From d3a185709dfb8588ae7cacc079312d1fcc450e9c Mon Sep 17 00:00:00 2001
From: Damien Miller <djm@mindrot.org>
Date: Wed, 7 Jun 2000 19:55:44 +1000
Subject:  - (djm) Fix rsh path in RPMs. Report from Jason L Tibbitts III   
 <tibbs@math.uh.edu>  - (djm) OpenBSD CVS updates:   - todd@cvs.openbsd.org   
  [sshconnect2.c]     teach protocol v2 to count login failures properly and
 also enable an     explanation of why the password prompt comes up again like
 v1; this is NOT     crypto   - markus@cvs.openbsd.org     [readconf.c
 readconf.h servconf.c servconf.h session.c ssh.1 ssh.c sshd.8]    
 xauth_location support; pr 1234     [readconf.c sshconnect2.c]     typo,
 unused     [session.c]     allow use_login only for login sessions, otherwise
 remote commands are     execed with uid==0     [sshd.8]     document UseLogin
 better     [version.h]     OpenSSH 2.1.1     [auth-rsa.c]     fix
 match_hostname() logic for auth-rsa: deny access if we have a     negative
 match or no match at all     [channels.c hostfile.c match.c]     don't panic
 if mkdtemp fails for authfwd; jkb@yahoo-inc.com via     kris@FreeBSD.org

---
 auth-rsa.c | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

(limited to 'auth-rsa.c')

diff --git a/auth-rsa.c b/auth-rsa.c
index 22e3f01f..f01c5c92 100644
--- a/auth-rsa.c
+++ b/auth-rsa.c
@@ -16,7 +16,7 @@
  */
 
 #include "includes.h"
-RCSID("$Id: auth-rsa.c,v 1.19 2000/04/30 00:00:53 damien Exp $");
+RCSID("$Id: auth-rsa.c,v 1.20 2000/06/07 09:55:44 djm Exp $");
 
 #include "rsa.h"
 #include "packet.h"
@@ -133,6 +133,7 @@ auth_rsa(struct passwd *pw, BIGNUM *client_n)
 	unsigned long linenum = 0;
 	struct stat st;
 	RSA *pk;
+	int mname, mip;
 
 	/* Temporarily use the user's uid. */
 	temporarily_use_uid(pw->pw_uid);
@@ -390,10 +391,17 @@ auth_rsa(struct passwd *pw, BIGNUM *client_n)
 					}
 					patterns[i] = 0;
 					options++;
-					if (!match_hostname(get_canonical_hostname(), patterns,
-						     strlen(patterns)) &&
-					    !match_hostname(get_remote_ipaddr(), patterns,
-						     strlen(patterns))) {
+					/*
+					 * Deny access if we get a negative
+					 * match for the hostname or the ip
+					 * or if we get not match at all
+					 */
+					mname = match_hostname(get_canonical_hostname(),
+					    patterns, strlen(patterns));
+					mip = match_hostname(get_remote_ipaddr(),
+					    patterns, strlen(patterns));
+					if (mname == -1 || mip == -1 ||
+					    (mname != 1 && mip != 1)) {
 						log("RSA authentication tried for %.100s with correct key but not from a permitted host (host=%.200s, ip=%.200s).",
 						    pw->pw_name, get_canonical_hostname(),
 						    get_remote_ipaddr());
-- 
cgit v1.2.3