| version 1.156, 2022/05/27 05:01:25 |
version 1.157, 2022/05/27 05:02:46 |
|
|
| fatal_f("failed to restrict session"); |
fatal_f("failed to restrict session"); |
| sshauthopt_free(restricted); |
sshauthopt_free(restricted); |
| } |
} |
| |
|
| int |
|
| auth_authorise_keyopts(struct passwd *pw, struct sshauthopt *opts, |
|
| int allow_cert_authority, const char *remote_ip, const char *remote_host, |
|
| const char *loc) |
|
| { |
|
| time_t now = time(NULL); |
|
| char buf[64]; |
|
| |
|
| /* |
|
| * Check keys/principals file expiry time. |
|
| * NB. validity interval in certificate is handled elsewhere. |
|
| */ |
|
| if (opts->valid_before && now > 0 && |
|
| opts->valid_before < (uint64_t)now) { |
|
| format_absolute_time(opts->valid_before, buf, sizeof(buf)); |
|
| debug("%s: entry expired at %s", loc, buf); |
|
| auth_debug_add("%s: entry expired at %s", loc, buf); |
|
| return -1; |
|
| } |
|
| /* Consistency checks */ |
|
| if (opts->cert_principals != NULL && !opts->cert_authority) { |
|
| debug("%s: principals on non-CA key", loc); |
|
| auth_debug_add("%s: principals on non-CA key", loc); |
|
| /* deny access */ |
|
| return -1; |
|
| } |
|
| /* cert-authority flag isn't valid in authorized_principals files */ |
|
| if (!allow_cert_authority && opts->cert_authority) { |
|
| debug("%s: cert-authority flag invalid here", loc); |
|
| auth_debug_add("%s: cert-authority flag invalid here", loc); |
|
| /* deny access */ |
|
| return -1; |
|
| } |
|
| |
|
| /* Perform from= checks */ |
|
| if (opts->required_from_host_keys != NULL) { |
|
| switch (match_host_and_ip(remote_host, remote_ip, |
|
| opts->required_from_host_keys )) { |
|
| case 1: |
|
| /* Host name matches. */ |
|
| break; |
|
| case -1: |
|
| default: |
|
| debug("%s: invalid from criteria", loc); |
|
| auth_debug_add("%s: invalid from criteria", loc); |
|
| /* FALLTHROUGH */ |
|
| case 0: |
|
| logit("%s: Authentication tried for %.100s with " |
|
| "correct key but not from a permitted " |
|
| "host (host=%.200s, ip=%.200s, required=%.200s).", |
|
| loc, pw->pw_name, remote_host, remote_ip, |
|
| opts->required_from_host_keys); |
|
| auth_debug_add("%s: Your host '%.200s' is not " |
|
| "permitted to use this key for login.", |
|
| loc, remote_host); |
|
| /* deny access */ |
|
| return -1; |
|
| } |
|
| } |
|
| /* Check source-address restriction from certificate */ |
|
| if (opts->required_from_host_cert != NULL) { |
|
| switch (addr_match_cidr_list(remote_ip, |
|
| opts->required_from_host_cert)) { |
|
| case 1: |
|
| /* accepted */ |
|
| break; |
|
| case -1: |
|
| default: |
|
| /* invalid */ |
|
| error("%s: Certificate source-address invalid", loc); |
|
| /* FALLTHROUGH */ |
|
| case 0: |
|
| logit("%s: Authentication tried for %.100s with valid " |
|
| "certificate but not from a permitted source " |
|
| "address (%.200s).", loc, pw->pw_name, remote_ip); |
|
| auth_debug_add("%s: Your address '%.200s' is not " |
|
| "permitted to use this certificate for login.", |
|
| loc, remote_ip); |
|
| return -1; |
|
| } |
|
| } |
|
| /* |
|
| * |
|
| * XXX this is spammy. We should report remotely only for keys |
|
| * that are successful in actual auth attempts, and not PK_OK |
|
| * tests. |
|
| */ |
|
| auth_log_authopts(loc, opts, 1); |
|
| |
|
| return 0; |
|
| } |
|
![[BACK]](/icons/back.gif){kind=icon}
Return to auth.c CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / ssh