forked from rpms/openssh
adapt openssh-6.1p1-akc.patch to the upstream version - https://bugzilla.mindrot.org/show_bug.cgi?id=1663
This commit is contained in:
parent
52c8eca4d9
commit
f7f8b483b0
@ -1,6 +1,24 @@
|
||||
diff -up openssh-5.9p0/HOWTO.ssh-keycat.keycat openssh-5.9p0/HOWTO.ssh-keycat
|
||||
--- openssh-5.9p0/HOWTO.ssh-keycat.keycat 2011-08-31 11:51:49.886087176 +0200
|
||||
+++ openssh-5.9p0/HOWTO.ssh-keycat 2011-08-31 11:51:49.890087179 +0200
|
||||
diff -up openssh-6.1p1/auth2-pubkey.c.keycat openssh-6.1p1/auth2-pubkey.c
|
||||
--- openssh-6.1p1/auth2-pubkey.c.keycat 2012-11-01 13:37:59.000000000 +0100
|
||||
+++ openssh-6.1p1/auth2-pubkey.c 2012-11-01 14:03:47.402279914 +0100
|
||||
@@ -564,6 +564,14 @@ user_key_command_allowed2(struct passwd
|
||||
}
|
||||
closefrom(STDERR_FILENO + 1);
|
||||
|
||||
+#ifdef WITH_SELINUX
|
||||
+ if (ssh_selinux_setup_env_variables() < 0) {
|
||||
+ error ("failed to copy environment: %s",
|
||||
+ strerror(errno));
|
||||
+ _exit(127);
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
execl(options.authorized_keys_command,
|
||||
options.authorized_keys_command, pw->pw_name, NULL);
|
||||
|
||||
diff -up openssh-6.1p1/HOWTO.ssh-keycat.keycat openssh-6.1p1/HOWTO.ssh-keycat
|
||||
--- openssh-6.1p1/HOWTO.ssh-keycat.keycat 2012-11-01 13:37:59.417280097 +0100
|
||||
+++ openssh-6.1p1/HOWTO.ssh-keycat 2012-11-01 13:37:59.417280097 +0100
|
||||
@@ -0,0 +1,12 @@
|
||||
+The ssh-keycat retrieves the content of the ~/.ssh/authorized_keys
|
||||
+of an user in any environment. This includes environments with
|
||||
@ -14,9 +32,9 @@ diff -up openssh-5.9p0/HOWTO.ssh-keycat.keycat openssh-5.9p0/HOWTO.ssh-keycat
|
||||
+ PubkeyAuthentication yes
|
||||
+
|
||||
+
|
||||
diff -up openssh-5.9p0/Makefile.in.keycat openssh-5.9p0/Makefile.in
|
||||
--- openssh-5.9p0/Makefile.in.keycat 2011-08-31 11:51:48.367122382 +0200
|
||||
+++ openssh-5.9p0/Makefile.in 2011-08-31 12:03:46.433088864 +0200
|
||||
diff -up openssh-6.1p1/Makefile.in.keycat openssh-6.1p1/Makefile.in
|
||||
--- openssh-6.1p1/Makefile.in.keycat 2012-11-01 13:37:59.413280097 +0100
|
||||
+++ openssh-6.1p1/Makefile.in 2012-11-01 13:37:59.418280097 +0100
|
||||
@@ -27,6 +27,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server
|
||||
SSH_KEYSIGN=$(libexecdir)/ssh-keysign
|
||||
SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
|
||||
@ -34,7 +52,7 @@ diff -up openssh-5.9p0/Makefile.in.keycat openssh-5.9p0/Makefile.in
|
||||
|
||||
LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \
|
||||
canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \
|
||||
@@ -167,6 +168,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT)
|
||||
@@ -168,6 +169,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT)
|
||||
ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o
|
||||
$(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
|
||||
|
||||
@ -44,7 +62,7 @@ diff -up openssh-5.9p0/Makefile.in.keycat openssh-5.9p0/Makefile.in
|
||||
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
|
||||
$(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
||||
|
||||
@@ -266,6 +270,7 @@ install-files:
|
||||
@@ -267,6 +271,7 @@ install-files:
|
||||
$(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \
|
||||
$(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
|
||||
fi
|
||||
@ -52,28 +70,10 @@ diff -up openssh-5.9p0/Makefile.in.keycat openssh-5.9p0/Makefile.in
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
|
||||
$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
|
||||
diff -up openssh-5.9p0/auth2-pubkey.c.keycat openssh-5.9p0/auth2-pubkey.c
|
||||
--- openssh-5.9p0/auth2-pubkey.c.keycat 2011-08-31 11:51:47.066149816 +0200
|
||||
+++ openssh-5.9p0/auth2-pubkey.c 2011-08-31 11:51:50.143087097 +0200
|
||||
@@ -579,6 +579,14 @@ user_key_via_command_allowed2(struct pas
|
||||
close(i);
|
||||
}
|
||||
|
||||
+#ifdef WITH_SELINUX
|
||||
+ if (ssh_selinux_setup_env_variables() < 0) {
|
||||
+ error ("failed to copy environment: %s",
|
||||
+ strerror(errno));
|
||||
+ _exit(127);
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
execl(options.authorized_keys_command, options.authorized_keys_command, pw->pw_name, NULL);
|
||||
|
||||
/* if we got here, it didn't work */
|
||||
diff -up openssh-5.9p0/openbsd-compat/port-linux.c.keycat openssh-5.9p0/openbsd-compat/port-linux.c
|
||||
--- openssh-5.9p0/openbsd-compat/port-linux.c.keycat 2011-08-31 11:51:46.275119773 +0200
|
||||
+++ openssh-5.9p0/openbsd-compat/port-linux.c 2011-08-31 11:51:50.240087963 +0200
|
||||
@@ -313,7 +313,7 @@ ssh_selinux_getctxbyname(char *pwname,
|
||||
diff -up openssh-6.1p1/openbsd-compat/port-linux.c.keycat openssh-6.1p1/openbsd-compat/port-linux.c
|
||||
--- openssh-6.1p1/openbsd-compat/port-linux.c.keycat 2012-11-01 13:37:59.367280097 +0100
|
||||
+++ openssh-6.1p1/openbsd-compat/port-linux.c 2012-11-01 13:37:59.419280097 +0100
|
||||
@@ -315,7 +315,7 @@ ssh_selinux_getctxbyname(char *pwname,
|
||||
|
||||
/* Setup environment variables for pam_selinux */
|
||||
static int
|
||||
@ -82,7 +82,7 @@ diff -up openssh-5.9p0/openbsd-compat/port-linux.c.keycat openssh-5.9p0/openbsd-
|
||||
{
|
||||
const char *reqlvl;
|
||||
char *role;
|
||||
@@ -324,16 +324,16 @@ ssh_selinux_setup_pam_variables(void)
|
||||
@@ -326,16 +326,16 @@ ssh_selinux_setup_pam_variables(void)
|
||||
|
||||
ssh_selinux_get_role_level(&role, &reqlvl);
|
||||
|
||||
@ -102,7 +102,7 @@ diff -up openssh-5.9p0/openbsd-compat/port-linux.c.keycat openssh-5.9p0/openbsd-
|
||||
|
||||
if (role != NULL)
|
||||
xfree(role);
|
||||
@@ -341,6 +341,24 @@ ssh_selinux_setup_pam_variables(void)
|
||||
@@ -343,6 +343,24 @@ ssh_selinux_setup_pam_variables(void)
|
||||
return rv;
|
||||
}
|
||||
|
||||
@ -127,9 +127,9 @@ diff -up openssh-5.9p0/openbsd-compat/port-linux.c.keycat openssh-5.9p0/openbsd-
|
||||
/* Set the execution context to the default for the specified user */
|
||||
void
|
||||
ssh_selinux_setup_exec_context(char *pwname)
|
||||
diff -up openssh-5.9p0/ssh-keycat.c.keycat openssh-5.9p0/ssh-keycat.c
|
||||
--- openssh-5.9p0/ssh-keycat.c.keycat 2011-08-31 11:51:50.354136025 +0200
|
||||
+++ openssh-5.9p0/ssh-keycat.c 2011-08-31 11:51:50.359087309 +0200
|
||||
diff -up openssh-6.1p1/ssh-keycat.c.keycat openssh-6.1p1/ssh-keycat.c
|
||||
--- openssh-6.1p1/ssh-keycat.c.keycat 2012-11-01 13:37:59.420280097 +0100
|
||||
+++ openssh-6.1p1/ssh-keycat.c 2012-11-01 13:37:59.420280097 +0100
|
||||
@@ -0,0 +1,238 @@
|
||||
+/*
|
||||
+ * Redistribution and use in source and binary forms, with or without
|
||||
|
@ -1,8 +1,8 @@
|
||||
diff -up openssh-6.0p1/configure.ac.ldap openssh-6.0p1/configure.ac
|
||||
--- openssh-6.0p1/configure.ac.ldap 2012-08-06 20:41:38.392454225 +0200
|
||||
+++ openssh-6.0p1/configure.ac 2012-08-06 20:41:38.398454202 +0200
|
||||
@@ -1523,6 +1523,106 @@ AC_ARG_WITH(authorized-keys-command,
|
||||
]
|
||||
diff -up openssh-6.1p1/configure.ac.ldap openssh-6.1p1/configure.ac
|
||||
--- openssh-6.1p1/configure.ac.ldap 2012-07-06 03:49:29.000000000 +0200
|
||||
+++ openssh-6.1p1/configure.ac 2012-11-01 13:35:14.830280116 +0100
|
||||
@@ -1512,6 +1512,106 @@ AC_ARG_WITH([audit],
|
||||
esac ]
|
||||
)
|
||||
|
||||
+# Check whether user wants LDAP support
|
||||
@ -108,9 +108,9 @@ diff -up openssh-6.0p1/configure.ac.ldap openssh-6.0p1/configure.ac
|
||||
dnl Checks for library functions. Please keep in alphabetical order
|
||||
AC_CHECK_FUNCS([ \
|
||||
arc4random \
|
||||
diff -up openssh-6.0p1/HOWTO.ldap-keys.ldap openssh-6.0p1/HOWTO.ldap-keys
|
||||
--- openssh-6.0p1/HOWTO.ldap-keys.ldap 2012-08-06 20:41:38.399454198 +0200
|
||||
+++ openssh-6.0p1/HOWTO.ldap-keys 2012-08-06 20:41:38.399454198 +0200
|
||||
diff -up openssh-6.1p1/HOWTO.ldap-keys.ldap openssh-6.1p1/HOWTO.ldap-keys
|
||||
--- openssh-6.1p1/HOWTO.ldap-keys.ldap 2012-11-01 12:57:17.915280385 +0100
|
||||
+++ openssh-6.1p1/HOWTO.ldap-keys 2012-11-01 12:57:17.915280385 +0100
|
||||
@@ -0,0 +1,108 @@
|
||||
+
|
||||
+HOW TO START
|
||||
@ -220,9 +220,9 @@ diff -up openssh-6.0p1/HOWTO.ldap-keys.ldap openssh-6.0p1/HOWTO.ldap-keys
|
||||
+5) Author
|
||||
+ Jan F. Chadima <jchadima@redhat.com>
|
||||
+
|
||||
diff -up openssh-6.0p1/ldapbody.c.ldap openssh-6.0p1/ldapbody.c
|
||||
--- openssh-6.0p1/ldapbody.c.ldap 2012-08-06 20:41:38.399454198 +0200
|
||||
+++ openssh-6.0p1/ldapbody.c 2012-08-06 20:41:38.399454198 +0200
|
||||
diff -up openssh-6.1p1/ldapbody.c.ldap openssh-6.1p1/ldapbody.c
|
||||
--- openssh-6.1p1/ldapbody.c.ldap 2012-11-01 12:57:17.916280385 +0100
|
||||
+++ openssh-6.1p1/ldapbody.c 2012-11-01 12:57:17.916280385 +0100
|
||||
@@ -0,0 +1,494 @@
|
||||
+/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
||||
+/*
|
||||
@ -718,9 +718,9 @@ diff -up openssh-6.0p1/ldapbody.c.ldap openssh-6.0p1/ldapbody.c
|
||||
+ return;
|
||||
+}
|
||||
+
|
||||
diff -up openssh-6.0p1/ldapbody.h.ldap openssh-6.0p1/ldapbody.h
|
||||
--- openssh-6.0p1/ldapbody.h.ldap 2012-08-06 20:41:38.399454198 +0200
|
||||
+++ openssh-6.0p1/ldapbody.h 2012-08-06 20:41:38.400454194 +0200
|
||||
diff -up openssh-6.1p1/ldapbody.h.ldap openssh-6.1p1/ldapbody.h
|
||||
--- openssh-6.1p1/ldapbody.h.ldap 2012-11-01 12:57:17.916280385 +0100
|
||||
+++ openssh-6.1p1/ldapbody.h 2012-11-01 12:57:17.916280385 +0100
|
||||
@@ -0,0 +1,37 @@
|
||||
+/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
||||
+/*
|
||||
@ -759,9 +759,9 @@ diff -up openssh-6.0p1/ldapbody.h.ldap openssh-6.0p1/ldapbody.h
|
||||
+
|
||||
+#endif /* LDAPBODY_H */
|
||||
+
|
||||
diff -up openssh-6.0p1/ldapconf.c.ldap openssh-6.0p1/ldapconf.c
|
||||
--- openssh-6.0p1/ldapconf.c.ldap 2012-08-06 20:41:38.400454194 +0200
|
||||
+++ openssh-6.0p1/ldapconf.c 2012-08-06 20:41:38.400454194 +0200
|
||||
diff -up openssh-6.1p1/ldapconf.c.ldap openssh-6.1p1/ldapconf.c
|
||||
--- openssh-6.1p1/ldapconf.c.ldap 2012-11-01 12:57:17.917280385 +0100
|
||||
+++ openssh-6.1p1/ldapconf.c 2012-11-01 12:57:17.917280385 +0100
|
||||
@@ -0,0 +1,682 @@
|
||||
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
||||
+/*
|
||||
@ -1445,9 +1445,9 @@ diff -up openssh-6.0p1/ldapconf.c.ldap openssh-6.0p1/ldapconf.c
|
||||
+ dump_cfg_string(lSSH_Filter, options.ssh_filter);
|
||||
+}
|
||||
+
|
||||
diff -up openssh-6.0p1/ldapconf.h.ldap openssh-6.0p1/ldapconf.h
|
||||
--- openssh-6.0p1/ldapconf.h.ldap 2012-08-06 20:41:38.400454194 +0200
|
||||
+++ openssh-6.0p1/ldapconf.h 2012-08-06 20:41:38.400454194 +0200
|
||||
diff -up openssh-6.1p1/ldapconf.h.ldap openssh-6.1p1/ldapconf.h
|
||||
--- openssh-6.1p1/ldapconf.h.ldap 2012-11-01 12:57:17.918280385 +0100
|
||||
+++ openssh-6.1p1/ldapconf.h 2012-11-01 12:57:17.918280385 +0100
|
||||
@@ -0,0 +1,71 @@
|
||||
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
||||
+/*
|
||||
@ -1520,9 +1520,9 @@ diff -up openssh-6.0p1/ldapconf.h.ldap openssh-6.0p1/ldapconf.h
|
||||
+void dump_config(void);
|
||||
+
|
||||
+#endif /* LDAPCONF_H */
|
||||
diff -up openssh-6.0p1/ldap.conf.ldap openssh-6.0p1/ldap.conf
|
||||
--- openssh-6.0p1/ldap.conf.ldap 2012-08-06 20:41:38.401454190 +0200
|
||||
+++ openssh-6.0p1/ldap.conf 2012-08-06 20:41:38.401454190 +0200
|
||||
diff -up openssh-6.1p1/ldap.conf.ldap openssh-6.1p1/ldap.conf
|
||||
--- openssh-6.1p1/ldap.conf.ldap 2012-11-01 12:57:17.918280385 +0100
|
||||
+++ openssh-6.1p1/ldap.conf 2012-11-01 12:57:17.918280385 +0100
|
||||
@@ -0,0 +1,88 @@
|
||||
+# $Id: openssh-5.5p1-ldap.patch,v 1.3 2010/07/07 13:48:36 jfch2222 Exp $
|
||||
+#
|
||||
@ -1612,9 +1612,9 @@ diff -up openssh-6.0p1/ldap.conf.ldap openssh-6.0p1/ldap.conf
|
||||
+#tls_cert
|
||||
+#tls_key
|
||||
+
|
||||
diff -up openssh-6.0p1/ldap-helper.c.ldap openssh-6.0p1/ldap-helper.c
|
||||
--- openssh-6.0p1/ldap-helper.c.ldap 2012-08-06 20:41:38.401454190 +0200
|
||||
+++ openssh-6.0p1/ldap-helper.c 2012-08-06 20:41:38.401454190 +0200
|
||||
diff -up openssh-6.1p1/ldap-helper.c.ldap openssh-6.1p1/ldap-helper.c
|
||||
--- openssh-6.1p1/ldap-helper.c.ldap 2012-11-01 12:57:17.919280385 +0100
|
||||
+++ openssh-6.1p1/ldap-helper.c 2012-11-01 12:57:17.919280385 +0100
|
||||
@@ -0,0 +1,155 @@
|
||||
+/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
||||
+/*
|
||||
@ -1771,9 +1771,9 @@ diff -up openssh-6.0p1/ldap-helper.c.ldap openssh-6.0p1/ldap-helper.c
|
||||
+void *buffer_get_string(Buffer *b, u_int *l) { return NULL; }
|
||||
+void buffer_put_string(Buffer *b, const void *f, u_int l) {}
|
||||
+
|
||||
diff -up openssh-6.0p1/ldap-helper.h.ldap openssh-6.0p1/ldap-helper.h
|
||||
--- openssh-6.0p1/ldap-helper.h.ldap 2012-08-06 20:41:38.401454190 +0200
|
||||
+++ openssh-6.0p1/ldap-helper.h 2012-08-06 20:41:38.401454190 +0200
|
||||
diff -up openssh-6.1p1/ldap-helper.h.ldap openssh-6.1p1/ldap-helper.h
|
||||
--- openssh-6.1p1/ldap-helper.h.ldap 2012-11-01 12:57:17.919280385 +0100
|
||||
+++ openssh-6.1p1/ldap-helper.h 2012-11-01 12:57:17.919280385 +0100
|
||||
@@ -0,0 +1,32 @@
|
||||
+/* $OpenBSD: ldap-helper.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
||||
+/*
|
||||
@ -1807,9 +1807,9 @@ diff -up openssh-6.0p1/ldap-helper.h.ldap openssh-6.0p1/ldap-helper.h
|
||||
+extern int config_warning_config_file;
|
||||
+
|
||||
+#endif /* LDAP_HELPER_H */
|
||||
diff -up openssh-6.0p1/ldapincludes.h.ldap openssh-6.0p1/ldapincludes.h
|
||||
--- openssh-6.0p1/ldapincludes.h.ldap 2012-08-06 20:41:38.402454186 +0200
|
||||
+++ openssh-6.0p1/ldapincludes.h 2012-08-06 20:41:38.402454186 +0200
|
||||
diff -up openssh-6.1p1/ldapincludes.h.ldap openssh-6.1p1/ldapincludes.h
|
||||
--- openssh-6.1p1/ldapincludes.h.ldap 2012-11-01 12:57:17.920280385 +0100
|
||||
+++ openssh-6.1p1/ldapincludes.h 2012-11-01 12:57:17.920280385 +0100
|
||||
@@ -0,0 +1,41 @@
|
||||
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
||||
+/*
|
||||
@ -1852,9 +1852,9 @@ diff -up openssh-6.0p1/ldapincludes.h.ldap openssh-6.0p1/ldapincludes.h
|
||||
+#endif
|
||||
+
|
||||
+#endif /* LDAPINCLUDES_H */
|
||||
diff -up openssh-6.0p1/ldapmisc.c.ldap openssh-6.0p1/ldapmisc.c
|
||||
--- openssh-6.0p1/ldapmisc.c.ldap 2012-08-06 20:41:38.402454186 +0200
|
||||
+++ openssh-6.0p1/ldapmisc.c 2012-08-06 20:41:38.402454186 +0200
|
||||
diff -up openssh-6.1p1/ldapmisc.c.ldap openssh-6.1p1/ldapmisc.c
|
||||
--- openssh-6.1p1/ldapmisc.c.ldap 2012-11-01 12:57:17.920280385 +0100
|
||||
+++ openssh-6.1p1/ldapmisc.c 2012-11-01 12:57:17.920280385 +0100
|
||||
@@ -0,0 +1,79 @@
|
||||
+
|
||||
+#include "ldapincludes.h"
|
||||
@ -1935,9 +1935,9 @@ diff -up openssh-6.0p1/ldapmisc.c.ldap openssh-6.0p1/ldapmisc.c
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
diff -up openssh-6.0p1/ldapmisc.h.ldap openssh-6.0p1/ldapmisc.h
|
||||
--- openssh-6.0p1/ldapmisc.h.ldap 2012-08-06 20:41:38.402454186 +0200
|
||||
+++ openssh-6.0p1/ldapmisc.h 2012-08-06 20:41:38.402454186 +0200
|
||||
diff -up openssh-6.1p1/ldapmisc.h.ldap openssh-6.1p1/ldapmisc.h
|
||||
--- openssh-6.1p1/ldapmisc.h.ldap 2012-11-01 12:57:17.921280385 +0100
|
||||
+++ openssh-6.1p1/ldapmisc.h 2012-11-01 12:57:17.921280385 +0100
|
||||
@@ -0,0 +1,35 @@
|
||||
+/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
||||
+/*
|
||||
@ -1974,9 +1974,9 @@ diff -up openssh-6.0p1/ldapmisc.h.ldap openssh-6.0p1/ldapmisc.h
|
||||
+
|
||||
+#endif /* LDAPMISC_H */
|
||||
+
|
||||
diff -up openssh-6.0p1/Makefile.in.ldap openssh-6.0p1/Makefile.in
|
||||
--- openssh-6.0p1/Makefile.in.ldap 2012-08-06 20:41:38.336454444 +0200
|
||||
+++ openssh-6.0p1/Makefile.in 2012-08-06 20:41:38.403454183 +0200
|
||||
diff -up openssh-6.1p1/Makefile.in.ldap openssh-6.1p1/Makefile.in
|
||||
--- openssh-6.1p1/Makefile.in.ldap 2012-11-01 12:57:17.750280385 +0100
|
||||
+++ openssh-6.1p1/Makefile.in 2012-11-01 12:57:17.922280385 +0100
|
||||
@@ -25,6 +25,8 @@ SSH_PROGRAM=@bindir@/ssh
|
||||
ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
|
||||
SFTP_SERVER=$(libexecdir)/sftp-server
|
||||
@ -2071,9 +2071,9 @@ diff -up openssh-6.0p1/Makefile.in.ldap openssh-6.0p1/Makefile.in
|
||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
|
||||
|
||||
tests interop-tests: $(TARGETS)
|
||||
diff -up openssh-6.0p1/openssh-lpk-openldap.schema.ldap openssh-6.0p1/openssh-lpk-openldap.schema
|
||||
--- openssh-6.0p1/openssh-lpk-openldap.schema.ldap 2012-08-06 20:41:38.404454179 +0200
|
||||
+++ openssh-6.0p1/openssh-lpk-openldap.schema 2012-08-06 20:41:38.404454179 +0200
|
||||
diff -up openssh-6.1p1/openssh-lpk-openldap.schema.ldap openssh-6.1p1/openssh-lpk-openldap.schema
|
||||
--- openssh-6.1p1/openssh-lpk-openldap.schema.ldap 2012-11-01 12:57:17.922280385 +0100
|
||||
+++ openssh-6.1p1/openssh-lpk-openldap.schema 2012-11-01 12:57:17.922280385 +0100
|
||||
@@ -0,0 +1,21 @@
|
||||
+#
|
||||
+# LDAP Public Key Patch schema for use with openssh-ldappubkey
|
||||
@ -2096,9 +2096,9 @@ diff -up openssh-6.0p1/openssh-lpk-openldap.schema.ldap openssh-6.0p1/openssh-lp
|
||||
+ DESC 'MANDATORY: OpenSSH LPK objectclass'
|
||||
+ MUST ( sshPublicKey $ uid )
|
||||
+ )
|
||||
diff -up openssh-6.0p1/openssh-lpk-sun.schema.ldap openssh-6.0p1/openssh-lpk-sun.schema
|
||||
--- openssh-6.0p1/openssh-lpk-sun.schema.ldap 2012-08-06 20:41:38.404454179 +0200
|
||||
+++ openssh-6.0p1/openssh-lpk-sun.schema 2012-08-06 20:41:38.404454179 +0200
|
||||
diff -up openssh-6.1p1/openssh-lpk-sun.schema.ldap openssh-6.1p1/openssh-lpk-sun.schema
|
||||
--- openssh-6.1p1/openssh-lpk-sun.schema.ldap 2012-11-01 12:57:17.922280385 +0100
|
||||
+++ openssh-6.1p1/openssh-lpk-sun.schema 2012-11-01 12:57:17.922280385 +0100
|
||||
@@ -0,0 +1,23 @@
|
||||
+#
|
||||
+# LDAP Public Key Patch schema for use with openssh-ldappubkey
|
||||
@ -2123,9 +2123,9 @@ diff -up openssh-6.0p1/openssh-lpk-sun.schema.ldap openssh-6.0p1/openssh-lpk-sun
|
||||
+ DESC 'MANDATORY: OpenSSH LPK objectclass'
|
||||
+ MUST ( sshPublicKey $ uid )
|
||||
+ )
|
||||
diff -up openssh-6.0p1/ssh-ldap.conf.5.ldap openssh-6.0p1/ssh-ldap.conf.5
|
||||
--- openssh-6.0p1/ssh-ldap.conf.5.ldap 2012-08-06 20:41:38.405454175 +0200
|
||||
+++ openssh-6.0p1/ssh-ldap.conf.5 2012-08-06 20:41:38.405454175 +0200
|
||||
diff -up openssh-6.1p1/ssh-ldap.conf.5.ldap openssh-6.1p1/ssh-ldap.conf.5
|
||||
--- openssh-6.1p1/ssh-ldap.conf.5.ldap 2012-11-01 12:57:17.923280385 +0100
|
||||
+++ openssh-6.1p1/ssh-ldap.conf.5 2012-11-01 12:57:17.923280385 +0100
|
||||
@@ -0,0 +1,376 @@
|
||||
+.\" $OpenBSD: ssh-ldap.conf.5,v 1.1 2010/02/10 23:20:38 markus Exp $
|
||||
+.\"
|
||||
@ -2503,9 +2503,9 @@ diff -up openssh-6.0p1/ssh-ldap.conf.5.ldap openssh-6.0p1/ssh-ldap.conf.5
|
||||
+OpenSSH 5.5 + PKA-LDAP .
|
||||
+.Sh AUTHORS
|
||||
+.An Jan F. Chadima Aq jchadima@redhat.com
|
||||
diff -up openssh-6.0p1/ssh-ldap-helper.8.ldap openssh-6.0p1/ssh-ldap-helper.8
|
||||
--- openssh-6.0p1/ssh-ldap-helper.8.ldap 2012-08-06 20:41:38.405454175 +0200
|
||||
+++ openssh-6.0p1/ssh-ldap-helper.8 2012-08-06 20:41:38.405454175 +0200
|
||||
diff -up openssh-6.1p1/ssh-ldap-helper.8.ldap openssh-6.1p1/ssh-ldap-helper.8
|
||||
--- openssh-6.1p1/ssh-ldap-helper.8.ldap 2012-11-01 12:57:17.924280385 +0100
|
||||
+++ openssh-6.1p1/ssh-ldap-helper.8 2012-11-01 12:57:17.924280385 +0100
|
||||
@@ -0,0 +1,79 @@
|
||||
+.\" $OpenBSD: ssh-ldap-helper.8,v 1.1 2010/02/10 23:20:38 markus Exp $
|
||||
+.\"
|
||||
@ -2586,9 +2586,9 @@ diff -up openssh-6.0p1/ssh-ldap-helper.8.ldap openssh-6.0p1/ssh-ldap-helper.8
|
||||
+OpenSSH 5.5 + PKA-LDAP .
|
||||
+.Sh AUTHORS
|
||||
+.An Jan F. Chadima Aq jchadima@redhat.com
|
||||
diff -up openssh-6.0p1/ssh-ldap-wrapper.ldap openssh-6.0p1/ssh-ldap-wrapper
|
||||
--- openssh-6.0p1/ssh-ldap-wrapper.ldap 2012-08-06 20:41:38.405454175 +0200
|
||||
+++ openssh-6.0p1/ssh-ldap-wrapper 2012-08-06 20:41:38.405454175 +0200
|
||||
diff -up openssh-6.1p1/ssh-ldap-wrapper.ldap openssh-6.1p1/ssh-ldap-wrapper
|
||||
--- openssh-6.1p1/ssh-ldap-wrapper.ldap 2012-11-01 12:57:17.924280385 +0100
|
||||
+++ openssh-6.1p1/ssh-ldap-wrapper 2012-11-01 12:57:17.924280385 +0100
|
||||
@@ -0,0 +1,4 @@
|
||||
+#!/bin/sh
|
||||
+
|
||||
|
@ -1,20 +1,148 @@
|
||||
diff -up openssh-6.1p1/auth.c.akc openssh-6.1p1/auth.c
|
||||
--- openssh-6.1p1/auth.c.akc 2012-11-02 14:00:49.181077248 +0100
|
||||
+++ openssh-6.1p1/auth.c 2012-11-02 14:00:49.253077860 +0100
|
||||
@@ -413,39 +413,41 @@ check_key_in_hostfiles(struct passwd *pw
|
||||
|
||||
|
||||
/*
|
||||
- * Check a given file for security. This is defined as all components
|
||||
+ * Check a given path for security. This is defined as all components
|
||||
* of the path to the file must be owned by either the owner of
|
||||
* of the file or root and no directories must be group or world writable.
|
||||
*
|
||||
* XXX Should any specific check be done for sym links ?
|
||||
*
|
||||
- * Takes an open file descriptor, the file name, a uid and and
|
||||
+ * Takes an the file name, its stat information (preferably from fstat() to
|
||||
+ * avoid races), the uid of the expected owner, their home directory and an
|
||||
* error buffer plus max size as arguments.
|
||||
*
|
||||
* Returns 0 on success and -1 on failure
|
||||
*/
|
||||
-static int
|
||||
-secure_filename(FILE *f, const char *file, struct passwd *pw,
|
||||
- char *err, size_t errlen)
|
||||
+int
|
||||
+auth_secure_path(const char *name, struct stat *stp, const char *pw_dir,
|
||||
+ uid_t uid, char *err, size_t errlen)
|
||||
{
|
||||
- uid_t uid = pw->pw_uid;
|
||||
char buf[MAXPATHLEN], homedir[MAXPATHLEN];
|
||||
char *cp;
|
||||
int comparehome = 0;
|
||||
struct stat st;
|
||||
|
||||
- if (realpath(file, buf) == NULL) {
|
||||
- snprintf(err, errlen, "realpath %s failed: %s", file,
|
||||
+ if (realpath(name, buf) == NULL) {
|
||||
+ snprintf(err, errlen, "realpath %s failed: %s", name,
|
||||
strerror(errno));
|
||||
return -1;
|
||||
}
|
||||
- if (realpath(pw->pw_dir, homedir) != NULL)
|
||||
+ if (pw_dir != NULL && realpath(pw_dir, homedir) != NULL)
|
||||
comparehome = 1;
|
||||
|
||||
- /* check the open file to avoid races */
|
||||
- if (fstat(fileno(f), &st) < 0 ||
|
||||
- (st.st_uid != 0 && st.st_uid != uid) ||
|
||||
- (st.st_mode & 022) != 0) {
|
||||
+ if (!S_ISREG(stp->st_mode)) {
|
||||
+ snprintf(err, errlen, "%s is not a regular file", buf);
|
||||
+ return -1;
|
||||
+ }
|
||||
+ if ((stp->st_uid != 0 && stp->st_uid != uid) ||
|
||||
+ (stp->st_mode & 022) != 0) {
|
||||
snprintf(err, errlen, "bad ownership or modes for file %s",
|
||||
buf);
|
||||
return -1;
|
||||
@@ -481,6 +483,31 @@ secure_filename(FILE *f, const char *fil
|
||||
return 0;
|
||||
}
|
||||
|
||||
+/*
|
||||
+ * Version of secure_path() that accepts an open file descriptor to
|
||||
+ * avoid races.
|
||||
+ *
|
||||
+ * Returns 0 on success and -1 on failure
|
||||
+ */
|
||||
+static int
|
||||
+secure_filename(FILE *f, const char *file, struct passwd *pw,
|
||||
+ char *err, size_t errlen)
|
||||
+{
|
||||
+ uid_t uid = pw->pw_uid;
|
||||
+ char buf[MAXPATHLEN], homedir[MAXPATHLEN];
|
||||
+ char *cp;
|
||||
+ int comparehome = 0;
|
||||
+ struct stat st;
|
||||
+
|
||||
+ /* check the open file to avoid races */
|
||||
+ if (fstat(fileno(f), &st) < 0) {
|
||||
+ snprintf(err, errlen, "cannot stat file %s: %s",
|
||||
+ buf, strerror(errno));
|
||||
+ return -1;
|
||||
+ }
|
||||
+ return auth_secure_path(file, &st, pw->pw_dir, pw->pw_uid, err, errlen);
|
||||
+}
|
||||
+
|
||||
static FILE *
|
||||
auth_openfile(const char *file, struct passwd *pw, int strict_modes,
|
||||
int log_missing, char *file_type)
|
||||
diff -up openssh-6.1p1/auth.h.akc openssh-6.1p1/auth.h
|
||||
--- openssh-6.1p1/auth.h.akc 2012-11-02 14:00:49.239077742 +0100
|
||||
+++ openssh-6.1p1/auth.h 2012-11-02 14:00:49.253077860 +0100
|
||||
@@ -123,6 +123,10 @@ int auth_rhosts_rsa_key_allowed(struct
|
||||
int hostbased_key_allowed(struct passwd *, const char *, char *, Key *);
|
||||
int user_key_allowed(struct passwd *, Key *);
|
||||
|
||||
+struct stat;
|
||||
+int auth_secure_path(const char *, struct stat *, const char *, uid_t,
|
||||
+ char *, size_t);
|
||||
+
|
||||
#ifdef KRB5
|
||||
int auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client, krb5_data *);
|
||||
int auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt);
|
||||
diff -up openssh-6.1p1/auth2-pubkey.c.akc openssh-6.1p1/auth2-pubkey.c
|
||||
--- openssh-6.1p1/auth2-pubkey.c.akc 2012-09-14 20:20:48.459445650 +0200
|
||||
+++ openssh-6.1p1/auth2-pubkey.c 2012-09-14 20:20:48.520446072 +0200
|
||||
@@ -27,6 +27,7 @@
|
||||
--- openssh-6.1p1/auth2-pubkey.c.akc 2012-11-02 14:00:49.241077758 +0100
|
||||
+++ openssh-6.1p1/auth2-pubkey.c 2012-11-02 14:00:49.252077852 +0100
|
||||
@@ -27,9 +27,13 @@
|
||||
|
||||
#include <sys/types.h>
|
||||
#include <sys/stat.h>
|
||||
+#include <sys/wait.h>
|
||||
|
||||
+#include <errno.h>
|
||||
#include <fcntl.h>
|
||||
+#include <paths.h>
|
||||
#include <pwd.h>
|
||||
@@ -277,27 +278,15 @@ match_principals_file(char *file, struct
|
||||
+#include <signal.h>
|
||||
#include <stdio.h>
|
||||
#include <stdarg.h>
|
||||
#include <string.h>
|
||||
@@ -260,7 +264,7 @@ match_principals_file(char *file, struct
|
||||
if (strcmp(cp, cert->principals[i]) == 0) {
|
||||
debug3("matched principal \"%.100s\" "
|
||||
"from file \"%s\" on line %lu",
|
||||
- cert->principals[i], file, linenum);
|
||||
+ cert->principals[i], file, linenum);
|
||||
if (auth_parse_options(pw, line_opts,
|
||||
file, linenum) != 1)
|
||||
continue;
|
||||
@@ -273,31 +277,22 @@ match_principals_file(char *file, struct
|
||||
fclose(f);
|
||||
restore_uid();
|
||||
return 0;
|
||||
-}
|
||||
+}
|
||||
|
||||
/* return 1 if user allows given key */
|
||||
-/* return 1 if user allows given key */
|
||||
+/*
|
||||
+ * Checks whether key is allowed in authorized_keys-format file,
|
||||
+ * returns 1 if the key is allowed or 0 otherwise.
|
||||
+ */
|
||||
static int
|
||||
-user_key_allowed2(struct passwd *pw, Key *key, char *file)
|
||||
+user_search_key_in_file(FILE *f, char *file, Key* key, struct passwd *pw)
|
||||
+check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
|
||||
{
|
||||
char line[SSH_MAX_PUBKEY_BYTES];
|
||||
const char *reason;
|
||||
@ -38,7 +166,7 @@ diff -up openssh-6.1p1/auth2-pubkey.c.akc openssh-6.1p1/auth2-pubkey.c
|
||||
found_key = 0;
|
||||
found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);
|
||||
|
||||
@@ -390,8 +379,6 @@ user_key_allowed2(struct passwd *pw, Key
|
||||
@@ -390,8 +385,6 @@ user_key_allowed2(struct passwd *pw, Key
|
||||
break;
|
||||
}
|
||||
}
|
||||
@ -47,12 +175,15 @@ diff -up openssh-6.1p1/auth2-pubkey.c.akc openssh-6.1p1/auth2-pubkey.c
|
||||
key_free(found);
|
||||
if (!found_key)
|
||||
debug2("key not found");
|
||||
@@ -453,13 +440,191 @@ user_cert_trusted_ca(struct passwd *pw,
|
||||
@@ -453,7 +446,173 @@ user_cert_trusted_ca(struct passwd *pw,
|
||||
return ret;
|
||||
}
|
||||
|
||||
-/* check whether given key is in .ssh/authorized_keys* */
|
||||
+/* return 1 if user allows given key */
|
||||
+/*
|
||||
+ * Checks whether key is allowed in file.
|
||||
+ * returns 1 if the key is allowed or 0 otherwise.
|
||||
+ */
|
||||
+static int
|
||||
+user_key_allowed2(struct passwd *pw, Key *key, char *file)
|
||||
+{
|
||||
@ -63,10 +194,8 @@ diff -up openssh-6.1p1/auth2-pubkey.c.akc openssh-6.1p1/auth2-pubkey.c
|
||||
+ temporarily_use_uid(pw);
|
||||
+
|
||||
+ debug("trying public key file %s", file);
|
||||
+ f = auth_openkeyfile(file, pw, options.strict_modes);
|
||||
+
|
||||
+ if (f) {
|
||||
+ found_key = user_search_key_in_file (f, file, key, pw);
|
||||
+ if ((f = auth_openkeyfile(file, pw, options.strict_modes)) != NULL) {
|
||||
+ found_key = check_authkeys_file(f, file, key, pw);
|
||||
+ fclose(f);
|
||||
+ }
|
||||
+
|
||||
@ -74,211 +203,173 @@ diff -up openssh-6.1p1/auth2-pubkey.c.akc openssh-6.1p1/auth2-pubkey.c
|
||||
+ return found_key;
|
||||
+}
|
||||
+
|
||||
+#ifdef WITH_AUTHORIZED_KEYS_COMMAND
|
||||
+
|
||||
+#define WHITESPACE " \t\r\n"
|
||||
+
|
||||
+/* return 1 if user allows given key */
|
||||
+static int
|
||||
+user_key_via_command_allowed2(struct passwd *pw, Key *key)
|
||||
+{
|
||||
+ FILE *f;
|
||||
+ int found_key = 0;
|
||||
+ char *progname = NULL;
|
||||
+ char *cp;
|
||||
+ struct passwd *runas_pw;
|
||||
+ struct stat st;
|
||||
+ int childdescriptors[2], i;
|
||||
+ pid_t pstat, pid, child;
|
||||
+
|
||||
+ if (options.authorized_keys_command == NULL || options.authorized_keys_command[0] != '/')
|
||||
+ return 0;
|
||||
+
|
||||
+ /* get the run as identity from config */
|
||||
+ runas_pw = (options.authorized_keys_command_runas == NULL)? pw
|
||||
+ : getpwnam (options.authorized_keys_command_runas);
|
||||
+ if (!runas_pw) {
|
||||
+ error("%s: getpwnam(\"%s\"): %s", __func__,
|
||||
+ options.authorized_keys_command_runas, strerror(errno));
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
+ /* Temporarily use the specified uid. */
|
||||
+ if (runas_pw->pw_uid != 0)
|
||||
+ temporarily_use_uid(runas_pw);
|
||||
+
|
||||
+ progname = xstrdup(options.authorized_keys_command);
|
||||
+
|
||||
+ debug3("%s: checking program '%s'", __func__, progname);
|
||||
+
|
||||
+ if (stat (progname, &st) < 0) {
|
||||
+ error("%s: stat(\"%s\"): %s", __func__,
|
||||
+ progname, strerror(errno));
|
||||
+ goto go_away;
|
||||
+ }
|
||||
+
|
||||
+ if (st.st_uid != 0 || (st.st_mode & 022) != 0) {
|
||||
+ error("bad ownership or modes for AuthorizedKeysCommand \"%s\"",
|
||||
+ progname);
|
||||
+ goto go_away;
|
||||
+ }
|
||||
+
|
||||
+ if (!S_ISREG(st.st_mode)) {
|
||||
+ error("AuthorizedKeysCommand \"%s\" is not a regular file",
|
||||
+ progname);
|
||||
+ goto go_away;
|
||||
+ }
|
||||
+
|
||||
+/*
|
||||
+ * Descend the path, checking that each component is a
|
||||
+ * root-owned directory with strict permissions.
|
||||
+ * Checks whether key is allowed in output of command.
|
||||
+ * returns 1 if the key is allowed or 0 otherwise.
|
||||
+ */
|
||||
+ do {
|
||||
+ if ((cp = strrchr(progname, '/')) == NULL)
|
||||
+ break;
|
||||
+ else
|
||||
+ *cp = '\0';
|
||||
+static int
|
||||
+user_key_command_allowed2(struct passwd *user_pw, Key *key)
|
||||
+{
|
||||
+ FILE *f;
|
||||
+ int ok, found_key = 0;
|
||||
+ struct passwd *pw;
|
||||
+ struct stat st;
|
||||
+ int status, devnull, p[2], i;
|
||||
+ pid_t pid;
|
||||
+ char errmsg[512];
|
||||
+
|
||||
+ debug3("%s: checking component '%s'", __func__, (*progname == '\0' ? "/" : progname));
|
||||
+ if (options.authorized_keys_command == NULL ||
|
||||
+ options.authorized_keys_command[0] != '/')
|
||||
+ return 0;
|
||||
+
|
||||
+ if (stat((*progname == '\0' ? "/" : progname), &st) != 0) {
|
||||
+ error("%s: stat(\"%s\"): %s", __func__,
|
||||
+ progname, strerror(errno));
|
||||
+ goto go_away;
|
||||
+ /* If no user specified to run commands the default to target user */
|
||||
+ if (options.authorized_keys_command_user == NULL)
|
||||
+ pw = user_pw;
|
||||
+ else {
|
||||
+ pw = getpwnam(options.authorized_keys_command_user);
|
||||
+ if (pw == NULL) {
|
||||
+ error("AuthorizedKeyCommandUser \"%s\" not found: %s",
|
||||
+ options.authorized_keys_command, strerror(errno));
|
||||
+ return 0;
|
||||
+ }
|
||||
+ if (st.st_uid != 0 || (st.st_mode & 022) != 0) {
|
||||
+ error("bad ownership or modes for AuthorizedKeysCommand path component \"%s\"",
|
||||
+ progname);
|
||||
+ goto go_away;
|
||||
+ }
|
||||
+ if (!S_ISDIR(st.st_mode)) {
|
||||
+ error("AuthorizedKeysCommand path component \"%s\" is not a directory",
|
||||
+ progname);
|
||||
+ goto go_away;
|
||||
+
|
||||
+ temporarily_use_uid(pw);
|
||||
+ if (stat(options.authorized_keys_command, &st) < 0) {
|
||||
+ error("Could not stat AuthorizedKeysCommand \"%s\": %s",
|
||||
+ options.authorized_keys_command, strerror(errno));
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
+ if (auth_secure_path(options.authorized_keys_command, &st, NULL, 0,
|
||||
+ errmsg, sizeof(errmsg)) != 0) {
|
||||
+ error("Unsafe AuthorizedKeysCommand: %s", errmsg);
|
||||
+ goto out;
|
||||
+ }
|
||||
+ } while (1);
|
||||
+
|
||||
+ /* open the pipe and read the keys */
|
||||
+ if (pipe(childdescriptors)) {
|
||||
+ error("failed to pipe(2) for AuthorizedKeysCommand: %s",
|
||||
+ strerror(errno));
|
||||
+ goto go_away;
|
||||
+ if (pipe(p) != 0) {
|
||||
+ error("%s: pipe: %s", __func__, strerror(errno));
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
+ child = fork();
|
||||
+ if (child == -1) {
|
||||
+ error("failed to fork(2) for AuthorizedKeysCommand: %s",
|
||||
+ strerror(errno));
|
||||
+ goto go_away;
|
||||
+ } else if (child == 0) {
|
||||
+ /* we're in the child process here -- we should never return from this block. */
|
||||
+ /* permanently drop privs in child process */
|
||||
+ if (runas_pw->pw_uid != 0) {
|
||||
+ debug3("Running AuthorizedKeysCommand: \"%s\" as \"%s\"",
|
||||
+ options.authorized_keys_command, pw->pw_name);
|
||||
+
|
||||
+ /*
|
||||
+ * Don't want to call this in the child, where it can fatal() and
|
||||
+ * run cleanup_exit() code.
|
||||
+ */
|
||||
+ restore_uid();
|
||||
+ permanently_set_uid(runas_pw);
|
||||
+ }
|
||||
+
|
||||
+ close(childdescriptors[0]);
|
||||
+ /* put the write end of the pipe on stdout (FD 1) */
|
||||
+ if (dup2(childdescriptors[1], 1) == -1) {
|
||||
+ error("failed to dup2(2) from AuthorizedKeysCommand: %s",
|
||||
+ switch ((pid = fork())) {
|
||||
+ case -1: /* error */
|
||||
+ error("%s: fork: %s", __func__, strerror(errno));
|
||||
+ close(p[0]);
|
||||
+ close(p[1]);
|
||||
+ return 0;
|
||||
+ case 0: /* child */
|
||||
+ for (i = 0; i < NSIG; i++)
|
||||
+ signal(i, SIG_DFL);
|
||||
+
|
||||
+ /* Don't use permanently_set_uid() here to avoid fatal() */
|
||||
+ if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) != 0) {
|
||||
+ error("setresgid %u: %s", (u_int)pw->pw_gid,
|
||||
+ strerror(errno));
|
||||
+ _exit(127);
|
||||
+ _exit(1);
|
||||
+ }
|
||||
+ if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) != 0) {
|
||||
+ error("setresuid %u: %s", (u_int)pw->pw_uid,
|
||||
+ strerror(errno));
|
||||
+ _exit(1);
|
||||
+ }
|
||||
+
|
||||
+ debug3("about to execl() AuthorizedKeysCommand: \"%s\" \"%s\"", options.authorized_keys_command, pw->pw_name);
|
||||
+ /* see session.c:child_close_fds() */
|
||||
+ for (i = 3; i < 64; ++i) {
|
||||
+ close(i);
|
||||
+ close(p[0]);
|
||||
+ if ((devnull = open(_PATH_DEVNULL, O_RDWR)) == -1) {
|
||||
+ error("%s: open %s: %s", __func__, _PATH_DEVNULL,
|
||||
+ strerror(errno));
|
||||
+ _exit(1);
|
||||
+ }
|
||||
+
|
||||
+ execl(options.authorized_keys_command, options.authorized_keys_command, pw->pw_name, NULL);
|
||||
+
|
||||
+ /* if we got here, it didn't work */
|
||||
+ error("failed to execl AuthorizedKeysCommand: %s", strerror(errno)); /* this won't work because we closed the fds above */
|
||||
+ _exit(127);
|
||||
+ if (dup2(devnull, STDIN_FILENO) == -1 ||
|
||||
+ dup2(p[1], STDOUT_FILENO) == -1 ||
|
||||
+ dup2(devnull, STDERR_FILENO) == -1) {
|
||||
+ error("%s: dup2: %s", __func__, strerror(errno));
|
||||
+ _exit(1);
|
||||
+ }
|
||||
+ closefrom(STDERR_FILENO + 1);
|
||||
+
|
||||
+ close(childdescriptors[1]);
|
||||
+ f = fdopen(childdescriptors[0], "r");
|
||||
+ if (!f) {
|
||||
+ error("%s: could not buffer FDs from AuthorizedKeysCommand (\"%s\", \"r\"): %s", __func__,
|
||||
+ execl(options.authorized_keys_command,
|
||||
+ options.authorized_keys_command, pw->pw_name, NULL);
|
||||
+
|
||||
+ error("AuthorizedKeysCommand %s exec failed: %s",
|
||||
+ options.authorized_keys_command, strerror(errno));
|
||||
+ goto go_away;
|
||||
+ _exit(127);
|
||||
+ default: /* parent */
|
||||
+ break;
|
||||
+ }
|
||||
+
|
||||
+ found_key = user_search_key_in_file (f, options.authorized_keys_command, key, pw);
|
||||
+ temporarily_use_uid(pw);
|
||||
+
|
||||
+ close(p[1]);
|
||||
+ if ((f = fdopen(p[0], "r")) == NULL) {
|
||||
+ error("%s: fdopen: %s", __func__, strerror(errno));
|
||||
+ close(p[0]);
|
||||
+ /* Don't leave zombie child */
|
||||
+ while (waitpid(pid, NULL, 0) == -1 && errno == EINTR)
|
||||
+ ;
|
||||
+ goto out;
|
||||
+ }
|
||||
+ ok = check_authkeys_file(f, options.authorized_keys_command, key, pw);
|
||||
+ fclose(f);
|
||||
+ do {
|
||||
+ pid = waitpid(child, &pstat, 0);
|
||||
+ } while (pid == -1 && errno == EINTR);
|
||||
+
|
||||
+ /* what about the return value from the child process? */
|
||||
+go_away:
|
||||
+ if (progname)
|
||||
+ xfree (progname);
|
||||
+
|
||||
+ if (runas_pw->pw_uid != 0)
|
||||
+ while (waitpid(pid, &status, 0) == -1) {
|
||||
+ if (errno != EINTR) {
|
||||
+ error("%s: waitpid: %s", __func__, strerror(errno));
|
||||
+ goto out;
|
||||
+ }
|
||||
+ }
|
||||
+ if (WIFSIGNALED(status)) {
|
||||
+ error("AuthorizedKeysCommand %s exited on signal %d",
|
||||
+ options.authorized_keys_command, WTERMSIG(status));
|
||||
+ goto out;
|
||||
+ } else if (WEXITSTATUS(status) != 0) {
|
||||
+ error("AuthorizedKeysCommand %s returned status %d",
|
||||
+ options.authorized_keys_command, WEXITSTATUS(status));
|
||||
+ goto out;
|
||||
+ }
|
||||
+ found_key = ok;
|
||||
+ out:
|
||||
+ restore_uid();
|
||||
+
|
||||
+ return found_key;
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
+/* check whether given key is in <AuthorizedKeysCommand or .ssh/authorized_keys* */
|
||||
+/*
|
||||
+ * Check whether key authenticates and authorises the user.
|
||||
+ */
|
||||
int
|
||||
user_key_allowed(struct passwd *pw, Key *key)
|
||||
{
|
||||
u_int success, i;
|
||||
char *file;
|
||||
@@ -469,6 +628,10 @@ user_key_allowed(struct passwd *pw, Key
|
||||
if (success)
|
||||
return success;
|
||||
|
||||
+#ifdef WITH_AUTHORIZED_KEYS_COMMAND
|
||||
+ success = user_key_via_command_allowed2(pw, key);
|
||||
+ success = user_key_command_allowed2(pw, key);
|
||||
+ if (success > 0)
|
||||
+ return success;
|
||||
+#endif
|
||||
+
|
||||
if (auth_key_is_revoked(key))
|
||||
return 0;
|
||||
if (key_is_cert(key) && auth_key_is_revoked(key->cert->signature_key))
|
||||
diff -up openssh-6.1p1/configure.ac.akc openssh-6.1p1/configure.ac
|
||||
--- openssh-6.1p1/configure.ac.akc 2012-07-06 03:49:29.000000000 +0200
|
||||
+++ openssh-6.1p1/configure.ac 2012-09-14 20:20:48.525446106 +0200
|
||||
@@ -1512,6 +1512,18 @@ AC_ARG_WITH([audit],
|
||||
esac ]
|
||||
)
|
||||
|
||||
+# Check whether user wants AuthorizedKeysCommand support
|
||||
+AKC_MSG="no"
|
||||
+AC_ARG_WITH(authorized-keys-command,
|
||||
+ [ --with-authorized-keys-command Enable AuthorizedKeysCommand support],
|
||||
+ [
|
||||
+ if test "x$withval" != "xno" ; then
|
||||
+ AC_DEFINE([WITH_AUTHORIZED_KEYS_COMMAND], 1, [Enable AuthorizedKeysCommand support])
|
||||
+ AKC_MSG="yes"
|
||||
+ fi
|
||||
+ ]
|
||||
+)
|
||||
+
|
||||
dnl Checks for library functions. Please keep in alphabetical order
|
||||
AC_CHECK_FUNCS([ \
|
||||
arc4random \
|
||||
@@ -4407,6 +4419,7 @@ echo " SELinux support
|
||||
echo " Smartcard support: $SCARD_MSG"
|
||||
echo " S/KEY support: $SKEY_MSG"
|
||||
echo " TCP Wrappers support: $TCPW_MSG"
|
||||
+echo " AuthorizedKeysCommand support: $AKC_MSG"
|
||||
echo " MD5 password support: $MD5_MSG"
|
||||
echo " libedit support: $LIBEDIT_MSG"
|
||||
echo " Solaris process contract support: $SPC_MSG"
|
||||
for (i = 0; !success && i < options.num_authkeys_files; i++) {
|
||||
file = expand_authorized_keys(
|
||||
options.authorized_keys_files[i], pw);
|
||||
diff -up openssh-6.1p1/servconf.c.akc openssh-6.1p1/servconf.c
|
||||
--- openssh-6.1p1/servconf.c.akc 2012-09-14 20:20:48.138443423 +0200
|
||||
+++ openssh-6.1p1/servconf.c 2012-09-14 20:27:34.546107295 +0200
|
||||
--- openssh-6.1p1/servconf.c.akc 2012-11-02 14:00:49.186077290 +0100
|
||||
+++ openssh-6.1p1/servconf.c 2012-11-02 14:26:32.086138017 +0100
|
||||
@@ -139,6 +139,8 @@ initialize_server_options(ServerOptions
|
||||
options->num_permitted_opens = -1;
|
||||
options->adm_forced_command = NULL;
|
||||
options->chroot_directory = NULL;
|
||||
+ options->authorized_keys_command = NULL;
|
||||
+ options->authorized_keys_command_runas = NULL;
|
||||
+ options->authorized_keys_command_user = NULL;
|
||||
options->zero_knowledge_password_authentication = -1;
|
||||
options->revoked_keys_file = NULL;
|
||||
options->trusted_user_ca_keys = NULL;
|
||||
@ -286,43 +377,40 @@ diff -up openssh-6.1p1/servconf.c.akc openssh-6.1p1/servconf.c
|
||||
sZeroKnowledgePasswordAuthentication, sHostCertificate,
|
||||
sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
|
||||
sKexAlgorithms, sIPQoS, sVersionAddendum,
|
||||
+ sAuthorizedKeysCommand, sAuthorizedKeysCommandRunAs,
|
||||
+ sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
|
||||
sDeprecated, sUnsupported
|
||||
} ServerOpCodes;
|
||||
|
||||
@@ -461,6 +464,14 @@ static struct {
|
||||
@@ -460,6 +463,9 @@ static struct {
|
||||
{ "requiredauthentications1", sRequiredAuthentications1, SSHCFG_ALL },
|
||||
{ "requiredauthentications2", sRequiredAuthentications2, SSHCFG_ALL },
|
||||
{ "ipqos", sIPQoS, SSHCFG_ALL },
|
||||
{ "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
|
||||
+#ifdef WITH_AUTHORIZED_KEYS_COMMAND
|
||||
+ { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
|
||||
+ { "authorizedkeyscommandrunas", sAuthorizedKeysCommandRunAs, SSHCFG_ALL },
|
||||
+#else
|
||||
+ { "authorizedkeyscommand", sUnsupported, SSHCFG_ALL },
|
||||
+ { "authorizedkeyscommandrunas", sUnsupported, SSHCFG_ALL },
|
||||
+#endif
|
||||
+
|
||||
+ { "authorizedkeyscommandrunas", sAuthorizedKeysCommandUser, SSHCFG_ALL },
|
||||
+ { "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
|
||||
{ "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
|
||||
{ NULL, sBadOption, 0 }
|
||||
};
|
||||
|
||||
@@ -1532,6 +1543,24 @@ process_server_config_line(ServerOptions
|
||||
@@ -1532,6 +1538,26 @@ process_server_config_line(ServerOptions
|
||||
}
|
||||
return 0;
|
||||
|
||||
+ case sAuthorizedKeysCommand:
|
||||
+ len = strspn(cp, WHITESPACE);
|
||||
+ if (*activep && options->authorized_keys_command == NULL)
|
||||
+ if (*activep && options->authorized_keys_command == NULL) {
|
||||
+ options->authorized_keys_command = xstrdup(cp + len);
|
||||
+ if (*options->authorized_keys_command != '/') {
|
||||
+ fatal("%.200s line %d: AuthorizedKeysCommand "
|
||||
+ "must be an absolute path",
|
||||
+ filename, linenum);
|
||||
+ }
|
||||
+ }
|
||||
+ return 0;
|
||||
+
|
||||
+ case sAuthorizedKeysCommandRunAs:
|
||||
+ charptr = &options->authorized_keys_command_runas;
|
||||
+ case sAuthorizedKeysCommandUser:
|
||||
+ charptr = &options->authorized_keys_command_user;
|
||||
+
|
||||
+ arg = strdelim(&cp);
|
||||
+ if (!arg || *arg == '\0')
|
||||
+ fatal("%s line %d: missing account.",
|
||||
+ filename, linenum);
|
||||
+
|
||||
+ if (*activep && *charptr == NULL)
|
||||
+ *charptr = xstrdup(arg);
|
||||
+ break;
|
||||
@ -330,52 +418,76 @@ diff -up openssh-6.1p1/servconf.c.akc openssh-6.1p1/servconf.c
|
||||
case sDeprecated:
|
||||
logit("%s line %d: Deprecated option %s",
|
||||
filename, linenum, arg);
|
||||
@@ -1682,6 +1711,8 @@ copy_set_server_options(ServerOptions *d
|
||||
@@ -1682,6 +1708,8 @@ copy_set_server_options(ServerOptions *d
|
||||
M_CP_INTOPT(hostbased_uses_name_from_packet_only);
|
||||
M_CP_INTOPT(kbd_interactive_authentication);
|
||||
M_CP_INTOPT(zero_knowledge_password_authentication);
|
||||
+ M_CP_STROPT(authorized_keys_command);
|
||||
+ M_CP_STROPT(authorized_keys_command_runas);
|
||||
+ M_CP_STROPT(authorized_keys_command_user);
|
||||
M_CP_INTOPT(permit_root_login);
|
||||
M_CP_INTOPT(permit_empty_passwd);
|
||||
|
||||
@@ -1942,6 +1973,8 @@ dump_config(ServerOptions *o)
|
||||
@@ -1942,6 +1970,8 @@ dump_config(ServerOptions *o)
|
||||
dump_cfg_string(sAuthorizedPrincipalsFile,
|
||||
o->authorized_principals_file);
|
||||
dump_cfg_string(sVersionAddendum, o->version_addendum);
|
||||
+ dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command);
|
||||
+ dump_cfg_string(sAuthorizedKeysCommandRunAs, o->authorized_keys_command_runas);
|
||||
+ dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user);
|
||||
|
||||
/* string arguments requiring a lookup */
|
||||
dump_cfg_string(sLogLevel, log_level_name(o->log_level));
|
||||
diff -up openssh-6.1p1/servconf.h.akc openssh-6.1p1/servconf.h
|
||||
--- openssh-6.1p1/servconf.h.akc 2012-09-14 20:20:48.000000000 +0200
|
||||
+++ openssh-6.1p1/servconf.h 2012-09-14 20:23:16.691844577 +0200
|
||||
--- openssh-6.1p1/servconf.h.akc 2012-11-02 14:00:49.186077290 +0100
|
||||
+++ openssh-6.1p1/servconf.h 2012-11-02 14:00:49.254077869 +0100
|
||||
@@ -169,6 +169,8 @@ typedef struct {
|
||||
char *revoked_keys_file;
|
||||
char *trusted_user_ca_keys;
|
||||
char *authorized_principals_file;
|
||||
+ char *authorized_keys_command;
|
||||
+ char *authorized_keys_command_runas;
|
||||
+ char *authorized_keys_command_user;
|
||||
|
||||
char *version_addendum; /* Appended to SSH banner */
|
||||
} ServerOptions;
|
||||
diff -up openssh-6.1p1/sshd.c.akc openssh-6.1p1/sshd.c
|
||||
--- openssh-6.1p1/sshd.c.akc 2012-11-02 14:00:49.249077826 +0100
|
||||
+++ openssh-6.1p1/sshd.c 2012-11-02 14:00:49.254077869 +0100
|
||||
@@ -366,9 +366,20 @@ main_sigchld_handler(int sig)
|
||||
static void
|
||||
grace_alarm_handler(int sig)
|
||||
{
|
||||
+ pid_t pgid;
|
||||
+
|
||||
if (use_privsep && pmonitor != NULL && pmonitor->m_pid > 0)
|
||||
kill(pmonitor->m_pid, SIGALRM);
|
||||
|
||||
+ /*
|
||||
+ * Try to kill any processes that we have spawned, E.g. authorized
|
||||
+ * keys command helpers.
|
||||
+ */
|
||||
+ if ((pgid = getpgid(0)) == getpid()) {
|
||||
+ signal(SIGTERM, SIG_IGN);
|
||||
+ killpg(pgid, SIGTERM);
|
||||
+ }
|
||||
+
|
||||
/* Log error and exit. */
|
||||
sigdie("Timeout before authentication for %s", get_remote_ipaddr());
|
||||
}
|
||||
diff -up openssh-6.1p1/sshd_config.akc openssh-6.1p1/sshd_config
|
||||
--- openssh-6.1p1/sshd_config.akc 2012-07-31 04:21:34.000000000 +0200
|
||||
+++ openssh-6.1p1/sshd_config 2012-09-14 20:30:46.950095769 +0200
|
||||
+++ openssh-6.1p1/sshd_config 2012-11-02 14:00:49.255077878 +0100
|
||||
@@ -49,6 +49,9 @@
|
||||
# but this is overridden so installations will only check .ssh/authorized_keys
|
||||
AuthorizedKeysFile .ssh/authorized_keys
|
||||
|
||||
+#AuthorizedKeysCommand none
|
||||
+#AuthorizedKeysCommandRunAs nobody
|
||||
+#AuthorizedKeysCommandUser nobody
|
||||
+
|
||||
#AuthorizedPrincipalsFile none
|
||||
|
||||
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
|
||||
diff -up openssh-6.1p1/sshd_config.0.akc openssh-6.1p1/sshd_config.0
|
||||
--- openssh-6.1p1/sshd_config.0.akc 2012-08-29 02:53:04.000000000 +0200
|
||||
+++ openssh-6.1p1/sshd_config.0 2012-09-14 20:32:23.539624859 +0200
|
||||
+++ openssh-6.1p1/sshd_config.0 2012-11-02 14:00:49.255077878 +0100
|
||||
@@ -71,6 +71,23 @@ DESCRIPTION
|
||||
|
||||
See PATTERNS in ssh_config(5) for more information on patterns.
|
||||
@ -411,38 +523,39 @@ diff -up openssh-6.1p1/sshd_config.0.akc openssh-6.1p1/sshd_config.0
|
||||
GatewayPorts, GSSAPIAuthentication, HostbasedAuthentication,
|
||||
HostbasedUsesNameFromPacketOnly, KbdInteractiveAuthentication,
|
||||
diff -up openssh-6.1p1/sshd_config.5.akc openssh-6.1p1/sshd_config.5
|
||||
--- openssh-6.1p1/sshd_config.5.akc 2012-09-14 20:20:48.142443448 +0200
|
||||
+++ openssh-6.1p1/sshd_config.5 2012-09-14 20:29:56.003873873 +0200
|
||||
@@ -151,6 +151,19 @@ See
|
||||
--- openssh-6.1p1/sshd_config.5.akc 2012-11-02 14:00:49.187077299 +0100
|
||||
+++ openssh-6.1p1/sshd_config.5 2012-11-02 14:00:49.255077878 +0100
|
||||
@@ -151,6 +151,20 @@ See
|
||||
in
|
||||
.Xr ssh_config 5
|
||||
for more information on patterns.
|
||||
+.It Cm AuthorizedKeysCommand
|
||||
+Specifies a program to be used for lookup of the user's
|
||||
+public keys. The program will be invoked with its first
|
||||
+argument the name of the user being authorized, and should produce
|
||||
+on standard output AuthorizedKeys lines (see AUTHORIZED_KEYS
|
||||
+in sshd(8)). By default (or when set to the empty string) there is no
|
||||
+AuthorizedKeysCommand run. If the AuthorizedKeysCommand does not successfully
|
||||
+authorize the user, authorization falls through to the
|
||||
+AuthorizedKeysFile. Note that this option has an effect
|
||||
+only with PubkeyAuthentication turned on.
|
||||
+.It Cm AuthorizedKeysCommandRunAs
|
||||
+Specifies the user under whose account the AuthorizedKeysCommand is run. Empty
|
||||
+string (the default value) means the user being authorized is used.
|
||||
+Specifies a program to be used for lookup of the user's public keys.
|
||||
+The program will be invoked with a single argument of the username
|
||||
+being authenticated, and should produce on standard output zero or
|
||||
+more lines of authorized_keys output (see AUTHORIZED_KEYS in
|
||||
+.Xr sshd 8 )
|
||||
+If a key supplied by AuthorizedKeysCommand does not successfully authenticate
|
||||
+and authorize the user then public key authentication continues using the usual
|
||||
+.Cm AuthorizedKeysFile
|
||||
+files.
|
||||
+By default, no AuthorizedKeysCommand is run.
|
||||
+.It Cm AuthorizedKeysCommandUser
|
||||
+Specifies the user under whose account the AuthorizedKeysCommand is run.
|
||||
+The default is the user being authenticated.
|
||||
.It Cm AuthorizedKeysFile
|
||||
Specifies the file that contains the public keys that can be used
|
||||
for user authentication.
|
||||
@@ -712,6 +725,8 @@ Available keywords are
|
||||
@@ -712,6 +726,8 @@ Available keywords are
|
||||
.Cm AllowTcpForwarding ,
|
||||
.Cm AllowUsers ,
|
||||
.Cm AuthorizedKeysFile ,
|
||||
+.Cm AuthorizedKeysCommand ,
|
||||
+.Cm AuthorizedKeysCommandRunAs ,
|
||||
+.Cm AuthorizedKeysCommandUser ,
|
||||
.Cm AuthorizedPrincipalsFile ,
|
||||
.Cm Banner ,
|
||||
.Cm ChrootDirectory ,
|
||||
@@ -726,6 +741,7 @@ Available keywords are
|
||||
@@ -726,6 +742,7 @@ Available keywords are
|
||||
.Cm KerberosAuthentication ,
|
||||
.Cm MaxAuthTries ,
|
||||
.Cm MaxSessions ,
|
||||
|
@ -507,7 +507,6 @@ fi
|
||||
--disable-strip \
|
||||
--without-zlib-version-check \
|
||||
--with-ssl-engine \
|
||||
--with-authorized-keys-command \
|
||||
--with-ipaddr-display \
|
||||
%if %{ldap}
|
||||
--with-ldap \
|
||||
|
Loading…
Reference in New Issue
Block a user