version 1.148, 2020/10/16 13:26:13 |
version 1.149, 2020/10/18 11:32:01 |
|
|
error("WARNING: revoked key for %s attempted authentication", |
error("WARNING: revoked key for %s attempted authentication", |
host); |
host); |
else if (host_status == HOST_OK) |
else if (host_status == HOST_OK) |
debug("%s: key for %s found at %s:%ld", __func__, |
debug_f("key for %s found at %s:%ld", |
found->host, found->file, found->line); |
found->host, found->file, found->line); |
else |
else |
debug("%s: key for host %s not found", __func__, host); |
debug_f("key for host %s not found", host); |
|
|
free_hostkeys(hostkeys); |
free_hostkeys(hostkeys); |
|
|
|
|
if ((fp = sshkey_fingerprint(key, options.fingerprint_hash, |
if ((fp = sshkey_fingerprint(key, options.fingerprint_hash, |
SSH_FP_DEFAULT)) == NULL) { |
SSH_FP_DEFAULT)) == NULL) { |
r = SSH_ERR_ALLOC_FAIL; |
r = SSH_ERR_ALLOC_FAIL; |
error("%s: fingerprint key: %s", __func__, ssh_err(r)); |
error_fr(r, "fingerprint key"); |
goto out; |
goto out; |
} |
} |
|
|
|
|
sshkey_type(key), fp, options.revoked_keys_file); |
sshkey_type(key), fp, options.revoked_keys_file); |
goto out; |
goto out; |
default: |
default: |
error("Error checking authentication key %s %s in " |
error_r(r, "Error checking authentication key %s %s in " |
"revoked keys file %s: %s", sshkey_type(key), fp, |
"revoked keys file %s", sshkey_type(key), fp, |
options.revoked_keys_file, ssh_err(r)); |
options.revoked_keys_file); |
goto out; |
goto out; |
} |
} |
|
|
|
|
vsnprintf(buf, sizeof(buf), fmt, args); |
vsnprintf(buf, sizeof(buf), fmt, args); |
va_end(args); |
va_end(args); |
if ((r = sshbuf_put_cstring(auth_debug, buf)) != 0) |
if ((r = sshbuf_put_cstring(auth_debug, buf)) != 0) |
fatal("%s: sshbuf_put_cstring: %s", __func__, ssh_err(r)); |
fatal_fr(r, "sshbuf_put_cstring"); |
} |
} |
|
|
void |
void |
|
|
return; |
return; |
while (sshbuf_len(auth_debug) != 0) { |
while (sshbuf_len(auth_debug) != 0) { |
if ((r = sshbuf_get_cstring(auth_debug, &msg, NULL)) != 0) |
if ((r = sshbuf_get_cstring(auth_debug, &msg, NULL)) != 0) |
fatal("%s: sshbuf_get_cstring: %s", |
fatal_fr(r, "sshbuf_get_cstring"); |
__func__, ssh_err(r)); |
|
ssh_packet_send_debug(ssh, "%s", msg); |
ssh_packet_send_debug(ssh, "%s", msg); |
free(msg); |
free(msg); |
} |
} |
|
|
if (auth_debug != NULL) |
if (auth_debug != NULL) |
sshbuf_reset(auth_debug); |
sshbuf_reset(auth_debug); |
else if ((auth_debug = sshbuf_new()) == NULL) |
else if ((auth_debug = sshbuf_new()) == NULL) |
fatal("%s: sshbuf_new failed", __func__); |
fatal_f("sshbuf_new failed"); |
} |
} |
|
|
struct passwd * |
struct passwd * |
|
|
if (child != NULL) |
if (child != NULL) |
*child = NULL; |
*child = NULL; |
|
|
debug3("%s: %s command \"%s\" running as %s (flags 0x%x)", __func__, |
debug3_f("%s command \"%s\" running as %s (flags 0x%x)", |
tag, command, pw->pw_name, flags); |
tag, command, pw->pw_name, flags); |
|
|
/* Check consistency */ |
/* Check consistency */ |
if ((flags & SSH_SUBPROCESS_STDOUT_DISCARD) != 0 && |
if ((flags & SSH_SUBPROCESS_STDOUT_DISCARD) != 0 && |
(flags & SSH_SUBPROCESS_STDOUT_CAPTURE) != 0) { |
(flags & SSH_SUBPROCESS_STDOUT_CAPTURE) != 0) { |
error("%s: inconsistent flags", __func__); |
error_f("inconsistent flags"); |
return 0; |
return 0; |
} |
} |
if (((flags & SSH_SUBPROCESS_STDOUT_CAPTURE) == 0) != (child == NULL)) { |
if (((flags & SSH_SUBPROCESS_STDOUT_CAPTURE) == 0) != (child == NULL)) { |
error("%s: inconsistent flags/output", __func__); |
error_f("inconsistent flags/output"); |
return 0; |
return 0; |
} |
} |
|
|
|
|
return 0; |
return 0; |
} |
} |
/* Success */ |
/* Success */ |
debug3("%s: %s pid %ld", __func__, tag, (long)pid); |
debug3_f("%s pid %ld", tag, (long)pid); |
if (child != NULL) |
if (child != NULL) |
*child = f; |
*child = f; |
return pid; |
return pid; |
|
|
struct sshauthopt *old = auth_opts; |
struct sshauthopt *old = auth_opts; |
const char *emsg = NULL; |
const char *emsg = NULL; |
|
|
debug("%s: setting new authentication options", __func__); |
debug_f("setting new authentication options"); |
if ((auth_opts = sshauthopt_merge(old, opts, &emsg)) == NULL) { |
if ((auth_opts = sshauthopt_merge(old, opts, &emsg)) == NULL) { |
error("Inconsistent authentication options: %s", emsg); |
error("Inconsistent authentication options: %s", emsg); |
return -1; |
return -1; |
|
|
{ |
{ |
struct sshauthopt *restricted; |
struct sshauthopt *restricted; |
|
|
debug("%s: restricting session", __func__); |
debug_f("restricting session"); |
|
|
/* A blank sshauthopt defaults to permitting nothing */ |
/* A blank sshauthopt defaults to permitting nothing */ |
restricted = sshauthopt_new(); |
restricted = sshauthopt_new(); |
|
|
restricted->restricted = 1; |
restricted->restricted = 1; |
|
|
if (auth_activate_options(ssh, restricted) != 0) |
if (auth_activate_options(ssh, restricted) != 0) |
fatal("%s: failed to restrict session", __func__); |
fatal_f("failed to restrict session"); |
sshauthopt_free(restricted); |
sshauthopt_free(restricted); |
} |
} |
|
|
|
|
case -1: |
case -1: |
default: |
default: |
/* invalid */ |
/* invalid */ |
error("%s: Certificate source-address invalid", |
error("%s: Certificate source-address invalid", loc); |
loc); |
|
/* FALLTHROUGH */ |
/* FALLTHROUGH */ |
case 0: |
case 0: |
logit("%s: Authentication tried for %.100s with valid " |
logit("%s: Authentication tried for %.100s with valid " |