2017-09-26 12:04:45 +00:00
|
|
|
diff -up openssh/pam_ssh_agent_auth-0.10.3/identity.h.psaa-agent openssh/pam_ssh_agent_auth-0.10.3/identity.h
|
|
|
|
--- openssh/pam_ssh_agent_auth-0.10.3/identity.h.psaa-agent 2016-11-13 04:24:32.000000000 +0100
|
|
|
|
+++ openssh/pam_ssh_agent_auth-0.10.3/identity.h 2017-09-27 14:25:49.421739027 +0200
|
2016-01-22 16:22:39 +00:00
|
|
|
@@ -38,6 +38,12 @@
|
|
|
|
typedef struct identity Identity;
|
|
|
|
typedef struct idlist Idlist;
|
|
|
|
|
|
|
|
+typedef struct {
|
|
|
|
+ int fd;
|
|
|
|
+ Buffer identities;
|
|
|
|
+ int howmany;
|
|
|
|
+} AuthenticationConnection;
|
|
|
|
+
|
|
|
|
struct identity {
|
|
|
|
TAILQ_ENTRY(identity) next;
|
|
|
|
AuthenticationConnection *ac; /* set if agent supports key */
|
2017-09-26 12:04:45 +00:00
|
|
|
diff -up openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-agent openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c
|
|
|
|
--- openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-agent 2017-09-27 14:25:49.420739021 +0200
|
|
|
|
+++ openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c 2017-09-27 14:25:49.421739027 +0200
|
2016-01-22 16:22:39 +00:00
|
|
|
@@ -39,6 +39,7 @@
|
2015-05-27 13:08:37 +00:00
|
|
|
#include "buffer.h"
|
|
|
|
#include "key.h"
|
|
|
|
#include "authfd.h"
|
|
|
|
+#include "ssherr.h"
|
|
|
|
#include <stdio.h>
|
2016-01-22 16:22:39 +00:00
|
|
|
#include <openssl/evp.h>
|
|
|
|
#include "ssh2.h"
|
2017-09-26 12:04:45 +00:00
|
|
|
@@ -291,36 +292,43 @@ pamsshagentauth_find_authorized_keys(con
|
2015-05-27 13:08:37 +00:00
|
|
|
{
|
2016-01-22 16:22:39 +00:00
|
|
|
Buffer session_id2 = { 0 };
|
2015-05-27 13:08:37 +00:00
|
|
|
Identity *id;
|
|
|
|
- Key *key;
|
|
|
|
AuthenticationConnection *ac;
|
|
|
|
- char *comment;
|
|
|
|
uint8_t retval = 0;
|
2016-01-22 16:22:39 +00:00
|
|
|
uid_t uid = getpwnam(ruser)->pw_uid;
|
2015-06-02 11:28:54 +00:00
|
|
|
+ struct ssh_identitylist *idlist;
|
2017-03-03 14:51:39 +00:00
|
|
|
+ int r;
|
|
|
|
+ unsigned int i;
|
2015-05-27 13:08:37 +00:00
|
|
|
|
|
|
|
OpenSSL_add_all_digests();
|
2016-01-22 16:22:39 +00:00
|
|
|
pamsshagentauth_session_id2_gen(&session_id2, user, ruser, servicename);
|
2015-05-27 13:08:37 +00:00
|
|
|
|
|
|
|
if ((ac = ssh_get_authentication_connection_for_uid(uid))) {
|
2016-01-22 16:22:39 +00:00
|
|
|
verbose("Contacted ssh-agent of user %s (%u)", ruser, uid);
|
2015-05-27 13:08:37 +00:00
|
|
|
- for (key = ssh_get_first_identity(ac, &comment, 2); key != NULL; key = ssh_get_next_identity(ac, &comment, 2))
|
2017-09-26 12:04:45 +00:00
|
|
|
+ if ((r = ssh_fetch_identitylist(ac->fd, &idlist)) != 0) {
|
2015-05-27 13:08:37 +00:00
|
|
|
+ if (r != SSH_ERR_AGENT_NO_IDENTITIES)
|
|
|
|
+ fprintf(stderr, "error fetching identities for "
|
|
|
|
+ "protocol %d: %s\n", 2, ssh_err(r));
|
2015-08-11 15:57:59 +00:00
|
|
|
+ } else {
|
2015-05-27 13:08:37 +00:00
|
|
|
+ for (i = 0; i < idlist->nkeys; i++)
|
|
|
|
{
|
|
|
|
- if(key != NULL) {
|
|
|
|
+ if(idlist->keys[i] != NULL) {
|
|
|
|
id = xcalloc(1, sizeof(*id));
|
|
|
|
- id->key = key;
|
|
|
|
- id->filename = comment;
|
|
|
|
+ id->key = idlist->keys[i];
|
|
|
|
+ id->filename = idlist->comments[i];
|
|
|
|
id->ac = ac;
|
2016-01-22 16:22:39 +00:00
|
|
|
if(userauth_pubkey_from_id(ruser, id, &session_id2)) {
|
2015-05-27 13:08:37 +00:00
|
|
|
retval = 1;
|
2015-06-02 11:28:54 +00:00
|
|
|
}
|
|
|
|
- free(id->filename);
|
|
|
|
- key_free(id->key);
|
|
|
|
free(id);
|
|
|
|
if(retval == 1)
|
2015-05-27 13:08:37 +00:00
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
2016-01-22 16:22:39 +00:00
|
|
|
buffer_free(&session_id2);
|
2015-05-27 13:08:37 +00:00
|
|
|
- ssh_close_authentication_connection(ac);
|
2015-06-02 11:28:54 +00:00
|
|
|
+ ssh_free_identitylist(idlist);
|
|
|
|
+ ssh_close_authentication_socket(ac->fd);
|
|
|
|
+ free(ac);
|
2015-08-11 15:57:59 +00:00
|
|
|
+ }
|
2015-05-27 13:08:37 +00:00
|
|
|
}
|
|
|
|
else {
|
|
|
|
verbose("No ssh-agent could be contacted");
|
2017-09-26 12:04:45 +00:00
|
|
|
diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c.psaa-agent openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c
|
|
|
|
--- openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c.psaa-agent 2017-09-27 14:26:04.277820716 +0200
|
|
|
|
+++ openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c 2017-09-27 14:26:34.426986497 +0200
|
|
|
|
@@ -70,7 +70,7 @@ pamsshagentauth_check_authkeys_file(FILE
|
|
|
|
char *fp;
|
|
|
|
|
|
|
|
found_key = 0;
|
|
|
|
- found = key_new(key->type);
|
|
|
|
+ found = sshkey_new(key->type);
|
|
|
|
|
|
|
|
while(read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
|
|
|
|
char *cp = NULL; /* *key_options = NULL; */
|
|
|
|
@@ -80,7 +80,7 @@ pamsshagentauth_check_authkeys_file(FILE
|
|
|
|
if(!*cp || *cp == '\n' || *cp == '#')
|
|
|
|
continue;
|
|
|
|
|
|
|
|
- if(key_read(found, &cp) != 1) {
|
|
|
|
+ if(sshkey_read(found, &cp) != 0) {
|
|
|
|
/* no key? check if there are options for this key */
|
|
|
|
int quoted = 0;
|
|
|
|
|
|
|
|
@@ -94,24 +94,24 @@ pamsshagentauth_check_authkeys_file(FILE
|
|
|
|
}
|
|
|
|
/* Skip remaining whitespace. */
|
|
|
|
for(; *cp == ' ' || *cp == '\t'; cp++);
|
|
|
|
- if(key_read(found, &cp) != 1) {
|
|
|
|
+ if(sshkey_read(found, &cp) != 0) {
|
|
|
|
verbose("user_key_allowed: advance: '%s'", cp);
|
|
|
|
/* still no key? advance to next line */
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
- if(key_equal(found, key)) {
|
|
|
|
+ if(sshkey_equal(found, key)) {
|
|
|
|
found_key = 1;
|
|
|
|
logit("matching key found: file/command %s, line %lu", file,
|
|
|
|
linenum);
|
|
|
|
fp = sshkey_fingerprint(found, SSH_DIGEST_MD5, SSH_FP_HEX);
|
|
|
|
logit("Found matching %s key: %s",
|
|
|
|
- key_type(found), fp);
|
|
|
|
+ sshkey_type(found), fp);
|
|
|
|
free(fp);
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
- key_free(found);
|
|
|
|
+ sshkey_free(found);
|
|
|
|
if(!found_key)
|
|
|
|
verbose("key not found");
|
|
|
|
return found_key;
|
|
|
|
diff -up openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-agent openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c
|
|
|
|
--- openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-agent 2017-09-27 14:25:49.420739021 +0200
|
|
|
|
+++ openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c 2017-09-27 14:25:49.422739032 +0200
|
|
|
|
@@ -57,10 +57,11 @@ extern uint8_t session_id_len;
|
2015-06-02 11:28:54 +00:00
|
|
|
int
|
2016-01-22 16:22:39 +00:00
|
|
|
userauth_pubkey_from_id(const char *ruser, Identity * id, Buffer * session_id2)
|
2015-06-02 11:28:54 +00:00
|
|
|
{
|
|
|
|
- Buffer b = { 0 };
|
|
|
|
+ Buffer b;
|
|
|
|
char *pkalg = NULL;
|
|
|
|
u_char *pkblob = NULL, *sig = NULL;
|
|
|
|
- u_int blen = 0, slen = 0;
|
|
|
|
+ u_int blen = 0;
|
|
|
|
+ size_t slen = 0;
|
|
|
|
int authenticated = 0;
|
|
|
|
|
|
|
|
pkalg = (char *) key_ssh_name(id->key);
|
2017-09-26 12:04:45 +00:00
|
|
|
@@ -84,7 +85,7 @@ userauth_pubkey_from_id(const char *ruse
|
2015-05-27 13:08:37 +00:00
|
|
|
buffer_put_cstring(&b, pkalg);
|
|
|
|
buffer_put_string(&b, pkblob, blen);
|
|
|
|
|
|
|
|
- if(ssh_agent_sign(id->ac, id->key, &sig, &slen, buffer_ptr(&b), buffer_len(&b)) != 0)
|
2016-02-19 13:42:33 +00:00
|
|
|
+ if(ssh_agent_sign(id->ac->fd, id->key, &sig, &slen, buffer_ptr(&b), buffer_len(&b), NULL, 0) != 0)
|
|
|
|
goto user_auth_clean_exit;
|
|
|
|
|
|
|
|
/* test for correct signature */
|
2018-03-27 14:52:07 +00:00
|
|
|
diff -up openssh-7.7p1/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-sshkey openssh-7.7p1/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c
|
|
|
|
--- openssh-7.7p1/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-sshkey 2018-04-04 13:55:02.383899631 +0200
|
|
|
|
+++ openssh-7.7p1/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c 2018-04-04 13:58:36.759339845 +0200
|
|
|
|
@@ -89,7 +89,7 @@ userauth_pubkey_from_id(const char *ruse
|
|
|
|
goto user_auth_clean_exit;
|
|
|
|
|
|
|
|
/* test for correct signature */
|
|
|
|
- if(key_verify(id->key, sig, slen, buffer_ptr(&b), buffer_len(&b)) == 1)
|
|
|
|
+ if(sshkey_verify(id->key, sig, slen, buffer_ptr(&b), buffer_len(&b), NULL, 0) == 0)
|
|
|
|
authenticated = 1;
|
|
|
|
|
|
|
|
user_auth_clean_exit:
|