From 8133225e0bf8eb862ac4198880595fada753fe4b Mon Sep 17 00:00:00 2001 From: jsing Date: Mon, 15 Jun 2015 18:44:22 +0000 Subject: [PATCH] If AuthorizedPrincipalsCommand is specified, however AuthorizedPrincipalsFile is not (or is set to "none"), authentication will potentially fail due to key_cert_check_authority() failing to locate a principal that matches the username, even though an authorized principal has already been matched in the output of the subprocess. Fix this by using the same logic to determine if pw->pw_name should be passed, as is used to determine if a authorized principal must be matched earlier on. ok djm@ --- usr.bin/ssh/auth2-pubkey.c | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/usr.bin/ssh/auth2-pubkey.c b/usr.bin/ssh/auth2-pubkey.c index 5beb44a3cc4..4d620ee9d84 100644 --- a/usr.bin/ssh/auth2-pubkey.c +++ b/usr.bin/ssh/auth2-pubkey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-pubkey.c,v 1.52 2015/06/15 18:42:19 jsing Exp $ */ +/* $OpenBSD: auth2-pubkey.c,v 1.53 2015/06/15 18:44:22 jsing Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -828,7 +828,7 @@ user_cert_trusted_ca(struct passwd *pw, Key *key) { char *ca_fp, *principals_file = NULL; const char *reason; - int ret = 0, found_principal = 0; + int ret = 0, found_principal = 0, use_authorized_principals; if (!key_is_cert(key) || options.trusted_user_ca_keys == NULL) return 0; @@ -856,9 +856,10 @@ user_cert_trusted_ca(struct passwd *pw, Key *key) /* Try querying command if specified */ if (!found_principal && match_principals_command(pw, key->cert)) found_principal = 1; - /* If principals file or command specify, then require a match here */ - if (!found_principal && (principals_file != NULL || - options.authorized_principals_command != NULL)) { + /* If principals file or command is specified, then require a match */ + use_authorized_principals = principals_file != NULL || + options.authorized_principals_command != NULL; + if (!found_principal && use_authorized_principals) { reason = "Certificate does not contain an authorized principal"; fail_reason: error("%s", reason); @@ -866,7 +867,7 @@ user_cert_trusted_ca(struct passwd *pw, Key *key) goto out; } if (key_cert_check_authority(key, 0, 1, - principals_file == NULL ? pw->pw_name : NULL, &reason) != 0) + use_authorized_principals ? NULL : pw->pw_name, &reason) != 0) goto fail_reason; if (auth_cert_options(key, pw) != 0) goto out; -- 2.20.1