authorDamien Miller <djm@cvs.openbsd.org>2019-06-14 03:40:00 +0000
committerDamien Miller <djm@cvs.openbsd.org>2019-06-14 03:40:00 +0000
commit722b10b5a25dd8d31060c85c1e0f86e7b9748feb (patch)
treecb2fb3f960e0f247e1e0400c729f3eb3e6c602ec /usr.bin
parent85a2cb49c61dbc7a147cbb40adf63184c7b87a21 (diff)
for public key authentication, check AuthorizedKeysFiles files before
consulting AuthorizedKeysCommand; ok dtucker markus
Diffstat (limited to 'usr.bin')
-rw-r--r--usr.bin/ssh/auth2-pubkey.c29
1 files changed, 18 insertions, 11 deletions
diff --git a/usr.bin/ssh/auth2-pubkey.c b/usr.bin/ssh/auth2-pubkey.c
index e628a4eebbd..46f39672df6 100644
--- a/usr.bin/ssh/auth2-pubkey.c
+++ b/usr.bin/ssh/auth2-pubkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-pubkey.c,v 1.88 2019/05/20 00:25:55 djm Exp $ */
+/* $OpenBSD: auth2-pubkey.c,v 1.89 2019/06/14 03:39:59 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
@@ -1011,9 +1011,10 @@ int
user_key_allowed(struct ssh *ssh, struct passwd *pw, struct sshkey *key,
int auth_attempt, struct sshauthopt **authoptsp)
{
- u_int success, i;
+ u_int success = 0, i;
char *file;
struct sshauthopt *opts = NULL;
+
if (authoptsp != NULL)
*authoptsp = NULL;
@@ -1023,6 +1024,21 @@ user_key_allowed(struct ssh *ssh, struct passwd *pw, struct sshkey *key,
auth_key_is_revoked(key->cert->signature_key))
return 0;
+ for (i = 0; !success && i < options.num_authkeys_files; i++) {
+ if (strcasecmp(options.authorized_keys_files[i], "none") == 0)
+ continue;
+ file = expand_authorized_keys(
+ options.authorized_keys_files[i], pw);
+ success = user_key_allowed2(ssh, pw, key, file, &opts);
+ free(file);
+ if (!success) {
+ sshauthopt_free(opts);
+ opts = NULL;
+ }
+ }
+ if (success)
+ goto out;
+
if ((success = user_cert_trusted_ca(ssh, pw, key, &opts)) != 0)
goto out;
sshauthopt_free(opts);
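Review bot: The new file-scan loop placed ahead of the trusted-CA check carries no comment on why it now runs first, and that ordering is the whole point of the change; a one-line comment above the `for` would help the next reader, e.g. `/* AuthorizedKeysFile entries are consulted first; trusted CAs and AuthorizedKeysCommand are only tried when no file matched. */`. The `!success` in the loop condition stops scanning at the first matching file, so only that file's options reach `out`, and the free-and-NULL of `opts` on a failed file lookup keeps a stale pointer from flowing into the CA path, which the removed loop did not guard against. The return of `expand_authorized_keys` is still passed to `user_key_allowed2` without a NULL check, as in the removed code; presumably it cannot return NULL, but that is not visible here. user_key_allowed's body continues past the hunk.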
@@ -1033,15 +1049,6 @@ user_key_allowed(struct ssh *ssh, struct passwd *pw, struct sshkey *key,
sshauthopt_free(opts);
opts = NULL;
- for (i = 0; !success && i < options.num_authkeys_files; i++) {
- if (strcasecmp(options.authorized_keys_files[i], "none") == 0)
- continue;
- file = expand_authorized_keys(
- options.authorized_keys_files[i], pw);
- success = user_key_allowed2(ssh, pw, key, file, &opts);
- free(file);
- }
-
out:
if (success && authoptsp != NULL) {
*authoptsp = opts;