Commit cb2cb159 authored by Matt Johnston's avatar Matt Johnston
Browse files

Log when pubkey auth fails because of bad pubkey perms/ownership

--HG--
extra : convert_revision : 43e1a0c8365776577acd814d708027fcddcb02ef
parent 35105316
......@@ -77,6 +77,9 @@ struct AuthState {
unsigned authdone : 1; /* 0 if we haven't authed, 1 if we have. Applies for
client and server (though has differing [obvious]
meanings). */
unsigned perm_warn : 1; /* Server only, set if bad permissions on
~/.ssh/authorized_keys have already been
logged. */
/* These are only used for the server */
char *printableuser; /* stripped of control chars, used for logs etc */
......
......@@ -311,6 +311,7 @@ out:
/* returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE */
static int checkfileperm(char * filename) {
struct stat filestat;
int badperm = 0;
TRACE(("enter checkfileperm(%s)", filename))
......@@ -321,14 +322,23 @@ static int checkfileperm(char * filename) {
/* check ownership - user or root only*/
if (filestat.st_uid != ses.authstate.pw->pw_uid
&& filestat.st_uid != 0) {
TRACE(("leave checkfileperm: wrong ownership"))
return DROPBEAR_FAILURE;
badperm = 1;
TRACE(("wrong ownership"))
}
/* check permissions - don't want group or others +w */
if (filestat.st_mode & (S_IWGRP | S_IWOTH)) {
TRACE(("leave checkfileperm: wrong perms"))
badperm = 1;
TRACE(("wrong perms"))
}
if (badperm) {
if (!ses.authstate.perm_warn) {
ses.authstate.perm_warn = 1;
dropbear_log(LOG_INFO, "%s must be owned by user or root, and not writable by others", filename);
}
TRACE(("leave checkfileperm: failure perms/owner"))
return DROPBEAR_FAILURE;
}
TRACE(("leave checkfileperm: success"))
return DROPBEAR_SUCCESS;
}
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment