diff -r 5cd44c531fd3 -r d77879a34d02 Makefile.in
--- a/Makefile.in	Sun Apr 29 03:51:50 2007 -0400
+++ b/Makefile.in	Sun Apr 29 03:56:51 2007 -0400
@@ -89,7 +89,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
 	auth-krb5.o \
 	auth2-gss.o gss-serv.o gss-serv-krb5.o \
 	loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
-	audit.o audit-bsm.o platform.o
+	audit.o audit-bsm.o platform.o cdbauth.o
 
 MANPAGES	= scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out sshd_config.5.out ssh_config.5.out
 MANPAGES_IN	= scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 sshd_config.5 ssh_config.5
diff -r 5cd44c531fd3 -r d77879a34d02 auth-rsa.c
--- a/auth-rsa.c	Sun Apr 29 03:51:50 2007 -0400
+++ b/auth-rsa.c	Sun Apr 29 03:56:51 2007 -0400
@@ -175,6 +175,89 @@ auth_rsa_key_allowed(struct passwd *pw, 
 	u_long linenum = 0;
 	struct stat st;
 	Key *key;
+#ifdef WITH_CDB_PUBKEY
+	cdbauth_key_t * k;
+#endif
+
+
+#ifdef WITH_CDB_PUBKEY_
+	/* here is the job */
+	key = key_new(KEY_RSA1);
+
+	if (options.cdbpk.on) {
+	    debug("[CDB] trying first uid=%s", pw->pw_name);
+		if ( (k = cdb_getuserkey(&options.cdbpk, pw->pw_name)) != NULL) {
+		  for(i = 0; i < 1; i++) {
+			char *cp, *options = NULL;
+
+			for (cp = k->key; *cp == ' ' || *cp == '\t'; cp++)
+			    ;
+			if (!*cp || *cp == '\n' || *cp == '#')
+			    continue;
+
+			/*
+			* Check if there are options for this key, and if so,
+			* save their starting address and skip the option part
+			* for now.  If there are no options, set the starting
+			* address to NULL.
+			 */
+			if (*cp < '0' || *cp > '9') {
+			    int quoted = 0;
+			    options = cp;
+			    for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) {
+				if (*cp == '\\' && cp[1] == '"')
+				    cp++;	/* Skip both */
+				else if (*cp == '"')
+				    quoted = !quoted;
+			    }
+			} else
+			    options = NULL;
+
+			/* Parse the key from the line. */
+			if (hostfile_read_key(&cp, &bits, key) == 0) {
+			    debug("[CDB] line %d: non ssh1 key syntax", i);
+			    continue;
+			}
+			/* cp now points to the comment part. */
+
+			/* Check if the we have found the desired key (identified by its modulus). */
+			if (BN_cmp(key->rsa->n, client_n) != 0)
+			    continue;
+
+			/* check the real bits  */
+			if (bits != (unsigned int)BN_num_bits(key->rsa->n))
+			    logit("[CDB] Warning: cdb, line %lu: keysize mismatch: "
+				    "actual %d vs. announced %d.", (unsigned long)i, BN_num_bits(key->rsa->n), bits);
+
+			/* We have found the desired key. */
+			/*
+			* If our options do not allow this key to be used,
+			* do not send challenge.
+			 */
+			if (!auth_parse_options(pw, options, "[cdb]", (unsigned long) i))
+			    continue;
+
+			/* break out, this key is allowed */
+			allowed = 1;
+
+			/* add the return stuff etc... */
+
+			/* return key if allowed */
+			if (allowed && rkey != NULL)
+			    *rkey = key;
+			else
+			    key_free(key);
+
+			free(k->key);
+			free(k);
+
+			return (allowed);
+		  }
+		} else {
+		    logit("[CDB] no keys found for '%s'!", pw->pw_name);
+		}
+	}
+#endif
 
 	/* Temporarily use the user's uid. */
 	temporarily_use_uid(pw);
diff -r 5cd44c531fd3 -r d77879a34d02 auth2-pubkey.c
--- a/auth2-pubkey.c	Sun Apr 29 03:51:50 2007 -0400
+++ b/auth2-pubkey.c	Sun Apr 29 03:56:51 2007 -0400
@@ -53,6 +53,10 @@
 #include "monitor_wrap.h"
 #include "misc.h"
 
+#ifdef WITH_CDB_PUBKEY
+#include "cdbauth.h"
+#endif
+
 /* import */
 extern ServerOptions options;
 extern u_char *session_id2;
@@ -186,10 +190,82 @@ user_key_allowed2(struct passwd *pw, Key
 	struct stat st;
 	Key *found;
 	char *fp;
-
+#ifdef WITH_CDB_PUBKEY
+	cdbauth_key_t * k;
+#endif
+
+
+#ifdef WITH_CDB_PUBKEY
+ 	found_key = 0;
+ 	found = key_new(key->type);
+ 
+	if (options.cdbpk.on) {
+	    debug("[CDB] trying first uid=%s",pw->pw_name);
+	    
+	    if ((k = cdbauth_getuserkey(&options.cdbpk, pw->pw_name)) != NULL) {
+	      linenum = 0;
+
+	      debug("[cdb] found user entry in db");
+
+	      while (cdbauth_read_keyfile_line(k, line, sizeof(line), &linenum) != -1) {
+		char *cp, *key_options = NULL;
+
+		debug("[cdb] line: %s", line);
+
+		/* Skip leading whitespace, empty and comment lines. */
+		for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
+			;
+		if (!*cp || *cp == '\n' || *cp == '#')
+			continue;
+
+		if (key_read(found, &cp) != 1) {
+			/* no key?  check if there are options for this key */
+			int quoted = 0;
+			debug2("[cdb] user_key_allowed: check options: '%s'", cp);
+			key_options = cp;
+			for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) {
+				if (*cp == '\\' && cp[1] == '"')
+					cp++;	/* Skip both */
+				else if (*cp == '"')
+					quoted = !quoted;
+			}
+			/* Skip remaining whitespace. */
+			for (; *cp == ' ' || *cp == '\t'; cp++)
+				;
+			if (key_read(found, &cp) != 1) {
+				debug2("[cdb] user_key_allowed: advance: '%s'", cp);
+				/* still no key?  advance to next line*/
+				continue;
+			}
+		}
+		if (key_equal(found, key) &&
+		    auth_parse_options(pw, key_options, "[cdb]", linenum) == 1) {
+			found_key = 1;
+		
+			fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
+			verbose("[cdb] Found matching %s key: %s", key_type(found), fp);
+			xfree(fp);
+
+			cdbauth_free_key(k);
+			key_free(found);
+			return found_key;
+		}
+	      }
+	      
+	      cdbauth_free_key(k);
+	      key_free(found);
+	    }
+	    else {
+	      debug("[CDB] no key entry found for '%s'", pw->pw_name);
+	    }
+	}
+
+	linenum = 0;
+#endif
+	
 	/* Temporarily use the user's uid. */
 	temporarily_use_uid(pw);
-
+	
 	debug("trying public key file %s", file);
 
 	/* Fail quietly if file does not exist */
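Review bot: The CDB is opened and parsed before `temporarily_use_uid(pw)`, so before the uid switch, and nothing visible in this commit checks who owns `options.cdbpk.pkfile` or whether it is group- or world-writable. Since one file supplies keys for every account, a database writable by an unprivileged user would let that user authorise a key for any other account. A root-ownership and mode check via `fstat()` before the lookup would close that, and the empty `if (options.cdbpk.on) { }` stub added to sshd.c is a natural place for a matching startup check. Separately, `found = key_new(key->type);` runs even when `options.cdbpk.on` is 0 or no entry exists, and on those paths it is not freed in the visible lines; moving the allocation inside the `cdbauth_getuserkey(...) != NULL` branch fixes it. `debug("[cdb] line: %s", line)` also writes each stored key line, options included, to the debug log. user_key_allowed2 continues outside the hunk.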
diff -r 5cd44c531fd3 -r d77879a34d02 servconf.c
--- a/servconf.c	Sun Apr 29 03:51:50 2007 -0400
+++ b/servconf.c	Sun Apr 29 03:56:51 2007 -0400
@@ -39,6 +39,10 @@
 #include "match.h"
 #include "channels.h"
 #include "groupaccess.h"
+
+#ifdef WITH_CDB_PUBKEY
+#include "cdbauth.h"
+#endif
 
 static void add_listen_addr(ServerOptions *, char *, u_short);
 static void add_one_listen_addr(ServerOptions *, char *, u_short);
@@ -122,6 +126,12 @@ initialize_server_options(ServerOptions 
 	options->permit_tun = -1;
 	options->num_permitted_opens = -1;
 	options->adm_forced_command = NULL;
+
+#ifdef WITH_CDB_PUBKEY
+	options->cdbpk.on = -1;
+	options->cdbpk.pkfile = NULL;
+#endif
+
 }
 
 void
@@ -249,6 +259,12 @@ fill_default_server_options(ServerOption
 		options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
 	if (options->permit_tun == -1)
 		options->permit_tun = SSH_TUNMODE_NO;
+#ifdef WITH_CDB_PUBKEY
+	if (options->cdbpk.on == -1)
+	    options->cdbpk.on = _DEFAULT_CDBPK_ON;
+	if (options->cdbpk.pkfile == NULL)
+	    options->cdbpk.pkfile = _DEFAULT_CDBPK_PKFILE;
+#endif
 
 	/* Turn privilege separation on by default */
 	if (use_privsep == -1)
@@ -294,6 +310,9 @@ typedef enum {
 	sMatch, sPermitOpen, sForceCommand,
 	sUsePrivilegeSeparation,
 	sDeprecated, sUnsupported
+#ifdef WITH_CDB_PUBKEY
+	,sCdbPublicKey, sCdbPkFile
+#endif
 } ServerOpCodes;
 
 #define SSHCFG_GLOBAL	0x01	/* allowed in main section of sshd_config */
@@ -397,6 +416,10 @@ static struct {
 	{ "clientalivecountmax", sClientAliveCountMax, SSHCFG_GLOBAL },
 	{ "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_GLOBAL },
 	{ "authorizedkeysfile2", sAuthorizedKeysFile2, SSHCFG_GLOBAL },
+#ifdef WITH_CDB_PUBKEY
+	{ _DEFAULT_CDBPK_TOKEN,  sCdbPublicKey, SSHCFG_GLOBAL },
+	{ _DEFAULT_PKFILE_TOKEN, sCdbPkFile, SSHCFG_GLOBAL },
+#endif
 	{ "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL },
 	{ "acceptenv", sAcceptEnv, SSHCFG_GLOBAL },
 	{ "permittunnel", sPermitTunnel, SSHCFG_GLOBAL },
@@ -1266,6 +1289,19 @@ parse_flag:
 		while (arg)
 		    arg = strdelim(&cp);
 		break;
+#ifdef WITH_CDB_PUBKEY
+	case sCdbPublicKey:
+		intptr = &options->cdbpk.on;
+		goto parse_flag;
+	case sCdbPkFile:
+		arg = cp;
+		if (!arg || *arg == '\0')
+		    fatal("%s line %d: missing CdbPkFile", filename, linenum);
+		arg[strlen(arg)] = '\0';
+		options->cdbpk.pkfile = xstrdup(arg);
+		memset(arg, 0, strlen(arg));
+		break;
+#endif
 
 	default:
 		fatal("%s line %d: Missing handler for opcode %s (%d)",
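Review bot: In the `sCdbPkFile` case, `arg = cp;` takes the whole remainder of the config line as the path instead of one token, so trailing whitespace or extra words would end up in `options->cdbpk.pkfile`. `arg[strlen(arg)] = '\0';` rewrites the terminator that is already there, and `memset(arg, 0, strlen(arg));` appears to exist only to blank the rest of the line. Using the tokenizer visible in the case just above, `arg = strdelim(&cp);`, and dropping those two lines would let this keyword go through the same end-of-line handling as the others. A repeated `CdbPkFile` line also overwrites the earlier `xstrdup` result without freeing it; guarding the assignment with `if (options->cdbpk.pkfile == NULL)` would make the first occurrence win. The enclosing switch starts outside the hunk.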
diff -r 5cd44c531fd3 -r d77879a34d02 servconf.h
--- a/servconf.h	Sun Apr 29 03:51:50 2007 -0400
+++ b/servconf.h	Sun Apr 29 03:56:51 2007 -0400
@@ -15,6 +15,10 @@
 
 #ifndef SERVCONF_H
 #define SERVCONF_H
+
+#ifdef WITH_CDB_PUBKEY
+#include "cdbauth.h"
+#endif
 
 #define MAX_PORTS		256	/* Max # ports. */
 
@@ -139,6 +143,9 @@ typedef struct {
 	int	use_pam;		/* Enable auth via PAM */
 
 	int	permit_tun;
+#ifdef WITH_CDB_PUBKEY
+        cdb_opt_t cdbpk;
+#endif
 
 	int	num_permitted_opens;
 }       ServerOptions;
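Review bot: The new member is declared as `cdb_opt_t cdbpk;`, but the only options type this commit defines in cdbauth.h is `cdbauth_opt_t`, and `cdbauth_getuserkey` takes a `cdbauth_opt_t *`. Unless cdb.h happens to provide a `cdb_opt_t`, a build with `WITH_CDB_PUBKEY` defined will not compile; the line should read `cdbauth_opt_t cdbpk;`. It is also indented with spaces where the neighbouring members use a tab.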
diff -r 5cd44c531fd3 -r d77879a34d02 sshd.c
--- a/sshd.c	Sun Apr 29 03:51:50 2007 -0400
+++ b/sshd.c	Sun Apr 29 03:56:51 2007 -0400
@@ -124,6 +124,10 @@ int deny_severity = LOG_WARNING;
 int deny_severity = LOG_WARNING;
 #endif /* LIBWRAP */
 
+#ifdef WITH_CDB_PUBKEY
+#include "cdbauth.h"
+#endif
+
 #ifndef O_NOCTTY
 #define O_NOCTTY	0
 #endif
@@ -1429,6 +1433,11 @@ main(int ac, char **av)
 		exit(1);
 	}
 
+#ifdef WITH_CDB_PUBKEY
+    /* XXX check reading of pkfile */
+    if (options.cdbpk.on) {
+    }
+#endif
 	debug("sshd version %.100s", SSH_RELEASE);
 
 	/* Store privilege separation user for later use if required. */
diff -r 5cd44c531fd3 -r d77879a34d02 cdbauth.c
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/cdbauth.c	Sun Apr 29 03:56:51 2007 -0400
@@ -0,0 +1,74 @@
+#include "includes.h"
+
+#ifdef WITH_CDB_PUBKEY
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+
+#include "cdbauth.h"
+#include "log.h"
+
+void cdbauth_free_key(cdbauth_key_t *k) {
+  fclose(k->fp);
+  cdb_free(&k->db);
+  free(k);
+}
+
+cdbauth_key_t * cdbauth_getuserkey(cdbauth_opt_t *l, char * user) {
+    cdbauth_key_t *k = (cdbauth_key_t *) calloc (1, sizeof(cdbauth_key_t));
+
+    if ((!k) || (!l))
+         return NULL;
+
+    k->filename = l->pkfile;
+
+    k->fp = fopen(k->filename, "r");
+    if(k->fp == NULL) {
+      error("[CDB] unable to open db %s", l->pkfile);
+      free(k);
+      return NULL;
+    }
+    
+    cdb_init(&k->db, fileno(k->fp));
+    if (cdb_find(&k->db, user, strlen(user)) > 0) {
+      k->size = cdb_datalen(&k->db);
+      k->pos = cdb_datapos(&k->db);
+      k->ending = k->pos + k->size;
+      fseek(k->fp, k->pos, SEEK_SET);
+/*      if(cdb_read(&cdb, k->key, k->len, cdb_datapos(&cdb)) == -1) {      */
+    }
+    else {
+      cdb_free(&k->db);
+      free(k);
+      k = NULL;
+    }
+
+    return k;
+}
+
+
+/*
+ * Read an entire line from a public key file into a static buffer, discarding
+ * lines that exceed the buffer size.  Returns 0 on success, -1 on failure.
+ */
+int
+cdbauth_read_keyfile_line(cdbauth_key_t *key, char *buf, size_t bufsz, u_long *lineno)
+{
+	while (!CDBAUTH_END(key) && fgets(buf, bufsz, key->fp) != NULL) {
+		(*lineno)++;
+		if (buf[strlen(buf) - 1] == '\n') {
+			return 0;
+		} else {
+			debug("[cdb] line %lu exceeds size limit", *lineno);
+			/* discard remainder of line */
+			while (fgetc(key->fp) != '\n' && !CDBAUTH_END(key))
+				;	/* nothing */
+		}
+	}
+	return -1;
+}
+
+#endif /* WITH_CDB_PUBKEY */
+
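Review bot: `cdbauth_read_keyfile_line` tests `CDBAUTH_END` only before each `fgets()`, so when a user's stored value does not end in a newline the last read continues past `ending` into whatever follows in the database file. `buf[strlen(buf) - 1]` also indexes before the buffer if the data read begins with a NUL byte. Limiting each read to the bytes left in the record and checking the length before indexing, as sketched below, keeps parsing inside the user's own record. In `cdbauth_getuserkey` the not-found branch frees `k` without `fclose(k->fp);`, leaking a descriptor on every failed lookup, and the return values of `cdb_init()` and `fseek()` are ignored.

```c
int
cdbauth_read_keyfile_line(cdbauth_key_t *key, char *buf, size_t bufsz, u_long *lineno)
{
	while (!CDBAUTH_END(key)) {
		long left = (long)key->ending - ftell(key->fp);
		size_t max = bufsz;
		size_t len;

		/* never let fgets() run past the end of this user's record */
		if (left <= 0)
			break;
		if ((size_t)left + 1 < max)
			max = (size_t)left + 1;
		if (max < 2 || fgets(buf, (int)max, key->fp) == NULL)
			break;
		(*lineno)++;
		len = strlen(buf);
		/* a final line without '\n' is complete once the record is exhausted */
		if (len > 0 && (buf[len - 1] == '\n' || CDBAUTH_END(key)))
			return 0;
		debug("[cdb] line %lu exceeds size limit", *lineno);
		/* … unchanged: discard remainder of line … */
	}
	return -1;
}
```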
diff -r 5cd44c531fd3 -r d77879a34d02 cdbauth.h
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/cdbauth.h	Sun Apr 29 03:56:51 2007 -0400
@@ -0,0 +1,41 @@
+#ifndef CDBAUTH_H
+#define CDBAUTH_H
+
+#include <stdio.h>
+#include <fcntl.h>
+#include "cdb.h"
+
+/* tokens in use for config */
+#define _DEFAULT_CDBPK_TOKEN "UseCDBPK"
+#define _DEFAULT_PKFILE_TOKEN "CdbPkFile"
+
+/* default options */
+#define _DEFAULT_CDBPK_ON 0
+#define _DEFAULT_CDBPK_PKFILE "/etc/pubkeys.cdb"
+
+#define CDBAUTH_END(k) (ftell((k)->fp) >= (k)->ending)
+
+/* structures */
+typedef struct cdbauth_options {
+    int on;			/* Use it or NOT */
+    char * pkfile;              /* CDB file to lookup public keys in */
+} cdbauth_opt_t;
+
+
+typedef struct cdbauth_key {
+    int size;
+    int ending;
+    int pos;
+    FILE *fp;
+    char *filename;
+
+    struct cdb db;
+} cdbauth_key_t;
+
+/* function headers */
+cdbauth_key_t * cdbauth_getuserkey(cdbauth_opt_t *, char *);
+void cdbauth_free_key(cdbauth_key_t *);
+int cdbauth_read_keyfile_line(cdbauth_key_t *key, char *buf, size_t bufsz, u_long *lineno);
+
+#endif
+
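Review bot: `size`, `pos` and `ending` in `struct cdbauth_key` are plain `int`, yet `CDBAUTH_END` compares `ending` with the `long` returned by `ftell()` and does not account for its -1 error return, so a failed `ftell()` reads as "not at end". Declaring the three fields as `long` and having the macro treat a negative `ftell()` as end-of-record would be safer. The fields would also benefit from one-line comments, e.g. `/* offset of the first byte after this user's value */` on `ending`. The `_DEFAULT_*` macro names begin with an underscore followed by a capital letter, which C reserves for the implementation, and `u_long` in the last prototype relies on the includer having pulled in `<sys/types.h>`.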

