From acb2059febaddd71ee06c2ebf63dcf211d9ab9f2 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Fri, 3 Jun 2022 04:47:21 +0000 Subject: [PATCH] upstream: move auth_openprincipals() and auth_openkeyfile() over to auth2-pubkeyfile.c too; they make more sense there. OpenBSD-Commit-ID: 9970d99f900e1117fdaab13e9e910a621b7c60ee --- auth.c | 58 +--------------------------------------------- auth.h | 6 ++--- auth2-pubkeyfile.c | 57 ++++++++++++++++++++++++++++++++++++++++++++- 3 files changed, 60 insertions(+), 61 deletions(-) diff --git a/auth.c b/auth.c index 9ad9034aa..13e8d7998 100644 --- a/auth.c +++ b/auth.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth.c,v 1.157 2022/05/27 05:02:46 djm Exp $ */ +/* $OpenBSD: auth.c,v 1.158 2022/06/03 04:47:21 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -460,62 +460,6 @@ check_key_in_hostfiles(struct passwd *pw, struct sshkey *key, const char *host, return host_status; } -static FILE * -auth_openfile(const char *file, struct passwd *pw, int strict_modes, - int log_missing, char *file_type) -{ - char line[1024]; - struct stat st; - int fd; - FILE *f; - - if ((fd = open(file, O_RDONLY|O_NONBLOCK)) == -1) { - if (log_missing || errno != ENOENT) - debug("Could not open %s '%s': %s", file_type, file, - strerror(errno)); - return NULL; - } - - if (fstat(fd, &st) == -1) { - close(fd); - return NULL; - } - if (!S_ISREG(st.st_mode)) { - logit("User %s %s %s is not a regular file", - pw->pw_name, file_type, file); - close(fd); - return NULL; - } - unset_nonblock(fd); - if ((f = fdopen(fd, "r")) == NULL) { - close(fd); - return NULL; - } - if (strict_modes && - safe_path_fd(fileno(f), file, pw, line, sizeof(line)) != 0) { - fclose(f); - logit("Authentication refused: %s", line); - auth_debug_add("Ignored %s: %s", file_type, line); - return NULL; - } - - return f; -} - - -FILE * -auth_openkeyfile(const char *file, struct passwd *pw, int strict_modes) -{ - return auth_openfile(file, pw, strict_modes, 1, "authorized keys"); -} - -FILE * -auth_openprincipals(const char *file, struct passwd *pw, int strict_modes) -{ - return auth_openfile(file, pw, strict_modes, 0, - "authorized principals"); -} - struct passwd * getpwnamallow(struct ssh *ssh, const char *user) { diff --git a/auth.h b/auth.h index b8eec4a6a..b743406ea 100644 --- a/auth.h +++ b/auth.h @@ -1,4 +1,4 @@ -/* $OpenBSD: auth.h,v 1.104 2022/05/27 05:02:46 djm Exp $ */ +/* $OpenBSD: auth.h,v 1.105 2022/06/03 04:47:21 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. @@ -193,8 +193,6 @@ struct passwd * getpwnamallow(struct ssh *, const char *user); char *expand_authorized_keys(const char *, struct passwd *pw); char *authorized_principals_file(struct passwd *); -FILE *auth_openkeyfile(const char *, struct passwd *, int); -FILE *auth_openprincipals(const char *, struct passwd *, int); int auth_key_is_revoked(struct sshkey *); const char *auth_get_canonical_hostname(struct ssh *, int); @@ -237,6 +235,8 @@ int auth_check_authkey_line(struct passwd *, struct sshkey *, char *, const char *, const char *, const char *, struct sshauthopt **); int auth_check_authkeys_file(struct passwd *, FILE *, char *, struct sshkey *, const char *, const char *, struct sshauthopt **); +FILE *auth_openkeyfile(const char *, struct passwd *, int); +FILE *auth_openprincipals(const char *, struct passwd *, int); int sys_auth_passwd(struct ssh *, const char *); diff --git a/auth2-pubkeyfile.c b/auth2-pubkeyfile.c index a304d0953..911f01baf 100644 --- a/auth2-pubkeyfile.c +++ b/auth2-pubkeyfile.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-pubkeyfile.c,v 1.1 2022/05/27 05:02:46 djm Exp $ */ +/* $OpenBSD: auth2-pubkeyfile.c,v 1.2 2022/06/03 04:47:21 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2010 Damien Miller. All rights reserved. @@ -439,4 +439,59 @@ auth_check_authkeys_file(struct passwd *pw, FILE *f, char *file, return found_key; } +static FILE * +auth_openfile(const char *file, struct passwd *pw, int strict_modes, + int log_missing, char *file_type) +{ + char line[1024]; + struct stat st; + int fd; + FILE *f; + + if ((fd = open(file, O_RDONLY|O_NONBLOCK)) == -1) { + if (log_missing || errno != ENOENT) + debug("Could not open %s '%s': %s", file_type, file, + strerror(errno)); + return NULL; + } + + if (fstat(fd, &st) == -1) { + close(fd); + return NULL; + } + if (!S_ISREG(st.st_mode)) { + logit("User %s %s %s is not a regular file", + pw->pw_name, file_type, file); + close(fd); + return NULL; + } + unset_nonblock(fd); + if ((f = fdopen(fd, "r")) == NULL) { + close(fd); + return NULL; + } + if (strict_modes && + safe_path_fd(fileno(f), file, pw, line, sizeof(line)) != 0) { + fclose(f); + logit("Authentication refused: %s", line); + auth_debug_add("Ignored %s: %s", file_type, line); + return NULL; + } + + return f; +} + + +FILE * +auth_openkeyfile(const char *file, struct passwd *pw, int strict_modes) +{ + return auth_openfile(file, pw, strict_modes, 1, "authorized keys"); +} + +FILE * +auth_openprincipals(const char *file, struct passwd *pw, int strict_modes) +{ + return auth_openfile(file, pw, strict_modes, 0, + "authorized principals"); +}