From 38374349c8379780857836d698dbad11a33522c5 Mon Sep 17 00:00:00 2001
From: djm
Date: Fri, 3 Jun 2022 04:47:21 +0000
Subject: [PATCH] move auth_openprincipals() and auth_openkeyfile() over to auth2-pubkeyfile.c too; they make more sense there.

---
 usr.bin/ssh/auth.c | 58 +---------------------------------
 usr.bin/ssh/auth.h | 6 ++--
 usr.bin/ssh/auth2-pubkeyfile.c | 57 ++++++++++++++++++++++++++++++++-
 3 files changed, 60 insertions(+), 61 deletions(-)

diff --git a/usr.bin/ssh/auth.c b/usr.bin/ssh/auth.c
index 93b56340d6a..4cb50e58102 100644
--- a/usr.bin/ssh/auth.c
+++ b/usr.bin/ssh/auth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.c,v 1.157 2022/05/27 05:02:46 djm Exp $ */
+/* $OpenBSD: auth.c,v 1.158 2022/06/03 04:47:21 djm Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl. All rights reserved.
 *
@@ -412,62 +412,6 @@ check_key_in_hostfiles(struct passwd *pw, struct sshkey *key, const char *host,
 return host_status;
 }
-static FILE *
-auth_openfile(const char *file, struct passwd *pw, int strict_modes,
- int log_missing, char *file_type)
-{
- char line[1024];
- struct stat st;
- int fd;
- FILE *f;
-
- if ((fd = open(file, O_RDONLY|O_NONBLOCK)) == -1) {
- if (log_missing || errno != ENOENT)
- debug("Could not open %s '%s': %s", file_type, file,
- strerror(errno));
- return NULL;
- }
-
- if (fstat(fd, &st) == -1) {
- close(fd);
- return NULL;
- }
- if (!S_ISREG(st.st_mode)) {
- logit("User %s %s %s is not a regular file",
- pw->pw_name, file_type, file);
- close(fd);
- return NULL;
- }
- unset_nonblock(fd);
- if ((f = fdopen(fd, "r")) == NULL) {
- close(fd);
- return NULL;
- }
- if (strict_modes &&
- safe_path_fd(fileno(f), file, pw, line, sizeof(line)) != 0) {
- fclose(f);
- logit("Authentication refused: %s", line);
- auth_debug_add("Ignored %s: %s", file_type, line);
- return NULL;
- }
-
- return f;
-}
-
-
-FILE *
-auth_openkeyfile(const char *file, struct passwd *pw, int strict_modes)
-{
- return auth_openfile(file, pw, strict_modes, 1, "authorized keys");
-}
-
-FILE *
-auth_openprincipals(const char *file, struct passwd *pw, int strict_modes)
-{
- return auth_openfile(file, pw, strict_modes, 0,
- "authorized principals");
-}
-
 struct passwd *
 getpwnamallow(struct ssh *ssh, const char *user)
 {
diff --git a/usr.bin/ssh/auth.h b/usr.bin/ssh/auth.h
index 0ae5c07c950..b347307c233 100644
--- a/usr.bin/ssh/auth.h
+++ b/usr.bin/ssh/auth.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.h,v 1.104 2022/05/27 05:02:46 djm Exp $ */
+/* $OpenBSD: auth.h,v 1.105 2022/06/03 04:47:21 djm Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl. All rights reserved.
@@ -174,8 +174,6 @@ struct passwd * getpwnamallow(struct ssh *, const char *user);
 char *expand_authorized_keys(const char *, struct passwd *pw);
 char *authorized_principals_file(struct passwd *);
-FILE *auth_openkeyfile(const char *, struct passwd *, int);
-FILE *auth_openprincipals(const char *, struct passwd *, int);
 int auth_key_is_revoked(struct sshkey *);
 const char *auth_get_canonical_hostname(struct ssh *, int);
@@ -218,5 +216,7 @@ int auth_check_authkey_line(struct passwd *, struct sshkey *, char *,
 const char *, const char *, const char *, struct sshauthopt **);
 int auth_check_authkeys_file(struct passwd *, FILE *, char *,
 struct sshkey *, const char *, const char *, struct sshauthopt **);
+FILE *auth_openkeyfile(const char *, struct passwd *, int);
+FILE *auth_openprincipals(const char *, struct passwd *, int);
 #endif
diff --git a/usr.bin/ssh/auth2-pubkeyfile.c b/usr.bin/ssh/auth2-pubkeyfile.c
index ac0ad73d951..7a41fc6c965 100644
--- a/usr.bin/ssh/auth2-pubkeyfile.c
+++ b/usr.bin/ssh/auth2-pubkeyfile.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-pubkeyfile.c,v 1.1 2022/05/27 05:02:46 djm Exp $ */
+/* $OpenBSD: auth2-pubkeyfile.c,v 1.2 2022/06/03 04:47:21 djm Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl. All rights reserved.
 * Copyright (c) 2010 Damien Miller. All rights reserved.
@@ -438,4 +438,59 @@ auth_check_authkeys_file(struct passwd *pw, FILE *f, char *file,
 return found_key;
 }
+static FILE *
+auth_openfile(const char *file, struct passwd *pw, int strict_modes,
+ int log_missing, char *file_type)
+{
+ char line[1024];
+ struct stat st;
+ int fd;
+ FILE *f;
+
+ if ((fd = open(file, O_RDONLY|O_NONBLOCK)) == -1) {
+ if (log_missing || errno != ENOENT)
+ debug("Could not open %s '%s': %s", file_type, file,
+ strerror(errno));
+ return NULL;
+ }
+
+ if (fstat(fd, &st) == -1) {
+ close(fd);
+ return NULL;
+ }
+ if (!S_ISREG(st.st_mode)) {
+ logit("User %s %s %s is not a regular file",
+ pw->pw_name, file_type, file);
+ close(fd);
+ return NULL;
+ }
+ unset_nonblock(fd);
+ if ((f = fdopen(fd, "r")) == NULL) {
+ close(fd);
+ return NULL;
+ }
+ if (strict_modes &&
+ safe_path_fd(fileno(f), file, pw, line, sizeof(line)) != 0) {
+ fclose(f);
+ logit("Authentication refused: %s", line);
+ auth_debug_add("Ignored %s: %s", file_type, line);
+ return NULL;
+ }
+
+ return f;
+}
+
+
+FILE *
+auth_openkeyfile(const char *file, struct passwd *pw, int strict_modes)
+{
+ return auth_openfile(file, pw, strict_modes, 1, "authorized keys");
+}
+
+FILE *
+auth_openprincipals(const char *file, struct passwd *pw, int strict_modes)
+{
+ return auth_openfile(file, pw, strict_modes, 0,
+ "authorized principals");
+}
-- 
2.20.1
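Review bot: `file_type` in the newly added `auth_openfile` is declared `char *` even though both callers pass a string literal and the function only reads it (in the `debug`, `logit` and `auth_debug_add` calls); I would const-qualify it as `int log_missing, const char *file_type)` so it matches the `const char *file` parameter beside it and the literals are not silently stripped of const. The function also lands without a header comment; above `static FILE *` I would add one stating that it returns an open read stream only when `file` is a regular file that passes `safe_path_fd` under `strict_modes`, that the caller owns the returned `FILE *` and must `fclose` it, and that `log_missing` controls whether an ENOENT open failure is logged at all. The `O_RDONLY|O_NONBLOCK` open followed by `unset_nonblock(fd)` after the `S_ISREG` check deserves a why-comment as well — presumably it keeps a non-regular path from blocking the server before the type check rejects it, but that intent should be stated rather than inferred. The code itself is unchanged from the auth.c version removed in the same commit.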