RepoMirrors/openssh
1
0
Fork 0
mirror of git://anongit.mindrot.org/openssh.git synced 2025-01-03 00:02:05 +00:00
Code Issues Packages Projects Releases Wiki Activity

- markus@cvs.openbsd.org 2001/06/22 21:55:49

Browse Source 
[auth2.c auth-rsa.c pathnames.h ssh.1 sshd.8 sshd_config
      ssh-keygen.1]
     merge authorized_keys2 into authorized_keys.
     authorized_keys2 is used for backward compat.
     (just append authorized_keys2 to authorized_keys).
This commit is contained in:
Ben Lindstrom 2001-06-25 04:17:12 +00:00
parent ae1c51c208
commit f96704d4ef
8 changed files with 49 additions and 67 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
ChangeLog
View File

@ -19,6 +19,12 @@
- provos@cvs.openbsd.org 2001/06/22 21:28:53 - provos@cvs.openbsd.org 2001/06/22 21:28:53
[sshd.8] [sshd.8]
document /etc/moduli document /etc/moduli
- markus@cvs.openbsd.org 2001/06/22 21:55:49
[auth2.c auth-rsa.c pathnames.h ssh.1 sshd.8 sshd_config
ssh-keygen.1]
merge authorized_keys2 into authorized_keys.
authorized_keys2 is used for backward compat.
(just append authorized_keys2 to authorized_keys).
20010622 20010622
- (stevesk) handle systems without pw_expire and pw_change. - (stevesk) handle systems without pw_expire and pw_change.
@ -5703,4 +5709,4 @@
- Wrote replacements for strlcpy and mkdtemp - Wrote replacements for strlcpy and mkdtemp
- Released 1.0pre1 - Released 1.0pre1
$Id: ChangeLog,v 1.1301 2001/06/25 04:14:59 mouring Exp $ $Id: ChangeLog,v 1.1302 2001/06/25 04:17:12 mouring Exp $

6
auth-rsa.c
View File

@ -14,7 +14,7 @@
*/ */
#include "includes.h" #include "includes.h"
RCSID("$OpenBSD: auth-rsa.c,v 1.41 2001/05/20 17:20:35 markus Exp $"); RCSID("$OpenBSD: auth-rsa.c,v 1.42 2001/06/22 21:55:48 markus Exp $");
#include <openssl/rsa.h> #include <openssl/rsa.h>
#include <openssl/md5.h> #include <openssl/md5.h>
@ -211,9 +211,7 @@ auth_rsa(struct passwd *pw, BIGNUM *client_n)
/* Parse the key from the line. */ /* Parse the key from the line. */
if (!auth_rsa_read_key(&cp, &bits, pk->e, pk->n)) { if (!auth_rsa_read_key(&cp, &bits, pk->e, pk->n)) {
debug("%.100s, line %lu: bad key syntax", debug("%.100s, line %lu: non ssh1 key syntax",
file, linenum);
packet_send_debug("%.100s, line %lu: bad key syntax",
file, linenum); file, linenum);
continue; continue;
} }

32
auth2.c
View File

@ -23,7 +23,7 @@
*/ */
#include "includes.h" #include "includes.h"
RCSID("$OpenBSD: auth2.c,v 1.62 2001/06/07 19:57:53 markus Exp $"); RCSID("$OpenBSD: auth2.c,v 1.63 2001/06/22 21:55:49 markus Exp $");
#include <openssl/evp.h> #include <openssl/evp.h>
@ -650,9 +650,9 @@ authmethod_lookup(const char *name)
/* return 1 if user allows given key */ /* return 1 if user allows given key */
int int
user_key_allowed(struct passwd *pw, Key *key) user_key_allowed2(struct passwd *pw, Key *key, char *file)
{ {
char line[8192], *file; char line[8192];
int found_key = 0; int found_key = 0;
FILE *f; FILE *f;
u_long linenum = 0; u_long linenum = 0;
@ -665,15 +665,12 @@ user_key_allowed(struct passwd *pw, Key *key)
/* Temporarily use the user's uid. */ /* Temporarily use the user's uid. */
temporarily_use_uid(pw); temporarily_use_uid(pw);
/* The authorized keys. */
file = authorized_keys_file2(pw);
debug("trying public key file %s", file); debug("trying public key file %s", file);
/* Fail quietly if file does not exist */ /* Fail quietly if file does not exist */
if (stat(file, &st) < 0) { if (stat(file, &st) < 0) {
/* Restore the privileged uid. */ /* Restore the privileged uid. */
restore_uid(); restore_uid();
xfree(file);
return 0; return 0;
} }
/* Open the file containing the authorized keys. */ /* Open the file containing the authorized keys. */
@ -681,12 +678,10 @@ user_key_allowed(struct passwd *pw, Key *key)
if (!f) { if (!f) {
/* Restore the privileged uid. */ /* Restore the privileged uid. */
restore_uid(); restore_uid();
xfree(file);
return 0; return 0;
} }
if (options.strict_modes && if (options.strict_modes &&
secure_filename(f, file, pw->pw_uid, line, sizeof(line)) != 0) { secure_filename(f, file, pw->pw_uid, line, sizeof(line)) != 0) {
xfree(file);
fclose(f); fclose(f);
log("Authentication refused: %s", line); log("Authentication refused: %s", line);
restore_uid(); restore_uid();
@ -735,13 +730,32 @@ user_key_allowed(struct passwd *pw, Key *key)
} }
restore_uid(); restore_uid();
fclose(f); fclose(f);
xfree(file);
key_free(found); key_free(found);
if (!found_key) if (!found_key)
debug2("key not found"); debug2("key not found");
return found_key; return found_key;
} }
/* check whether given key is in .ssh/authorized_keys* */
int
user_key_allowed(struct passwd *pw, Key *key)
{
int success;
char *file;
file = authorized_keys_file(pw);
success = user_key_allowed2(pw, key, file);
xfree(file);
if (success)
return success;
/* try suffix "2" for backward compat, too */
file = authorized_keys_file2(pw);
success = user_key_allowed2(pw, key, file);
xfree(file);
return success;
}
/* return 1 if given hostkey is allowed */ /* return 1 if given hostkey is allowed */
int int
hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost, hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,

4
pathnames.h
View File

@ -1,4 +1,4 @@
/* $OpenBSD: pathnames.h,v 1.7 2001/06/22 21:27:08 provos Exp $ */ /* $OpenBSD: pathnames.h,v 1.8 2001/06/22 21:55:49 markus Exp $ */
/* /*
* Author: Tatu Ylonen <ylo@cs.hut.fi> * Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -89,6 +89,8 @@
* running as root.) * running as root.)
*/ */
#define _PATH_SSH_USER_PERMITTED_KEYS ".ssh/authorized_keys" #define _PATH_SSH_USER_PERMITTED_KEYS ".ssh/authorized_keys"
/* backward compat for protocol v2 */
#define _PATH_SSH_USER_PERMITTED_KEYS2 ".ssh/authorized_keys2" #define _PATH_SSH_USER_PERMITTED_KEYS2 ".ssh/authorized_keys2"
/* /*

6
ssh-keygen.1
View File

@ -1,4 +1,4 @@
.\" $OpenBSD: ssh-keygen.1,v 1.42 2001/06/03 19:36:44 markus Exp $ .\" $OpenBSD: ssh-keygen.1,v 1.43 2001/06/22 21:55:49 markus Exp $
.\" .\"
.\" -*- nroff -*- .\" -*- nroff -*-
.\" .\"
@ -233,7 +233,7 @@ will read this file when a login attempt is made.
.It Pa $HOME/.ssh/id_dsa.pub .It Pa $HOME/.ssh/id_dsa.pub
Contains the protocol version 2 DSA public key for authentication. Contains the protocol version 2 DSA public key for authentication.
The contents of this file should be added to The contents of this file should be added to
.Pa $HOME/.ssh/authorized_keys2 .Pa $HOME/.ssh/authorized_keys
on all machines on all machines
where you wish to log in using public key authentication. where you wish to log in using public key authentication.
There is no need to keep the contents of this file secret. There is no need to keep the contents of this file secret.
@ -251,7 +251,7 @@ will read this file when a login attempt is made.
.It Pa $HOME/.ssh/id_rsa.pub .It Pa $HOME/.ssh/id_rsa.pub
Contains the protocol version 2 RSA public key for authentication. Contains the protocol version 2 RSA public key for authentication.
The contents of this file should be added to The contents of this file should be added to
.Pa $HOME/.ssh/authorized_keys2 .Pa $HOME/.ssh/authorized_keys
on all machines on all machines
where you wish to log in using public key authentication. where you wish to log in using public key authentication.
There is no need to keep the contents of this file secret. There is no need to keep the contents of this file secret.

16
ssh.1
View File

@ -34,7 +34,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\" .\"
.\" $OpenBSD: ssh.1,v 1.114 2001/06/22 10:17:51 mpech Exp $ .\" $OpenBSD: ssh.1,v 1.115 2001/06/22 21:55:49 markus Exp $
.Dd September 25, 1999 .Dd September 25, 1999
.Dt SSH 1 .Dt SSH 1
.Os .Os
@ -224,7 +224,7 @@ or
.Pa $HOME/.ssh/id_rsa , .Pa $HOME/.ssh/id_rsa ,
to sign the session identifier and sends the result to the server. to sign the session identifier and sends the result to the server.
The server checks whether the matching public key is listed in The server checks whether the matching public key is listed in
.Pa $HOME/.ssh/authorized_keys2 .Pa $HOME/.ssh/authorized_keys
and grants access if both the key is found and the signature is correct. and grants access if both the key is found and the signature is correct.
The session identifier is derived from a shared Diffie-Hellman value The session identifier is derived from a shared Diffie-Hellman value
and is only known to the client and the server. and is only known to the client and the server.
@ -1224,7 +1224,7 @@ The contents of the
and and
.Pa $HOME/.ssh/id_rsa.pub .Pa $HOME/.ssh/id_rsa.pub
file should be added to file should be added to
.Pa $HOME/.ssh/authorized_keys2 .Pa $HOME/.ssh/authorized_keys
on all machines on all machines
where you wish to log in using protocol version 2 DSA/RSA authentication. where you wish to log in using protocol version 2 DSA/RSA authentication.
These files are not These files are not
@ -1242,18 +1242,10 @@ This file does not usually contain any sensitive information,
but the recommended permissions are read/write for the user, and not but the recommended permissions are read/write for the user, and not
accessible by others. accessible by others.
.It Pa $HOME/.ssh/authorized_keys .It Pa $HOME/.ssh/authorized_keys
Lists the RSA keys that can be used for logging in as this user. Lists the public keys (RSA/DSA) that can be used for logging in as this user.
The format of this file is described in the The format of this file is described in the
.Xr sshd 8 .Xr sshd 8
manual page. manual page.
In the simplest form the format is the same as the .pub
identity files (that is, each line contains the number of bits in
modulus, public exponent, modulus, and comment fields, separated by
spaces).
This file is not highly sensitive, but the recommended
permissions are read/write for the user, and not accessible by others.
.It Pa $HOME/.ssh/authorized_keys2
Lists the public keys (RSA/DSA) that can be used for logging in as this user.
This file is not highly sensitive, but the recommended This file is not highly sensitive, but the recommended
permissions are read/write for the user, and not accessible by others. permissions are read/write for the user, and not accessible by others.
.It Pa /etc/ssh_known_hosts, /etc/ssh_known_hosts2 .It Pa /etc/ssh_known_hosts, /etc/ssh_known_hosts2

41
sshd.8
View File

@ -34,7 +34,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\" .\"
.\" $OpenBSD: sshd.8,v 1.129 2001/06/22 21:28:53 provos Exp $ .\" $OpenBSD: sshd.8,v 1.130 2001/06/22 21:55:50 markus Exp $
.Dd September 25, 1999 .Dd September 25, 1999
.Dt SSHD 8 .Dt SSHD 8
.Os .Os
@ -345,20 +345,6 @@ is taken to be an absolute path or one relative to the user's home
directory. directory.
The default is The default is
.Dq .ssh/authorized_keys .Dq .ssh/authorized_keys
.It Cm AuthorizedKeysFile2
Specifies the file that contains the public keys that can be used
for public key authentication in protocol version 2.
.Cm AuthorizedKeysFile2
may contain tokens of the form %T which are substituted during connection
set-up. The following tokens are defined; %% is replaces by a literal '%',
%h is replaced by the home directory of the user being authenticated and
%u is replaced by the username of that user.
After expansion,
.Cm AuthorizedKeysFile2
is taken to be an absolute path or one relative to the user's home
directory.
The default is
.Dq .ssh/authorized_keys2
.It Cm Banner .It Cm Banner
In some jurisdictions, sending a warning message before authentication In some jurisdictions, sending a warning message before authentication
may be relevant for getting legal protection. may be relevant for getting legal protection.
@ -921,16 +907,11 @@ Runs user's shell or command.
.El .El
.Sh AUTHORIZED_KEYS FILE FORMAT .Sh AUTHORIZED_KEYS FILE FORMAT
.Pa $HOME/.ssh/authorized_keys .Pa $HOME/.ssh/authorized_keys
is the default file that lists the RSA keys that are is the default file that lists the public keys that are
permitted for RSA authentication in protocol version 1. permitted for RSA authentication in protocol version 1
.Cm AuthorizedKeysFile and for public key authentication (PubkeyAuthentication)
may be used to specify an alternative file.
Similarly,
.Pa $HOME/.ssh/authorized_keys2
is the default file that lists the DSA and RSA keys that are
permitted for public key authentication (PubkeyAuthentication)
in protocol version 2. in protocol version 2.
.Cm AuthorizedKeysFile2 .Cm AuthorizedKeysFile
may be used to specify an alternative file. may be used to specify an alternative file.
.Pp .Pp
Each line of the file contains one Each line of the file contains one
@ -1133,17 +1114,6 @@ concurrently for different ports, this contains the pid of the one
started last). started last).
The content of this file is not sensitive; it can be world-readable. The content of this file is not sensitive; it can be world-readable.
.It Pa $HOME/.ssh/authorized_keys .It Pa $HOME/.ssh/authorized_keys
Lists the RSA keys that can be used to log into the user's account.
This file must be readable by root (which may on some machines imply
it being world-readable if the user's home directory resides on an NFS
volume).
It is recommended that it not be accessible by others.
The format of this file is described above.
Users will place the contents of their
.Pa identity.pub
files into this file, as described in
.Xr ssh-keygen 1 .
.It Pa $HOME/.ssh/authorized_keys2
Lists the public keys (RSA or DSA) that can be used to log into the user's account. Lists the public keys (RSA or DSA) that can be used to log into the user's account.
This file must be readable by root (which may on some machines imply This file must be readable by root (which may on some machines imply
it being world-readable if the user's home directory resides on an NFS it being world-readable if the user's home directory resides on an NFS
@ -1151,6 +1121,7 @@ volume).
It is recommended that it not be accessible by others. It is recommended that it not be accessible by others.
The format of this file is described above. The format of this file is described above.
Users will place the contents of their Users will place the contents of their
.Pa identity.pub ,
.Pa id_dsa.pub .Pa id_dsa.pub
and/or and/or
.Pa id_rsa.pub .Pa id_rsa.pub

3
sshd_config
View File

@ -1,4 +1,4 @@
# $OpenBSD: sshd_config,v 1.40 2001/05/31 13:08:04 markus Exp $ # $OpenBSD: sshd_config,v 1.41 2001/06/22 21:55:50 markus Exp $
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
@ -34,7 +34,6 @@ StrictModes yes
RSAAuthentication yes RSAAuthentication yes
PubkeyAuthentication yes PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys #AuthorizedKeysFile %h/.ssh/authorized_keys
#AuthorizedKeysFile2 %h/.ssh/authorized_keys2
# rhosts authentication should not be used # rhosts authentication should not be used
RhostsAuthentication no RhostsAuthentication no