blob: 2b3ecb10405dbcfad9886f51a3141ede0d99dbcc [file] [log] [blame]
Damien Miller20bdcd72013-07-18 16:10:09 +10001/* $OpenBSD: auth2-pubkey.c,v 1.38 2013/06/21 00:34:49 djm Exp $ */
Ben Lindstrom855bf3a2002-06-06 20:27:55 +00002/*
3 * Copyright (c) 2000 Markus Friedl. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 *
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
15 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
16 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
17 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
18 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
19 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
21 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
23 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24 */
25
26#include "includes.h"
Damien Millerf17883e2006-03-15 11:45:54 +110027
28#include <sys/types.h>
29#include <sys/stat.h>
Damien Miller09d3e122012-10-31 08:58:58 +110030#include <sys/wait.h>
Ben Lindstrom855bf3a2002-06-06 20:27:55 +000031
Damien Miller09d3e122012-10-31 08:58:58 +110032#include <errno.h>
Darren Tucker06db5842008-06-13 14:51:28 +100033#include <fcntl.h>
Darren Tucker737f7af2012-11-05 17:07:43 +110034#ifdef HAVE_PATHS_H
35# include <paths.h>
36#endif
Damien Miller9f2abc42006-07-10 20:53:08 +100037#include <pwd.h>
Damien Miller09d3e122012-10-31 08:58:58 +110038#include <signal.h>
Damien Millera7a73ee2006-08-05 11:37:59 +100039#include <stdio.h>
Damien Millerd7834352006-08-05 12:39:39 +100040#include <stdarg.h>
Damien Miller0a80ca12010-02-27 07:55:05 +110041#include <string.h>
42#include <time.h>
Darren Tuckerd9526a52008-06-14 09:01:24 +100043#include <unistd.h>
Damien Miller9f2abc42006-07-10 20:53:08 +100044
Damien Millerd7834352006-08-05 12:39:39 +100045#include "xmalloc.h"
Darren Tucker22cc7412004-12-06 22:47:41 +110046#include "ssh.h"
Ben Lindstrom855bf3a2002-06-06 20:27:55 +000047#include "ssh2.h"
Ben Lindstrom855bf3a2002-06-06 20:27:55 +000048#include "packet.h"
49#include "buffer.h"
50#include "log.h"
51#include "servconf.h"
52#include "compat.h"
Ben Lindstrom855bf3a2002-06-06 20:27:55 +000053#include "key.h"
Damien Millerd7834352006-08-05 12:39:39 +100054#include "hostfile.h"
55#include "auth.h"
Ben Lindstrom855bf3a2002-06-06 20:27:55 +000056#include "pathnames.h"
57#include "uidswap.h"
58#include "auth-options.h"
59#include "canohost.h"
Damien Millerd7834352006-08-05 12:39:39 +100060#ifdef GSSAPI
61#include "ssh-gss.h"
62#endif
Ben Lindstrom855bf3a2002-06-06 20:27:55 +000063#include "monitor_wrap.h"
Darren Tuckerf0f90982004-12-11 13:39:50 +110064#include "misc.h"
Damien Miller1aed65e2010-03-04 21:53:35 +110065#include "authfile.h"
Damien Miller30da3442010-05-10 11:58:03 +100066#include "match.h"
Ben Lindstrom855bf3a2002-06-06 20:27:55 +000067
68/* import */
69extern ServerOptions options;
70extern u_char *session_id2;
Darren Tucker502d3842003-06-28 12:38:01 +100071extern u_int session_id2_len;
Ben Lindstrom855bf3a2002-06-06 20:27:55 +000072
73static int
74userauth_pubkey(Authctxt *authctxt)
75{
76 Buffer b;
77 Key *key = NULL;
Damien Miller4ce189d2013-04-23 15:17:52 +100078 char *pkalg, *userstyle;
Ben Lindstrom855bf3a2002-06-06 20:27:55 +000079 u_char *pkblob, *sig;
80 u_int alen, blen, slen;
81 int have_sig, pktype;
82 int authenticated = 0;
83
84 if (!authctxt->valid) {
85 debug2("userauth_pubkey: disabled because of invalid user");
86 return 0;
87 }
88 have_sig = packet_get_char();
89 if (datafellows & SSH_BUG_PKAUTH) {
90 debug2("userauth_pubkey: SSH_BUG_PKAUTH");
91 /* no explicit pkalg given */
92 pkblob = packet_get_string(&blen);
93 buffer_init(&b);
94 buffer_append(&b, pkblob, blen);
95 /* so we have to extract the pkalg from the pkblob */
96 pkalg = buffer_get_string(&b, &alen);
97 buffer_free(&b);
98 } else {
99 pkalg = packet_get_string(&alen);
100 pkblob = packet_get_string(&blen);
101 }
102 pktype = key_type_from_name(pkalg);
103 if (pktype == KEY_UNSPEC) {
104 /* this is perfectly legal */
Damien Miller996acd22003-04-09 20:59:48 +1000105 logit("userauth_pubkey: unsupported public key algorithm: %s",
Ben Lindstrom855bf3a2002-06-06 20:27:55 +0000106 pkalg);
107 goto done;
108 }
109 key = key_from_blob(pkblob, blen);
110 if (key == NULL) {
111 error("userauth_pubkey: cannot decode key: %s", pkalg);
112 goto done;
113 }
114 if (key->type != pktype) {
115 error("userauth_pubkey: type mismatch for decoded key "
116 "(received %d, expected %d)", key->type, pktype);
117 goto done;
118 }
119 if (have_sig) {
120 sig = packet_get_string(&slen);
121 packet_check_eom();
122 buffer_init(&b);
123 if (datafellows & SSH_OLD_SESSIONID) {
124 buffer_append(&b, session_id2, session_id2_len);
125 } else {
126 buffer_put_string(&b, session_id2, session_id2_len);
127 }
128 /* reconstruct packet */
129 buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
Damien Miller4ce189d2013-04-23 15:17:52 +1000130 xasprintf(&userstyle, "%s%s%s", authctxt->user,
131 authctxt->style ? ":" : "",
132 authctxt->style ? authctxt->style : "");
133 buffer_put_cstring(&b, userstyle);
134 free(userstyle);
Ben Lindstrom855bf3a2002-06-06 20:27:55 +0000135 buffer_put_cstring(&b,
136 datafellows & SSH_BUG_PKSERVICE ?
137 "ssh-userauth" :
138 authctxt->service);
139 if (datafellows & SSH_BUG_PKAUTH) {
140 buffer_put_char(&b, have_sig);
141 } else {
142 buffer_put_cstring(&b, "publickey");
143 buffer_put_char(&b, have_sig);
144 buffer_put_cstring(&b, pkalg);
145 }
146 buffer_put_string(&b, pkblob, blen);
147#ifdef DEBUG_PK
148 buffer_dump(&b);
149#endif
Damien Miller20bdcd72013-07-18 16:10:09 +1000150 pubkey_auth_info(authctxt, key, NULL);
Darren Tucker74836ae2013-06-02 07:32:00 +1000151
Ben Lindstrom855bf3a2002-06-06 20:27:55 +0000152 /* test for correct signature */
153 authenticated = 0;
154 if (PRIVSEP(user_key_allowed(authctxt->pw, key)) &&
155 PRIVSEP(key_verify(key, sig, slen, buffer_ptr(&b),
Damien Millerfb1310e2004-01-21 11:02:50 +1100156 buffer_len(&b))) == 1)
Ben Lindstrom855bf3a2002-06-06 20:27:55 +0000157 authenticated = 1;
Damien Millerfb1310e2004-01-21 11:02:50 +1100158 buffer_free(&b);
Darren Tuckera627d422013-06-02 07:31:17 +1000159 free(sig);
Ben Lindstrom855bf3a2002-06-06 20:27:55 +0000160 } else {
161 debug("test whether pkalg/pkblob are acceptable");
162 packet_check_eom();
163
164 /* XXX fake reply and always send PK_OK ? */
165 /*
166 * XXX this allows testing whether a user is allowed
167 * to login: if you happen to have a valid pubkey this
168 * message is sent. the message is NEVER sent at all
169 * if a user is not allowed to login. is this an
170 * issue? -markus
171 */
172 if (PRIVSEP(user_key_allowed(authctxt->pw, key))) {
173 packet_start(SSH2_MSG_USERAUTH_PK_OK);
174 packet_put_string(pkalg, alen);
175 packet_put_string(pkblob, blen);
176 packet_send();
177 packet_write_wait();
178 authctxt->postponed = 1;
179 }
180 }
181 if (authenticated != 1)
182 auth_clear_options();
183done:
184 debug2("userauth_pubkey: authenticated %d pkalg %s", authenticated, pkalg);
185 if (key != NULL)
186 key_free(key);
Darren Tuckera627d422013-06-02 07:31:17 +1000187 free(pkalg);
188 free(pkblob);
Ben Lindstrom855bf3a2002-06-06 20:27:55 +0000189 return authenticated;
190}
191
Darren Tucker74836ae2013-06-02 07:32:00 +1000192void
Damien Miller20bdcd72013-07-18 16:10:09 +1000193pubkey_auth_info(Authctxt *authctxt, const Key *key, const char *fmt, ...)
Darren Tucker74836ae2013-06-02 07:32:00 +1000194{
Damien Miller20bdcd72013-07-18 16:10:09 +1000195 char *fp, *extra;
196 va_list ap;
197 int i;
198
199 extra = NULL;
200 if (fmt != NULL) {
201 va_start(ap, fmt);
202 i = vasprintf(&extra, fmt, ap);
203 va_end(ap);
204 if (i < 0 || extra == NULL)
205 fatal("%s: vasprintf failed", __func__);
206 }
Darren Tucker74836ae2013-06-02 07:32:00 +1000207
208 if (key_is_cert(key)) {
209 fp = key_fingerprint(key->cert->signature_key,
210 SSH_FP_MD5, SSH_FP_HEX);
Damien Miller20bdcd72013-07-18 16:10:09 +1000211 auth_info(authctxt, "%s ID %s (serial %llu) CA %s %s%s%s",
Darren Tucker74836ae2013-06-02 07:32:00 +1000212 key_type(key), key->cert->key_id,
213 (unsigned long long)key->cert->serial,
Damien Miller20bdcd72013-07-18 16:10:09 +1000214 key_type(key->cert->signature_key), fp,
215 extra == NULL ? "" : ", ", extra == NULL ? "" : extra);
Darren Tucker74836ae2013-06-02 07:32:00 +1000216 free(fp);
217 } else {
218 fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
Damien Miller20bdcd72013-07-18 16:10:09 +1000219 auth_info(authctxt, "%s %s%s%s", key_type(key), fp,
220 extra == NULL ? "" : ", ", extra == NULL ? "" : extra);
Darren Tucker74836ae2013-06-02 07:32:00 +1000221 free(fp);
222 }
Damien Miller20bdcd72013-07-18 16:10:09 +1000223 free(extra);
Darren Tucker74836ae2013-06-02 07:32:00 +1000224}
225
Damien Miller30da3442010-05-10 11:58:03 +1000226static int
227match_principals_option(const char *principal_list, struct KeyCert *cert)
228{
229 char *result;
230 u_int i;
231
232 /* XXX percent_expand() sequences for authorized_principals? */
233
234 for (i = 0; i < cert->nprincipals; i++) {
235 if ((result = match_list(cert->principals[i],
236 principal_list, NULL)) != NULL) {
237 debug3("matched principal from key options \"%.100s\"",
238 result);
Darren Tuckera627d422013-06-02 07:31:17 +1000239 free(result);
Damien Miller30da3442010-05-10 11:58:03 +1000240 return 1;
241 }
242 }
243 return 0;
244}
245
246static int
Damien Miller6018a362010-07-02 13:35:19 +1000247match_principals_file(char *file, struct passwd *pw, struct KeyCert *cert)
Damien Miller30da3442010-05-10 11:58:03 +1000248{
249 FILE *f;
Damien Miller6018a362010-07-02 13:35:19 +1000250 char line[SSH_MAX_PUBKEY_BYTES], *cp, *ep, *line_opts;
Damien Miller30da3442010-05-10 11:58:03 +1000251 u_long linenum = 0;
252 u_int i;
253
254 temporarily_use_uid(pw);
255 debug("trying authorized principals file %s", file);
256 if ((f = auth_openprincipals(file, pw, options.strict_modes)) == NULL) {
257 restore_uid();
258 return 0;
259 }
260 while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
Damien Miller6018a362010-07-02 13:35:19 +1000261 /* Skip leading whitespace. */
Damien Miller30da3442010-05-10 11:58:03 +1000262 for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
263 ;
Damien Miller6018a362010-07-02 13:35:19 +1000264 /* Skip blank and comment lines. */
265 if ((ep = strchr(cp, '#')) != NULL)
266 *ep = '\0';
267 if (!*cp || *cp == '\n')
Damien Miller30da3442010-05-10 11:58:03 +1000268 continue;
Damien Miller6018a362010-07-02 13:35:19 +1000269 /* Trim trailing whitespace. */
270 ep = cp + strlen(cp) - 1;
271 while (ep > cp && (*ep == '\n' || *ep == ' ' || *ep == '\t'))
272 *ep-- = '\0';
273 /*
274 * If the line has internal whitespace then assume it has
275 * key options.
276 */
277 line_opts = NULL;
278 if ((ep = strrchr(cp, ' ')) != NULL ||
279 (ep = strrchr(cp, '\t')) != NULL) {
280 for (; *ep == ' ' || *ep == '\t'; ep++)
Damien Miller188ea812010-12-01 11:50:14 +1100281 ;
Damien Miller6018a362010-07-02 13:35:19 +1000282 line_opts = cp;
283 cp = ep;
284 }
Damien Miller30da3442010-05-10 11:58:03 +1000285 for (i = 0; i < cert->nprincipals; i++) {
286 if (strcmp(cp, cert->principals[i]) == 0) {
Darren Tuckeraf1a60e2011-10-02 18:59:59 +1100287 debug3("matched principal \"%.100s\" "
288 "from file \"%s\" on line %lu",
Damien Miller09d3e122012-10-31 08:58:58 +1100289 cert->principals[i], file, linenum);
Damien Miller6018a362010-07-02 13:35:19 +1000290 if (auth_parse_options(pw, line_opts,
291 file, linenum) != 1)
292 continue;
Damien Miller30da3442010-05-10 11:58:03 +1000293 fclose(f);
294 restore_uid();
295 return 1;
296 }
297 }
298 }
299 fclose(f);
300 restore_uid();
301 return 0;
Damien Miller09d3e122012-10-31 08:58:58 +1100302}
Damien Miller30da3442010-05-10 11:58:03 +1000303
Damien Miller09d3e122012-10-31 08:58:58 +1100304/*
305 * Checks whether key is allowed in authorized_keys-format file,
306 * returns 1 if the key is allowed or 0 otherwise.
307 */
Ben Lindstrom855bf3a2002-06-06 20:27:55 +0000308static int
Damien Miller09d3e122012-10-31 08:58:58 +1100309check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
Ben Lindstrom855bf3a2002-06-06 20:27:55 +0000310{
Darren Tucker22cc7412004-12-06 22:47:41 +1100311 char line[SSH_MAX_PUBKEY_BYTES];
Damien Miller0a80ca12010-02-27 07:55:05 +1100312 const char *reason;
Darren Tucker33c787f2008-07-02 22:37:30 +1000313 int found_key = 0;
Ben Lindstrom855bf3a2002-06-06 20:27:55 +0000314 u_long linenum = 0;
Ben Lindstrom855bf3a2002-06-06 20:27:55 +0000315 Key *found;
316 char *fp;
317
Ben Lindstrom855bf3a2002-06-06 20:27:55 +0000318 found_key = 0;
Ben Lindstrom855bf3a2002-06-06 20:27:55 +0000319
Darren Tucker74836ae2013-06-02 07:32:00 +1000320 found = NULL;
Darren Tucker22cc7412004-12-06 22:47:41 +1100321 while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
Darren Tucker3f9fdc72004-06-22 12:56:01 +1000322 char *cp, *key_options = NULL;
Darren Tucker74836ae2013-06-02 07:32:00 +1000323 if (found != NULL)
324 key_free(found);
325 found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);
Damien Miller0a80ca12010-02-27 07:55:05 +1100326 auth_clear_options();
327
Ben Lindstrom855bf3a2002-06-06 20:27:55 +0000328 /* Skip leading whitespace, empty and comment lines. */
329 for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
330 ;
331 if (!*cp || *cp == '\n' || *cp == '#')
332 continue;
333
334 if (key_read(found, &cp) != 1) {
335 /* no key? check if there are options for this key */
336 int quoted = 0;
337 debug2("user_key_allowed: check options: '%s'", cp);
Darren Tucker3f9fdc72004-06-22 12:56:01 +1000338 key_options = cp;
Ben Lindstrom855bf3a2002-06-06 20:27:55 +0000339 for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) {
340 if (*cp == '\\' && cp[1] == '"')
341 cp++; /* Skip both */
342 else if (*cp == '"')
343 quoted = !quoted;
344 }
345 /* Skip remaining whitespace. */
346 for (; *cp == ' ' || *cp == '\t'; cp++)
347 ;
348 if (key_read(found, &cp) != 1) {
349 debug2("user_key_allowed: advance: '%s'", cp);
350 /* still no key? advance to next line*/
351 continue;
352 }
353 }
Damien Miller4e270b02010-04-16 15:56:21 +1000354 if (key_is_cert(key)) {
Damien Miller0a80ca12010-02-27 07:55:05 +1100355 if (!key_equal(found, key->cert->signature_key))
356 continue;
Damien Miller84399552010-05-21 14:58:12 +1000357 if (auth_parse_options(pw, key_options, file,
358 linenum) != 1)
359 continue;
360 if (!key_is_cert_authority)
361 continue;
Damien Miller0a80ca12010-02-27 07:55:05 +1100362 fp = key_fingerprint(found, SSH_FP_MD5,
363 SSH_FP_HEX);
Damien Millere513a912010-03-22 05:51:21 +1100364 debug("matching CA found: file %s, line %lu, %s %s",
365 file, linenum, key_type(found), fp);
Damien Miller30da3442010-05-10 11:58:03 +1000366 /*
367 * If the user has specified a list of principals as
368 * a key option, then prefer that list to matching
369 * their username in the certificate principals list.
370 */
371 if (authorized_principals != NULL &&
372 !match_principals_option(authorized_principals,
373 key->cert)) {
374 reason = "Certificate does not contain an "
375 "authorized principal";
376 fail_reason:
Darren Tuckera627d422013-06-02 07:31:17 +1000377 free(fp);
Damien Miller0a80ca12010-02-27 07:55:05 +1100378 error("%s", reason);
379 auth_debug_add("%s", reason);
380 continue;
381 }
Damien Miller30da3442010-05-10 11:58:03 +1000382 if (key_cert_check_authority(key, 0, 0,
383 authorized_principals == NULL ? pw->pw_name : NULL,
384 &reason) != 0)
385 goto fail_reason;
Damien Miller4e270b02010-04-16 15:56:21 +1000386 if (auth_cert_options(key, pw) != 0) {
Darren Tuckera627d422013-06-02 07:31:17 +1000387 free(fp);
Damien Miller0a80ca12010-02-27 07:55:05 +1100388 continue;
Damien Millere513a912010-03-22 05:51:21 +1100389 }
390 verbose("Accepted certificate ID \"%s\" "
391 "signed by %s CA %s via %s", key->cert->key_id,
392 key_type(found), fp, file);
Darren Tuckera627d422013-06-02 07:31:17 +1000393 free(fp);
Damien Miller0a80ca12010-02-27 07:55:05 +1100394 found_key = 1;
395 break;
Damien Miller84399552010-05-21 14:58:12 +1000396 } else if (key_equal(found, key)) {
397 if (auth_parse_options(pw, key_options, file,
398 linenum) != 1)
399 continue;
400 if (key_is_cert_authority)
401 continue;
Ben Lindstrom855bf3a2002-06-06 20:27:55 +0000402 found_key = 1;
Ben Lindstrom855bf3a2002-06-06 20:27:55 +0000403 fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
Darren Tucker74836ae2013-06-02 07:32:00 +1000404 debug("matching key found: file %s, line %lu %s %s",
405 file, linenum, key_type(found), fp);
Darren Tuckera627d422013-06-02 07:31:17 +1000406 free(fp);
Ben Lindstrom855bf3a2002-06-06 20:27:55 +0000407 break;
408 }
409 }
Darren Tucker74836ae2013-06-02 07:32:00 +1000410 if (found != NULL)
411 key_free(found);
Ben Lindstrom855bf3a2002-06-06 20:27:55 +0000412 if (!found_key)
413 debug2("key not found");
414 return found_key;
415}
416
Damien Miller1aed65e2010-03-04 21:53:35 +1100417/* Authenticate a certificate key against TrustedUserCAKeys */
418static int
419user_cert_trusted_ca(struct passwd *pw, Key *key)
420{
Damien Miller30da3442010-05-10 11:58:03 +1000421 char *ca_fp, *principals_file = NULL;
Damien Miller1aed65e2010-03-04 21:53:35 +1100422 const char *reason;
423 int ret = 0;
424
425 if (!key_is_cert(key) || options.trusted_user_ca_keys == NULL)
426 return 0;
427
Damien Millere513a912010-03-22 05:51:21 +1100428 ca_fp = key_fingerprint(key->cert->signature_key,
429 SSH_FP_MD5, SSH_FP_HEX);
Damien Miller1aed65e2010-03-04 21:53:35 +1100430
431 if (key_in_file(key->cert->signature_key,
432 options.trusted_user_ca_keys, 1) != 1) {
433 debug2("%s: CA %s %s is not listed in %s", __func__,
434 key_type(key->cert->signature_key), ca_fp,
435 options.trusted_user_ca_keys);
436 goto out;
437 }
Damien Miller30da3442010-05-10 11:58:03 +1000438 /*
439 * If AuthorizedPrincipals is in use, then compare the certificate
440 * principals against the names in that file rather than matching
441 * against the username.
442 */
443 if ((principals_file = authorized_principals_file(pw)) != NULL) {
444 if (!match_principals_file(principals_file, pw, key->cert)) {
445 reason = "Certificate does not contain an "
446 "authorized principal";
447 fail_reason:
448 error("%s", reason);
449 auth_debug_add("%s", reason);
450 goto out;
451 }
Damien Miller1aed65e2010-03-04 21:53:35 +1100452 }
Damien Miller30da3442010-05-10 11:58:03 +1000453 if (key_cert_check_authority(key, 0, 1,
454 principals_file == NULL ? pw->pw_name : NULL, &reason) != 0)
455 goto fail_reason;
Damien Miller4e270b02010-04-16 15:56:21 +1000456 if (auth_cert_options(key, pw) != 0)
Damien Miller1aed65e2010-03-04 21:53:35 +1100457 goto out;
458
Damien Millere513a912010-03-22 05:51:21 +1100459 verbose("Accepted certificate ID \"%s\" signed by %s CA %s via %s",
460 key->cert->key_id, key_type(key->cert->signature_key), ca_fp,
461 options.trusted_user_ca_keys);
Damien Miller1aed65e2010-03-04 21:53:35 +1100462 ret = 1;
463
464 out:
Darren Tuckera627d422013-06-02 07:31:17 +1000465 free(principals_file);
466 free(ca_fp);
Damien Miller1aed65e2010-03-04 21:53:35 +1100467 return ret;
468}
469
Damien Miller09d3e122012-10-31 08:58:58 +1100470/*
471 * Checks whether key is allowed in file.
472 * returns 1 if the key is allowed or 0 otherwise.
473 */
474static int
475user_key_allowed2(struct passwd *pw, Key *key, char *file)
476{
477 FILE *f;
478 int found_key = 0;
479
480 /* Temporarily use the user's uid. */
481 temporarily_use_uid(pw);
482
483 debug("trying public key file %s", file);
484 if ((f = auth_openkeyfile(file, pw, options.strict_modes)) != NULL) {
485 found_key = check_authkeys_file(f, file, key, pw);
486 fclose(f);
487 }
488
489 restore_uid();
490 return found_key;
491}
492
493/*
494 * Checks whether key is allowed in output of command.
495 * returns 1 if the key is allowed or 0 otherwise.
496 */
497static int
498user_key_command_allowed2(struct passwd *user_pw, Key *key)
499{
500 FILE *f;
501 int ok, found_key = 0;
502 struct passwd *pw;
503 struct stat st;
504 int status, devnull, p[2], i;
505 pid_t pid;
Damien Millerd0d10992012-11-04 22:23:14 +1100506 char *username, errmsg[512];
Damien Miller09d3e122012-10-31 08:58:58 +1100507
508 if (options.authorized_keys_command == NULL ||
509 options.authorized_keys_command[0] != '/')
510 return 0;
511
Damien Millerd0d10992012-11-04 22:23:14 +1100512 if (options.authorized_keys_command_user == NULL) {
513 error("No user for AuthorizedKeysCommand specified, skipping");
514 return 0;
Damien Miller09d3e122012-10-31 08:58:58 +1100515 }
516
Damien Millerd0d10992012-11-04 22:23:14 +1100517 username = percent_expand(options.authorized_keys_command_user,
518 "u", user_pw->pw_name, (char *)NULL);
519 pw = getpwnam(username);
520 if (pw == NULL) {
Damien Miller4018dc02013-02-15 10:28:55 +1100521 error("AuthorizedKeysCommandUser \"%s\" not found: %s",
522 username, strerror(errno));
Damien Millerd0d10992012-11-04 22:23:14 +1100523 free(username);
524 return 0;
525 }
526 free(username);
527
Damien Miller09d3e122012-10-31 08:58:58 +1100528 temporarily_use_uid(pw);
529
530 if (stat(options.authorized_keys_command, &st) < 0) {
531 error("Could not stat AuthorizedKeysCommand \"%s\": %s",
532 options.authorized_keys_command, strerror(errno));
533 goto out;
534 }
535 if (auth_secure_path(options.authorized_keys_command, &st, NULL, 0,
536 errmsg, sizeof(errmsg)) != 0) {
537 error("Unsafe AuthorizedKeysCommand: %s", errmsg);
538 goto out;
539 }
540
541 if (pipe(p) != 0) {
542 error("%s: pipe: %s", __func__, strerror(errno));
543 goto out;
544 }
545
Damien Miller1e854692012-11-14 19:04:02 +1100546 debug3("Running AuthorizedKeysCommand: \"%s %s\" as \"%s\"",
547 options.authorized_keys_command, user_pw->pw_name, pw->pw_name);
Damien Miller09d3e122012-10-31 08:58:58 +1100548
549 /*
550 * Don't want to call this in the child, where it can fatal() and
551 * run cleanup_exit() code.
552 */
553 restore_uid();
554
555 switch ((pid = fork())) {
556 case -1: /* error */
557 error("%s: fork: %s", __func__, strerror(errno));
558 close(p[0]);
559 close(p[1]);
560 return 0;
561 case 0: /* child */
562 for (i = 0; i < NSIG; i++)
563 signal(i, SIG_DFL);
564
Damien Miller1e854692012-11-14 19:04:02 +1100565 if ((devnull = open(_PATH_DEVNULL, O_RDWR)) == -1) {
566 error("%s: open %s: %s", __func__, _PATH_DEVNULL,
567 strerror(errno));
568 _exit(1);
569 }
570 /* Keep stderr around a while longer to catch errors */
571 if (dup2(devnull, STDIN_FILENO) == -1 ||
572 dup2(p[1], STDOUT_FILENO) == -1) {
573 error("%s: dup2: %s", __func__, strerror(errno));
574 _exit(1);
575 }
Damien Millerd0d10992012-11-04 22:23:14 +1100576 closefrom(STDERR_FILENO + 1);
Damien Miller1e854692012-11-14 19:04:02 +1100577
Damien Miller09d3e122012-10-31 08:58:58 +1100578 /* Don't use permanently_set_uid() here to avoid fatal() */
579 if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) != 0) {
580 error("setresgid %u: %s", (u_int)pw->pw_gid,
581 strerror(errno));
582 _exit(1);
583 }
584 if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) != 0) {
585 error("setresuid %u: %s", (u_int)pw->pw_uid,
586 strerror(errno));
587 _exit(1);
588 }
Damien Miller1e854692012-11-14 19:04:02 +1100589 /* stdin is pointed to /dev/null at this point */
590 if (dup2(STDIN_FILENO, STDERR_FILENO) == -1) {
Damien Miller09d3e122012-10-31 08:58:58 +1100591 error("%s: dup2: %s", __func__, strerror(errno));
592 _exit(1);
593 }
Damien Miller09d3e122012-10-31 08:58:58 +1100594
595 execl(options.authorized_keys_command,
Damien Miller1e854692012-11-14 19:04:02 +1100596 options.authorized_keys_command, user_pw->pw_name, NULL);
Damien Miller09d3e122012-10-31 08:58:58 +1100597
598 error("AuthorizedKeysCommand %s exec failed: %s",
599 options.authorized_keys_command, strerror(errno));
600 _exit(127);
601 default: /* parent */
602 break;
603 }
604
605 temporarily_use_uid(pw);
606
607 close(p[1]);
608 if ((f = fdopen(p[0], "r")) == NULL) {
609 error("%s: fdopen: %s", __func__, strerror(errno));
610 close(p[0]);
611 /* Don't leave zombie child */
612 kill(pid, SIGTERM);
613 while (waitpid(pid, NULL, 0) == -1 && errno == EINTR)
614 ;
615 goto out;
616 }
617 ok = check_authkeys_file(f, options.authorized_keys_command, key, pw);
618 fclose(f);
619
620 while (waitpid(pid, &status, 0) == -1) {
621 if (errno != EINTR) {
622 error("%s: waitpid: %s", __func__, strerror(errno));
623 goto out;
624 }
625 }
626 if (WIFSIGNALED(status)) {
627 error("AuthorizedKeysCommand %s exited on signal %d",
628 options.authorized_keys_command, WTERMSIG(status));
629 goto out;
630 } else if (WEXITSTATUS(status) != 0) {
631 error("AuthorizedKeysCommand %s returned status %d",
632 options.authorized_keys_command, WEXITSTATUS(status));
633 goto out;
634 }
635 found_key = ok;
636 out:
637 restore_uid();
638 return found_key;
639}
640
641/*
642 * Check whether key authenticates and authorises the user.
643 */
Ben Lindstrom855bf3a2002-06-06 20:27:55 +0000644int
645user_key_allowed(struct passwd *pw, Key *key)
646{
Damien Millerd8478b62011-05-29 21:39:36 +1000647 u_int success, i;
Ben Lindstrom855bf3a2002-06-06 20:27:55 +0000648 char *file;
649
Damien Miller1aed65e2010-03-04 21:53:35 +1100650 if (auth_key_is_revoked(key))
651 return 0;
652 if (key_is_cert(key) && auth_key_is_revoked(key->cert->signature_key))
653 return 0;
654
655 success = user_cert_trusted_ca(pw, key);
656 if (success)
657 return success;
658
Damien Miller09d3e122012-10-31 08:58:58 +1100659 success = user_key_command_allowed2(pw, key);
660 if (success > 0)
661 return success;
662
Damien Millerd8478b62011-05-29 21:39:36 +1000663 for (i = 0; !success && i < options.num_authkeys_files; i++) {
Damien Miller09d3e122012-10-31 08:58:58 +1100664
665 if (strcasecmp(options.authorized_keys_files[i], "none") == 0)
666 continue;
Damien Millerd8478b62011-05-29 21:39:36 +1000667 file = expand_authorized_keys(
668 options.authorized_keys_files[i], pw);
Damien Miller09d3e122012-10-31 08:58:58 +1100669
Damien Millerd8478b62011-05-29 21:39:36 +1000670 success = user_key_allowed2(pw, key, file);
Darren Tuckera627d422013-06-02 07:31:17 +1000671 free(file);
Damien Millerd8478b62011-05-29 21:39:36 +1000672 }
Ben Lindstrom855bf3a2002-06-06 20:27:55 +0000673
Ben Lindstrom855bf3a2002-06-06 20:27:55 +0000674 return success;
675}
676
677Authmethod method_pubkey = {
678 "publickey",
679 userauth_pubkey,
680 &options.pubkey_authentication
681};