-/* $OpenBSD: auth2-pubkey.c,v 1.52 2015/06/15 18:42:19 jsing Exp $ */
+/* $OpenBSD: auth2-pubkey.c,v 1.53 2015/06/15 18:44:22 jsing Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
{
char *ca_fp, *principals_file = NULL;
const char *reason;
- int ret = 0, found_principal = 0;
+ int ret = 0, found_principal = 0, use_authorized_principals;
if (!key_is_cert(key) || options.trusted_user_ca_keys == NULL)
return 0;
/* Try querying command if specified */
if (!found_principal && match_principals_command(pw, key->cert))
found_principal = 1;
- /* If principals file or command specify, then require a match here */
- if (!found_principal && (principals_file != NULL ||
- options.authorized_principals_command != NULL)) {
+ /* If principals file or command is specified, then require a match */
+ use_authorized_principals = principals_file != NULL ||
+ options.authorized_principals_command != NULL;
+ if (!found_principal && use_authorized_principals) {
reason = "Certificate does not contain an authorized principal";
fail_reason:
error("%s", reason);
goto out;
}
if (key_cert_check_authority(key, 0, 1,
- principals_file == NULL ? pw->pw_name : NULL, &reason) != 0)
+ use_authorized_principals ? NULL : pw->pw_name, &reason) != 0)
goto fail_reason;
if (auth_cert_options(key, pw) != 0)
goto out;
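Review bot: The key_cert_check_authority() call near the end of this hunk now passes NULL as the expected principal whenever a principals file or `options.authorized_principals_command` is configured, and nothing at the call site says why skipping the username comparison is safe. It is safe only because the `!found_principal && use_authorized_principals` check a few lines above has already rejected certificates with no matching principal, so I would add a comment before the call such as `/* Principal already matched via file/command above; otherwise the cert must name pw->pw_name */`. A regression test for the command-only configuration (no principals file) would help keep the two conditions in step, since that is the case this change alters. The enclosing function begins and ends outside the visible lines, so this presumes no other path reaches the call with use_authorized_principals set and found_principal still 0.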