xref: /openbmc/qemu/qga/commands-windows-ssh.c (revision 05caa062)
1 /*
2  * QEMU Guest Agent win32-specific command implementations for SSH keys.
3  * The implementation is opinionated and expects the SSH implementation to
4  * be OpenSSH.
5  *
6  * Copyright Schweitzer Engineering Laboratories. 2024
7  *
8  * Authors:
9  *  Aidan Leuck <aidan_leuck@selinc.com>
10  *
11  * This work is licensed under the terms of the GNU GPL, version 2 or later.
12  * See the COPYING file in the top-level directory.
13  */
14 
15 #include "qemu/osdep.h"
16 #include <aclapi.h>
17 #include <qga-qapi-types.h>
18 
19 #include "commands-common-ssh.h"
20 #include "commands-windows-ssh.h"
21 #include "guest-agent-core.h"
22 #include "limits.h"
23 #include "lmaccess.h"
24 #include "lmapibuf.h"
25 #include "lmerr.h"
26 #include "qapi/error.h"
27 
28 #include "qga-qapi-commands.h"
29 #include "sddl.h"
30 #include "shlobj.h"
31 #include "userenv.h"
32 
33 #define AUTHORIZED_KEY_FILE "authorized_keys"
34 #define AUTHORIZED_KEY_FILE_ADMIN "administrators_authorized_keys"
35 #define LOCAL_SYSTEM_SID "S-1-5-18"
36 #define ADMIN_SID "S-1-5-32-544"
37 
38 /*
39  * Frees userInfo structure. This implements the g_auto cleanup
40  * for the structure.
41  */
42 void free_userInfo(PWindowsUserInfo info)
43 {
44     g_free(info->sshDirectory);
45     g_free(info->authorizedKeyFile);
46     LocalFree(info->SSID);
47     g_free(info->username);
48     g_free(info);
49 }
50 
51 /*
52  * Gets the admin SSH folder for OpenSSH. OpenSSH does not store
53  * the authorized_key file in the users home directory for security reasons and
54  * instead stores it at %PROGRAMDATA%/ssh. This function returns the path to
55  * that directory on the users machine
56  *
57  * parameters:
58  * errp -> error structure to set when an error occurs
59  * returns: The path to the ssh folder in %PROGRAMDATA% or NULL if an error
60  * occurred.
61  */
62 static char *get_admin_ssh_folder(Error **errp)
63 {
64     /* Allocate memory for the program data path */
65     g_autofree char *programDataPath = NULL;
66     char *authkeys_path = NULL;
67     PWSTR pgDataW = NULL;
68     g_autoptr(GError) gerr = NULL;
69 
70     /* Get the KnownFolderPath on the machine. */
71     HRESULT folderResult =
72         SHGetKnownFolderPath(&FOLDERID_ProgramData, 0, NULL, &pgDataW);
73     if (folderResult != S_OK) {
74         error_setg(errp, "Failed to retrieve ProgramData folder");
75         return NULL;
76     }
77 
78     /* Convert from a wide string back to a standard character string. */
79     programDataPath = g_utf16_to_utf8(pgDataW, -1, NULL, NULL, &gerr);
80     CoTaskMemFree(pgDataW);
81     if (!programDataPath) {
82         error_setg(errp,
83                    "Failed converting ProgramData folder path to UTF-16 %s",
84                    gerr->message);
85         return NULL;
86     }
87 
88     /* Build the path to the file. */
89     authkeys_path = g_build_filename(programDataPath, "ssh", NULL);
90     return authkeys_path;
91 }
92 
93 /*
94  * Gets the path to the SSH folder for the specified user. If the user is an
95  * admin it returns the ssh folder located at %PROGRAMDATA%/ssh. If the user is
96  * not an admin it returns %USERPROFILE%/.ssh
97  *
98  * parameters:
99  * username -> Username to get the SSH folder for
100  * isAdmin -> Whether the user is an admin or not
101  * errp -> Error structure to set any errors that occur.
102  * returns: path to the ssh folder as a string.
103  */
104 static char *get_ssh_folder(const char *username, const bool isAdmin,
105                             Error **errp)
106 {
107     DWORD maxSize = MAX_PATH;
108     g_autofree char *profilesDir = g_new0(char, maxSize);
109 
110     if (isAdmin) {
111         return get_admin_ssh_folder(errp);
112     }
113 
114     /* If not an Admin the SSH key is in the user directory. */
115     /* Get the user profile directory on the machine. */
116     BOOL ret = GetProfilesDirectory(profilesDir, &maxSize);
117     if (!ret) {
118         error_setg_win32(errp, GetLastError(),
119                          "failed to retrieve profiles directory");
120         return NULL;
121     }
122 
123     /* Builds the filename */
124     return g_build_filename(profilesDir, username, ".ssh", NULL);
125 }
126 
127 /*
128  * Creates an entry for the user so they can access the ssh folder in their
129  * userprofile.
130  *
131  * parameters:
132  * userInfo -> Information about the current user
133  * pACL -> Pointer to an ACL structure
134  * errp -> Error structure to set any errors that occur
135  * returns -> 1 on success, 0 otherwise
136  */
137 static bool create_acl_user(PWindowsUserInfo userInfo, PACL *pACL, Error **errp)
138 {
139     const int aclSize = 1;
140     PACL newACL = NULL;
141     EXPLICIT_ACCESS eAccess[1];
142     PSID userPSID = NULL;
143 
144     /* Get a pointer to the internal SID object in Windows */
145     bool converted = ConvertStringSidToSid(userInfo->SSID, &userPSID);
146     if (!converted) {
147         error_setg_win32(errp, GetLastError(), "failed to retrieve user %s SID",
148                          userInfo->username);
149         goto error;
150     }
151 
152     /* Set the permissions for the user. */
153     eAccess[0].grfAccessPermissions = GENERIC_ALL;
154     eAccess[0].grfAccessMode = SET_ACCESS;
155     eAccess[0].grfInheritance = NO_INHERITANCE;
156     eAccess[0].Trustee.TrusteeForm = TRUSTEE_IS_SID;
157     eAccess[0].Trustee.TrusteeType = TRUSTEE_IS_USER;
158     eAccess[0].Trustee.ptstrName = (LPTSTR)userPSID;
159 
160     /* Set the ACL entries */
161     DWORD setResult;
162 
163     /*
164      * If we are given a pointer that is already initialized, then we can merge
165      * the existing entries instead of overwriting them.
166      */
167     if (*pACL) {
168         setResult = SetEntriesInAcl(aclSize, eAccess, *pACL, &newACL);
169     } else {
170         setResult = SetEntriesInAcl(aclSize, eAccess, NULL, &newACL);
171     }
172 
173     if (setResult != ERROR_SUCCESS) {
174         error_setg_win32(errp, GetLastError(),
175                          "failed to set ACL entries for user %s %lu",
176                          userInfo->username, setResult);
177         goto error;
178     }
179 
180     /* Free any old memory since we are going to overwrite the users pointer. */
181     LocalFree(*pACL);
182     *pACL = newACL;
183 
184     LocalFree(userPSID);
185     return true;
186 error:
187     LocalFree(userPSID);
188     return false;
189 }
190 
191 /*
192  * Creates a base ACL for both normal users and admins to share
193  * pACL -> Pointer to an ACL structure
194  * errp -> Error structure to set any errors that occur
195  * returns: 1 on success, 0 otherwise
196  */
197 static bool create_acl_base(PACL *pACL, Error **errp)
198 {
199     PSID adminGroupPSID = NULL;
200     PSID systemPSID = NULL;
201 
202     const int aclSize = 2;
203     EXPLICIT_ACCESS eAccess[2];
204 
205     /* Create an entry for the system user. */
206     const char *systemSID = LOCAL_SYSTEM_SID;
207     bool converted = ConvertStringSidToSid(systemSID, &systemPSID);
208     if (!converted) {
209         error_setg_win32(errp, GetLastError(), "failed to retrieve system SID");
210         goto error;
211     }
212 
213     /* set permissions for system user */
214     eAccess[0].grfAccessPermissions = GENERIC_ALL;
215     eAccess[0].grfAccessMode = SET_ACCESS;
216     eAccess[0].grfInheritance = NO_INHERITANCE;
217     eAccess[0].Trustee.TrusteeForm = TRUSTEE_IS_SID;
218     eAccess[0].Trustee.TrusteeType = TRUSTEE_IS_USER;
219     eAccess[0].Trustee.ptstrName = (LPTSTR)systemPSID;
220 
221     /* Create an entry for the admin user. */
222     const char *adminSID = ADMIN_SID;
223     converted = ConvertStringSidToSid(adminSID, &adminGroupPSID);
224     if (!converted) {
225         error_setg_win32(errp, GetLastError(), "failed to retrieve Admin SID");
226         goto error;
227     }
228 
229     /* Set permissions for admin group. */
230     eAccess[1].grfAccessPermissions = GENERIC_ALL;
231     eAccess[1].grfAccessMode = SET_ACCESS;
232     eAccess[1].grfInheritance = NO_INHERITANCE;
233     eAccess[1].Trustee.TrusteeForm = TRUSTEE_IS_SID;
234     eAccess[1].Trustee.TrusteeType = TRUSTEE_IS_GROUP;
235     eAccess[1].Trustee.ptstrName = (LPTSTR)adminGroupPSID;
236 
237     /* Put the entries in an ACL object. */
238     PACL pNewACL = NULL;
239     DWORD setResult;
240 
241     /*
242      *If we are given a pointer that is already initialized, then we can merge
243      *the existing entries instead of overwriting them.
244      */
245     if (*pACL) {
246         setResult = SetEntriesInAcl(aclSize, eAccess, *pACL, &pNewACL);
247     } else {
248         setResult = SetEntriesInAcl(aclSize, eAccess, NULL, &pNewACL);
249     }
250 
251     if (setResult != ERROR_SUCCESS) {
252         error_setg_win32(errp, GetLastError(),
253                          "failed to set base ACL entries for system user and "
254                          "admin group %lu",
255                          setResult);
256         goto error;
257     }
258 
259     LocalFree(adminGroupPSID);
260     LocalFree(systemPSID);
261 
262     /* Free any old memory since we are going to overwrite the users pointer. */
263     LocalFree(*pACL);
264 
265     *pACL = pNewACL;
266 
267     return true;
268 
269 error:
270     LocalFree(adminGroupPSID);
271     LocalFree(systemPSID);
272     return false;
273 }
274 
275 /*
276  * Sets the access control on the authorized_keys file and any ssh folders that
277  * need to be created. For administrators the required permissions on the
278  * file/folders are that only administrators and the LocalSystem account can
279  * access the folders. For normal user accounts only the specified user,
280  * LocalSystem and Administrators can have access to the key.
281  *
282  * parameters:
283  * userInfo -> pointer to structure that contains information about the user
284  * PACL -> pointer to an access control structure that will be set upon
285  * successful completion of the function.
286  * errp -> error structure that will be set upon error.
287  * returns: 1 upon success 0 upon failure.
288  */
289 static bool create_acl(PWindowsUserInfo userInfo, PACL *pACL, Error **errp)
290 {
291     /*
292      * Creates a base ACL that both admins and users will share
293      * This adds the Administrators group and the SYSTEM group
294      */
295     if (!create_acl_base(pACL, errp)) {
296         return false;
297     }
298 
299     /*
300      * If the user is not an admin give the user creating the key permission to
301      * access the file.
302      */
303     if (!userInfo->isAdmin) {
304         if (!create_acl_user(userInfo, pACL, errp)) {
305             return false;
306         }
307 
308         return true;
309     }
310 
311     return true;
312 }
313 /*
314  * Create the SSH directory for the user and d sets appropriate permissions.
315  * In general the directory will be %PROGRAMDATA%/ssh if the user is an admin.
316  * %USERPOFILE%/.ssh if not an admin
317  *
318  * parameters:
319  * userInfo -> Contains information about the user
320  * errp -> Structure that will contain errors if the function fails.
321  * returns: zero upon failure, 1 upon success
322  */
323 static bool create_ssh_directory(WindowsUserInfo *userInfo, Error **errp)
324 {
325     PACL pNewACL = NULL;
326     g_autofree PSECURITY_DESCRIPTOR pSD = NULL;
327 
328     /* Gets the appropriate ACL for the user */
329     if (!create_acl(userInfo, &pNewACL, errp)) {
330         goto error;
331     }
332 
333     /* Allocate memory for a security descriptor */
334     pSD = g_malloc(SECURITY_DESCRIPTOR_MIN_LENGTH);
335     if (!InitializeSecurityDescriptor(pSD, SECURITY_DESCRIPTOR_REVISION)) {
336         error_setg_win32(errp, GetLastError(),
337                          "Failed to initialize security descriptor");
338         goto error;
339     }
340 
341     /* Associate the security descriptor with the ACL permissions. */
342     if (!SetSecurityDescriptorDacl(pSD, TRUE, pNewACL, FALSE)) {
343         error_setg_win32(errp, GetLastError(),
344                          "Failed to set security descriptor ACL");
345         goto error;
346     }
347 
348     /* Set the security attributes on the folder */
349     SECURITY_ATTRIBUTES sAttr;
350     sAttr.bInheritHandle = FALSE;
351     sAttr.nLength = sizeof(SECURITY_ATTRIBUTES);
352     sAttr.lpSecurityDescriptor = pSD;
353 
354     /* Create the directory with the created permissions */
355     BOOL created = CreateDirectory(userInfo->sshDirectory, &sAttr);
356     if (!created) {
357         error_setg_win32(errp, GetLastError(), "failed to create directory %s",
358                          userInfo->sshDirectory);
359         goto error;
360     }
361 
362     /* Free memory */
363     LocalFree(pNewACL);
364     return true;
365 error:
366     LocalFree(pNewACL);
367     return false;
368 }
369 
370 /*
371  * Sets permissions on the authorized_key_file that is created.
372  *
373  * parameters: userInfo -> Information about the user
374  * errp -> error structure that will contain errors upon failure
375  * returns: 1 upon success, zero upon failure.
376  */
377 static bool set_file_permissions(PWindowsUserInfo userInfo, Error **errp)
378 {
379     PACL pACL = NULL;
380     PSID userPSID;
381 
382     /* Creates the access control structure */
383     if (!create_acl(userInfo, &pACL, errp)) {
384         goto error;
385     }
386 
387     /* Get the PSID structure for the user based off the string SID. */
388     bool converted = ConvertStringSidToSid(userInfo->SSID, &userPSID);
389     if (!converted) {
390         error_setg_win32(errp, GetLastError(), "failed to retrieve user %s SID",
391                          userInfo->username);
392         goto error;
393     }
394 
395     /* Prevents permissions from being inherited and use the DACL provided. */
396     const SE_OBJECT_TYPE securityBitFlags =
397         DACL_SECURITY_INFORMATION | PROTECTED_DACL_SECURITY_INFORMATION;
398 
399     /* Set the ACL on the file. */
400     if (SetNamedSecurityInfo(userInfo->authorizedKeyFile, SE_FILE_OBJECT,
401                              securityBitFlags, userPSID, NULL, pACL,
402                              NULL) != ERROR_SUCCESS) {
403         error_setg_win32(errp, GetLastError(),
404                          "failed to set file security for file %s",
405                          userInfo->authorizedKeyFile);
406         goto error;
407     }
408 
409     LocalFree(pACL);
410     LocalFree(userPSID);
411     return true;
412 
413 error:
414     LocalFree(pACL);
415     LocalFree(userPSID);
416 
417     return false;
418 }
419 
420 /*
421  * Writes the specified keys to the authenticated keys file.
422  * parameters:
423  * userInfo: Information about the user we are writing the authkeys file to.
424  * authkeys: Array of keys to write to disk
425  * errp: Error structure that will contain any errors if they occur.
426  * returns: 1 if successful, 0 otherwise.
427  */
428 static bool write_authkeys(WindowsUserInfo *userInfo, GStrv authkeys,
429                            Error **errp)
430 {
431     g_autofree char *contents = NULL;
432     g_autoptr(GError) err = NULL;
433 
434     contents = g_strjoinv("\n", authkeys);
435 
436     if (!g_file_set_contents(userInfo->authorizedKeyFile, contents, -1, &err)) {
437         error_setg(errp, "failed to write to '%s': %s",
438                    userInfo->authorizedKeyFile, err->message);
439         return false;
440     }
441 
442     if (!set_file_permissions(userInfo, errp)) {
443         return false;
444     }
445 
446     return true;
447 }
448 
449 /*
450  * Retrieves information about a Windows user by their username
451  *
452  * parameters:
453  * userInfo -> Double pointer to a WindowsUserInfo structure. Upon success, it
454  * will be allocated with information about the user and need to be freed.
455  * username -> Name of the user to lookup.
456  * errp -> Contains any errors that occur.
457  * returns: 1 upon success, 0 upon failure.
458  */
459 static bool get_user_info(PWindowsUserInfo *userInfo, const char *username,
460                           Error **errp)
461 {
462     DWORD infoLevel = 4;
463     LPUSER_INFO_4 uBuf = NULL;
464     g_autofree wchar_t *wideUserName = NULL;
465     g_autoptr(GError) gerr = NULL;
466     PSID psid = NULL;
467 
468     /*
469      * Converts a string to a Windows wide string since the GetNetUserInfo
470      * function requires it.
471      */
472     wideUserName = g_utf8_to_utf16(username, -1, NULL, NULL, &gerr);
473     if (!wideUserName) {
474         goto error;
475     }
476 
477     /* allocate data */
478     PWindowsUserInfo uData = g_new0(WindowsUserInfo, 1);
479 
480     /* Set pointer so it can be cleaned up by the callee, even upon error. */
481     *userInfo = uData;
482 
483     /* Find the information */
484     NET_API_STATUS result =
485         NetUserGetInfo(NULL, wideUserName, infoLevel, (LPBYTE *)&uBuf);
486     if (result != NERR_Success) {
487         /* Give a friendlier error message if the user was not found. */
488         if (result == NERR_UserNotFound) {
489             error_setg(errp, "User %s was not found", username);
490             goto error;
491         }
492 
493         error_setg(errp,
494                    "Received unexpected error when asking for user info: Error "
495                    "Code %lu",
496                    result);
497         goto error;
498     }
499 
500     /* Get information from the buffer returned by NetUserGetInfo. */
501     uData->username = g_strdup(username);
502     uData->isAdmin = uBuf->usri4_priv == USER_PRIV_ADMIN;
503     psid = uBuf->usri4_user_sid;
504 
505     char *sidStr = NULL;
506 
507     /*
508      * We store the string representation of the SID not SID structure in
509      * memory. Callees wanting to use the SID structure should call
510      * ConvertStringSidToSID.
511      */
512     if (!ConvertSidToStringSid(psid, &sidStr)) {
513         error_setg_win32(errp, GetLastError(),
514                          "failed to get SID string for user %s", username);
515         goto error;
516     }
517 
518     /* Store the SSID */
519     uData->SSID = sidStr;
520 
521     /* Get the SSH folder for the user. */
522     char *sshFolder = get_ssh_folder(username, uData->isAdmin, errp);
523     if (sshFolder == NULL) {
524         goto error;
525     }
526 
527     /* Get the authorized key file path */
528     const char *authorizedKeyFile =
529         uData->isAdmin ? AUTHORIZED_KEY_FILE_ADMIN : AUTHORIZED_KEY_FILE;
530     char *authorizedKeyPath =
531         g_build_filename(sshFolder, authorizedKeyFile, NULL);
532     uData->sshDirectory = sshFolder;
533     uData->authorizedKeyFile = authorizedKeyPath;
534 
535     /* Free */
536     NetApiBufferFree(uBuf);
537     return true;
538 error:
539     if (uBuf) {
540         NetApiBufferFree(uBuf);
541     }
542 
543     return false;
544 }
545 
546 /*
547  * Gets the list of authorized keys for a user.
548  *
549  * parameters:
550  * username -> Username to retrieve the keys for.
551  * errp -> Error structure that will display any errors through QMP.
552  * returns: List of keys associated with the user.
553  */
554 GuestAuthorizedKeys *qmp_guest_ssh_get_authorized_keys(const char *username,
555                                                        Error **errp)
556 {
557     GuestAuthorizedKeys *keys = NULL;
558     g_auto(GStrv) authKeys = NULL;
559     g_autoptr(GuestAuthorizedKeys) ret = NULL;
560     g_auto(PWindowsUserInfo) userInfo = NULL;
561 
562     /* Gets user information */
563     if (!get_user_info(&userInfo, username, errp)) {
564         return NULL;
565     }
566 
567     /* Reads authkeys for the user */
568     authKeys = read_authkeys(userInfo->authorizedKeyFile, errp);
569     if (authKeys == NULL) {
570         return NULL;
571     }
572 
573     /* Set the GuestAuthorizedKey struct with keys from the file */
574     ret = g_new0(GuestAuthorizedKeys, 1);
575     for (int i = 0; authKeys[i] != NULL; i++) {
576         g_strstrip(authKeys[i]);
577         if (!authKeys[i][0] || authKeys[i][0] == '#') {
578             continue;
579         }
580 
581         QAPI_LIST_PREPEND(ret->keys, g_strdup(authKeys[i]));
582     }
583 
584     /*
585      * Steal the pointer because it is up for the callee to deallocate the
586      * memory.
587      */
588     keys = g_steal_pointer(&ret);
589     return keys;
590 }
591 
592 /*
593  * Adds an ssh key for a user.
594  *
595  * parameters:
596  * username -> User to add the SSH key to
597  * strList -> Array of keys to add to the list
598  * has_reset -> Whether the keys have been reset
599  * reset -> Boolean to reset the keys (If this is set the existing list will be
600  * cleared) and the other key reset. errp -> Pointer to an error structure that
601  * will get returned over QMP if anything goes wrong.
602  */
603 void qmp_guest_ssh_add_authorized_keys(const char *username, strList *keys,
604                                        bool has_reset, bool reset, Error **errp)
605 {
606     g_auto(PWindowsUserInfo) userInfo = NULL;
607     g_auto(GStrv) authkeys = NULL;
608     strList *k;
609     size_t nkeys, nauthkeys;
610 
611     /* Make sure the keys given are valid */
612     if (!check_openssh_pub_keys(keys, &nkeys, errp)) {
613         return;
614     }
615 
616     /* Gets user information */
617     if (!get_user_info(&userInfo, username, errp)) {
618         return;
619     }
620 
621     /* Determine whether we should reset the keys */
622     reset = has_reset && reset;
623     if (!reset) {
624         /* Read existing keys into memory */
625         authkeys = read_authkeys(userInfo->authorizedKeyFile, NULL);
626     }
627 
628     /* Check that the SSH key directory exists for the user. */
629     if (!g_file_test(userInfo->sshDirectory, G_FILE_TEST_IS_DIR)) {
630         BOOL success = create_ssh_directory(userInfo, errp);
631         if (!success) {
632             return;
633         }
634     }
635 
636     /* Reallocates the buffer to fit the new keys. */
637     nauthkeys = authkeys ? g_strv_length(authkeys) : 0;
638     authkeys = g_realloc_n(authkeys, nauthkeys + nkeys + 1, sizeof(char *));
639 
640     /* zero out the memory for the reallocated buffer */
641     memset(authkeys + nauthkeys, 0, (nkeys + 1) * sizeof(char *));
642 
643     /* Adds the keys */
644     for (k = keys; k != NULL; k = k->next) {
645         /* Check that the key doesn't already exist */
646         if (g_strv_contains((const gchar *const *)authkeys, k->value)) {
647             continue;
648         }
649 
650         authkeys[nauthkeys++] = g_strdup(k->value);
651     }
652 
653     /* Write the authkeys to the file. */
654     write_authkeys(userInfo, authkeys, errp);
655 }
656 
657 /*
658  * Removes an SSH key for a user
659  *
660  * parameters:
661  * username -> Username to remove the key from
662  * strList -> List of strings to remove
663  * errp -> Contains any errors that occur.
664  */
665 void qmp_guest_ssh_remove_authorized_keys(const char *username, strList *keys,
666                                           Error **errp)
667 {
668     g_auto(PWindowsUserInfo) userInfo = NULL;
669     g_autofree struct passwd *p = NULL;
670     g_autofree GStrv new_keys = NULL; /* do not own the strings */
671     g_auto(GStrv) authkeys = NULL;
672     GStrv a;
673     size_t nkeys = 0;
674 
675     /* Validates the keys passed in by the user */
676     if (!check_openssh_pub_keys(keys, NULL, errp)) {
677         return;
678     }
679 
680     /* Gets user information */
681     if (!get_user_info(&userInfo, username, errp)) {
682         return;
683     }
684 
685     /* Reads the authkeys for the user */
686     authkeys = read_authkeys(userInfo->authorizedKeyFile, errp);
687     if (authkeys == NULL) {
688         return;
689     }
690 
691     /* Create a new buffer to hold the keys */
692     new_keys = g_new0(char *, g_strv_length(authkeys) + 1);
693     for (a = authkeys; *a != NULL; a++) {
694         strList *k;
695 
696         /* Filters out keys that are equal to ones the user specified. */
697         for (k = keys; k != NULL; k = k->next) {
698             if (g_str_equal(k->value, *a)) {
699                 break;
700             }
701         }
702 
703         if (k != NULL) {
704             continue;
705         }
706 
707         new_keys[nkeys++] = *a;
708     }
709 
710     /* Write the new authkeys to the file. */
711     write_authkeys(userInfo, new_keys, errp);
712 }
713