diff options
| author | Damien Miller <djm@mindrot.org> | 2012-12-03 09:49:52 +1100 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2012-12-03 09:49:52 +1100 |
| commit | cb6b68b209d8868a94a30b1a634beb1a65cb5265 (patch) | |
| tree | 049f0251f5ee3f2cb2fb236ba4ee5eb37b356351 /sshconnect2.c | |
| parent | cf6ef137b516a9f739b6e899ec5ef7306835530b (diff) | |
| download | openssh-git-cb6b68b209d8868a94a30b1a634beb1a65cb5265.tar.gz | |
- djm@cvs.openbsd.org 2012/12/02 20:26:11
[ssh_config.5 sshconnect2.c]
Make IdentitiesOnly apply to keys obtained from a PKCS11Provider.
This allows control of which keys are offered from tokens using
IdentityFile. ok markus@
Diffstat (limited to 'sshconnect2.c')
| -rw-r--r-- | sshconnect2.c | 29 |
1 files changed, 26 insertions, 3 deletions
diff --git a/sshconnect2.c b/sshconnect2.c index 7c369d74..6791ea34 100644 --- a/sshconnect2.c +++ b/sshconnect2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect2.c,v 1.189 2012/06/22 12:30:26 dtucker Exp $ */ +/* $OpenBSD: sshconnect2.c,v 1.190 2012/12/02 20:26:11 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2008 Damien Miller. All rights reserved. @@ -1359,7 +1359,7 @@ load_identity_file(char *filename) static void pubkey_prepare(Authctxt *authctxt) { - Identity *id; + Identity *id, *id2, *tmp; Idlist agent, files, *preferred; Key *key; AuthenticationConnection *ac; @@ -1371,7 +1371,7 @@ pubkey_prepare(Authctxt *authctxt) preferred = &authctxt->keys; TAILQ_INIT(preferred); /* preferred order of keys */ - /* list of keys stored in the filesystem */ + /* list of keys stored in the filesystem and PKCS#11 */ for (i = 0; i < options.num_identity_files; i++) { key = options.identity_keys[i]; if (key && key->type == KEY_RSA1) @@ -1384,6 +1384,29 @@ pubkey_prepare(Authctxt *authctxt) id->filename = xstrdup(options.identity_files[i]); TAILQ_INSERT_TAIL(&files, id, next); } + /* Prefer PKCS11 keys that are explicitly listed */ + TAILQ_FOREACH_SAFE(id, &files, next, tmp) { + if (id->key == NULL || (id->key->flags & KEY_FLAG_EXT) == 0) + continue; + found = 0; + TAILQ_FOREACH(id2, &files, next) { + if (id2->key == NULL || + (id2->key->flags & KEY_FLAG_EXT) != 0) + continue; + if (key_equal(id->key, id2->key)) { + TAILQ_REMOVE(&files, id, next); + TAILQ_INSERT_TAIL(preferred, id, next); + found = 1; + break; + } + } + /* If IdentitiesOnly set and key not found then don't use it */ + if (!found && options.identities_only) { + TAILQ_REMOVE(&files, id, next); + bzero(id, sizeof(id)); + free(id); + } + } /* list of keys supported by the agent */ if ((ac = ssh_get_authentication_connection())) { for (key = ssh_get_first_identity(ac, &comment, 2); |