author: Dag-Erling Smørgrav <des@FreeBSD.org> 2010-11-08 10:45:44 +0000
committer: Dag-Erling Smørgrav <des@FreeBSD.org> 2010-11-08 10:45:44 +0000
commit3a927e69c380468bb32766c99aa7caf86de401a4 (patch)
treea92a6ad754f3ce37585ea89bd5d2693dbc5991ef /auth2-hostbased.c
parentf276912e6fa1da1174ba900a7e5d6447d71fc8e7 (diff)
Vendor import of OpenSSH 5.6p1 (tag: vendor/openssh/5.6p1)
Notes
Notes: svn path=/vendor-crypto/openssh/dist/; revision=214979 svn path=/vendor-crypto/openssh/5.6p1/; revision=214980; tag=vendor/openssh/5.6p1
Diffstat (limited to 'auth2-hostbased.c')
-rw-r--r--auth2-hostbased.c31
1 files changed, 28 insertions, 3 deletions
diff --git a/auth2-hostbased.c b/auth2-hostbased.c
index 721646520fec..cdf442f97c2c 100644
--- a/auth2-hostbased.c
+++ b/auth2-hostbased.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-hostbased.c,v 1.13 2010/03/04 10:36:03 djm Exp $ */
+/* $OpenBSD: auth2-hostbased.c,v 1.14 2010/08/04 05:42:47 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
@@ -141,9 +141,10 @@ int
hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
Key *key)
{
- const char *resolvedname, *ipaddr, *lookup;
+ const char *resolvedname, *ipaddr, *lookup, *reason;
HostStatus host_status;
int len;
+ char *fp;
if (auth_key_is_revoked(key))
return 0;
@@ -174,16 +175,40 @@ hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
}
debug2("userauth_hostbased: access allowed by auth_rhosts2");
+ if (key_is_cert(key) &&
+ key_cert_check_authority(key, 1, 0, lookup, &reason)) {
+ error("%s", reason);
+ auth_debug_add("%s", reason);
+ return 0;
+ }
+
host_status = check_key_in_hostfiles(pw, key, lookup,
_PATH_SSH_SYSTEM_HOSTFILE,
options.ignore_user_known_hosts ? NULL : _PATH_SSH_USER_HOSTFILE);
/* backward compat if no key has been found. */
- if (host_status == HOST_NEW)
+ if (host_status == HOST_NEW) {
host_status = check_key_in_hostfiles(pw, key, lookup,
_PATH_SSH_SYSTEM_HOSTFILE2,
options.ignore_user_known_hosts ? NULL :
_PATH_SSH_USER_HOSTFILE2);
+ }
+
+ if (host_status == HOST_OK) {
+ if (key_is_cert(key)) {
+ fp = key_fingerprint(key->cert->signature_key,
+ SSH_FP_MD5, SSH_FP_HEX);
+ verbose("Accepted certificate ID \"%s\" signed by "
+ "%s CA %s from %s@%s", key->cert->key_id,
+ key_type(key->cert->signature_key), fp,
+ cuser, lookup);
+ } else {
+ fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
+ verbose("Accepted %s public key %s from %s@%s",
+ key_type(key), fp, cuser, lookup);
+ }
+ xfree(fp);
+ }
return (host_status == HOST_OK);
}
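Review bot: The `verbose("Accepted %s public key %s from %s@%s", ...)` line and its certificate counterpart fire as soon as `host_status == HOST_OK`, inside a function whose only output is the permission decision returned on the next line; nothing in this hunk proves the client holds the private key, and the signature over the session is presumably checked by the caller (`userauth_hostbased`, not in SOURCE), so a request carrying a key that is listed in known_hosts but a bad or replayed signature still leaves an "Accepted ... public key" entry at verbose level. That wording invites anyone correlating logs to count it as a successful authentication. Prefer phrasing it as a match, e.g. `verbose("Matched %s public key %s for %s@%s", key_type(key), fp, cuser, lookup);` (and the same for the certificate branch), or at least add `/* key is permitted here; the caller still verifies the signature */` above `if (host_status == HOST_OK)`. Note also that `cuser`, the certificate `key_id` and possibly `lookup` (if it was set from the packet-supplied host name earlier in the function) are client-influenced strings reaching the log, which is acceptable only if the logging layer escapes control characters — not verifiable from this hunk. hostbased_key_allowed starts in the previous hunk and its middle is not shown.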