xref: /titanic_50/usr/src/cmd/ssh/sshd/auth2-pubkey.c (revision 7c478bd95313f5f23a4c958a745db2134aa03244)
1*7c478bd9Sstevel@tonic-gate /*
2*7c478bd9Sstevel@tonic-gate  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
3*7c478bd9Sstevel@tonic-gate  *
4*7c478bd9Sstevel@tonic-gate  * Redistribution and use in source and binary forms, with or without
5*7c478bd9Sstevel@tonic-gate  * modification, are permitted provided that the following conditions
6*7c478bd9Sstevel@tonic-gate  * are met:
7*7c478bd9Sstevel@tonic-gate  * 1. Redistributions of source code must retain the above copyright
8*7c478bd9Sstevel@tonic-gate  *    notice, this list of conditions and the following disclaimer.
9*7c478bd9Sstevel@tonic-gate  * 2. Redistributions in binary form must reproduce the above copyright
10*7c478bd9Sstevel@tonic-gate  *    notice, this list of conditions and the following disclaimer in the
11*7c478bd9Sstevel@tonic-gate  *    documentation and/or other materials provided with the distribution.
12*7c478bd9Sstevel@tonic-gate  *
13*7c478bd9Sstevel@tonic-gate  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
14*7c478bd9Sstevel@tonic-gate  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
15*7c478bd9Sstevel@tonic-gate  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
16*7c478bd9Sstevel@tonic-gate  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
17*7c478bd9Sstevel@tonic-gate  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
18*7c478bd9Sstevel@tonic-gate  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
19*7c478bd9Sstevel@tonic-gate  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
20*7c478bd9Sstevel@tonic-gate  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
21*7c478bd9Sstevel@tonic-gate  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
22*7c478bd9Sstevel@tonic-gate  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
23*7c478bd9Sstevel@tonic-gate  */
24*7c478bd9Sstevel@tonic-gate /*
25*7c478bd9Sstevel@tonic-gate  * Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
26*7c478bd9Sstevel@tonic-gate  * Use is subject to license terms.
27*7c478bd9Sstevel@tonic-gate  */
28*7c478bd9Sstevel@tonic-gate 
29*7c478bd9Sstevel@tonic-gate #include "includes.h"
30*7c478bd9Sstevel@tonic-gate RCSID("$OpenBSD: auth2-pubkey.c,v 1.2 2002/05/31 11:35:15 markus Exp $");
31*7c478bd9Sstevel@tonic-gate 
32*7c478bd9Sstevel@tonic-gate #pragma ident	"%Z%%M%	%I%	%E% SMI"
33*7c478bd9Sstevel@tonic-gate 
34*7c478bd9Sstevel@tonic-gate #include "ssh2.h"
35*7c478bd9Sstevel@tonic-gate #include "xmalloc.h"
36*7c478bd9Sstevel@tonic-gate #include "packet.h"
37*7c478bd9Sstevel@tonic-gate #include "buffer.h"
38*7c478bd9Sstevel@tonic-gate #include "log.h"
39*7c478bd9Sstevel@tonic-gate #include "servconf.h"
40*7c478bd9Sstevel@tonic-gate #include "compat.h"
41*7c478bd9Sstevel@tonic-gate #include "bufaux.h"
42*7c478bd9Sstevel@tonic-gate #include "auth.h"
43*7c478bd9Sstevel@tonic-gate #include "key.h"
44*7c478bd9Sstevel@tonic-gate #include "pathnames.h"
45*7c478bd9Sstevel@tonic-gate #include "uidswap.h"
46*7c478bd9Sstevel@tonic-gate #include "auth-options.h"
47*7c478bd9Sstevel@tonic-gate #include "canohost.h"
48*7c478bd9Sstevel@tonic-gate #include "monitor_wrap.h"
49*7c478bd9Sstevel@tonic-gate 
50*7c478bd9Sstevel@tonic-gate #ifdef USE_PAM
51*7c478bd9Sstevel@tonic-gate #include <security/pam_appl.h>
52*7c478bd9Sstevel@tonic-gate #include "auth-pam.h"
53*7c478bd9Sstevel@tonic-gate #endif /* USE_PAM */
54*7c478bd9Sstevel@tonic-gate 
55*7c478bd9Sstevel@tonic-gate /* import */
56*7c478bd9Sstevel@tonic-gate extern ServerOptions options;
57*7c478bd9Sstevel@tonic-gate extern u_char *session_id2;
58*7c478bd9Sstevel@tonic-gate extern int session_id2_len;
59*7c478bd9Sstevel@tonic-gate 
60*7c478bd9Sstevel@tonic-gate static void
61*7c478bd9Sstevel@tonic-gate userauth_pubkey(Authctxt *authctxt)
62*7c478bd9Sstevel@tonic-gate {
63*7c478bd9Sstevel@tonic-gate 	Buffer b;
64*7c478bd9Sstevel@tonic-gate 	Key *key = NULL;
65*7c478bd9Sstevel@tonic-gate 	char *pkalg;
66*7c478bd9Sstevel@tonic-gate 	u_char *pkblob, *sig;
67*7c478bd9Sstevel@tonic-gate 	u_int alen, blen, slen;
68*7c478bd9Sstevel@tonic-gate 	int have_sig, pktype;
69*7c478bd9Sstevel@tonic-gate 	int authenticated = 0;
70*7c478bd9Sstevel@tonic-gate 
71*7c478bd9Sstevel@tonic-gate 	if (!authctxt || !authctxt->method)
72*7c478bd9Sstevel@tonic-gate 		fatal("%s: missing context", __func__);
73*7c478bd9Sstevel@tonic-gate 
74*7c478bd9Sstevel@tonic-gate 	have_sig = packet_get_char();
75*7c478bd9Sstevel@tonic-gate 	if (datafellows & SSH_BUG_PKAUTH) {
76*7c478bd9Sstevel@tonic-gate 		debug2("userauth_pubkey: SSH_BUG_PKAUTH");
77*7c478bd9Sstevel@tonic-gate 		/* no explicit pkalg given */
78*7c478bd9Sstevel@tonic-gate 		pkblob = packet_get_string(&blen);
79*7c478bd9Sstevel@tonic-gate 		buffer_init(&b);
80*7c478bd9Sstevel@tonic-gate 		buffer_append(&b, pkblob, blen);
81*7c478bd9Sstevel@tonic-gate 		/* so we have to extract the pkalg from the pkblob */
82*7c478bd9Sstevel@tonic-gate 		pkalg = buffer_get_string(&b, &alen);
83*7c478bd9Sstevel@tonic-gate 		buffer_free(&b);
84*7c478bd9Sstevel@tonic-gate 	} else {
85*7c478bd9Sstevel@tonic-gate 		pkalg = packet_get_string(&alen);
86*7c478bd9Sstevel@tonic-gate 		pkblob = packet_get_string(&blen);
87*7c478bd9Sstevel@tonic-gate 	}
88*7c478bd9Sstevel@tonic-gate 	pktype = key_type_from_name(pkalg);
89*7c478bd9Sstevel@tonic-gate 	if (pktype == KEY_UNSPEC) {
90*7c478bd9Sstevel@tonic-gate 		/* this is perfectly legal */
91*7c478bd9Sstevel@tonic-gate 		log("userauth_pubkey: unsupported public key algorithm: %s",
92*7c478bd9Sstevel@tonic-gate 		    pkalg);
93*7c478bd9Sstevel@tonic-gate 		goto done;
94*7c478bd9Sstevel@tonic-gate 	}
95*7c478bd9Sstevel@tonic-gate 	key = key_from_blob(pkblob, blen);
96*7c478bd9Sstevel@tonic-gate 	if (key == NULL) {
97*7c478bd9Sstevel@tonic-gate 		error("userauth_pubkey: cannot decode key: %s", pkalg);
98*7c478bd9Sstevel@tonic-gate 		goto done;
99*7c478bd9Sstevel@tonic-gate 	}
100*7c478bd9Sstevel@tonic-gate 	if (key->type != pktype) {
101*7c478bd9Sstevel@tonic-gate 		error("userauth_pubkey: type mismatch for decoded key "
102*7c478bd9Sstevel@tonic-gate 		    "(received %d, expected %d)", key->type, pktype);
103*7c478bd9Sstevel@tonic-gate 		goto done;
104*7c478bd9Sstevel@tonic-gate 	}
105*7c478bd9Sstevel@tonic-gate 
106*7c478bd9Sstevel@tonic-gate 	/* Detect and count abandonment */
107*7c478bd9Sstevel@tonic-gate 	if (authctxt->method->method_data) {
108*7c478bd9Sstevel@tonic-gate 		Key	*prev_key;
109*7c478bd9Sstevel@tonic-gate 		unsigned char	*prev_pkblob;
110*7c478bd9Sstevel@tonic-gate 		int	 prev_blen;
111*7c478bd9Sstevel@tonic-gate 
112*7c478bd9Sstevel@tonic-gate 		/*
113*7c478bd9Sstevel@tonic-gate 		 * Check for earlier test of a key that was allowed but
114*7c478bd9Sstevel@tonic-gate 		 * not followed up with a pubkey req for the same pubkey
115*7c478bd9Sstevel@tonic-gate 		 * and with a signature.
116*7c478bd9Sstevel@tonic-gate 		 */
117*7c478bd9Sstevel@tonic-gate 		prev_key = authctxt->method->method_data;
118*7c478bd9Sstevel@tonic-gate 		if ((prev_blen = key_to_blob(prev_key,
119*7c478bd9Sstevel@tonic-gate 			    &prev_pkblob, NULL))) {
120*7c478bd9Sstevel@tonic-gate 			if (prev_blen != blen ||
121*7c478bd9Sstevel@tonic-gate 			    memcmp(prev_pkblob, pkblob, blen) != 0) {
122*7c478bd9Sstevel@tonic-gate 				authctxt->method->abandons++;
123*7c478bd9Sstevel@tonic-gate 				authctxt->method->attempts++;
124*7c478bd9Sstevel@tonic-gate 			}
125*7c478bd9Sstevel@tonic-gate 		}
126*7c478bd9Sstevel@tonic-gate 		key_free(prev_key);
127*7c478bd9Sstevel@tonic-gate 		authctxt->method->method_data = NULL;
128*7c478bd9Sstevel@tonic-gate 	}
129*7c478bd9Sstevel@tonic-gate 
130*7c478bd9Sstevel@tonic-gate 	if (have_sig) {
131*7c478bd9Sstevel@tonic-gate 		sig = packet_get_string(&slen);
132*7c478bd9Sstevel@tonic-gate 		packet_check_eom();
133*7c478bd9Sstevel@tonic-gate 		buffer_init(&b);
134*7c478bd9Sstevel@tonic-gate 		if (datafellows & SSH_OLD_SESSIONID) {
135*7c478bd9Sstevel@tonic-gate 			buffer_append(&b, session_id2, session_id2_len);
136*7c478bd9Sstevel@tonic-gate 		} else {
137*7c478bd9Sstevel@tonic-gate 			buffer_put_string(&b, session_id2, session_id2_len);
138*7c478bd9Sstevel@tonic-gate 		}
139*7c478bd9Sstevel@tonic-gate 		/* reconstruct packet */
140*7c478bd9Sstevel@tonic-gate 		buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
141*7c478bd9Sstevel@tonic-gate 		buffer_put_cstring(&b, authctxt->user);
142*7c478bd9Sstevel@tonic-gate 		buffer_put_cstring(&b,
143*7c478bd9Sstevel@tonic-gate 		    datafellows & SSH_BUG_PKSERVICE ?
144*7c478bd9Sstevel@tonic-gate 		    "ssh-userauth" :
145*7c478bd9Sstevel@tonic-gate 		    authctxt->service);
146*7c478bd9Sstevel@tonic-gate 		if (datafellows & SSH_BUG_PKAUTH) {
147*7c478bd9Sstevel@tonic-gate 			buffer_put_char(&b, have_sig);
148*7c478bd9Sstevel@tonic-gate 		} else {
149*7c478bd9Sstevel@tonic-gate 			buffer_put_cstring(&b, "publickey");
150*7c478bd9Sstevel@tonic-gate 			buffer_put_char(&b, have_sig);
151*7c478bd9Sstevel@tonic-gate 			buffer_put_cstring(&b, pkalg);
152*7c478bd9Sstevel@tonic-gate 		}
153*7c478bd9Sstevel@tonic-gate 		buffer_put_string(&b, pkblob, blen);
154*7c478bd9Sstevel@tonic-gate #ifdef DEBUG_PK
155*7c478bd9Sstevel@tonic-gate 		buffer_dump(&b);
156*7c478bd9Sstevel@tonic-gate #endif
157*7c478bd9Sstevel@tonic-gate 		/* test for correct signature */
158*7c478bd9Sstevel@tonic-gate 		if (PRIVSEP(user_key_allowed(authctxt->pw, key)) &&
159*7c478bd9Sstevel@tonic-gate 		    PRIVSEP(key_verify(key, sig, slen, buffer_ptr(&b),
160*7c478bd9Sstevel@tonic-gate 				buffer_len(&b))) == 1)
161*7c478bd9Sstevel@tonic-gate 			authenticated = 1;
162*7c478bd9Sstevel@tonic-gate 		authctxt->method->postponed = 0;
163*7c478bd9Sstevel@tonic-gate 		buffer_clear(&b);
164*7c478bd9Sstevel@tonic-gate 		xfree(sig);
165*7c478bd9Sstevel@tonic-gate 	} else {
166*7c478bd9Sstevel@tonic-gate 		debug("test whether pkalg/pkblob are acceptable");
167*7c478bd9Sstevel@tonic-gate 		packet_check_eom();
168*7c478bd9Sstevel@tonic-gate 
169*7c478bd9Sstevel@tonic-gate 		/* XXX fake reply and always send PK_OK ? */
170*7c478bd9Sstevel@tonic-gate 		/*
171*7c478bd9Sstevel@tonic-gate 		 * XXX this allows testing whether a user is allowed
172*7c478bd9Sstevel@tonic-gate 		 * to login: if you happen to have a valid pubkey this
173*7c478bd9Sstevel@tonic-gate 		 * message is sent. the message is NEVER sent at all
174*7c478bd9Sstevel@tonic-gate 		 * if a user is not allowed to login. is this an
175*7c478bd9Sstevel@tonic-gate 		 * issue? -markus
176*7c478bd9Sstevel@tonic-gate 		 */
177*7c478bd9Sstevel@tonic-gate 		if (PRIVSEP(user_key_allowed(authctxt->pw, key))) {
178*7c478bd9Sstevel@tonic-gate 			packet_start(SSH2_MSG_USERAUTH_PK_OK);
179*7c478bd9Sstevel@tonic-gate 			packet_put_string(pkalg, alen);
180*7c478bd9Sstevel@tonic-gate 			packet_put_string(pkblob, blen);
181*7c478bd9Sstevel@tonic-gate 			packet_send();
182*7c478bd9Sstevel@tonic-gate 			packet_write_wait();
183*7c478bd9Sstevel@tonic-gate 			authctxt->method->postponed = 1;
184*7c478bd9Sstevel@tonic-gate 			/*
185*7c478bd9Sstevel@tonic-gate 			 * Remember key that was tried so we can
186*7c478bd9Sstevel@tonic-gate 			 * correctly detect abandonment.  See above.
187*7c478bd9Sstevel@tonic-gate 			 */
188*7c478bd9Sstevel@tonic-gate 			authctxt->method->method_data = (void *) key;
189*7c478bd9Sstevel@tonic-gate 			key = NULL;
190*7c478bd9Sstevel@tonic-gate 		}
191*7c478bd9Sstevel@tonic-gate 	}
192*7c478bd9Sstevel@tonic-gate 	if (authenticated != 1)
193*7c478bd9Sstevel@tonic-gate 		auth_clear_options();
194*7c478bd9Sstevel@tonic-gate 
195*7c478bd9Sstevel@tonic-gate done:
196*7c478bd9Sstevel@tonic-gate 	/*
197*7c478bd9Sstevel@tonic-gate 	 * XXX TODO: add config options for specifying users for whom
198*7c478bd9Sstevel@tonic-gate 	 * this userauth is insufficient and what userauths may
199*7c478bd9Sstevel@tonic-gate 	 * continue.
200*7c478bd9Sstevel@tonic-gate 	 */
201*7c478bd9Sstevel@tonic-gate #ifdef USE_PAM
202*7c478bd9Sstevel@tonic-gate 	if (authenticated) {
203*7c478bd9Sstevel@tonic-gate 		if (!do_pam_non_initial_userauth(authctxt))
204*7c478bd9Sstevel@tonic-gate 			authenticated = 0;
205*7c478bd9Sstevel@tonic-gate 	}
206*7c478bd9Sstevel@tonic-gate #endif /* USE_PAM */
207*7c478bd9Sstevel@tonic-gate 
208*7c478bd9Sstevel@tonic-gate 	debug2("userauth_pubkey: authenticated %d pkalg %s", authenticated, pkalg);
209*7c478bd9Sstevel@tonic-gate 	if (key != NULL)
210*7c478bd9Sstevel@tonic-gate 		key_free(key);
211*7c478bd9Sstevel@tonic-gate 	xfree(pkalg);
212*7c478bd9Sstevel@tonic-gate 	xfree(pkblob);
213*7c478bd9Sstevel@tonic-gate #ifdef HAVE_CYGWIN
214*7c478bd9Sstevel@tonic-gate 	if (check_nt_auth(0, authctxt->pw) == 0)
215*7c478bd9Sstevel@tonic-gate 		return;
216*7c478bd9Sstevel@tonic-gate #endif
217*7c478bd9Sstevel@tonic-gate 	if (authenticated)
218*7c478bd9Sstevel@tonic-gate 		authctxt->method->authenticated = 1;
219*7c478bd9Sstevel@tonic-gate }
220*7c478bd9Sstevel@tonic-gate 
221*7c478bd9Sstevel@tonic-gate /* return 1 if user allows given key */
222*7c478bd9Sstevel@tonic-gate static int
223*7c478bd9Sstevel@tonic-gate user_key_allowed2(struct passwd *pw, Key *key, char *file)
224*7c478bd9Sstevel@tonic-gate {
225*7c478bd9Sstevel@tonic-gate 	char line[8192];
226*7c478bd9Sstevel@tonic-gate 	int found_key = 0;
227*7c478bd9Sstevel@tonic-gate 	FILE *f;
228*7c478bd9Sstevel@tonic-gate 	u_long linenum = 0;
229*7c478bd9Sstevel@tonic-gate 	struct stat st;
230*7c478bd9Sstevel@tonic-gate 	Key *found;
231*7c478bd9Sstevel@tonic-gate 	char *fp;
232*7c478bd9Sstevel@tonic-gate 
233*7c478bd9Sstevel@tonic-gate 	if (pw == NULL)
234*7c478bd9Sstevel@tonic-gate 		return 0;
235*7c478bd9Sstevel@tonic-gate 
236*7c478bd9Sstevel@tonic-gate 	/* Temporarily use the user's uid. */
237*7c478bd9Sstevel@tonic-gate 	temporarily_use_uid(pw);
238*7c478bd9Sstevel@tonic-gate 
239*7c478bd9Sstevel@tonic-gate 	debug("trying public key file %s", file);
240*7c478bd9Sstevel@tonic-gate 
241*7c478bd9Sstevel@tonic-gate 	/* Fail quietly if file does not exist */
242*7c478bd9Sstevel@tonic-gate 	if (stat(file, &st) < 0) {
243*7c478bd9Sstevel@tonic-gate 		/* Restore the privileged uid. */
244*7c478bd9Sstevel@tonic-gate 		restore_uid();
245*7c478bd9Sstevel@tonic-gate 		return 0;
246*7c478bd9Sstevel@tonic-gate 	}
247*7c478bd9Sstevel@tonic-gate 	/* Open the file containing the authorized keys. */
248*7c478bd9Sstevel@tonic-gate 	f = fopen(file, "r");
249*7c478bd9Sstevel@tonic-gate 	if (!f) {
250*7c478bd9Sstevel@tonic-gate 		/* Restore the privileged uid. */
251*7c478bd9Sstevel@tonic-gate 		restore_uid();
252*7c478bd9Sstevel@tonic-gate 		return 0;
253*7c478bd9Sstevel@tonic-gate 	}
254*7c478bd9Sstevel@tonic-gate 	if (options.strict_modes &&
255*7c478bd9Sstevel@tonic-gate 	    secure_filename(f, file, pw, line, sizeof(line)) != 0) {
256*7c478bd9Sstevel@tonic-gate 		(void) fclose(f);
257*7c478bd9Sstevel@tonic-gate 		log("Authentication refused: %s", line);
258*7c478bd9Sstevel@tonic-gate 		restore_uid();
259*7c478bd9Sstevel@tonic-gate 		return 0;
260*7c478bd9Sstevel@tonic-gate 	}
261*7c478bd9Sstevel@tonic-gate 
262*7c478bd9Sstevel@tonic-gate 	found_key = 0;
263*7c478bd9Sstevel@tonic-gate 	found = key_new(key->type);
264*7c478bd9Sstevel@tonic-gate 
265*7c478bd9Sstevel@tonic-gate 	while (fgets(line, sizeof(line), f)) {
266*7c478bd9Sstevel@tonic-gate 		char *cp, *options = NULL;
267*7c478bd9Sstevel@tonic-gate 		linenum++;
268*7c478bd9Sstevel@tonic-gate 		/* Skip leading whitespace, empty and comment lines. */
269*7c478bd9Sstevel@tonic-gate 		for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
270*7c478bd9Sstevel@tonic-gate 			;
271*7c478bd9Sstevel@tonic-gate 		if (!*cp || *cp == '\n' || *cp == '#')
272*7c478bd9Sstevel@tonic-gate 			continue;
273*7c478bd9Sstevel@tonic-gate 
274*7c478bd9Sstevel@tonic-gate 		if (key_read(found, &cp) != 1) {
275*7c478bd9Sstevel@tonic-gate 			/* no key?  check if there are options for this key */
276*7c478bd9Sstevel@tonic-gate 			int quoted = 0;
277*7c478bd9Sstevel@tonic-gate 			debug2("user_key_allowed: check options: '%s'", cp);
278*7c478bd9Sstevel@tonic-gate 			options = cp;
279*7c478bd9Sstevel@tonic-gate 			for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) {
280*7c478bd9Sstevel@tonic-gate 				if (*cp == '\\' && cp[1] == '"')
281*7c478bd9Sstevel@tonic-gate 					cp++;	/* Skip both */
282*7c478bd9Sstevel@tonic-gate 				else if (*cp == '"')
283*7c478bd9Sstevel@tonic-gate 					quoted = !quoted;
284*7c478bd9Sstevel@tonic-gate 			}
285*7c478bd9Sstevel@tonic-gate 			/* Skip remaining whitespace. */
286*7c478bd9Sstevel@tonic-gate 			for (; *cp == ' ' || *cp == '\t'; cp++)
287*7c478bd9Sstevel@tonic-gate 				;
288*7c478bd9Sstevel@tonic-gate 			if (key_read(found, &cp) != 1) {
289*7c478bd9Sstevel@tonic-gate 				debug2("user_key_allowed: advance: '%s'", cp);
290*7c478bd9Sstevel@tonic-gate 				/* still no key?  advance to next line*/
291*7c478bd9Sstevel@tonic-gate 				continue;
292*7c478bd9Sstevel@tonic-gate 			}
293*7c478bd9Sstevel@tonic-gate 		}
294*7c478bd9Sstevel@tonic-gate 		if (key_equal(found, key) &&
295*7c478bd9Sstevel@tonic-gate 		    auth_parse_options(pw, options, file, linenum) == 1) {
296*7c478bd9Sstevel@tonic-gate 			found_key = 1;
297*7c478bd9Sstevel@tonic-gate 			debug("matching key found: file %s, line %lu",
298*7c478bd9Sstevel@tonic-gate 			    file, linenum);
299*7c478bd9Sstevel@tonic-gate 			fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
300*7c478bd9Sstevel@tonic-gate 			verbose("Found matching %s key: %s",
301*7c478bd9Sstevel@tonic-gate 			    key_type(found), fp);
302*7c478bd9Sstevel@tonic-gate 			xfree(fp);
303*7c478bd9Sstevel@tonic-gate 			break;
304*7c478bd9Sstevel@tonic-gate 		}
305*7c478bd9Sstevel@tonic-gate 	}
306*7c478bd9Sstevel@tonic-gate 	restore_uid();
307*7c478bd9Sstevel@tonic-gate 	(void) fclose(f);
308*7c478bd9Sstevel@tonic-gate 	key_free(found);
309*7c478bd9Sstevel@tonic-gate 	if (!found_key)
310*7c478bd9Sstevel@tonic-gate 		debug2("key not found");
311*7c478bd9Sstevel@tonic-gate 	return found_key;
312*7c478bd9Sstevel@tonic-gate }
313*7c478bd9Sstevel@tonic-gate 
314*7c478bd9Sstevel@tonic-gate /* check whether given key is in .ssh/authorized_keys* */
315*7c478bd9Sstevel@tonic-gate int
316*7c478bd9Sstevel@tonic-gate user_key_allowed(struct passwd *pw, Key *key)
317*7c478bd9Sstevel@tonic-gate {
318*7c478bd9Sstevel@tonic-gate 	int success;
319*7c478bd9Sstevel@tonic-gate 	char *file;
320*7c478bd9Sstevel@tonic-gate 
321*7c478bd9Sstevel@tonic-gate 	if (pw == NULL)
322*7c478bd9Sstevel@tonic-gate 		return 0;
323*7c478bd9Sstevel@tonic-gate 
324*7c478bd9Sstevel@tonic-gate 	file = authorized_keys_file(pw);
325*7c478bd9Sstevel@tonic-gate 	success = user_key_allowed2(pw, key, file);
326*7c478bd9Sstevel@tonic-gate 	xfree(file);
327*7c478bd9Sstevel@tonic-gate 	if (success)
328*7c478bd9Sstevel@tonic-gate 		return success;
329*7c478bd9Sstevel@tonic-gate 
330*7c478bd9Sstevel@tonic-gate 	/* try suffix "2" for backward compat, too */
331*7c478bd9Sstevel@tonic-gate 	file = authorized_keys_file2(pw);
332*7c478bd9Sstevel@tonic-gate 	success = user_key_allowed2(pw, key, file);
333*7c478bd9Sstevel@tonic-gate 	xfree(file);
334*7c478bd9Sstevel@tonic-gate 	return success;
335*7c478bd9Sstevel@tonic-gate }
336*7c478bd9Sstevel@tonic-gate 
337*7c478bd9Sstevel@tonic-gate static
338*7c478bd9Sstevel@tonic-gate void
339*7c478bd9Sstevel@tonic-gate userauth_pubkey_abandon(Authctxt *authctxt, Authmethod *method)
340*7c478bd9Sstevel@tonic-gate {
341*7c478bd9Sstevel@tonic-gate 	if (!authctxt || !method)
342*7c478bd9Sstevel@tonic-gate 		return;
343*7c478bd9Sstevel@tonic-gate 
344*7c478bd9Sstevel@tonic-gate 	if (method->method_data) {
345*7c478bd9Sstevel@tonic-gate 		method->abandons++;
346*7c478bd9Sstevel@tonic-gate 		method->attempts++;
347*7c478bd9Sstevel@tonic-gate 		key_free((Key *) method->method_data);
348*7c478bd9Sstevel@tonic-gate 		method->method_data = NULL;
349*7c478bd9Sstevel@tonic-gate 	}
350*7c478bd9Sstevel@tonic-gate }
351*7c478bd9Sstevel@tonic-gate 
352*7c478bd9Sstevel@tonic-gate Authmethod method_pubkey = {
353*7c478bd9Sstevel@tonic-gate 	"publickey",
354*7c478bd9Sstevel@tonic-gate 	&options.pubkey_authentication,
355*7c478bd9Sstevel@tonic-gate 	userauth_pubkey,
356*7c478bd9Sstevel@tonic-gate 	userauth_pubkey_abandon,
357*7c478bd9Sstevel@tonic-gate 	NULL, NULL,	    /* method data and hist data */
358*7c478bd9Sstevel@tonic-gate 	0,		    /* not initial userauth */
359*7c478bd9Sstevel@tonic-gate 	0, 0, 0,	    /* counters */
360*7c478bd9Sstevel@tonic-gate 	0, 0, 0, 0, 0, 0    /* state */
361*7c478bd9Sstevel@tonic-gate };
362