search for: auth_clear_opt

...rsion: Linux Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: bitbucket at mindrot.org ReportedBy: cjwatson at debian.org Created an attachment (id=1509) --> (http://bugzilla.mindrot.org/attachment.cgi?id=1509) call auth_clear_options in privileged process https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/161047 reports a problem with forced commands when used with public-key authentication but expecting password authentication also to work without the forced command. Briefly, it may be reproduced on a single machine a...

...tion sharing. Cheers, Han Holl --- auth-options.c.orig Fri Feb 9 14:14:51 2001 +++ auth-options.c Fri Feb 9 14:18:43 2001 @@ -57,11 +57,12 @@ auth_parse_options(struct passwd *pw, char *options, unsigned long linenum) { const char *cp; - if (!options) - return 1; /* reset options */ auth_clear_options(); + + if (!options) + return 1; while (*options && *options != ' ' && *options != '\t') { cp = "no-port-forwarding";

...file, linenum) == 1) { - found_key = 1; - debug("matching key found: file %s, line %lu", - file, linenum); - break; + if (key_equal(found, key) || key_match(found, key)) { + found_key = auth_parse_options(pw, options, file, linenum); + if (found_key != 0) + break; + auth_clear_options(); } } restore_uid(); fclose(f); key_free(found); - if (!found_key) + if (found_key == 0) debug2("key not found"); + else if (found_key > 0) { + debug("matching key found: file %s, line %lu", + file, linenum); + auth_set_key_env(key); + } else + de...

Attached is a patch which adds a log= directive to authorized_keys. The text in the log="text" directive is appended to the log line, so you can easily tell which key is matched. For instance the line: log="hello world!",no-agent-forwarding,command="/bin/true",no-pty, no-user-rc,no-X11-forwarding,permitopen="127.0.0.1:7" ssh-rsa AAAAB3Nza....xcgaK9xXoU=

...ude "key.h" + /* Linked list of custom environment strings */ struct envstring { struct envstring *next; @@ -37,6 +39,9 @@ int auth_parse_options(struct passwd *pw, char *options, char *file, u_long linenum); + +void +auth_set_key_env(Key *k); /* reset options flags */ void auth_clear_options(void); Index: 2_9_p2.1/auth-options.c --- 2_9_p2.1/auth-options.c Thu, 03 May 2001 16:12:13 -0400 jd (OpenSSH/k/22_auth-optio 1.1 644) +++ 2_9_p2_w_named_keys.2/auth-options.c Tue, 03 Jul 2001 13:57:30 -0400 willian (OpenSSH/k/22_auth-optio 1.1.1.1 644) @@ -55,8 +55,43 @@ channel_clear_permit...

.../* + * Assume that the comment field contains the real name of the + * person who owns the key. + */ + packet_send_debug("RSA authentication of %s as user %s accepted.", + comment, pw->pw_name); + } else auth_clear_options(); diff -ru openssh-3.1p1/auth.h openssh-3.1p1-mods/auth.h - --- openssh-3.1p1/auth.h Thu May 9 12:18:26 2002 +++ openssh-3.1p1-mods/auth.h Thu May 9 12:19:54 2002 @@ -94,7 +94,7 @@ int auth_rhosts_rsa(struct passwd *, const char *, Key *); int auth_password(Authctxt...

...m(); + + if (PRIVSEP(user_cert_key_allowed(authctxt->pw, key))) { + packet_start(SSH2_MSG_USERAUTH_PK_OK); + packet_put_string(pkalg, alen); + packet_put_string(pkblob, blen); + packet_send(); + packet_write_wait(); + authctxt->postponed = 1; + } + } + if (authenticated != 1) + auth_clear_options(); +done: + debug2("userauth_certkey: authenticated %d pkalg %s", authenticated, pkalg); + if (key != NULL) + key_free(key); + xfree(pkalg); + xfree(pkblob); + return authenticated; +} + +/* check whether given key is signed by certificate */ +int +user_cert_key_allowed(struct passwd...