changeset 248:bf64e666f99b

Log when pubkey auth fails because of bad pubkey perms/ownership
author Matt Johnston <matt@ucc.asn.au>
date Tue, 20 Sep 2005 08:59:46 +0000
parents b24730e11c83
children efbaf6b03837
files auth.h svr-authpubkey.c
diffstat 2 files changed, 16 insertions(+), 3 deletions(-) [+]
line wrap: on
line diff
--- a/auth.h	Tue Sep 06 04:04:51 2005 +0000
+++ b/auth.h	Tue Sep 20 08:59:46 2005 +0000
@@ -77,6 +77,9 @@
 	unsigned authdone : 1; /* 0 if we haven't authed, 1 if we have. Applies for
 							  client and server (though has differing [obvious]
 							  meanings). */
+	unsigned perm_warn : 1; /* Server only, set if bad permissions on 
+							   ~/.ssh/authorized_keys have already been
+							   logged. */
 
 	/* These are only used for the server */
 	char *printableuser; /* stripped of control chars, used for logs etc */
--- a/svr-authpubkey.c	Tue Sep 06 04:04:51 2005 +0000
+++ b/svr-authpubkey.c	Tue Sep 20 08:59:46 2005 +0000
@@ -311,6 +311,7 @@
 /* returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE */
 static int checkfileperm(char * filename) {
 	struct stat filestat;
+	int badperm = 0;
 
 	TRACE(("enter checkfileperm(%s)", filename))
 
@@ -321,14 +322,23 @@
 	/* check ownership - user or root only*/
 	if (filestat.st_uid != ses.authstate.pw->pw_uid
 			&& filestat.st_uid != 0) {
-		TRACE(("leave checkfileperm: wrong ownership"))
-		return DROPBEAR_FAILURE;
+		badperm = 1;
+		TRACE(("wrong ownership"))
 	}
 	/* check permissions - don't want group or others +w */
 	if (filestat.st_mode & (S_IWGRP | S_IWOTH)) {
-		TRACE(("leave checkfileperm: wrong perms"))
+		badperm = 1;
+		TRACE(("wrong perms"))
+	}
+	if (badperm) {
+		if (!ses.authstate.perm_warn) {
+			ses.authstate.perm_warn = 1;
+			dropbear_log(LOG_INFO, "%s must be owned by user or root, and not writable by others", filename);
+		}
+		TRACE(("leave checkfileperm: failure perms/owner"))
 		return DROPBEAR_FAILURE;
 	}
+
 	TRACE(("leave checkfileperm: success"))
 	return DROPBEAR_SUCCESS;
 }