From 7818e56d625e05b7b3a727cb8784e4adbece4bbb Mon Sep 17 00:00:00 2001
From: "Jan F. Chadima"
Date: Wed, 7 Jul 2010 13:48:36 +0000
Subject: [PATCH] - merged with newer bugzilla's version of authorized keys command patch
---
openssh-5.5p1-authorized-keys-command.patch | 440 +++++++++++
openssh-5.5p1-kuserok.patch | 22 +-
...pka-ldap.patch => openssh-5.5p1-ldap.patch | 682 ++----------------
openssh.spec | 11 +-
4 files changed, 538 insertions(+), 617 deletions(-)
create mode 100644 openssh-5.5p1-authorized-keys-command.patch
rename openssh-5.5p1-pka-ldap.patch => openssh-5.5p1-ldap.patch (81%)
diff --git a/openssh-5.5p1-authorized-keys-command.patch b/openssh-5.5p1-authorized-keys-command.patch
new file mode 100644
index 0000000..8be37fd
--- /dev/null
+++ b/openssh-5.5p1-authorized-keys-command.patch
@@ -0,0 +1,440 @@ +diff -ruN openssh-5.5p1.orig/auth2-pubkey.c openssh-5.5p1/auth2-pubkey.c +--- openssh-5.5p1.orig/auth2-pubkey.c 2010-03-21 14:51:21.000000000 -0400 ++++ openssh-5.5p1/auth2-pubkey.c 2010-07-03 20:23:43.000000000 -0400 +@@ -27,6 +27,7 @@ + + #include + #include ++#include + + #include + #include +@@ -178,27 +178,15 @@ + + /* return 1 if user allows given key */ + static int +-user_key_allowed2(struct passwd *pw, Key *key, char *file) ++user_search_key_in_file(FILE *f, char *file, Key* key, struct passwd *pw) + { + char line[SSH_MAX_PUBKEY_BYTES]; + const char *reason; + int found_key = 0; +- FILE *f; + u_long linenum = 0; + Key *found; + char *fp; + +- /* Temporarily use the user's uid. */ +- temporarily_use_uid(pw); +- +- debug("trying public key file %s", file); +- f = auth_openkeyfile(file, pw, options.strict_modes); +- +- if (!f) { +- restore_uid(); +- return 0; +- } +- + found_key = 0; + found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type); + +@@ -273,8 +261,6 @@ + break; + } + } +- restore_uid(); +- fclose(f); + key_free(found); + if (!found_key) + debug2("key not found"); +@@ -321,13 +307,191 @@ + return ret; + } + +-/* check whether given key is in .ssh/authorized_keys* */ ++/* return 1 if user allows given key */ ++static int ++user_key_allowed2(struct passwd *pw, Key *key, char *file) ++{ ++ FILE *f; ++ int found_key = 0; ++ ++ /* Temporarily use the user's uid. 
*/ ++ temporarily_use_uid(pw); ++ ++ debug("trying public key file %s", file); ++ f = auth_openkeyfile(file, pw, options.strict_modes); ++ ++ if (f) { ++ found_key = user_search_key_in_file (f, file, key, pw); ++ fclose(f); ++ } ++ ++ restore_uid(); ++ return found_key; ++} ++ ++#ifdef WITH_AUTHORIZED_KEYS_COMMAND ++ ++#define WHITESPACE " \t\r\n" ++ ++/* return 1 if user allows given key */ ++static int ++user_key_via_command_allowed2(struct passwd *pw, Key *key) ++{ ++ FILE *f; ++ int found_key = 0; ++ char *progname = NULL; ++ char *cp; ++ struct passwd *runas_pw; ++ struct stat st; ++ int childdescriptors[2], i; ++ pid_t pstat, pid, child; ++ ++ if (options.authorized_keys_command == NULL || options.authorized_keys_command[0] != '/') ++ return -1; ++ ++ /* get the run as identity from config */ ++ runas_pw = (options.authorized_keys_command_runas == NULL)? pw ++ : getpwnam (options.authorized_keys_command_runas); ++ if (!runas_pw) { ++ error("%s: getpwnam(\"%s\"): %s", __func__, ++ options.authorized_keys_command_runas, strerror(errno)); ++ return 0; ++ } ++ ++ /* Temporarily use the specified uid. */ ++ if (runas_pw->pw_uid != 0) ++ temporarily_use_uid(runas_pw); ++ ++ progname = xstrdup(options.authorized_keys_command); ++ ++ debug3("%s: checking program '%s'", __func__, progname); ++ ++ if (stat (progname, &st) < 0) { ++ error("%s: stat(\"%s\"): %s", __func__, ++ progname, strerror(errno)); ++ goto go_away; ++ } ++ ++ if (st.st_uid != 0 || (st.st_mode & 022) != 0) { ++ error("bad ownership or modes for AuthorizedKeysCommand \"%s\"", ++ progname); ++ goto go_away; ++ } ++ ++ if (!S_ISREG(st.st_mode)) { ++ error("AuthorizedKeysCommand \"%s\" is not a regular file", ++ progname); ++ goto go_away; ++ } ++ ++ /* ++ * Descend the path, checking that each component is a ++ * root-owned directory with strict permissions. 
++ */ ++ do { ++ if ((cp = strrchr(progname, '/')) == NULL) ++ break; ++ else ++ *cp = '\0'; ++ ++ debug3("%s: checking component '%s'", __func__, (*progname == '\0' ? "/" : progname)); ++ ++ if (stat((*progname == '\0' ? "/" : progname), &st) != 0) { ++ error("%s: stat(\"%s\"): %s", __func__, ++ progname, strerror(errno)); ++ goto go_away; ++ } ++ if (st.st_uid != 0 || (st.st_mode & 022) != 0) { ++ error("bad ownership or modes for AuthorizedKeysCommand path component \"%s\"", ++ progname); ++ goto go_away; ++ } ++ if (!S_ISDIR(st.st_mode)) { ++ error("AuthorizedKeysCommand path component \"%s\" is not a directory", ++ progname); ++ goto go_away; ++ } ++ } while (1); ++ ++ /* open the pipe and read the keys */ ++ if (pipe(childdescriptors)) { ++ error("failed to pipe(2) for AuthorizedKeysCommand: %s", ++ strerror(errno)); ++ goto go_away; ++ } ++ ++ child = fork(); ++ if (child == -1) { ++ error("failed to fork(2) for AuthorizedKeysCommand: %s", ++ strerror(errno)); ++ goto go_away; ++ } else if (child == 0) { ++ /* we're in the child process here -- we should never return from this block. 
*/ ++ /* permanently drop privs in child process */ ++ if (runas_pw->pw_uid != 0) { ++ restore_uid(); ++ permanently_set_uid(runas_pw); ++ } ++ ++ close(childdescriptors[0]); ++ /* put the write end of the pipe on stdout (FD 1) */ ++ if (dup2(childdescriptors[1], 1) == -1) { ++ error("failed to dup2(2) from AuthorizedKeysCommand: %s", ++ strerror(errno)); ++ _exit(127); ++ } ++ ++ debug3("about to execl() AuthorizedKeysCommand: \"%s\" \"%s\"", options.authorized_keys_command, pw->pw_name); ++ /* see session.c:child_close_fds() */ ++ for (i = 3; i < 64; ++i) { ++ close(i); ++ } ++ ++ execl(options.authorized_keys_command, options.authorized_keys_command, pw->pw_name, NULL); ++ ++ /* if we got here, it didn't work */ ++ error("failed to execl AuthorizedKeysCommand: %s", strerror(errno)); /* this won't work because we closed the fds above */ ++ _exit(127); ++ } ++ ++ close(childdescriptors[1]); ++ f = fdopen(childdescriptors[0], "r"); ++ if (!f) { ++ error("%s: could not buffer FDs from AuthorizedKeysCommand (\"%s\", \"r\"): %s", __func__, ++ options.authorized_keys_command, strerror (errno)); ++ goto go_away; ++ } ++ ++ found_key = user_search_key_in_file (f, options.authorized_keys_command, key, pw); ++ fclose (f); ++ do { ++ pid = waitpid(child, &pstat, 0); ++ } while (pid == -1 && errno == EINTR); ++ ++ /* what about the return value from the child process? 
*/ ++go_away: ++ if (progname) ++ xfree (progname); ++ ++ if (runas_pw->pw_uid != 0) ++ restore_uid(); ++ return found_key; ++} ++#endif ++ ++/* check whether given key is in 0) ++ return success; ++#endif ++ + if (auth_key_is_revoked(key)) + return 0; + if (key_is_cert(key) && auth_key_is_revoked(key->cert->signature_key)) +diff -ruN openssh-5.5p1.orig/configure.ac openssh-5.5p1/configure.ac +--- openssh-5.5p1.orig/configure.ac 2010-04-10 08:58:01.000000000 -0400 ++++ openssh-5.5p1/configure.ac 2010-07-03 19:57:42.000000000 -0400 +@@ -1346,6 +1346,18 @@ + esac ] + ) + ++# Check whether user wants AuthorizedKeysCommand support ++AKC_MSG="no" ++AC_ARG_WITH(authorized-keys-command, ++ [ --with-authorized-keys-command Enable AuthorizedKeysCommand support], ++ [ ++ if test "x$withval" != "xno" ; then ++ AC_DEFINE([WITH_AUTHORIZED_KEYS_COMMAND], 1, [Enable AuthorizedKeysCommand support]) ++ AKC_MSG="yes" ++ fi ++ ] ++) ++ + dnl Checks for library functions. Please keep in alphabetical order + AC_CHECK_FUNCS( \ + arc4random \ +@@ -4181,6 +4193,7 @@ + echo " Smartcard support: $SCARD_MSG" + echo " S/KEY support: $SKEY_MSG" + echo " TCP Wrappers support: $TCPW_MSG" ++echo " AuthorizedKeysCommand support: $AKC_MSG" + echo " MD5 password support: $MD5_MSG" + echo " libedit support: $LIBEDIT_MSG" + echo " Solaris process contract support: $SPC_MSG" +diff -ruN openssh-5.5p1.orig/servconf.c openssh-5.5p1/servconf.c +--- openssh-5.5p1.orig/servconf.c 2010-03-25 19:40:04.000000000 -0400 ++++ openssh-5.5p1/servconf.c 2010-07-03 19:59:07.000000000 -0400 +@@ -128,6 +128,8 @@ + options->num_permitted_opens = -1; + options->adm_forced_command = NULL; + options->chroot_directory = NULL; ++ options->authorized_keys_command = NULL; ++ options->authorized_keys_command_runas = NULL; + options->zero_knowledge_password_authentication = -1; + options->revoked_keys_file = NULL; + options->trusted_user_ca_keys = NULL; +@@ -311,6 +313,7 @@ + sUsePrivilegeSeparation, sAllowAgentForwarding, + 
sZeroKnowledgePasswordAuthentication, sHostCertificate, + sRevokedKeys, sTrustedUserCAKeys, ++ sAuthorizedKeysCommand, sAuthorizedKeysCommandRunAs, + sDeprecated, sUnsupported + } ServerOpCodes; + +@@ -432,6 +435,13 @@ + { "hostcertificate", sHostCertificate, SSHCFG_GLOBAL }, + { "revokedkeys", sRevokedKeys, SSHCFG_ALL }, + { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL }, ++#ifdef WITH_AUTHORIZED_KEYS_COMMAND ++ { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL }, ++ { "authorizedkeyscommandrunas", sAuthorizedKeysCommandRunAs, SSHCFG_ALL }, ++#else ++ { "authorizedkeyscommand", sUnsupported, SSHCFG_ALL }, ++ { "authorizedkeyscommandrunas", sUnsupported, SSHCFG_ALL }, ++#endif + { NULL, sBadOption, 0 } + }; + +@@ -1345,6 +1355,20 @@ + charptr = &options->revoked_keys_file; + goto parse_filename; + ++ case sAuthorizedKeysCommand: ++ len = strspn(cp, WHITESPACE); ++ if (*activep && options->authorized_keys_command == NULL) ++ options->authorized_keys_command = xstrdup(cp + len); ++ return 0; ++ ++ case sAuthorizedKeysCommandRunAs: ++ charptr = &options->authorized_keys_command_runas; ++ ++ arg = strdelim(&cp); ++ if (*activep && *charptr == NULL) ++ *charptr = xstrdup(arg); ++ break; ++ + case sDeprecated: + logit("%s line %d: Deprecated option %s", + filename, linenum, arg); +@@ -1438,6 +1462,8 @@ + M_CP_INTOPT(gss_authentication); + M_CP_INTOPT(rsa_authentication); + M_CP_INTOPT(pubkey_authentication); ++ M_CP_STROPT(authorized_keys_command); ++ M_CP_STROPT(authorized_keys_command_runas); + M_CP_INTOPT(kerberos_authentication); + M_CP_INTOPT(hostbased_authentication); + M_CP_INTOPT(kbd_interactive_authentication); +@@ -1682,6 +1708,8 @@ + dump_cfg_string(sChrootDirectory, o->chroot_directory); + dump_cfg_string(sTrustedUserCAKeys, o->trusted_user_ca_keys); + dump_cfg_string(sRevokedKeys, o->revoked_keys_file); ++ dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command); ++ dump_cfg_string(sAuthorizedKeysCommandRunAs, 
o->authorized_keys_command_runas); + + /* string arguments requiring a lookup */ + dump_cfg_string(sLogLevel, log_level_name(o->log_level)); +diff -ruN openssh-5.5p1.orig/servconf.h openssh-5.5p1/servconf.h +--- openssh-5.5p1.orig/servconf.h 2010-03-04 05:53:35.000000000 -0500 ++++ openssh-5.5p1/servconf.h 2010-07-03 19:57:42.000000000 -0400 +@@ -156,6 +156,8 @@ + char *chroot_directory; + char *revoked_keys_file; + char *trusted_user_ca_keys; ++ char *authorized_keys_command; ++ char *authorized_keys_command_runas; + } ServerOptions; + + void initialize_server_options(ServerOptions *); +diff -ruN openssh-5.5p1.orig/sshd_config openssh-5.5p1/sshd_config +--- openssh-5.5p1.orig/sshd_config 2009-10-11 06:51:09.000000000 -0400 ++++ openssh-5.5p1/sshd_config 2010-07-03 19:57:42.000000000 -0400 +@@ -44,6 +44,8 @@ + #RSAAuthentication yes + #PubkeyAuthentication yes + #AuthorizedKeysFile .ssh/authorized_keys ++#AuthorizedKeysCommand none ++#AuthorizedKeysCommandRunAs nobody + + # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts + #RhostsRSAAuthentication no +diff -ruN openssh-5.5p1.orig/sshd_config.0 openssh-5.5p1/sshd_config.0 +--- openssh-5.5p1.orig/sshd_config.0 2010-04-15 20:17:12.000000000 -0400 ++++ openssh-5.5p1/sshd_config.0 2010-07-03 19:57:42.000000000 -0400 +@@ -352,7 +352,8 @@ + KbdInteractiveAuthentication, KerberosAuthentication, + MaxAuthTries, MaxSessions, PasswordAuthentication, + PermitEmptyPasswords, PermitOpen, PermitRootLogin, +- PubkeyAuthentication, RhostsRSAAuthentication, RSAAuthentication, ++ PubkeyAuthentication, AuthorizedKeysCommand, AuthorizedKeysCommandRunAs, ++ RhostsRSAAuthentication, RSAAuthentication, + X11DisplayOffset, X11Forwarding and X11UseLocalHost. + + MaxAuthTries +@@ -467,6 +468,23 @@ + this file is not readable, then public key authentication will be + refused for all users. + ++ AuthorizedKeysCommand ++ ++ Specifies a program to be used for lookup of the user's ++ public keys. 
The program will be invoked with its first ++ argument the name of the user being authorized, and should produce ++ on standard output AuthorizedKeys lines (see AUTHORIZED_KEYS ++ in sshd(8)). By default (or when set to the empty string) there is no ++ AuthorizedKeysCommand run. If the AuthorizedKeysCommand does not successfully ++ authorize the user, authorization falls through to the ++ AuthorizedKeysFile. Note that this option has an effect ++ only with PubkeyAuthentication turned on. ++ ++ AuthorizedKeysCommandRunAs ++ Specifies the user under whose account the AuthorizedKeysCommand is run. ++ Empty string (the default value) means the user being authorized ++ is used. ++ + RhostsRSAAuthentication + Specifies whether rhosts or /etc/hosts.equiv authentication to- + gether with successful RSA host authentication is allowed. The +diff -ruN openssh-5.5p1.orig/sshd_config.5 openssh-5.5p1/sshd_config.5 +--- openssh-5.5p1.orig/sshd_config.5 2010-03-04 18:41:45.000000000 -0500 ++++ openssh-5.5p1/sshd_config.5 2010-07-03 19:57:42.000000000 -0400 +@@ -618,6 +618,9 @@ + .Cm KerberosAuthentication , + .Cm MaxAuthTries , + .Cm MaxSessions , ++.Cm PubkeyAuthentication , ++.Cm AuthorizedKeysCommand , ++.Cm AuthorizedKeysCommandRunAs , + .Cm PasswordAuthentication , + .Cm PermitEmptyPasswords , + .Cm PermitOpen , +@@ -819,6 +822,20 @@ + Keys listed in this file will be refused for public key authentication. + Note that if this file is not readable, then public key authentication will + be refused for all users. ++.It Cm AuthorizedKeysCommand ++Specifies a program to be used for lookup of the user's ++public keys. The program will be invoked with its first ++argument the name of the user being authorized, and should produce ++on standard output AuthorizedKeys lines (see AUTHORIZED_KEYS ++in sshd(8)). By default (or when set to the empty string) there is no ++AuthorizedKeysCommand run. 
If the AuthorizedKeysCommand does not successfully ++authorize the user, authorization falls through to the ++AuthorizedKeysFile. Note that this option has an effect ++only with PubkeyAuthentication turned on. ++.It Cm AuthorizedKeysCommandRunAs ++Specifies the user under whose account the AuthorizedKeysCommand is run. Empty ++string (the default value) means the user being authorized is used. ++.Dq + .It Cm RhostsRSAAuthentication + Specifies whether rhosts or /etc/hosts.equiv authentication together + with successful RSA host authentication is allowed. diff --git a/openssh-5.5p1-kuserok.patch b/openssh-5.5p1-kuserok.patch index a43cb39..2390745 100644 --- a/openssh-5.5p1-kuserok.patch +++ b/openssh-5.5p1-kuserok.patch @@ -1,6 +1,6 @@ diff -up openssh-5.5p1/auth-krb5.c.kuserok openssh-5.5p1/auth-krb5.c ---- openssh-5.5p1/auth-krb5.c.kuserok 2010-06-08 11:40:10.000000000 +0200 -+++ openssh-5.5p1/auth-krb5.c 2010-06-08 11:40:11.000000000 +0200 +--- openssh-5.5p1/auth-krb5.c.kuserok 2010-07-07 13:12:01.000000000 +0200 ++++ openssh-5.5p1/auth-krb5.c 2010-07-07 13:12:03.000000000 +0200 @@ -146,9 +146,11 @@ auth_krb5_password(Authctxt *authctxt, c if (problem) goto out; @@ -17,8 +17,8 @@ diff -up openssh-5.5p1/auth-krb5.c.kuserok openssh-5.5p1/auth-krb5.c problem = ssh_krb5_cc_gen(authctxt->krb5_ctx, &authctxt->krb5_fwd_ccache); diff -up openssh-5.5p1/servconf.c.kuserok openssh-5.5p1/servconf.c ---- openssh-5.5p1/servconf.c.kuserok 2010-06-08 11:40:10.000000000 +0200 -+++ openssh-5.5p1/servconf.c 2010-06-08 11:46:20.000000000 +0200 +--- openssh-5.5p1/servconf.c.kuserok 2010-07-07 13:12:02.000000000 +0200 ++++ openssh-5.5p1/servconf.c 2010-07-07 13:12:04.000000000 +0200 @@ -137,6 +137,7 @@ initialize_server_options(ServerOptions options->zero_knowledge_password_authentication = -1; options->revoked_keys_file = NULL; 
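Review bot: The child's exit status is collected by the `waitpid` loop near the end of `user_key_via_command_allowed2` but never examined (the hunk's own `/* what about the return value from the child process? */` comment marks the gap), so keys the command printed before failing are still accepted; the status should be checked and `found_key` cleared unless the command exited 0. The same tail has two leaks: when `fdopen` fails the code jumps to `go_away` without closing `childdescriptors[0]` or reaping the child, and when `fork` fails neither pipe end is closed. `pstat` is also declared as `pid_t` although `waitpid` takes an `int *`; `int pstat;` fixes that. The rewritten tail below assumes `<sys/wait.h>` is in scope for `WIFEXITED`/`WEXITSTATUS` — the include added at the top of the hunk is unreadable here, so confirm. The function starts and ends inside this hunk.
```c
	child = fork();
	if (child == -1) {
		error("failed to fork(2) for AuthorizedKeysCommand: %s",
		    strerror(errno));
		close(childdescriptors[0]);
		close(childdescriptors[1]);
		goto go_away;
	}
	/* … unchanged: child branch (drop privs, dup2, execl) … */

	close(childdescriptors[1]);
	f = fdopen(childdescriptors[0], "r");
	if (!f) {
		error("%s: could not buffer FDs from AuthorizedKeysCommand (\"%s\", \"r\"): %s", __func__,
		    options.authorized_keys_command, strerror (errno));
		close(childdescriptors[0]);
	} else {
		found_key = user_search_key_in_file (f, options.authorized_keys_command, key, pw);
		fclose (f);
	}
	/* always reap the child, even when reading its output failed */
	do {
		pid = waitpid(child, &pstat, 0);
	} while (pid == -1 && errno == EINTR);
	/* only trust output from a command that ran to completion and exited 0 */
	if (pid != child || !WIFEXITED(pstat) || WEXITSTATUS(pstat) != 0) {
		error("AuthorizedKeysCommand \"%s\" did not exit cleanly; ignoring its output",
		    options.authorized_keys_command);
		found_key = 0;
	}
go_away:
	/* … unchanged: free progname, restore_uid, return found_key … */
```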
@@ -87,8 +87,8 @@ diff -up openssh-5.5p1/servconf.c.kuserok openssh-5.5p1/servconf.c /* string arguments */ dump_cfg_string(sPidFile, o->pid_file); diff -up openssh-5.5p1/servconf.h.kuserok openssh-5.5p1/servconf.h ---- openssh-5.5p1/servconf.h.kuserok 2010-06-08 11:40:10.000000000 +0200 -+++ openssh-5.5p1/servconf.h 2010-06-08 11:40:11.000000000 +0200 +--- openssh-5.5p1/servconf.h.kuserok 2010-07-07 13:12:02.000000000 +0200 ++++ openssh-5.5p1/servconf.h 2010-07-07 13:12:04.000000000 +0200 @@ -157,6 +157,7 @@ typedef struct { int num_permitted_opens; @@ -98,8 +98,8 @@ diff -up openssh-5.5p1/servconf.h.kuserok openssh-5.5p1/servconf.h char *revoked_keys_file; char *trusted_user_ca_keys; diff -up openssh-5.5p1/sshd_config.5.kuserok openssh-5.5p1/sshd_config.5 ---- openssh-5.5p1/sshd_config.5.kuserok 2010-06-08 11:40:10.000000000 +0200 -+++ openssh-5.5p1/sshd_config.5 2010-06-08 11:40:11.000000000 +0200 +--- openssh-5.5p1/sshd_config.5.kuserok 2010-07-07 13:12:03.000000000 +0200 ++++ openssh-5.5p1/sshd_config.5 2010-07-07 13:21:02.000000000 +0200 @@ -519,6 +519,10 @@ Specifies whether to automatically destr file on logout. The default is @@ -118,10 +118,10 @@ diff -up openssh-5.5p1/sshd_config.5.kuserok openssh-5.5p1/sshd_config.5 +.Cm KerberosUseKuserok , .Cm MaxAuthTries , .Cm MaxSessions , - .Cm PasswordAuthentication , + .Cm PubkeyAuthentication , diff -up openssh-5.5p1/sshd_config.kuserok openssh-5.5p1/sshd_config ---- openssh-5.5p1/sshd_config.kuserok 2010-06-08 11:40:10.000000000 +0200 -+++ openssh-5.5p1/sshd_config 2010-06-08 11:40:11.000000000 +0200 +--- openssh-5.5p1/sshd_config.kuserok 2010-07-07 13:12:03.000000000 +0200 ++++ openssh-5.5p1/sshd_config 2010-07-07 13:12:04.000000000 +0200 @@ -72,6 +72,7 @@ ChallengeResponseAuthentication no #KerberosOrLocalPasswd yes #KerberosTicketCleanup yes 
diff --git a/openssh-5.5p1-pka-ldap.patch b/openssh-5.5p1-ldap.patch
similarity index 81%
rename from openssh-5.5p1-pka-ldap.patch
rename to openssh-5.5p1-ldap.patch
index 850c53f..172477f 100644
--- a/openssh-5.5p1-pka-ldap.patch
+++ b/openssh-5.5p1-ldap.patch
@@ -1,385 +1,10 @@ -diff -up openssh-5.5p1/auth2-pubkey.c.pka openssh-5.5p1/auth2-pubkey.c ---- openssh-5.5p1/auth2-pubkey.c.pka 2010-05-20 07:11:47.000000000 +0200 -+++ openssh-5.5p1/auth2-pubkey.c 2010-05-20 07:11:47.000000000 +0200 -@@ -186,27 +186,15 @@ done: - - /* return 1 if user allows given key */ - static int --user_key_allowed2(struct passwd *pw, Key *key, char *file) -+user_search_key_in_file(FILE *f, char *file, Key* key, struct passwd *pw) - { - char line[SSH_MAX_PUBKEY_BYTES]; - const char *reason; - int found_key = 0; -- FILE *f; - u_long linenum = 0; - Key *found; - char *fp; - -- /* Temporarily use the user's uid. */ -- temporarily_use_uid(pw); -- -- debug("trying public key file %s", file); -- f = auth_openkeyfile(file, pw, options.strict_modes); -- -- if (!f) { -- restore_uid(); -- return 0; -- } -- - found_key = 0; - found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type); - -@@ -281,8 +269,6 @@ user_key_allowed2(struct passwd *pw, Key - break; - } - } -- restore_uid(); -- fclose(f); - key_free(found); - if (!found_key) - debug2("key not found"); -@@ -329,13 +315,153 @@ user_cert_trusted_ca(struct passwd *pw, - return ret; - } - --/* check whether given key is in .ssh/authorized_keys* */ -+/* return 1 if user allows given key */ -+static int -+user_key_allowed2(struct passwd *pw, Key *key, char *file) -+{ -+ FILE *f; -+ int found_key = 0; -+ -+ /* Temporarily use the user's uid. 
*/ -+ temporarily_use_uid(pw); -+ -+ debug("trying public key file %s", file); -+ f = auth_openkeyfile(file, pw, options.strict_modes); -+ -+ if (f) { -+ found_key = user_search_key_in_file (f, file, key, pw); -+ fclose(f); -+ } -+ -+ restore_uid(); -+ return found_key; -+} -+ -+#ifdef WITH_PUBKEY_AGENT -+ -+#define WHITESPACE " \t\r\n" -+ -+/* return 1 if user allows given key */ -+static int -+user_key_via_agent_allowed2(struct passwd *pw, Key *key) -+{ -+ FILE *f; -+ int found_key = 0; -+ char *pubkey_agent_string = NULL; -+ char *tmp_pubkey_agent_string = NULL; -+ char *progname; -+ char *cp; -+ struct passwd *runas_pw; -+ struct stat st; -+ -+ if (options.pubkey_agent == NULL || options.pubkey_agent[0] != '/') -+ return -1; -+ -+ /* get the run as identity from config */ -+ runas_pw = (options.pubkey_agent_runas == NULL)? pw -+ : getpwnam (options.pubkey_agent_runas); -+ if (!runas_pw) { -+ error("%s: getpwnam(\"%s\"): %s", __func__, -+ options.pubkey_agent_runas, strerror(errno)); -+ return 0; -+ } -+ -+ /* Temporarily use the specified uid. 
*/ -+ if (runas_pw->pw_uid != 0) -+ temporarily_use_uid(runas_pw); -+ -+ pubkey_agent_string = percent_expand(options.pubkey_agent, -+ "h", pw->pw_dir, "u", pw->pw_name, (char *)NULL); -+ -+ /* Test whether agent can be modified by non root user */ -+ tmp_pubkey_agent_string = xstrdup (pubkey_agent_string); -+ progname = strtok (tmp_pubkey_agent_string, WHITESPACE); -+ -+ debug3("%s: checking program '%s'", __func__, progname); -+ -+ if (stat (progname, &st) < 0) { -+ error("%s: stat(\"%s\"): %s", __func__, -+ progname, strerror(errno)); -+ goto go_away; -+ } -+ -+ if (st.st_uid != 0 || (st.st_mode & 022) != 0) { -+ error("bad ownership or modes for pubkey agent \"%s\"", -+ progname); -+ goto go_away; -+ } -+ -+ if (!S_ISREG(st.st_mode)) { -+ error("pubkey agent \"%s\" is not a regular file", -+ progname); -+ goto go_away; -+ } -+ -+ /* -+ * Descend the path, checking that each component is a -+ * root-owned directory with strict permissions. -+ */ -+ do { -+ if ((cp = strrchr(progname, '/')) == NULL) -+ break; -+ else -+ *cp = '\0'; -+ -+ debug3("%s: checking component '%s'", __func__, progname); -+ -+ if (stat(progname, &st) != 0) { -+ error("%s: stat(\"%s\"): %s", __func__, -+ progname, strerror(errno)); -+ goto go_away; -+ } -+ if (st.st_uid != 0 || (st.st_mode & 022) != 0) { -+ error("bad ownership or modes for pubkey agent path component \"%s\"", -+ progname); -+ goto go_away; -+ } -+ if (!S_ISDIR(st.st_mode)) { -+ error("pubkey agent path component \"%s\" is not a directory", -+ progname); -+ goto go_away; -+ } -+ } while (0); -+ -+ /* open the pipe and read the keys */ -+ f = popen (pubkey_agent_string, "r"); -+ if (!f) { -+ error("%s: popen (\"%s\", \"r\"): %s", __func__, -+ pubkey_agent_string, strerror (errno)); -+ goto go_away; -+ } -+ -+ found_key = user_search_key_in_file (f, options.pubkey_agent, key, pw); -+ pclose (f); -+ -+go_away: -+ if (tmp_pubkey_agent_string) -+ xfree (tmp_pubkey_agent_string); -+ if (pubkey_agent_string) -+ xfree 
(pubkey_agent_string); -+ -+ if (runas_pw->pw_uid != 0) -+ restore_uid(); -+ return found_key; -+} -+#endif -+ -+/* check whether given key is in = 0) -+ return success; -+#endif -+ - if (auth_key_is_revoked(key)) - return 0; - if (key_is_cert(key) && auth_key_is_revoked(key->cert->signature_key)) -diff -up openssh-5.5p1/config.h.in.pka openssh-5.5p1/config.h.in ---- openssh-5.5p1/config.h.in.pka 2010-04-16 02:17:09.000000000 +0200 -+++ openssh-5.5p1/config.h.in 2010-05-20 07:11:47.000000000 +0200 -@@ -1,5 +1,8 @@ - /* config.h.in. Generated from configure.ac by autoheader. */ - -+/* Define if building universal (internal helper macro) */ -+#undef AC_APPLE_UNIVERSAL_BUILD -+ - /* Define if you have a getaddrinfo that fails for the all-zeros IPv6 address - */ - #undef AIX_GETNAMEINFO_HACK -@@ -536,6 +539,57 @@ - /* Define to 1 if you have the header file. */ - #undef HAVE_LASTLOG_H - -+/* Define to 1 if you have the header file. */ -+#undef HAVE_LBER_H -+ -+/* Define to 1 if you have the `ldapssl_init' function. */ -+#undef HAVE_LDAPSSL_INIT -+ -+/* Define to 1 if you have the `ldap_controls_free' function. */ -+#undef HAVE_LDAP_CONTROLS_FREE -+ -+/* Define to 1 if you have the `ldap_get_lderrno' function. */ -+#undef HAVE_LDAP_GET_LDERRNO -+ -+/* Define to 1 if you have the `ldap_get_option' function. */ -+#undef HAVE_LDAP_GET_OPTION -+ -+/* Define to 1 if you have the header file. */ -+#undef HAVE_LDAP_H -+ -+/* Define to 1 if you have the `ldap_init' function. */ -+#undef HAVE_LDAP_INIT -+ -+/* Define to 1 if you have the `ldap_initialize' function. */ -+#undef HAVE_LDAP_INITIALIZE -+ -+/* Define to 1 if you have the `ldap_memfree' function. */ -+#undef HAVE_LDAP_MEMFREE -+ -+/* Define to 1 if you have the `ldap_parse_result' function. */ -+#undef HAVE_LDAP_PARSE_RESULT -+ -+/* Define to 1 if you have the `ldap_pvt_tls_set_option' function. */ -+#undef HAVE_LDAP_PVT_TLS_SET_OPTION -+ -+/* Define to 1 if you have the `ldap_set_lderrno' function. 
*/ -+#undef HAVE_LDAP_SET_LDERRNO -+ -+/* Define to 1 if you have the `ldap_set_option' function. */ -+#undef HAVE_LDAP_SET_OPTION -+ -+/* Define to 1 if you have the `ldap_set_rebind_proc' function. */ -+#undef HAVE_LDAP_SET_REBIND_PROC -+ -+/* Define to 1 if you have the header file. */ -+#undef HAVE_LDAP_SSL_H -+ -+/* Define to 1 if you have the `ldap_start_tls_s' function. */ -+#undef HAVE_LDAP_START_TLS_S -+ -+/* Define to 1 if you have the header file. */ -+#undef HAVE_LIBAUDIT_H -+ - /* Define to 1 if you have the `bsm' library (-lbsm). */ - #undef HAVE_LIBBSM - -@@ -575,6 +629,9 @@ - /* Define to 1 if you have the header file. */ - #undef HAVE_LIMITS_H - -+/* Define if you want Linux audit support. */ -+#undef HAVE_LINUX_AUDIT -+ - /* Define to 1 if you have the header file. */ - #undef HAVE_LINUX_IF_TUN_H - -@@ -771,6 +828,9 @@ - /* Define to 1 if you have the `setgroups' function. */ - #undef HAVE_SETGROUPS - -+/* Define to 1 if you have the `setkeycreatecon' function. */ -+#undef HAVE_SETKEYCREATECON -+ - /* Define to 1 if you have the `setlogin' function. */ - #undef HAVE_SETLOGIN - -@@ -921,13 +981,13 @@ - /* define if you have struct sockaddr_in6 data type */ - #undef HAVE_STRUCT_SOCKADDR_IN6 - --/* Define to 1 if `sin6_scope_id' is member of `struct sockaddr_in6'. */ -+/* Define to 1 if `sin6_scope_id' is a member of `struct sockaddr_in6'. */ - #undef HAVE_STRUCT_SOCKADDR_IN6_SIN6_SCOPE_ID - - /* define if you have struct sockaddr_storage data type */ - #undef HAVE_STRUCT_SOCKADDR_STORAGE - --/* Define to 1 if `st_blksize' is member of `struct stat'. */ -+/* Define to 1 if `st_blksize' is a member of `struct stat'. */ - #undef HAVE_STRUCT_STAT_ST_BLKSIZE - - /* Define to 1 if the system has the type `struct timespec'. 
*/ -@@ -1191,6 +1251,9 @@ - /* Define if pututxline updates lastlog too */ - #undef LASTLOG_WRITE_PUTUTXLINE - -+/* number arguments of ldap_set_rebind_proc */ -+#undef LDAP_SET_REBIND_PROC_ARGS -+ - /* Define if you want TCP Wrappers support */ - #undef LIBWRAP - -@@ -1274,6 +1337,9 @@ - /* Define to the one symbol short name of this package. */ - #undef PACKAGE_TARNAME - -+/* Define to the home page for this package. */ -+#undef PACKAGE_URL -+ - /* Define to the version of this package. */ - #undef PACKAGE_VERSION - -@@ -1360,6 +1426,10 @@ - /* Prepend the address family to IP tunnel traffic */ - #undef SSH_TUN_PREPEND_AF - -+/* Define to your vendor patch level, if it has been modified from the -+ upstream source release. */ -+#undef SSH_VENDOR_PATCHLEVEL -+ - /* Define to 1 if you have the ANSI C header files. */ - #undef STDC_HEADERS - -@@ -1418,12 +1488,26 @@ - /* Define if you want IRIX project management */ - #undef WITH_IRIX_PROJECT - -+/* Enable LDAP pubkey support */ -+#undef WITH_LDAP_PUBKEY -+ -+/* Enable pubkey agent support */ -+#undef WITH_PUBKEY_AGENT -+ - /* Define if you want SELinux support. */ - #undef WITH_SELINUX - --/* Define to 1 if your processor stores words with the most significant byte -- first (like Motorola and SPARC, unlike Intel and VAX). */ --#undef WORDS_BIGENDIAN -+/* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most -+ significant byte first (like Motorola and SPARC, unlike Intel). 
*/ -+#if defined AC_APPLE_UNIVERSAL_BUILD -+# if defined __BIG_ENDIAN__ -+# define WORDS_BIGENDIAN 1 -+# endif -+#else -+# ifndef WORDS_BIGENDIAN -+# undef WORDS_BIGENDIAN -+# endif -+#endif - - /* Define if xauth is found in your path */ - #undef XAUTH_PATH -diff -up openssh-5.5p1/configure.ac.pka openssh-5.5p1/configure.ac ---- openssh-5.5p1/configure.ac.pka 2010-05-20 07:11:47.000000000 +0200 -+++ openssh-5.5p1/configure.ac 2010-05-20 07:11:47.000000000 +0200 -@@ -1346,6 +1346,118 @@ AC_ARG_WITH(audit, - esac ] +diff -up openssh-5.5p1/configure.ac.ldap openssh-5.5p1/configure.ac +--- openssh-5.5p1/configure.ac.ldap 2010-07-07 14:36:34.000000000 +0200 ++++ openssh-5.5p1/configure.ac 2010-07-07 14:36:34.000000000 +0200 +@@ -1358,6 +1358,106 @@ AC_ARG_WITH(authorized-keys-command, + ] ) -+# Check whether user wants pubkey agent support -+PKA_MSG="no" -+AC_ARG_WITH(pka, -+ [ --with-pka Enable pubkey agent support], -+ [ -+ if test "x$withval" != "xno" ; then -+ AC_DEFINE([WITH_PUBKEY_AGENT], 1, [Enable pubkey agent support]) -+ PKA_MSG="yes" -+ fi -+ ] -+) -+ +# Check whether user wants LDAP support +LDAP_MSG="no" +INSTALL_SSH_LDAP_HELPER="" 
@@ -483,18 +108,9 @@ diff -up openssh-5.5p1/configure.ac.pka openssh-5.5p1/configure.ac dnl Checks for library functions. Please keep in alphabetical order AC_CHECK_FUNCS( \ arc4random \ -@@ -4202,6 +4314,8 @@ echo " Linux audit support - echo " Smartcard support: $SCARD_MSG" - echo " S/KEY support: $SKEY_MSG" - echo " TCP Wrappers support: $TCPW_MSG" -+echo " PKA support: $PKA_MSG" -+echo " LDAP support: $LDAP_MSG" - echo " MD5 password support: $MD5_MSG" - echo " libedit support: $LIBEDIT_MSG" - echo " Solaris process contract support: $SPC_MSG" -diff -up openssh-5.5p1/ldapbody.c.pka openssh-5.5p1/ldapbody.c ---- openssh-5.5p1/ldapbody.c.pka 2010-05-20 07:11:47.000000000 +0200 -+++ openssh-5.5p1/ldapbody.c 2010-05-20 07:11:47.000000000 +0200 +diff -up openssh-5.5p1/ldapbody.c.ldap openssh-5.5p1/ldapbody.c +--- openssh-5.5p1/ldapbody.c.ldap 2010-07-07 14:36:34.000000000 +0200 ++++ openssh-5.5p1/ldapbody.c 2010-07-07 14:36:34.000000000 +0200 @@ -0,0 +1,494 @@ +/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -990,9 +606,9 @@ diff -up openssh-5.5p1/ldapbody.c.pka openssh-5.5p1/ldapbody.c + return; +} + -diff -up openssh-5.5p1/ldapbody.h.pka openssh-5.5p1/ldapbody.h ---- openssh-5.5p1/ldapbody.h.pka 2010-05-20 07:11:47.000000000 +0200 -+++ openssh-5.5p1/ldapbody.h 2010-05-20 07:11:47.000000000 +0200 +diff -up openssh-5.5p1/ldapbody.h.ldap openssh-5.5p1/ldapbody.h +--- openssh-5.5p1/ldapbody.h.ldap 2010-07-07 14:36:34.000000000 +0200 ++++ openssh-5.5p1/ldapbody.h 2010-07-07 14:36:34.000000000 +0200 @@ -0,0 +1,37 @@ +/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* 
@@ -1031,9 +647,9 @@ diff -up openssh-5.5p1/ldapbody.h.pka openssh-5.5p1/ldapbody.h + +#endif /* LDAPBODY_H */ + -diff -up openssh-5.5p1/ldapconf.c.pka openssh-5.5p1/ldapconf.c ---- openssh-5.5p1/ldapconf.c.pka 2010-05-20 07:11:47.000000000 +0200 -+++ openssh-5.5p1/ldapconf.c 2010-05-20 07:11:47.000000000 +0200 +diff -up openssh-5.5p1/ldapconf.c.ldap openssh-5.5p1/ldapconf.c +--- openssh-5.5p1/ldapconf.c.ldap 2010-07-07 14:36:34.000000000 +0200 ++++ openssh-5.5p1/ldapconf.c 2010-07-07 14:36:34.000000000 +0200 @@ -0,0 +1,682 @@ +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -1717,9 +1333,9 @@ diff -up openssh-5.5p1/ldapconf.c.pka openssh-5.5p1/ldapconf.c + dump_cfg_string(lSSH_Filter, options.ssh_filter); +} + -diff -up openssh-5.5p1/ldapconf.h.pka openssh-5.5p1/ldapconf.h ---- openssh-5.5p1/ldapconf.h.pka 2010-05-20 07:11:47.000000000 +0200 -+++ openssh-5.5p1/ldapconf.h 2010-05-20 07:11:47.000000000 +0200 +diff -up openssh-5.5p1/ldapconf.h.ldap openssh-5.5p1/ldapconf.h +--- openssh-5.5p1/ldapconf.h.ldap 2010-07-07 14:36:34.000000000 +0200 ++++ openssh-5.5p1/ldapconf.h 2010-07-07 14:36:34.000000000 +0200 @@ -0,0 +1,71 @@ +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -1792,11 +1408,11 @@ diff -up openssh-5.5p1/ldapconf.h.pka openssh-5.5p1/ldapconf.h +void dump_config(void); + +#endif /* LDAPCONF_H */ -diff -up openssh-5.5p1/ldap.conf.pka openssh-5.5p1/ldap.conf ---- openssh-5.5p1/ldap.conf.pka 2010-05-20 07:11:47.000000000 +0200 -+++ openssh-5.5p1/ldap.conf 2010-05-20 07:11:47.000000000 +0200 +diff -up openssh-5.5p1/ldap.conf.ldap openssh-5.5p1/ldap.conf +--- openssh-5.5p1/ldap.conf.ldap 2010-07-07 14:36:34.000000000 +0200 ++++ openssh-5.5p1/ldap.conf 2010-07-07 14:36:34.000000000 +0200 @@ -0,0 +1,88 @@ -+# $Id: ldap.conf,v 1.0 2010/03/13 21:41:34 jfch Exp $ ++# $Id: openssh-5.5p1-ldap.patch,v 1.3 2010/07/07 13:48:36 jfch2222 Exp $ +# +# This is the example configuration file for the OpenSSH +# LDAP backend 
@@ -1884,9 +1500,9 @@ diff -up openssh-5.5p1/ldap.conf.pka openssh-5.5p1/ldap.conf +#tls_cert +#tls_key + -diff -up openssh-5.5p1/ldap-helper.c.pka openssh-5.5p1/ldap-helper.c ---- openssh-5.5p1/ldap-helper.c.pka 2010-05-20 07:11:47.000000000 +0200 -+++ openssh-5.5p1/ldap-helper.c 2010-05-20 07:11:47.000000000 +0200 +diff -up openssh-5.5p1/ldap-helper.c.ldap openssh-5.5p1/ldap-helper.c +--- openssh-5.5p1/ldap-helper.c.ldap 2010-07-07 14:36:34.000000000 +0200 ++++ openssh-5.5p1/ldap-helper.c 2010-07-07 14:36:34.000000000 +0200 @@ -0,0 +1,154 @@ +/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -2042,9 +1658,9 @@ diff -up openssh-5.5p1/ldap-helper.c.pka openssh-5.5p1/ldap-helper.c +void *buffer_get_string(Buffer *b, u_int *l) {} +void buffer_put_string(Buffer *b, const void *f, u_int l) {} + -diff -up openssh-5.5p1/ldap-helper.h.pka openssh-5.5p1/ldap-helper.h ---- openssh-5.5p1/ldap-helper.h.pka 2010-05-20 07:11:47.000000000 +0200 -+++ openssh-5.5p1/ldap-helper.h 2010-05-20 07:11:47.000000000 +0200 +diff -up openssh-5.5p1/ldap-helper.h.ldap openssh-5.5p1/ldap-helper.h +--- openssh-5.5p1/ldap-helper.h.ldap 2010-07-07 14:36:34.000000000 +0200 ++++ openssh-5.5p1/ldap-helper.h 2010-07-07 14:36:34.000000000 +0200 @@ -0,0 +1,32 @@ +/* $OpenBSD: ldap-helper.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -2078,9 +1694,9 @@ diff -up openssh-5.5p1/ldap-helper.h.pka openssh-5.5p1/ldap-helper.h +extern int config_warning_config_file; + +#endif /* LDAP_HELPER_H */ -diff -up openssh-5.5p1/ldapincludes.h.pka openssh-5.5p1/ldapincludes.h ---- openssh-5.5p1/ldapincludes.h.pka 2010-05-20 07:11:47.000000000 +0200 -+++ openssh-5.5p1/ldapincludes.h 2010-05-20 07:11:47.000000000 +0200 +diff -up openssh-5.5p1/ldapincludes.h.ldap openssh-5.5p1/ldapincludes.h +--- openssh-5.5p1/ldapincludes.h.ldap 2010-07-07 14:36:34.000000000 +0200 ++++ openssh-5.5p1/ldapincludes.h 2010-07-07 14:36:34.000000000 +0200 
@@ -0,0 +1,41 @@ +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -2123,9 +1739,9 @@ diff -up openssh-5.5p1/ldapincludes.h.pka openssh-5.5p1/ldapincludes.h +#endif + +#endif /* LDAPINCLUDES_H */ -diff -up openssh-5.5p1/ldapmisc.c.pka openssh-5.5p1/ldapmisc.c ---- openssh-5.5p1/ldapmisc.c.pka 2010-05-20 07:11:47.000000000 +0200 -+++ openssh-5.5p1/ldapmisc.c 2010-05-20 07:11:47.000000000 +0200 +diff -up openssh-5.5p1/ldapmisc.c.ldap openssh-5.5p1/ldapmisc.c +--- openssh-5.5p1/ldapmisc.c.ldap 2010-07-07 14:36:34.000000000 +0200 ++++ openssh-5.5p1/ldapmisc.c 2010-07-07 14:36:34.000000000 +0200 @@ -0,0 +1,79 @@ + +#include "ldapincludes.h" @@ -2206,9 +1822,9 @@ diff -up openssh-5.5p1/ldapmisc.c.pka openssh-5.5p1/ldapmisc.c +} +#endif + -diff -up openssh-5.5p1/ldapmisc.h.pka openssh-5.5p1/ldapmisc.h ---- openssh-5.5p1/ldapmisc.h.pka 2010-05-20 07:11:47.000000000 +0200 -+++ openssh-5.5p1/ldapmisc.h 2010-05-20 07:11:47.000000000 +0200 +diff -up openssh-5.5p1/ldapmisc.h.ldap openssh-5.5p1/ldapmisc.h +--- openssh-5.5p1/ldapmisc.h.ldap 2010-07-07 14:36:35.000000000 +0200 ++++ openssh-5.5p1/ldapmisc.h 2010-07-07 14:36:35.000000000 +0200 @@ -0,0 +1,35 @@ +/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -2245,9 +1861,9 @@ diff -up openssh-5.5p1/ldapmisc.h.pka openssh-5.5p1/ldapmisc.h + +#endif /* LDAPMISC_H */ + -diff -up openssh-5.5p1/lpk-user-example.txt.pka openssh-5.5p1/lpk-user-example.txt ---- openssh-5.5p1/lpk-user-example.txt.pka 2010-05-20 07:11:47.000000000 +0200 -+++ openssh-5.5p1/lpk-user-example.txt 2010-05-20 07:11:47.000000000 +0200 +diff -up openssh-5.5p1/lpk-user-example.txt.ldap openssh-5.5p1/lpk-user-example.txt +--- openssh-5.5p1/lpk-user-example.txt.ldap 2010-07-07 14:36:35.000000000 +0200 ++++ openssh-5.5p1/lpk-user-example.txt 2010-07-07 14:36:35.000000000 +0200 @@ -0,0 +1,117 @@ + +Post to ML -> User Made Quick Install Doc. 
@@ -2366,9 +1982,9 @@ diff -up openssh-5.5p1/lpk-user-example.txt.pka openssh-5.5p1/lpk-user-example.t +puTTY). Login should succeed. + +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ -diff -up openssh-5.5p1/Makefile.in.pka openssh-5.5p1/Makefile.in ---- openssh-5.5p1/Makefile.in.pka 2010-03-13 22:41:34.000000000 +0100 -+++ openssh-5.5p1/Makefile.in 2010-05-20 07:11:48.000000000 +0200 +diff -up openssh-5.5p1/Makefile.in.ldap openssh-5.5p1/Makefile.in +--- openssh-5.5p1/Makefile.in.ldap 2010-03-13 22:41:34.000000000 +0100 ++++ openssh-5.5p1/Makefile.in 2010-07-07 14:36:35.000000000 +0200 @@ -26,6 +26,7 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpas SFTP_SERVER=$(libexecdir)/sftp-server SSH_KEYSIGN=$(libexecdir)/ssh-keysign 
@@ -2388,9 +2004,26 @@ diff -up openssh-5.5p1/Makefile.in.pka openssh-5.5p1/Makefile.in LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \ canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \ -@@ -93,8 +95,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw +@@ -74,11 +76,11 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o b + monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o \ + kexgex.o kexdhc.o kexgexc.o msg.o progressmeter.o dns.o \ + entropy.o gss-genr.o umac.o jpake.o schnorr.o \ +- ssh-pkcs11.o ++ ssh-pkcs11.o + + SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ + sshconnect.o sshconnect1.o sshconnect2.o mux.o \ +- roaming_common.o roaming_client.o ++ roaming_common.o roaming_client.o + + SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ + sshpty.o sshlogin.o servconf.o serverloop.o \ +@@ -91,10 +93,10 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw + auth2-gss.o gss-serv.o gss-serv-krb5.o \ + loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ audit.o audit-bsm.o platform.o sftp-server.o sftp-common.o \ - roaming_common.o roaming_serv.o +- roaming_common.o roaming_serv.o ++ roaming_common.o roaming_serv.o -MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out -MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 
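Review bot: The inner hunks added to the Makefile.in part of the patch (`+@@ -74,11 +76,11 @@` and the widened `+@@ -91,10 +93,10 @@`) replace `ssh-pkcs11.o`, `roaming_common.o roaming_client.o` and `roaming_common.o roaming_serv.o` with lines that read identically, so they appear to be whitespace-only changes now carried by the LDAP patch. They touch the LIBSSH_OBJS and SSHOBJS definitions that the patch does not otherwise modify, which widens its footprint and makes future rebases onto a new OpenSSH release more conflict-prone without any functional gain. I would regenerate this part of the patch so that the Makefile.in diff carries only the LDAP-related additions and leaves the untouched object lists byte-identical to upstream.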
@@ -2452,9 +2085,9 @@ diff -up openssh-5.5p1/Makefile.in.pka openssh-5.5p1/Makefile.in -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 tests interop-tests: $(TARGETS) -diff -up openssh-5.5p1/openssh-lpk-openldap.schema.pka openssh-5.5p1/openssh-lpk-openldap.schema ---- openssh-5.5p1/openssh-lpk-openldap.schema.pka 2010-05-20 07:11:48.000000000 +0200 -+++ openssh-5.5p1/openssh-lpk-openldap.schema 2010-05-20 07:11:48.000000000 +0200 +diff -up openssh-5.5p1/openssh-lpk-openldap.schema.ldap openssh-5.5p1/openssh-lpk-openldap.schema +--- openssh-5.5p1/openssh-lpk-openldap.schema.ldap 2010-07-07 14:36:35.000000000 +0200 ++++ openssh-5.5p1/openssh-lpk-openldap.schema 2010-07-07 14:36:35.000000000 +0200 @@ -0,0 +1,21 @@ +# +# LDAP Public Key Patch schema for use with openssh-ldappubkey @@ -2477,9 +2110,9 @@ diff -up openssh-5.5p1/openssh-lpk-openldap.schema.pka openssh-5.5p1/openssh-lpk + DESC 'MANDATORY: OpenSSH LPK objectclass' + MUST ( sshPublicKey $ uid ) + ) -diff -up openssh-5.5p1/openssh-lpk-sun.schema.pka openssh-5.5p1/openssh-lpk-sun.schema ---- openssh-5.5p1/openssh-lpk-sun.schema.pka 2010-05-20 07:11:48.000000000 +0200 -+++ openssh-5.5p1/openssh-lpk-sun.schema 2010-05-20 07:11:48.000000000 +0200 +diff -up openssh-5.5p1/openssh-lpk-sun.schema.ldap openssh-5.5p1/openssh-lpk-sun.schema +--- openssh-5.5p1/openssh-lpk-sun.schema.ldap 2010-07-07 14:36:35.000000000 +0200 ++++ openssh-5.5p1/openssh-lpk-sun.schema 2010-07-07 14:36:35.000000000 +0200 @@ -0,0 +1,23 @@ +# +# LDAP Public Key Patch schema for use with openssh-ldappubkey 
@@ -2504,9 +2137,9 @@ diff -up openssh-5.5p1/openssh-lpk-sun.schema.pka openssh-5.5p1/openssh-lpk-sun. + DESC 'MANDATORY: OpenSSH LPK objectclass' + MUST ( sshPublicKey $ uid ) + ) -diff -up openssh-5.5p1/README.lpk.pka openssh-5.5p1/README.lpk ---- openssh-5.5p1/README.lpk.pka 2010-05-20 07:11:48.000000000 +0200 -+++ openssh-5.5p1/README.lpk 2010-05-20 07:11:48.000000000 +0200 +diff -up openssh-5.5p1/README.lpk.ldap openssh-5.5p1/README.lpk +--- openssh-5.5p1/README.lpk.ldap 2010-07-07 14:36:35.000000000 +0200 ++++ openssh-5.5p1/README.lpk 2010-07-07 14:36:35.000000000 +0200 @@ -0,0 +1,274 @@ +OpenSSH LDAP PUBLIC KEY PATCH +Copyright (c) 2003 Eric AUGE (eau@phear.org) @@ -2626,8 +2259,8 @@ diff -up openssh-5.5p1/README.lpk.pka openssh-5.5p1/README.lpk + + 2 tokens are added to sshd_config : + # here is the new patched ldap related tokens -+ PubkeyAgent /usr/libexec/openssh/ssh-ldap-helper -s %u -+ PubkeyAgentRunAs nobody ++ AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-helper -s %u ++ AuthorizedKeysCommandRunAs nobody + + The LDAP configuratin is read from common /etc/ldap.conf configuration file. +There is also one optional parameter in the LDAP configuration file, SSH_Filter, which is a LDAP filter limiting keys to be searched. 
@@ -2782,166 +2415,9 @@ diff -up openssh-5.5p1/README.lpk.pka openssh-5.5p1/README.lpk +- CONTACT : + Jan F. Chadima + -diff -up openssh-5.5p1/servconf.c.pka openssh-5.5p1/servconf.c ---- openssh-5.5p1/servconf.c.pka 2010-05-20 07:11:47.000000000 +0200 -+++ openssh-5.5p1/servconf.c 2010-05-20 07:11:48.000000000 +0200 -@@ -129,6 +129,8 @@ initialize_server_options(ServerOptions - options->num_permitted_opens = -1; - options->adm_forced_command = NULL; - options->chroot_directory = NULL; -+ options->pubkey_agent = NULL; -+ options->pubkey_agent_runas = NULL; - options->zero_knowledge_password_authentication = -1; - options->revoked_keys_file = NULL; - options->trusted_user_ca_keys = NULL; -@@ -315,6 +317,7 @@ typedef enum { - sUsePrivilegeSeparation, sAllowAgentForwarding, - sZeroKnowledgePasswordAuthentication, sHostCertificate, - sRevokedKeys, sTrustedUserCAKeys, -+ sPubkeyAgent, sPubkeyAgentRunAs, - sDeprecated, sUnsupported - } ServerOpCodes; - -@@ -437,6 +440,13 @@ static struct { - { "hostcertificate", sHostCertificate, SSHCFG_GLOBAL }, - { "revokedkeys", sRevokedKeys, SSHCFG_ALL }, - { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL }, -+#ifdef WITH_PUBKEY_AGENT -+ { "pubkeyagent", sPubkeyAgent, SSHCFG_ALL }, -+ { "pubkeyagentrunas", sPubkeyAgentRunAs, SSHCFG_ALL }, -+#else -+ { "pubkeyagent", sUnsupported, SSHCFG_ALL }, -+ { "pubkeyagentrunas", sUnsupported, SSHCFG_ALL }, -+#endif - { NULL, sBadOption, 0 } - }; - -@@ -1354,6 +1364,20 @@ process_server_config_line(ServerOptions - charptr = &options->revoked_keys_file; - goto parse_filename; - -+ case sPubkeyAgent: -+ len = strspn(cp, WHITESPACE); -+ if (*activep && options->pubkey_agent == NULL) -+ options->pubkey_agent = xstrdup(cp + len); -+ return 0; -+ -+ case sPubkeyAgentRunAs: -+ charptr = &options->pubkey_agent_runas; -+ -+ arg = strdelim(&cp); -+ if (*activep && *charptr == NULL) -+ *charptr = xstrdup(arg); -+ break; -+ - case sDeprecated: - logit("%s line %d: Deprecated option %s", - filename, 
linenum, arg); -@@ -1447,6 +1471,8 @@ copy_set_server_options(ServerOptions *d - M_CP_INTOPT(gss_authentication); - M_CP_INTOPT(rsa_authentication); - M_CP_INTOPT(pubkey_authentication); -+ M_CP_STROPT(pubkey_agent); -+ M_CP_STROPT(pubkey_agent_runas); - M_CP_INTOPT(kerberos_authentication); - M_CP_INTOPT(hostbased_authentication); - M_CP_INTOPT(kbd_interactive_authentication); -@@ -1692,6 +1718,8 @@ dump_config(ServerOptions *o) - dump_cfg_string(sChrootDirectory, o->chroot_directory); - dump_cfg_string(sTrustedUserCAKeys, o->trusted_user_ca_keys); - dump_cfg_string(sRevokedKeys, o->revoked_keys_file); -+ dump_cfg_string(sPubkeyAgent, o->pubkey_agent); -+ dump_cfg_string(sPubkeyAgentRunAs, o->pubkey_agent_runas); - - /* string arguments requiring a lookup */ - dump_cfg_string(sLogLevel, log_level_name(o->log_level)); -diff -up openssh-5.5p1/servconf.h.pka openssh-5.5p1/servconf.h ---- openssh-5.5p1/servconf.h.pka 2010-05-20 07:11:47.000000000 +0200 -+++ openssh-5.5p1/servconf.h 2010-05-20 07:11:48.000000000 +0200 -@@ -157,6 +157,8 @@ typedef struct { - char *chroot_directory; - char *revoked_keys_file; - char *trusted_user_ca_keys; -+ char *pubkey_agent; -+ char *pubkey_agent_runas; - } ServerOptions; - - void initialize_server_options(ServerOptions *); -diff -up openssh-5.5p1/sshd_config.0.pka openssh-5.5p1/sshd_config.0 ---- openssh-5.5p1/sshd_config.0.pka 2010-05-20 07:11:47.000000000 +0200 -+++ openssh-5.5p1/sshd_config.0 2010-05-20 07:11:48.000000000 +0200 -@@ -352,7 +352,8 @@ DESCRIPTION - KbdInteractiveAuthentication, KerberosAuthentication, - MaxAuthTries, MaxSessions, PasswordAuthentication, - PermitEmptyPasswords, PermitOpen, PermitRootLogin, -- PubkeyAuthentication, RhostsRSAAuthentication, RSAAuthentication, -+ PubkeyAuthentication, PubkeyAgent, PubkeyAgentRunAs, -+ RhostsRSAAuthentication, RSAAuthentication, - X11DisplayOffset, X11Forwarding and X11UseLocalHost. 
- - MaxAuthTries -@@ -467,6 +468,17 @@ DESCRIPTION - this file is not readable, then public key authentication will be - refused for all users. - -+ PubkeyAgent -+ Specifies which agent is used for lookup of the user's public -+ keys. Empty string means to use the authorized_keys file. By -+ default there is no PubkeyAgent set. Note that this option has -+ an effect only with PubkeyAuthentication switched on. -+ -+ PubkeyAgentRunAs -+ Specifies the user under whose account the PubkeyAgent is run. -+ Empty string (the default value) means the user being authorized -+ is used. -+ - RhostsRSAAuthentication - Specifies whether rhosts or /etc/hosts.equiv authentication to- - gether with successful RSA host authentication is allowed. The -diff -up openssh-5.5p1/sshd_config.5.pka openssh-5.5p1/sshd_config.5 ---- openssh-5.5p1/sshd_config.5.pka 2010-05-20 07:11:47.000000000 +0200 -+++ openssh-5.5p1/sshd_config.5 2010-05-20 07:11:48.000000000 +0200 -@@ -623,6 +623,8 @@ Available keywords are - .Cm PermitOpen , - .Cm PermitRootLogin , - .Cm PubkeyAuthentication , -+.Cm PubkeyAgent , -+.Cm PubkeyAgentRunAs , - .Cm RhostsRSAAuthentication , - .Cm RSAAuthentication , - .Cm X11DisplayOffset , -@@ -819,6 +821,16 @@ Specifies a list of revoked public keys. - Keys listed in this file will be refused for public key authentication. - Note that if this file is not readable, then public key authentication will - be refused for all users. -+.It Cm PubkeyAgent -+Specifies which agent is used for lookup of the user's public -+keys. Empty string means to use the authorized_keys file. -+By default there is no PubkeyAgent set. -+Note that this option has an effect only with PubkeyAuthentication -+switched on. -+.It Cm PubkeyAgentRunAs -+Specifies the user under whose account the PubkeyAgent is run. Empty -+string (the default value) means the user being authorized is used. 
-+.Dq - .It Cm RhostsRSAAuthentication - Specifies whether rhosts or /etc/hosts.equiv authentication together - with successful RSA host authentication is allowed. -diff -up openssh-5.5p1/sshd_config.pka openssh-5.5p1/sshd_config ---- openssh-5.5p1/sshd_config.pka 2010-05-20 07:11:47.000000000 +0200 -+++ openssh-5.5p1/sshd_config 2010-05-20 07:11:48.000000000 +0200 -@@ -45,6 +45,8 @@ SyslogFacility AUTHPRIV - #RSAAuthentication yes - #PubkeyAuthentication yes - #AuthorizedKeysFile .ssh/authorized_keys -+#PubkeyAgent none -+#PubkeyAgentRunAs nobody - - # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts - #RhostsRSAAuthentication no -diff -up openssh-5.5p1/ssh-ldap.conf.5.pka openssh-5.5p1/ssh-ldap.conf.5 ---- openssh-5.5p1/ssh-ldap.conf.5.pka 2010-05-20 07:11:48.000000000 +0200 -+++ openssh-5.5p1/ssh-ldap.conf.5 2010-05-20 08:22:10.000000000 +0200 +diff -up openssh-5.5p1/ssh-ldap.conf.5.ldap openssh-5.5p1/ssh-ldap.conf.5 +--- openssh-5.5p1/ssh-ldap.conf.5.ldap 2010-07-07 14:36:35.000000000 +0200 ++++ openssh-5.5p1/ssh-ldap.conf.5 2010-07-07 14:36:35.000000000 +0200 @@ -0,0 +1,373 @@ +.\" $OpenBSD: ssh-ldap.conf.5,v 1.1 2010/02/10 23:20:38 markus Exp $ +.\" @@ -3316,9 +2792,9 @@ diff -up openssh-5.5p1/ssh-ldap.conf.5.pka openssh-5.5p1/ssh-ldap.conf.5 +OpenSSH 5.5 + PKA-LDAP . +.Sh AUTHORS +.An Jan F. Chadima Aq jchadima@redhat.com -diff -up openssh-5.5p1/ssh-ldap-helper.8.pka openssh-5.5p1/ssh-ldap-helper.8 ---- openssh-5.5p1/ssh-ldap-helper.8.pka 2010-05-20 07:11:48.000000000 +0200 -+++ openssh-5.5p1/ssh-ldap-helper.8 2010-05-20 07:21:14.000000000 +0200 +diff -up openssh-5.5p1/ssh-ldap-helper.8.ldap openssh-5.5p1/ssh-ldap-helper.8 +--- openssh-5.5p1/ssh-ldap-helper.8.ldap 2010-07-07 14:36:35.000000000 +0200 ++++ openssh-5.5p1/ssh-ldap-helper.8 2010-07-07 14:36:35.000000000 +0200 @@ -0,0 +1,78 @@ +.\" $OpenBSD: ssh-ldap-helper.8,v 1.1 2010/02/10 23:20:38 markus Exp $ +.\" 
@@ -3357,7 +2833,7 @@ diff -up openssh-5.5p1/ssh-ldap-helper.8.pka openssh-5.5p1/ssh-ldap-helper.8 +sshd configuration file +.Pa /etc/ssh/sshd_config +by setting -+.Cm PubkeyAgent ++.Cm AuthorizedKeysCommand +to +.Dq /usr/libexec/ssh-ldap-helper -s %u . +.Pp diff --git a/openssh.spec b/openssh.spec index 0d30bc0..9108eab 100644 --- a/openssh.spec +++ b/openssh.spec @@ -70,7 +70,7 @@ %endif # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 -%define openssh_rel 17 +%define openssh_rel 18 %define openssh_ver 5.5p1 %define pam_ssh_agent_rel 26 %define pam_ssh_agent_ver 0.9.2 @@ -106,7 +106,8 @@ Patch13: openssh-5.5p1-mls.patch Patch16: openssh-5.3p1-audit.patch Patch18: openssh-5.4p1-pam_selinux.patch #https://bugzilla.mindrot.org/show_bug.cgi?id=1663 -Patch20: openssh-5.5p1-pka-ldap.patch +Patch20: openssh-5.5p1-authorized-keys-command.patch +Patch21: openssh-5.5p1-ldap.patch #https://bugzilla.mindrot.org/show_bug.cgi?id=1668 Patch23: openssh-5.5p1-keygen.patch Patch24: openssh-4.3p1-fromto-remote.patch @@ -286,7 +287,8 @@ popd %patch18 -p1 -b .pam_selinux %endif -%patch20 -p1 -b .pka +%patch20 -p1 -b .akc +%patch21 -p1 -b .ldap %patch23 -p1 -b .keygen %patch24 -p1 -b .fromto-remote %patch27 -p1 -b .log-chroot @@ -586,6 +588,9 @@ fi %endif %changelog +* Wed Jul 7 2010 Jan F. Chadima - 5.5p1-18 + 0.9.2-26 +- merged with newer bugzilla's version of authorized keys command patch + * Wed Jun 30 2010 Jan F. Chadima - 5.5p1-17 + 0.9.2-26 - improved the x11 patch according to upstream (#598671)
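Review bot: The new `Patch21: openssh-5.5p1-ldap.patch` entry is applied right after `Patch20`, but nothing in the spec records that it depends on it: README.lpk and ssh-ldap-helper.8 inside the LDAP patch now document `AuthorizedKeysCommand` and `AuthorizedKeysCommandRunAs`, which are presumably introduced by the authorized-keys-command patch, so applying `%patch21` without `%patch20` would leave documentation for options sshd does not recognise. A one-line comment above the entry, such as `# depends on the AuthorizedKeysCommand patch (Patch20)`, would make the ordering constraint explicit for the next person who reorders or drops patches. The `#https://bugzilla.mindrot.org/show_bug.cgi?id=1663` comment now also sits above both entries; if only one of the two patches tracks that bug, the comment should say which.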