# HG changeset patch # User Matt Johnston # Date 1127206786 0 # Node ID bf64e666f99b936c71edb596595842bb0592ee89 # Parent b24730e11c830cf2aebfd8311bcb94413d6f7540 Log when pubkey auth fails because of bad pubkey perms/ownership diff -r b24730e11c83 -r bf64e666f99b auth.h --- a/auth.h Tue Sep 06 04:04:51 2005 +0000 +++ b/auth.h Tue Sep 20 08:59:46 2005 +0000 @@ -77,6 +77,9 @@ unsigned authdone : 1; /* 0 if we haven't authed, 1 if we have. Applies for client and server (though has differing [obvious] meanings). */ + unsigned perm_warn : 1; /* Server only, set if bad permissions on + ~/.ssh/authorized_keys have already been + logged. */ /* These are only used for the server */ char *printableuser; /* stripped of control chars, used for logs etc */ diff -r b24730e11c83 -r bf64e666f99b svr-authpubkey.c --- a/svr-authpubkey.c Tue Sep 06 04:04:51 2005 +0000 +++ b/svr-authpubkey.c Tue Sep 20 08:59:46 2005 +0000 @@ -311,6 +311,7 @@ /* returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE */ static int checkfileperm(char * filename) { struct stat filestat; + int badperm = 0; TRACE(("enter checkfileperm(%s)", filename)) @@ -321,14 +322,23 @@ /* check ownership - user or root only*/ if (filestat.st_uid != ses.authstate.pw->pw_uid && filestat.st_uid != 0) { - TRACE(("leave checkfileperm: wrong ownership")) - return DROPBEAR_FAILURE; + badperm = 1; + TRACE(("wrong ownership")) } /* check permissions - don't want group or others +w */ if (filestat.st_mode & (S_IWGRP | S_IWOTH)) { - TRACE(("leave checkfileperm: wrong perms")) + badperm = 1; + TRACE(("wrong perms")) + } + if (badperm) { + if (!ses.authstate.perm_warn) { + ses.authstate.perm_warn = 1; + dropbear_log(LOG_INFO, "%s must be owned by user or root, and not writable by others", filename); + } + TRACE(("leave checkfileperm: failure perms/owner")) return DROPBEAR_FAILURE; } + TRACE(("leave checkfileperm: success")) return DROPBEAR_SUCCESS; }