| version 1.42, 2019/11/25 00:51:37 |
version 1.43, 2020/10/18 11:32:01 |
|
|
| (r = sshpkt_get_cstring(ssh, &chost, NULL)) != 0 || |
(r = sshpkt_get_cstring(ssh, &chost, NULL)) != 0 || |
| (r = sshpkt_get_cstring(ssh, &cuser, NULL)) != 0 || |
(r = sshpkt_get_cstring(ssh, &cuser, NULL)) != 0 || |
| (r = sshpkt_get_string(ssh, &sig, &slen)) != 0) |
(r = sshpkt_get_string(ssh, &sig, &slen)) != 0) |
| fatal("%s: packet parsing: %s", __func__, ssh_err(r)); |
fatal_fr(r, "parse packet"); |
| |
|
| debug("%s: cuser %s chost %s pkalg %s slen %zu", __func__, |
debug_f("cuser %s chost %s pkalg %s slen %zu", |
| cuser, chost, pkalg, slen); |
cuser, chost, pkalg, slen); |
| #ifdef DEBUG_PK |
#ifdef DEBUG_PK |
| debug("signature:"); |
debug("signature:"); |
|
|
| pktype = sshkey_type_from_name(pkalg); |
pktype = sshkey_type_from_name(pkalg); |
| if (pktype == KEY_UNSPEC) { |
if (pktype == KEY_UNSPEC) { |
| /* this is perfectly legal */ |
/* this is perfectly legal */ |
| logit("%s: unsupported public key algorithm: %s", |
logit_f("unsupported public key algorithm: %s", |
| __func__, pkalg); |
pkalg); |
| goto done; |
goto done; |
| } |
} |
| if ((r = sshkey_from_blob(pkblob, blen, &key)) != 0) { |
if ((r = sshkey_from_blob(pkblob, blen, &key)) != 0) { |
| error("%s: key_from_blob: %s", __func__, ssh_err(r)); |
error_fr(r, "key_from_blob"); |
| goto done; |
goto done; |
| } |
} |
| if (key == NULL) { |
if (key == NULL) { |
| error("%s: cannot decode key: %s", __func__, pkalg); |
error_f("cannot decode key: %s", pkalg); |
| goto done; |
goto done; |
| } |
} |
| if (key->type != pktype) { |
if (key->type != pktype) { |
| error("%s: type mismatch for decoded key " |
error_f("type mismatch for decoded key " |
| "(received %d, expected %d)", __func__, key->type, pktype); |
"(received %d, expected %d)", key->type, pktype); |
| goto done; |
goto done; |
| } |
} |
| if (sshkey_type_plain(key->type) == KEY_RSA && |
if (sshkey_type_plain(key->type) == KEY_RSA && |
|
|
| goto done; |
goto done; |
| } |
} |
| if (match_pattern_list(pkalg, options.hostbased_key_types, 0) != 1) { |
if (match_pattern_list(pkalg, options.hostbased_key_types, 0) != 1) { |
| logit("%s: key type %s not in HostbasedAcceptedKeyTypes", |
logit_f("key type %s not in HostbasedAcceptedKeyTypes", |
| __func__, sshkey_type(key)); |
sshkey_type(key)); |
| goto done; |
goto done; |
| } |
} |
| if ((r = sshkey_check_cert_sigtype(key, |
if ((r = sshkey_check_cert_sigtype(key, |
| options.ca_sign_algorithms)) != 0) { |
options.ca_sign_algorithms)) != 0) { |
| logit("%s: certificate signature algorithm %s: %s", __func__, |
logit_fr(r, "certificate signature algorithm %s", |
| (key->cert == NULL || key->cert->signature_type == NULL) ? |
(key->cert == NULL || key->cert->signature_type == NULL) ? |
| "(null)" : key->cert->signature_type, ssh_err(r)); |
"(null)" : key->cert->signature_type); |
| goto done; |
goto done; |
| } |
} |
| |
|
| if (!authctxt->valid || authctxt->user == NULL) { |
if (!authctxt->valid || authctxt->user == NULL) { |
| debug2("%s: disabled because of invalid user", __func__); |
debug2_f("disabled because of invalid user"); |
| goto done; |
goto done; |
| } |
} |
| |
|
| if ((b = sshbuf_new()) == NULL) |
if ((b = sshbuf_new()) == NULL) |
| fatal("%s: sshbuf_new failed", __func__); |
fatal_f("sshbuf_new failed"); |
| /* reconstruct packet */ |
/* reconstruct packet */ |
| if ((r = sshbuf_put_string(b, session_id2, session_id2_len)) != 0 || |
if ((r = sshbuf_put_string(b, session_id2, session_id2_len)) != 0 || |
| (r = sshbuf_put_u8(b, SSH2_MSG_USERAUTH_REQUEST)) != 0 || |
(r = sshbuf_put_u8(b, SSH2_MSG_USERAUTH_REQUEST)) != 0 || |
|
|
| (r = sshbuf_put_string(b, pkblob, blen)) != 0 || |
(r = sshbuf_put_string(b, pkblob, blen)) != 0 || |
| (r = sshbuf_put_cstring(b, chost)) != 0 || |
(r = sshbuf_put_cstring(b, chost)) != 0 || |
| (r = sshbuf_put_cstring(b, cuser)) != 0) |
(r = sshbuf_put_cstring(b, cuser)) != 0) |
| fatal("%s: buffer error: %s", __func__, ssh_err(r)); |
fatal_fr(r, "reconstruct packet"); |
| #ifdef DEBUG_PK |
#ifdef DEBUG_PK |
| sshbuf_dump(b, stderr); |
sshbuf_dump(b, stderr); |
| #endif |
#endif |
|
|
| auth2_record_key(authctxt, authenticated, key); |
auth2_record_key(authctxt, authenticated, key); |
| sshbuf_free(b); |
sshbuf_free(b); |
| done: |
done: |
| debug2("%s: authenticated %d", __func__, authenticated); |
debug2_f("authenticated %d", authenticated); |
| sshkey_free(key); |
sshkey_free(key); |
| free(pkalg); |
free(pkalg); |
| free(pkblob); |
free(pkblob); |
|
|
| resolvedname = auth_get_canonical_hostname(ssh, options.use_dns); |
resolvedname = auth_get_canonical_hostname(ssh, options.use_dns); |
| ipaddr = ssh_remote_ipaddr(ssh); |
ipaddr = ssh_remote_ipaddr(ssh); |
| |
|
| debug2("%s: chost %s resolvedname %s ipaddr %s", __func__, |
debug2_f("chost %s resolvedname %s ipaddr %s", |
| chost, resolvedname, ipaddr); |
chost, resolvedname, ipaddr); |
| |
|
| if (((len = strlen(chost)) > 0) && chost[len - 1] == '.') { |
if (((len = strlen(chost)) > 0) && chost[len - 1] == '.') { |
|
|
| |
|
| if (options.hostbased_uses_name_from_packet_only) { |
if (options.hostbased_uses_name_from_packet_only) { |
| if (auth_rhosts2(pw, cuser, chost, chost) == 0) { |
if (auth_rhosts2(pw, cuser, chost, chost) == 0) { |
| debug2("%s: auth_rhosts2 refused " |
debug2_f("auth_rhosts2 refused user \"%.100s\" " |
| "user \"%.100s\" host \"%.100s\" (from packet)", |
"host \"%.100s\" (from packet)", cuser, chost); |
| __func__, cuser, chost); |
|
| return 0; |
return 0; |
| } |
} |
| lookup = chost; |
lookup = chost; |
|
|
| "client sends %s, but we resolve %s to %s", |
"client sends %s, but we resolve %s to %s", |
| chost, ipaddr, resolvedname); |
chost, ipaddr, resolvedname); |
| if (auth_rhosts2(pw, cuser, resolvedname, ipaddr) == 0) { |
if (auth_rhosts2(pw, cuser, resolvedname, ipaddr) == 0) { |
| debug2("%s: auth_rhosts2 refused " |
debug2_f("auth_rhosts2 refused " |
| "user \"%.100s\" host \"%.100s\" addr \"%.100s\"", |
"user \"%.100s\" host \"%.100s\" addr \"%.100s\"", |
| __func__, cuser, resolvedname, ipaddr); |
cuser, resolvedname, ipaddr); |
| return 0; |
return 0; |
| } |
} |
| lookup = resolvedname; |
lookup = resolvedname; |
| } |
} |
| debug2("%s: access allowed by auth_rhosts2", __func__); |
debug2_f("access allowed by auth_rhosts2"); |
| |
|
| if (sshkey_is_cert(key) && |
if (sshkey_is_cert(key) && |
| sshkey_cert_check_authority(key, 1, 0, lookup, &reason)) { |
sshkey_cert_check_authority(key, 1, 0, lookup, &reason)) { |
|
|
| if (sshkey_is_cert(key)) { |
if (sshkey_is_cert(key)) { |
| if ((fp = sshkey_fingerprint(key->cert->signature_key, |
if ((fp = sshkey_fingerprint(key->cert->signature_key, |
| options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) |
options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) |
| fatal("%s: sshkey_fingerprint fail", __func__); |
fatal_f("sshkey_fingerprint fail"); |
| verbose("Accepted certificate ID \"%s\" signed by " |
verbose("Accepted certificate ID \"%s\" signed by " |
| "%s CA %s from %s@%s", key->cert->key_id, |
"%s CA %s from %s@%s", key->cert->key_id, |
| sshkey_type(key->cert->signature_key), fp, |
sshkey_type(key->cert->signature_key), fp, |
|
|
| } else { |
} else { |
| if ((fp = sshkey_fingerprint(key, |
if ((fp = sshkey_fingerprint(key, |
| options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) |
options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) |
| fatal("%s: sshkey_fingerprint fail", __func__); |
fatal_f("sshkey_fingerprint fail"); |
| verbose("Accepted %s public key %s from %s@%s", |
verbose("Accepted %s public key %s from %s@%s", |
| sshkey_type(key), fp, cuser, lookup); |
sshkey_type(key), fp, cuser, lookup); |
| } |
} |
![[BACK]](/icons/back.gif){kind=icon}
Return to auth2-hostbased.c CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / ssh