summaryrefslogtreecommitdiffstats
path: root/crypto/openssh/auth.c
diff options
context:
space:
mode:
Diffstat (limited to 'crypto/openssh/auth.c')
-rw-r--r--crypto/openssh/auth.c61
1 files changed, 51 insertions, 10 deletions
diff --git a/crypto/openssh/auth.c b/crypto/openssh/auth.c
index 2b6e09a..06ca760 100644
--- a/crypto/openssh/auth.c
+++ b/crypto/openssh/auth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.c,v 1.75 2006/08/03 03:34:41 deraadt Exp $ */
+/* $OpenBSD: auth.c,v 1.79 2008/07/02 12:03:51 dtucker Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
@@ -33,6 +33,7 @@ __RCSID("$FreeBSD$");
#include <netinet/in.h>
#include <errno.h>
+#include <fcntl.h>
#ifdef HAVE_PATHS_H
# include <paths.h>
#endif
@@ -49,6 +50,7 @@ __RCSID("$FreeBSD$");
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
+#include <unistd.h>
#include "xmalloc.h"
#include "match.h"
@@ -114,15 +116,14 @@ allowed_user(struct passwd * pw)
#endif /* USE_SHADOW */
/* grab passwd field for locked account check */
+ passwd = pw->pw_passwd;
#ifdef USE_SHADOW
if (spw != NULL)
-#if defined(HAVE_LIBIAF) && !defined(BROKEN_LIBIAF)
+#ifdef USE_LIBIAF
passwd = get_iaf_password(pw);
#else
passwd = spw->sp_pwdp;
-#endif /* HAVE_LIBIAF && !BROKEN_LIBIAF */
-#else
- passwd = pw->pw_passwd;
+#endif /* USE_LIBIAF */
#endif
/* check for locked account */
@@ -142,9 +143,9 @@ allowed_user(struct passwd * pw)
if (strstr(passwd, LOCKED_PASSWD_SUBSTR))
locked = 1;
#endif
-#if defined(HAVE_LIBIAF) && !defined(BROKEN_LIBIAF)
+#ifdef USE_LIBIAF
free(passwd);
-#endif /* HAVE_LIBIAF && !BROKEN_LIBIAF */
+#endif /* USE_LIBIAF */
if (locked) {
logit("User %.100s not allowed because account is locked",
pw->pw_name);
@@ -411,7 +412,7 @@ check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host,
*
* Returns 0 on success and -1 on failure
*/
-int
+static int
secure_filename(FILE *f, const char *file, struct passwd *pw,
char *err, size_t errlen)
{
@@ -471,6 +472,46 @@ secure_filename(FILE *f, const char *file, struct passwd *pw,
return 0;
}
+FILE *
+auth_openkeyfile(const char *file, struct passwd *pw, int strict_modes)
+{
+ char line[1024];
+ struct stat st;
+ int fd;
+ FILE *f;
+
+ /*
+ * Open the file containing the authorized keys
+ * Fail quietly if file does not exist
+ */
+ if ((fd = open(file, O_RDONLY|O_NONBLOCK)) == -1)
+ return NULL;
+
+ if (fstat(fd, &st) < 0) {
+ close(fd);
+ return NULL;
+ }
+ if (!S_ISREG(st.st_mode)) {
+ logit("User %s authorized keys %s is not a regular file",
+ pw->pw_name, file);
+ close(fd);
+ return NULL;
+ }
+ unset_nonblock(fd);
+ if ((f = fdopen(fd, "r")) == NULL) {
+ close(fd);
+ return NULL;
+ }
+ if (options.strict_modes &&
+ secure_filename(f, file, pw, line, sizeof(line)) != 0) {
+ fclose(f);
+ logit("Authentication refused: %s", line);
+ return NULL;
+ }
+
+ return f;
+}
+
struct passwd *
getpwnamallow(const char *user)
{
@@ -570,8 +611,8 @@ fakepw(void)
fake.pw_passwd =
"$2a$06$r3.juUaHZDlIbQaO2dS9FuYxL1W9M81R1Tc92PoSNmzvpEqLkLGrK";
fake.pw_gecos = "NOUSER";
- fake.pw_uid = privsep_pw->pw_uid;
- fake.pw_gid = privsep_pw->pw_gid;
+ fake.pw_uid = privsep_pw == NULL ? (uid_t)-1 : privsep_pw->pw_uid;
+ fake.pw_gid = privsep_pw == NULL ? (gid_t)-1 : privsep_pw->pw_gid;
#ifdef HAVE_PW_CLASS_IN_PASSWD
fake.pw_class = "";
#endif
OpenPOWER on IntegriCloud