version 1.52, 2015/06/15 18:42:19 |
version 1.53, 2015/06/15 18:44:22 |
|
|
{ |
{ |
char *ca_fp, *principals_file = NULL; |
char *ca_fp, *principals_file = NULL; |
const char *reason; |
const char *reason; |
int ret = 0, found_principal = 0; |
int ret = 0, found_principal = 0, use_authorized_principals; |
|
|
if (!key_is_cert(key) || options.trusted_user_ca_keys == NULL) |
if (!key_is_cert(key) || options.trusted_user_ca_keys == NULL) |
return 0; |
return 0; |
|
|
/* Try querying command if specified */ |
/* Try querying command if specified */ |
if (!found_principal && match_principals_command(pw, key->cert)) |
if (!found_principal && match_principals_command(pw, key->cert)) |
found_principal = 1; |
found_principal = 1; |
/* If principals file or command specify, then require a match here */ |
/* If principals file or command is specified, then require a match */ |
if (!found_principal && (principals_file != NULL || |
use_authorized_principals = principals_file != NULL || |
options.authorized_principals_command != NULL)) { |
options.authorized_principals_command != NULL; |
|
if (!found_principal && use_authorized_principals) { |
reason = "Certificate does not contain an authorized principal"; |
reason = "Certificate does not contain an authorized principal"; |
fail_reason: |
fail_reason: |
error("%s", reason); |
error("%s", reason); |
|
|
goto out; |
goto out; |
} |
} |
if (key_cert_check_authority(key, 0, 1, |
if (key_cert_check_authority(key, 0, 1, |
principals_file == NULL ? pw->pw_name : NULL, &reason) != 0) |
use_authorized_principals ? NULL : pw->pw_name, &reason) != 0) |
goto fail_reason; |
goto fail_reason; |
if (auth_cert_options(key, pw) != 0) |
if (auth_cert_options(key, pw) != 0) |
goto out; |
goto out; |