diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2019-06-14 03:39:59 +0000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2019-06-14 13:42:31 +1000 |
| commit | c95b90d40170473825904be561b1eafba354f376 (patch) | |
| tree | b3d7fff27ab43df4ee994a359bfc4c7fdf4acc94 /auth2-pubkey.c | |
| parent | a5a53914989ddd3521b6edc452bc3291784a4f4f (diff) | |
| download | openssh-git-c95b90d40170473825904be561b1eafba354f376.tar.gz | |
upstream: for public key authentication, check AuthorizedKeysFiles
files before consulting AuthorizedKeysCommand; ok dtucker markus
OpenBSD-Commit-ID: 13652998bea5cb93668999c39c3c48e8429db8b3
Diffstat (limited to 'auth2-pubkey.c')
| -rw-r--r-- | auth2-pubkey.c | 29 |
1 files changed, 18 insertions, 11 deletions
diff --git a/auth2-pubkey.c b/auth2-pubkey.c index 3422b518..4e01b605 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-pubkey.c,v 1.88 2019/05/20 00:25:55 djm Exp $ */ +/* $OpenBSD: auth2-pubkey.c,v 1.89 2019/06/14 03:39:59 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -1014,9 +1014,10 @@ int user_key_allowed(struct ssh *ssh, struct passwd *pw, struct sshkey *key, int auth_attempt, struct sshauthopt **authoptsp) { - u_int success, i; + u_int success = 0, i; char *file; struct sshauthopt *opts = NULL; + if (authoptsp != NULL) *authoptsp = NULL; @@ -1026,6 +1027,21 @@ user_key_allowed(struct ssh *ssh, struct passwd *pw, struct sshkey *key, auth_key_is_revoked(key->cert->signature_key)) return 0; + for (i = 0; !success && i < options.num_authkeys_files; i++) { + if (strcasecmp(options.authorized_keys_files[i], "none") == 0) + continue; + file = expand_authorized_keys( + options.authorized_keys_files[i], pw); + success = user_key_allowed2(ssh, pw, key, file, &opts); + free(file); + if (!success) { + sshauthopt_free(opts); + opts = NULL; + } + } + if (success) + goto out; + if ((success = user_cert_trusted_ca(ssh, pw, key, &opts)) != 0) goto out; sshauthopt_free(opts); @@ -1036,15 +1052,6 @@ user_key_allowed(struct ssh *ssh, struct passwd *pw, struct sshkey *key, sshauthopt_free(opts); opts = NULL; - for (i = 0; !success && i < options.num_authkeys_files; i++) { - if (strcasecmp(options.authorized_keys_files[i], "none") == 0) - continue; - file = expand_authorized_keys( - options.authorized_keys_files[i], pw); - success = user_key_allowed2(ssh, pw, key, file, &opts); - free(file); - } - out: if (success && authoptsp != NULL) { *authoptsp = opts; |