check that ssh public key received over the wire is sane

This commit is contained in:
Joey Hess 2012-09-10 18:18:55 -04:00
parent c20d6f4189
commit a41255723c
2 changed files with 35 additions and 10 deletions

View file

@ -83,6 +83,19 @@ sshTranscript opts input = do
return ()
return (transcript, ok)
{- Ensure that the ssh public key doesn't include any ssh options, like
- command=foo, or other weirdness -}
validateSshPubKey :: SshPubKey -> IO ()
validateSshPubKey pubkey = do
let ws = words pubkey
when (length ws > 3 || length ws < 2) $
error $ "wrong number of words in ssh public key " ++ pubkey
let (ssh, keytype) = separate (== '-') (ws !! 0)
unless (ssh == "ssh" && all isAlphaNum keytype) $
error $ "bad ssh public key prefix " ++ ws !! 0
when (length ws == 3) $
unless (all (\c -> isAlphaNum c || c == '@') (ws !! 2)) $
error $ "bad comment in ssh public key " ++ pubkey
makeAuthorizedKeys :: Bool -> SshPubKey -> IO Bool
makeAuthorizedKeys rsynconly pubkey = boolSystem "sh"