upstream: allow glob(3) patterns for sshd_config AuthorizedKeysFile
authordjm@openbsd.org <djm@openbsd.org>
Fri, 6 Dec 2024 16:24:27 +0000 (16:24 +0000)
committerDamien Miller <djm@mindrot.org>
Sat, 7 Dec 2024 10:19:02 +0000 (21:19 +1100)
and AuthorizedPrincipalsFile directives; bz2755 ok dtucker

OpenBSD-Commit-ID: 3e3e05a17fca39bba78b993a07b44664519adf7f

auth2-pubkey.c
sshd_config.5

index 7580db78dfd584a7e184d662c61a1c661a934a28..c1fef904656d8ea7e4ca6b7ed0b45adadc701967 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-pubkey.c,v 1.120 2024/05/17 00:30:23 djm Exp $ */
+/* $OpenBSD: auth2-pubkey.c,v 1.121 2024/12/06 16:24:27 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  * Copyright (c) 2010 Damien Miller.  All rights reserved.
 #include <time.h>
 #include <unistd.h>
 #include <limits.h>
+#ifdef USE_SYSTEM_GLOB
+# include <glob.h>
+#else
+# include "openbsd-compat/glob.h"
+#endif
 
 #include "xmalloc.h"
 #include "ssh.h"
@@ -319,20 +324,51 @@ match_principals_file(struct passwd *pw, char *file,
     struct sshkey_cert *cert, struct sshauthopt **authoptsp)
 {
        FILE *f;
-       int success;
+       int r, success = 0;
+       size_t i;
+       glob_t gl;
+       struct sshauthopt *opts = NULL;
 
        if (authoptsp != NULL)
                *authoptsp = NULL;
 
        temporarily_use_uid(pw);
-       debug("trying authorized principals file %s", file);
-       if ((f = auth_openprincipals(file, pw, options.strict_modes)) == NULL) {
-               restore_uid();
+       r = glob(file, 0, NULL, &gl);
+       restore_uid();
+       if (r != 0) {
+               if (r != GLOB_NOMATCH) {
+                       logit_f("glob \"%s\" failed", file);
+               }
                return 0;
+       } else if (gl.gl_pathc > INT_MAX) {
+               fatal_f("too many glob results for \"%s\"", file);
+       } else if (gl.gl_pathc > 1) {
+               debug2_f("glob \"%s\" returned %zu matches", file,
+                   gl.gl_pathc);
+       }
+       for (i = 0; !success && i < gl.gl_pathc; i++) {
+               temporarily_use_uid(pw);
+               debug("trying authorized principals file %s", file);
+               if ((f = auth_openprincipals(gl.gl_pathv[i], pw,
+                   options.strict_modes)) == NULL) {
+                       restore_uid();
+                       continue;
+               }
+               success = auth_process_principals(f, gl.gl_pathv[i],
+                   cert, &opts);
+               fclose(f);
+               restore_uid();
+               if (!success) {
+                       sshauthopt_free(opts);
+                       opts = NULL;
+               }
        }
-       success = auth_process_principals(f, file, cert, authoptsp);
-       fclose(f);
-       restore_uid();
+       globfree(&gl);
+       if (success && authoptsp != NULL) {
+               *authoptsp = opts;
+               opts = NULL;
+       }
+       sshauthopt_free(opts);
        return success;
 }
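Review bot: The debug message at the top of the per-match loop still prints the pattern, `debug("trying authorized principals file %s", file);`, while the file actually opened on the following line is `gl.gl_pathv[i]`; when a wildcard matches several files the log cannot show which one was tried or which one's principals matched. Change it to `debug("trying authorized principals file %s", gl.gl_pathv[i]);`. Separately, glob() is invoked with flags 0 and no size limit, and the directory being expanded is typically user-writable (a %h-relative path), so the authenticating user controls how large the expansion gets; if the system or compat glob honours GLOB_LIMIT, passing it would bound that work, otherwise a cap on gl.gl_pathc far below the existing INT_MAX fatal() would be the equivalent check. Per-file ownership and mode checking still rests on auth_openprincipals() and strict_modes, which are outside this hunk.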
 
@@ -753,7 +789,7 @@ int
 user_key_allowed(struct ssh *ssh, struct passwd *pw, struct sshkey *key,
     int auth_attempt, struct sshauthopt **authoptsp)
 {
-       u_int success = 0, i;
+       u_int success = 0, i, j;
        char *file, *conn_id;
        struct sshauthopt *opts = NULL;
        const char *rdomain, *remote_ip, *remote_host;
@@ -776,17 +812,37 @@ user_key_allowed(struct ssh *ssh, struct passwd *pw, struct sshkey *key,
            remote_ip, ssh_remote_port(ssh));
 
        for (i = 0; !success && i < options.num_authkeys_files; i++) {
+               int r;
+               glob_t gl;
+
                if (strcasecmp(options.authorized_keys_files[i], "none") == 0)
                        continue;
                file = expand_authorized_keys(
                    options.authorized_keys_files[i], pw);
-               success = user_key_allowed2(pw, key, file,
-                   remote_ip, remote_host, &opts);
-               free(file);
-               if (!success) {
-                       sshauthopt_free(opts);
-                       opts = NULL;
+               temporarily_use_uid(pw);
+               r = glob(file, 0, NULL, &gl);
+               restore_uid();
+               if (r != 0) {
+                       if (r != GLOB_NOMATCH) {
+                               logit_f("glob \"%s\" failed", file);
+                       }
+                       continue;
+               } else if (gl.gl_pathc > INT_MAX) {
+                       fatal_f("too many glob results for \"%s\"", file);
+               } else if (gl.gl_pathc > 1) {
+                       debug2_f("glob \"%s\" returned %zu matches", file,
+                           gl.gl_pathc);
                }
+               for (j = 0; !success && j < gl.gl_pathc; j++) {
+                       success = user_key_allowed2(pw, key, gl.gl_pathv[j],
+                           remote_ip, remote_host, &opts);
+                       if (!success) {
+                               sshauthopt_free(opts);
+                               opts = NULL;
+                       }
+               }
+               free(file);
+               globfree(&gl);
        }
        if (success)
                goto out;
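Review bot: `file` leaks whenever glob() fails: the `continue` in the `if (r != 0)` branch skips the `free(file)` that now sits after the inner loop, and GLOB_NOMATCH is the common case (a configured authorized_keys path that does not exist, e.g. a second default entry), so this leaks on every such attempt in a long-lived process. Add `free(file);` immediately before that `continue;` (it must stay after the `logit_f()` call, which still reads `file`). Also worth noting that the output of expand_authorized_keys() is now interpreted as a glob pattern, so token expansions (%u, %h, …) that contain `*`, `?` or `[` change meaning; whether that helper escapes glob metacharacters is not visible here, and if it does not, either the expansion should escape them or the man page should say the expanded value is a pattern. user_key_allowed() continues past the end of this hunk.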
index ab71970b9c93d8653306e15d52ddf6afab8923d6..c3d76bc624348428c77a5d918be9d52e7c166933 100644 (file)
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.379 2024/12/05 22:45:03 naddy Exp $
-.Dd $Mdocdate: December 5 2024 $
+.\" $OpenBSD: sshd_config.5,v 1.380 2024/12/06 16:24:27 djm Exp $
+.Dd $Mdocdate: December 6 2024 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -279,7 +279,7 @@ The format is described in the AUTHORIZED_KEYS FILE FORMAT section of
 .Xr sshd 8 .
 Arguments to
 .Cm AuthorizedKeysFile
-accept the tokens described in the
+may include wildcards and accept the tokens described in the
 .Sx TOKENS
 section.
 After expansion,
@@ -348,7 +348,7 @@ are ignored.
 .Pp
 Arguments to
 .Cm AuthorizedPrincipalsFile
-accept the tokens described in the
+may include wildcards and accept the tokens described in the
 .Sx TOKENS
 section.
 After expansion,