| version 1.148, 2020/10/16 13:26:13 |
version 1.149, 2020/10/18 11:32:01 |
|
|
| error("WARNING: revoked key for %s attempted authentication", |
error("WARNING: revoked key for %s attempted authentication", |
| host); |
host); |
| else if (host_status == HOST_OK) |
else if (host_status == HOST_OK) |
| debug("%s: key for %s found at %s:%ld", __func__, |
debug_f("key for %s found at %s:%ld", |
| found->host, found->file, found->line); |
found->host, found->file, found->line); |
| else |
else |
| debug("%s: key for host %s not found", __func__, host); |
debug_f("key for host %s not found", host); |
| |
|
| free_hostkeys(hostkeys); |
free_hostkeys(hostkeys); |
| |
|
|
|
| if ((fp = sshkey_fingerprint(key, options.fingerprint_hash, |
if ((fp = sshkey_fingerprint(key, options.fingerprint_hash, |
| SSH_FP_DEFAULT)) == NULL) { |
SSH_FP_DEFAULT)) == NULL) { |
| r = SSH_ERR_ALLOC_FAIL; |
r = SSH_ERR_ALLOC_FAIL; |
| error("%s: fingerprint key: %s", __func__, ssh_err(r)); |
error_fr(r, "fingerprint key"); |
| goto out; |
goto out; |
| } |
} |
| |
|
|
|
| sshkey_type(key), fp, options.revoked_keys_file); |
sshkey_type(key), fp, options.revoked_keys_file); |
| goto out; |
goto out; |
| default: |
default: |
| error("Error checking authentication key %s %s in " |
error_r(r, "Error checking authentication key %s %s in " |
| "revoked keys file %s: %s", sshkey_type(key), fp, |
"revoked keys file %s", sshkey_type(key), fp, |
| options.revoked_keys_file, ssh_err(r)); |
options.revoked_keys_file); |
| goto out; |
goto out; |
| } |
} |
| |
|
|
|
| vsnprintf(buf, sizeof(buf), fmt, args); |
vsnprintf(buf, sizeof(buf), fmt, args); |
| va_end(args); |
va_end(args); |
| if ((r = sshbuf_put_cstring(auth_debug, buf)) != 0) |
if ((r = sshbuf_put_cstring(auth_debug, buf)) != 0) |
| fatal("%s: sshbuf_put_cstring: %s", __func__, ssh_err(r)); |
fatal_fr(r, "sshbuf_put_cstring"); |
| } |
} |
| |
|
| void |
void |
|
|
| return; |
return; |
| while (sshbuf_len(auth_debug) != 0) { |
while (sshbuf_len(auth_debug) != 0) { |
| if ((r = sshbuf_get_cstring(auth_debug, &msg, NULL)) != 0) |
if ((r = sshbuf_get_cstring(auth_debug, &msg, NULL)) != 0) |
| fatal("%s: sshbuf_get_cstring: %s", |
fatal_fr(r, "sshbuf_get_cstring"); |
| __func__, ssh_err(r)); |
|
| ssh_packet_send_debug(ssh, "%s", msg); |
ssh_packet_send_debug(ssh, "%s", msg); |
| free(msg); |
free(msg); |
| } |
} |
|
|
| if (auth_debug != NULL) |
if (auth_debug != NULL) |
| sshbuf_reset(auth_debug); |
sshbuf_reset(auth_debug); |
| else if ((auth_debug = sshbuf_new()) == NULL) |
else if ((auth_debug = sshbuf_new()) == NULL) |
| fatal("%s: sshbuf_new failed", __func__); |
fatal_f("sshbuf_new failed"); |
| } |
} |
| |
|
| struct passwd * |
struct passwd * |
|
|
| if (child != NULL) |
if (child != NULL) |
| *child = NULL; |
*child = NULL; |
| |
|
| debug3("%s: %s command \"%s\" running as %s (flags 0x%x)", __func__, |
debug3_f("%s command \"%s\" running as %s (flags 0x%x)", |
| tag, command, pw->pw_name, flags); |
tag, command, pw->pw_name, flags); |
| |
|
| /* Check consistency */ |
/* Check consistency */ |
| if ((flags & SSH_SUBPROCESS_STDOUT_DISCARD) != 0 && |
if ((flags & SSH_SUBPROCESS_STDOUT_DISCARD) != 0 && |
| (flags & SSH_SUBPROCESS_STDOUT_CAPTURE) != 0) { |
(flags & SSH_SUBPROCESS_STDOUT_CAPTURE) != 0) { |
| error("%s: inconsistent flags", __func__); |
error_f("inconsistent flags"); |
| return 0; |
return 0; |
| } |
} |
| if (((flags & SSH_SUBPROCESS_STDOUT_CAPTURE) == 0) != (child == NULL)) { |
if (((flags & SSH_SUBPROCESS_STDOUT_CAPTURE) == 0) != (child == NULL)) { |
| error("%s: inconsistent flags/output", __func__); |
error_f("inconsistent flags/output"); |
| return 0; |
return 0; |
| } |
} |
| |
|
|
|
| return 0; |
return 0; |
| } |
} |
| /* Success */ |
/* Success */ |
| debug3("%s: %s pid %ld", __func__, tag, (long)pid); |
debug3_f("%s pid %ld", tag, (long)pid); |
| if (child != NULL) |
if (child != NULL) |
| *child = f; |
*child = f; |
| return pid; |
return pid; |
|
|
| struct sshauthopt *old = auth_opts; |
struct sshauthopt *old = auth_opts; |
| const char *emsg = NULL; |
const char *emsg = NULL; |
| |
|
| debug("%s: setting new authentication options", __func__); |
debug_f("setting new authentication options"); |
| if ((auth_opts = sshauthopt_merge(old, opts, &emsg)) == NULL) { |
if ((auth_opts = sshauthopt_merge(old, opts, &emsg)) == NULL) { |
| error("Inconsistent authentication options: %s", emsg); |
error("Inconsistent authentication options: %s", emsg); |
| return -1; |
return -1; |
|
|
| { |
{ |
| struct sshauthopt *restricted; |
struct sshauthopt *restricted; |
| |
|
| debug("%s: restricting session", __func__); |
debug_f("restricting session"); |
| |
|
| /* A blank sshauthopt defaults to permitting nothing */ |
/* A blank sshauthopt defaults to permitting nothing */ |
| restricted = sshauthopt_new(); |
restricted = sshauthopt_new(); |
|
|
| restricted->restricted = 1; |
restricted->restricted = 1; |
| |
|
| if (auth_activate_options(ssh, restricted) != 0) |
if (auth_activate_options(ssh, restricted) != 0) |
| fatal("%s: failed to restrict session", __func__); |
fatal_f("failed to restrict session"); |
| sshauthopt_free(restricted); |
sshauthopt_free(restricted); |
| } |
} |
| |
|
|
|
| case -1: |
case -1: |
| default: |
default: |
| /* invalid */ |
/* invalid */ |
| error("%s: Certificate source-address invalid", |
error("%s: Certificate source-address invalid", loc); |
| loc); |
|
| /* FALLTHROUGH */ |
/* FALLTHROUGH */ |
| case 0: |
case 0: |
| logit("%s: Authentication tried for %.100s with valid " |
logit("%s: Authentication tried for %.100s with valid " |
![[BACK]](/icons/back.gif){kind=icon}
Return to auth.c CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / ssh