1*7c478bd9Sstevel@tonic-gate /* 2*7c478bd9Sstevel@tonic-gate * Copyright (c) 2000 Markus Friedl. All rights reserved. 3*7c478bd9Sstevel@tonic-gate * 4*7c478bd9Sstevel@tonic-gate * Redistribution and use in source and binary forms, with or without 5*7c478bd9Sstevel@tonic-gate * modification, are permitted provided that the following conditions 6*7c478bd9Sstevel@tonic-gate * are met: 7*7c478bd9Sstevel@tonic-gate * 1. Redistributions of source code must retain the above copyright 8*7c478bd9Sstevel@tonic-gate * notice, this list of conditions and the following disclaimer. 9*7c478bd9Sstevel@tonic-gate * 2. Redistributions in binary form must reproduce the above copyright 10*7c478bd9Sstevel@tonic-gate * notice, this list of conditions and the following disclaimer in the 11*7c478bd9Sstevel@tonic-gate * documentation and/or other materials provided with the distribution. 12*7c478bd9Sstevel@tonic-gate * 13*7c478bd9Sstevel@tonic-gate * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 14*7c478bd9Sstevel@tonic-gate * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 15*7c478bd9Sstevel@tonic-gate * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 16*7c478bd9Sstevel@tonic-gate * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 17*7c478bd9Sstevel@tonic-gate * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 18*7c478bd9Sstevel@tonic-gate * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 19*7c478bd9Sstevel@tonic-gate * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 20*7c478bd9Sstevel@tonic-gate * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 21*7c478bd9Sstevel@tonic-gate * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 22*7c478bd9Sstevel@tonic-gate * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 23*7c478bd9Sstevel@tonic-gate */ 24*7c478bd9Sstevel@tonic-gate /* 25*7c478bd9Sstevel@tonic-gate * Copyright 2004 Sun Microsystems, Inc. All rights reserved. 26*7c478bd9Sstevel@tonic-gate * Use is subject to license terms. 27*7c478bd9Sstevel@tonic-gate */ 28*7c478bd9Sstevel@tonic-gate 29*7c478bd9Sstevel@tonic-gate #include "includes.h" 30*7c478bd9Sstevel@tonic-gate RCSID("$OpenBSD: auth2-pubkey.c,v 1.2 2002/05/31 11:35:15 markus Exp $"); 31*7c478bd9Sstevel@tonic-gate 32*7c478bd9Sstevel@tonic-gate #pragma ident "%Z%%M% %I% %E% SMI" 33*7c478bd9Sstevel@tonic-gate 34*7c478bd9Sstevel@tonic-gate #include "ssh2.h" 35*7c478bd9Sstevel@tonic-gate #include "xmalloc.h" 36*7c478bd9Sstevel@tonic-gate #include "packet.h" 37*7c478bd9Sstevel@tonic-gate #include "buffer.h" 38*7c478bd9Sstevel@tonic-gate #include "log.h" 39*7c478bd9Sstevel@tonic-gate #include "servconf.h" 40*7c478bd9Sstevel@tonic-gate #include "compat.h" 41*7c478bd9Sstevel@tonic-gate #include "bufaux.h" 42*7c478bd9Sstevel@tonic-gate #include "auth.h" 43*7c478bd9Sstevel@tonic-gate #include "key.h" 44*7c478bd9Sstevel@tonic-gate #include "pathnames.h" 45*7c478bd9Sstevel@tonic-gate #include "uidswap.h" 46*7c478bd9Sstevel@tonic-gate #include "auth-options.h" 47*7c478bd9Sstevel@tonic-gate #include "canohost.h" 48*7c478bd9Sstevel@tonic-gate #include "monitor_wrap.h" 49*7c478bd9Sstevel@tonic-gate 50*7c478bd9Sstevel@tonic-gate #ifdef USE_PAM 51*7c478bd9Sstevel@tonic-gate #include <security/pam_appl.h> 52*7c478bd9Sstevel@tonic-gate #include "auth-pam.h" 53*7c478bd9Sstevel@tonic-gate #endif /* USE_PAM */ 54*7c478bd9Sstevel@tonic-gate 55*7c478bd9Sstevel@tonic-gate /* import */ 56*7c478bd9Sstevel@tonic-gate extern ServerOptions options; 57*7c478bd9Sstevel@tonic-gate extern u_char *session_id2; 58*7c478bd9Sstevel@tonic-gate extern int session_id2_len; 59*7c478bd9Sstevel@tonic-gate 60*7c478bd9Sstevel@tonic-gate static void 61*7c478bd9Sstevel@tonic-gate userauth_pubkey(Authctxt *authctxt) 62*7c478bd9Sstevel@tonic-gate { 63*7c478bd9Sstevel@tonic-gate Buffer b; 64*7c478bd9Sstevel@tonic-gate Key *key = NULL; 65*7c478bd9Sstevel@tonic-gate char *pkalg; 66*7c478bd9Sstevel@tonic-gate u_char *pkblob, *sig; 67*7c478bd9Sstevel@tonic-gate u_int alen, blen, slen; 68*7c478bd9Sstevel@tonic-gate int have_sig, pktype; 69*7c478bd9Sstevel@tonic-gate int authenticated = 0; 70*7c478bd9Sstevel@tonic-gate 71*7c478bd9Sstevel@tonic-gate if (!authctxt || !authctxt->method) 72*7c478bd9Sstevel@tonic-gate fatal("%s: missing context", __func__); 73*7c478bd9Sstevel@tonic-gate 74*7c478bd9Sstevel@tonic-gate have_sig = packet_get_char(); 75*7c478bd9Sstevel@tonic-gate if (datafellows & SSH_BUG_PKAUTH) { 76*7c478bd9Sstevel@tonic-gate debug2("userauth_pubkey: SSH_BUG_PKAUTH"); 77*7c478bd9Sstevel@tonic-gate /* no explicit pkalg given */ 78*7c478bd9Sstevel@tonic-gate pkblob = packet_get_string(&blen); 79*7c478bd9Sstevel@tonic-gate buffer_init(&b); 80*7c478bd9Sstevel@tonic-gate buffer_append(&b, pkblob, blen); 81*7c478bd9Sstevel@tonic-gate /* so we have to extract the pkalg from the pkblob */ 82*7c478bd9Sstevel@tonic-gate pkalg = buffer_get_string(&b, &alen); 83*7c478bd9Sstevel@tonic-gate buffer_free(&b); 84*7c478bd9Sstevel@tonic-gate } else { 85*7c478bd9Sstevel@tonic-gate pkalg = packet_get_string(&alen); 86*7c478bd9Sstevel@tonic-gate pkblob = packet_get_string(&blen); 87*7c478bd9Sstevel@tonic-gate } 88*7c478bd9Sstevel@tonic-gate pktype = key_type_from_name(pkalg); 89*7c478bd9Sstevel@tonic-gate if (pktype == KEY_UNSPEC) { 90*7c478bd9Sstevel@tonic-gate /* this is perfectly legal */ 91*7c478bd9Sstevel@tonic-gate log("userauth_pubkey: unsupported public key algorithm: %s", 92*7c478bd9Sstevel@tonic-gate pkalg); 93*7c478bd9Sstevel@tonic-gate goto done; 94*7c478bd9Sstevel@tonic-gate } 95*7c478bd9Sstevel@tonic-gate key = key_from_blob(pkblob, blen); 96*7c478bd9Sstevel@tonic-gate if (key == NULL) { 97*7c478bd9Sstevel@tonic-gate error("userauth_pubkey: cannot decode key: %s", pkalg); 98*7c478bd9Sstevel@tonic-gate goto done; 99*7c478bd9Sstevel@tonic-gate } 100*7c478bd9Sstevel@tonic-gate if (key->type != pktype) { 101*7c478bd9Sstevel@tonic-gate error("userauth_pubkey: type mismatch for decoded key " 102*7c478bd9Sstevel@tonic-gate "(received %d, expected %d)", key->type, pktype); 103*7c478bd9Sstevel@tonic-gate goto done; 104*7c478bd9Sstevel@tonic-gate } 105*7c478bd9Sstevel@tonic-gate 106*7c478bd9Sstevel@tonic-gate /* Detect and count abandonment */ 107*7c478bd9Sstevel@tonic-gate if (authctxt->method->method_data) { 108*7c478bd9Sstevel@tonic-gate Key *prev_key; 109*7c478bd9Sstevel@tonic-gate unsigned char *prev_pkblob; 110*7c478bd9Sstevel@tonic-gate int prev_blen; 111*7c478bd9Sstevel@tonic-gate 112*7c478bd9Sstevel@tonic-gate /* 113*7c478bd9Sstevel@tonic-gate * Check for earlier test of a key that was allowed but 114*7c478bd9Sstevel@tonic-gate * not followed up with a pubkey req for the same pubkey 115*7c478bd9Sstevel@tonic-gate * and with a signature. 116*7c478bd9Sstevel@tonic-gate */ 117*7c478bd9Sstevel@tonic-gate prev_key = authctxt->method->method_data; 118*7c478bd9Sstevel@tonic-gate if ((prev_blen = key_to_blob(prev_key, 119*7c478bd9Sstevel@tonic-gate &prev_pkblob, NULL))) { 120*7c478bd9Sstevel@tonic-gate if (prev_blen != blen || 121*7c478bd9Sstevel@tonic-gate memcmp(prev_pkblob, pkblob, blen) != 0) { 122*7c478bd9Sstevel@tonic-gate authctxt->method->abandons++; 123*7c478bd9Sstevel@tonic-gate authctxt->method->attempts++; 124*7c478bd9Sstevel@tonic-gate } 125*7c478bd9Sstevel@tonic-gate } 126*7c478bd9Sstevel@tonic-gate key_free(prev_key); 127*7c478bd9Sstevel@tonic-gate authctxt->method->method_data = NULL; 128*7c478bd9Sstevel@tonic-gate } 129*7c478bd9Sstevel@tonic-gate 130*7c478bd9Sstevel@tonic-gate if (have_sig) { 131*7c478bd9Sstevel@tonic-gate sig = packet_get_string(&slen); 132*7c478bd9Sstevel@tonic-gate packet_check_eom(); 133*7c478bd9Sstevel@tonic-gate buffer_init(&b); 134*7c478bd9Sstevel@tonic-gate if (datafellows & SSH_OLD_SESSIONID) { 135*7c478bd9Sstevel@tonic-gate buffer_append(&b, session_id2, session_id2_len); 136*7c478bd9Sstevel@tonic-gate } else { 137*7c478bd9Sstevel@tonic-gate buffer_put_string(&b, session_id2, session_id2_len); 138*7c478bd9Sstevel@tonic-gate } 139*7c478bd9Sstevel@tonic-gate /* reconstruct packet */ 140*7c478bd9Sstevel@tonic-gate buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST); 141*7c478bd9Sstevel@tonic-gate buffer_put_cstring(&b, authctxt->user); 142*7c478bd9Sstevel@tonic-gate buffer_put_cstring(&b, 143*7c478bd9Sstevel@tonic-gate datafellows & SSH_BUG_PKSERVICE ? 144*7c478bd9Sstevel@tonic-gate "ssh-userauth" : 145*7c478bd9Sstevel@tonic-gate authctxt->service); 146*7c478bd9Sstevel@tonic-gate if (datafellows & SSH_BUG_PKAUTH) { 147*7c478bd9Sstevel@tonic-gate buffer_put_char(&b, have_sig); 148*7c478bd9Sstevel@tonic-gate } else { 149*7c478bd9Sstevel@tonic-gate buffer_put_cstring(&b, "publickey"); 150*7c478bd9Sstevel@tonic-gate buffer_put_char(&b, have_sig); 151*7c478bd9Sstevel@tonic-gate buffer_put_cstring(&b, pkalg); 152*7c478bd9Sstevel@tonic-gate } 153*7c478bd9Sstevel@tonic-gate buffer_put_string(&b, pkblob, blen); 154*7c478bd9Sstevel@tonic-gate #ifdef DEBUG_PK 155*7c478bd9Sstevel@tonic-gate buffer_dump(&b); 156*7c478bd9Sstevel@tonic-gate #endif 157*7c478bd9Sstevel@tonic-gate /* test for correct signature */ 158*7c478bd9Sstevel@tonic-gate if (PRIVSEP(user_key_allowed(authctxt->pw, key)) && 159*7c478bd9Sstevel@tonic-gate PRIVSEP(key_verify(key, sig, slen, buffer_ptr(&b), 160*7c478bd9Sstevel@tonic-gate buffer_len(&b))) == 1) 161*7c478bd9Sstevel@tonic-gate authenticated = 1; 162*7c478bd9Sstevel@tonic-gate authctxt->method->postponed = 0; 163*7c478bd9Sstevel@tonic-gate buffer_clear(&b); 164*7c478bd9Sstevel@tonic-gate xfree(sig); 165*7c478bd9Sstevel@tonic-gate } else { 166*7c478bd9Sstevel@tonic-gate debug("test whether pkalg/pkblob are acceptable"); 167*7c478bd9Sstevel@tonic-gate packet_check_eom(); 168*7c478bd9Sstevel@tonic-gate 169*7c478bd9Sstevel@tonic-gate /* XXX fake reply and always send PK_OK ? */ 170*7c478bd9Sstevel@tonic-gate /* 171*7c478bd9Sstevel@tonic-gate * XXX this allows testing whether a user is allowed 172*7c478bd9Sstevel@tonic-gate * to login: if you happen to have a valid pubkey this 173*7c478bd9Sstevel@tonic-gate * message is sent. the message is NEVER sent at all 174*7c478bd9Sstevel@tonic-gate * if a user is not allowed to login. is this an 175*7c478bd9Sstevel@tonic-gate * issue? -markus 176*7c478bd9Sstevel@tonic-gate */ 177*7c478bd9Sstevel@tonic-gate if (PRIVSEP(user_key_allowed(authctxt->pw, key))) { 178*7c478bd9Sstevel@tonic-gate packet_start(SSH2_MSG_USERAUTH_PK_OK); 179*7c478bd9Sstevel@tonic-gate packet_put_string(pkalg, alen); 180*7c478bd9Sstevel@tonic-gate packet_put_string(pkblob, blen); 181*7c478bd9Sstevel@tonic-gate packet_send(); 182*7c478bd9Sstevel@tonic-gate packet_write_wait(); 183*7c478bd9Sstevel@tonic-gate authctxt->method->postponed = 1; 184*7c478bd9Sstevel@tonic-gate /* 185*7c478bd9Sstevel@tonic-gate * Remember key that was tried so we can 186*7c478bd9Sstevel@tonic-gate * correctly detect abandonment. See above. 187*7c478bd9Sstevel@tonic-gate */ 188*7c478bd9Sstevel@tonic-gate authctxt->method->method_data = (void *) key; 189*7c478bd9Sstevel@tonic-gate key = NULL; 190*7c478bd9Sstevel@tonic-gate } 191*7c478bd9Sstevel@tonic-gate } 192*7c478bd9Sstevel@tonic-gate if (authenticated != 1) 193*7c478bd9Sstevel@tonic-gate auth_clear_options(); 194*7c478bd9Sstevel@tonic-gate 195*7c478bd9Sstevel@tonic-gate done: 196*7c478bd9Sstevel@tonic-gate /* 197*7c478bd9Sstevel@tonic-gate * XXX TODO: add config options for specifying users for whom 198*7c478bd9Sstevel@tonic-gate * this userauth is insufficient and what userauths may 199*7c478bd9Sstevel@tonic-gate * continue. 200*7c478bd9Sstevel@tonic-gate */ 201*7c478bd9Sstevel@tonic-gate #ifdef USE_PAM 202*7c478bd9Sstevel@tonic-gate if (authenticated) { 203*7c478bd9Sstevel@tonic-gate if (!do_pam_non_initial_userauth(authctxt)) 204*7c478bd9Sstevel@tonic-gate authenticated = 0; 205*7c478bd9Sstevel@tonic-gate } 206*7c478bd9Sstevel@tonic-gate #endif /* USE_PAM */ 207*7c478bd9Sstevel@tonic-gate 208*7c478bd9Sstevel@tonic-gate debug2("userauth_pubkey: authenticated %d pkalg %s", authenticated, pkalg); 209*7c478bd9Sstevel@tonic-gate if (key != NULL) 210*7c478bd9Sstevel@tonic-gate key_free(key); 211*7c478bd9Sstevel@tonic-gate xfree(pkalg); 212*7c478bd9Sstevel@tonic-gate xfree(pkblob); 213*7c478bd9Sstevel@tonic-gate #ifdef HAVE_CYGWIN 214*7c478bd9Sstevel@tonic-gate if (check_nt_auth(0, authctxt->pw) == 0) 215*7c478bd9Sstevel@tonic-gate return; 216*7c478bd9Sstevel@tonic-gate #endif 217*7c478bd9Sstevel@tonic-gate if (authenticated) 218*7c478bd9Sstevel@tonic-gate authctxt->method->authenticated = 1; 219*7c478bd9Sstevel@tonic-gate } 220*7c478bd9Sstevel@tonic-gate 221*7c478bd9Sstevel@tonic-gate /* return 1 if user allows given key */ 222*7c478bd9Sstevel@tonic-gate static int 223*7c478bd9Sstevel@tonic-gate user_key_allowed2(struct passwd *pw, Key *key, char *file) 224*7c478bd9Sstevel@tonic-gate { 225*7c478bd9Sstevel@tonic-gate char line[8192]; 226*7c478bd9Sstevel@tonic-gate int found_key = 0; 227*7c478bd9Sstevel@tonic-gate FILE *f; 228*7c478bd9Sstevel@tonic-gate u_long linenum = 0; 229*7c478bd9Sstevel@tonic-gate struct stat st; 230*7c478bd9Sstevel@tonic-gate Key *found; 231*7c478bd9Sstevel@tonic-gate char *fp; 232*7c478bd9Sstevel@tonic-gate 233*7c478bd9Sstevel@tonic-gate if (pw == NULL) 234*7c478bd9Sstevel@tonic-gate return 0; 235*7c478bd9Sstevel@tonic-gate 236*7c478bd9Sstevel@tonic-gate /* Temporarily use the user's uid. */ 237*7c478bd9Sstevel@tonic-gate temporarily_use_uid(pw); 238*7c478bd9Sstevel@tonic-gate 239*7c478bd9Sstevel@tonic-gate debug("trying public key file %s", file); 240*7c478bd9Sstevel@tonic-gate 241*7c478bd9Sstevel@tonic-gate /* Fail quietly if file does not exist */ 242*7c478bd9Sstevel@tonic-gate if (stat(file, &st) < 0) { 243*7c478bd9Sstevel@tonic-gate /* Restore the privileged uid. */ 244*7c478bd9Sstevel@tonic-gate restore_uid(); 245*7c478bd9Sstevel@tonic-gate return 0; 246*7c478bd9Sstevel@tonic-gate } 247*7c478bd9Sstevel@tonic-gate /* Open the file containing the authorized keys. */ 248*7c478bd9Sstevel@tonic-gate f = fopen(file, "r"); 249*7c478bd9Sstevel@tonic-gate if (!f) { 250*7c478bd9Sstevel@tonic-gate /* Restore the privileged uid. */ 251*7c478bd9Sstevel@tonic-gate restore_uid(); 252*7c478bd9Sstevel@tonic-gate return 0; 253*7c478bd9Sstevel@tonic-gate } 254*7c478bd9Sstevel@tonic-gate if (options.strict_modes && 255*7c478bd9Sstevel@tonic-gate secure_filename(f, file, pw, line, sizeof(line)) != 0) { 256*7c478bd9Sstevel@tonic-gate (void) fclose(f); 257*7c478bd9Sstevel@tonic-gate log("Authentication refused: %s", line); 258*7c478bd9Sstevel@tonic-gate restore_uid(); 259*7c478bd9Sstevel@tonic-gate return 0; 260*7c478bd9Sstevel@tonic-gate } 261*7c478bd9Sstevel@tonic-gate 262*7c478bd9Sstevel@tonic-gate found_key = 0; 263*7c478bd9Sstevel@tonic-gate found = key_new(key->type); 264*7c478bd9Sstevel@tonic-gate 265*7c478bd9Sstevel@tonic-gate while (fgets(line, sizeof(line), f)) { 266*7c478bd9Sstevel@tonic-gate char *cp, *options = NULL; 267*7c478bd9Sstevel@tonic-gate linenum++; 268*7c478bd9Sstevel@tonic-gate /* Skip leading whitespace, empty and comment lines. */ 269*7c478bd9Sstevel@tonic-gate for (cp = line; *cp == ' ' || *cp == '\t'; cp++) 270*7c478bd9Sstevel@tonic-gate ; 271*7c478bd9Sstevel@tonic-gate if (!*cp || *cp == '\n' || *cp == '#') 272*7c478bd9Sstevel@tonic-gate continue; 273*7c478bd9Sstevel@tonic-gate 274*7c478bd9Sstevel@tonic-gate if (key_read(found, &cp) != 1) { 275*7c478bd9Sstevel@tonic-gate /* no key? check if there are options for this key */ 276*7c478bd9Sstevel@tonic-gate int quoted = 0; 277*7c478bd9Sstevel@tonic-gate debug2("user_key_allowed: check options: '%s'", cp); 278*7c478bd9Sstevel@tonic-gate options = cp; 279*7c478bd9Sstevel@tonic-gate for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) { 280*7c478bd9Sstevel@tonic-gate if (*cp == '\\' && cp[1] == '"') 281*7c478bd9Sstevel@tonic-gate cp++; /* Skip both */ 282*7c478bd9Sstevel@tonic-gate else if (*cp == '"') 283*7c478bd9Sstevel@tonic-gate quoted = !quoted; 284*7c478bd9Sstevel@tonic-gate } 285*7c478bd9Sstevel@tonic-gate /* Skip remaining whitespace. */ 286*7c478bd9Sstevel@tonic-gate for (; *cp == ' ' || *cp == '\t'; cp++) 287*7c478bd9Sstevel@tonic-gate ; 288*7c478bd9Sstevel@tonic-gate if (key_read(found, &cp) != 1) { 289*7c478bd9Sstevel@tonic-gate debug2("user_key_allowed: advance: '%s'", cp); 290*7c478bd9Sstevel@tonic-gate /* still no key? advance to next line*/ 291*7c478bd9Sstevel@tonic-gate continue; 292*7c478bd9Sstevel@tonic-gate } 293*7c478bd9Sstevel@tonic-gate } 294*7c478bd9Sstevel@tonic-gate if (key_equal(found, key) && 295*7c478bd9Sstevel@tonic-gate auth_parse_options(pw, options, file, linenum) == 1) { 296*7c478bd9Sstevel@tonic-gate found_key = 1; 297*7c478bd9Sstevel@tonic-gate debug("matching key found: file %s, line %lu", 298*7c478bd9Sstevel@tonic-gate file, linenum); 299*7c478bd9Sstevel@tonic-gate fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX); 300*7c478bd9Sstevel@tonic-gate verbose("Found matching %s key: %s", 301*7c478bd9Sstevel@tonic-gate key_type(found), fp); 302*7c478bd9Sstevel@tonic-gate xfree(fp); 303*7c478bd9Sstevel@tonic-gate break; 304*7c478bd9Sstevel@tonic-gate } 305*7c478bd9Sstevel@tonic-gate } 306*7c478bd9Sstevel@tonic-gate restore_uid(); 307*7c478bd9Sstevel@tonic-gate (void) fclose(f); 308*7c478bd9Sstevel@tonic-gate key_free(found); 309*7c478bd9Sstevel@tonic-gate if (!found_key) 310*7c478bd9Sstevel@tonic-gate debug2("key not found"); 311*7c478bd9Sstevel@tonic-gate return found_key; 312*7c478bd9Sstevel@tonic-gate } 313*7c478bd9Sstevel@tonic-gate 314*7c478bd9Sstevel@tonic-gate /* check whether given key is in .ssh/authorized_keys* */ 315*7c478bd9Sstevel@tonic-gate int 316*7c478bd9Sstevel@tonic-gate user_key_allowed(struct passwd *pw, Key *key) 317*7c478bd9Sstevel@tonic-gate { 318*7c478bd9Sstevel@tonic-gate int success; 319*7c478bd9Sstevel@tonic-gate char *file; 320*7c478bd9Sstevel@tonic-gate 321*7c478bd9Sstevel@tonic-gate if (pw == NULL) 322*7c478bd9Sstevel@tonic-gate return 0; 323*7c478bd9Sstevel@tonic-gate 324*7c478bd9Sstevel@tonic-gate file = authorized_keys_file(pw); 325*7c478bd9Sstevel@tonic-gate success = user_key_allowed2(pw, key, file); 326*7c478bd9Sstevel@tonic-gate xfree(file); 327*7c478bd9Sstevel@tonic-gate if (success) 328*7c478bd9Sstevel@tonic-gate return success; 329*7c478bd9Sstevel@tonic-gate 330*7c478bd9Sstevel@tonic-gate /* try suffix "2" for backward compat, too */ 331*7c478bd9Sstevel@tonic-gate file = authorized_keys_file2(pw); 332*7c478bd9Sstevel@tonic-gate success = user_key_allowed2(pw, key, file); 333*7c478bd9Sstevel@tonic-gate xfree(file); 334*7c478bd9Sstevel@tonic-gate return success; 335*7c478bd9Sstevel@tonic-gate } 336*7c478bd9Sstevel@tonic-gate 337*7c478bd9Sstevel@tonic-gate static 338*7c478bd9Sstevel@tonic-gate void 339*7c478bd9Sstevel@tonic-gate userauth_pubkey_abandon(Authctxt *authctxt, Authmethod *method) 340*7c478bd9Sstevel@tonic-gate { 341*7c478bd9Sstevel@tonic-gate if (!authctxt || !method) 342*7c478bd9Sstevel@tonic-gate return; 343*7c478bd9Sstevel@tonic-gate 344*7c478bd9Sstevel@tonic-gate if (method->method_data) { 345*7c478bd9Sstevel@tonic-gate method->abandons++; 346*7c478bd9Sstevel@tonic-gate method->attempts++; 347*7c478bd9Sstevel@tonic-gate key_free((Key *) method->method_data); 348*7c478bd9Sstevel@tonic-gate method->method_data = NULL; 349*7c478bd9Sstevel@tonic-gate } 350*7c478bd9Sstevel@tonic-gate } 351*7c478bd9Sstevel@tonic-gate 352*7c478bd9Sstevel@tonic-gate Authmethod method_pubkey = { 353*7c478bd9Sstevel@tonic-gate "publickey", 354*7c478bd9Sstevel@tonic-gate &options.pubkey_authentication, 355*7c478bd9Sstevel@tonic-gate userauth_pubkey, 356*7c478bd9Sstevel@tonic-gate userauth_pubkey_abandon, 357*7c478bd9Sstevel@tonic-gate NULL, NULL, /* method data and hist data */ 358*7c478bd9Sstevel@tonic-gate 0, /* not initial userauth */ 359*7c478bd9Sstevel@tonic-gate 0, 0, 0, /* counters */ 360*7c478bd9Sstevel@tonic-gate 0, 0, 0, 0, 0, 0 /* state */ 361*7c478bd9Sstevel@tonic-gate }; 362