1 /* $OpenBSD: auth2-pubkey.c,v 1.15 2006/08/03 03:34:41 deraadt Exp $ */
3 * Copyright (c) 2000 Markus Friedl. All rights reserved.
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
15 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
16 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
17 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
18 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
19 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
21 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
23 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 #include <sys/types.h>
47 #include "pathnames.h"
49 #include "auth-options.h"
54 #include "monitor_wrap.h"
58 extern ServerOptions options
;
59 extern u_char
*session_id2
;
60 extern u_int session_id2_len
;
63 userauth_pubkey(Authctxt
*authctxt
)
69 u_int alen
, blen
, slen
;
71 int authenticated
= 0;
73 if (!authctxt
->valid
) {
74 debug2("userauth_pubkey: disabled because of invalid user");
77 have_sig
= packet_get_char();
78 if (datafellows
& SSH_BUG_PKAUTH
) {
79 debug2("userauth_pubkey: SSH_BUG_PKAUTH");
80 /* no explicit pkalg given */
81 pkblob
= packet_get_string(&blen
);
83 buffer_append(&b
, pkblob
, blen
);
84 /* so we have to extract the pkalg from the pkblob */
85 pkalg
= buffer_get_string(&b
, &alen
);
88 pkalg
= packet_get_string(&alen
);
89 pkblob
= packet_get_string(&blen
);
91 pktype
= key_type_from_name(pkalg
);
92 if (pktype
== KEY_UNSPEC
) {
93 /* this is perfectly legal */
94 logit("userauth_pubkey: unsupported public key algorithm: %s",
98 key
= key_from_blob(pkblob
, blen
);
100 error("userauth_pubkey: cannot decode key: %s", pkalg
);
103 if (key
->type
!= pktype
) {
104 error("userauth_pubkey: type mismatch for decoded key "
105 "(received %d, expected %d)", key
->type
, pktype
);
109 sig
= packet_get_string(&slen
);
112 if (datafellows
& SSH_OLD_SESSIONID
) {
113 buffer_append(&b
, session_id2
, session_id2_len
);
115 buffer_put_string(&b
, session_id2
, session_id2_len
);
117 /* reconstruct packet */
118 buffer_put_char(&b
, SSH2_MSG_USERAUTH_REQUEST
);
119 buffer_put_cstring(&b
, authctxt
->user
);
120 buffer_put_cstring(&b
,
121 datafellows
& SSH_BUG_PKSERVICE
?
124 if (datafellows
& SSH_BUG_PKAUTH
) {
125 buffer_put_char(&b
, have_sig
);
127 buffer_put_cstring(&b
, "publickey");
128 buffer_put_char(&b
, have_sig
);
129 buffer_put_cstring(&b
, pkalg
);
131 buffer_put_string(&b
, pkblob
, blen
);
135 /* test for correct signature */
137 if (PRIVSEP(user_key_allowed(authctxt
->pw
, key
)) &&
138 PRIVSEP(key_verify(key
, sig
, slen
, buffer_ptr(&b
),
139 buffer_len(&b
))) == 1)
144 debug("test whether pkalg/pkblob are acceptable");
147 /* XXX fake reply and always send PK_OK ? */
149 * XXX this allows testing whether a user is allowed
150 * to login: if you happen to have a valid pubkey this
151 * message is sent. the message is NEVER sent at all
152 * if a user is not allowed to login. is this an
155 if (PRIVSEP(user_key_allowed(authctxt
->pw
, key
))) {
156 packet_start(SSH2_MSG_USERAUTH_PK_OK
);
157 packet_put_string(pkalg
, alen
);
158 packet_put_string(pkblob
, blen
);
161 authctxt
->postponed
= 1;
164 if (authenticated
!= 1)
165 auth_clear_options();
167 debug2("userauth_pubkey: authenticated %d pkalg %s", authenticated
, pkalg
);
173 if (check_nt_auth(0, authctxt
->pw
) == 0)
176 return authenticated
;
179 /* return 1 if user allows given key */
181 user_key_allowed2(struct passwd
*pw
, Key
*key
, char *file
)
183 char line
[SSH_MAX_PUBKEY_BYTES
];
191 /* Temporarily use the user's uid. */
192 temporarily_use_uid(pw
);
194 debug("trying public key file %s", file
);
196 /* Fail quietly if file does not exist */
197 if (stat(file
, &st
) < 0) {
198 /* Restore the privileged uid. */
202 /* Open the file containing the authorized keys. */
203 f
= fopen(file
, "r");
205 /* Restore the privileged uid. */
209 if (options
.strict_modes
&&
210 secure_filename(f
, file
, pw
, line
, sizeof(line
)) != 0) {
212 logit("Authentication refused: %s", line
);
218 found
= key_new(key
->type
);
220 while (read_keyfile_line(f
, file
, line
, sizeof(line
), &linenum
) != -1) {
221 char *cp
, *key_options
= NULL
;
223 /* Skip leading whitespace, empty and comment lines. */
224 for (cp
= line
; *cp
== ' ' || *cp
== '\t'; cp
++)
226 if (!*cp
|| *cp
== '\n' || *cp
== '#')
229 if (key_read(found
, &cp
) != 1) {
230 /* no key? check if there are options for this key */
232 debug2("user_key_allowed: check options: '%s'", cp
);
234 for (; *cp
&& (quoted
|| (*cp
!= ' ' && *cp
!= '\t')); cp
++) {
235 if (*cp
== '\\' && cp
[1] == '"')
236 cp
++; /* Skip both */
240 /* Skip remaining whitespace. */
241 for (; *cp
== ' ' || *cp
== '\t'; cp
++)
243 if (key_read(found
, &cp
) != 1) {
244 debug2("user_key_allowed: advance: '%s'", cp
);
245 /* still no key? advance to next line*/
249 if (key_equal(found
, key
) &&
250 auth_parse_options(pw
, key_options
, file
, linenum
) == 1) {
252 debug("matching key found: file %s, line %lu",
254 fp
= key_fingerprint(found
, SSH_FP_MD5
, SSH_FP_HEX
);
255 verbose("Found matching %s key: %s",
256 key_type(found
), fp
);
265 debug2("key not found");
269 /* check whether given key is in .ssh/authorized_keys* */
271 user_key_allowed(struct passwd
*pw
, Key
*key
)
277 if (blacklisted_key(key
)) {
278 fp
= key_fingerprint(key
, SSH_FP_MD5
, SSH_FP_HEX
);
279 if (options
.permit_blacklisted_keys
)
280 logit("Public key %s blacklisted (see "
281 "ssh-vulnkey(1)); continuing anyway", fp
);
283 logit("Public key %s blacklisted (see "
284 "ssh-vulnkey(1))", fp
);
286 if (!options
.permit_blacklisted_keys
)
290 file
= authorized_keys_file(pw
);
291 success
= user_key_allowed2(pw
, key
, file
);
296 /* try suffix "2" for backward compat, too */
297 file
= authorized_keys_file2(pw
);
298 success
= user_key_allowed2(pw
, key
, file
);
303 Authmethod method_pubkey
= {
306 &options
.pubkey_authentication