authorMarkus Friedl <markus@cvs.openbsd.org>2000-06-06 19:32:15 +0000
committerMarkus Friedl <markus@cvs.openbsd.org>2000-06-06 19:32:15 +0000
commitd842878205b7be9983f2d4d7c82f9a8126269d20 (patch)
treed8099af40b7d7ae214734eda6358ccc8da628be8
parent066f1322e6f5b02bc451ed7fa0303626cf50ca64 (diff)
fix match_hostname() logic for auth-rsa: deny access if we have a negative match or no match at all
-rw-r--r--usr.bin/ssh/auth-rsa.c18
-rw-r--r--usr.bin/ssh/hostfile.c4
-rw-r--r--usr.bin/ssh/match.c12
-rw-r--r--usr.bin/ssh/match.h4
4 files changed, 23 insertions, 15 deletions
diff --git a/usr.bin/ssh/auth-rsa.c b/usr.bin/ssh/auth-rsa.c
index 78d28f0b8c8..f19a20a9978 100644
--- a/usr.bin/ssh/auth-rsa.c
+++ b/usr.bin/ssh/auth-rsa.c
@@ -16,7 +16,7 @@
*/
#include "includes.h"
-RCSID("$Id: auth-rsa.c,v 1.23 2000/04/29 18:11:51 markus Exp $");
+RCSID("$Id: auth-rsa.c,v 1.24 2000/06/06 19:32:13 markus Exp $");
#include "rsa.h"
#include "packet.h"
@@ -133,6 +133,7 @@ auth_rsa(struct passwd *pw, BIGNUM *client_n)
unsigned long linenum = 0;
struct stat st;
RSA *pk;
+ int mname, mip;
/* Temporarily use the user's uid. */
temporarily_use_uid(pw->pw_uid);
@@ -390,10 +391,17 @@ auth_rsa(struct passwd *pw, BIGNUM *client_n)
}
patterns[i] = 0;
options++;
- if (!match_hostname(get_canonical_hostname(), patterns,
- strlen(patterns)) &&
- !match_hostname(get_remote_ipaddr(), patterns,
- strlen(patterns))) {
+ /*
+ * Deny access if we get a negative
+ * match for the hostname or the ip
+ * or if we get not match at all
+ */
+ mname = match_hostname(get_canonical_hostname(),
+ patterns, strlen(patterns));
+ mip = match_hostname(get_remote_ipaddr(),
+ patterns, strlen(patterns));
+ if (mname == -1 || mip == -1 ||
+ (mname != 1 && mip != 1)) {
log("RSA authentication tried for %.100s with correct key but not from a permitted host (host=%.200s, ip=%.200s).",
pw->pw_name, get_canonical_hostname(),
get_remote_ipaddr());
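Review bot: The new comment block above the deny check has a typo that obscures the third case it documents: `* or if we get not match at all` should read `* or if we get no match at all`. The condition itself is right for the stated intent: any -1 from either lookup denies, and otherwise at least one of the two must be exactly 1, so a truthy test can no longer accept a negated match. One refinement worth considering is recording which case fired, since the log line that follows reports only "not from a permitted host" and an operator cannot tell a negated entry from a missing one; a second `%d/%d` pair with `mname, mip` in the message, or a short comment on the if, would cover it. auth_rsa() starts and ends outside this hunk, and the earlier hunk only declares `mname` and `mip`.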
diff --git a/usr.bin/ssh/hostfile.c b/usr.bin/ssh/hostfile.c
index bac285da50f..f58e1d67d04 100644
--- a/usr.bin/ssh/hostfile.c
+++ b/usr.bin/ssh/hostfile.c
@@ -14,7 +14,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: hostfile.c,v 1.18 2000/04/29 18:11:52 markus Exp $");
+RCSID("$OpenBSD: hostfile.c,v 1.19 2000/06/06 19:32:13 markus Exp $");
#include "packet.h"
#include "match.h"
@@ -129,7 +129,7 @@ check_host_in_hostfile(const char *filename, const char *host, Key *key, Key *fo
;
/* Check if the host name matches. */
- if (!match_hostname(host, cp, (unsigned int) (cp2 - cp)))
+ if (match_hostname(host, cp, (unsigned int) (cp2 - cp)) != 1)
continue;
/* Got a match. Skip host name. */
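Review bot: The changed test `!= 1` now treats both return values 0 (no match) and -1 (negated subpattern matched) as "skip this line", which is the intended behaviour but is no longer obvious from the one-line comment above it. A comment on the changed line would make the contract explicit: `/* -1 (negated) and 0 (no match) both skip this line; only 1 selects it. */`. check_host_in_hostfile() starts and ends outside this hunk.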
diff --git a/usr.bin/ssh/match.c b/usr.bin/ssh/match.c
index 00dff8a8613..201e7870a9d 100644
--- a/usr.bin/ssh/match.c
+++ b/usr.bin/ssh/match.c
@@ -14,7 +14,7 @@
*/
#include "includes.h"
-RCSID("$Id: match.c,v 1.6 2000/04/14 10:30:31 markus Exp $");
+RCSID("$Id: match.c,v 1.7 2000/06/06 19:32:14 markus Exp $");
#include "ssh.h"
@@ -84,8 +84,8 @@ match_pattern(const char *s, const char *pattern)
/*
* Tries to match the host name (which must be in all lowercase) against the
* comma-separated sequence of subpatterns (each possibly preceded by ! to
- * indicate negation). Returns true if there is a positive match; zero
- * otherwise.
+ * indicate negation). Returns -1 if negation matches, 1 if there is
+ * a positive match, 0 if there is no match at all.
*/
int
@@ -127,15 +127,15 @@ match_hostname(const char *host, const char *pattern, unsigned int len)
/* Try to match the subpattern against the host name. */
if (match_pattern(host, sub)) {
if (negated)
- return 0; /* Fail */
+ return -1; /* Negative */
else
- got_positive = 1;
+ got_positive = 1; /* Positive */
}
}
/*
* Return success if got a positive match. If there was a negative
- * match, we have already returned zero and never get here.
+ * match, we have already returned -1 and never get here.
*/
return got_positive;
}
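Review bot: The updated header comment documents the three return values but not their precedence, and the code fixes it: the `return -1` inside the loop fires on the first negated subpattern that matches, regardless of whether `got_positive` was already set by an earlier subpattern, so a negated entry anywhere in the list overrides any positive match. That is the property auth-rsa.c now relies on, so it deserves a sentence in the comment, e.g. ` * A matching negated subpattern takes precedence over any positive match, wherever it appears in the list.` The loop header and the initialisation of `got_positive` are outside this hunk, so the claim that every subpattern is visited is inferred from the visible body.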
diff --git a/usr.bin/ssh/match.h b/usr.bin/ssh/match.h
index 4625d97691f..8eac0a50229 100644
--- a/usr.bin/ssh/match.h
+++ b/usr.bin/ssh/match.h
@@ -10,8 +10,8 @@ int match_pattern(const char *s, const char *pattern);
/*
* Tries to match the host name (which must be in all lowercase) against the
* comma-separated sequence of subpatterns (each possibly preceded by ! to
- * indicate negation). Returns true if there is a positive match; zero
- * otherwise.
+ * indicate negation). Returns -1 if negation matches, 1 if there is
+ * a positive match, 0 if there is no match at all.
*/
int match_hostname(const char *host, const char *pattern, unsigned int len);
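Review bot: The declaration's comment should warn callers that the result is no longer a boolean, because the old contract (non-zero means allowed) would now accept a negated match: a caller that still writes `if (match_hostname(...))` treats -1 as success. The commit updates auth-rsa.c and hostfile.c, but nothing in the header stops a caller elsewhere in the tree from keeping the old test. Adding ` * Callers must compare the result against 1 explicitly; testing it for non-zero would accept a negated match.` to this comment makes the contract visible at the one place every caller sees.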