upstream: allow glob(3) patterns for sshd_config AuthorizedKeysFile
and AuthorizedPrincipalsFile directives; bz2755 ok dtucker OpenBSD-Commit-ID: 3e3e05a17fca39bba78b993a07b44664519adf7f
committed by
Damien Miller
parent
9a9ffee6e1
commit
85f0c1e75e
@@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: auth2-pubkey.c,v 1.120 2024/05/17 00:30:23 djm Exp $ */
|
||||
/* $OpenBSD: auth2-pubkey.c,v 1.121 2024/12/06 16:24:27 djm Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
||||
* Copyright (c) 2010 Damien Miller. All rights reserved.
|
||||
@@ -41,6 +41,11 @@
|
||||
#include <time.h>
|
||||
#include <unistd.h>
|
||||
#include <limits.h>
|
||||
#ifdef USE_SYSTEM_GLOB
|
||||
# include <glob.h>
|
||||
#else
|
||||
# include "openbsd-compat/glob.h"
|
||||
#endif
|
||||
|
||||
#include "xmalloc.h"
|
||||
#include "ssh.h"
|
||||
@@ -319,20 +324,51 @@ match_principals_file(struct passwd *pw, char *file,
|
||||
struct sshkey_cert *cert, struct sshauthopt **authoptsp)
|
||||
{
|
||||
FILE *f;
|
||||
int success;
|
||||
int r, success = 0;
|
||||
size_t i;
|
||||
glob_t gl;
|
||||
struct sshauthopt *opts = NULL;
|
||||
|
||||
if (authoptsp != NULL)
|
||||
*authoptsp = NULL;
|
||||
|
||||
temporarily_use_uid(pw);
|
||||
debug("trying authorized principals file %s", file);
|
||||
if ((f = auth_openprincipals(file, pw, options.strict_modes)) == NULL) {
|
||||
restore_uid();
|
||||
return 0;
|
||||
}
|
||||
success = auth_process_principals(f, file, cert, authoptsp);
|
||||
fclose(f);
|
||||
r = glob(file, 0, NULL, &gl);
|
||||
restore_uid();
|
||||
if (r != 0) {
|
||||
if (r != GLOB_NOMATCH) {
|
||||
logit_f("glob \"%s\" failed", file);
|
||||
}
|
||||
return 0;
|
||||
} else if (gl.gl_pathc > INT_MAX) {
|
||||
fatal_f("too many glob results for \"%s\"", file);
|
||||
} else if (gl.gl_pathc > 1) {
|
||||
debug2_f("glob \"%s\" returned %zu matches", file,
|
||||
gl.gl_pathc);
|
||||
}
|
||||
for (i = 0; !success && i < gl.gl_pathc; i++) {
|
||||
temporarily_use_uid(pw);
|
||||
debug("trying authorized principals file %s", file);
|
||||
if ((f = auth_openprincipals(gl.gl_pathv[i], pw,
|
||||
options.strict_modes)) == NULL) {
|
||||
restore_uid();
|
||||
continue;
|
||||
}
|
||||
success = auth_process_principals(f, gl.gl_pathv[i],
|
||||
cert, &opts);
|
||||
fclose(f);
|
||||
restore_uid();
|
||||
if (!success) {
|
||||
sshauthopt_free(opts);
|
||||
opts = NULL;
|
||||
}
|
||||
}
|
||||
globfree(&gl);
|
||||
if (success && authoptsp != NULL) {
|
||||
*authoptsp = opts;
|
||||
opts = NULL;
|
||||
}
|
||||
sshauthopt_free(opts);
|
||||
return success;
|
||||
}
|
||||
|
||||
@@ -753,7 +789,7 @@ int
|
||||
user_key_allowed(struct ssh *ssh, struct passwd *pw, struct sshkey *key,
|
||||
int auth_attempt, struct sshauthopt **authoptsp)
|
||||
{
|
||||
u_int success = 0, i;
|
||||
u_int success = 0, i, j;
|
||||
char *file, *conn_id;
|
||||
struct sshauthopt *opts = NULL;
|
||||
const char *rdomain, *remote_ip, *remote_host;
|
||||
@@ -776,17 +812,37 @@ user_key_allowed(struct ssh *ssh, struct passwd *pw, struct sshkey *key,
|
||||
remote_ip, ssh_remote_port(ssh));
|
||||
|
||||
for (i = 0; !success && i < options.num_authkeys_files; i++) {
|
||||
int r;
|
||||
glob_t gl;
|
||||
|
||||
if (strcasecmp(options.authorized_keys_files[i], "none") == 0)
|
||||
continue;
|
||||
file = expand_authorized_keys(
|
||||
options.authorized_keys_files[i], pw);
|
||||
success = user_key_allowed2(pw, key, file,
|
||||
remote_ip, remote_host, &opts);
|
||||
free(file);
|
||||
if (!success) {
|
||||
sshauthopt_free(opts);
|
||||
opts = NULL;
|
||||
temporarily_use_uid(pw);
|
||||
r = glob(file, 0, NULL, &gl);
|
||||
restore_uid();
|
||||
if (r != 0) {
|
||||
if (r != GLOB_NOMATCH) {
|
||||
logit_f("glob \"%s\" failed", file);
|
||||
}
|
||||
continue;
|
||||
} else if (gl.gl_pathc > INT_MAX) {
|
||||
fatal_f("too many glob results for \"%s\"", file);
|
||||
} else if (gl.gl_pathc > 1) {
|
||||
debug2_f("glob \"%s\" returned %zu matches", file,
|
||||
gl.gl_pathc);
|
||||
}
|
||||
for (j = 0; !success && j < gl.gl_pathc; j++) {
|
||||
success = user_key_allowed2(pw, key, gl.gl_pathv[j],
|
||||
remote_ip, remote_host, &opts);
|
||||
if (!success) {
|
||||
sshauthopt_free(opts);
|
||||
opts = NULL;
|
||||
}
|
||||
}
|
||||
free(file);
|
||||
globfree(&gl);
|
||||
}
|
||||
if (success)
|
||||
goto out;
|
||||
|
||||
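Review bot: The `file` string returned by `expand_authorized_keys()` leaks whenever `glob()` returns non-zero, because the `continue` inside the `if (r != 0)` branch jumps past the `free(file)` that this change moved to the bottom of the loop body; the removed code freed it unconditionally right after `user_key_allowed2()`. `GLOB_NOMATCH` is presumably the common outcome for any configured file that simply does not exist, so this would leak once per such entry on every public-key attempt handled by this process. The fix is to release it before leaving the iteration: `if (r != GLOB_NOMATCH) logit_f("glob \"%s\" failed", file);` followed by `free(file); continue;`. Separately, if a token such as `%u` can expand to text containing glob metacharacters, the expanded path may need escaping before it is handed to `glob()` — worth confirming rather than assuming. `user_key_allowed()` starts in the preceding hunk and its `out:` label lies beyond this one.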
@@ -33,8 +33,8 @@
|
||||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $OpenBSD: sshd_config.5,v 1.379 2024/12/05 22:45:03 naddy Exp $
|
||||
.Dd $Mdocdate: December 5 2024 $
|
||||
.\" $OpenBSD: sshd_config.5,v 1.380 2024/12/06 16:24:27 djm Exp $
|
||||
.Dd $Mdocdate: December 6 2024 $
|
||||
.Dt SSHD_CONFIG 5
|
||||
.Os
|
||||
.Sh NAME
|
||||
@@ -279,7 +279,7 @@ The format is described in the AUTHORIZED_KEYS FILE FORMAT section of
|
||||
.Xr sshd 8 .
|
||||
Arguments to
|
||||
.Cm AuthorizedKeysFile
|
||||
accept the tokens described in the
|
||||
may include wildcards and accept the tokens described in the
|
||||
.Sx TOKENS
|
||||
section.
|
||||
After expansion,
|
||||
@@ -348,7 +348,7 @@ are ignored.
|
||||
.Pp
|
||||
Arguments to
|
||||
.Cm AuthorizedPrincipalsFile
|
||||
accept the tokens described in the
|
||||
may include wildcards and accept the tokens described in the
|
||||
.Sx TOKENS
|
||||
section.
|
||||
After expansion,
|
||||
|
||||