Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / openssh / 596dbca82f3f567fb3d2d69af4b4e1d3ba1e6403^! / . / auth2-pubkey.c
commit596dbca82f3f567fb3d2d69af4b4e1d3ba1e6403[log] [tgz]
authorjsing@openbsd.org <jsing@openbsd.org>Mon Jun 15 18:44:22 2015 +0000
committerDamien Miller <djm@mindrot.org>Wed Jun 17 22:12:05 2015 +1000
tree83d8c183a65709172408da4b4473fe90ab9efca3
parentaff3e94c0d75d0d0fa84ea392b50ab04f8c57905 [diff] [blame]
upstream commit

If AuthorizedPrincipalsCommand is specified, however
 AuthorizedPrincipalsFile is not (or is set to "none"), authentication will
 potentially fail due to key_cert_check_authority() failing to locate a
 principal that matches the username, even though an authorized principal has
 already been matched in the output of the subprocess. Fix this by using the
 same logic to determine if pw->pw_name should be passed, as is used to
 determine if a authorized principal must be matched earlier on.

ok djm@

Upstream-ID: 43b42302ec846b0ea68aceb40677245391b9409d

diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index c820c28..5aa319c 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-pubkey.c,v 1.52 2015/06/15 18:42:19 jsing Exp $ */
+/* $OpenBSD: auth2-pubkey.c,v 1.53 2015/06/15 18:44:22 jsing Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -831,7 +831,7 @@
 {
 	char *ca_fp, *principals_file = NULL;
 	const char *reason;
-	int ret = 0, found_principal = 0;
+	int ret = 0, found_principal = 0, use_authorized_principals;
 
 	if (!key_is_cert(key) || options.trusted_user_ca_keys == NULL)
 		return 0;
@@ -859,9 +859,10 @@
 	/* Try querying command if specified */
 	if (!found_principal && match_principals_command(pw, key->cert))
 		found_principal = 1;
-	/* If principals file or command specify, then require a match here */
-	if (!found_principal && (principals_file != NULL ||
-	    options.authorized_principals_command != NULL)) {
+	/* If principals file or command is specified, then require a match */
+	use_authorized_principals = principals_file != NULL ||
+            options.authorized_principals_command != NULL;
+	if (!found_principal && use_authorized_principals) {
 		reason = "Certificate does not contain an authorized principal";
  fail_reason:
 		error("%s", reason);
@@ -869,7 +870,7 @@
 		goto out;
 	}
 	if (key_cert_check_authority(key, 0, 1,
-	    principals_file == NULL ? pw->pw_name : NULL, &reason) != 0)
+	    use_authorized_principals ? NULL : pw->pw_name, &reason) != 0)
 		goto fail_reason;
 	if (auth_cert_options(key, pw) != 0)
 		goto out;