/* Returns 1 if key is revoked by revoked_keys_file, 0 otherwise */ int auth_key_is_revoked(Key *key) { char *key_fp; if (options.revoked_keys_file == NULL) return 0; switch (key_in_file(key, options.revoked_keys_file, 0)) { case 0: /* key not revoked */ return 0; case -1: /* Error opening revoked_keys_file: refuse all keys */ error("Revoked keys file is unreadable: refusing public key " "authentication"); return 1; case 1: /* Key revoked */ key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); error("WARNING: authentication attempt with a revoked " "%s key %s ", key_type(key), key_fp); xfree(key_fp); return 1; } fatal("key_in_file returned junk"); }
/* Authenticate a certificate key against TrustedUserCAKeys */ static int user_cert_trusted_ca(struct passwd *pw, Key *key) { char *ca_fp, *principals_file = NULL; const char *reason; int ret = 0; if (!key_is_cert(key) || options.trusted_user_ca_keys == NULL) return 0; ca_fp = key_fingerprint(key->cert->signature_key, SSH_FP_MD5, SSH_FP_HEX); if (key_in_file(key->cert->signature_key, options.trusted_user_ca_keys, 1) != 1) { debug2("%s: CA %s %s is not listed in %s", __func__, key_type(key->cert->signature_key), ca_fp, options.trusted_user_ca_keys); goto out; } /* * If AuthorizedPrincipals is in use, then compare the certificate * principals against the names in that file rather than matching * against the username. */ if ((principals_file = authorized_principals_file(pw)) != NULL) { if (!match_principals_file(principals_file, pw, key->cert)) { reason = "Certificate does not contain an " "authorized principal"; fail_reason: error("%s", reason); auth_debug_add("%s", reason); goto out; } } if (key_cert_check_authority(key, 0, 1, principals_file == NULL ? pw->pw_name : NULL, &reason) != 0) goto fail_reason; if (auth_cert_options(key, pw) != 0) goto out; verbose("Accepted certificate ID \"%s\" signed by %s CA %s via %s", key->cert->key_id, key_type(key->cert->signature_key), ca_fp, options.trusted_user_ca_keys); ret = 1; out: if (principals_file != NULL) xfree(principals_file); if (ca_fp != NULL) xfree(ca_fp); return ret; }
/* Returns 1 if key is revoked by revoked_keys_file, 0 otherwise */ int auth_key_is_revoked(Key *key, int hostkey) { char *key_fp; if (blacklisted_key(key, &key_fp) == 1) { if (options.permit_blacklisted_keys) { if (hostkey) error("Host key %s blacklisted (see " "ssh-vulnkey(1)); continuing anyway", key_fp); else logit("Public key %s from %s blacklisted (see " "ssh-vulnkey(1)); continuing anyway", key_fp, get_remote_ipaddr()); xfree(key_fp); } else { if (hostkey) error("Host key %s blacklisted (see " "ssh-vulnkey(1))", key_fp); else logit("Public key %s from %s blacklisted (see " "ssh-vulnkey(1))", key_fp, get_remote_ipaddr()); xfree(key_fp); return 1; } } if (options.revoked_keys_file == NULL) return 0; switch (key_in_file(key, options.revoked_keys_file, 0)) { case 0: /* key not revoked */ return 0; case -1: /* Error opening revoked_keys_file: refuse all keys */ error("Revoked keys file is unreadable: refusing public key " "authentication"); return 1; case 1: /* Key revoked */ key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); error("WARNING: authentication attempt with a revoked " "%s key %s ", key_type(key), key_fp); xfree(key_fp); return 1; } fatal("key_in_file returned junk"); }
/* Returns 1 if key is revoked by revoked_keys_file, 0 otherwise */ int auth_key_is_revoked(Key *key) { char *key_fp; if (options.revoked_keys_file == NULL) return 0; switch (ssh_krl_file_contains_key(options.revoked_keys_file, key)) { case 0: return 0; /* Not revoked */ case -2: break; /* Not a KRL */ default: goto revoked; } debug3("%s: treating %s as a key list", __func__, options.revoked_keys_file); switch (key_in_file(key, options.revoked_keys_file, 0)) { case 0: /* key not revoked */ return 0; case -1: /* Error opening revoked_keys_file: refuse all keys */ error("Revoked keys file is unreadable: refusing public key " "authentication"); return 1; case 1: revoked: /* Key revoked */ key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); error("WARNING: authentication attempt with a revoked " "%s key %s ", key_type(key), key_fp); xfree(key_fp); return 1; } fatal("key_in_file returned junk"); }