[PATCH] Public keys options
Frédéric Moulins
ffrrrr at gmail.com
Sun May 25 17:50:29 WST 2008
Hello,
the following patch allows skipping options of public keys in the authorized_keys file.
The authorized_keys file must still respect:
* no whitespace at the beginning of a line.
* only one space or tab character between options and algorithm type.
Code has been copied and adapted from OpenSSH function user_key_allowed2 in auth2-pubkey.c.
I would like to use at least the 'command' option. If I understand well, options should be kept in a session structure after the key has been validated, to be available later to fill a channel session structure during its creation. Is it right?
(...Is it right that a channel session structure is the good place for such options?... that a channel session corresponds to an ssh connection and that no channel session exists at the time authorized_keys is read?... many questions :) )
I tried to pass a 'command' option to the 'chansess->cmd' variable without success. I think I don't get the way 'sessioncommand' is triggered yet (pty-req, shell, exec, ...). How would you pass the 'command' option?
Regards
fred
Here is the patch against dropbear-0.50 from the up-to-date Ubuntu package:
--- dropbear-0.50.orig/svr-authpubkey.c 2007-08-08 17:39:37.000000000 +0200
+++ dropbear-0.50/svr-authpubkey.c 2008-05-25 00:51:46.000000000 +0200
@@ -158,8 +158,8 @@
char * filename = NULL;
int ret = DROPBEAR_FAILURE;
buffer * line = NULL;
- unsigned int len, pos;
-
+ unsigned int len, start, pos, quoted;
+
TRACE(("enter checkpubkey"))
/* check that we can use the algo */
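Review bot: the `-`/`+` pair on the empty line right after the declaration looks like a whitespace-only change (both lines are blank) and should be left out of the patch. Of the two variables added to `unsigned int len, start, pos, quoted;`, `start` is only ever assigned (`start = pos = line->pos;` in the next hunk) and never read, so it can be dropped, leaving `unsigned int len, pos, quoted;`.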
@@ -202,16 +202,43 @@
TRACE(("checkpubkey: authorized_keys EOF reached"))
break;
}
-
- if (line->len < MIN_AUTHKEYS_LINE) {
- TRACE(("checkpubkey: line too short"))
- continue; /* line is too short for it to be a valid key */
+ if (line->len < MIN_AUTHKEYS_LINE) {
+ TRACE(("checkpubkey: line too short"))
+ continue; /* line is too short for it to be a valid key */
}
- /* check the key type - this also stops us from using keys
- * which have options with them */
+ /* check the key type - will fail if there are options */
if (strncmp(buf_getptr(line, algolen), algo, algolen) != 0) {
- continue;
+ /* there may be options or a commented line */
+ if ('#' == line->data[line->pos]) continue;
+ /* no comment, skip to next space character */
+ len = 0;
+ start = pos = line->pos;
+ quoted = 0;
+ while (line->data[pos]
+ && (quoted || (line->data[pos] != ' '
+ && line->data[pos] != '\t'
+ && line->data[pos] != '\n'
+ && line->data[pos] != '\r'))) {
+ pos++;
+ if (line->data[pos] == '\\'
+ && line->data[pos+1] == '"') {
+ pos++; /* skip both */
+ } else if (line->data[pos] == '"')
+ quoted = !quoted;
+ } /* line->data[pos] == ['\0'|' '|'\t'] */
+
+ /* skip line if there is nothing left */
+ if (pos >= line->len) continue;
+ /* skip line if it begins with a space or tab character */
+ if (pos == line->pos) continue;
+ /* set the position of the line after what we have read */
+ buf_setpos(line, pos+1);
+ /* give a second chance to the algo */
+ if (line->pos + algolen > line->len) continue;
+ if (strncmp(buf_getptr(line, algolen), algo, algolen) != 0) {
+ continue;
+ }
}
buf_incrpos(line, algolen);
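Review bot: the option-skipping loop is bounded only by `line->data[pos]` being non-zero, and the backslash test reads `line->data[pos+1]` without any length check, so a line whose last byte is a backslash reads one byte past the end of the line; the `if (pos >= line->len) continue;` guard comes only after the loop. Bound the scan with `pos < line->len` in the `while` condition and guard the look-ahead, e.g. `if (line->data[pos] == '\\' && pos + 1 < line->len && line->data[pos+1] == '"')`. Because `pos++` happens before the quote checks, the byte at the starting position is never examined for `"` or `\"` either; moving the increment to the end of the loop body fixes that. `len = 0;` is assigned and never used. The `-`/`+` lines re-indenting the `MIN_AUTHKEYS_LINE` block are whitespace-only and should not be in the patch. Finally, `buf_setpos(line, pos+1)` skips exactly one separator byte, which is what imposes the "only one space or tab between options and algorithm type" restriction stated in the mail; skipping a run of spaces and tabs before the second `strncmp` would remove that restriction.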
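As an added example that is not part of the post or of Dropbear, the C function below implements the authorized_keys rules stated above (no leading whitespace, comment lines skipped, an optional options field honouring double quotes and backslash-escaped quotes) as a stand-alone, length-bounded scanner. The function name `authkey_skip_options`, the sample lines and the placeholder key material are all constructed for this example; it also goes beyond the patch by accepting a run of spaces or tabs between options and key type and by rejecting an unterminated quote.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Locate the key-type token ("ssh-rsa", "ssh-dss", ...) on one
 * authorized_keys line, skipping an optional leading options field.
 * Hypothetical helper written for this example; not Dropbear code.
 *
 * Returns the byte offset of the key-type token, or -1 when the line
 * must be skipped: blank, comment, leading whitespace, unterminated
 * quote, or a key type that does not match `algo`.  Every index is
 * checked against `len`, so `data` need not be NUL-terminated and the
 * scan never reads past the end of the line.
 */
int authkey_skip_options(const char *data, size_t len, const char *algo)
{
    size_t algolen = strlen(algo);
    size_t pos = 0;
    int quoted = 0;

    if (len == 0 || data[0] == '#')            /* blank or comment line */
        return -1;
    if (data[0] == ' ' || data[0] == '\t')     /* no leading whitespace allowed */
        return -1;

    /* Plain line: key type in the first field, nothing to skip. */
    if (len > algolen && memcmp(data, algo, algolen) == 0
        && (data[algolen] == ' ' || data[algolen] == '\t'))
        return 0;

    /* Options field: advance to the first unquoted whitespace.  A double
     * quote toggles `quoted`; a backslash-escaped quote is consumed as a
     * unit so it neither toggles quoting nor ends the field.  The look-ahead
     * at pos + 1 is only taken when that byte exists. */
    while (pos < len) {
        char c = data[pos];
        if (c == '\\' && pos + 1 < len && data[pos + 1] == '"') {
            pos += 2;
            continue;
        }
        if (c == '"') {
            quoted = !quoted;
        } else if (!quoted && (c == ' ' || c == '\t' || c == '\r' || c == '\n')) {
            break;
        }
        pos++;
    }
    if (quoted)                                /* quote never closed */
        return -1;

    /* Skip the whitespace run between options and key type. */
    while (pos < len && (data[pos] == ' ' || data[pos] == '\t'))
        pos++;

    /* Bounds-check before comparing, then require the expected key type. */
    if (pos + algolen > len || memcmp(data + pos, algo, algolen) != 0)
        return -1;
    return (int)pos;
}

int main(void)
{
    /* Constructed sample lines; the key material is a placeholder. */
    const char *lines[] = {
        "ssh-rsa AAAAB3Nza...placeholder user@host",
        "command=\"/usr/bin/rsync --server\" ssh-rsa AAAAB3Nza...placeholder",
        "command=\"echo \\\"hi there\\\"\",no-pty ssh-rsa AAAAB3Nza...placeholder",
        "# ssh-rsa AAAAB3Nza...placeholder commented out",
        "  ssh-rsa AAAAB3Nza...placeholder leading-space",
        "command=\"unterminated ssh-rsa AAAAB3Nza...placeholder",
        "command=\"/bin/true\" ssh-dss AAAAB3Nza...placeholder",
    };
    size_t i;
    for (i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        int off = authkey_skip_options(lines[i], strlen(lines[i]), "ssh-rsa");
        printf("%-72s -> %d\n", lines[i], off);
    }
    return 0;
}
```

A return value of -1 means "skip this line", matching the `continue` paths in the patch; a non-negative value is where the caller would compare the key type and then read the base64 key. Because the scanner only ever indexes below `len`, a line read straight from a `buffer` without a terminating NUL is handled the same way as a C string.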