--- a/src/svr-authpubkey.c +++ b/src/svr-authpubkey.c @@ -78,6 +78,13 @@ static void send_msg_userauth_pk_ok(cons const unsigned char* keyblob, unsigned int keybloblen); static int checkfileperm(char * filename); +static const char * const global_authkeys_dir = "/etc/dropbear"; +static const int n_global_authkeys_dir = 14; /* + 1 extra byte */ +static const char * const user_authkeys_dir = ".ssh"; +static const int n_user_authkeys_dir = 5; /* + 1 extra byte */ +static const char * const authkeys_file = "authorized_keys"; +static const int n_authkeys_file = 16; /* + 1 extra byte */ + /* process a pubkey auth request, sending success or failure message as * appropriate */ void svr_auth_pubkey(int valid_user) { @@ -462,14 +469,21 @@ static int checkpubkey(const char* keyal if (checkpubkeyperms() == DROPBEAR_FAILURE) { TRACE(("bad authorized_keys permissions, or file doesn't exist")) } else { - /* we don't need to check pw and pw_dir for validity, since - * its been done in checkpubkeyperms. */ - len = strlen(ses.authstate.pw_dir); - /* allocate max required pathname storage, - * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */ - filename = m_malloc(len + 22); - snprintf(filename, len + 22, "%s/.ssh/authorized_keys", - ses.authstate.pw_dir); + if (ses.authstate.pw_uid == 0) { + len = n_global_authkeys_dir + n_authkeys_file; + filename = m_malloc(len); + snprintf(filename, len, "%s/%s", global_authkeys_dir, authkeys_file); + } else { + /* we don't need to check pw and pw_dir for validity, since + * its been done in checkpubkeyperms. */ + len = strlen(ses.authstate.pw_dir); + /* allocate max required pathname storage, + * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */ + len += n_user_authkeys_dir + n_authkeys_file + 1; + filename = m_malloc(len); + snprintf(filename, len, "%s/%s/%s", ses.authstate.pw_dir, + user_authkeys_dir, authkeys_file); + } authfile = fopen(filename, "r"); if (!authfile) { @@ -543,27 +557,41 @@ static int checkpubkeyperms() { goto out; } - /* allocate max required pathname storage, - * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */ - len += 22; - filename = m_malloc(len); - strlcpy(filename, ses.authstate.pw_dir, len); + if (ses.authstate.pw_uid == 0) { + if (checkfileperm(global_authkeys_dir) != DROPBEAR_SUCCESS) { + goto out; + } - /* check ~ */ - if (checkfileperm(filename) != DROPBEAR_SUCCESS) { - goto out; - } + len = n_global_authkeys_dir + n_authkeys_file; + filename = m_malloc(len); - /* check ~/.ssh */ - strlcat(filename, "/.ssh", len); - if (checkfileperm(filename) != DROPBEAR_SUCCESS) { - goto out; - } + snprintf(filename, len, "%s/%s", global_authkeys_dir, authkeys_file); + if (checkfileperm(filename) != DROPBEAR_SUCCESS) { + goto out; + } + } else { + /* check ~ */ + if (checkfileperm(ses.authstate.pw_dir) != DROPBEAR_SUCCESS) { + goto out; + } - /* now check ~/.ssh/authorized_keys */ - strlcat(filename, "/authorized_keys", len); - if (checkfileperm(filename) != DROPBEAR_SUCCESS) { - goto out; + /* allocate max required pathname storage, + * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */ + len += n_user_authkeys_dir + n_authkeys_file + 1; + filename = m_malloc(len); + + /* check ~/.ssh */ + snprintf(filename, len, "%s/%s", ses.authstate.pw_dir, user_authkeys_dir); + if (checkfileperm(filename) != DROPBEAR_SUCCESS) { + goto out; + } + + /* now check ~/.ssh/authorized_keys */ + snprintf(filename, len, "%s/%s/%s", ses.authstate.pw_dir, + user_authkeys_dir, authkeys_file); + if (checkfileperm(filename) != DROPBEAR_SUCCESS) { + goto out; + } } /* file looks ok, return success */