annotate svr-authpubkey.c @ 1653:76189c9ffea2

External Public-Key Authentication API (#72) * Implemented dynamic loading of an external plug-in shared library to delegate public key authentication * Moved conditional compilation of the plugin infrastructure into the configure.ac script to be able to add -ldl to dropbear build only when the flag is enabled * Added tags file to the ignore list * Updated API to have the constructor to return function pointers in the pliugin instance. Added support for passing user name to the checkpubkey function. Added options to the session returned by the plugin and have dropbear to parse and process them * Added -rdynamic to the linker flags when EPKA is enabled * Changed the API to pass a previously created session to the checkPubKey function (created during preauth) * Added documentation to the API * Added parameter addrstring to plugin creation function * Modified the API to retrieve the auth options. Instead of having them as field of the EPKASession struct, they are stored internally (plugin-dependent) in the plugin/session and retrieved through a pointer to a function (in the session) * Changed option string to be a simple char * instead of unsigned char *
author fabriziobertocci <fabriziobertocci@gmail.com>
date Wed, 15 May 2019 09:43:57 -0400
parents 592a18dac250
children cc0fc5131c5c
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
1 /*
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
2 * Dropbear - a SSH2 server
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
3 *
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
4 * Copyright (c) 2002,2003 Matt Johnston
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
5 * All rights reserved.
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
6 *
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
7 * Permission is hereby granted, free of charge, to any person obtaining a copy
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
8 * of this software and associated documentation files (the "Software"), to deal
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
9 * in the Software without restriction, including without limitation the rights
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
10 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
11 * copies of the Software, and to permit persons to whom the Software is
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
12 * furnished to do so, subject to the following conditions:
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
13 *
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
14 * The above copyright notice and this permission notice shall be included in
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
15 * all copies or substantial portions of the Software.
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
16 *
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
17 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
18 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
19 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
20 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
21 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
22 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
23 * SOFTWARE. */
475
52a644e7b8e1 * Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents: 464
diff changeset
24 /*
52a644e7b8e1 * Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents: 464
diff changeset
25 * This file incorporates work covered by the following copyright and
52a644e7b8e1 * Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents: 464
diff changeset
26 * permission notice:
52a644e7b8e1 * Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents: 464
diff changeset
27 *
52a644e7b8e1 * Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents: 464
diff changeset
28 * Copyright (c) 2000 Markus Friedl. All rights reserved.
52a644e7b8e1 * Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents: 464
diff changeset
29 *
52a644e7b8e1 * Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents: 464
diff changeset
30 * Redistribution and use in source and binary forms, with or without
52a644e7b8e1 * Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents: 464
diff changeset
31 * modification, are permitted provided that the following conditions
52a644e7b8e1 * Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents: 464
diff changeset
32 * are met:
52a644e7b8e1 * Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents: 464
diff changeset
33 * 1. Redistributions of source code must retain the above copyright
52a644e7b8e1 * Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents: 464
diff changeset
34 * notice, this list of conditions and the following disclaimer.
52a644e7b8e1 * Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents: 464
diff changeset
35 * 2. Redistributions in binary form must reproduce the above copyright
52a644e7b8e1 * Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents: 464
diff changeset
36 * notice, this list of conditions and the following disclaimer in the
52a644e7b8e1 * Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents: 464
diff changeset
37 * documentation and/or other materials provided with the distribution.
52a644e7b8e1 * Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents: 464
diff changeset
38 *
52a644e7b8e1 * Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents: 464
diff changeset
39 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
52a644e7b8e1 * Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents: 464
diff changeset
40 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
52a644e7b8e1 * Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents: 464
diff changeset
41 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
52a644e7b8e1 * Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents: 464
diff changeset
42 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
52a644e7b8e1 * Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents: 464
diff changeset
43 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
52a644e7b8e1 * Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents: 464
diff changeset
44 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
52a644e7b8e1 * Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents: 464
diff changeset
45 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
52a644e7b8e1 * Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents: 464
diff changeset
46 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
52a644e7b8e1 * Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents: 464
diff changeset
47 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
52a644e7b8e1 * Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents: 464
diff changeset
48 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
52a644e7b8e1 * Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents: 464
diff changeset
49 *
52a644e7b8e1 * Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents: 464
diff changeset
50 * This copyright and permission notice applies to the code parsing public keys
52a644e7b8e1 * Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents: 464
diff changeset
51 * options string which can also be found in OpenSSH auth2-pubkey.c file
52a644e7b8e1 * Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents: 464
diff changeset
52 * (user_key_allowed2). It has been adapted to work with buffers.
52a644e7b8e1 * Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents: 464
diff changeset
53 *
52a644e7b8e1 * Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents: 464
diff changeset
54 */
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
55
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
56 /* Process a pubkey auth request */
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
57
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
58 #include "includes.h"
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
59 #include "session.h"
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
60 #include "dbutil.h"
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
61 #include "buffer.h"
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
62 #include "signkey.h"
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
63 #include "auth.h"
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
64 #include "ssh.h"
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
65 #include "packet.h"
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
66 #include "algo.h"
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
67
1295
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents: 1276
diff changeset
68 #if DROPBEAR_SVR_PUBKEY_AUTH
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
69
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
70 #define MIN_AUTHKEYS_LINE 10 /* "ssh-rsa AB" - short but doesn't matter */
51
095d689fed16 - Hostkey checking is mostly there, just aren't appending yet.
Matt Johnston <matt@ucc.asn.au>
parents: 44
diff changeset
71 #define MAX_AUTHKEYS_LINE 4200 /* max length of a line in authkeys */
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
72
1459
06d52bcb8094 Pointer parameter could be declared as pointing to const
Francois Perrad <francois.perrad@gadz.org>
parents: 1376
diff changeset
73 static int checkpubkey(const char* algo, unsigned int algolen,
06d52bcb8094 Pointer parameter could be declared as pointing to const
Francois Perrad <francois.perrad@gadz.org>
parents: 1376
diff changeset
74 const unsigned char* keyblob, unsigned int keybloblen);
1276
9169e4e7cbee fix empty C prototypes
Francois Perrad <francois.perrad@gadz.org>
parents: 1122
diff changeset
75 static int checkpubkeyperms(void);
1459
06d52bcb8094 Pointer parameter could be declared as pointing to const
Francois Perrad <francois.perrad@gadz.org>
parents: 1376
diff changeset
76 static void send_msg_userauth_pk_ok(const char* algo, unsigned int algolen,
06d52bcb8094 Pointer parameter could be declared as pointing to const
Francois Perrad <francois.perrad@gadz.org>
parents: 1376
diff changeset
77 const unsigned char* keyblob, unsigned int keybloblen);
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
78 static int checkfileperm(char * filename);
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
79
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
80 /* process a pubkey auth request, sending success or failure message as
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
81 * appropriate */
1616
5d2d1021ca00 Wait to fail invalid usernames
Matt Johnston <matt@ucc.asn.au>
parents: 1500
diff changeset
82 void svr_auth_pubkey(int valid_user) {
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
83
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
84 unsigned char testkey; /* whether we're just checking if a key is usable */
1110
83025b7063ec Turn checkpubkey() and send_msg_userauth_pk_ok()'s algo argument into char *
Gaël PORTAY <gael.portay@gmail.com>
parents: 1094
diff changeset
85 char* algo = NULL; /* pubkey algo */
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
86 unsigned int algolen;
70
b0316ce64e4b Merging in the changes from 0.41-0.43 main Dropbear tree
Matt Johnston <matt@ucc.asn.au>
parents: 68
diff changeset
87 unsigned char* keyblob = NULL;
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
88 unsigned int keybloblen;
1059
703c7cdd2577 Fix pubkey auth after change to reuse ses.readbuf as ses.payload
Matt Johnston <matt@ucc.asn.au>
parents: 853
diff changeset
89 unsigned int sign_payload_length;
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
90 buffer * signbuf = NULL;
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
91 sign_key * key = NULL;
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
92 char* fp = NULL;
852
7540c0822374 Various cleanups and fixes for warnings
Matt Johnston <matt@ucc.asn.au>
parents: 762
diff changeset
93 enum signkey_type type = -1;
1653
76189c9ffea2 External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents: 1633
diff changeset
94 int auth_failure = 1;
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
95
165
0cfba3034be5 Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents: 158
diff changeset
96 TRACE(("enter pubkeyauth"))
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
97
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
98 /* 0 indicates user just wants to check if key can be used, 1 is an
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
99 * actual attempt*/
179
161557a9dde8 * fix longstanding bug with connections being closed on failure to
Matt Johnston <matt@ucc.asn.au>
parents: 165
diff changeset
100 testkey = (buf_getbool(ses.payload) == 0);
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
101
1122
aaf576b27a10 Merge pull request #13 from gazoo74/fix-warnings
Matt Johnston <matt@ucc.asn.au>
parents: 1110
diff changeset
102 algo = buf_getstring(ses.payload, &algolen);
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
103 keybloblen = buf_getint(ses.payload);
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
104 keyblob = buf_getptr(ses.payload, keybloblen);
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
105
1616
5d2d1021ca00 Wait to fail invalid usernames
Matt Johnston <matt@ucc.asn.au>
parents: 1500
diff changeset
106 if (!valid_user) {
5d2d1021ca00 Wait to fail invalid usernames
Matt Johnston <matt@ucc.asn.au>
parents: 1500
diff changeset
107 /* Return failure once we have read the contents of the packet
5d2d1021ca00 Wait to fail invalid usernames
Matt Johnston <matt@ucc.asn.au>
parents: 1500
diff changeset
108 required to validate a public key.
5d2d1021ca00 Wait to fail invalid usernames
Matt Johnston <matt@ucc.asn.au>
parents: 1500
diff changeset
109 Avoids blind user enumeration though it isn't possible to prevent
5d2d1021ca00 Wait to fail invalid usernames
Matt Johnston <matt@ucc.asn.au>
parents: 1500
diff changeset
110 testing for user existence if the public key is known */
5d2d1021ca00 Wait to fail invalid usernames
Matt Johnston <matt@ucc.asn.au>
parents: 1500
diff changeset
111 send_msg_userauth_failure(0, 0);
5d2d1021ca00 Wait to fail invalid usernames
Matt Johnston <matt@ucc.asn.au>
parents: 1500
diff changeset
112 goto out;
5d2d1021ca00 Wait to fail invalid usernames
Matt Johnston <matt@ucc.asn.au>
parents: 1500
diff changeset
113 }
1653
76189c9ffea2 External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents: 1633
diff changeset
114 #if DROPBEAR_EPKA
76189c9ffea2 External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents: 1633
diff changeset
115 if (svr_ses.epka_instance != NULL) {
76189c9ffea2 External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents: 1633
diff changeset
116 char *options_buf;
76189c9ffea2 External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents: 1633
diff changeset
117 if (svr_ses.epka_instance->checkpubkey(
76189c9ffea2 External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents: 1633
diff changeset
118 svr_ses.epka_instance,
76189c9ffea2 External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents: 1633
diff changeset
119 &ses.epka_session,
76189c9ffea2 External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents: 1633
diff changeset
120 algo,
76189c9ffea2 External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents: 1633
diff changeset
121 algolen,
76189c9ffea2 External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents: 1633
diff changeset
122 keyblob,
76189c9ffea2 External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents: 1633
diff changeset
123 keybloblen,
76189c9ffea2 External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents: 1633
diff changeset
124 ses.authstate.username) == DROPBEAR_SUCCESS) {
76189c9ffea2 External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents: 1633
diff changeset
125 /* Success */
76189c9ffea2 External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents: 1633
diff changeset
126 auth_failure = 0;
1616
5d2d1021ca00 Wait to fail invalid usernames
Matt Johnston <matt@ucc.asn.au>
parents: 1500
diff changeset
127
1653
76189c9ffea2 External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents: 1633
diff changeset
128 /* Options provided? */
76189c9ffea2 External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents: 1633
diff changeset
129 options_buf = ses.epka_session->get_options(ses.epka_session);
76189c9ffea2 External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents: 1633
diff changeset
130 if (options_buf) {
76189c9ffea2 External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents: 1633
diff changeset
131 struct buf temp_buf = {
76189c9ffea2 External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents: 1633
diff changeset
132 .data = (unsigned char *)options_buf,
76189c9ffea2 External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents: 1633
diff changeset
133 .len = strlen(options_buf),
76189c9ffea2 External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents: 1633
diff changeset
134 .pos = 0,
76189c9ffea2 External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents: 1633
diff changeset
135 .size = 0
76189c9ffea2 External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents: 1633
diff changeset
136 };
76189c9ffea2 External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents: 1633
diff changeset
137 int ret = svr_add_pubkey_options(&temp_buf, 0, "N/A");
76189c9ffea2 External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents: 1633
diff changeset
138 if (ret == DROPBEAR_FAILURE) {
76189c9ffea2 External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents: 1633
diff changeset
139 /* Fail immediately as the plugin provided wrong options */
76189c9ffea2 External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents: 1633
diff changeset
140 send_msg_userauth_failure(0, 0);
76189c9ffea2 External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents: 1633
diff changeset
141 goto out;
76189c9ffea2 External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents: 1633
diff changeset
142 }
76189c9ffea2 External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents: 1633
diff changeset
143 }
76189c9ffea2 External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents: 1633
diff changeset
144 }
76189c9ffea2 External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents: 1633
diff changeset
145 }
76189c9ffea2 External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents: 1633
diff changeset
146 #endif
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
147 /* check if the key is valid */
1653
76189c9ffea2 External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents: 1633
diff changeset
148 if (auth_failure) {
76189c9ffea2 External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents: 1633
diff changeset
149 auth_failure = checkpubkey(algo, algolen, keyblob, keybloblen) == DROPBEAR_FAILURE;
76189c9ffea2 External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents: 1633
diff changeset
150 }
76189c9ffea2 External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents: 1633
diff changeset
151
76189c9ffea2 External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents: 1633
diff changeset
152 if (auth_failure) {
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
153 send_msg_userauth_failure(0, 0);
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
154 goto out;
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
155 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
156
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
157 /* let them know that the key is ok to use */
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
158 if (testkey) {
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
159 send_msg_userauth_pk_ok(algo, algolen, keyblob, keybloblen);
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
160 goto out;
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
161 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
162
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
163 /* now we can actually verify the signature */
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
164
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
165 /* get the key */
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
166 key = new_sign_key();
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
167 type = DROPBEAR_SIGNKEY_ANY;
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
168 if (buf_get_pub_key(ses.payload, key, &type) == DROPBEAR_FAILURE) {
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
169 send_msg_userauth_failure(0, 1);
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
170 goto out;
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
171 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
172
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
173 /* create the data which has been signed - this a string containing
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
174 * session_id, concatenated with the payload packet up to the signature */
1059
703c7cdd2577 Fix pubkey auth after change to reuse ses.readbuf as ses.payload
Matt Johnston <matt@ucc.asn.au>
parents: 853
diff changeset
175 assert(ses.payload_beginning <= ses.payload->pos);
703c7cdd2577 Fix pubkey auth after change to reuse ses.readbuf as ses.payload
Matt Johnston <matt@ucc.asn.au>
parents: 853
diff changeset
176 sign_payload_length = ses.payload->pos - ses.payload_beginning;
762
a78a38e402d1 - Fix various hardcoded uses of SHA1
Matt Johnston <matt@ucc.asn.au>
parents: 761
diff changeset
177 signbuf = buf_new(ses.payload->pos + 4 + ses.session_id->len);
761
ac2158e3e403 ecc kind of works, needs fixing/testing
Matt Johnston <matt@ucc.asn.au>
parents: 594
diff changeset
178 buf_putbufstring(signbuf, ses.session_id);
1059
703c7cdd2577 Fix pubkey auth after change to reuse ses.readbuf as ses.payload
Matt Johnston <matt@ucc.asn.au>
parents: 853
diff changeset
179
703c7cdd2577 Fix pubkey auth after change to reuse ses.readbuf as ses.payload
Matt Johnston <matt@ucc.asn.au>
parents: 853
diff changeset
180 /* The entire contents of the payload prior. */
703c7cdd2577 Fix pubkey auth after change to reuse ses.readbuf as ses.payload
Matt Johnston <matt@ucc.asn.au>
parents: 853
diff changeset
181 buf_setpos(ses.payload, ses.payload_beginning);
703c7cdd2577 Fix pubkey auth after change to reuse ses.readbuf as ses.payload
Matt Johnston <matt@ucc.asn.au>
parents: 853
diff changeset
182 buf_putbytes(signbuf,
703c7cdd2577 Fix pubkey auth after change to reuse ses.readbuf as ses.payload
Matt Johnston <matt@ucc.asn.au>
parents: 853
diff changeset
183 buf_getptr(ses.payload, sign_payload_length),
703c7cdd2577 Fix pubkey auth after change to reuse ses.readbuf as ses.payload
Matt Johnston <matt@ucc.asn.au>
parents: 853
diff changeset
184 sign_payload_length);
703c7cdd2577 Fix pubkey auth after change to reuse ses.readbuf as ses.payload
Matt Johnston <matt@ucc.asn.au>
parents: 853
diff changeset
185 buf_incrpos(ses.payload, sign_payload_length);
703c7cdd2577 Fix pubkey auth after change to reuse ses.readbuf as ses.payload
Matt Johnston <matt@ucc.asn.au>
parents: 853
diff changeset
186
44
45edf30ea0a6 Improved signkey code
Matt Johnston <matt@ucc.asn.au>
parents: 33
diff changeset
187 buf_setpos(signbuf, 0);
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
188
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
189 /* ... and finally verify the signature */
51
095d689fed16 - Hostkey checking is mostly there, just aren't appending yet.
Matt Johnston <matt@ucc.asn.au>
parents: 44
diff changeset
190 fp = sign_key_fingerprint(keyblob, keybloblen);
761
ac2158e3e403 ecc kind of works, needs fixing/testing
Matt Johnston <matt@ucc.asn.au>
parents: 594
diff changeset
191 if (buf_verify(ses.payload, key, signbuf) == DROPBEAR_SUCCESS) {
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
192 dropbear_log(LOG_NOTICE,
594
a98a2138364a Improve capitalisation for all logged strings
Matt Johnston <matt@ucc.asn.au>
parents: 476
diff changeset
193 "Pubkey auth succeeded for '%s' with key %s from %s",
464
4317be8b7cf9 Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents: 436
diff changeset
194 ses.authstate.pw_name, fp, svr_ses.addrstring);
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
195 send_msg_userauth_success();
1653
76189c9ffea2 External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents: 1633
diff changeset
196 #if DROPBEAR_EPKA
76189c9ffea2 External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents: 1633
diff changeset
197 if ((ses.epka_session != NULL) && (svr_ses.epka_instance->auth_success != NULL)) {
76189c9ffea2 External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents: 1633
diff changeset
198 /* Was authenticated through the external plugin. tell plugin that signature verification was ok */
76189c9ffea2 External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents: 1633
diff changeset
199 svr_ses.epka_instance->auth_success(ses.epka_session);
76189c9ffea2 External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents: 1633
diff changeset
200 }
76189c9ffea2 External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents: 1633
diff changeset
201 #endif
76189c9ffea2 External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents: 1633
diff changeset
202
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
203 } else {
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
204 dropbear_log(LOG_WARNING,
594
a98a2138364a Improve capitalisation for all logged strings
Matt Johnston <matt@ucc.asn.au>
parents: 476
diff changeset
205 "Pubkey auth bad signature for '%s' with key %s from %s",
464
4317be8b7cf9 Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents: 436
diff changeset
206 ses.authstate.pw_name, fp, svr_ses.addrstring);
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
207 send_msg_userauth_failure(0, 1);
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
208 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
209 m_free(fp);
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
210
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
211 out:
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
212 /* cleanup stuff */
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
213 if (signbuf) {
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
214 buf_free(signbuf);
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
215 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
216 if (algo) {
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
217 m_free(algo);
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
218 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
219 if (key) {
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
220 sign_key_free(key);
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
221 key = NULL;
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
222 }
1598
252b406d0e9a avoid leak of pubkey_options
Matt Johnston <matt@ucc.asn.au>
parents: 1558
diff changeset
223 /* Retain pubkey options only if auth succeeded */
252b406d0e9a avoid leak of pubkey_options
Matt Johnston <matt@ucc.asn.au>
parents: 1558
diff changeset
224 if (!ses.authstate.authdone) {
252b406d0e9a avoid leak of pubkey_options
Matt Johnston <matt@ucc.asn.au>
parents: 1558
diff changeset
225 svr_pubkey_options_cleanup();
252b406d0e9a avoid leak of pubkey_options
Matt Johnston <matt@ucc.asn.au>
parents: 1558
diff changeset
226 }
165
0cfba3034be5 Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents: 158
diff changeset
227 TRACE(("leave pubkeyauth"))
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
228 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
229
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
230 /* Reply that the key is valid for auth, this is sent when the user sends
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
231 * a straight copy of their pubkey to test, to avoid having to perform
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
232 * expensive signing operations with a worthless key */
1459
06d52bcb8094 Pointer parameter could be declared as pointing to const
Francois Perrad <francois.perrad@gadz.org>
parents: 1376
diff changeset
233 static void send_msg_userauth_pk_ok(const char* algo, unsigned int algolen,
06d52bcb8094 Pointer parameter could be declared as pointing to const
Francois Perrad <francois.perrad@gadz.org>
parents: 1376
diff changeset
234 const unsigned char* keyblob, unsigned int keybloblen) {
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
235
165
0cfba3034be5 Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents: 158
diff changeset
236 TRACE(("enter send_msg_userauth_pk_ok"))
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
237 CHECKCLEARTOWRITE();
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
238
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
239 buf_putbyte(ses.writepayload, SSH_MSG_USERAUTH_PK_OK);
1122
aaf576b27a10 Merge pull request #13 from gazoo74/fix-warnings
Matt Johnston <matt@ucc.asn.au>
parents: 1110
diff changeset
240 buf_putstring(ses.writepayload, algo, algolen);
aaf576b27a10 Merge pull request #13 from gazoo74/fix-warnings
Matt Johnston <matt@ucc.asn.au>
parents: 1110
diff changeset
241 buf_putstring(ses.writepayload, (const char*)keyblob, keybloblen);
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
242
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
243 encrypt_packet();
165
0cfba3034be5 Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents: 158
diff changeset
244 TRACE(("leave send_msg_userauth_pk_ok"))
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
245
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
246 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
247
1459
06d52bcb8094 Pointer parameter could be declared as pointing to const
Francois Perrad <francois.perrad@gadz.org>
parents: 1376
diff changeset
248 static int checkpubkey_line(buffer* line, int line_num, const char* filename,
1368
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
249 const char* algo, unsigned int algolen,
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
250 const unsigned char* keyblob, unsigned int keybloblen) {
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
251 buffer *options_buf = NULL;
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
252 unsigned int pos, len;
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
253 int ret = DROPBEAR_FAILURE;
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
254
1376
9e9c8d37fd56 limit input size
Matt Johnston <matt@ucc.asn.au>
parents: 1372
diff changeset
255 if (line->len < MIN_AUTHKEYS_LINE || line->len > MAX_AUTHKEYS_LINE) {
1452
15d4b821bcc9 fix checkpubkey_line function name for TRACE
Matt Johnston <matt@ucc.asn.au>
parents: 1451
diff changeset
256 TRACE(("checkpubkey_line: bad line length %d", line->len))
1600
dc7c9fdb3716 don't allow null characters in authorized_keys
Matt Johnston <matt@ucc.asn.au>
parents: 1598
diff changeset
257 goto out;
dc7c9fdb3716 don't allow null characters in authorized_keys
Matt Johnston <matt@ucc.asn.au>
parents: 1598
diff changeset
258 }
dc7c9fdb3716 don't allow null characters in authorized_keys
Matt Johnston <matt@ucc.asn.au>
parents: 1598
diff changeset
259
dc7c9fdb3716 don't allow null characters in authorized_keys
Matt Johnston <matt@ucc.asn.au>
parents: 1598
diff changeset
260 if (memchr(line->data, 0x0, line->len) != NULL) {
dc7c9fdb3716 don't allow null characters in authorized_keys
Matt Johnston <matt@ucc.asn.au>
parents: 1598
diff changeset
261 TRACE(("checkpubkey_line: bad line has null char"))
dc7c9fdb3716 don't allow null characters in authorized_keys
Matt Johnston <matt@ucc.asn.au>
parents: 1598
diff changeset
262 goto out;
1368
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
263 }
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
264
1372
de1d895b1cae don't exit encountering short lines
Matt Johnston <matt@ucc.asn.au>
parents: 1368
diff changeset
265 /* compare the algorithm. +3 so we have enough bytes to read a space and some base64 characters too. */
de1d895b1cae don't exit encountering short lines
Matt Johnston <matt@ucc.asn.au>
parents: 1368
diff changeset
266 if (line->pos + algolen+3 > line->len) {
de1d895b1cae don't exit encountering short lines
Matt Johnston <matt@ucc.asn.au>
parents: 1368
diff changeset
267 goto out;
de1d895b1cae don't exit encountering short lines
Matt Johnston <matt@ucc.asn.au>
parents: 1368
diff changeset
268 }
1368
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
269 /* check the key type */
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
270 if (strncmp((const char *) buf_getptr(line, algolen), algo, algolen) != 0) {
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
271 int is_comment = 0;
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
272 unsigned char *options_start = NULL;
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
273 int options_len = 0;
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
274 int escape, quoted;
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
275
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
276 /* skip over any comments or leading whitespace */
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
277 while (line->pos < line->len) {
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
278 const char c = buf_getbyte(line);
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
279 if (c == ' ' || c == '\t') {
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
280 continue;
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
281 } else if (c == '#') {
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
282 is_comment = 1;
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
283 break;
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
284 }
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
285 buf_incrpos(line, -1);
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
286 break;
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
287 }
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
288 if (is_comment) {
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
289 /* next line */
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
290 goto out;
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
291 }
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
292
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
293 /* remember start of options */
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
294 options_start = buf_getptr(line, 1);
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
295 quoted = 0;
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
296 escape = 0;
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
297 options_len = 0;
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
298
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
299 /* figure out where the options are */
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
300 while (line->pos < line->len) {
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
301 const char c = buf_getbyte(line);
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
302 if (!quoted && (c == ' ' || c == '\t')) {
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
303 break;
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
304 }
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
305 escape = (!escape && c == '\\');
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
306 if (!escape && c == '"') {
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
307 quoted = !quoted;
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
308 }
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
309 options_len++;
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
310 }
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
311 options_buf = buf_new(options_len);
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
312 buf_putbytes(options_buf, options_start, options_len);
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
313
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
314 /* compare the algorithm. +3 so we have enough bytes to read a space and some base64 characters too. */
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
315 if (line->pos + algolen+3 > line->len) {
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
316 goto out;
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
317 }
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
318 if (strncmp((const char *) buf_getptr(line, algolen), algo, algolen) != 0) {
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
319 goto out;
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
320 }
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
321 }
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
322 buf_incrpos(line, algolen);
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
323
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
324 /* check for space (' ') character */
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
325 if (buf_getbyte(line) != ' ') {
1452
15d4b821bcc9 fix checkpubkey_line function name for TRACE
Matt Johnston <matt@ucc.asn.au>
parents: 1451
diff changeset
326 TRACE(("checkpubkey_line: space character expected, isn't there"))
1368
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
327 goto out;
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
328 }
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
329
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
330 /* truncate the line at the space after the base64 data */
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
331 pos = line->pos;
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
332 for (len = 0; line->pos < line->len; len++) {
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
333 if (buf_getbyte(line) == ' ') break;
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
334 }
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
335 buf_setpos(line, pos);
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
336 buf_setlen(line, line->pos + len);
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
337
1452
15d4b821bcc9 fix checkpubkey_line function name for TRACE
Matt Johnston <matt@ucc.asn.au>
parents: 1451
diff changeset
338 TRACE(("checkpubkey_line: line pos = %d len = %d", line->pos, line->len))
1368
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
339
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
340 ret = cmp_base64_key(keyblob, keybloblen, (const unsigned char *) algo, algolen, line, NULL);
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
341
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
342 if (ret == DROPBEAR_SUCCESS && options_buf) {
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
343 ret = svr_add_pubkey_options(options_buf, line_num, filename);
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
344 }
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
345
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
346 out:
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
347 if (options_buf) {
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
348 buf_free(options_buf);
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
349 }
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
350 return ret;
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
351 }
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
352
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
353
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
354 /* Checks whether a specified publickey (and associated algorithm) is an
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
355 * acceptable key for authentication */
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
356 /* Returns DROPBEAR_SUCCESS if key is ok for auth, DROPBEAR_FAILURE otherwise */
1459
06d52bcb8094 Pointer parameter could be declared as pointing to const
Francois Perrad <francois.perrad@gadz.org>
parents: 1376
diff changeset
357 static int checkpubkey(const char* algo, unsigned int algolen,
06d52bcb8094 Pointer parameter could be declared as pointing to const
Francois Perrad <francois.perrad@gadz.org>
parents: 1376
diff changeset
358 const unsigned char* keyblob, unsigned int keybloblen) {
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
359
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
360 FILE * authfile = NULL;
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
361 char * filename = NULL;
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
362 int ret = DROPBEAR_FAILURE;
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
363 buffer * line = NULL;
1368
10df23099071 split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents: 1342
diff changeset
364 unsigned int len;
476
df7f7da7f6e4 - Rework pubkey options to be more careful about buffer lengths. Needs review.
Matt Johnston <matt@ucc.asn.au>
parents: 475
diff changeset
365 int line_num;
1330
0d889b068123 switch user when opening authorized_keys
Matt Johnston <matt@ucc.asn.au>
parents: 1276
diff changeset
366 uid_t origuid;
0d889b068123 switch user when opening authorized_keys
Matt Johnston <matt@ucc.asn.au>
parents: 1276
diff changeset
367 gid_t origgid;
475
52a644e7b8e1 * Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents: 464
diff changeset
368
165
0cfba3034be5 Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents: 158
diff changeset
369 TRACE(("enter checkpubkey"))
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
370
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
371 /* check that we can use the algo */
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
372 if (have_algo(algo, algolen, sshhostkey) == DROPBEAR_FAILURE) {
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
373 dropbear_log(LOG_WARNING,
594
a98a2138364a Improve capitalisation for all logged strings
Matt Johnston <matt@ucc.asn.au>
parents: 476
diff changeset
374 "Pubkey auth attempt with unknown algo for '%s' from %s",
464
4317be8b7cf9 Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents: 436
diff changeset
375 ses.authstate.pw_name, svr_ses.addrstring);
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
376 goto out;
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
377 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
378
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
379 /* check file permissions, also whether file exists */
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
380 if (checkpubkeyperms() == DROPBEAR_FAILURE) {
165
0cfba3034be5 Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents: 158
diff changeset
381 TRACE(("bad authorized_keys permissions, or file doesn't exist"))
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
382 goto out;
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
383 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
384
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
385 /* we don't need to check pw and pw_dir for validity, since
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
386 * its been done in checkpubkeyperms. */
464
4317be8b7cf9 Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents: 436
diff changeset
387 len = strlen(ses.authstate.pw_dir);
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
388 /* allocate max required pathname storage,
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
389 * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
390 filename = m_malloc(len + 22);
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
391 snprintf(filename, len + 22, "%s/.ssh/authorized_keys",
464
4317be8b7cf9 Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents: 436
diff changeset
392 ses.authstate.pw_dir);
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
393
1633
592a18dac250 Support servers without multiple user support (#76)
Patrick Stewart <patstew@gmail.com>
parents: 1630
diff changeset
394 #if DROPBEAR_SVR_MULTIUSER
1330
0d889b068123 switch user when opening authorized_keys
Matt Johnston <matt@ucc.asn.au>
parents: 1276
diff changeset
395 /* open the file as the authenticating user. */
0d889b068123 switch user when opening authorized_keys
Matt Johnston <matt@ucc.asn.au>
parents: 1276
diff changeset
396 origuid = getuid();
0d889b068123 switch user when opening authorized_keys
Matt Johnston <matt@ucc.asn.au>
parents: 1276
diff changeset
397 origgid = getgid();
0d889b068123 switch user when opening authorized_keys
Matt Johnston <matt@ucc.asn.au>
parents: 1276
diff changeset
398 if ((setegid(ses.authstate.pw_gid)) < 0 ||
0d889b068123 switch user when opening authorized_keys
Matt Johnston <matt@ucc.asn.au>
parents: 1276
diff changeset
399 (seteuid(ses.authstate.pw_uid)) < 0) {
0d889b068123 switch user when opening authorized_keys
Matt Johnston <matt@ucc.asn.au>
parents: 1276
diff changeset
400 dropbear_exit("Failed to set euid");
0d889b068123 switch user when opening authorized_keys
Matt Johnston <matt@ucc.asn.au>
parents: 1276
diff changeset
401 }
1633
592a18dac250 Support servers without multiple user support (#76)
Patrick Stewart <patstew@gmail.com>
parents: 1630
diff changeset
402 #endif
1330
0d889b068123 switch user when opening authorized_keys
Matt Johnston <matt@ucc.asn.au>
parents: 1276
diff changeset
403
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
404 authfile = fopen(filename, "r");
1330
0d889b068123 switch user when opening authorized_keys
Matt Johnston <matt@ucc.asn.au>
parents: 1276
diff changeset
405
1633
592a18dac250 Support servers without multiple user support (#76)
Patrick Stewart <patstew@gmail.com>
parents: 1630
diff changeset
406 #if DROPBEAR_SVR_MULTIUSER
1330
0d889b068123 switch user when opening authorized_keys
Matt Johnston <matt@ucc.asn.au>
parents: 1276
diff changeset
407 if ((seteuid(origuid)) < 0 ||
0d889b068123 switch user when opening authorized_keys
Matt Johnston <matt@ucc.asn.au>
parents: 1276
diff changeset
408 (setegid(origgid)) < 0) {
0d889b068123 switch user when opening authorized_keys
Matt Johnston <matt@ucc.asn.au>
parents: 1276
diff changeset
409 dropbear_exit("Failed to revert euid");
0d889b068123 switch user when opening authorized_keys
Matt Johnston <matt@ucc.asn.au>
parents: 1276
diff changeset
410 }
1633
592a18dac250 Support servers without multiple user support (#76)
Patrick Stewart <patstew@gmail.com>
parents: 1630
diff changeset
411 #endif
1330
0d889b068123 switch user when opening authorized_keys
Matt Johnston <matt@ucc.asn.au>
parents: 1276
diff changeset
412
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
413 if (authfile == NULL) {
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
414 goto out;
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
415 }
165
0cfba3034be5 Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents: 158
diff changeset
416 TRACE(("checkpubkey: opened authorized_keys OK"))
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
417
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
418 line = buf_new(MAX_AUTHKEYS_LINE);
476
df7f7da7f6e4 - Rework pubkey options to be more careful about buffer lengths. Needs review.
Matt Johnston <matt@ucc.asn.au>
parents: 475
diff changeset
419 line_num = 0;
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
420
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
421 /* iterate through the lines */
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
422 do {
51
095d689fed16 - Hostkey checking is mostly there, just aren't appending yet.
Matt Johnston <matt@ucc.asn.au>
parents: 44
diff changeset
423 if (buf_getline(line, authfile) == DROPBEAR_FAILURE) {
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
424 /* EOF reached */
165
0cfba3034be5 Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents: 158
diff changeset
425 TRACE(("checkpubkey: authorized_keys EOF reached"))
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
426 break;
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
427 }
476
df7f7da7f6e4 - Rework pubkey options to be more careful about buffer lengths. Needs review.
Matt Johnston <matt@ucc.asn.au>
parents: 475
diff changeset
428 line_num++;
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
429
1451
7e95ab97d2b0 fix pubkey authentication return value
Matt Johnston <matt@ucc.asn.au>
parents: 1376
diff changeset
430 ret = checkpubkey_line(line, line_num, filename, algo, algolen, keyblob, keybloblen);
7e95ab97d2b0 fix pubkey authentication return value
Matt Johnston <matt@ucc.asn.au>
parents: 1376
diff changeset
431 if (ret == DROPBEAR_SUCCESS) {
51
095d689fed16 - Hostkey checking is mostly there, just aren't appending yet.
Matt Johnston <matt@ucc.asn.au>
parents: 44
diff changeset
432 break;
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
433 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
434
51
095d689fed16 - Hostkey checking is mostly there, just aren't appending yet.
Matt Johnston <matt@ucc.asn.au>
parents: 44
diff changeset
435 /* We continue to the next line otherwise */
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
436
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
437 } while (1);
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
438
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
439 out:
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
440 if (authfile) {
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
441 fclose(authfile);
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
442 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
443 if (line) {
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
444 buf_free(line);
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
445 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
446 m_free(filename);
165
0cfba3034be5 Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents: 158
diff changeset
447 TRACE(("leave checkpubkey: ret=%d", ret))
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
448 return ret;
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
449 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
450
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
451
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
452 /* Returns DROPBEAR_SUCCESS if file permissions for pubkeys are ok,
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
453 * DROPBEAR_FAILURE otherwise.
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
454 * Checks that the user's homedir, ~/.ssh, and
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
455 * ~/.ssh/authorized_keys are all owned by either root or the user, and are
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
456 * g-w, o-w */
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
457 static int checkpubkeyperms() {
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
458
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
459 char* filename = NULL;
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
460 int ret = DROPBEAR_FAILURE;
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
461 unsigned int len;
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
462
165
0cfba3034be5 Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents: 158
diff changeset
463 TRACE(("enter checkpubkeyperms"))
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
464
464
4317be8b7cf9 Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents: 436
diff changeset
465 if (ses.authstate.pw_dir == NULL) {
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
466 goto out;
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
467 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
468
464
4317be8b7cf9 Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents: 436
diff changeset
469 if ((len = strlen(ses.authstate.pw_dir)) == 0) {
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
470 goto out;
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
471 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
472
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
473 /* allocate max required pathname storage,
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
474 * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
1630
9579377b5f8b use strlcpy & strlcat (#74)
François Perrad <francois.perrad@gadz.org>
parents: 1617
diff changeset
475 len += 22;
9579377b5f8b use strlcpy & strlcat (#74)
François Perrad <francois.perrad@gadz.org>
parents: 1617
diff changeset
476 filename = m_malloc(len);
9579377b5f8b use strlcpy & strlcat (#74)
François Perrad <francois.perrad@gadz.org>
parents: 1617
diff changeset
477 strlcpy(filename, ses.authstate.pw_dir, len);
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
478
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
479 /* check ~ */
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
480 if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
481 goto out;
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
482 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
483
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
484 /* check ~/.ssh */
1630
9579377b5f8b use strlcpy & strlcat (#74)
François Perrad <francois.perrad@gadz.org>
parents: 1617
diff changeset
485 strlcat(filename, "/.ssh", len);
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
486 if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
487 goto out;
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
488 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
489
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
490 /* now check ~/.ssh/authorized_keys */
1630
9579377b5f8b use strlcpy & strlcat (#74)
François Perrad <francois.perrad@gadz.org>
parents: 1617
diff changeset
491 strlcat(filename, "/authorized_keys", len);
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
492 if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
493 goto out;
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
494 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
495
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
496 /* file looks ok, return success */
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
497 ret = DROPBEAR_SUCCESS;
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
498
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
499 out:
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
500 m_free(filename);
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
501
165
0cfba3034be5 Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents: 158
diff changeset
502 TRACE(("leave checkpubkeyperms"))
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
503 return ret;
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
504 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
505
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
506 /* Checks that a file is owned by the user or root, and isn't writable by
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
507 * group or other */
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
508 /* returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE */
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
509 static int checkfileperm(char * filename) {
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
510 struct stat filestat;
248
bf64e666f99b Log when pubkey auth fails because of bad pubkey perms/ownership
Matt Johnston <matt@ucc.asn.au>
parents: 241
diff changeset
511 int badperm = 0;
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
512
165
0cfba3034be5 Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents: 158
diff changeset
513 TRACE(("enter checkfileperm(%s)", filename))
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
514
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
515 if (stat(filename, &filestat) != 0) {
165
0cfba3034be5 Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents: 158
diff changeset
516 TRACE(("leave checkfileperm: stat() != 0"))
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
517 return DROPBEAR_FAILURE;
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
518 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
519 /* check ownership - user or root only*/
464
4317be8b7cf9 Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents: 436
diff changeset
520 if (filestat.st_uid != ses.authstate.pw_uid
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
521 && filestat.st_uid != 0) {
248
bf64e666f99b Log when pubkey auth fails because of bad pubkey perms/ownership
Matt Johnston <matt@ucc.asn.au>
parents: 241
diff changeset
522 badperm = 1;
bf64e666f99b Log when pubkey auth fails because of bad pubkey perms/ownership
Matt Johnston <matt@ucc.asn.au>
parents: 241
diff changeset
523 TRACE(("wrong ownership"))
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
524 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
525 /* check permissions - don't want group or others +w */
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
526 if (filestat.st_mode & (S_IWGRP | S_IWOTH)) {
248
bf64e666f99b Log when pubkey auth fails because of bad pubkey perms/ownership
Matt Johnston <matt@ucc.asn.au>
parents: 241
diff changeset
527 badperm = 1;
bf64e666f99b Log when pubkey auth fails because of bad pubkey perms/ownership
Matt Johnston <matt@ucc.asn.au>
parents: 241
diff changeset
528 TRACE(("wrong perms"))
bf64e666f99b Log when pubkey auth fails because of bad pubkey perms/ownership
Matt Johnston <matt@ucc.asn.au>
parents: 241
diff changeset
529 }
bf64e666f99b Log when pubkey auth fails because of bad pubkey perms/ownership
Matt Johnston <matt@ucc.asn.au>
parents: 241
diff changeset
530 if (badperm) {
bf64e666f99b Log when pubkey auth fails because of bad pubkey perms/ownership
Matt Johnston <matt@ucc.asn.au>
parents: 241
diff changeset
531 if (!ses.authstate.perm_warn) {
bf64e666f99b Log when pubkey auth fails because of bad pubkey perms/ownership
Matt Johnston <matt@ucc.asn.au>
parents: 241
diff changeset
532 ses.authstate.perm_warn = 1;
bf64e666f99b Log when pubkey auth fails because of bad pubkey perms/ownership
Matt Johnston <matt@ucc.asn.au>
parents: 241
diff changeset
533 dropbear_log(LOG_INFO, "%s must be owned by user or root, and not writable by others", filename);
bf64e666f99b Log when pubkey auth fails because of bad pubkey perms/ownership
Matt Johnston <matt@ucc.asn.au>
parents: 241
diff changeset
534 }
bf64e666f99b Log when pubkey auth fails because of bad pubkey perms/ownership
Matt Johnston <matt@ucc.asn.au>
parents: 241
diff changeset
535 TRACE(("leave checkfileperm: failure perms/owner"))
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
536 return DROPBEAR_FAILURE;
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
537 }
248
bf64e666f99b Log when pubkey auth fails because of bad pubkey perms/ownership
Matt Johnston <matt@ucc.asn.au>
parents: 241
diff changeset
538
165
0cfba3034be5 Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents: 158
diff changeset
539 TRACE(("leave checkfileperm: success"))
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
540 return DROPBEAR_SUCCESS;
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
541 }
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
542
1558
2f64cb3d3007 - #if not #ifdef for DROPBEAR_FUZZ
Matt Johnston <matt@ucc.asn.au>
parents: 1511
diff changeset
543 #if DROPBEAR_FUZZ
1511
5916af64acd4 merge from main
Matt Johnston <matt@ucc.asn.au>
parents: 1500
diff changeset
544 int fuzz_checkpubkey_line(buffer* line, int line_num, char* filename,
5916af64acd4 merge from main
Matt Johnston <matt@ucc.asn.au>
parents: 1500
diff changeset
545 const char* algo, unsigned int algolen,
5916af64acd4 merge from main
Matt Johnston <matt@ucc.asn.au>
parents: 1500
diff changeset
546 const unsigned char* keyblob, unsigned int keybloblen) {
5916af64acd4 merge from main
Matt Johnston <matt@ucc.asn.au>
parents: 1500
diff changeset
547 return checkpubkey_line(line, line_num, filename, algo, algolen, keyblob, keybloblen);
5916af64acd4 merge from main
Matt Johnston <matt@ucc.asn.au>
parents: 1500
diff changeset
548 }
475
52a644e7b8e1 * Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents: 464
diff changeset
549 #endif
1511
5916af64acd4 merge from main
Matt Johnston <matt@ucc.asn.au>
parents: 1500
diff changeset
550
5916af64acd4 merge from main
Matt Johnston <matt@ucc.asn.au>
parents: 1500
diff changeset
551 #endif