--- a/svr-authpubkey.c
+++ b/svr-authpubkey.c
-@@ -386,14 +386,19 @@ static int checkpubkey(const char* keyal
- goto out;
- }
+@@ -77,6 +77,13 @@ static void send_msg_userauth_pk_ok(cons
+ const unsigned char* keyblob, unsigned int keybloblen);
+ static int checkfileperm(char * filename);
-- /* we don't need to check pw and pw_dir for validity, since
-- * its been done in checkpubkeyperms. */
-- len = strlen(ses.authstate.pw_dir);
-- /* allocate max required pathname storage,
-- * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
-- filename = m_malloc(len + 22);
-- snprintf(filename, len + 22, "%s/.ssh/authorized_keys",
-- ses.authstate.pw_dir);
-+ if (ses.authstate.pw_uid != 0) {
-+ /* we don't need to check pw and pw_dir for validity, since
-+ * its been done in checkpubkeyperms. */
-+ len = strlen(ses.authstate.pw_dir);
-+ /* allocate max required pathname storage,
-+ * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
-+ filename = m_malloc(len + 22);
-+ snprintf(filename, len + 22, "%s/.ssh/authorized_keys",
-+ ses.authstate.pw_dir);
-+ } else {
-+ filename = m_malloc(30);
-+ strncpy(filename, "/etc/dropbear/authorized_keys", 30);
-+ }
++static const char * const global_authkeys_dir = "/etc/dropbear";
++static const int n_global_authkeys_dir = 14; /* + 1 extra byte */
++static const char * const user_authkeys_dir = ".ssh";
++static const int n_user_authkeys_dir = 5; /* + 1 extra byte */
++static const char * const authkeys_file = "authorized_keys";
++static const int n_authkeys_file = 16; /* + 1 extra byte */
++
+ /* process a pubkey auth request, sending success or failure message as
+ * appropriate */
+ void svr_auth_pubkey(int valid_user) {
+@@ -439,14 +446,21 @@ static int checkpubkey(const char* keyal
+ if (checkpubkeyperms() == DROPBEAR_FAILURE) {
+ TRACE(("bad authorized_keys permissions, or file doesn't exist"))
+ } else {
+- /* we don't need to check pw and pw_dir for validity, since
+- * its been done in checkpubkeyperms. */
+- len = strlen(ses.authstate.pw_dir);
+- /* allocate max required pathname storage,
+- * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
+- filename = m_malloc(len + 22);
+- snprintf(filename, len + 22, "%s/.ssh/authorized_keys",
+- ses.authstate.pw_dir);
++ if (ses.authstate.pw_uid == 0) {
++ len = n_global_authkeys_dir + n_authkeys_file;
++ filename = m_malloc(len);
++ snprintf(filename, len, "%s/%s", global_authkeys_dir, authkeys_file);
++ } else {
++ /* we don't need to check pw and pw_dir for validity, since
++ * its been done in checkpubkeyperms. */
++ len = strlen(ses.authstate.pw_dir);
++ /* allocate max required pathname storage,
++ * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
++ len += n_user_authkeys_dir + n_authkeys_file + 1;
++ filename = m_malloc(len);
++ snprintf(filename, len, "%s/%s/%s", ses.authstate.pw_dir,
++ user_authkeys_dir, authkeys_file);
++ }
- #if DROPBEAR_SVR_MULTIUSER
- /* open the file as the authenticating user. */
-@@ -474,27 +479,36 @@ static int checkpubkeyperms() {
+ authfile = fopen(filename, "r");
+ if (!authfile) {
+@@ -520,27 +534,41 @@ static int checkpubkeyperms() {
goto out;
}
- len += 22;
- filename = m_malloc(len);
- strlcpy(filename, ses.authstate.pw_dir, len);
--
++ if (ses.authstate.pw_uid == 0) {
++ if (checkfileperm(global_authkeys_dir) != DROPBEAR_SUCCESS) {
++ goto out;
++ }
+
- /* check ~ */
- if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
- goto out;
- }
-+ if (ses.authstate.pw_uid == 0) {
-+ if (checkfileperm("/etc/dropbear") != DROPBEAR_SUCCESS) {
-+ goto out;
-+ }
-+ if (checkfileperm("/etc/dropbear/authorized_keys") != DROPBEAR_SUCCESS) {
-+ goto out;
-+ }
-+ } else {
-+ /* allocate max required pathname storage,
-+ * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
-+ len += 22;
++ len = n_global_authkeys_dir + n_authkeys_file;
+ filename = m_malloc(len);
-+ strlcpy(filename, ses.authstate.pw_dir, len);
-+
-+ /* check ~ */
-+ if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
-+ goto out;
-+ }
- /* check ~/.ssh */
- strlcat(filename, "/.ssh", len);
- if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
- goto out;
- }
-+ /* check ~/.ssh */
-+ strlcat(filename, "/.ssh", len);
++ snprintf(filename, len, "%s/%s", global_authkeys_dir, authkeys_file);
+ if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
+ goto out;
+ }
++ } else {
++ /* check ~ */
++ if (checkfileperm(ses.authstate.pw_dir) != DROPBEAR_SUCCESS) {
++ goto out;
++ }
- /* now check ~/.ssh/authorized_keys */
- strlcat(filename, "/authorized_keys", len);
- if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
- goto out;
++ /* allocate max required pathname storage,
++ * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
++ len += n_user_authkeys_dir + n_authkeys_file + 1;
++ filename = m_malloc(len);
++
++ /* check ~/.ssh */
++ snprintf(filename, len, "%s/%s", ses.authstate.pw_dir, user_authkeys_dir);
++ if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
++ goto out;
++ }
++
+ /* now check ~/.ssh/authorized_keys */
-+ strlcat(filename, "/authorized_keys", len);
++ snprintf(filename, len, "%s/%s/%s", ses.authstate.pw_dir,
++ user_authkeys_dir, authkeys_file);
+ if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
+ goto out;
+ }