author | djm@openbsd.org <djm@openbsd.org> | 2024-12-06 17:24:27 +0100 |
committer | Damien Miller <djm@mindrot.org> | 2024-12-07 11:19:02 +0100 |
commit | 85f0c1e75e8f6c5d83b8070918ee2f6ab16d403e (patch) | |
tree | 0d367a345158e4ad0b0543497df368cc1f512f94 | |
parent | upstream: support VersionAddendum in the client, mirroring the (diff) | |
upstream: allow glob(3) patterns for sshd_config AuthorizedKeysFile
and AuthorizedPrincipalsFile directives; bz2755 ok dtucker
OpenBSD-Commit-ID: 3e3e05a17fca39bba78b993a07b44664519adf7f
-rw-r--r-- | auth2-pubkey.c | 86 | ||||
-rw-r--r-- | sshd_config.5 | 8 |
2 files changed, 75 insertions, 19 deletions
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index 7580db78d..c1fef9046 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-pubkey.c,v 1.120 2024/05/17 00:30:23 djm Exp $ */
+/* $OpenBSD: auth2-pubkey.c,v 1.121 2024/12/06 16:24:27 djm Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl. All rights reserved.
 * Copyright (c) 2010 Damien Miller. All rights reserved.
@@ -41,6 +41,11 @@
 #include <time.h>
 #include <unistd.h>
 #include <limits.h>
+#ifdef USE_SYSTEM_GLOB
+# include <glob.h>
+#else
+# include "openbsd-compat/glob.h"
+#endif
 
 #include "xmalloc.h"
 #include "ssh.h"
@@ -319,20 +324,51 @@ match_principals_file(struct passwd *pw, char *file, struct sshkey_cert *cert,
 struct sshauthopt **authoptsp)
 {
 FILE *f;
- int success;
+ int r, success = 0;
+ size_t i;
+ glob_t gl;
+ struct sshauthopt *opts = NULL;
 
 if (authoptsp != NULL)
 *authoptsp = NULL;
 
 temporarily_use_uid(pw);
- debug("trying authorized principals file %s", file);
- if ((f = auth_openprincipals(file, pw, options.strict_modes)) == NULL) {
- restore_uid();
+ r = glob(file, 0, NULL, &gl);
+ restore_uid();
+ if (r != 0) {
+ if (r != GLOB_NOMATCH) {
+ logit_f("glob \"%s\" failed", file);
+ }
 return 0;
+ } else if (gl.gl_pathc > INT_MAX) {
+ fatal_f("too many glob results for \"%s\"", file);
+ } else if (gl.gl_pathc > 1) {
+ debug2_f("glob \"%s\" returned %zu matches", file,
+ gl.gl_pathc);
+ }
+ for (i = 0; !success && i < gl.gl_pathc; i++) {
+ temporarily_use_uid(pw);
+ debug("trying authorized principals file %s", file);
+ if ((f = auth_openprincipals(gl.gl_pathv[i], pw,
+ options.strict_modes)) == NULL) {
+ restore_uid();
+ continue;
+ }
+ success = auth_process_principals(f, gl.gl_pathv[i],
+ cert, &opts);
+ fclose(f);
+ restore_uid();
+ if (!success) {
+ sshauthopt_free(opts);
+ opts = NULL;
+ }
 }
- success = auth_process_principals(f, file, cert, authoptsp);
- fclose(f);
- restore_uid();
+ globfree(&gl);
+ if (success && authoptsp != NULL) {
+ *authoptsp = opts;
+ opts = NULL;
+ }
+ sshauthopt_free(opts);
 return success;
 }
 
@@ -753,7 +789,7 @@ int
 user_key_allowed(struct ssh *ssh, struct passwd *pw, struct sshkey *key,
 int auth_attempt, struct sshauthopt **authoptsp)
 {
- u_int success = 0, i;
+ u_int success = 0, i, j;
 char *file, *conn_id;
 struct sshauthopt *opts = NULL;
 const char *rdomain, *remote_ip, *remote_host;
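Review bot: Inside the new loop, `debug("trying authorized principals file %s", file);` still prints the glob pattern rather than the path that is actually opened, so when a pattern matches several files the log repeats the same string for every candidate and cannot tell the operator which file supplied the principal; the line should read `debug("trying authorized principals file %s", gl.gl_pathv[i]);`. A related diagnostic regression: on GLOB_NOMATCH the function now returns 0 without any message, whereas the old code always emitted the "trying" line before the open (and the open failure was presumably reported below it), and a pattern without wildcards naming a missing file also yields GLOB_NOMATCH, so a mistyped or absent AuthorizedPrincipalsFile leaves no trace at debug level; a `debug2_f("glob \"%s\" matched no files", file);` before the `return 0;` would restore that. The same silent skip on GLOB_NOMATCH appears in the user_key_allowed hunk below.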
@@ -776,17 +812,37 @@ user_key_allowed(struct ssh *ssh, struct passwd *pw, struct sshkey *key,
 remote_ip, ssh_remote_port(ssh));
 
 for (i = 0; !success && i < options.num_authkeys_files; i++) {
+ int r;
+ glob_t gl;
+
 if (strcasecmp(options.authorized_keys_files[i], "none") == 0)
 continue;
 file = expand_authorized_keys(
 options.authorized_keys_files[i], pw);
- success = user_key_allowed2(pw, key, file,
- remote_ip, remote_host, &opts);
- free(file);
- if (!success) {
- sshauthopt_free(opts);
- opts = NULL;
+ temporarily_use_uid(pw);
+ r = glob(file, 0, NULL, &gl);
+ restore_uid();
+ if (r != 0) {
+ if (r != GLOB_NOMATCH) {
+ logit_f("glob \"%s\" failed", file);
+ }
+ continue;
+ } else if (gl.gl_pathc > INT_MAX) {
+ fatal_f("too many glob results for \"%s\"", file);
+ } else if (gl.gl_pathc > 1) {
+ debug2_f("glob \"%s\" returned %zu matches", file,
+ gl.gl_pathc);
 }
+ for (j = 0; !success && j < gl.gl_pathc; j++) {
+ success = user_key_allowed2(pw, key, gl.gl_pathv[j],
+ remote_ip, remote_host, &opts);
+ if (!success) {
+ sshauthopt_free(opts);
+ opts = NULL;
+ }
+ }
+ free(file);
+ globfree(&gl);
 }
 if (success)
 goto out;
diff --git a/sshd_config.5 b/sshd_config.5
index ab71970b9..c3d76bc62 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.379 2024/12/05 22:45:03 naddy Exp $
-.Dd $Mdocdate: December 5 2024 $
+.\" $OpenBSD: sshd_config.5,v 1.380 2024/12/06 16:24:27 djm Exp $
+.Dd $Mdocdate: December 6 2024 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -279,7 +279,7 @@ The format is described in the AUTHORIZED_KEYS FILE FORMAT section of
 .Xr sshd 8 .
 Arguments to
 .Cm AuthorizedKeysFile
-accept the tokens described in the
+may include wildcards and accept the tokens described in the
 .Sx TOKENS
 section.
 After expansion,
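Review bot: The `continue;` on the glob failure path leaks `file`: expand_authorized_keys() returns an allocation that the old code released with `free(file)` right after use, but the new code only frees it after the inner `for (j ...)` loop, so every iteration that takes the `r != 0` branch — including GLOB_NOMATCH, which glob() also returns for a plain path naming a file that does not exist, i.e. the common case of a user with no authorized_keys file — leaks one expanded path per authentication attempt. Add `free(file);` immediately before that `continue;`. The `fatal_f` branch needs no release since the process terminates there. user_key_allowed's body continues outside the hunk.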
@@ -348,7 +348,7 @@ are ignored.
 .Pp
 Arguments to
 .Cm AuthorizedPrincipalsFile
-accept the tokens described in the
+may include wildcards and accept the tokens described in the
 .Sx TOKENS
 section.
 After expansion, |