summaryrefslogtreecommitdiff
path: root/auth-rsa.c
diff options
context:
space:
mode:
authorDamien Miller <djm@mindrot.org>2000-06-07 19:55:44 +1000
committerDamien Miller <djm@mindrot.org>2000-06-07 19:55:44 +1000
commitd3a185709dfb8588ae7cacc079312d1fcc450e9c (patch)
tree8e9798d35f76171481f034720767e507e6bbd6f9 /auth-rsa.c
parente37bfc19f7263b838896ae403e55aa703a06b69a (diff)
downloadopenssh-git-d3a185709dfb8588ae7cacc079312d1fcc450e9c.tar.gz
- (djm) Fix rsh path in RPMs. Report from Jason L Tibbitts III
<tibbs@math.uh.edu> - (djm) OpenBSD CVS updates: - todd@cvs.openbsd.org [sshconnect2.c] teach protocol v2 to count login failures properly and also enable an explanation of why the password prompt comes up again like v1; this is NOT crypto - markus@cvs.openbsd.org [readconf.c readconf.h servconf.c servconf.h session.c ssh.1 ssh.c sshd.8] xauth_location support; pr 1234 [readconf.c sshconnect2.c] typo, unused [session.c] allow use_login only for login sessions, otherwise remote commands are execed with uid==0 [sshd.8] document UseLogin better [version.h] OpenSSH 2.1.1 [auth-rsa.c] fix match_hostname() logic for auth-rsa: deny access if we have a negative match or no match at all [channels.c hostfile.c match.c] don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via kris@FreeBSD.org
Diffstat (limited to 'auth-rsa.c')
-rw-r--r--auth-rsa.c18
1 files changed, 13 insertions, 5 deletions
diff --git a/auth-rsa.c b/auth-rsa.c
index 22e3f01f..f01c5c92 100644
--- a/auth-rsa.c
+++ b/auth-rsa.c
@@ -16,7 +16,7 @@
*/
#include "includes.h"
-RCSID("$Id: auth-rsa.c,v 1.19 2000/04/30 00:00:53 damien Exp $");
+RCSID("$Id: auth-rsa.c,v 1.20 2000/06/07 09:55:44 djm Exp $");
#include "rsa.h"
#include "packet.h"
@@ -133,6 +133,7 @@ auth_rsa(struct passwd *pw, BIGNUM *client_n)
unsigned long linenum = 0;
struct stat st;
RSA *pk;
+ int mname, mip;
/* Temporarily use the user's uid. */
temporarily_use_uid(pw->pw_uid);
@@ -390,10 +391,17 @@ auth_rsa(struct passwd *pw, BIGNUM *client_n)
}
patterns[i] = 0;
options++;
- if (!match_hostname(get_canonical_hostname(), patterns,
- strlen(patterns)) &&
- !match_hostname(get_remote_ipaddr(), patterns,
- strlen(patterns))) {
+ /*
+ * Deny access if we get a negative
+ * match for the hostname or the ip
+ * or if we get not match at all
+ */
+ mname = match_hostname(get_canonical_hostname(),
+ patterns, strlen(patterns));
+ mip = match_hostname(get_remote_ipaddr(),
+ patterns, strlen(patterns));
+ if (mname == -1 || mip == -1 ||
+ (mname != 1 && mip != 1)) {
log("RSA authentication tried for %.100s with correct key but not from a permitted host (host=%.200s, ip=%.200s).",
pw->pw_name, get_canonical_hostname(),
get_remote_ipaddr());