authordjm@openbsd.org <djm@openbsd.org>2022-05-27 05:02:46 +0000
committerDamien Miller <djm@mindrot.org>2022-05-27 16:38:03 +1000
commitc83d8c4d6f3ccceef84d46de107f6b71cda06359 (patch)
tree81872e6e3f2382f879831c09ae21e422ed41b900 /auth.c
parent3b0b142d2a0767d8cd838e2f3aefde8a0aaa41e1 (diff)
upstream: split the low-level file handling functions out from
auth2-pubkey.c. Put them in a new auth2-pubkeyfile.c to make it easier to refer to them (e.g. in unit/fuzz tests) without having to refer to everything else pubkey auth brings in. ok dtucker@ OpenBSD-Commit-ID: 3fdca2c61ad97dc1b8d4a7346816f83dc4ce2217
Diffstat (limited to 'auth.c')
-rw-r--r--auth.c94
1 files changed, 1 insertions, 93 deletions
diff --git a/auth.c b/auth.c
index 57ade8db..9ad9034a 100644
--- a/auth.c
+++ b/auth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.c,v 1.156 2022/05/27 05:01:25 djm Exp $ */
+/* $OpenBSD: auth.c,v 1.157 2022/05/27 05:02:46 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
@@ -912,95 +912,3 @@ auth_restrict_session(struct ssh *ssh)
fatal_f("failed to restrict session");
sshauthopt_free(restricted);
}
-
-int
-auth_authorise_keyopts(struct passwd *pw, struct sshauthopt *opts,
- int allow_cert_authority, const char *remote_ip, const char *remote_host,
- const char *loc)
-{
- time_t now = time(NULL);
- char buf[64];
-
- /*
- * Check keys/principals file expiry time.
- * NB. validity interval in certificate is handled elsewhere.
- */
- if (opts->valid_before && now > 0 &&
- opts->valid_before < (uint64_t)now) {
- format_absolute_time(opts->valid_before, buf, sizeof(buf));
- debug("%s: entry expired at %s", loc, buf);
- auth_debug_add("%s: entry expired at %s", loc, buf);
- return -1;
- }
- /* Consistency checks */
- if (opts->cert_principals != NULL && !opts->cert_authority) {
- debug("%s: principals on non-CA key", loc);
- auth_debug_add("%s: principals on non-CA key", loc);
- /* deny access */
- return -1;
- }
- /* cert-authority flag isn't valid in authorized_principals files */
- if (!allow_cert_authority && opts->cert_authority) {
- debug("%s: cert-authority flag invalid here", loc);
- auth_debug_add("%s: cert-authority flag invalid here", loc);
- /* deny access */
- return -1;
- }
-
- /* Perform from= checks */
- if (opts->required_from_host_keys != NULL) {
- switch (match_host_and_ip(remote_host, remote_ip,
- opts->required_from_host_keys )) {
- case 1:
- /* Host name matches. */
- break;
- case -1:
- default:
- debug("%s: invalid from criteria", loc);
- auth_debug_add("%s: invalid from criteria", loc);
- /* FALLTHROUGH */
- case 0:
- logit("%s: Authentication tried for %.100s with "
- "correct key but not from a permitted "
- "host (host=%.200s, ip=%.200s, required=%.200s).",
- loc, pw->pw_name, remote_host, remote_ip,
- opts->required_from_host_keys);
- auth_debug_add("%s: Your host '%.200s' is not "
- "permitted to use this key for login.",
- loc, remote_host);
- /* deny access */
- return -1;
- }
- }
- /* Check source-address restriction from certificate */
- if (opts->required_from_host_cert != NULL) {
- switch (addr_match_cidr_list(remote_ip,
- opts->required_from_host_cert)) {
- case 1:
- /* accepted */
- break;
- case -1:
- default:
- /* invalid */
- error("%s: Certificate source-address invalid", loc);
- /* FALLTHROUGH */
- case 0:
- logit("%s: Authentication tried for %.100s with valid "
- "certificate but not from a permitted source "
- "address (%.200s).", loc, pw->pw_name, remote_ip);
- auth_debug_add("%s: Your address '%.200s' is not "
- "permitted to use this certificate for login.",
- loc, remote_ip);
- return -1;
- }
- }
- /*
- *
- * XXX this is spammy. We should report remotely only for keys
- * that are successful in actual auth attempts, and not PK_OK
- * tests.
- */
- auth_log_authopts(loc, opts, 1);
-
- return 0;
-}