summaryrefslogtreecommitdiff
path: root/usr.bin/ssh/auth.c
diff options
context:
space:
mode:
Diffstat (limited to 'usr.bin/ssh/auth.c')
-rw-r--r--usr.bin/ssh/auth.c94
1 files changed, 1 insertions, 93 deletions
diff --git a/usr.bin/ssh/auth.c b/usr.bin/ssh/auth.c
index 9fff5c1156e..93b56340d6a 100644
--- a/usr.bin/ssh/auth.c
+++ b/usr.bin/ssh/auth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.c,v 1.156 2022/05/27 05:01:25 djm Exp $ */
+/* $OpenBSD: auth.c,v 1.157 2022/05/27 05:02:46 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
@@ -833,95 +833,3 @@ auth_restrict_session(struct ssh *ssh)
fatal_f("failed to restrict session");
sshauthopt_free(restricted);
}
-
-int
-auth_authorise_keyopts(struct passwd *pw, struct sshauthopt *opts,
- int allow_cert_authority, const char *remote_ip, const char *remote_host,
- const char *loc)
-{
- time_t now = time(NULL);
- char buf[64];
-
- /*
- * Check keys/principals file expiry time.
- * NB. validity interval in certificate is handled elsewhere.
- */
- if (opts->valid_before && now > 0 &&
- opts->valid_before < (uint64_t)now) {
- format_absolute_time(opts->valid_before, buf, sizeof(buf));
- debug("%s: entry expired at %s", loc, buf);
- auth_debug_add("%s: entry expired at %s", loc, buf);
- return -1;
- }
- /* Consistency checks */
- if (opts->cert_principals != NULL && !opts->cert_authority) {
- debug("%s: principals on non-CA key", loc);
- auth_debug_add("%s: principals on non-CA key", loc);
- /* deny access */
- return -1;
- }
- /* cert-authority flag isn't valid in authorized_principals files */
- if (!allow_cert_authority && opts->cert_authority) {
- debug("%s: cert-authority flag invalid here", loc);
- auth_debug_add("%s: cert-authority flag invalid here", loc);
- /* deny access */
- return -1;
- }
-
- /* Perform from= checks */
- if (opts->required_from_host_keys != NULL) {
- switch (match_host_and_ip(remote_host, remote_ip,
- opts->required_from_host_keys )) {
- case 1:
- /* Host name matches. */
- break;
- case -1:
- default:
- debug("%s: invalid from criteria", loc);
- auth_debug_add("%s: invalid from criteria", loc);
- /* FALLTHROUGH */
- case 0:
- logit("%s: Authentication tried for %.100s with "
- "correct key but not from a permitted "
- "host (host=%.200s, ip=%.200s, required=%.200s).",
- loc, pw->pw_name, remote_host, remote_ip,
- opts->required_from_host_keys);
- auth_debug_add("%s: Your host '%.200s' is not "
- "permitted to use this key for login.",
- loc, remote_host);
- /* deny access */
- return -1;
- }
- }
- /* Check source-address restriction from certificate */
- if (opts->required_from_host_cert != NULL) {
- switch (addr_match_cidr_list(remote_ip,
- opts->required_from_host_cert)) {
- case 1:
- /* accepted */
- break;
- case -1:
- default:
- /* invalid */
- error("%s: Certificate source-address invalid", loc);
- /* FALLTHROUGH */
- case 0:
- logit("%s: Authentication tried for %.100s with valid "
- "certificate but not from a permitted source "
- "address (%.200s).", loc, pw->pw_name, remote_ip);
- auth_debug_add("%s: Your address '%.200s' is not "
- "permitted to use this certificate for login.",
- loc, remote_ip);
- return -1;
- }
- }
- /*
- *
- * XXX this is spammy. We should report remotely only for keys
- * that are successful in actual auth attempts, and not PK_OK
- * tests.
- */
- auth_log_authopts(loc, opts, 1);
-
- return 0;
-}