Exemplo n.º 1
0
/* Returns 1 if key is revoked by revoked_keys_file, 0 otherwise */
int
auth_key_is_revoked(Key *key, int hostkey)
{
    char *key_fp;

    if (blacklisted_key(key, &key_fp) == 1) {
        if (options.permit_blacklisted_keys) {
            if (hostkey)
                error("Host key %s blacklisted (see "
                      "ssh-vulnkey(1)); continuing anyway",
                      key_fp);
            else
                logit("Public key %s from %s blacklisted (see "
                      "ssh-vulnkey(1)); continuing anyway",
                      key_fp, get_remote_ipaddr());
            xfree(key_fp);
        } else {
            if (hostkey)
                error("Host key %s blacklisted (see "
                      "ssh-vulnkey(1))", key_fp);
            else
                logit("Public key %s from %s blacklisted (see "
                      "ssh-vulnkey(1))",
                      key_fp, get_remote_ipaddr());
            xfree(key_fp);
            return 1;
        }
    }

    if (options.revoked_keys_file == NULL)
        return 0;

    switch (key_in_file(key, options.revoked_keys_file, 0)) {
    case 0:
        /* key not revoked */
        return 0;
    case -1:
        /* Error opening revoked_keys_file: refuse all keys */
        error("Revoked keys file is unreadable: refusing public key "
              "authentication");
        return 1;
    case 1:
        /* Key revoked */
        key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
        error("WARNING: authentication attempt with a revoked "
              "%s key %s ", key_type(key), key_fp);
        xfree(key_fp);
        return 1;
    }
    fatal("key_in_file returned junk");
}
Exemplo n.º 2
0
int
do_key(Key *key, const char *comment)
{
	char *blacklist_file;
	struct stat st;
	int ret = 1;

	blacklist_file = blacklist_filename(key);
	if (stat(blacklist_file, &st) < 0)
		describe_key("Unknown (no blacklist information)",
		    key, comment);
	else if (blacklisted_key(key)) {
		describe_key("COMPROMISED", key, comment);
		ret = 0;
	} else
		describe_key("Not blacklisted", key, comment);
	xfree(blacklist_file);

	return ret;
}
Exemplo n.º 3
0
/* check whether given key is in .ssh/authorized_keys* */
int
user_key_allowed(struct passwd *pw, Key *key)
{
	char *fp;
	int success;
	char *file;

	if (blacklisted_key(key)) {
		fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
		if (options.permit_blacklisted_keys)
			logit("Public key %s blacklisted (see "
			    "ssh-vulnkey(1)); continuing anyway", fp);
		else
			logit("Public key %s blacklisted (see "
			    "ssh-vulnkey(1))", fp);
		xfree(fp);
		if (!options.permit_blacklisted_keys)
			return 0;
	}

	if (auth_key_is_revoked(key))
		return 0;
	if (key_is_cert(key) && auth_key_is_revoked(key->cert->signature_key))
		return 0;

	success = user_cert_trusted_ca(pw, key);
	if (success)
		return success;

	file = authorized_keys_file(pw);
	success = user_key_allowed2(pw, key, file);
	xfree(file);
	if (success)
		return success;

	/* try suffix "2" for backward compat, too */
	file = authorized_keys_file2(pw);
	success = user_key_allowed2(pw, key, file);
	xfree(file);
	return success;
}
Exemplo n.º 4
0
/* check whether given key is in .ssh/authorized_keys* */
int
user_key_allowed(struct passwd *pw, Key *key)
{
	char *fp;
	u_int success, i;
	char *file;

	if (blacklisted_key(key)) {
		fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
		if (options.permit_blacklisted_keys)
			logit("Public key %s blacklisted (see "
			    "ssh-vulnkey(1)); continuing anyway", fp);
		else
			logit("Public key %s blacklisted (see "
			    "ssh-vulnkey(1))", fp);
		xfree(fp);
		if (!options.permit_blacklisted_keys)
			return 0;
	}

	if (auth_key_is_revoked(key))
		return 0;
	if (key_is_cert(key) && auth_key_is_revoked(key->cert->signature_key))
		return 0;

	success = user_cert_trusted_ca(pw, key);
	if (success)
		return success;

	for (i = 0; !success && i < options.num_authkeys_files; i++) {
		file = expand_authorized_keys(
		    options.authorized_keys_files[i], pw);
		success = user_key_allowed2(pw, key, file);
		xfree(file);
	}

	return success;
}
Exemplo n.º 5
0
static int
rsa_key_allowed_in_file(struct passwd *pw, char *file,
    const BIGNUM *client_n, Key **rkey)
{
	char line[SSH_MAX_PUBKEY_BYTES];
	int allowed = 0;
	u_int bits;
	FILE *f;
	u_long linenum = 0;
	Key *key;

	debug("trying public RSA key file %s", file);
	if ((f = auth_openkeyfile(file, pw, options.strict_modes)) == NULL)
		return 0;

	/*
	 * Go though the accepted keys, looking for the current key.  If
	 * found, perform a challenge-response dialog to verify that the
	 * user really has the corresponding private key.
	 */
	key = key_new(KEY_RSA1);
	while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
		char *cp;
		char *key_options;
		int keybits;
		char *fp;

		/* Skip leading whitespace, empty and comment lines. */
		for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
			;
		if (!*cp || *cp == '\n' || *cp == '#')
			continue;

		/*
		 * Check if there are options for this key, and if so,
		 * save their starting address and skip the option part
		 * for now.  If there are no options, set the starting
		 * address to NULL.
		 */
		if (*cp < '0' || *cp > '9') {
			int quoted = 0;
			key_options = cp;
			for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) {
				if (*cp == '\\' && cp[1] == '"')
					cp++;	/* Skip both */
				else if (*cp == '"')
					quoted = !quoted;
			}
		} else
			key_options = NULL;

		/* Parse the key from the line. */
		if (hostfile_read_key(&cp, &bits, key) == 0) {
			debug("%.100s, line %lu: non ssh1 key syntax",
			    file, linenum);
			continue;
		}
		/* cp now points to the comment part. */

		/*
		 * Check if the we have found the desired key (identified
		 * by its modulus).
		 */
		if (BN_cmp(key->rsa->n, client_n) != 0)
			continue;

		/* check the real bits  */
		keybits = BN_num_bits(key->rsa->n);
		if (keybits < 0 || bits != (u_int)keybits)
			logit("Warning: %s, line %lu: keysize mismatch: "
			    "actual %d vs. announced %d.",
			    file, linenum, BN_num_bits(key->rsa->n), bits);

		/* Never accept a revoked key */
		if (auth_key_is_revoked(key))
			break;

		if (blacklisted_key(key)) {
			fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
			if (options.permit_blacklisted_keys)
				logit("Public key %s blacklisted (see "
				    "ssh-vulnkey(1)); continuing anyway", fp);
			else
				logit("Public key %s blacklisted (see "
				    "ssh-vulnkey(1))", fp);
			xfree(fp);
			if (!options.permit_blacklisted_keys)
				continue;
		}

		/* We have found the desired key. */
		/*
		 * If our options do not allow this key to be used,
		 * do not send challenge.
		 */
		if (!auth_parse_options(pw, key_options, file, linenum))
			continue;
		if (key_is_cert_authority)
			continue;
		/* break out, this key is allowed */
		allowed = 1;
		break;
	}

	/* Close the file. */
	fclose(f);

	/* return key if allowed */
	if (allowed && rkey != NULL)
		*rkey = key;
	else
		key_free(key);

	return allowed;
}