/* $OpenBSD: auth2-pubkey.c,v 1.39 2013/12/30 23:52:27 djm Exp $ */
/*
 * Copyright (c) 2000 Markus Friedl.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

#include "includes.h"

#include <sys/types.h>
#include <sys/stat.h>
#include <sys/wait.h>

#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#ifdef HAVE_PATHS_H
# include <paths.h>
#endif
#include <pwd.h>
#include <signal.h>
#include <stdio.h>
#include <stdarg.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

#include "xmalloc.h"
#include "ssh.h"
#include "ssh2.h"
#include "packet.h"
#include "buffer.h"
#include "log.h"
#include "servconf.h"
#include "compat.h"
#include "key.h"
#include "hostfile.h"
#include "auth.h"
#include "pathnames.h"
#include "uidswap.h"
#include "auth-options.h"
#include "canohost.h"
#ifdef GSSAPI
#include "ssh-gss.h"
#endif
#include "monitor_wrap.h"
#include "misc.h"
#include "authfile.h"
#include "match.h"

/* import */
extern ServerOptions options;
extern u_char *session_id2;
extern u_int session_id2_len;

/*
 * Handle one "publickey" userauth request for authctxt.
 *
 * Reads the have_sig flag, the algorithm name and the key blob from the
 * current packet.  With a signature present, the signed data is rebuilt
 * locally and the request succeeds only if the key is authorised for the
 * user AND the signature verifies.  Without a signature the request is a
 * query: SSH2_MSG_USERAUTH_PK_OK is sent if the key would be acceptable
 * and the method is marked postponed.
 *
 * Returns 1 when the user is authenticated, 0 otherwise.
 */
static int
userauth_pubkey(Authctxt *authctxt)
{
	Buffer b;
	Key *key = NULL;
	char *pkalg, *userstyle;
	u_char *pkblob, *sig;
	u_int alen, blen, slen;
	int have_sig, pktype;
	int authenticated = 0;

	/* Reject before parsing anything when the user is not valid. */
	if (!authctxt->valid) {
		debug2("userauth_pubkey: disabled because of invalid user");
		return 0;
	}
	have_sig = packet_get_char();
	if (datafellows & SSH_BUG_PKAUTH) {
		debug2("userauth_pubkey: SSH_BUG_PKAUTH");
		/* no explicit pkalg given */
		pkblob = packet_get_string(&blen);
		buffer_init(&b);
		buffer_append(&b, pkblob, blen);
		/* so we have to extract the pkalg from the pkblob */
		pkalg = buffer_get_string(&b, &alen);
		buffer_free(&b);
	} else {
		pkalg = packet_get_string(&alen);
		pkblob = packet_get_string(&blen);
	}
	/*
	 * pkalg and pkblob both come from the client's packet; pkalg is
	 * passed to the log calls below with %s.
	 * NOTE(review): whether the log layer escapes control characters
	 * is not visible here - confirm.
	 */
	pktype = key_type_from_name(pkalg);
	if (pktype == KEY_UNSPEC) {
		/* this is perfectly legal */
		logit("userauth_pubkey: unsupported public key algorithm: %s",
		    pkalg);
		goto done;
	}
	key = key_from_blob(pkblob, blen);
	if (key == NULL) {
		error("userauth_pubkey: cannot decode key: %s", pkalg);
		goto done;
	}
	/* The decoded blob must be of the type the algorithm name claims. */
	if (key->type != pktype) {
		error("userauth_pubkey: type mismatch for decoded key "
		    "(received %d, expected %d)", key->type, pktype);
		goto done;
	}
	/* Refuse RSA keys from clients flagged with SSH_BUG_RSASIGMD5. */
	if (key_type_plain(key->type) == KEY_RSA &&
	    (datafellows & SSH_BUG_RSASIGMD5) != 0) {
		logit("Refusing RSA key because client uses unsafe "
		    "signature scheme");
		goto done;
	}
	if (have_sig) {
		sig = packet_get_string(&slen);
		packet_check_eom();
		/*
		 * Rebuild the data the client is expected to have signed.
		 * It starts with this connection's session identifier, so
		 * the signature is checked against session_id2 as well as
		 * the request fields.
		 */
		buffer_init(&b);
		if (datafellows & SSH_OLD_SESSIONID) {
			buffer_append(&b, session_id2, session_id2_len);
		} else {
			buffer_put_string(&b, session_id2, session_id2_len);
		}
		/* reconstruct packet */
		buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
		/* User name as "user" or "user:style" when a style is set. */
		xasprintf(&userstyle, "%s%s%s", authctxt->user,
		    authctxt->style ? ":" : "",
		    authctxt->style ? authctxt->style : "");
		buffer_put_cstring(&b, userstyle);
		free(userstyle);
		buffer_put_cstring(&b,
		    datafellows & SSH_BUG_PKSERVICE ?
		    "ssh-userauth" :
		    authctxt->service);
		if (datafellows & SSH_BUG_PKAUTH) {
			buffer_put_char(&b, have_sig);
		} else {
			buffer_put_cstring(&b, "publickey");
			buffer_put_char(&b, have_sig);
			buffer_put_cstring(&b, pkalg);
		}
		buffer_put_string(&b, pkblob, blen);
#ifdef DEBUG_PK
		buffer_dump(&b);
#endif
		/* Record the key details before the outcome is known. */
		pubkey_auth_info(authctxt, key, NULL);

		/*
		 * test for correct signature
		 *
		 * Both conditions are required; the authorisation lookup is
		 * evaluated first and key_verify() runs only if it passed.
		 */
		authenticated = 0;
		if (PRIVSEP(user_key_allowed(authctxt->pw, key)) &&
		    PRIVSEP(key_verify(key, sig, slen, buffer_ptr(&b),
		    buffer_len(&b))) == 1)
			authenticated = 1;
		buffer_free(&b);
		free(sig);
	} else {
		debug("test whether pkalg/pkblob are acceptable");
		packet_check_eom();

		/* XXX fake reply and always send PK_OK ? */
		/*
		 * XXX this allows testing whether a user is allowed
		 * to login: if you happen to have a valid pubkey this
		 * message is sent. the message is NEVER sent at all
		 * if a user is not allowed to login. is this an
		 * issue? -markus
		 */
		if (PRIVSEP(user_key_allowed(authctxt->pw, key))) {
			packet_start(SSH2_MSG_USERAUTH_PK_OK);
			packet_put_string(pkalg, alen);
			packet_put_string(pkblob, blen);
			packet_send();
			packet_write_wait();
			/* No signature yet: mark the method postponed. */
			authctxt->postponed = 1;
		}
	}
	/* Drop any key options that were set unless authentication succeeded. */
	if (authenticated != 1)
		auth_clear_options();
done:
	debug2("userauth_pubkey: authenticated %d pkalg %s", authenticated, pkalg);
	if (key != NULL)
		key_free(key);
	free(pkalg);
	free(pkblob);
	return authenticated;
}

/*
 * Pass a description of key to auth_info(): type and fingerprint for a
 * plain key; type, key ID, serial, CA type and CA fingerprint for a
 * certificate.  When fmt is non-NULL the formatted text is appended after
 * ", ".  Calls fatal() if the extra text cannot be formatted.
 */
void
pubkey_auth_info(Authctxt *authctxt, const Key *key, const char *fmt, ...)
{
	char *fingerprint, *detail = NULL;
	const char *sep, *tail;
	va_list args;
	int rc;

	if (fmt != NULL) {
		va_start(args, fmt);
		rc = vasprintf(&detail, fmt, args);
		va_end(args);
		if (rc < 0 || detail == NULL)
			fatal("%s: vasprintf failed", __func__);
	}
	/* Optional suffix: ", <detail>" or nothing at all. */
	sep = (detail != NULL) ? ", " : "";
	tail = (detail != NULL) ? detail : "";

	if (!key_is_cert(key)) {
		fingerprint = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
		auth_info(authctxt, "%s %s%s%s", key_type(key), fingerprint,
		    sep, tail);
	} else {
		/* For certificates the fingerprint is that of the signing CA. */
		fingerprint = key_fingerprint(key->cert->signature_key,
		    SSH_FP_MD5, SSH_FP_HEX);
		auth_info(authctxt, "%s ID %s (serial %llu) CA %s %s%s%s",
		    key_type(key), key->cert->key_id,
		    (unsigned long long)key->cert->serial,
		    key_type(key->cert->signature_key), fingerprint,
		    sep, tail);
	}
	free(fingerprint);
	free(detail);
}

/*
 * Test each principal named in cert against principal_list using
 * match_list().  Returns 1 at the first principal that matches and 0 if
 * none does.
 */
static int
match_principals_option(const char *principal_list, struct KeyCert *cert)
{
	u_int idx;
	char *hit;

	/* XXX percent_expand() sequences for authorized_principals? */

	for (idx = 0; idx < cert->nprincipals; idx++) {
		hit = match_list(cert->principals[idx], principal_list, NULL);
		if (hit == NULL)
			continue;
		debug3("matched principal from key options \"%.100s\"", hit);
		free(hit);
		return 1;
	}
	return 0;
}

/*
 * Look for one of cert's principals in the authorized principals file.
 *
 * The file is opened and read under the user's uid.  Each line is
 * stripped of leading whitespace, '#' comments and trailing whitespace;
 * when whitespace remains inside the line, the text after the last run
 * of it is the principal name and the line is handed to
 * auth_parse_options().  Names are compared with strcmp(), so only an
 * exact match counts.  Returns 1 when a principal matched and its
 * options were accepted, 0 otherwise.
 */
static int
match_principals_file(char *file, struct passwd *pw, struct KeyCert *cert)
{
	char line[SSH_MAX_PUBKEY_BYTES], *name, *end, *opts;
	FILE *fp;
	u_long linenum = 0;
	u_int n;
	int matched = 0;

	temporarily_use_uid(pw);
	debug("trying authorized principals file %s", file);
	fp = auth_openprincipals(file, pw, options.strict_modes);
	if (fp == NULL) {
		restore_uid();
		return 0;
	}
	/* Checking the flag first means no further line is read after a match. */
	while (!matched &&
	    read_keyfile_line(fp, file, line, sizeof(line), &linenum) != -1) {
		/* Skip leading whitespace. */
		name = line + strspn(line, " \t");
		/* Cut the line at a comment, then skip it if nothing is left. */
		end = strchr(name, '#');
		if (end != NULL)
			*end = '\0';
		if (*name == '\0' || *name == '\n')
			continue;
		/* Trim trailing whitespace. */
		for (end = name + strlen(name) - 1; end > name &&
		    (*end == '\n' || *end == ' ' || *end == '\t'); end--)
			*end = '\0';
		/*
		 * Internal whitespace means the line carries key options:
		 * the principal is whatever follows the last space (or, if
		 * there is no space, the last tab).  opts keeps pointing at
		 * the start of the line.
		 */
		opts = NULL;
		end = strrchr(name, ' ');
		if (end == NULL)
			end = strrchr(name, '\t');
		if (end != NULL) {
			end += strspn(end, " \t");
			opts = name;
			name = end;
		}
		for (n = 0; n < cert->nprincipals; n++) {
			if (strcmp(name, cert->principals[n]) != 0)
				continue;
			debug3("matched principal \"%.100s\" "
			    "from file \"%s\" on line %lu",
			    cert->principals[n], file, linenum);
			/* A match whose options are rejected does not count. */
			if (auth_parse_options(pw, opts, file, linenum) != 1)
				continue;
			matched = 1;
			break;
		}
	}
	fclose(fp);
	restore_uid();
	return matched;
}

/*
 * Checks whether key is allowed in authorized_keys-format file,
 * returns 1 if the key is allowed or 0 otherwise.
 *
 * f is an already opened stream; file is used for messages and is passed
 * on to auth_parse_options().  For a certificate, a line matches when it
 * holds the certificate's signing CA key; for a plain key, when it holds
 * the key itself.  Scanning stops at the first accepted line.
 *
 * NOTE(review): key_is_cert_authority and authorized_principals are not
 * declared in this function; presumably they are set by
 * auth_parse_options() and reset by auth_clear_options() - confirm
 * against auth-options.h.
 */
static int
check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
{
	char line[SSH_MAX_PUBKEY_BYTES];
	const char *reason;
	int found_key = 0;
	u_long linenum = 0;
	Key *found;
	char *fp;

	found_key = 0;

	found = NULL;
	while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
		char *cp, *key_options = NULL;
		/* Fresh key object per line; release the previous one. */
		if (found != NULL)
			key_free(found);
		found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);
		/* Options from an earlier line must not carry over. */
		auth_clear_options();

		/* Skip leading whitespace, empty and comment lines. */
		for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
			;
		if (!*cp || *cp == '\n' || *cp == '#')
			continue;

		if (key_read(found, &cp) != 1) {
			/* no key?  check if there are options for this key */
			int quoted = 0;
			debug2("user_key_allowed: check options: '%s'", cp);
			key_options = cp;
			/*
			 * Step over the options field: it ends at the first
			 * space or tab outside double quotes; \" inside it
			 * does not toggle the quoting state.
			 */
			for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) {
				if (*cp == '\\' && cp[1] == '"')
					cp++;	/* Skip both */
				else if (*cp == '"')
					quoted = !quoted;
			}
			/* Skip remaining whitespace. */
			for (; *cp == ' ' || *cp == '\t'; cp++)
				;
			if (key_read(found, &cp) != 1) {
				debug2("user_key_allowed: advance: '%s'", cp);
				/* still no key?  advance to next line */
				continue;
			}
		}
		if (key_is_cert(key)) {
			/* The line must hold the key that signed the certificate. */
			if (!key_equal(found, key->cert->signature_key))
				continue;
			if (auth_parse_options(pw, key_options, file,
			    linenum) != 1)
				continue;
			/* Only lines flagged as a certificate authority may vouch. */
			if (!key_is_cert_authority)
				continue;
			/* MD5 hex fingerprint, used below only in log messages. */
			fp = key_fingerprint(found, SSH_FP_MD5,
			    SSH_FP_HEX);
			debug("matching CA found: file %s, line %lu, %s %s",
			    file, linenum, key_type(found), fp);
			/*
			 * If the user has specified a list of principals as
			 * a key option, then prefer that list to matching
			 * their username in the certificate principals list.
			 */
			if (authorized_principals != NULL &&
			    !match_principals_option(authorized_principals,
			    key->cert)) {
				reason = "Certificate does not contain an "
				    "authorized principal";
				/*
				 * Shared rejection path: also reached by the
				 * goto below, with reason set by
				 * key_cert_check_authority().
				 */
 fail_reason:
				free(fp);
				error("%s", reason);
				auth_debug_add("%s", reason);
				continue;
			}
			/*
			 * The user name is passed only when no principals
			 * list was given as a key option.
			 */
			if (key_cert_check_authority(key, 0, 0,
			    authorized_principals == NULL ? pw->pw_name : NULL,
			    &reason) != 0)
				goto fail_reason;
			if (auth_cert_options(key, pw) != 0) {
				free(fp);
				continue;
			}
			verbose("Accepted certificate ID \"%s\" "
			    "signed by %s CA %s via %s", key->cert->key_id,
			    key_type(found), fp, file);
			free(fp);
			found_key = 1;
			break;
		} else if (key_equal(found, key)) {
			if (auth_parse_options(pw, key_options, file,
			    linenum) != 1)
				continue;
			/* A line flagged as a CA does not authorise a plain key. */
			if (key_is_cert_authority)
				continue;
			found_key = 1;
			fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
			debug("matching key found: file %s, line %lu %s %s",
			    file, linenum, key_type(found), fp);
			free(fp);
			break;
		}
	}
	if (found != NULL)
		key_free(found);
	if (!found_key)
		debug2("key not found");
	return found_key;
}

/*
 * Authenticate a certificate key against TrustedUserCAKeys.
 *
 * Returns 0 at once when key is not a certificate or no trusted CA file
 * is configured.  Otherwise the certificate's signing key must be listed
 * in that file, its principals must match (the authorized principals
 * file when one is returned for the user, else the user's name), and
 * its options must be accepted.  Returns 1 on acceptance, 0 otherwise.
 */
static int
user_cert_trusted_ca(struct passwd *pw, Key *key)
{
	char *pfile = NULL, *ca_fingerprint;
	const char *reason;
	int accepted = 0;

	if (!(key_is_cert(key) && options.trusted_user_ca_keys != NULL))
		return 0;

	/* MD5 hex fingerprint of the CA key; used only in the messages below. */
	ca_fingerprint = key_fingerprint(key->cert->signature_key,
	    SSH_FP_MD5, SSH_FP_HEX);

	if (key_in_file(key->cert->signature_key,
	    options.trusted_user_ca_keys, 1) != 1) {
		debug2("%s: CA %s %s is not listed in %s", __func__,
		    key_type(key->cert->signature_key), ca_fingerprint,
		    options.trusted_user_ca_keys);
		goto out;
	}
	/*
	 * If AuthorizedPrincipals is in use, then compare the certificate
	 * principals against the names in that file rather than matching
	 * against the username.
	 */
	pfile = authorized_principals_file(pw);
	if (pfile != NULL &&
	    !match_principals_file(pfile, pw, key->cert)) {
		reason = "Certificate does not contain an "
		    "authorized principal";
		goto reject;
	}
	/* The user name is checked only when no principals file applies. */
	if (key_cert_check_authority(key, 0, 1,
	    pfile == NULL ? pw->pw_name : NULL, &reason) != 0)
		goto reject;
	if (auth_cert_options(key, pw) != 0)
		goto out;

	verbose("Accepted certificate ID \"%s\" signed by %s CA %s via %s",
	    key->cert->key_id, key_type(key->cert->signature_key),
	    ca_fingerprint, options.trusted_user_ca_keys);
	accepted = 1;
	goto out;

 reject:
	/* Report why the certificate was refused, then clean up. */
	error("%s", reason);
	auth_debug_add("%s", reason);
 out:
	free(pfile);
	free(ca_fingerprint);
	return accepted;
}

/*
 * Checks whether key is allowed in file.
 * Returns 1 if the key is allowed or 0 otherwise.
 *
 * The file is opened and scanned while temporarily running with the
 * user's uid; the previous uid is restored before returning.  A file
 * that cannot be opened counts as "not allowed".
 */
static int
user_key_allowed2(struct passwd *pw, Key *key, char *file)
{
	int allowed = 0;
	FILE *keyfile;

	temporarily_use_uid(pw);

	debug("trying public key file %s", file);
	keyfile = auth_openkeyfile(file, pw, options.strict_modes);
	if (keyfile != NULL) {
		allowed = check_authkeys_file(keyfile, file, key, pw);
		fclose(keyfile);
	}

	restore_uid();
	return allowed;
}

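/*
 * Checks whether key is allowed in output of command.
 * returns 1 if the key is allowed or 0 otherwise.
 *
 * The configured AuthorizedKeysCommand must be an absolute path and must
 * pass auth_secure_path().  It is run in a child process as the
 * AuthorizedKeysCommandUser account, with the name of the user being
 * authenticated as its only argument; its standard output is parsed as
 * an authorized_keys file.  A match is honoured only if the command also
 * exits with status 0 and is not killed by a signal.
 */
static int
user_key_command_allowed2(struct passwd *user_pw, Key *key)
{
	FILE *f;
	int ok, found_key = 0;
	struct passwd *pw;
	struct stat st;
	int status, devnull, p[2], i;
	pid_t pid;
	char *username, errmsg[512];

	/* Nothing to do unless an absolute command path is configured. */
	if (options.authorized_keys_command == NULL ||
	    options.authorized_keys_command[0] != '/')
		return 0;

	if (options.authorized_keys_command_user == NULL) {
		error("No user for AuthorizedKeysCommand specified, skipping");
		return 0;
	}

	/* %u in the configured user name expands to the target user. */
	username = percent_expand(options.authorized_keys_command_user,
	    "u", user_pw->pw_name, (char *)NULL);
	pw = getpwnam(username);
	if (pw == NULL) {
		error("AuthorizedKeysCommandUser \"%s\" not found: %s",
		    username, strerror(errno));
		free(username);
		return 0;
	}
	free(username);

	/* Check the command's path while running as the command user. */
	temporarily_use_uid(pw);

	if (stat(options.authorized_keys_command, &st) < 0) {
		error("Could not stat AuthorizedKeysCommand \"%s\": %s",
		    options.authorized_keys_command, strerror(errno));
		goto out;
	}
	if (auth_secure_path(options.authorized_keys_command, &st, NULL, 0,
	    errmsg, sizeof(errmsg)) != 0) {
		error("Unsafe AuthorizedKeysCommand: %s", errmsg);
		goto out;
	}

	if (pipe(p) != 0) {
		error("%s: pipe: %s", __func__, strerror(errno));
		goto out;
	}

	debug3("Running AuthorizedKeysCommand: \"%s %s\" as \"%s\"",
	    options.authorized_keys_command, user_pw->pw_name, pw->pw_name);

	/*
	 * Don't want to call this in the child, where it can fatal() and
	 * run cleanup_exit() code.
	 */
	restore_uid();

	switch ((pid = fork())) {
	case -1: /* error */
		error("%s: fork: %s", __func__, strerror(errno));
		close(p[0]);
		close(p[1]);
		return 0;
	case 0: /* child */
		for (i = 0; i < NSIG; i++)
			signal(i, SIG_DFL);

		if ((devnull = open(_PATH_DEVNULL, O_RDWR)) == -1) {
			error("%s: open %s: %s", __func__, _PATH_DEVNULL,
			    strerror(errno));
			_exit(1);
		}
		/* Keep stderr around a while longer to catch errors */
		if (dup2(devnull, STDIN_FILENO) == -1 ||
		    dup2(p[1], STDOUT_FILENO) == -1) {
			error("%s: dup2: %s", __func__, strerror(errno));
			_exit(1);
		}
		closefrom(STDERR_FILENO + 1);

		/*
		 * Replace the supplementary groups inherited from the parent
		 * with those of the command user before changing gid/uid:
		 * setresgid() and setresuid() leave the supplementary group
		 * list untouched, so without this the command would keep the
		 * group memberships this process had at fork().  Only
		 * attempted with euid 0 because initgroups() needs privilege.
		 */
		if (geteuid() == 0 &&
		    initgroups(pw->pw_name, pw->pw_gid) == -1) {
			error("initgroups(%s, %u): %s", pw->pw_name,
			    (u_int)pw->pw_gid, strerror(errno));
			_exit(1);
		}
		/* Don't use permanently_set_uid() here to avoid fatal() */
		if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) != 0) {
			error("setresgid %u: %s", (u_int)pw->pw_gid,
			    strerror(errno));
			_exit(1);
		}
		if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) != 0) {
			error("setresuid %u: %s", (u_int)pw->pw_uid,
			    strerror(errno));
			_exit(1);
		}
		/* stdin is pointed to /dev/null at this point */
		if (dup2(STDIN_FILENO, STDERR_FILENO) == -1) {
			error("%s: dup2: %s", __func__, strerror(errno));
			_exit(1);
		}

		/* Explicit argv, no shell: the user name is a single argument. */
		execl(options.authorized_keys_command,
		    options.authorized_keys_command, user_pw->pw_name, NULL);

		error("AuthorizedKeysCommand %s exec failed: %s",
		    options.authorized_keys_command, strerror(errno));
		_exit(127);
	default: /* parent */
		break;
	}

	/* Read the command's output as the command user. */
	temporarily_use_uid(pw);

	close(p[1]);
	if ((f = fdopen(p[0], "r")) == NULL) {
		error("%s: fdopen: %s", __func__, strerror(errno));
		close(p[0]);
		/* Don't leave zombie child */
		kill(pid, SIGTERM);
		while (waitpid(pid, NULL, 0) == -1 && errno == EINTR)
			;
		goto out;
	}
	ok = check_authkeys_file(f, options.authorized_keys_command, key, pw);
	fclose(f);

	while (waitpid(pid, &status, 0) == -1) {
		if (errno != EINTR) {
			error("%s: waitpid: %s", __func__, strerror(errno));
			goto out;
		}
	}
	/*
	 * A key match is discarded unless the command exited cleanly, so
	 * output from a crashed or failing helper is never trusted.
	 */
	if (WIFSIGNALED(status)) {
		error("AuthorizedKeysCommand %s exited on signal %d",
		    options.authorized_keys_command, WTERMSIG(status));
		goto out;
	} else if (WEXITSTATUS(status) != 0) {
		error("AuthorizedKeysCommand %s returned status %d",
		    options.authorized_keys_command, WEXITSTATUS(status));
		goto out;
	}
	found_key = ok;
 out:
	restore_uid();
	return found_key;
}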

/*
 * Check whether key authenticates and authorises the user.
 *
 * Revoked keys, and certificates signed by a revoked CA key, are refused
 * first.  After that the sources are tried in order and the first that
 * accepts wins: trusted user CA keys, the AuthorizedKeysCommand, then
 * each configured authorized keys file (entries named "none" are
 * skipped).  Returns non-zero if the key is accepted, 0 otherwise.
 */
int
user_key_allowed(struct passwd *pw, Key *key)
{
	u_int allowed, idx;
	char *path;

	if (auth_key_is_revoked(key))
		return 0;
	if (key_is_cert(key) && auth_key_is_revoked(key->cert->signature_key))
		return 0;

	if ((allowed = user_cert_trusted_ca(pw, key)) != 0)
		return allowed;

	if ((allowed = user_key_command_allowed2(pw, key)) > 0)
		return allowed;

	for (idx = 0; idx < options.num_authkeys_files; idx++) {
		if (strcasecmp(options.authorized_keys_files[idx], "none") == 0)
			continue;
		path = expand_authorized_keys(
		    options.authorized_keys_files[idx], pw);
		allowed = user_key_allowed2(pw, key, path);
		free(path);
		/* Stop at the first file that accepts the key. */
		if (allowed)
			break;
	}

	return allowed;
}

/*
 * Method table entry for public key authentication: the string
 * "publickey", the userauth_pubkey() handler and a pointer to
 * options.pubkey_authentication.
 * NOTE(review): presumably the pointed-to option decides whether the
 * method is offered; the Authmethod layout is declared elsewhere -
 * confirm.
 */
Authmethod method_pubkey = {
	"publickey",
	userauth_pubkey,
	&options.pubkey_authentication
};