
[openssh] 02/02: upstream: for public key authentication, check AuthorizedKeysFiles
This is an automated email from the git hooks/post-receive script.

djm pushed a commit to branch master
in repository openssh.

commit c95b90d40170473825904be561b1eafba354f376
Author: djm@openbsd.org <djm@openbsd.org>
Date: Fri Jun 14 03:39:59 2019 +0000

upstream: for public key authentication, check AuthorizedKeysFiles

files before consulting AuthorizedKeysCommand; ok dtucker markus

OpenBSD-Commit-ID: 13652998bea5cb93668999c39c3c48e8429db8b3
---
auth2-pubkey.c | 31 +++++++++++++++++++------------
1 file changed, 19 insertions(+), 12 deletions(-)

diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index 3422b518..4e01b605 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-pubkey.c,v 1.88 2019/05/20 00:25:55 djm Exp $ */
+/* $OpenBSD: auth2-pubkey.c,v 1.89 2019/06/14 03:39:59 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
@@ -1014,9 +1014,10 @@ int
user_key_allowed(struct ssh *ssh, struct passwd *pw, struct sshkey *key,
int auth_attempt, struct sshauthopt **authoptsp)
{
- u_int success, i;
+ u_int success = 0, i;
char *file;
struct sshauthopt *opts = NULL;
+
if (authoptsp != NULL)
*authoptsp = NULL;

@@ -1026,16 +1027,6 @@ user_key_allowed(struct ssh *ssh, struct passwd *pw, struct sshkey *key,
auth_key_is_revoked(key->cert->signature_key))
return 0;

- if ((success = user_cert_trusted_ca(ssh, pw, key, &opts)) != 0)
- goto out;
- sshauthopt_free(opts);
- opts = NULL;
-
- if ((success = user_key_command_allowed2(ssh, pw, key, &opts)) != 0)
- goto out;
- sshauthopt_free(opts);
- opts = NULL;
-
for (i = 0; !success && i < options.num_authkeys_files; i++) {
if (strcasecmp(options.authorized_keys_files[i], "none") == 0)
continue;
@@ -1043,7 +1034,23 @@ user_key_allowed(struct ssh *ssh, struct passwd *pw, struct sshkey *key,
options.authorized_keys_files[i], pw);
success = user_key_allowed2(ssh, pw, key, file, &opts);
free(file);
+ if (!success) {
+ sshauthopt_free(opts);
+ opts = NULL;
+ }
}
+ if (success)
+ goto out;
+
+ if ((success = user_cert_trusted_ca(ssh, pw, key, &opts)) != 0)
+ goto out;
+ sshauthopt_free(opts);
+ opts = NULL;
+
+ if ((success = user_key_command_allowed2(ssh, pw, key, &opts)) != 0)
+ goto out;
+ sshauthopt_free(opts);
+ opts = NULL;

out:
if (success && authoptsp != NULL) {
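Review bot: The reordering also moves `user_cert_trusted_ca()` behind the AuthorizedKeysFiles loop, but the commit message names only AuthorizedKeysCommand, so this second precedence change is undocumented. Each source that succeeds jumps to `out` with its own `opts`, so a certificate accepted by both an authorized_keys entry and a trusted CA would presumably now carry the file entry's restrictions rather than those from the CA path; `out:` is only partly visible, so confirm this there. A comment above the `for` loop would make the order explicit, e.g. `/* First match wins and supplies the auth options: AuthorizedKeysFiles, then trusted CA, then AuthorizedKeysCommand. */`. The new `if (!success)` cleanup in the loop is also worth a short why-comment, saying that options from a non-matching file must not carry over to the next source. The body of `user_key_allowed()` starts and ends outside this hunk.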
