summaryrefslogtreecommitdiffstats
path: root/auth2-hostbased.c
diff options
context:
space:
mode:
authorDamien Miller <djm@mindrot.org>2010-08-05 05:04:50 +0200
committerDamien Miller <djm@mindrot.org>2010-08-05 05:04:50 +0200
commitc158331f8c7e059c6c1d099bffc7f5fc6087ddbd (patch)
treef1998f0fb52e5fb666ee67064a424af45e941f6b /auth2-hostbased.c
parent - djm@cvs.openbsd.org 2010/08/04 05:40:39 (diff)
downloadopenssh-c158331f8c7e059c6c1d099bffc7f5fc6087ddbd.tar.xz
openssh-c158331f8c7e059c6c1d099bffc7f5fc6087ddbd.zip
- djm@cvs.openbsd.org 2010/08/04 05:42:47
[auth.c auth2-hostbased.c authfile.c authfile.h ssh-keysign.8] [ssh-keysign.c ssh.c] enable certificates for hostbased authentication, from Iain Morgan; "looks ok" markus@
Diffstat (limited to 'auth2-hostbased.c')
-rw-r--r--auth2-hostbased.c31
1 files changed, 28 insertions, 3 deletions
diff --git a/auth2-hostbased.c b/auth2-hostbased.c
index 721646520..cdf442f97 100644
--- a/auth2-hostbased.c
+++ b/auth2-hostbased.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-hostbased.c,v 1.13 2010/03/04 10:36:03 djm Exp $ */
+/* $OpenBSD: auth2-hostbased.c,v 1.14 2010/08/04 05:42:47 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
@@ -141,9 +141,10 @@ int
hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
Key *key)
{
- const char *resolvedname, *ipaddr, *lookup;
+ const char *resolvedname, *ipaddr, *lookup, *reason;
HostStatus host_status;
int len;
+ char *fp;
if (auth_key_is_revoked(key))
return 0;
@@ -174,16 +175,40 @@ hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
}
debug2("userauth_hostbased: access allowed by auth_rhosts2");
+ if (key_is_cert(key) &&
+ key_cert_check_authority(key, 1, 0, lookup, &reason)) {
+ error("%s", reason);
+ auth_debug_add("%s", reason);
+ return 0;
+ }
+
host_status = check_key_in_hostfiles(pw, key, lookup,
_PATH_SSH_SYSTEM_HOSTFILE,
options.ignore_user_known_hosts ? NULL : _PATH_SSH_USER_HOSTFILE);
/* backward compat if no key has been found. */
- if (host_status == HOST_NEW)
+ if (host_status == HOST_NEW) {
host_status = check_key_in_hostfiles(pw, key, lookup,
_PATH_SSH_SYSTEM_HOSTFILE2,
options.ignore_user_known_hosts ? NULL :
_PATH_SSH_USER_HOSTFILE2);
+ }
+
+ if (host_status == HOST_OK) {
+ if (key_is_cert(key)) {
+ fp = key_fingerprint(key->cert->signature_key,
+ SSH_FP_MD5, SSH_FP_HEX);
+ verbose("Accepted certificate ID \"%s\" signed by "
+ "%s CA %s from %s@%s", key->cert->key_id,
+ key_type(key->cert->signature_key), fp,
+ cuser, lookup);
+ } else {
+ fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
+ verbose("Accepted %s public key %s from %s@%s",
+ key_type(key), fp, cuser, lookup);
+ }
+ xfree(fp);
+ }
return (host_status == HOST_OK);
}