diff options
author | Dag-Erling Smørgrav <des@FreeBSD.org> | 2018-08-28 10:47:58 +0000 |
---|---|---|
committer | Dag-Erling Smørgrav <des@FreeBSD.org> | 2018-08-28 10:47:58 +0000 |
commit | d46065df2d60bfbd08939733bd79b2a440d6fbc8 (patch) | |
tree | 720921fc9471de3c67f5b8dc1404c8f6c6a02cb1 /auth.c | |
parent | 3d0e42005d3bf786341ab96cfa1788bc601faa12 (diff) |
Notes
Diffstat (limited to 'auth.c')
-rw-r--r-- | auth.c | 63 |
1 files changed, 39 insertions, 24 deletions
@@ -1,4 +1,4 @@ -/* $OpenBSD: auth.c,v 1.127 2018/03/12 00:52:01 djm Exp $ */ +/* $OpenBSD: auth.c,v 1.132 2018/07/11 08:19:35 martijn Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -55,10 +55,10 @@ #include "match.h" #include "groupaccess.h" #include "log.h" -#include "buffer.h" +#include "sshbuf.h" #include "misc.h" #include "servconf.h" -#include "key.h" +#include "sshkey.h" #include "hostfile.h" #include "auth.h" #include "auth-options.h" @@ -79,13 +79,12 @@ /* import */ extern ServerOptions options; extern int use_privsep; -extern Buffer loginmsg; +extern struct sshbuf *loginmsg; extern struct passwd *privsep_pw; extern struct sshauthopt *auth_opts; /* Debugging messages */ -Buffer auth_debug; -int auth_debug_init; +static struct sshbuf *auth_debug; /* * Check if the user is allowed to log in via ssh. If user is listed @@ -281,7 +280,7 @@ format_method_key(Authctxt *authctxt) if (key == NULL) return NULL; - if (key_is_cert(key)) { + if (sshkey_is_cert(key)) { fp = sshkey_fingerprint(key->cert->signature_key, options.fingerprint_hash, SSH_FP_DEFAULT); xasprintf(&ret, "%s ID %s (serial %llu) CA %s %s%s%s", @@ -422,11 +421,13 @@ auth_root_allowed(struct ssh *ssh, const char *method) char * expand_authorized_keys(const char *filename, struct passwd *pw) { - char *file, ret[PATH_MAX]; + char *file, uidstr[32], ret[PATH_MAX]; int i; + snprintf(uidstr, sizeof(uidstr), "%llu", + (unsigned long long)pw->pw_uid); file = percent_expand(filename, "h", pw->pw_dir, - "u", pw->pw_name, (char *)NULL); + "u", pw->pw_name, "U", uidstr, (char *)NULL); /* * Ensure that filename starts anchored. If not, be backward @@ -670,26 +671,32 @@ auth_debug_add(const char *fmt,...) { char buf[1024]; va_list args; + int r; - if (!auth_debug_init) + if (auth_debug == NULL) return; va_start(args, fmt); vsnprintf(buf, sizeof(buf), fmt, args); va_end(args); - buffer_put_cstring(&auth_debug, buf); + if ((r = sshbuf_put_cstring(auth_debug, buf)) != 0) + fatal("%s: sshbuf_put_cstring: %s", __func__, ssh_err(r)); } void auth_debug_send(void) { + struct ssh *ssh = active_state; /* XXX */ char *msg; + int r; - if (!auth_debug_init) + if (auth_debug == NULL) return; - while (buffer_len(&auth_debug)) { - msg = buffer_get_string(&auth_debug, NULL); - packet_send_debug("%s", msg); + while (sshbuf_len(auth_debug) != 0) { + if ((r = sshbuf_get_cstring(auth_debug, &msg, NULL)) != 0) + fatal("%s: sshbuf_get_cstring: %s", + __func__, ssh_err(r)); + ssh_packet_send_debug(ssh, "%s", msg); free(msg); } } @@ -697,12 +704,10 @@ auth_debug_send(void) void auth_debug_reset(void) { - if (auth_debug_init) - buffer_clear(&auth_debug); - else { - buffer_init(&auth_debug); - auth_debug_init = 1; - } + if (auth_debug != NULL) + sshbuf_reset(auth_debug); + else if ((auth_debug = sshbuf_new()) == NULL) + fatal("%s: sshbuf_new failed", __func__); } struct passwd * @@ -843,7 +848,7 @@ auth_get_canonical_hostname(struct ssh *ssh, int use_dns) } /* - * Runs command in a subprocess wuth a minimal environment. + * Runs command in a subprocess with a minimal environment. * Returns pid on success, 0 on failure. * The child stdout and stderr maybe captured, left attached or sent to * /dev/null depending on the contents of flags. @@ -1003,17 +1008,20 @@ auth_log_authopts(const char *loc, const struct sshauthopt *opts, int do_remote) int do_env = options.permit_user_env && opts->nenv > 0; int do_permitopen = opts->npermitopen > 0 && (options.allow_tcp_forwarding & FORWARD_LOCAL) != 0; + int do_permitlisten = opts->npermitlisten > 0 && + (options.allow_tcp_forwarding & FORWARD_REMOTE) != 0; size_t i; char msg[1024], buf[64]; snprintf(buf, sizeof(buf), "%d", opts->force_tun_device); /* Try to keep this alphabetically sorted */ - snprintf(msg, sizeof(msg), "key options:%s%s%s%s%s%s%s%s%s%s%s%s", + snprintf(msg, sizeof(msg), "key options:%s%s%s%s%s%s%s%s%s%s%s%s%s", opts->permit_agent_forwarding_flag ? " agent-forwarding" : "", opts->force_command == NULL ? "" : " command", do_env ? " environment" : "", opts->valid_before == 0 ? "" : "expires", do_permitopen ? " permitopen" : "", + do_permitlisten ? " permitlisten" : "", opts->permit_port_forwarding_flag ? " port-forwarding" : "", opts->cert_principals == NULL ? "" : " principals", opts->permit_pty_flag ? " pty" : "", @@ -1047,12 +1055,18 @@ auth_log_authopts(const char *loc, const struct sshauthopt *opts, int do_remote) } if (opts->force_command != NULL) debug("%s: forced command: \"%s\"", loc, opts->force_command); - if ((options.allow_tcp_forwarding & FORWARD_LOCAL) != 0) { + if (do_permitopen) { for (i = 0; i < opts->npermitopen; i++) { debug("%s: permitted open: %s", loc, opts->permitopen[i]); } } + if (do_permitlisten) { + for (i = 0; i < opts->npermitlisten; i++) { + debug("%s: permitted listen: %s", + loc, opts->permitlisten[i]); + } + } } /* Activate a new set of key/cert options; merging with what is there. */ @@ -1080,6 +1094,7 @@ auth_restrict_session(struct ssh *ssh) /* A blank sshauthopt defaults to permitting nothing */ restricted = sshauthopt_new(); + restricted->permit_pty_flag = 1; restricted->restricted = 1; if (auth_activate_options(ssh, restricted) != 0) |