author | Markus Friedl <markus@cvs.openbsd.org> | 2000-06-06 19:32:15 +0000 |
---|---|---|
committer | Markus Friedl <markus@cvs.openbsd.org> | 2000-06-06 19:32:15 +0000 |
commit | d842878205b7be9983f2d4d7c82f9a8126269d20 (patch) | |
tree | d8099af40b7d7ae214734eda6358ccc8da628be8 | |
parent | 066f1322e6f5b02bc451ed7fa0303626cf50ca64 (diff) |
fix match_hostname() logic for auth-rsa: deny access if we have a negative match or no match at all
-rw-r--r-- | usr.bin/ssh/auth-rsa.c | 18 | ||||
-rw-r--r-- | usr.bin/ssh/hostfile.c | 4 | ||||
-rw-r--r-- | usr.bin/ssh/match.c | 12 | ||||
-rw-r--r-- | usr.bin/ssh/match.h | 4 |
4 files changed, 23 insertions, 15 deletions
diff --git a/usr.bin/ssh/auth-rsa.c b/usr.bin/ssh/auth-rsa.c
index 78d28f0b8c8..f19a20a9978 100644
--- a/usr.bin/ssh/auth-rsa.c
+++ b/usr.bin/ssh/auth-rsa.c
@@ -16,7 +16,7 @@
 */
 #include "includes.h"
-RCSID("$Id: auth-rsa.c,v 1.23 2000/04/29 18:11:51 markus Exp $");
+RCSID("$Id: auth-rsa.c,v 1.24 2000/06/06 19:32:13 markus Exp $");
 #include "rsa.h"
 #include "packet.h"
@@ -133,6 +133,7 @@ auth_rsa(struct passwd *pw, BIGNUM *client_n)
 unsigned long linenum = 0;
 struct stat st;
 RSA *pk;
+ int mname, mip;
 /* Temporarily use the user's uid. */
 temporarily_use_uid(pw->pw_uid);
@@ -390,10 +391,17 @@ auth_rsa(struct passwd *pw, BIGNUM *client_n)
 }
 patterns[i] = 0;
 options++;
- if (!match_hostname(get_canonical_hostname(), patterns,
- strlen(patterns)) &&
- !match_hostname(get_remote_ipaddr(), patterns,
- strlen(patterns))) {
+ /*
+ * Deny access if we get a negative
+ * match for the hostname or the ip
+ * or if we get not match at all
+ */
+ mname = match_hostname(get_canonical_hostname(),
+ patterns, strlen(patterns));
+ mip = match_hostname(get_remote_ipaddr(),
+ patterns, strlen(patterns));
+ if (mname == -1 || mip == -1 ||
+ (mname != 1 && mip != 1)) {
 log("RSA authentication tried for %.100s with correct key but not from a permitted host (host=%.200s, ip=%.200s).", pw->pw_name, get_canonical_hostname(), get_remote_ipaddr());
diff --git a/usr.bin/ssh/hostfile.c b/usr.bin/ssh/hostfile.c
index bac285da50f..f58e1d67d04 100644
--- a/usr.bin/ssh/hostfile.c
+++ b/usr.bin/ssh/hostfile.c
@@ -14,7 +14,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: hostfile.c,v 1.18 2000/04/29 18:11:52 markus Exp $");
+RCSID("$OpenBSD: hostfile.c,v 1.19 2000/06/06 19:32:13 markus Exp $");
 #include "packet.h"
 #include "match.h"
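Review bot: The new comment above the `mname`/`mip` test has a typo that inverts its sense on first read: `* or if we get not match at all` should read `* or if we get no match at all`. The condition itself is sound against the new `match_hostname()` contract: a `-1` from either the hostname or the address check denies, and so does the absence of a `1` from both, which closes the case the old `!a && !b` form allowed where a negated hostname match (then reported as `0`) was paired with a positive address match. `strlen(patterns)` is a `size_t` passed to the `unsigned int len` parameter; that narrowing predates this commit, but an explicit `(unsigned int)` cast would make the intent visible now that the call is being rewritten. auth_rsa()'s body continues outside the hunk.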
@@ -129,7 +129,7 @@ check_host_in_hostfile(const char *filename, const char *host, Key *key, Key *fo
 ;
 /* Check if the host name matches. */
- if (!match_hostname(host, cp, (unsigned int) (cp2 - cp)))
+ if (match_hostname(host, cp, (unsigned int) (cp2 - cp)) != 1)
 continue;
 /* Got a match. Skip host name. */
diff --git a/usr.bin/ssh/match.c b/usr.bin/ssh/match.c
index 00dff8a8613..201e7870a9d 100644
--- a/usr.bin/ssh/match.c
+++ b/usr.bin/ssh/match.c
@@ -14,7 +14,7 @@
 */
 #include "includes.h"
-RCSID("$Id: match.c,v 1.6 2000/04/14 10:30:31 markus Exp $");
+RCSID("$Id: match.c,v 1.7 2000/06/06 19:32:14 markus Exp $");
 #include "ssh.h"
@@ -84,8 +84,8 @@ match_pattern(const char *s, const char *pattern)
 /*
 * Tries to match the host name (which must be in all lowercase) against the
 * comma-separated sequence of subpatterns (each possibly preceded by ! to
- * indicate negation). Returns true if there is a positive match; zero
- * otherwise.
+ * indicate negation). Returns -1 if negation matches, 1 if there is
+ * a positive match, 0 if there is no match at all.
 */
 int
@@ -127,15 +127,15 @@ match_hostname(const char *host, const char *pattern, unsigned int len)
 /* Try to match the subpattern against the host name. */
 if (match_pattern(host, sub)) {
 if (negated)
- return 0; /* Fail */
+ return -1; /* Negative */
 else
- got_positive = 1;
+ got_positive = 1; /* Positive */
 }
 }
 /*
 * Return success if got a positive match. If there was a negative
- * match, we have already returned zero and never get here.
+ * match, we have already returned -1 and never get here.
 */
 return got_positive;
 }
diff --git a/usr.bin/ssh/match.h b/usr.bin/ssh/match.h
index 4625d97691f..8eac0a50229 100644
--- a/usr.bin/ssh/match.h
+++ b/usr.bin/ssh/match.h
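Review bot: The `!= 1` on the changed `match_hostname()` call deserves a comment, because a reader of hostfile.c alone cannot tell that the function now returns a tri-state value and that `-1` is meant to fall through to `continue` exactly like `0`; suggest replacing `/* Check if the host name matches. */` with `/* Skip the line unless the host matches positively; a negated match counts as no match here. */`. The `(unsigned int) (cp2 - cp)` narrowing of a pointer difference is untouched by this commit and is only safe while a hostfile line stays well below `UINT_MAX` bytes, which presumably holds for the line reader but is not visible here. check_host_in_hostfile() starts and ends outside the hunk.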
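Review bot: The trailing comment `* Return success if got a positive match.` no longer describes the contract now that the result is tri-state, and more importantly neither it nor the header comment changed in the `@@ -84` hunk (and its twin in match.h) says that a negated subpattern takes precedence over a positive one regardless of order, which is what the early `return -1;` inside the loop implements. Suggest `* Return 1 if a positive match was seen, 0 if nothing matched. A negated match has already returned -1 above, so negation always wins over a positive match, whatever the order of the subpatterns.` The three result values are compared as bare literals in auth-rsa.c and hostfile.c; a small named enum in match.h (constructed example: `MATCH_NEGATIVE`, `MATCH_NONE`, `MATCH_POSITIVE`) would make those call sites self-documenting and keep the three files from drifting. match_hostname() starts outside the hunk, so I am assuming `got_positive` is initialized to 0 there.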
@@ -10,8 +10,8 @@ int match_pattern(const char *s, const char *pattern);
 /*
 * Tries to match the host name (which must be in all lowercase) against the
 * comma-separated sequence of subpatterns (each possibly preceded by ! to
- * indicate negation). Returns true if there is a positive match; zero
- * otherwise.
+ * indicate negation). Returns -1 if negation matches, 1 if there is
+ * a positive match, 0 if there is no match at all.
 */
 int match_hostname(const char *host, const char *pattern, unsigned int len); |