===================================================================
RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/auth.c,v
retrieving revision 1.156
retrieving revision 1.157
diff -u -r1.156 -r1.157
--- src/usr.bin/ssh/auth.c 2022/05/27 05:01:25 1.156
+++ src/usr.bin/ssh/auth.c 2022/05/27 05:02:46 1.157
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.c,v 1.156 2022/05/27 05:01:25 djm Exp $ */
+/* $OpenBSD: auth.c,v 1.157 2022/05/27 05:02:46 djm Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl. All rights reserved.
 *
@@ -832,96 +832,4 @@
 if (auth_activate_options(ssh, restricted) != 0)
 fatal_f("failed to restrict session");
 sshauthopt_free(restricted);
-}
-
-int
-auth_authorise_keyopts(struct passwd *pw, struct sshauthopt *opts,
- int allow_cert_authority, const char *remote_ip, const char *remote_host,
- const char *loc)
-{
- time_t now = time(NULL);
- char buf[64];
-
- /*
- * Check keys/principals file expiry time.
- * NB. validity interval in certificate is handled elsewhere.
- */
- if (opts->valid_before && now > 0 &&
- opts->valid_before < (uint64_t)now) {
- format_absolute_time(opts->valid_before, buf, sizeof(buf));
- debug("%s: entry expired at %s", loc, buf);
- auth_debug_add("%s: entry expired at %s", loc, buf);
- return -1;
- }
- /* Consistency checks */
- if (opts->cert_principals != NULL && !opts->cert_authority) {
- debug("%s: principals on non-CA key", loc);
- auth_debug_add("%s: principals on non-CA key", loc);
- /* deny access */
- return -1;
- }
- /* cert-authority flag isn't valid in authorized_principals files */
- if (!allow_cert_authority && opts->cert_authority) {
- debug("%s: cert-authority flag invalid here", loc);
- auth_debug_add("%s: cert-authority flag invalid here", loc);
- /* deny access */
- return -1;
- }
-
- /* Perform from= checks */
- if (opts->required_from_host_keys != NULL) {
- switch (match_host_and_ip(remote_host, remote_ip,
- opts->required_from_host_keys )) {
- case 1:
- /* Host name matches. */
- break;
- case -1:
- default:
- debug("%s: invalid from criteria", loc);
- auth_debug_add("%s: invalid from criteria", loc);
- /* FALLTHROUGH */
- case 0:
- logit("%s: Authentication tried for %.100s with "
- "correct key but not from a permitted "
- "host (host=%.200s, ip=%.200s, required=%.200s).",
- loc, pw->pw_name, remote_host, remote_ip,
- opts->required_from_host_keys);
- auth_debug_add("%s: Your host '%.200s' is not "
- "permitted to use this key for login.",
- loc, remote_host);
- /* deny access */
- return -1;
- }
- }
- /* Check source-address restriction from certificate */
- if (opts->required_from_host_cert != NULL) {
- switch (addr_match_cidr_list(remote_ip,
- opts->required_from_host_cert)) {
- case 1:
- /* accepted */
- break;
- case -1:
- default:
- /* invalid */
- error("%s: Certificate source-address invalid", loc);
- /* FALLTHROUGH */
- case 0:
- logit("%s: Authentication tried for %.100s with valid "
- "certificate but not from a permitted source "
- "address (%.200s).", loc, pw->pw_name, remote_ip);
- auth_debug_add("%s: Your address '%.200s' is not "
- "permitted to use this certificate for login.",
- loc, remote_ip);
- return -1;
- }
- }
- /*
- *
- * XXX this is spammy. We should report remotely only for keys
- * that are successful in actual auth attempts, and not PK_OK
- * tests.
- */
- auth_log_authopts(loc, opts, 1);
-
- return 0;
 }