Mercurial > dropbear
annotate svr-authpubkey.c @ 1653:76189c9ffea2
External Public-Key Authentication API (#72)
* Implemented dynamic loading of an external plug-in shared library to delegate public key authentication
* Moved conditional compilation of the plugin infrastructure into the configure.ac script to be able to add -ldl to dropbear build only when the flag is enabled
* Added tags file to the ignore list
* Updated API to have the constructor to return function pointers in the pliugin instance. Added support for passing user name to the checkpubkey function. Added options to the session returned by the plugin and have dropbear to parse and process them
* Added -rdynamic to the linker flags when EPKA is enabled
* Changed the API to pass a previously created session to the checkPubKey function (created during preauth)
* Added documentation to the API
* Added parameter addrstring to plugin creation function
* Modified the API to retrieve the auth options. Instead of having them as field of the EPKASession struct, they are stored internally (plugin-dependent) in the plugin/session and retrieved through a pointer to a function (in the session)
* Changed option string to be a simple char * instead of unsigned char *
author | fabriziobertocci <fabriziobertocci@gmail.com> |
---|---|
date | Wed, 15 May 2019 09:43:57 -0400 |
parents | 592a18dac250 |
children | cc0fc5131c5c |
rev | line source |
---|---|
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
1 /* |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
2 * Dropbear - a SSH2 server |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
3 * |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
4 * Copyright (c) 2002,2003 Matt Johnston |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
5 * All rights reserved. |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
6 * |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
7 * Permission is hereby granted, free of charge, to any person obtaining a copy |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
8 * of this software and associated documentation files (the "Software"), to deal |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
9 * in the Software without restriction, including without limitation the rights |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
10 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
11 * copies of the Software, and to permit persons to whom the Software is |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
12 * furnished to do so, subject to the following conditions: |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
13 * |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
14 * The above copyright notice and this permission notice shall be included in |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
15 * all copies or substantial portions of the Software. |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
16 * |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
17 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
18 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
19 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
20 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
21 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
22 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
23 * SOFTWARE. */ |
475
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
464
diff
changeset
|
24 /* |
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
464
diff
changeset
|
25 * This file incorporates work covered by the following copyright and |
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
464
diff
changeset
|
26 * permission notice: |
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
464
diff
changeset
|
27 * |
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
464
diff
changeset
|
28 * Copyright (c) 2000 Markus Friedl. All rights reserved. |
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
464
diff
changeset
|
29 * |
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
464
diff
changeset
|
30 * Redistribution and use in source and binary forms, with or without |
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
464
diff
changeset
|
31 * modification, are permitted provided that the following conditions |
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
464
diff
changeset
|
32 * are met: |
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
464
diff
changeset
|
33 * 1. Redistributions of source code must retain the above copyright |
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
464
diff
changeset
|
34 * notice, this list of conditions and the following disclaimer. |
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
464
diff
changeset
|
35 * 2. Redistributions in binary form must reproduce the above copyright |
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
464
diff
changeset
|
36 * notice, this list of conditions and the following disclaimer in the |
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
464
diff
changeset
|
37 * documentation and/or other materials provided with the distribution. |
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
464
diff
changeset
|
38 * |
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
464
diff
changeset
|
39 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR |
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
464
diff
changeset
|
40 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES |
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
464
diff
changeset
|
41 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. |
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
464
diff
changeset
|
42 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, |
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
464
diff
changeset
|
43 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
464
diff
changeset
|
44 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, |
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
464
diff
changeset
|
45 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY |
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
464
diff
changeset
|
46 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
464
diff
changeset
|
47 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
464
diff
changeset
|
48 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
464
diff
changeset
|
49 * |
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
464
diff
changeset
|
50 * This copyright and permission notice applies to the code parsing public keys |
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
464
diff
changeset
|
51 * options string which can also be found in OpenSSH auth2-pubkey.c file |
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
464
diff
changeset
|
52 * (user_key_allowed2). It has been adapted to work with buffers. |
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
464
diff
changeset
|
53 * |
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
464
diff
changeset
|
54 */ |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
55 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
56 /* Process a pubkey auth request */ |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
57 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
58 #include "includes.h" |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
59 #include "session.h" |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
60 #include "dbutil.h" |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
61 #include "buffer.h" |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
62 #include "signkey.h" |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
63 #include "auth.h" |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
64 #include "ssh.h" |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
65 #include "packet.h" |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
66 #include "algo.h" |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
67 |
1295
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
1276
diff
changeset
|
68 #if DROPBEAR_SVR_PUBKEY_AUTH |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
69 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
70 #define MIN_AUTHKEYS_LINE 10 /* "ssh-rsa AB" - short but doesn't matter */ |
51
095d689fed16
- Hostkey checking is mostly there, just aren't appending yet.
Matt Johnston <matt@ucc.asn.au>
parents:
44
diff
changeset
|
71 #define MAX_AUTHKEYS_LINE 4200 /* max length of a line in authkeys */ |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
72 |
1459
06d52bcb8094
Pointer parameter could be declared as pointing to const
Francois Perrad <francois.perrad@gadz.org>
parents:
1376
diff
changeset
|
73 static int checkpubkey(const char* algo, unsigned int algolen, |
06d52bcb8094
Pointer parameter could be declared as pointing to const
Francois Perrad <francois.perrad@gadz.org>
parents:
1376
diff
changeset
|
74 const unsigned char* keyblob, unsigned int keybloblen); |
1276
9169e4e7cbee
fix empty C prototypes
Francois Perrad <francois.perrad@gadz.org>
parents:
1122
diff
changeset
|
75 static int checkpubkeyperms(void); |
1459
06d52bcb8094
Pointer parameter could be declared as pointing to const
Francois Perrad <francois.perrad@gadz.org>
parents:
1376
diff
changeset
|
76 static void send_msg_userauth_pk_ok(const char* algo, unsigned int algolen, |
06d52bcb8094
Pointer parameter could be declared as pointing to const
Francois Perrad <francois.perrad@gadz.org>
parents:
1376
diff
changeset
|
77 const unsigned char* keyblob, unsigned int keybloblen); |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
78 static int checkfileperm(char * filename); |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
79 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
80 /* process a pubkey auth request, sending success or failure message as |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
81 * appropriate */ |
1616
5d2d1021ca00
Wait to fail invalid usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1500
diff
changeset
|
82 void svr_auth_pubkey(int valid_user) { |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
83 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
84 unsigned char testkey; /* whether we're just checking if a key is usable */ |
1110
83025b7063ec
Turn checkpubkey() and send_msg_userauth_pk_ok()'s algo argument into char *
Gaël PORTAY <gael.portay@gmail.com>
parents:
1094
diff
changeset
|
85 char* algo = NULL; /* pubkey algo */ |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
86 unsigned int algolen; |
70
b0316ce64e4b
Merging in the changes from 0.41-0.43 main Dropbear tree
Matt Johnston <matt@ucc.asn.au>
parents:
68
diff
changeset
|
87 unsigned char* keyblob = NULL; |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
88 unsigned int keybloblen; |
1059
703c7cdd2577
Fix pubkey auth after change to reuse ses.readbuf as ses.payload
Matt Johnston <matt@ucc.asn.au>
parents:
853
diff
changeset
|
89 unsigned int sign_payload_length; |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
90 buffer * signbuf = NULL; |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
91 sign_key * key = NULL; |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
92 char* fp = NULL; |
852
7540c0822374
Various cleanups and fixes for warnings
Matt Johnston <matt@ucc.asn.au>
parents:
762
diff
changeset
|
93 enum signkey_type type = -1; |
1653
76189c9ffea2
External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents:
1633
diff
changeset
|
94 int auth_failure = 1; |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
95 |
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
158
diff
changeset
|
96 TRACE(("enter pubkeyauth")) |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
97 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
98 /* 0 indicates user just wants to check if key can be used, 1 is an |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
99 * actual attempt*/ |
179
161557a9dde8
* fix longstanding bug with connections being closed on failure to
Matt Johnston <matt@ucc.asn.au>
parents:
165
diff
changeset
|
100 testkey = (buf_getbool(ses.payload) == 0); |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
101 |
1122
aaf576b27a10
Merge pull request #13 from gazoo74/fix-warnings
Matt Johnston <matt@ucc.asn.au>
parents:
1110
diff
changeset
|
102 algo = buf_getstring(ses.payload, &algolen); |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
103 keybloblen = buf_getint(ses.payload); |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
104 keyblob = buf_getptr(ses.payload, keybloblen); |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
105 |
1616
5d2d1021ca00
Wait to fail invalid usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1500
diff
changeset
|
106 if (!valid_user) { |
5d2d1021ca00
Wait to fail invalid usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1500
diff
changeset
|
107 /* Return failure once we have read the contents of the packet |
5d2d1021ca00
Wait to fail invalid usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1500
diff
changeset
|
108 required to validate a public key. |
5d2d1021ca00
Wait to fail invalid usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1500
diff
changeset
|
109 Avoids blind user enumeration though it isn't possible to prevent |
5d2d1021ca00
Wait to fail invalid usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1500
diff
changeset
|
110 testing for user existence if the public key is known */ |
5d2d1021ca00
Wait to fail invalid usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1500
diff
changeset
|
111 send_msg_userauth_failure(0, 0); |
5d2d1021ca00
Wait to fail invalid usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1500
diff
changeset
|
112 goto out; |
5d2d1021ca00
Wait to fail invalid usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1500
diff
changeset
|
113 } |
1653
76189c9ffea2
External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents:
1633
diff
changeset
|
114 #if DROPBEAR_EPKA |
76189c9ffea2
External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents:
1633
diff
changeset
|
115 if (svr_ses.epka_instance != NULL) { |
76189c9ffea2
External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents:
1633
diff
changeset
|
116 char *options_buf; |
76189c9ffea2
External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents:
1633
diff
changeset
|
117 if (svr_ses.epka_instance->checkpubkey( |
76189c9ffea2
External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents:
1633
diff
changeset
|
118 svr_ses.epka_instance, |
76189c9ffea2
External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents:
1633
diff
changeset
|
119 &ses.epka_session, |
76189c9ffea2
External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents:
1633
diff
changeset
|
120 algo, |
76189c9ffea2
External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents:
1633
diff
changeset
|
121 algolen, |
76189c9ffea2
External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents:
1633
diff
changeset
|
122 keyblob, |
76189c9ffea2
External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents:
1633
diff
changeset
|
123 keybloblen, |
76189c9ffea2
External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents:
1633
diff
changeset
|
124 ses.authstate.username) == DROPBEAR_SUCCESS) { |
76189c9ffea2
External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents:
1633
diff
changeset
|
125 /* Success */ |
76189c9ffea2
External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents:
1633
diff
changeset
|
126 auth_failure = 0; |
1616
5d2d1021ca00
Wait to fail invalid usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1500
diff
changeset
|
127 |
1653
76189c9ffea2
External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents:
1633
diff
changeset
|
128 /* Options provided? */ |
76189c9ffea2
External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents:
1633
diff
changeset
|
129 options_buf = ses.epka_session->get_options(ses.epka_session); |
76189c9ffea2
External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents:
1633
diff
changeset
|
130 if (options_buf) { |
76189c9ffea2
External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents:
1633
diff
changeset
|
131 struct buf temp_buf = { |
76189c9ffea2
External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents:
1633
diff
changeset
|
132 .data = (unsigned char *)options_buf, |
76189c9ffea2
External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents:
1633
diff
changeset
|
133 .len = strlen(options_buf), |
76189c9ffea2
External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents:
1633
diff
changeset
|
134 .pos = 0, |
76189c9ffea2
External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents:
1633
diff
changeset
|
135 .size = 0 |
76189c9ffea2
External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents:
1633
diff
changeset
|
136 }; |
76189c9ffea2
External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents:
1633
diff
changeset
|
137 int ret = svr_add_pubkey_options(&temp_buf, 0, "N/A"); |
76189c9ffea2
External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents:
1633
diff
changeset
|
138 if (ret == DROPBEAR_FAILURE) { |
76189c9ffea2
External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents:
1633
diff
changeset
|
139 /* Fail immediately as the plugin provided wrong options */ |
76189c9ffea2
External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents:
1633
diff
changeset
|
140 send_msg_userauth_failure(0, 0); |
76189c9ffea2
External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents:
1633
diff
changeset
|
141 goto out; |
76189c9ffea2
External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents:
1633
diff
changeset
|
142 } |
76189c9ffea2
External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents:
1633
diff
changeset
|
143 } |
76189c9ffea2
External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents:
1633
diff
changeset
|
144 } |
76189c9ffea2
External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents:
1633
diff
changeset
|
145 } |
76189c9ffea2
External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents:
1633
diff
changeset
|
146 #endif |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
147 /* check if the key is valid */ |
1653
76189c9ffea2
External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents:
1633
diff
changeset
|
148 if (auth_failure) { |
76189c9ffea2
External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents:
1633
diff
changeset
|
149 auth_failure = checkpubkey(algo, algolen, keyblob, keybloblen) == DROPBEAR_FAILURE; |
76189c9ffea2
External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents:
1633
diff
changeset
|
150 } |
76189c9ffea2
External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents:
1633
diff
changeset
|
151 |
76189c9ffea2
External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents:
1633
diff
changeset
|
152 if (auth_failure) { |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
153 send_msg_userauth_failure(0, 0); |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
154 goto out; |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
155 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
156 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
157 /* let them know that the key is ok to use */ |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
158 if (testkey) { |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
159 send_msg_userauth_pk_ok(algo, algolen, keyblob, keybloblen); |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
160 goto out; |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
161 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
162 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
163 /* now we can actually verify the signature */ |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
164 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
165 /* get the key */ |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
166 key = new_sign_key(); |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
167 type = DROPBEAR_SIGNKEY_ANY; |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
168 if (buf_get_pub_key(ses.payload, key, &type) == DROPBEAR_FAILURE) { |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
169 send_msg_userauth_failure(0, 1); |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
170 goto out; |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
171 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
172 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
173 /* create the data which has been signed - this a string containing |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
174 * session_id, concatenated with the payload packet up to the signature */ |
1059
703c7cdd2577
Fix pubkey auth after change to reuse ses.readbuf as ses.payload
Matt Johnston <matt@ucc.asn.au>
parents:
853
diff
changeset
|
175 assert(ses.payload_beginning <= ses.payload->pos); |
703c7cdd2577
Fix pubkey auth after change to reuse ses.readbuf as ses.payload
Matt Johnston <matt@ucc.asn.au>
parents:
853
diff
changeset
|
176 sign_payload_length = ses.payload->pos - ses.payload_beginning; |
762
a78a38e402d1
- Fix various hardcoded uses of SHA1
Matt Johnston <matt@ucc.asn.au>
parents:
761
diff
changeset
|
177 signbuf = buf_new(ses.payload->pos + 4 + ses.session_id->len); |
761
ac2158e3e403
ecc kind of works, needs fixing/testing
Matt Johnston <matt@ucc.asn.au>
parents:
594
diff
changeset
|
178 buf_putbufstring(signbuf, ses.session_id); |
1059
703c7cdd2577
Fix pubkey auth after change to reuse ses.readbuf as ses.payload
Matt Johnston <matt@ucc.asn.au>
parents:
853
diff
changeset
|
179 |
703c7cdd2577
Fix pubkey auth after change to reuse ses.readbuf as ses.payload
Matt Johnston <matt@ucc.asn.au>
parents:
853
diff
changeset
|
180 /* The entire contents of the payload prior. */ |
703c7cdd2577
Fix pubkey auth after change to reuse ses.readbuf as ses.payload
Matt Johnston <matt@ucc.asn.au>
parents:
853
diff
changeset
|
181 buf_setpos(ses.payload, ses.payload_beginning); |
703c7cdd2577
Fix pubkey auth after change to reuse ses.readbuf as ses.payload
Matt Johnston <matt@ucc.asn.au>
parents:
853
diff
changeset
|
182 buf_putbytes(signbuf, |
703c7cdd2577
Fix pubkey auth after change to reuse ses.readbuf as ses.payload
Matt Johnston <matt@ucc.asn.au>
parents:
853
diff
changeset
|
183 buf_getptr(ses.payload, sign_payload_length), |
703c7cdd2577
Fix pubkey auth after change to reuse ses.readbuf as ses.payload
Matt Johnston <matt@ucc.asn.au>
parents:
853
diff
changeset
|
184 sign_payload_length); |
703c7cdd2577
Fix pubkey auth after change to reuse ses.readbuf as ses.payload
Matt Johnston <matt@ucc.asn.au>
parents:
853
diff
changeset
|
185 buf_incrpos(ses.payload, sign_payload_length); |
703c7cdd2577
Fix pubkey auth after change to reuse ses.readbuf as ses.payload
Matt Johnston <matt@ucc.asn.au>
parents:
853
diff
changeset
|
186 |
44 | 187 buf_setpos(signbuf, 0); |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
188 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
189 /* ... and finally verify the signature */ |
51
095d689fed16
- Hostkey checking is mostly there, just aren't appending yet.
Matt Johnston <matt@ucc.asn.au>
parents:
44
diff
changeset
|
190 fp = sign_key_fingerprint(keyblob, keybloblen); |
761
ac2158e3e403
ecc kind of works, needs fixing/testing
Matt Johnston <matt@ucc.asn.au>
parents:
594
diff
changeset
|
191 if (buf_verify(ses.payload, key, signbuf) == DROPBEAR_SUCCESS) { |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
192 dropbear_log(LOG_NOTICE, |
594
a98a2138364a
Improve capitalisation for all logged strings
Matt Johnston <matt@ucc.asn.au>
parents:
476
diff
changeset
|
193 "Pubkey auth succeeded for '%s' with key %s from %s", |
464
4317be8b7cf9
Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents:
436
diff
changeset
|
194 ses.authstate.pw_name, fp, svr_ses.addrstring); |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
195 send_msg_userauth_success(); |
1653
76189c9ffea2
External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents:
1633
diff
changeset
|
196 #if DROPBEAR_EPKA |
76189c9ffea2
External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents:
1633
diff
changeset
|
197 if ((ses.epka_session != NULL) && (svr_ses.epka_instance->auth_success != NULL)) { |
76189c9ffea2
External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents:
1633
diff
changeset
|
198 /* Was authenticated through the external plugin. tell plugin that signature verification was ok */ |
76189c9ffea2
External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents:
1633
diff
changeset
|
199 svr_ses.epka_instance->auth_success(ses.epka_session); |
76189c9ffea2
External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents:
1633
diff
changeset
|
200 } |
76189c9ffea2
External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents:
1633
diff
changeset
|
201 #endif |
76189c9ffea2
External Public-Key Authentication API (#72)
fabriziobertocci <fabriziobertocci@gmail.com>
parents:
1633
diff
changeset
|
202 |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
203 } else { |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
204 dropbear_log(LOG_WARNING, |
594
a98a2138364a
Improve capitalisation for all logged strings
Matt Johnston <matt@ucc.asn.au>
parents:
476
diff
changeset
|
205 "Pubkey auth bad signature for '%s' with key %s from %s", |
464
4317be8b7cf9
Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents:
436
diff
changeset
|
206 ses.authstate.pw_name, fp, svr_ses.addrstring); |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
207 send_msg_userauth_failure(0, 1); |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
208 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
209 m_free(fp); |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
210 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
211 out: |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
212 /* cleanup stuff */ |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
213 if (signbuf) { |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
214 buf_free(signbuf); |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
215 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
216 if (algo) { |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
217 m_free(algo); |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
218 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
219 if (key) { |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
220 sign_key_free(key); |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
221 key = NULL; |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
222 } |
1598
252b406d0e9a
avoid leak of pubkey_options
Matt Johnston <matt@ucc.asn.au>
parents:
1558
diff
changeset
|
223 /* Retain pubkey options only if auth succeeded */ |
252b406d0e9a
avoid leak of pubkey_options
Matt Johnston <matt@ucc.asn.au>
parents:
1558
diff
changeset
|
224 if (!ses.authstate.authdone) { |
252b406d0e9a
avoid leak of pubkey_options
Matt Johnston <matt@ucc.asn.au>
parents:
1558
diff
changeset
|
225 svr_pubkey_options_cleanup(); |
252b406d0e9a
avoid leak of pubkey_options
Matt Johnston <matt@ucc.asn.au>
parents:
1558
diff
changeset
|
226 } |
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
158
diff
changeset
|
227 TRACE(("leave pubkeyauth")) |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
228 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
229 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
230 /* Reply that the key is valid for auth, this is sent when the user sends |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
231 * a straight copy of their pubkey to test, to avoid having to perform |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
232 * expensive signing operations with a worthless key */ |
1459
06d52bcb8094
Pointer parameter could be declared as pointing to const
Francois Perrad <francois.perrad@gadz.org>
parents:
1376
diff
changeset
|
233 static void send_msg_userauth_pk_ok(const char* algo, unsigned int algolen, |
06d52bcb8094
Pointer parameter could be declared as pointing to const
Francois Perrad <francois.perrad@gadz.org>
parents:
1376
diff
changeset
|
234 const unsigned char* keyblob, unsigned int keybloblen) { |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
235 |
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
158
diff
changeset
|
236 TRACE(("enter send_msg_userauth_pk_ok")) |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
237 CHECKCLEARTOWRITE(); |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
238 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
239 buf_putbyte(ses.writepayload, SSH_MSG_USERAUTH_PK_OK); |
1122
aaf576b27a10
Merge pull request #13 from gazoo74/fix-warnings
Matt Johnston <matt@ucc.asn.au>
parents:
1110
diff
changeset
|
240 buf_putstring(ses.writepayload, algo, algolen); |
aaf576b27a10
Merge pull request #13 from gazoo74/fix-warnings
Matt Johnston <matt@ucc.asn.au>
parents:
1110
diff
changeset
|
241 buf_putstring(ses.writepayload, (const char*)keyblob, keybloblen); |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
242 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
243 encrypt_packet(); |
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
158
diff
changeset
|
244 TRACE(("leave send_msg_userauth_pk_ok")) |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
245 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
246 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
247 |
1459
06d52bcb8094
Pointer parameter could be declared as pointing to const
Francois Perrad <francois.perrad@gadz.org>
parents:
1376
diff
changeset
|
248 static int checkpubkey_line(buffer* line, int line_num, const char* filename, |
1368
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
249 const char* algo, unsigned int algolen, |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
250 const unsigned char* keyblob, unsigned int keybloblen) { |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
251 buffer *options_buf = NULL; |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
252 unsigned int pos, len; |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
253 int ret = DROPBEAR_FAILURE; |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
254 |
1376 | 255 if (line->len < MIN_AUTHKEYS_LINE || line->len > MAX_AUTHKEYS_LINE) { |
1452
15d4b821bcc9
fix checkpubkey_line function name for TRACE
Matt Johnston <matt@ucc.asn.au>
parents:
1451
diff
changeset
|
256 TRACE(("checkpubkey_line: bad line length %d", line->len)) |
1600
dc7c9fdb3716
don't allow null characters in authorized_keys
Matt Johnston <matt@ucc.asn.au>
parents:
1598
diff
changeset
|
257 goto out; |
dc7c9fdb3716
don't allow null characters in authorized_keys
Matt Johnston <matt@ucc.asn.au>
parents:
1598
diff
changeset
|
258 } |
dc7c9fdb3716
don't allow null characters in authorized_keys
Matt Johnston <matt@ucc.asn.au>
parents:
1598
diff
changeset
|
259 |
dc7c9fdb3716
don't allow null characters in authorized_keys
Matt Johnston <matt@ucc.asn.au>
parents:
1598
diff
changeset
|
260 if (memchr(line->data, 0x0, line->len) != NULL) { |
dc7c9fdb3716
don't allow null characters in authorized_keys
Matt Johnston <matt@ucc.asn.au>
parents:
1598
diff
changeset
|
261 TRACE(("checkpubkey_line: bad line has null char")) |
dc7c9fdb3716
don't allow null characters in authorized_keys
Matt Johnston <matt@ucc.asn.au>
parents:
1598
diff
changeset
|
262 goto out; |
1368
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
263 } |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
264 |
1372
de1d895b1cae
don't exit encountering short lines
Matt Johnston <matt@ucc.asn.au>
parents:
1368
diff
changeset
|
265 /* compare the algorithm. +3 so we have enough bytes to read a space and some base64 characters too. */ |
de1d895b1cae
don't exit encountering short lines
Matt Johnston <matt@ucc.asn.au>
parents:
1368
diff
changeset
|
266 if (line->pos + algolen+3 > line->len) { |
de1d895b1cae
don't exit encountering short lines
Matt Johnston <matt@ucc.asn.au>
parents:
1368
diff
changeset
|
267 goto out; |
de1d895b1cae
don't exit encountering short lines
Matt Johnston <matt@ucc.asn.au>
parents:
1368
diff
changeset
|
268 } |
1368
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
269 /* check the key type */ |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
270 if (strncmp((const char *) buf_getptr(line, algolen), algo, algolen) != 0) { |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
271 int is_comment = 0; |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
272 unsigned char *options_start = NULL; |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
273 int options_len = 0; |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
274 int escape, quoted; |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
275 |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
276 /* skip over any comments or leading whitespace */ |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
277 while (line->pos < line->len) { |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
278 const char c = buf_getbyte(line); |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
279 if (c == ' ' || c == '\t') { |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
280 continue; |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
281 } else if (c == '#') { |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
282 is_comment = 1; |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
283 break; |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
284 } |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
285 buf_incrpos(line, -1); |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
286 break; |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
287 } |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
288 if (is_comment) { |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
289 /* next line */ |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
290 goto out; |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
291 } |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
292 |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
293 /* remember start of options */ |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
294 options_start = buf_getptr(line, 1); |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
295 quoted = 0; |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
296 escape = 0; |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
297 options_len = 0; |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
298 |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
299 /* figure out where the options are */ |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
300 while (line->pos < line->len) { |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
301 const char c = buf_getbyte(line); |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
302 if (!quoted && (c == ' ' || c == '\t')) { |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
303 break; |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
304 } |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
305 escape = (!escape && c == '\\'); |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
306 if (!escape && c == '"') { |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
307 quoted = !quoted; |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
308 } |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
309 options_len++; |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
310 } |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
311 options_buf = buf_new(options_len); |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
312 buf_putbytes(options_buf, options_start, options_len); |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
313 |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
314 /* compare the algorithm. +3 so we have enough bytes to read a space and some base64 characters too. */ |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
315 if (line->pos + algolen+3 > line->len) { |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
316 goto out; |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
317 } |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
318 if (strncmp((const char *) buf_getptr(line, algolen), algo, algolen) != 0) { |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
319 goto out; |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
320 } |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
321 } |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
322 buf_incrpos(line, algolen); |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
323 |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
324 /* check for space (' ') character */ |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
325 if (buf_getbyte(line) != ' ') { |
1452
15d4b821bcc9
fix checkpubkey_line function name for TRACE
Matt Johnston <matt@ucc.asn.au>
parents:
1451
diff
changeset
|
326 TRACE(("checkpubkey_line: space character expected, isn't there")) |
1368
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
327 goto out; |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
328 } |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
329 |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
330 /* truncate the line at the space after the base64 data */ |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
331 pos = line->pos; |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
332 for (len = 0; line->pos < line->len; len++) { |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
333 if (buf_getbyte(line) == ' ') break; |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
334 } |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
335 buf_setpos(line, pos); |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
336 buf_setlen(line, line->pos + len); |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
337 |
1452
15d4b821bcc9
fix checkpubkey_line function name for TRACE
Matt Johnston <matt@ucc.asn.au>
parents:
1451
diff
changeset
|
338 TRACE(("checkpubkey_line: line pos = %d len = %d", line->pos, line->len)) |
1368
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
339 |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
340 ret = cmp_base64_key(keyblob, keybloblen, (const unsigned char *) algo, algolen, line, NULL); |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
341 |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
342 if (ret == DROPBEAR_SUCCESS && options_buf) { |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
343 ret = svr_add_pubkey_options(options_buf, line_num, filename); |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
344 } |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
345 |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
346 out: |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
347 if (options_buf) { |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
348 buf_free(options_buf); |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
349 } |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
350 return ret; |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
351 } |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
352 |
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
353 |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
354 /* Checks whether a specified publickey (and associated algorithm) is an |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
355 * acceptable key for authentication */ |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
356 /* Returns DROPBEAR_SUCCESS if key is ok for auth, DROPBEAR_FAILURE otherwise */ |
1459
06d52bcb8094
Pointer parameter could be declared as pointing to const
Francois Perrad <francois.perrad@gadz.org>
parents:
1376
diff
changeset
|
357 static int checkpubkey(const char* algo, unsigned int algolen, |
06d52bcb8094
Pointer parameter could be declared as pointing to const
Francois Perrad <francois.perrad@gadz.org>
parents:
1376
diff
changeset
|
358 const unsigned char* keyblob, unsigned int keybloblen) { |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
359 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
360 FILE * authfile = NULL; |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
361 char * filename = NULL; |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
362 int ret = DROPBEAR_FAILURE; |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
363 buffer * line = NULL; |
1368
10df23099071
split out checkpubkey_line() separately
Matt Johnston <matt@ucc.asn.au>
parents:
1342
diff
changeset
|
364 unsigned int len; |
476
df7f7da7f6e4
- Rework pubkey options to be more careful about buffer lengths. Needs review.
Matt Johnston <matt@ucc.asn.au>
parents:
475
diff
changeset
|
365 int line_num; |
1330
0d889b068123
switch user when opening authorized_keys
Matt Johnston <matt@ucc.asn.au>
parents:
1276
diff
changeset
|
366 uid_t origuid; |
0d889b068123
switch user when opening authorized_keys
Matt Johnston <matt@ucc.asn.au>
parents:
1276
diff
changeset
|
367 gid_t origgid; |
475
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
464
diff
changeset
|
368 |
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
158
diff
changeset
|
369 TRACE(("enter checkpubkey")) |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
370 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
371 /* check that we can use the algo */ |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
372 if (have_algo(algo, algolen, sshhostkey) == DROPBEAR_FAILURE) { |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
373 dropbear_log(LOG_WARNING, |
594
a98a2138364a
Improve capitalisation for all logged strings
Matt Johnston <matt@ucc.asn.au>
parents:
476
diff
changeset
|
374 "Pubkey auth attempt with unknown algo for '%s' from %s", |
464
4317be8b7cf9
Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents:
436
diff
changeset
|
375 ses.authstate.pw_name, svr_ses.addrstring); |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
376 goto out; |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
377 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
378 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
379 /* check file permissions, also whether file exists */ |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
380 if (checkpubkeyperms() == DROPBEAR_FAILURE) { |
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
158
diff
changeset
|
381 TRACE(("bad authorized_keys permissions, or file doesn't exist")) |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
382 goto out; |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
383 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
384 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
385 /* we don't need to check pw and pw_dir for validity, since |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
386 * its been done in checkpubkeyperms. */ |
464
4317be8b7cf9
Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents:
436
diff
changeset
|
387 len = strlen(ses.authstate.pw_dir); |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
388 /* allocate max required pathname storage, |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
389 * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */ |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
390 filename = m_malloc(len + 22); |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
391 snprintf(filename, len + 22, "%s/.ssh/authorized_keys", |
464
4317be8b7cf9
Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents:
436
diff
changeset
|
392 ses.authstate.pw_dir); |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
393 |
1633
592a18dac250
Support servers without multiple user support (#76)
Patrick Stewart <patstew@gmail.com>
parents:
1630
diff
changeset
|
394 #if DROPBEAR_SVR_MULTIUSER |
1330
0d889b068123
switch user when opening authorized_keys
Matt Johnston <matt@ucc.asn.au>
parents:
1276
diff
changeset
|
395 /* open the file as the authenticating user. */ |
0d889b068123
switch user when opening authorized_keys
Matt Johnston <matt@ucc.asn.au>
parents:
1276
diff
changeset
|
396 origuid = getuid(); |
0d889b068123
switch user when opening authorized_keys
Matt Johnston <matt@ucc.asn.au>
parents:
1276
diff
changeset
|
397 origgid = getgid(); |
0d889b068123
switch user when opening authorized_keys
Matt Johnston <matt@ucc.asn.au>
parents:
1276
diff
changeset
|
398 if ((setegid(ses.authstate.pw_gid)) < 0 || |
0d889b068123
switch user when opening authorized_keys
Matt Johnston <matt@ucc.asn.au>
parents:
1276
diff
changeset
|
399 (seteuid(ses.authstate.pw_uid)) < 0) { |
0d889b068123
switch user when opening authorized_keys
Matt Johnston <matt@ucc.asn.au>
parents:
1276
diff
changeset
|
400 dropbear_exit("Failed to set euid"); |
0d889b068123
switch user when opening authorized_keys
Matt Johnston <matt@ucc.asn.au>
parents:
1276
diff
changeset
|
401 } |
1633
592a18dac250
Support servers without multiple user support (#76)
Patrick Stewart <patstew@gmail.com>
parents:
1630
diff
changeset
|
402 #endif |
1330
0d889b068123
switch user when opening authorized_keys
Matt Johnston <matt@ucc.asn.au>
parents:
1276
diff
changeset
|
403 |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
404 authfile = fopen(filename, "r"); |
1330
0d889b068123
switch user when opening authorized_keys
Matt Johnston <matt@ucc.asn.au>
parents:
1276
diff
changeset
|
405 |
1633
592a18dac250
Support servers without multiple user support (#76)
Patrick Stewart <patstew@gmail.com>
parents:
1630
diff
changeset
|
406 #if DROPBEAR_SVR_MULTIUSER |
1330
0d889b068123
switch user when opening authorized_keys
Matt Johnston <matt@ucc.asn.au>
parents:
1276
diff
changeset
|
407 if ((seteuid(origuid)) < 0 || |
0d889b068123
switch user when opening authorized_keys
Matt Johnston <matt@ucc.asn.au>
parents:
1276
diff
changeset
|
408 (setegid(origgid)) < 0) { |
0d889b068123
switch user when opening authorized_keys
Matt Johnston <matt@ucc.asn.au>
parents:
1276
diff
changeset
|
409 dropbear_exit("Failed to revert euid"); |
0d889b068123
switch user when opening authorized_keys
Matt Johnston <matt@ucc.asn.au>
parents:
1276
diff
changeset
|
410 } |
1633
592a18dac250
Support servers without multiple user support (#76)
Patrick Stewart <patstew@gmail.com>
parents:
1630
diff
changeset
|
411 #endif |
1330
0d889b068123
switch user when opening authorized_keys
Matt Johnston <matt@ucc.asn.au>
parents:
1276
diff
changeset
|
412 |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
413 if (authfile == NULL) { |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
414 goto out; |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
415 } |
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
158
diff
changeset
|
416 TRACE(("checkpubkey: opened authorized_keys OK")) |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
417 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
418 line = buf_new(MAX_AUTHKEYS_LINE); |
476
df7f7da7f6e4
- Rework pubkey options to be more careful about buffer lengths. Needs review.
Matt Johnston <matt@ucc.asn.au>
parents:
475
diff
changeset
|
419 line_num = 0; |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
420 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
421 /* iterate through the lines */ |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
422 do { |
51
095d689fed16
- Hostkey checking is mostly there, just aren't appending yet.
Matt Johnston <matt@ucc.asn.au>
parents:
44
diff
changeset
|
423 if (buf_getline(line, authfile) == DROPBEAR_FAILURE) { |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
424 /* EOF reached */ |
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
158
diff
changeset
|
425 TRACE(("checkpubkey: authorized_keys EOF reached")) |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
426 break; |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
427 } |
476
df7f7da7f6e4
- Rework pubkey options to be more careful about buffer lengths. Needs review.
Matt Johnston <matt@ucc.asn.au>
parents:
475
diff
changeset
|
428 line_num++; |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
429 |
1451
7e95ab97d2b0
fix pubkey authentication return value
Matt Johnston <matt@ucc.asn.au>
parents:
1376
diff
changeset
|
430 ret = checkpubkey_line(line, line_num, filename, algo, algolen, keyblob, keybloblen); |
7e95ab97d2b0
fix pubkey authentication return value
Matt Johnston <matt@ucc.asn.au>
parents:
1376
diff
changeset
|
431 if (ret == DROPBEAR_SUCCESS) { |
51
095d689fed16
- Hostkey checking is mostly there, just aren't appending yet.
Matt Johnston <matt@ucc.asn.au>
parents:
44
diff
changeset
|
432 break; |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
433 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
434 |
51
095d689fed16
- Hostkey checking is mostly there, just aren't appending yet.
Matt Johnston <matt@ucc.asn.au>
parents:
44
diff
changeset
|
435 /* We continue to the next line otherwise */ |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
436 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
437 } while (1); |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
438 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
439 out: |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
440 if (authfile) { |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
441 fclose(authfile); |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
442 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
443 if (line) { |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
444 buf_free(line); |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
445 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
446 m_free(filename); |
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
158
diff
changeset
|
447 TRACE(("leave checkpubkey: ret=%d", ret)) |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
448 return ret; |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
449 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
450 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
451 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
452 /* Returns DROPBEAR_SUCCESS if file permissions for pubkeys are ok, |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
453 * DROPBEAR_FAILURE otherwise. |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
454 * Checks that the user's homedir, ~/.ssh, and |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
455 * ~/.ssh/authorized_keys are all owned by either root or the user, and are |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
456 * g-w, o-w */ |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
457 static int checkpubkeyperms() { |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
458 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
459 char* filename = NULL; |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
460 int ret = DROPBEAR_FAILURE; |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
461 unsigned int len; |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
462 |
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
158
diff
changeset
|
463 TRACE(("enter checkpubkeyperms")) |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
464 |
464
4317be8b7cf9
Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents:
436
diff
changeset
|
465 if (ses.authstate.pw_dir == NULL) { |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
466 goto out; |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
467 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
468 |
464
4317be8b7cf9
Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents:
436
diff
changeset
|
469 if ((len = strlen(ses.authstate.pw_dir)) == 0) { |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
470 goto out; |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
471 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
472 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
473 /* allocate max required pathname storage, |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
474 * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */ |
1630
9579377b5f8b
use strlcpy & strlcat (#74)
François Perrad <francois.perrad@gadz.org>
parents:
1617
diff
changeset
|
475 len += 22; |
9579377b5f8b
use strlcpy & strlcat (#74)
François Perrad <francois.perrad@gadz.org>
parents:
1617
diff
changeset
|
476 filename = m_malloc(len); |
9579377b5f8b
use strlcpy & strlcat (#74)
François Perrad <francois.perrad@gadz.org>
parents:
1617
diff
changeset
|
477 strlcpy(filename, ses.authstate.pw_dir, len); |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
478 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
479 /* check ~ */ |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
480 if (checkfileperm(filename) != DROPBEAR_SUCCESS) { |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
481 goto out; |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
482 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
483 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
484 /* check ~/.ssh */ |
1630
9579377b5f8b
use strlcpy & strlcat (#74)
François Perrad <francois.perrad@gadz.org>
parents:
1617
diff
changeset
|
485 strlcat(filename, "/.ssh", len); |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
486 if (checkfileperm(filename) != DROPBEAR_SUCCESS) { |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
487 goto out; |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
488 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
489 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
490 /* now check ~/.ssh/authorized_keys */ |
1630
9579377b5f8b
use strlcpy & strlcat (#74)
François Perrad <francois.perrad@gadz.org>
parents:
1617
diff
changeset
|
491 strlcat(filename, "/authorized_keys", len); |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
492 if (checkfileperm(filename) != DROPBEAR_SUCCESS) { |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
493 goto out; |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
494 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
495 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
496 /* file looks ok, return success */ |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
497 ret = DROPBEAR_SUCCESS; |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
498 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
499 out: |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
500 m_free(filename); |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
501 |
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
158
diff
changeset
|
502 TRACE(("leave checkpubkeyperms")) |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
503 return ret; |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
504 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
505 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
506 /* Checks that a file is owned by the user or root, and isn't writable by |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
507 * group or other */ |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
508 /* returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE */ |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
509 static int checkfileperm(char * filename) { |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
510 struct stat filestat; |
248
bf64e666f99b
Log when pubkey auth fails because of bad pubkey perms/ownership
Matt Johnston <matt@ucc.asn.au>
parents:
241
diff
changeset
|
511 int badperm = 0; |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
512 |
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
158
diff
changeset
|
513 TRACE(("enter checkfileperm(%s)", filename)) |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
514 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
515 if (stat(filename, &filestat) != 0) { |
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
158
diff
changeset
|
516 TRACE(("leave checkfileperm: stat() != 0")) |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
517 return DROPBEAR_FAILURE; |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
518 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
519 /* check ownership - user or root only*/ |
464
4317be8b7cf9
Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents:
436
diff
changeset
|
520 if (filestat.st_uid != ses.authstate.pw_uid |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
521 && filestat.st_uid != 0) { |
248
bf64e666f99b
Log when pubkey auth fails because of bad pubkey perms/ownership
Matt Johnston <matt@ucc.asn.au>
parents:
241
diff
changeset
|
522 badperm = 1; |
bf64e666f99b
Log when pubkey auth fails because of bad pubkey perms/ownership
Matt Johnston <matt@ucc.asn.au>
parents:
241
diff
changeset
|
523 TRACE(("wrong ownership")) |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
524 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
525 /* check permissions - don't want group or others +w */ |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
526 if (filestat.st_mode & (S_IWGRP | S_IWOTH)) { |
248
bf64e666f99b
Log when pubkey auth fails because of bad pubkey perms/ownership
Matt Johnston <matt@ucc.asn.au>
parents:
241
diff
changeset
|
527 badperm = 1; |
bf64e666f99b
Log when pubkey auth fails because of bad pubkey perms/ownership
Matt Johnston <matt@ucc.asn.au>
parents:
241
diff
changeset
|
528 TRACE(("wrong perms")) |
bf64e666f99b
Log when pubkey auth fails because of bad pubkey perms/ownership
Matt Johnston <matt@ucc.asn.au>
parents:
241
diff
changeset
|
529 } |
bf64e666f99b
Log when pubkey auth fails because of bad pubkey perms/ownership
Matt Johnston <matt@ucc.asn.au>
parents:
241
diff
changeset
|
530 if (badperm) { |
bf64e666f99b
Log when pubkey auth fails because of bad pubkey perms/ownership
Matt Johnston <matt@ucc.asn.au>
parents:
241
diff
changeset
|
531 if (!ses.authstate.perm_warn) { |
bf64e666f99b
Log when pubkey auth fails because of bad pubkey perms/ownership
Matt Johnston <matt@ucc.asn.au>
parents:
241
diff
changeset
|
532 ses.authstate.perm_warn = 1; |
bf64e666f99b
Log when pubkey auth fails because of bad pubkey perms/ownership
Matt Johnston <matt@ucc.asn.au>
parents:
241
diff
changeset
|
533 dropbear_log(LOG_INFO, "%s must be owned by user or root, and not writable by others", filename); |
bf64e666f99b
Log when pubkey auth fails because of bad pubkey perms/ownership
Matt Johnston <matt@ucc.asn.au>
parents:
241
diff
changeset
|
534 } |
bf64e666f99b
Log when pubkey auth fails because of bad pubkey perms/ownership
Matt Johnston <matt@ucc.asn.au>
parents:
241
diff
changeset
|
535 TRACE(("leave checkfileperm: failure perms/owner")) |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
536 return DROPBEAR_FAILURE; |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
537 } |
248
bf64e666f99b
Log when pubkey auth fails because of bad pubkey perms/ownership
Matt Johnston <matt@ucc.asn.au>
parents:
241
diff
changeset
|
538 |
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
158
diff
changeset
|
539 TRACE(("leave checkfileperm: success")) |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
540 return DROPBEAR_SUCCESS; |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
541 } |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
542 |
1558
2f64cb3d3007
- #if not #ifdef for DROPBEAR_FUZZ
Matt Johnston <matt@ucc.asn.au>
parents:
1511
diff
changeset
|
543 #if DROPBEAR_FUZZ |
1511 | 544 int fuzz_checkpubkey_line(buffer* line, int line_num, char* filename, |
545 const char* algo, unsigned int algolen, | |
546 const unsigned char* keyblob, unsigned int keybloblen) { | |
547 return checkpubkey_line(line, line_num, filename, algo, algolen, keyblob, keybloblen); | |
548 } | |
475
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
464
diff
changeset
|
549 #endif |
1511 | 550 |
551 #endif |