version 1.57, 2001/05/18 14:13:28 |
version 1.58, 2001/05/20 17:20:35 |
|
|
int |
int |
user_key_allowed(struct passwd *pw, Key *key) |
user_key_allowed(struct passwd *pw, Key *key) |
{ |
{ |
char line[8192], file[MAXPATHLEN]; |
char line[8192], *file; |
int found_key = 0; |
int found_key = 0; |
FILE *f; |
FILE *f; |
u_long linenum = 0; |
u_long linenum = 0; |
|
|
temporarily_use_uid(pw); |
temporarily_use_uid(pw); |
|
|
/* The authorized keys. */ |
/* The authorized keys. */ |
snprintf(file, sizeof file, "%.500s/%.100s", pw->pw_dir, |
file = authorized_keys_file2(pw); |
_PATH_SSH_USER_PERMITTED_KEYS2); |
debug("trying public key file %s", file); |
|
|
/* Fail quietly if file does not exist */ |
/* Fail quietly if file does not exist */ |
if (stat(file, &st) < 0) { |
if (stat(file, &st) < 0) { |
/* Restore the privileged uid. */ |
/* Restore the privileged uid. */ |
restore_uid(); |
restore_uid(); |
|
xfree(file); |
return 0; |
return 0; |
} |
} |
/* Open the file containing the authorized keys. */ |
/* Open the file containing the authorized keys. */ |
|
|
if (!f) { |
if (!f) { |
/* Restore the privileged uid. */ |
/* Restore the privileged uid. */ |
restore_uid(); |
restore_uid(); |
|
xfree(file); |
return 0; |
return 0; |
} |
} |
if (options.strict_modes) { |
if (options.strict_modes && |
int fail = 0; |
secure_filename(f, file, pw->pw_uid, line, sizeof(line)) != 0) { |
char buf[1024]; |
xfree(file); |
/* Check open file in order to avoid open/stat races */ |
fclose(f); |
if (fstat(fileno(f), &st) < 0 || |
log("Authentication refused: %s", line); |
(st.st_uid != 0 && st.st_uid != pw->pw_uid) || |
restore_uid(); |
(st.st_mode & 022) != 0) { |
return 0; |
snprintf(buf, sizeof buf, |
|
"%s authentication refused for %.100s: " |
|
"bad ownership or modes for '%s'.", |
|
key_type(key), pw->pw_name, file); |
|
fail = 1; |
|
} else { |
|
/* Check path to _PATH_SSH_USER_PERMITTED_KEYS */ |
|
int i; |
|
static const char *check[] = { |
|
"", _PATH_SSH_USER_DIR, NULL |
|
}; |
|
for (i = 0; check[i]; i++) { |
|
snprintf(line, sizeof line, "%.500s/%.100s", |
|
pw->pw_dir, check[i]); |
|
if (stat(line, &st) < 0 || |
|
(st.st_uid != 0 && st.st_uid != pw->pw_uid) || |
|
(st.st_mode & 022) != 0) { |
|
snprintf(buf, sizeof buf, |
|
"%s authentication refused for %.100s: " |
|
"bad ownership or modes for '%s'.", |
|
key_type(key), pw->pw_name, line); |
|
fail = 1; |
|
break; |
|
} |
|
} |
|
} |
|
if (fail) { |
|
fclose(f); |
|
log("%s", buf); |
|
restore_uid(); |
|
return 0; |
|
} |
|
} |
} |
|
|
found_key = 0; |
found_key = 0; |
found = key_new(key->type); |
found = key_new(key->type); |
|
|
|
|
} |
} |
restore_uid(); |
restore_uid(); |
fclose(f); |
fclose(f); |
|
xfree(file); |
key_free(found); |
key_free(found); |
if (!found_key) |
if (!found_key) |
debug2("key not found"); |
debug2("key not found"); |