/* Returns 1 if key is revoked by revoked_keys_file, 0 otherwise */
int
auth_key_is_revoked(Key *key, int hostkey)
{
char *key_fp;
if (blacklisted_key(key, &key_fp) == 1) {
if (options.permit_blacklisted_keys) {
if (hostkey)
error("Host key %s blacklisted (see "
"ssh-vulnkey(1)); continuing anyway",
key_fp);
else
logit("Public key %s from %s blacklisted (see "
"ssh-vulnkey(1)); continuing anyway",
key_fp, get_remote_ipaddr());
xfree(key_fp);
} else {
if (hostkey)
error("Host key %s blacklisted (see "
"ssh-vulnkey(1))", key_fp);
else
logit("Public key %s from %s blacklisted (see "
"ssh-vulnkey(1))",
key_fp, get_remote_ipaddr());
xfree(key_fp);
return 1;
}
}
if (options.revoked_keys_file == NULL)
return 0;
switch (key_in_file(key, options.revoked_keys_file, 0)) {
case 0:
/* key not revoked */
return 0;
case -1:
/* Error opening revoked_keys_file: refuse all keys */
error("Revoked keys file is unreadable: refusing public key "
"authentication");
return 1;
case 1:
/* Key revoked */
key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
error("WARNING: authentication attempt with a revoked "
"%s key %s ", key_type(key), key_fp);
xfree(key_fp);
return 1;
}
fatal("key_in_file returned junk");
}
int
do_key(Key *key, const char *comment)
{
char *blacklist_file;
struct stat st;
int ret = 1;
blacklist_file = blacklist_filename(key);
if (stat(blacklist_file, &st) < 0)
describe_key("Unknown (no blacklist information)",
key, comment);
else if (blacklisted_key(key)) {
describe_key("COMPROMISED", key, comment);
ret = 0;
} else
describe_key("Not blacklisted", key, comment);
xfree(blacklist_file);
return ret;
}
/* check whether given key is in .ssh/authorized_keys* */
int
user_key_allowed(struct passwd *pw, Key *key)
{
char *fp;
int success;
char *file;
if (blacklisted_key(key)) {
fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
if (options.permit_blacklisted_keys)
logit("Public key %s blacklisted (see "
"ssh-vulnkey(1)); continuing anyway", fp);
else
logit("Public key %s blacklisted (see "
"ssh-vulnkey(1))", fp);
xfree(fp);
if (!options.permit_blacklisted_keys)
return 0;
}
if (auth_key_is_revoked(key))
return 0;
if (key_is_cert(key) && auth_key_is_revoked(key->cert->signature_key))
return 0;
success = user_cert_trusted_ca(pw, key);
if (success)
return success;
file = authorized_keys_file(pw);
success = user_key_allowed2(pw, key, file);
xfree(file);
if (success)
return success;
/* try suffix "2" for backward compat, too */
file = authorized_keys_file2(pw);
success = user_key_allowed2(pw, key, file);
xfree(file);
return success;
}
/* check whether given key is in .ssh/authorized_keys* */
int
user_key_allowed(struct passwd *pw, Key *key)
{
char *fp;
u_int success, i;
char *file;
if (blacklisted_key(key)) {
fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
if (options.permit_blacklisted_keys)
logit("Public key %s blacklisted (see "
"ssh-vulnkey(1)); continuing anyway", fp);
else
logit("Public key %s blacklisted (see "
"ssh-vulnkey(1))", fp);
xfree(fp);
if (!options.permit_blacklisted_keys)
return 0;
}
if (auth_key_is_revoked(key))
return 0;
if (key_is_cert(key) && auth_key_is_revoked(key->cert->signature_key))
return 0;
success = user_cert_trusted_ca(pw, key);
if (success)
return success;
for (i = 0; !success && i < options.num_authkeys_files; i++) {
file = expand_authorized_keys(
options.authorized_keys_files[i], pw);
success = user_key_allowed2(pw, key, file);
xfree(file);
}
return success;
}
static int
rsa_key_allowed_in_file(struct passwd *pw, char *file,
const BIGNUM *client_n, Key **rkey)
{
char line[SSH_MAX_PUBKEY_BYTES];
int allowed = 0;
u_int bits;
FILE *f;
u_long linenum = 0;
Key *key;
debug("trying public RSA key file %s", file);
if ((f = auth_openkeyfile(file, pw, options.strict_modes)) == NULL)
return 0;
/*
* Go though the accepted keys, looking for the current key. If
* found, perform a challenge-response dialog to verify that the
* user really has the corresponding private key.
*/
key = key_new(KEY_RSA1);
while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
char *cp;
char *key_options;
int keybits;
char *fp;
/* Skip leading whitespace, empty and comment lines. */
for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
;
if (!*cp || *cp == '\n' || *cp == '#')
continue;
/*
* Check if there are options for this key, and if so,
* save their starting address and skip the option part
* for now. If there are no options, set the starting
* address to NULL.
*/
if (*cp < '0' || *cp > '9') {
int quoted = 0;
key_options = cp;
for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) {
if (*cp == '\\' && cp[1] == '"')
cp++; /* Skip both */
else if (*cp == '"')
quoted = !quoted;
}
} else
key_options = NULL;
/* Parse the key from the line. */
if (hostfile_read_key(&cp, &bits, key) == 0) {
debug("%.100s, line %lu: non ssh1 key syntax",
file, linenum);
continue;
}
/* cp now points to the comment part. */
/*
* Check if the we have found the desired key (identified
* by its modulus).
*/
if (BN_cmp(key->rsa->n, client_n) != 0)
continue;
/* check the real bits */
keybits = BN_num_bits(key->rsa->n);
if (keybits < 0 || bits != (u_int)keybits)
logit("Warning: %s, line %lu: keysize mismatch: "
"actual %d vs. announced %d.",
file, linenum, BN_num_bits(key->rsa->n), bits);
/* Never accept a revoked key */
if (auth_key_is_revoked(key))
break;
if (blacklisted_key(key)) {
fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
if (options.permit_blacklisted_keys)
logit("Public key %s blacklisted (see "
"ssh-vulnkey(1)); continuing anyway", fp);
else
logit("Public key %s blacklisted (see "
"ssh-vulnkey(1))", fp);
xfree(fp);
if (!options.permit_blacklisted_keys)
continue;
}
/* We have found the desired key. */
/*
* If our options do not allow this key to be used,
* do not send challenge.
*/
if (!auth_parse_options(pw, key_options, file, linenum))
continue;
if (key_is_cert_authority)
continue;
/* break out, this key is allowed */
allowed = 1;
break;
}
/* Close the file. */
fclose(f);
/* return key if allowed */
if (allowed && rkey != NULL)
*rkey = key;
else
key_free(key);
return allowed;
}
