mirror of
git://anongit.mindrot.org/openssh.git
synced 2025-01-03 00:02:05 +00:00
- dtucker@cvs.openbsd.org 2006/04/25 08:02:27
[authfile.c authfile.h sshconnect2.c ssh.c sshconnect1.c]
Prevent ssh from trying to open private keys with bad permissions more than
once or prompting for their passphrases (which it subsequently ignores
anyway), similar to a previous change in ssh-add. bz #1186, ok djm@
This commit is contained in:
Darren Tucker
parent
d8093e49bf
commit
232b76f9f8
10
ChangeLog
10
ChangeLog
@ -1,3 +1,11 @@
|
||||
20050506
|
||||
- (dtucker) OpenBSD CVS Syn
|
||||
- dtucker@cvs.openbsd.org 2006/04/25 08:02:27
|
||||
[authfile.c authfile.h sshconnect2.c ssh.c sshconnect1.c]
|
||||
Prevent ssh from trying to open private keys with bad permissions more than
|
||||
once or prompting for their passphrases (which it subsequently ignores
|
||||
anyway), similar to a previous change in ssh-add. bz #1186, ok djm@
|
||||
|
||||
20060504
|
||||
- (dtucker) [auth-pam.c groupaccess.c monitor.c monitor_wrap.c scard-opensc.c
|
||||
session.c ssh-rand-helper.c sshd.c openbsd-compat/bsd-cygwin_util.c
|
||||
@ -4594,4 +4602,4 @@
|
||||
- (djm) Trim deprecated options from INSTALL. Mention UsePAM
|
||||
- (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
|
||||
|
||||
$Id: ChangeLog,v 1.4320 2006/05/04 06:24:34 dtucker Exp $
|
||||
$Id: ChangeLog,v 1.4321 2006/05/06 07:41:51 dtucker Exp $
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: authfile.c,v 1.66 2006/03/25 13:17:01 djm Exp $ */
|
||||
/* $OpenBSD: authfile.c,v 1.67 2006/04/25 08:02:27 dtucker Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
@ -538,7 +538,7 @@ key_perm_ok(int fd, const char *filename)
|
||||
|
||||
Key *
|
||||
key_load_private_type(int type, const char *filename, const char *passphrase,
|
||||
char **commentp)
|
||||
char **commentp, int *perm_ok)
|
||||
{
|
||||
int fd;
|
||||
|
||||
@ -546,10 +546,14 @@ key_load_private_type(int type, const char *filename, const char *passphrase,
|
||||
if (fd < 0)
|
||||
return NULL;
|
||||
if (!key_perm_ok(fd, filename)) {
|
||||
if (perm_ok != NULL)
|
||||
*perm_ok = 0;
|
||||
error("bad permissions: ignore key: %s", filename);
|
||||
close(fd);
|
||||
return NULL;
|
||||
}
|
||||
if (perm_ok != NULL)
|
||||
*perm_ok = 1;
|
||||
switch (type) {
|
||||
case KEY_RSA1:
|
||||
return key_load_private_rsa1(fd, filename, passphrase,
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: authfile.h,v 1.12 2006/03/25 22:22:42 djm Exp $ */
|
||||
/* $OpenBSD: authfile.h,v 1.13 2006/04/25 08:02:27 dtucker Exp $ */
|
||||
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
@ -19,7 +19,7 @@ int key_save_private(Key *, const char *, const char *, const char *);
|
||||
Key *key_load_public(const char *, char **);
|
||||
Key *key_load_public_type(int, const char *, char **);
|
||||
Key *key_load_private(const char *, const char *, char **);
|
||||
Key *key_load_private_type(int, const char *, const char *, char **);
|
||||
Key *key_load_private_type(int, const char *, const char *, char **, int *);
|
||||
Key *key_load_private_pem(int, int, const char *, char **);
|
||||
int key_perm_ok(int, const char *);
|
||||
|
||||
|
||||
8
ssh.c
8
ssh.c
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: ssh.c,v 1.275 2006/03/30 10:41:25 djm Exp $ */
|
||||
/* $OpenBSD: ssh.c,v 1.276 2006/04/25 08:02:27 dtucker Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
@ -693,11 +693,11 @@ main(int ac, char **av)
|
||||
|
||||
PRIV_START;
|
||||
sensitive_data.keys[0] = key_load_private_type(KEY_RSA1,
|
||||
_PATH_HOST_KEY_FILE, "", NULL);
|
||||
_PATH_HOST_KEY_FILE, "", NULL, NULL);
|
||||
sensitive_data.keys[1] = key_load_private_type(KEY_DSA,
|
||||
_PATH_HOST_DSA_KEY_FILE, "", NULL);
|
||||
_PATH_HOST_DSA_KEY_FILE, "", NULL, NULL);
|
||||
sensitive_data.keys[2] = key_load_private_type(KEY_RSA,
|
||||
_PATH_HOST_RSA_KEY_FILE, "", NULL);
|
||||
_PATH_HOST_RSA_KEY_FILE, "", NULL, NULL);
|
||||
PRIV_END;
|
||||
|
||||
if (options.hostbased_authentication == 1 &&
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: sshconnect1.c,v 1.64 2006/03/25 13:17:02 djm Exp $ */
|
||||
/* $OpenBSD: sshconnect1.c,v 1.65 2006/04/25 08:02:27 dtucker Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
@ -197,7 +197,7 @@ try_rsa_authentication(int idx)
|
||||
BIGNUM *challenge;
|
||||
Key *public, *private;
|
||||
char buf[300], *passphrase, *comment, *authfile;
|
||||
int i, type, quit;
|
||||
int i, perm_ok = 1, type, quit;
|
||||
|
||||
public = options.identity_keys[idx];
|
||||
authfile = options.identity_files[idx];
|
||||
@ -243,15 +243,16 @@ try_rsa_authentication(int idx)
|
||||
if (public->flags & KEY_FLAG_EXT)
|
||||
private = public;
|
||||
else
|
||||
private = key_load_private_type(KEY_RSA1, authfile, "", NULL);
|
||||
if (private == NULL && !options.batch_mode) {
|
||||
private = key_load_private_type(KEY_RSA1, authfile, "", NULL,
|
||||
&perm_ok);
|
||||
if (private == NULL && !options.batch_mode && perm_ok) {
|
||||
snprintf(buf, sizeof(buf),
|
||||
"Enter passphrase for RSA key '%.100s': ", comment);
|
||||
for (i = 0; i < options.number_of_password_prompts; i++) {
|
||||
passphrase = read_passphrase(buf, 0);
|
||||
if (strcmp(passphrase, "") != 0) {
|
||||
private = key_load_private_type(KEY_RSA1,
|
||||
authfile, passphrase, NULL);
|
||||
authfile, passphrase, NULL, NULL);
|
||||
quit = 0;
|
||||
} else {
|
||||
debug2("no passphrase given, try next key");
|
||||
@ -268,7 +269,7 @@ try_rsa_authentication(int idx)
|
||||
xfree(comment);
|
||||
|
||||
if (private == NULL) {
|
||||
if (!options.batch_mode)
|
||||
if (!options.batch_mode && perm_ok)
|
||||
error("Bad passphrase.");
|
||||
|
||||
/* Send a dummy response packet to avoid protocol error. */
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: sshconnect2.c,v 1.151 2006/03/25 13:17:02 djm Exp $ */
|
||||
/* $OpenBSD: sshconnect2.c,v 1.152 2006/04/25 08:02:27 dtucker Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
||||
*
|
||||
@ -970,14 +970,16 @@ load_identity_file(char *filename)
|
||||
{
|
||||
Key *private;
|
||||
char prompt[300], *passphrase;
|
||||
int quit, i;
|
||||
int perm_ok, quit, i;
|
||||
struct stat st;
|
||||
|
||||
if (stat(filename, &st) < 0) {
|
||||
debug3("no such identity: %s", filename);
|
||||
return NULL;
|
||||
}
|
||||
private = key_load_private_type(KEY_UNSPEC, filename, "", NULL);
|
||||
private = key_load_private_type(KEY_UNSPEC, filename, "", NULL, &perm_ok);
|
||||
if (!perm_ok)
|
||||
return NULL;
|
||||
if (private == NULL) {
|
||||
if (options.batch_mode)
|
||||
return NULL;
|
||||
@ -986,8 +988,8 @@ load_identity_file(char *filename)
|
||||
for (i = 0; i < options.number_of_password_prompts; i++) {
|
||||
passphrase = read_passphrase(prompt, 0);
|
||||
if (strcmp(passphrase, "") != 0) {
|
||||
private = key_load_private_type(KEY_UNSPEC, filename,
|
||||
passphrase, NULL);
|
||||
private = key_load_private_type(KEY_UNSPEC,
|
||||
filename, passphrase, NULL, NULL);
|
||||
quit = 0;
|
||||
} else {
|
||||
debug2("no passphrase given, try next key");
|
||||
|
||||
Loading…
Reference in New Issue
Block a user