I added a new authentication method to OpenSSH called ICCAuthentication (IC card).

When the server receives SSH_CMSG_AUTH_ICC, it reads the RSA public key file in the user's home dir (e.g. /home/peter/.icc/authorized_key), gets the pubkey, generates a 32 8-bit long random number, encrypts it with the pubkey, and sends it to the client as a challenge, just like RSAAuthentication. The client then decrypts the challenge with the private key in the user's IC card, and sends a response to the server.

Here is the auth_icc_prepare_key() function in my auth-icc.c.
This function gets the pubkey in the ~/.icc/authorized_key file.

    int
    auth_icc_prepare_key(struct passwd *pw, Key **rkey)
    {
        char line[8192], file[MAXPATHLEN];
        u_char n_e[131];    /* 128-byte modulus followed by 3-byte exponent */
        FILE *f;
        struct stat st;
        Key *key;

        /* Temporarily use the user's uid. */
        temporarily_use_uid(pw);

        /* The authorized key file. */
        snprintf(file, sizeof file, "%.500s/%.100s", pw->pw_dir,
            _PATH_SSH_USER_ICC_PERMITTED_KEY);
        debug("trying public RSA key file %s", file);

        /* Fail quietly if file does not exist */
        /* If UsePrivilegeSeparation is yes, stat() always fails. */
        if (stat(file, &st) < 0) {
            /* Restore the privileged uid. */
            debug("Public key file does not exist.");
            restore_uid();
            return 0;
        }

        /* Open the file containing the authorized keys. */
        f = fopen(file, "r");
        if (!f) {
            packet_send_debug("Could not open file %.900s for reading.", file);
            packet_send_debug("If your home is on an NFS volume, "
                "it may need to be world-readable.");
            /* Restore the privileged uid. */
            restore_uid();
            return 0;
        }
        if (options.strict_modes &&
            secure_filename(f, file, pw, line, sizeof(line)) != 0) {
            fclose(f);
            log("Authentication refused: %s", line);
            restore_uid();
            return 0;
        }
        key = key_new(KEY_RSA);

        /*
         * Get the public key from the file. If ok, perform a
         * challenge-response dialog to verify that the user has
         * the right IC card.
         */
        if (fread(n_e, 131, 1, f) < 1) {
            /* Release the file handle and the key on a short read. */
            fclose(f);
            key_free(key);
            restore_uid();
            packet_send_debug("Read file %.900s error.", file);
            return 0;
        }
        key->rsa->n = BN_bin2bn(n_e, 128, NULL);
        key->rsa->e = BN_bin2bn(n_e + 128, 3, NULL);

        /* Restore the privileged uid. */
        restore_uid();

        /* Close the file. */
        fclose(f);

        /* return key if allowed */
        if (rkey != NULL) {
            *rkey = key;
            return 1;
        } else {
            key_free(key);
            return 0;
        }
    }

Everything is OK if sshd_config has "UsePrivilegeSeparation no". If I set "UsePrivilegeSeparation" to yes, the stat() in the function always returns < 0, but the file does exist.

I set the file as:

    /home/peter/.icc/authorized_key peter.peter rw-r--r--

Why can't sshd access the file under privsep?

Please help me.
Thank you.

xhtech. Beijing
Received on Fri Mar 28 11:29:49 2003
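
An added example, not part of the original post or of OpenSSH: a stricter parser for the 131-byte key blob that auth_icc_prepare_key() reads (128-byte big-endian modulus followed by a 3-byte exponent), rejecting short files, trailing data and values that cannot be an RSA public key. The names icc_pubkey, icc_parse_pubkey and icc_read_pubkey are hypothetical, and requiring a full 1024-bit modulus is an assumption drawn from the 128-byte field.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ICC_MOD_LEN  128  /* modulus bytes, as in BN_bin2bn(n_e, 128, NULL) */
#define ICC_EXP_LEN  3    /* exponent bytes, as in BN_bin2bn(n_e+128, 3, NULL) */
#define ICC_BLOB_LEN (ICC_MOD_LEN + ICC_EXP_LEN)

/* Hypothetical container; the post stores these values in key->rsa. */
struct icc_pubkey {
	unsigned char n[ICC_MOD_LEN];	/* big-endian modulus */
	unsigned long e;		/* public exponent */
};

/* Returns 0 on success, or a negative code naming the failed check. */
int
icc_parse_pubkey(const unsigned char *buf, size_t len, struct icc_pubkey *out)
{
	unsigned long e;

	if (buf == NULL || out == NULL)
		return -1;
	if (len != ICC_BLOB_LEN)		/* short file or trailing data */
		return -2;
	if ((buf[0] & 0x80) == 0)		/* assumed: full 1024-bit modulus */
		return -3;
	if ((buf[ICC_MOD_LEN - 1] & 1) == 0)	/* an RSA modulus is always odd */
		return -4;
	e = ((unsigned long)buf[ICC_MOD_LEN] << 16) |
	    ((unsigned long)buf[ICC_MOD_LEN + 1] << 8) |
	    (unsigned long)buf[ICC_MOD_LEN + 2];
	if (e < 3 || (e & 1) == 0)		/* exponent must be odd and >= 3 */
		return -5;
	memcpy(out->n, buf, ICC_MOD_LEN);
	out->e = e;
	return 0;
}

/* Reads one byte more than the blob so that trailing data is detected. */
int
icc_read_pubkey(FILE *f, struct icc_pubkey *out)
{
	unsigned char buf[ICC_BLOB_LEN + 1];
	size_t got = fread(buf, 1, sizeof(buf), f);

	return icc_parse_pubkey(buf, got, out);
}
```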