version 1.156, 2022/05/27 05:01:25 |
version 1.157, 2022/05/27 05:02:46 |
|
|
fatal_f("failed to restrict session"); |
fatal_f("failed to restrict session"); |
sshauthopt_free(restricted); |
sshauthopt_free(restricted); |
} |
} |
|
|
int |
|
auth_authorise_keyopts(struct passwd *pw, struct sshauthopt *opts, |
|
int allow_cert_authority, const char *remote_ip, const char *remote_host, |
|
const char *loc) |
|
{ |
|
time_t now = time(NULL); |
|
char buf[64]; |
|
|
|
/* |
|
* Check keys/principals file expiry time. |
|
* NB. validity interval in certificate is handled elsewhere. |
|
*/ |
|
if (opts->valid_before && now > 0 && |
|
opts->valid_before < (uint64_t)now) { |
|
format_absolute_time(opts->valid_before, buf, sizeof(buf)); |
|
debug("%s: entry expired at %s", loc, buf); |
|
auth_debug_add("%s: entry expired at %s", loc, buf); |
|
return -1; |
|
} |
|
/* Consistency checks */ |
|
if (opts->cert_principals != NULL && !opts->cert_authority) { |
|
debug("%s: principals on non-CA key", loc); |
|
auth_debug_add("%s: principals on non-CA key", loc); |
|
/* deny access */ |
|
return -1; |
|
} |
|
/* cert-authority flag isn't valid in authorized_principals files */ |
|
if (!allow_cert_authority && opts->cert_authority) { |
|
debug("%s: cert-authority flag invalid here", loc); |
|
auth_debug_add("%s: cert-authority flag invalid here", loc); |
|
/* deny access */ |
|
return -1; |
|
} |
|
|
|
/* Perform from= checks */ |
|
if (opts->required_from_host_keys != NULL) { |
|
switch (match_host_and_ip(remote_host, remote_ip, |
|
opts->required_from_host_keys )) { |
|
case 1: |
|
/* Host name matches. */ |
|
break; |
|
case -1: |
|
default: |
|
debug("%s: invalid from criteria", loc); |
|
auth_debug_add("%s: invalid from criteria", loc); |
|
/* FALLTHROUGH */ |
|
case 0: |
|
logit("%s: Authentication tried for %.100s with " |
|
"correct key but not from a permitted " |
|
"host (host=%.200s, ip=%.200s, required=%.200s).", |
|
loc, pw->pw_name, remote_host, remote_ip, |
|
opts->required_from_host_keys); |
|
auth_debug_add("%s: Your host '%.200s' is not " |
|
"permitted to use this key for login.", |
|
loc, remote_host); |
|
/* deny access */ |
|
return -1; |
|
} |
|
} |
|
/* Check source-address restriction from certificate */ |
|
if (opts->required_from_host_cert != NULL) { |
|
switch (addr_match_cidr_list(remote_ip, |
|
opts->required_from_host_cert)) { |
|
case 1: |
|
/* accepted */ |
|
break; |
|
case -1: |
|
default: |
|
/* invalid */ |
|
error("%s: Certificate source-address invalid", loc); |
|
/* FALLTHROUGH */ |
|
case 0: |
|
logit("%s: Authentication tried for %.100s with valid " |
|
"certificate but not from a permitted source " |
|
"address (%.200s).", loc, pw->pw_name, remote_ip); |
|
auth_debug_add("%s: Your address '%.200s' is not " |
|
"permitted to use this certificate for login.", |
|
loc, remote_ip); |
|
return -1; |
|
} |
|
} |
|
/* |
|
* |
|
* XXX this is spammy. We should report remotely only for keys |
|
* that are successful in actual auth attempts, and not PK_OK |
|
* tests. |
|
*/ |
|
auth_log_authopts(loc, opts, 1); |
|
|
|
return 0; |
|
} |
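Review bot: The expiry check at the top of auth_authorise_keyopts fails open: because of the `now > 0` guard, an entry with `valid_before` set is accepted whenever time(NULL) returns -1 or another non-positive value, so an expired keys/principals entry would pass on a host whose clock cannot be read. If that is not intended, deny in that case, e.g. `if (opts->valid_before && (now <= 0 || opts->valid_before < (uint64_t)now)) {`; if it is intended, a comment saying why would help. The from= and certificate source-address switches further down already deny on the error return, so this is the only check in the function that passes on error. This rendering does not mark whether the function is on the added or removed side; if the revision only moves it, the point applies at its new location.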
|