
Diff for /src/usr.bin/ssh/auth-options.c between version 1.71 and 1.72

version 1.71, 2016/03/07 19:02:43 version 1.72, 2016/11/30 02:57:40
Line 598 
Line 598 
  * options so this must be called after auth_parse_options().   * options so this must be called after auth_parse_options().
  */   */
 int  int
 auth_cert_options(struct sshkey *k, struct passwd *pw)  auth_cert_options(struct sshkey *k, struct passwd *pw, const char **reason)
 {  {
         int cert_no_port_forwarding_flag = 1;          int cert_no_port_forwarding_flag = 1;
         int cert_no_agent_forwarding_flag = 1;          int cert_no_agent_forwarding_flag = 1;
Line 608 
Line 608 
         char *cert_forced_command = NULL;          char *cert_forced_command = NULL;
         int cert_source_address_done = 0;          int cert_source_address_done = 0;
   
           *reason = "invalid certificate options";
   
         /* Separate options and extensions for v01 certs */          /* Separate options and extensions for v01 certs */
         if (parse_option_list(k->cert->critical, pw,          if (parse_option_list(k->cert->critical, pw,
             OPTIONS_CRITICAL, 1, NULL, NULL, NULL, NULL, NULL,              OPTIONS_CRITICAL, 1, NULL, NULL, NULL, NULL, NULL,
Line 629 
Line 631 
         no_x11_forwarding_flag |= cert_no_x11_forwarding_flag;          no_x11_forwarding_flag |= cert_no_x11_forwarding_flag;
         no_pty_flag |= cert_no_pty_flag;          no_pty_flag |= cert_no_pty_flag;
         no_user_rc |= cert_no_user_rc;          no_user_rc |= cert_no_user_rc;
         /* CA-specified forced command supersedes key option */          /*
         if (cert_forced_command != NULL) {           * Only permit both CA and key option forced-command if they match.
                 free(forced_command);           * Otherwise refuse the certificate.
            */
           if (cert_forced_command != NULL && forced_command != NULL) {
                   if (strcmp(forced_command, cert_forced_command) == 0) {
                           free(forced_command);
                           forced_command = cert_forced_command;
                   } else {
                           *reason = "certificate and key options forced command "
                               "do not match";
                           free(cert_forced_command);
                           return -1;
                   }
           } else if (cert_forced_command != NULL)
                 forced_command = cert_forced_command;                  forced_command = cert_forced_command;
         }          /* success */
           *reason = NULL;
         return 0;          return 0;
 }  }
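Review bot: `reason` is dereferenced unconditionally in the new auth_cert_options(): at `*reason = "invalid certificate options";` near the top, on the mismatch branch, and at `*reason = NULL;` before the success return, so a caller passing NULL would crash in the certificate-authentication path. Either guard the stores, e.g. `if (reason != NULL) *reason = "invalid certificate options";`, or state in the function's header comment (which starts outside this hunk) that `reason` must be non-NULL and receives a pointer to a static string the caller must not free. The callers are not visible on this page, so whether any of them passes NULL cannot be confirmed from here. Separately, the certificate's restriction flags are OR-ed into the global flags before the forced-command mismatch returns -1; that only tightens state, but a short comment saying so would help, and the trailing `else if (cert_forced_command != NULL)` would be safer to maintain with braces like the branch above it.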
   
