Ticket #3984: 27989-Fix-key-checker.patch

File 27989-Fix-key-checker.patch, 3.5 KB (added by bshi, 8 years ago)

Bug fix against SVN 27989

  • twisted/conch/checkers.py

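--- a/twisted/conch/checkers.py
+++ b/twisted/conch/checkers.py
@@ -127,19 +127,31 @@ class SSHPublicKeyDatabase:
                 return failure.Failure(UnauthorizedLogin('error while verifying key'))
         return failure.Failure(UnauthorizedLogin("unable to verify key"))
 
+    def getAuthorizedKeysFiles(self, credentials):
+        """
+        On OpenSSH servers, the default location of the file containing the
+        list of authorized public keys is "$HOME/.ssh/authorized_keys"[1].
+
+        Note: do we want to include authorized_keys2?  It's been deprecated
+        since 2001[2].
+
+        [1] http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config
+        [2] http://marc.info/?m=100508718416162
+
+        @return: A list of absolute paths to files with the authorized keys.
+        """
+        root = os.path.join(pwd.getpwnam(credentials.username).pw_dir, '.ssh')
+        files = ['authorized_keys', 'authorized_keys2']
+        return [os.path.join(root, f) for f in files]
+
     def checkKey(self, credentials):
         """
-        Retrieve the keys of the user specified by the credentials, and check
-        if one matches the blob in the credentials.
+        Retrieve files containing authorized keys and check against user
+        credentials.
         """
-        sshDir = os.path.expanduser(
-            os.path.join("~", credentials.username, ".ssh"))
-        if sshDir.startswith('~'): # didn't expand
-            return False
         uid, gid = os.geteuid(), os.getegid()
         ouid, ogid = pwd.getpwnam(credentials.username)[2:4]
-        for name in ['authorized_keys2', 'authorized_keys']:
-            filename = os.path.join(sshDir, name)
+        for filename in self.getAuthorizedKeysFiles(credentials):
             if not os.path.exists(filename):
                 continue
             try: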
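Review bot: `getAuthorizedKeysFiles` loses the unknown-user guard that the removed `if sshDir.startswith('~'): return False` provided: for a username absent from the password database, `pwd.getpwnam(credentials.username).pw_dir` raises `KeyError` instead of the old `return False`, and the new docstring does not mention it. Since this is a public hook that subclasses may override, add `@raise KeyError: The user is not found in the password database.` to the docstring so the contract is explicit, and state that callers are expected to turn that into an authentication failure rather than a crash. `checkKey` now makes the same unguarded `pwd.getpwnam(credentials.username)` call on the context line that follows, so what an unknown user actually observes depends on how the errback in `requestAvatarId` (outside this hunk) maps `KeyError`; a test covering the unknown-user path would pin that down. `checkKey`'s body continues past the end of the hunk.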
  • twisted/conch/test/test_checkers.py

    diff --git twisted/conch/test/test_checkers.py twisted/conch/test/test_checkers.py
    index 945a063..4052b30 100644
    from twisted.cred.checkers import InMemoryUsernamePasswordDatabaseDontUse 
    1818from twisted.cred.credentials import UsernamePassword, IUsernamePassword, \
    1919    SSHPrivateKey, ISSHPrivateKey
    2020from twisted.cred.error import UnhandledCredentials, UnauthorizedLogin
     21from twisted.python.fakepwd import UserDatabase
    2122from twisted.test.test_process import MockOS
    2223
    2324try:
    class SSHPublicKeyDatabaseTestCase(TestCase): 
    4445
    4546    def setUp(self):
    4647        self.checker = SSHPublicKeyDatabase()
    47         self.sshDir = FilePath(self.mktemp())
    48         self.sshDir.makedirs()
    49 
    5048        self.key1 = base64.encodestring("foobar")
    5149        self.key2 = base64.encodestring("eggspam")
    5250        self.content = "t1 %s foo\nt2 %s egg\n" % (self.key1, self.key2)
    5351
    5452        self.mockos = MockOS()
    55         self.mockos.path = self.sshDir.path
    56         self.patch(os.path, "expanduser", self.mockos.expanduser)
    57         self.patch(pwd, "getpwnam", self.mockos.getpwnam)
     53        self.mockos.path = FilePath(self.mktemp())
     54        self.mockos.path.makedirs()
     55        self.sshDir = self.mockos.path.child('.ssh')
     56        self.sshDir.makedirs()
     57
     58        userdb = UserDatabase()
     59        userdb.addUser('user', 'password', 1, 2, 'first last',
     60                self.mockos.path.path, '/bin/shell')
     61
     62        self.patch(pwd, "getpwnam", userdb.getpwnam)
    5863        self.patch(os, "seteuid", self.mockos.seteuid)
    5964        self.patch(os, "setegid", self.mockos.setegid)
    6065