
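--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -509,7 +509,7 @@ user_key_command_allowed2(struct passwd *user_pw, Key *key)
 	struct stat st;
 	int status, devnull, p[2], i;
 	pid_t pid;
-	char *username, errmsg[512];
+	char *username, *keytext, errmsg[512];
 
 	if (options.authorized_keys_command == NULL ||
 	    options.authorized_keys_command[0] != '/')
@@ -568,6 +568,23 @@ user_key_command_allowed2(struct passwd *user_pw, Key *key)
 		for (i = 0; i < NSIG; i++)
 			signal(i, SIG_DFL);
 
+		keytext = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
+		if (setenv(SSH_KEY_FINGERPRINT_ENV_NAME, keytext, 1) == -1) {
+			error("%s: setenv: %s", __func__, strerror(errno));
+			_exit(1);
+		}
+
+		if (!key_write_str(key, &keytext)) {
+			error("%s: key_write_str: %s", __func__,
+			    strerror(errno));
+			_exit(1);
+		}
+		if (setenv(SSH_KEY_ENV_NAME, keytext, 1) == -1) {
+			error("%s: setenv: %s", __func__, strerror(errno));
+			_exit(1);
+		}
+		free(keytext);
+
 		if ((devnull = open(_PATH_DEVNULL, O_RDWR)) == -1) {
 			error("%s: open %s: %s", __func__, _PATH_DEVNULL,
 			    strerror(errno));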
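Review bot: The `strerror(errno)` in the key_write_str error branch (new lines 578-579) reports an unrelated errno, because key_write_str as introduced in this patch fails on BN_bn2dec() or uuencode() returning nothing useful without setting errno; `error("%s: key_write_str failed", __func__);` describes the failure accurately. The first `keytext` obtained from key_fingerprint() is overwritten by key_write_str without being released, which is harmless in a child about to exec but leaves the two allocations asymmetric; if key_fingerprint() returns heap memory as its other callers treat it, `free(keytext);` right after the fingerprint setenv closes that. user_key_command_allowed2 begins and ends outside the hunk.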
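--- a/key.c
+++ b/key.c
@@ -691,15 +691,13 @@ read_bignum(char **cpp, BIGNUM * value)
 }
 
 static int
-write_bignum(FILE *f, BIGNUM *num)
+write_bignum(char **s, BIGNUM *num)
 {
-	char *buf = BN_bn2dec(num);
-	if (buf == NULL) {
+	*s = BN_bn2dec(num);
+	if (*s == NULL) {
 		error("write_bignum: BN_bn2dec() failed");
 		return 0;
 	}
-	fprintf(f, " %s", buf);
-	OPENSSL_free(buf);
 	return 1;
 }
 #endif
@@ -889,11 +887,12 @@ key_read(Key *ret, char **cpp)
 }
 
 int
-key_write(const Key *key, FILE *f)
+key_write_str(const Key *key, char **s)
 {
 	int n, success = 0;
 #ifdef WITH_SSH1
 	u_int bits = 0;
+	char *se = NULL, *sn = NULL;
 #endif
 	u_int len;
 	u_char *blob;
@@ -917,12 +916,19 @@ key_write(const Key *key, FILE *f)
 			return 0;
 		/* size of modulus 'n' */
 		bits = BN_num_bits(key->rsa->n);
-		fprintf(f, "%u", bits);
-		if (write_bignum(f, key->rsa->e) &&
-		    write_bignum(f, key->rsa->n))
-			return 1;
-		error("key_write: failed for RSA key");
-		return 0;
+		if (!write_bignum(&se, key->rsa->e) ||
+		    !write_bignum(&sn, key->rsa->n)) {
+			error("key_write_str: failed for RSA key");
+			goto done;
+		}
+		xasprintf(s, "%u %s %s", bits, se, sn);
+		success = 1;
+done:
+		if (se != NULL)
+			OPENSSL_free(se);
+		if (sn != NULL)
+			OPENSSL_free(sn);
+		return success;
 #endif
 #ifdef WITH_OPENSSL
 	case KEY_DSA:
@@ -958,7 +964,7 @@ key_write(const Key *key, FILE *f)
 	uu = xmalloc(2*len);
 	n = uuencode(blob, len, uu, 2*len);
 	if (n > 0) {
-		fprintf(f, "%s %s", key_ssh_name(key), uu);
+		xasprintf(s, "%s %s", key_ssh_name(key), uu);
 		success = 1;
 	}
 	free(blob);
@@ -967,6 +973,19 @@ key_write(const Key *key, FILE *f)
 	return success;
 }
 
+int
+key_write(const Key *key, FILE *f)
+{
+	char *s;
+
+	if (!key_write_str(key, &s))
+		return 0;
+	fputs(s, f);
+	free(s);
+
+	return 1;
+}
+
 const char *
 key_cert_type(const Key *k)
 {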
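Review bot: key_write_str (hunk at old lines 889-899) hands the caller an xasprintf'd string through `*s`, but nothing at the definition or the key.h prototype states that the caller owns it, or that in the visible failure paths (RSA1 `goto done`, uuencode returning n <= 0) `*s` is left untouched; the new key_write frees it, while callers in other files have only the prototype. A comment above the definition such as `/* Format key as one authorized_keys-style line in *s (allocated with xasprintf, caller frees). Returns 1 on success; on failure returns 0 and leaves *s unset. */` would make that contract explicit, and the same sentence belongs on the key.h declaration. In the RSA1 branch the `if (se != NULL)` / `if (sn != NULL)` guards around OPENSSL_free are only needed if the OpenSSL build in use rejects NULL there; they are harmless either way. key_write_str's body runs across several hunks and continues outside them.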
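--- a/key.h
+++ b/key.h
@@ -106,6 +106,7 @@ char *key_fingerprint(const Key *, enum fp_type, enum fp_rep);
 u_char		*key_fingerprint_raw(const Key *, enum fp_type, u_int *);
 const char	*key_type(const Key *);
 const char	*key_cert_type(const Key *);
+int		 key_write_str(const Key *, char **);
 int		 key_write(const Key *, FILE *);
 int		 key_read(Key *, char **);
 u_int		 key_size(const Key *);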
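--- a/ssh.h
+++ b/ssh.h
@@ -97,3 +97,15 @@
 
 /* Listen backlog for sshd, ssh-agent and forwarding sockets */
 #define SSH_LISTEN_BACKLOG		128
+
+/*
+ * Name of the environment variable containing the incoming key passed
+ * to AuthorizedKeysCommand.
+ */
+#define SSH_KEY_ENV_NAME "SSH_KEY"
+
+/*
+ * Name of the environment variable containing the incoming key fingerprint
+ * passed to AuthorizedKeysCommand.
+ */
+#define SSH_KEY_FINGERPRINT_ENV_NAME "SSH_KEY_FINGERPRINT"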
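--- a/sshd_config.5
+++ b/sshd_config.5
@@ -203,6 +203,11 @@ It will be invoked with a single argument of the username
 being authenticated, and should produce on standard output zero or
 more lines of authorized_keys output (see AUTHORIZED_KEYS in
 .Xr sshd 8 ) .
+The key being used for authentication (the key's type and the key text itself,
+separated by a space) will be available in the
+.Ev SSH_KEY
+environment variable, and the fingerprint of the key will be available in the
+.Ev SSH_KEY_FINGERPRINT environment variable.
 If a key supplied by AuthorizedKeysCommand does not successfully authenticate
 and authorize the user then public key authentication continues using the usual
 .Cm AuthorizedKeysFile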
