Attachment #48 for bug #172

Lines 52-57 Link Here

(-)auth-rsa.c (-10 / +27 lines)
52	* description of the options.	52	* description of the options.
53	*/	53	*/
54		54
		55	static int auth_rsa_file(struct passwd pw, BIGNUM client_n, char *file);
		56
55	/*	57	/*
56	* Performs the RSA authentication challenge-response dialog with the client,	58	* Performs the RSA authentication challenge-response dialog with the client,
57	* and returns true (non-zero) if the client gave the correct answer to	59	* and returns true (non-zero) if the client gave the correct answer to
Lines 126-132 Link Here
126	int	128	int
127	auth_rsa(struct passwd pw, BIGNUM client_n)	129	auth_rsa(struct passwd pw, BIGNUM client_n)
128	{	130	{
129	char line[8192], *file;	131	char *file;
		132	int authorized = 0;
		133	int authfileno = 0;
		134
		135	/* no user given */
		136	if (pw == NULL)
		137	return 0;
		138
		139	/* Iterate over all authorized keys files. */
		140	while ((file = authorized_keys_file(pw, authfileno++)) != NULL) {
		141	debug("trying public RSA key file %s", file);
		142	authorized = auth_rsa_file(pw, client_n, file);
		143	xfree(file);
		144	if (authorized == 1) {
		145	return 1;
		146	}
		147	}
		148	return 0;
		149	}
		150
		151	/* Do the hard work in authenticating the client */
		152	int
		153	auth_rsa_file(struct passwd pw, BIGNUM client_n, char *file)
		154	{
		155	char line[8192];
130	int authenticated;	156	int authenticated;
131	u_int bits;	157	u_int bits;
132	FILE *f;	158	FILE *f;
Lines 142-156 Link Here
142	/* Temporarily use the user's uid. */	168	/* Temporarily use the user's uid. */
143	temporarily_use_uid(pw);	169	temporarily_use_uid(pw);
144		170
145	/* The authorized keys. */
146	file = authorized_keys_file(pw);
147	debug("trying public RSA key file %s", file);
148
149	/* Fail quietly if file does not exist */	171	/* Fail quietly if file does not exist */
150	if (stat(file, &st) < 0) {	172	if (stat(file, &st) < 0) {
151	/* Restore the privileged uid. */	173	/* Restore the privileged uid. */
152	restore_uid();	174	restore_uid();
153	xfree(file);
154	return 0;	175	return 0;
155	}	176	}
156	/* Open the file containing the authorized keys. */	177	/* Open the file containing the authorized keys. */
Lines 160-171 Link Here
160	restore_uid();	181	restore_uid();
161	packet_send_debug("Could not open %.900s for reading.", file);	182	packet_send_debug("Could not open %.900s for reading.", file);
162	packet_send_debug("If your home is on an NFS volume, it may need to be world-readable.");	183	packet_send_debug("If your home is on an NFS volume, it may need to be world-readable.");
163	xfree(file);
164	return 0;	184	return 0;
165	}	185	}
166	if (options.strict_modes &&	186	if (options.strict_modes &&
167	secure_filename(f, file, pw, line, sizeof(line)) != 0) {	187	secure_filename(f, file, pw, line, sizeof(line)) != 0) {
168	xfree(file);
169	fclose(f);	188	fclose(f);
170	log("Authentication refused: %s", line);	189	log("Authentication refused: %s", line);
171	packet_send_debug("Authentication refused: %s", line);	190	packet_send_debug("Authentication refused: %s", line);
Lines 262-268 Link Here
262	fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);	281	fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
263	verbose("Found matching %s key: %s",	282	verbose("Found matching %s key: %s",
264	key_type(key), fp);	283	key_type(key), fp);
265	xfree(fp);
266		284
267	break;	285	break;
268	}	286	}
Lines 271-277 Link Here
271	restore_uid();	289	restore_uid();
272		290
273	/* Close the file. */	291	/* Close the file. */
274	xfree(file);
275	fclose(f);	292	fclose(f);
276		293
277	key_free(key);	294	key_free(key);




}

char *
authorized_keys_file(struct passwd *pw, int n)
{
	if (n >= options.num_authorized_keys_files)
		return NULL;
	return expand_filename(options.authorized_keys_files[n], pw);
char *
authorized_keys_file2(struct passwd *pw)
{
	return expand_filename(options.authorized_keys_file2, pw);
}

/* return ok if key exists in sysfile or userfile */

Lines 140-147 Link Here

(-)auth.h (-2 / +1 lines)
140	struct passwd * auth_get_user(void);	140	struct passwd * auth_get_user(void);
141		141
142	char expand_filename(const char , struct passwd *);	142	char expand_filename(const char , struct passwd *);
143	char authorized_keys_file(struct passwd );	143	char authorized_keys_file(struct passwd , int n);
144	char authorized_keys_file2(struct passwd );
145		144
146	int	145	int
147	secure_filename(FILE , const char , struct passwd , char , size_t);	146	secure_filename(FILE , const char , struct passwd , char , size_t);




{
	int success;
	char *file;
	int authfileno = 0;

	/* Iterate over all authorized_keys_files */
	while ((file = authorized_keys_file(pw, authfileno++) ) != NULL) {
		success = user_key_allowed2(pw, key, file);
		xfree(file);
		if (success)
			return success;
	}
	return 0;
	success = user_key_allowed2(pw, key, file);
	xfree(file);
	return success;
}

/* return 1 if given hostkey is allowed */




	options->verify_reverse_mapping = -1;
	options->client_alive_interval = -1;
	options->client_alive_count_max = -1;
	options->num_authorized_keys_files = 0;
	options->authorized_keys_file2 = NULL;
}

void

		options->client_alive_interval = 0;
	if (options->client_alive_count_max == -1)
		options->client_alive_count_max = 3;
	if (options->num_authorized_keys_files == 0) {
	    	/* fill default authorized keys files */
		options->authorized_keys_files[options->num_authorized_keys_files++] = _PATH_SSH_USER_PERMITTED_KEYS;
		options->authorized_keys_files[options->num_authorized_keys_files++] = _PATH_SSH_USER_PERMITTED_KEYS2;	
 	}
			options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
	}
	if (options->authorized_keys_file == NULL)
		options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
}

/* Keyword tokens. */

	sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
	sBanner, sVerifyReverseMapping, sHostbasedAuthentication,
	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
	sClientAliveCountMax, sAuthorizedKeysFile,
	sDeprecated 
} ServerOpCodes;

/* Textual representation of the tokens. */

	{ "clientaliveinterval", sClientAliveInterval },
	{ "clientalivecountmax", sClientAliveCountMax },
	{ "authorizedkeysfile", sAuthorizedKeysFile },
	{ "authorizedkeysfile2", sAuthorizedKeysFile },
	{ NULL, sBadOption }
};


	 * AuthorizedKeysFile	/etc/ssh_keys/%u
	 */
	case sAuthorizedKeysFile:
		intptr = &options->num_authorized_keys_files;
		if (*intptr >= MAX_AUTHKEYFILES)
			fatal("%s line %d: too many authorized keys "
			      "files specified (max %d).",
			      filename, linenum, MAX_AUTHKEYFILES);

		charptr = &options->authorized_keys_files[*intptr];
		goto parse_filename;

	case sClientAliveInterval:




#define MAX_DENY_GROUPS		256	/* Max # groups on deny list. */
#define MAX_SUBSYSTEMS		256	/* Max # subsystems. */
#define MAX_HOSTKEYS		256	/* Max # hostkeys. */
#define MAX_AUTHKEYFILES	256	/* Max # authorized_keys statements */

/* permit_root_login */
#define	PERMIT_NOT_SET		-1

					 * disconnect the session
					 */

	char   *authorized_keys_files[MAX_AUTHKEYFILES]; /* Files containing
							  * public keys */
	int	num_authorized_keys_files;
	int	pam_authentication_via_kbd_int;

}       ServerOptions;

Return to bug 172

Lines 315-329 Link Here

(-)auth.c (-8 / +4 lines)
315	}	315	}
316		316
317	char *	317	char *
318	authorized_keys_file(struct passwd *pw)	318	authorized_keys_file(struct passwd *pw, int n)
319	{	319	{
320	return expand_filename(options.authorized_keys_file, pw);	320	if (n >= options.num_authorized_keys_files)
321	}	321	return NULL;
322		322	return expand_filename(options.authorized_keys_files[n], pw);
323	char *
324	authorized_keys_file2(struct passwd *pw)
325	{
326	return expand_filename(options.authorized_keys_file2, pw);
327	}	323	}
328		324
329	/* return ok if key exists in sysfile or userfile */	325	/* return ok if key exists in sysfile or userfile */

Lines 735-752 Link Here

(-)auth2.c (-11 / +9 lines)
735	{	735	{
736	int success;	736	int success;
737	char *file;	737	char *file;
		738	int authfileno = 0;
738		739
739	file = authorized_keys_file(pw);	740	/* Iterate over all authorized_keys_files */
740	success = user_key_allowed2(pw, key, file);	741	while ((file = authorized_keys_file(pw, authfileno++) ) != NULL) {
741	xfree(file);	742	success = user_key_allowed2(pw, key, file);
742	if (success)	743	xfree(file);
743	return success;	744	if (success)
744		745	return success;
745	/* try suffix "2" for backward compat, too */	746	}
746	file = authorized_keys_file2(pw);	747	return 0;
747	success = user_key_allowed2(pw, key, file);
748	xfree(file);
749	return success;
750	}	748	}
751		749
752	/* return 1 if given hostkey is allowed */	750	/* return 1 if given hostkey is allowed */

Lines 108-115 Link Here

(-)servconf.c (-18 / +16 lines)
108	options->verify_reverse_mapping = -1;	108	options->verify_reverse_mapping = -1;
109	options->client_alive_interval = -1;	109	options->client_alive_interval = -1;
110	options->client_alive_count_max = -1;	110	options->client_alive_count_max = -1;
111	options->authorized_keys_file = NULL;	111	options->num_authorized_keys_files = 0;
112	options->authorized_keys_file2 = NULL;
113	}	112	}
114		113
115	void	114	void
Lines 226-240 Link Here
226	options->client_alive_interval = 0;	225	options->client_alive_interval = 0;
227	if (options->client_alive_count_max == -1)	226	if (options->client_alive_count_max == -1)
228	options->client_alive_count_max = 3;	227	options->client_alive_count_max = 3;
229	if (options->authorized_keys_file2 == NULL) {	228	if (options->num_authorized_keys_files == 0) {
230	/* authorized_keys_file2 falls back to authorized_keys_file */	229	/* fill default authorized keys files */
231	if (options->authorized_keys_file != NULL)	230	options->authorized_keys_files[options->num_authorized_keys_files++] = _PATH_SSH_USER_PERMITTED_KEYS;
232	options->authorized_keys_file2 = options->authorized_keys_file;	231	options->authorized_keys_files[options->num_authorized_keys_files++] = _PATH_SSH_USER_PERMITTED_KEYS2;
233	else	232	}
234	options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
235	}
236	if (options->authorized_keys_file == NULL)
237	options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
238	}	233	}
239		234
240	/* Keyword tokens. */	235	/* Keyword tokens. */
Lines 266-273 Link Here
266	sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,	261	sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
267	sBanner, sVerifyReverseMapping, sHostbasedAuthentication,	262	sBanner, sVerifyReverseMapping, sHostbasedAuthentication,
268	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,	263	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
269	sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,	264	sClientAliveCountMax, sAuthorizedKeysFile,
270	sDeprecated	265	sDeprecated
271	} ServerOpCodes;	266	} ServerOpCodes;
272		267
273	/* Textual representation of the tokens. */	268	/* Textual representation of the tokens. */
Lines 341-347 Link Here
341	{ "clientaliveinterval", sClientAliveInterval },	336	{ "clientaliveinterval", sClientAliveInterval },
342	{ "clientalivecountmax", sClientAliveCountMax },	337	{ "clientalivecountmax", sClientAliveCountMax },
343	{ "authorizedkeysfile", sAuthorizedKeysFile },	338	{ "authorizedkeysfile", sAuthorizedKeysFile },
344	{ "authorizedkeysfile2", sAuthorizedKeysFile2 },	339	{ "authorizedkeysfile2", sAuthorizedKeysFile },
345	{ NULL, sBadOption }	340	{ NULL, sBadOption }
346	};	341	};
347		342
Lines 843-852 Link Here
843	* AuthorizedKeysFile /etc/ssh_keys/%u	838	* AuthorizedKeysFile /etc/ssh_keys/%u
844	*/	839	*/
845	case sAuthorizedKeysFile:	840	case sAuthorizedKeysFile:
846	case sAuthorizedKeysFile2:	841	intptr = &options->num_authorized_keys_files;
847	charptr = (opcode == sAuthorizedKeysFile ) ?	842	if (*intptr >= MAX_AUTHKEYFILES)
848	&options->authorized_keys_file :	843	fatal("%s line %d: too many authorized keys "
849	&options->authorized_keys_file2;	844	"files specified (max %d).",
		845	filename, linenum, MAX_AUTHKEYFILES);
		846
		847	charptr = &options->authorized_keys_files[*intptr];
850	goto parse_filename;	848	goto parse_filename;
851		849
852	case sClientAliveInterval:	850	case sClientAliveInterval:

Lines 24-29 Link Here

(-)servconf.h (-2 / +4 lines)
24	#define MAX_DENY_GROUPS 256 /* Max # groups on deny list. */	24	#define MAX_DENY_GROUPS 256 /* Max # groups on deny list. */
25	#define MAX_SUBSYSTEMS 256 /* Max # subsystems. */	25	#define MAX_SUBSYSTEMS 256 /* Max # subsystems. */
26	#define MAX_HOSTKEYS 256 /* Max # hostkeys. */	26	#define MAX_HOSTKEYS 256 /* Max # hostkeys. */
		27	#define MAX_AUTHKEYFILES 256 /* Max # authorized_keys statements */
27		28
28	/* permit_root_login */	29	/* permit_root_login */
29	#define PERMIT_NOT_SET -1	30	#define PERMIT_NOT_SET -1
Lines 127-134 Link Here
127	* disconnect the session	128	* disconnect the session
128	*/	129	*/
129		130
130	char authorized_keys_file; / File containing public keys */	131	char authorized_keys_files[MAX_AUTHKEYFILES]; / Files containing
131	char *authorized_keys_file2;	132	* public keys */
		133	int num_authorized_keys_files;
132	int pam_authentication_via_kbd_int;	134	int pam_authentication_via_kbd_int;
133		135
134	} ServerOptions;	136	} ServerOptions;