mirror of git://anongit.mindrot.org/openssh.git
upstream commit
switch auth2-hostbased.c to modern APIs; ok djm@ Upstream-ID: 146af25c36daeeb83d5dbbb8ca52b5d25de88f4e
This commit is contained in:
markus@openbsd.org
Damien Miller
parent
2ae666a8fc
commit
eb76698b91
|
|
@ -1,4 +1,4 @@
|
||||||
/* $OpenBSD: auth2-hostbased.c,v 1.28 2017/05/30 14:10:53 markus Exp $ */
|
/* $OpenBSD: auth2-hostbased.c,v 1.29 2017/05/30 14:25:42 markus Exp $ */
|
||||||
/*
|
/*
|
||||||
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
||||||
*
|
*
|
||||||
|
|
@ -39,7 +39,7 @@
|
||||||
#include "misc.h"
|
#include "misc.h"
|
||||||
#include "servconf.h"
|
#include "servconf.h"
|
||||||
#include "compat.h"
|
#include "compat.h"
|
||||||
#include "key.h"
|
#include "sshkey.h"
|
||||||
#include "hostfile.h"
|
#include "hostfile.h"
|
||||||
#include "auth.h"
|
#include "auth.h"
|
||||||
#include "canohost.h"
|
#include "canohost.h"
|
||||||
|
|
@ -48,6 +48,7 @@
|
||||||
#endif
|
#endif
|
||||||
#include "monitor_wrap.h"
|
#include "monitor_wrap.h"
|
||||||
#include "pathnames.h"
|
#include "pathnames.h"
|
||||||
|
#include "ssherr.h"
|
||||||
#include "match.h"
|
#include "match.h"
|
||||||
|
|
||||||
/* import */
|
/* import */
|
||||||
|
|
@ -58,52 +59,54 @@ extern u_int session_id2_len;
|
||||||
static int
|
static int
|
||||||
userauth_hostbased(Authctxt *authctxt)
|
userauth_hostbased(Authctxt *authctxt)
|
||||||
{
|
{
|
||||||
Buffer b;
|
struct ssh *ssh = active_state; /* XXX */
|
||||||
|
struct sshbuf *b;
|
||||||
struct sshkey *key = NULL;
|
struct sshkey *key = NULL;
|
||||||
char *pkalg, *cuser, *chost, *service;
|
char *pkalg, *cuser, *chost, *service;
|
||||||
u_char *pkblob, *sig;
|
u_char *pkblob, *sig;
|
||||||
u_int alen, blen, slen;
|
size_t alen, blen, slen;
|
||||||
int pktype;
|
int r, pktype, authenticated = 0;
|
||||||
int authenticated = 0;
|
|
||||||
|
|
||||||
if (!authctxt->valid) {
|
if (!authctxt->valid) {
|
||||||
debug2("userauth_hostbased: disabled because of invalid user");
|
debug2("%s: disabled because of invalid user", __func__);
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
pkalg = packet_get_string(&alen);
|
/* XXX use sshkey_froms() */
|
||||||
pkblob = packet_get_string(&blen);
|
if ((r = sshpkt_get_cstring(ssh, &pkalg, &alen)) != 0 ||
|
||||||
chost = packet_get_string(NULL);
|
(r = sshpkt_get_string(ssh, &pkblob, &blen)) != 0 ||
|
||||||
cuser = packet_get_string(NULL);
|
(r = sshpkt_get_cstring(ssh, &chost, NULL)) != 0 ||
|
||||||
sig = packet_get_string(&slen);
|
(r = sshpkt_get_cstring(ssh, &cuser, NULL)) != 0 ||
|
||||||
|
(r = sshpkt_get_string(ssh, &sig, &slen)) != 0)
|
||||||
|
fatal("%s: packet parsing: %s", __func__, ssh_err(r));
|
||||||
|
|
||||||
debug("userauth_hostbased: cuser %s chost %s pkalg %s slen %d",
|
debug("%s: cuser %s chost %s pkalg %s slen %zu", __func__,
|
||||||
cuser, chost, pkalg, slen);
|
cuser, chost, pkalg, slen);
|
||||||
#ifdef DEBUG_PK
|
#ifdef DEBUG_PK
|
||||||
debug("signature:");
|
debug("signature:");
|
||||||
buffer_init(&b);
|
sshbuf_dump_data(sig, siglen, stderr);
|
||||||
buffer_append(&b, sig, slen);
|
|
||||||
buffer_dump(&b);
|
|
||||||
buffer_free(&b);
|
|
||||||
#endif
|
#endif
|
||||||
pktype = key_type_from_name(pkalg);
|
pktype = sshkey_type_from_name(pkalg);
|
||||||
if (pktype == KEY_UNSPEC) {
|
if (pktype == KEY_UNSPEC) {
|
||||||
/* this is perfectly legal */
|
/* this is perfectly legal */
|
||||||
logit("userauth_hostbased: unsupported "
|
logit("%s: unsupported public key algorithm: %s",
|
||||||
"public key algorithm: %s", pkalg);
|
__func__, pkalg);
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
if ((r = sshkey_from_blob(pkblob, blen, &key)) != 0) {
|
||||||
|
error("%s: key_from_blob: %s", __func__, ssh_err(r));
|
||||||
goto done;
|
goto done;
|
||||||
}
|
}
|
||||||
key = key_from_blob(pkblob, blen);
|
|
||||||
if (key == NULL) {
|
if (key == NULL) {
|
||||||
error("userauth_hostbased: cannot decode key: %s", pkalg);
|
error("%s: cannot decode key: %s", __func__, pkalg);
|
||||||
goto done;
|
goto done;
|
||||||
}
|
}
|
||||||
if (key->type != pktype) {
|
if (key->type != pktype) {
|
||||||
error("userauth_hostbased: type mismatch for decoded key "
|
error("%s: type mismatch for decoded key "
|
||||||
"(received %d, expected %d)", key->type, pktype);
|
"(received %d, expected %d)", __func__, key->type, pktype);
|
||||||
goto done;
|
goto done;
|
||||||
}
|
}
|
||||||
if (key_type_plain(key->type) == KEY_RSA &&
|
if (sshkey_type_plain(key->type) == KEY_RSA &&
|
||||||
(datafellows & SSH_BUG_RSASIGMD5) != 0) {
|
(ssh->compat & SSH_BUG_RSASIGMD5) != 0) {
|
||||||
error("Refusing RSA key because peer uses unsafe "
|
error("Refusing RSA key because peer uses unsafe "
|
||||||
"signature format");
|
"signature format");
|
||||||
goto done;
|
goto done;
|
||||||
|
|
@ -115,21 +118,23 @@ userauth_hostbased(Authctxt *authctxt)
|
||||||
goto done;
|
goto done;
|
||||||
}
|
}
|
||||||
|
|
||||||
service = datafellows & SSH_BUG_HBSERVICE ? "ssh-userauth" :
|
service = ssh->compat & SSH_BUG_HBSERVICE ? "ssh-userauth" :
|
||||||
authctxt->service;
|
authctxt->service;
|
||||||
buffer_init(&b);
|
if ((b = sshbuf_new()) == NULL)
|
||||||
buffer_put_string(&b, session_id2, session_id2_len);
|
fatal("%s: sshbuf_new failed", __func__);
|
||||||
/* reconstruct packet */
|
/* reconstruct packet */
|
||||||
buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
|
if ((r = sshbuf_put_string(b, session_id2, session_id2_len)) != 0 ||
|
||||||
buffer_put_cstring(&b, authctxt->user);
|
(r = sshbuf_put_u8(b, SSH2_MSG_USERAUTH_REQUEST)) != 0 ||
|
||||||
buffer_put_cstring(&b, service);
|
(r = sshbuf_put_cstring(b, authctxt->user)) != 0 ||
|
||||||
buffer_put_cstring(&b, "hostbased");
|
(r = sshbuf_put_cstring(b, service)) != 0 ||
|
||||||
buffer_put_string(&b, pkalg, alen);
|
(r = sshbuf_put_cstring(b, "hostbased")) != 0 ||
|
||||||
buffer_put_string(&b, pkblob, blen);
|
(r = sshbuf_put_string(b, pkalg, alen)) != 0 ||
|
||||||
buffer_put_cstring(&b, chost);
|
(r = sshbuf_put_string(b, pkblob, blen)) != 0 ||
|
||||||
buffer_put_cstring(&b, cuser);
|
(r = sshbuf_put_cstring(b, chost)) != 0 ||
|
||||||
|
(r = sshbuf_put_cstring(b, cuser)) != 0)
|
||||||
|
fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||||
#ifdef DEBUG_PK
|
#ifdef DEBUG_PK
|
||||||
buffer_dump(&b);
|
sshbuf_dump(b, stderr);
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
pubkey_auth_info(authctxt, key,
|
pubkey_auth_info(authctxt, key,
|
||||||
|
|
@ -138,15 +143,15 @@ userauth_hostbased(Authctxt *authctxt)
|
||||||
/* test for allowed key and correct signature */
|
/* test for allowed key and correct signature */
|
||||||
authenticated = 0;
|
authenticated = 0;
|
||||||
if (PRIVSEP(hostbased_key_allowed(authctxt->pw, cuser, chost, key)) &&
|
if (PRIVSEP(hostbased_key_allowed(authctxt->pw, cuser, chost, key)) &&
|
||||||
PRIVSEP(sshkey_verify(key, sig, slen, buffer_ptr(&b),
|
PRIVSEP(sshkey_verify(key, sig, slen,
|
||||||
buffer_len(&b), 0)) == 0)
|
sshbuf_ptr(b), sshbuf_len(b), ssh->compat)) == 0)
|
||||||
authenticated = 1;
|
authenticated = 1;
|
||||||
|
|
||||||
buffer_free(&b);
|
sshbuf_free(b);
|
||||||
done:
|
done:
|
||||||
debug2("userauth_hostbased: authenticated %d", authenticated);
|
debug2("%s: authenticated %d", __func__, authenticated);
|
||||||
if (key != NULL)
|
if (key != NULL)
|
||||||
key_free(key);
|
sshkey_free(key);
|
||||||
free(pkalg);
|
free(pkalg);
|
||||||
free(pkblob);
|
free(pkblob);
|
||||||
free(cuser);
|
free(cuser);
|
||||||
|
|
@ -203,8 +208,8 @@ hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
|
||||||
}
|
}
|
||||||
debug2("%s: access allowed by auth_rhosts2", __func__);
|
debug2("%s: access allowed by auth_rhosts2", __func__);
|
||||||
|
|
||||||
if (key_is_cert(key) &&
|
if (sshkey_is_cert(key) &&
|
||||||
key_cert_check_authority(key, 1, 0, lookup, &reason)) {
|
sshkey_cert_check_authority(key, 1, 0, lookup, &reason)) {
|
||||||
error("%s", reason);
|
error("%s", reason);
|
||||||
auth_debug_add("%s", reason);
|
auth_debug_add("%s", reason);
|
||||||
return 0;
|
return 0;
|
||||||
|
|
@ -223,20 +228,20 @@ hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
|
||||||
}
|
}
|
||||||
|
|
||||||
if (host_status == HOST_OK) {
|
if (host_status == HOST_OK) {
|
||||||
if (key_is_cert(key)) {
|
if (sshkey_is_cert(key)) {
|
||||||
if ((fp = sshkey_fingerprint(key->cert->signature_key,
|
if ((fp = sshkey_fingerprint(key->cert->signature_key,
|
||||||
options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL)
|
options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL)
|
||||||
fatal("%s: sshkey_fingerprint fail", __func__);
|
fatal("%s: sshkey_fingerprint fail", __func__);
|
||||||
verbose("Accepted certificate ID \"%s\" signed by "
|
verbose("Accepted certificate ID \"%s\" signed by "
|
||||||
"%s CA %s from %s@%s", key->cert->key_id,
|
"%s CA %s from %s@%s", key->cert->key_id,
|
||||||
key_type(key->cert->signature_key), fp,
|
sshkey_type(key->cert->signature_key), fp,
|
||||||
cuser, lookup);
|
cuser, lookup);
|
||||||
} else {
|
} else {
|
||||||
if ((fp = sshkey_fingerprint(key,
|
if ((fp = sshkey_fingerprint(key,
|
||||||
options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL)
|
options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL)
|
||||||
fatal("%s: sshkey_fingerprint fail", __func__);
|
fatal("%s: sshkey_fingerprint fail", __func__);
|
||||||
verbose("Accepted %s public key %s from %s@%s",
|
verbose("Accepted %s public key %s from %s@%s",
|
||||||
key_type(key), fp, cuser, lookup);
|
sshkey_type(key), fp, cuser, lookup);
|
||||||
}
|
}
|
||||||
free(fp);
|
free(fp);
|
||||||
}
|
}
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue