version 1.79, 2010/12/03 23:55:27 |
version 1.80, 2011/05/23 03:30:07 |
|
|
return (success); |
return (success); |
} |
} |
|
|
/* |
static int |
* check if there's user key matching client_n, |
rsa_key_allowed_in_file(struct passwd *pw, char *file, |
* return key if login is allowed, NULL otherwise |
const BIGNUM *client_n, Key **rkey) |
*/ |
|
|
|
int |
|
auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey) |
|
{ |
{ |
char line[SSH_MAX_PUBKEY_BYTES], *file; |
char line[SSH_MAX_PUBKEY_BYTES]; |
int allowed = 0; |
int allowed = 0; |
u_int bits; |
u_int bits; |
FILE *f; |
FILE *f; |
u_long linenum = 0; |
u_long linenum = 0; |
Key *key; |
Key *key; |
|
|
/* Temporarily use the user's uid. */ |
|
temporarily_use_uid(pw); |
|
|
|
/* The authorized keys. */ |
|
file = authorized_keys_file(pw); |
|
debug("trying public RSA key file %s", file); |
debug("trying public RSA key file %s", file); |
f = auth_openkeyfile(file, pw, options.strict_modes); |
if ((f = auth_openkeyfile(file, pw, options.strict_modes)) == NULL) |
if (!f) { |
return 0; |
xfree(file); |
|
restore_uid(); |
|
return (0); |
|
} |
|
|
|
/* Flag indicating whether the key is allowed. */ |
|
allowed = 0; |
|
|
|
key = key_new(KEY_RSA1); |
|
|
|
/* |
/* |
* Go though the accepted keys, looking for the current key. If |
* Go though the accepted keys, looking for the current key. If |
* found, perform a challenge-response dialog to verify that the |
* found, perform a challenge-response dialog to verify that the |
* user really has the corresponding private key. |
* user really has the corresponding private key. |
*/ |
*/ |
|
key = key_new(KEY_RSA1); |
while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { |
while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { |
char *cp; |
char *cp; |
char *key_options; |
char *key_options; |
|
|
} |
} |
/* cp now points to the comment part. */ |
/* cp now points to the comment part. */ |
|
|
/* Check if the we have found the desired key (identified by its modulus). */ |
/* |
|
* Check if the we have found the desired key (identified |
|
* by its modulus). |
|
*/ |
if (BN_cmp(key->rsa->n, client_n) != 0) |
if (BN_cmp(key->rsa->n, client_n) != 0) |
continue; |
continue; |
|
|
|
|
break; |
break; |
} |
} |
|
|
/* Restore the privileged uid. */ |
|
restore_uid(); |
|
|
|
/* Close the file. */ |
/* Close the file. */ |
xfree(file); |
|
fclose(f); |
fclose(f); |
|
|
/* return key if allowed */ |
/* return key if allowed */ |
|
|
*rkey = key; |
*rkey = key; |
else |
else |
key_free(key); |
key_free(key); |
return (allowed); |
|
|
return allowed; |
|
} |
|
|
|
/* |
|
* check if there's user key matching client_n, |
|
* return key if login is allowed, NULL otherwise |
|
*/ |
|
|
|
int |
|
auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey) |
|
{ |
|
char *file; |
|
u_int i, allowed = 0; |
|
|
|
temporarily_use_uid(pw); |
|
|
|
for (i = 0; !allowed && i < options.num_authkeys_files; i++) { |
|
file = expand_authorized_keys( |
|
options.authorized_keys_files[i], pw); |
|
allowed = rsa_key_allowed_in_file(pw, file, client_n, rkey); |
|
xfree(file); |
|
} |
|
|
|
restore_uid(); |
|
|
|
return allowed; |
} |
} |
|
|
/* |
/* |