h>
31	#include <pwd.h>	34	#include <pwd.h>
		35	#include <signal.h>
32	#include <stdio.h>	36	#include <stdio.h>
33	#include <stdarg.h>	37	#include <stdarg.h>
34	#include <string.h>	38	#include <string.h>
Lines 239-245 match_principals_file(char file, struct passwd pw, struct KeyCert *cert) Link Here
239	if (strcmp(cp, cert->principals[i]) == 0) {	243	if (strcmp(cp, cert->principals[i]) == 0) {
240	debug3("matched principal \"%.100s\" "	244	debug3("matched principal \"%.100s\" "
241	"from file \"%s\" on line %lu",	245	"from file \"%s\" on line %lu",
242	cert->principals[i], file, linenum);	246	cert->principals[i], file, linenum);
243	if (auth_parse_options(pw, line_opts,	247	if (auth_parse_options(pw, line_opts,
244	file, linenum) != 1)	248	file, linenum) != 1)
245	continue;	249	continue;
Lines 252-282 match_principals_file(char file, struct passwd pw, struct KeyCert *cert) Link Here
252	fclose(f);	256	fclose(f);
253	restore_uid();	257	restore_uid();
254	return 0;	258	return 0;
255	}	259	}
256		260
257	/* return 1 if user allows given key */	261	/*
		262	* Checks whether key is allowed in authorized_keys-format file,
		263	* returns 1 if the key is allowed or 0 otherwise.
		264	*/
258	static int	265	static int
259	user_key_allowed2(struct passwd pw, Key key, char *file)	266	check_authkeys_file(FILE f, char file, Key* key, struct passwd *pw)
260	{	267	{
261	char line[SSH_MAX_PUBKEY_BYTES];	268	char line[SSH_MAX_PUBKEY_BYTES];
262	const char *reason;	269	const char *reason;
263	int found_key = 0;	270	int found_key = 0;
264	FILE *f;
265	u_long linenum = 0;	271	u_long linenum = 0;
266	Key *found;	272	Key *found;
267	char *fp;	273	char *fp;
268		274
269	/* Temporarily use the user's uid. */
270	temporarily_use_uid(pw);
271
272	debug("trying public key file %s", file);
273	f = auth_openkeyfile(file, pw, options.strict_modes);
274
275	if (!f) {
276	restore_uid();
277	return 0;
278	}
279
280	found_key = 0;	275	found_key = 0;
281	found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);	276	found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);
282		277
Lines 369-376 user_key_allowed2(struct passwd pw, Key key, char *file) Link Here
369	break;	364	break;
370	}	365	}
371	}	366	}
372	restore_uid();
373	fclose(f);
374	key_free(found);	367	key_free(found);
375	if (!found_key)	368	if (!found_key)
376	debug2("key not found");	369	debug2("key not found");
Lines 432-438 user_cert_trusted_ca(struct passwd pw, Key key) Link Here
432	return ret;	425	return ret;
433	}	426	}
434		427
435	/* check whether given key is in .ssh/authorized_keys* */	428	/*
		429	* Checks whether key is allowed in file.
		430	* returns 1 if the key is allowed or 0 otherwise.
		431	*/
		432	static int
		433	user_key_allowed2(struct passwd pw, Key key, char *file)
		434	{
		435	FILE *f;
		436	int found_key = 0;
		437
		438	/* Temporarily use the user's uid. */
		439	temporarily_use_uid(pw);
		440
		441	debug("trying public key file %s", file);
		442	if ((f = auth_openkeyfile(file, pw, options.strict_modes)) != NULL) {
		443	found_key = check_authkeys_file(f, file, key, pw);
		444	fclose(f);
		445	}
		446
		447	restore_uid();
		448	return found_key;
		449	}
		450
		451	/*
		452	* Checks whether key is allowed in output of command.
		453	* returns 1 if the key is allowed or 0 otherwise.
		454	*/
		455	static int
		456	user_key_command_allowed2(struct passwd user_pw, Key key)
		457	{
		458	FILE *f;
		459	int ok, found_key = 0;
		460	struct passwd *pw;
		461	struct stat st;
		462	int status, devnull, p[2], i;
		463	pid_t pid;
		464	char errmsg[512];
		465
		466	if (options.authorized_keys_command == NULL \|\|
		467	options.authorized_keys_command[0] != '/')
		468	return 0;
		469
		470	/* If no user specified to run commands the default to target user */
		471	if (options.authorized_keys_command_user == NULL)
		472	pw = user_pw;
		473	else {
		474	pw = getpwnam(options.authorized_keys_command_user);
		475	if (pw == NULL) {
		476	error("AuthorizedKeyCommandUser \"%s\" not found: %s",
		477	options.authorized_keys_command, strerror(errno));
		478	return 0;
		479	}
		480	}
		481
		482	temporarily_use_uid(pw);
		483
		484	if (stat(options.authorized_keys_command, &st) < 0) {
		485	error("Could not stat AuthorizedKeysCommand \"%s\": %s",
		486	options.authorized_keys_command, strerror(errno));
		487	goto out;
		488	}
		489	if (auth_secure_path(options.authorized_keys_command, &st, NULL, 0,
		490	errmsg, sizeof(errmsg)) != 0) {
		491	error("Unsafe AuthorizedKeysCommand: %s", errmsg);
		492	goto out;
493	}
494
495	/* open the pipe and read the keys */
496	if (pipe(p) != 0) {
497	error("%s: pipe: %s", __func__, strerror(errno));
498	goto out;
499	}
500
501	debug3("Running AuthorizedKeysCommand: \"%s\" as \"%s\"",
502	options.authorized_keys_command, pw->pw_name);
503
504	/*
505	* Don't want to call this in the child, where it can fatal() and
506	* run cleanup_exit() code.
507	*/
508	restore_uid();
509
510	switch ((pid = fork())) {
511	case -1: /* error */
512	error("%s: fork: %s", __func__, strerror(errno));
513	close(p[0]);
514	close(p[1]);
515	return 0;
516	case 0: /* child */
517	for (i = 0; i < NSIG; i++)
518	signal(i, SIG_DFL);
519
520	/* Don't use permanently_set_uid() here to avoid fatal() */
521	if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) != 0) {
522	error("setresgid %u: %s", (u_int)pw->pw_gid,
523	strerror(errno));
524	_exit(1);
525	}
526	if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) != 0) {
527	error("setresuid %u: %s", (u_int)pw->pw_uid,
528	strerror(errno));
529	_exit(1);
530	}
531
532	close(p[0]);
533	if ((devnull = open(_PATH_DEVNULL, O_RDWR)) == -1) {
534	error("%s: open %s: %s", __func__, _PATH_DEVNULL,
535	strerror(errno));
536	_exit(1);
537	}
538	if (dup2(devnull, STDIN_FILENO) == -1 \|\|
539	dup2(p[1], STDOUT_FILENO) == -1 \|\|
540	dup2(devnull, STDERR_FILENO) == -1) {
541	error("%s: dup2: %s", __func__, strerror(errno));
542	_exit(1);
543	}
544	closefrom(STDERR_FILENO + 1);
545
546	execl(options.authorized_keys_command,
547	options.authorized_keys_command, pw->pw_name, NULL);
548
549	error("AuthorizedKeysCommand %s exec failed: %s",
550	options.authorized_keys_command, strerror(errno));
551	_exit(127);
552	default: /* parent */
553	break;
554	}
555
556	temporarily_use_uid(pw);
557
558	close(p[1]);
559	if ((f = fdopen(p[0], "r")) == NULL) {
560	error("%s: fdopen: %s", __func__, strerror(errno));
561	close(p[0]);
562	/* Don't leave zombie child */
563	while (waitpid(pid, NULL, 0) == -1 && errno == EINTR)
564	;
565	goto out;
566	}
567	ok = check_authkeys_file(f, options.authorized_keys_command, key, pw);
568	fclose(f);
569
570	while (waitpid(pid, &status, 0) == -1) {
571	if (errno != EINTR) {
572	error("%s: waitpid: %s", __func__, strerror(errno));
573	goto out;
574	}
575	}
576	if (WIFSIGNALED(status)) {
577	error("AuthorizedKeysCommand %s exited on signal %d",
578	options.authorized_keys_command, WTERMSIG(status));
579	goto out;
580	} else if (WEXITSTATUS(status) != 0) {
581	error("AuthorizedKeysCommand %s returned status %d",
582	options.authorized_keys_command, WEXITSTATUS(status));
583	goto out;
584	}
585	found_key = ok;
586	out:
587	restore_uid();
588	return found_key;
589	}
590
591	/*
592	* Check whether key authenticates and authorises the user.
593	*/
436	int	594	int
437	user_key_allowed(struct passwd pw, Key key)	595	user_key_allowed(struct passwd pw, Key key)
438	{	596	{
Lines 448-453 user_key_allowed(struct passwd pw, Key key) Link Here
448	if (success)	606	if (success)
449	return success;	607	return success;
450		608
		609	success = user_key_command_allowed2(pw, key);
		610	if (success > 0)
		611	return success;
		612
451	for (i = 0; !success && i < options.num_authkeys_files; i++) {	613	for (i = 0; !success && i < options.num_authkeys_files; i++) {
452	file = expand_authorized_keys(	614	file = expand_authorized_keys(
453	options.authorized_keys_files[i], pw);	615	options.authorized_keys_files[i], pw);