adapt openssh-6.1p1-akc.patch to the upstream version - https://bugzilla.mindrot.org/show_bug.cgi?id=1663

bach 2012-11-05 14:43:22 +01:00
parent 52c8eca4d9
commit f7f8b483b0
4 changed files with 429 additions and 317 deletions


@ -1,6 +1,24 @@
diff -up openssh-5.9p0/HOWTO.ssh-keycat.keycat openssh-5.9p0/HOWTO.ssh-keycat diff -up openssh-6.1p1/auth2-pubkey.c.keycat openssh-6.1p1/auth2-pubkey.c
--- openssh-5.9p0/HOWTO.ssh-keycat.keycat 2011-08-31 11:51:49.886087176 +0200 --- openssh-6.1p1/auth2-pubkey.c.keycat 2012-11-01 13:37:59.000000000 +0100
+++ openssh-5.9p0/HOWTO.ssh-keycat 2011-08-31 11:51:49.890087179 +0200 +++ openssh-6.1p1/auth2-pubkey.c 2012-11-01 14:03:47.402279914 +0100
@@ -564,6 +564,14 @@ user_key_command_allowed2(struct passwd
}
closefrom(STDERR_FILENO + 1);
+#ifdef WITH_SELINUX
+ if (ssh_selinux_setup_env_variables() < 0) {
+ error ("failed to copy environment: %s",
+ strerror(errno));
+ _exit(127);
+ }
+#endif
+
execl(options.authorized_keys_command,
options.authorized_keys_command, pw->pw_name, NULL);
diff -up openssh-6.1p1/HOWTO.ssh-keycat.keycat openssh-6.1p1/HOWTO.ssh-keycat
--- openssh-6.1p1/HOWTO.ssh-keycat.keycat 2012-11-01 13:37:59.417280097 +0100
+++ openssh-6.1p1/HOWTO.ssh-keycat 2012-11-01 13:37:59.417280097 +0100
@@ -0,0 +1,12 @@ @@ -0,0 +1,12 @@
+The ssh-keycat retrieves the content of the ~/.ssh/authorized_keys +The ssh-keycat retrieves the content of the ~/.ssh/authorized_keys
+of an user in any environment. This includes environments with +of an user in any environment. This includes environments with
@ -14,9 +32,9 @@ diff -up openssh-5.9p0/HOWTO.ssh-keycat.keycat openssh-5.9p0/HOWTO.ssh-keycat
+ PubkeyAuthentication yes + PubkeyAuthentication yes
+ +
+ +
diff -up openssh-5.9p0/Makefile.in.keycat openssh-5.9p0/Makefile.in diff -up openssh-6.1p1/Makefile.in.keycat openssh-6.1p1/Makefile.in
--- openssh-5.9p0/Makefile.in.keycat 2011-08-31 11:51:48.367122382 +0200 --- openssh-6.1p1/Makefile.in.keycat 2012-11-01 13:37:59.413280097 +0100
+++ openssh-5.9p0/Makefile.in 2011-08-31 12:03:46.433088864 +0200 +++ openssh-6.1p1/Makefile.in 2012-11-01 13:37:59.418280097 +0100
@@ -27,6 +27,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server @@ -27,6 +27,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server
SSH_KEYSIGN=$(libexecdir)/ssh-keysign SSH_KEYSIGN=$(libexecdir)/ssh-keysign
SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
@ -34,7 +52,7 @@ diff -up openssh-5.9p0/Makefile.in.keycat openssh-5.9p0/Makefile.in
LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \ LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \
canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \ canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \
@@ -167,6 +168,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) @@ -168,6 +169,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT)
ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o
$(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) $(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
@ -44,7 +62,7 @@ diff -up openssh-5.9p0/Makefile.in.keycat openssh-5.9p0/Makefile.in
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
$(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
@@ -266,6 +270,7 @@ install-files: @@ -267,6 +271,7 @@ install-files:
$(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \ $(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \
$(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \ $(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
fi fi
@ -52,28 +70,10 @@ diff -up openssh-5.9p0/Makefile.in.keycat openssh-5.9p0/Makefile.in
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
diff -up openssh-5.9p0/auth2-pubkey.c.keycat openssh-5.9p0/auth2-pubkey.c diff -up openssh-6.1p1/openbsd-compat/port-linux.c.keycat openssh-6.1p1/openbsd-compat/port-linux.c
--- openssh-5.9p0/auth2-pubkey.c.keycat 2011-08-31 11:51:47.066149816 +0200 --- openssh-6.1p1/openbsd-compat/port-linux.c.keycat 2012-11-01 13:37:59.367280097 +0100
+++ openssh-5.9p0/auth2-pubkey.c 2011-08-31 11:51:50.143087097 +0200 +++ openssh-6.1p1/openbsd-compat/port-linux.c 2012-11-01 13:37:59.419280097 +0100
@@ -579,6 +579,14 @@ user_key_via_command_allowed2(struct pas @@ -315,7 +315,7 @@ ssh_selinux_getctxbyname(char *pwname,
close(i);
}
+#ifdef WITH_SELINUX
+ if (ssh_selinux_setup_env_variables() < 0) {
+ error ("failed to copy environment: %s",
+ strerror(errno));
+ _exit(127);
+ }
+#endif
+
execl(options.authorized_keys_command, options.authorized_keys_command, pw->pw_name, NULL);
/* if we got here, it didn't work */
diff -up openssh-5.9p0/openbsd-compat/port-linux.c.keycat openssh-5.9p0/openbsd-compat/port-linux.c
--- openssh-5.9p0/openbsd-compat/port-linux.c.keycat 2011-08-31 11:51:46.275119773 +0200
+++ openssh-5.9p0/openbsd-compat/port-linux.c 2011-08-31 11:51:50.240087963 +0200
@@ -313,7 +313,7 @@ ssh_selinux_getctxbyname(char *pwname,
/* Setup environment variables for pam_selinux */ /* Setup environment variables for pam_selinux */
static int static int
@ -82,7 +82,7 @@ diff -up openssh-5.9p0/openbsd-compat/port-linux.c.keycat openssh-5.9p0/openbsd-
{ {
const char *reqlvl; const char *reqlvl;
char *role; char *role;
@@ -324,16 +324,16 @@ ssh_selinux_setup_pam_variables(void) @@ -326,16 +326,16 @@ ssh_selinux_setup_pam_variables(void)
ssh_selinux_get_role_level(&role, &reqlvl); ssh_selinux_get_role_level(&role, &reqlvl);
@ -102,7 +102,7 @@ diff -up openssh-5.9p0/openbsd-compat/port-linux.c.keycat openssh-5.9p0/openbsd-
if (role != NULL) if (role != NULL)
xfree(role); xfree(role);
@@ -341,6 +341,24 @@ ssh_selinux_setup_pam_variables(void) @@ -343,6 +343,24 @@ ssh_selinux_setup_pam_variables(void)
return rv; return rv;
} }
@ -127,9 +127,9 @@ diff -up openssh-5.9p0/openbsd-compat/port-linux.c.keycat openssh-5.9p0/openbsd-
/* Set the execution context to the default for the specified user */ /* Set the execution context to the default for the specified user */
void void
ssh_selinux_setup_exec_context(char *pwname) ssh_selinux_setup_exec_context(char *pwname)
diff -up openssh-5.9p0/ssh-keycat.c.keycat openssh-5.9p0/ssh-keycat.c diff -up openssh-6.1p1/ssh-keycat.c.keycat openssh-6.1p1/ssh-keycat.c
--- openssh-5.9p0/ssh-keycat.c.keycat 2011-08-31 11:51:50.354136025 +0200 --- openssh-6.1p1/ssh-keycat.c.keycat 2012-11-01 13:37:59.420280097 +0100
+++ openssh-5.9p0/ssh-keycat.c 2011-08-31 11:51:50.359087309 +0200 +++ openssh-6.1p1/ssh-keycat.c 2012-11-01 13:37:59.420280097 +0100
@@ -0,0 +1,238 @@ @@ -0,0 +1,238 @@
+/* +/*
+ * Redistribution and use in source and binary forms, with or without + * Redistribution and use in source and binary forms, with or without
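Review bot: The new auth2-pubkey.c hunk at `@@ -564,6 +564,14 @@ user_key_command_allowed2` calls `ssh_selinux_setup_env_variables()` in the forked child before `execl()`, but none of the `diff -up` headers in this patch touch a header such as openbsd-compat/port-linux.h, so the prototype presumably comes from another patch in the series or the call relies on an implicit declaration; worth confirming, since a missing prototype only warns and the `< 0` test would still compile. The function itself is likely the 18-line addition in the port-linux.c hunk at `@@ -343,6 +343,24 @@`, whose body is not shown on this page. The enclosing `user_key_command_allowed2()` starts and ends outside the hunk. The failure path ends in `_exit(127)`, so the parent observes a non-zero exit status rather than a partially written key list, which is the fail-closed outcome one wants here; a one-line comment above the `#ifdef`, such as `/* child: propagate SELinux context to the helper, fail closed on error */`, would make that intent explicit.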


@ -1,8 +1,8 @@
diff -up openssh-6.0p1/configure.ac.ldap openssh-6.0p1/configure.ac diff -up openssh-6.1p1/configure.ac.ldap openssh-6.1p1/configure.ac
--- openssh-6.0p1/configure.ac.ldap 2012-08-06 20:41:38.392454225 +0200 --- openssh-6.1p1/configure.ac.ldap 2012-07-06 03:49:29.000000000 +0200
+++ openssh-6.0p1/configure.ac 2012-08-06 20:41:38.398454202 +0200 +++ openssh-6.1p1/configure.ac 2012-11-01 13:35:14.830280116 +0100
@@ -1523,6 +1523,106 @@ AC_ARG_WITH(authorized-keys-command, @@ -1512,6 +1512,106 @@ AC_ARG_WITH([audit],
] esac ]
) )
+# Check whether user wants LDAP support +# Check whether user wants LDAP support
@ -108,9 +108,9 @@ diff -up openssh-6.0p1/configure.ac.ldap openssh-6.0p1/configure.ac
dnl Checks for library functions. Please keep in alphabetical order dnl Checks for library functions. Please keep in alphabetical order
AC_CHECK_FUNCS([ \ AC_CHECK_FUNCS([ \
arc4random \ arc4random \
diff -up openssh-6.0p1/HOWTO.ldap-keys.ldap openssh-6.0p1/HOWTO.ldap-keys diff -up openssh-6.1p1/HOWTO.ldap-keys.ldap openssh-6.1p1/HOWTO.ldap-keys
--- openssh-6.0p1/HOWTO.ldap-keys.ldap 2012-08-06 20:41:38.399454198 +0200 --- openssh-6.1p1/HOWTO.ldap-keys.ldap 2012-11-01 12:57:17.915280385 +0100
+++ openssh-6.0p1/HOWTO.ldap-keys 2012-08-06 20:41:38.399454198 +0200 +++ openssh-6.1p1/HOWTO.ldap-keys 2012-11-01 12:57:17.915280385 +0100
@@ -0,0 +1,108 @@ @@ -0,0 +1,108 @@
+ +
+HOW TO START +HOW TO START
@ -220,9 +220,9 @@ diff -up openssh-6.0p1/HOWTO.ldap-keys.ldap openssh-6.0p1/HOWTO.ldap-keys
+5) Author +5) Author
+ Jan F. Chadima <jchadima@redhat.com> + Jan F. Chadima <jchadima@redhat.com>
+ +
diff -up openssh-6.0p1/ldapbody.c.ldap openssh-6.0p1/ldapbody.c diff -up openssh-6.1p1/ldapbody.c.ldap openssh-6.1p1/ldapbody.c
--- openssh-6.0p1/ldapbody.c.ldap 2012-08-06 20:41:38.399454198 +0200 --- openssh-6.1p1/ldapbody.c.ldap 2012-11-01 12:57:17.916280385 +0100
+++ openssh-6.0p1/ldapbody.c 2012-08-06 20:41:38.399454198 +0200 +++ openssh-6.1p1/ldapbody.c 2012-11-01 12:57:17.916280385 +0100
@@ -0,0 +1,494 @@ @@ -0,0 +1,494 @@
+/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/* +/*
@ -718,9 +718,9 @@ diff -up openssh-6.0p1/ldapbody.c.ldap openssh-6.0p1/ldapbody.c
+ return; + return;
+} +}
+ +
diff -up openssh-6.0p1/ldapbody.h.ldap openssh-6.0p1/ldapbody.h diff -up openssh-6.1p1/ldapbody.h.ldap openssh-6.1p1/ldapbody.h
--- openssh-6.0p1/ldapbody.h.ldap 2012-08-06 20:41:38.399454198 +0200 --- openssh-6.1p1/ldapbody.h.ldap 2012-11-01 12:57:17.916280385 +0100
+++ openssh-6.0p1/ldapbody.h 2012-08-06 20:41:38.400454194 +0200 +++ openssh-6.1p1/ldapbody.h 2012-11-01 12:57:17.916280385 +0100
@@ -0,0 +1,37 @@ @@ -0,0 +1,37 @@
+/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/* +/*
@ -759,9 +759,9 @@ diff -up openssh-6.0p1/ldapbody.h.ldap openssh-6.0p1/ldapbody.h
+ +
+#endif /* LDAPBODY_H */ +#endif /* LDAPBODY_H */
+ +
diff -up openssh-6.0p1/ldapconf.c.ldap openssh-6.0p1/ldapconf.c diff -up openssh-6.1p1/ldapconf.c.ldap openssh-6.1p1/ldapconf.c
--- openssh-6.0p1/ldapconf.c.ldap 2012-08-06 20:41:38.400454194 +0200 --- openssh-6.1p1/ldapconf.c.ldap 2012-11-01 12:57:17.917280385 +0100
+++ openssh-6.0p1/ldapconf.c 2012-08-06 20:41:38.400454194 +0200 +++ openssh-6.1p1/ldapconf.c 2012-11-01 12:57:17.917280385 +0100
@@ -0,0 +1,682 @@ @@ -0,0 +1,682 @@
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/* +/*
@ -1445,9 +1445,9 @@ diff -up openssh-6.0p1/ldapconf.c.ldap openssh-6.0p1/ldapconf.c
+ dump_cfg_string(lSSH_Filter, options.ssh_filter); + dump_cfg_string(lSSH_Filter, options.ssh_filter);
+} +}
+ +
diff -up openssh-6.0p1/ldapconf.h.ldap openssh-6.0p1/ldapconf.h diff -up openssh-6.1p1/ldapconf.h.ldap openssh-6.1p1/ldapconf.h
--- openssh-6.0p1/ldapconf.h.ldap 2012-08-06 20:41:38.400454194 +0200 --- openssh-6.1p1/ldapconf.h.ldap 2012-11-01 12:57:17.918280385 +0100
+++ openssh-6.0p1/ldapconf.h 2012-08-06 20:41:38.400454194 +0200 +++ openssh-6.1p1/ldapconf.h 2012-11-01 12:57:17.918280385 +0100
@@ -0,0 +1,71 @@ @@ -0,0 +1,71 @@
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/* +/*
@ -1520,9 +1520,9 @@ diff -up openssh-6.0p1/ldapconf.h.ldap openssh-6.0p1/ldapconf.h
+void dump_config(void); +void dump_config(void);
+ +
+#endif /* LDAPCONF_H */ +#endif /* LDAPCONF_H */
diff -up openssh-6.0p1/ldap.conf.ldap openssh-6.0p1/ldap.conf diff -up openssh-6.1p1/ldap.conf.ldap openssh-6.1p1/ldap.conf
--- openssh-6.0p1/ldap.conf.ldap 2012-08-06 20:41:38.401454190 +0200 --- openssh-6.1p1/ldap.conf.ldap 2012-11-01 12:57:17.918280385 +0100
+++ openssh-6.0p1/ldap.conf 2012-08-06 20:41:38.401454190 +0200 +++ openssh-6.1p1/ldap.conf 2012-11-01 12:57:17.918280385 +0100
@@ -0,0 +1,88 @@ @@ -0,0 +1,88 @@
+# $Id: openssh-5.5p1-ldap.patch,v 1.3 2010/07/07 13:48:36 jfch2222 Exp $ +# $Id: openssh-5.5p1-ldap.patch,v 1.3 2010/07/07 13:48:36 jfch2222 Exp $
+# +#
@ -1612,9 +1612,9 @@ diff -up openssh-6.0p1/ldap.conf.ldap openssh-6.0p1/ldap.conf
+#tls_cert +#tls_cert
+#tls_key +#tls_key
+ +
diff -up openssh-6.0p1/ldap-helper.c.ldap openssh-6.0p1/ldap-helper.c diff -up openssh-6.1p1/ldap-helper.c.ldap openssh-6.1p1/ldap-helper.c
--- openssh-6.0p1/ldap-helper.c.ldap 2012-08-06 20:41:38.401454190 +0200 --- openssh-6.1p1/ldap-helper.c.ldap 2012-11-01 12:57:17.919280385 +0100
+++ openssh-6.0p1/ldap-helper.c 2012-08-06 20:41:38.401454190 +0200 +++ openssh-6.1p1/ldap-helper.c 2012-11-01 12:57:17.919280385 +0100
@@ -0,0 +1,155 @@ @@ -0,0 +1,155 @@
+/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/* +/*
@ -1771,9 +1771,9 @@ diff -up openssh-6.0p1/ldap-helper.c.ldap openssh-6.0p1/ldap-helper.c
+void *buffer_get_string(Buffer *b, u_int *l) { return NULL; } +void *buffer_get_string(Buffer *b, u_int *l) { return NULL; }
+void buffer_put_string(Buffer *b, const void *f, u_int l) {} +void buffer_put_string(Buffer *b, const void *f, u_int l) {}
+ +
diff -up openssh-6.0p1/ldap-helper.h.ldap openssh-6.0p1/ldap-helper.h diff -up openssh-6.1p1/ldap-helper.h.ldap openssh-6.1p1/ldap-helper.h
--- openssh-6.0p1/ldap-helper.h.ldap 2012-08-06 20:41:38.401454190 +0200 --- openssh-6.1p1/ldap-helper.h.ldap 2012-11-01 12:57:17.919280385 +0100
+++ openssh-6.0p1/ldap-helper.h 2012-08-06 20:41:38.401454190 +0200 +++ openssh-6.1p1/ldap-helper.h 2012-11-01 12:57:17.919280385 +0100
@@ -0,0 +1,32 @@ @@ -0,0 +1,32 @@
+/* $OpenBSD: ldap-helper.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* $OpenBSD: ldap-helper.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/* +/*
@ -1807,9 +1807,9 @@ diff -up openssh-6.0p1/ldap-helper.h.ldap openssh-6.0p1/ldap-helper.h
+extern int config_warning_config_file; +extern int config_warning_config_file;
+ +
+#endif /* LDAP_HELPER_H */ +#endif /* LDAP_HELPER_H */
diff -up openssh-6.0p1/ldapincludes.h.ldap openssh-6.0p1/ldapincludes.h diff -up openssh-6.1p1/ldapincludes.h.ldap openssh-6.1p1/ldapincludes.h
--- openssh-6.0p1/ldapincludes.h.ldap 2012-08-06 20:41:38.402454186 +0200 --- openssh-6.1p1/ldapincludes.h.ldap 2012-11-01 12:57:17.920280385 +0100
+++ openssh-6.0p1/ldapincludes.h 2012-08-06 20:41:38.402454186 +0200 +++ openssh-6.1p1/ldapincludes.h 2012-11-01 12:57:17.920280385 +0100
@@ -0,0 +1,41 @@ @@ -0,0 +1,41 @@
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/* +/*
@ -1852,9 +1852,9 @@ diff -up openssh-6.0p1/ldapincludes.h.ldap openssh-6.0p1/ldapincludes.h
+#endif +#endif
+ +
+#endif /* LDAPINCLUDES_H */ +#endif /* LDAPINCLUDES_H */
diff -up openssh-6.0p1/ldapmisc.c.ldap openssh-6.0p1/ldapmisc.c diff -up openssh-6.1p1/ldapmisc.c.ldap openssh-6.1p1/ldapmisc.c
--- openssh-6.0p1/ldapmisc.c.ldap 2012-08-06 20:41:38.402454186 +0200 --- openssh-6.1p1/ldapmisc.c.ldap 2012-11-01 12:57:17.920280385 +0100
+++ openssh-6.0p1/ldapmisc.c 2012-08-06 20:41:38.402454186 +0200 +++ openssh-6.1p1/ldapmisc.c 2012-11-01 12:57:17.920280385 +0100
@@ -0,0 +1,79 @@ @@ -0,0 +1,79 @@
+ +
+#include "ldapincludes.h" +#include "ldapincludes.h"
@ -1935,9 +1935,9 @@ diff -up openssh-6.0p1/ldapmisc.c.ldap openssh-6.0p1/ldapmisc.c
+} +}
+#endif +#endif
+ +
diff -up openssh-6.0p1/ldapmisc.h.ldap openssh-6.0p1/ldapmisc.h diff -up openssh-6.1p1/ldapmisc.h.ldap openssh-6.1p1/ldapmisc.h
--- openssh-6.0p1/ldapmisc.h.ldap 2012-08-06 20:41:38.402454186 +0200 --- openssh-6.1p1/ldapmisc.h.ldap 2012-11-01 12:57:17.921280385 +0100
+++ openssh-6.0p1/ldapmisc.h 2012-08-06 20:41:38.402454186 +0200 +++ openssh-6.1p1/ldapmisc.h 2012-11-01 12:57:17.921280385 +0100
@@ -0,0 +1,35 @@ @@ -0,0 +1,35 @@
+/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/* +/*
@ -1974,9 +1974,9 @@ diff -up openssh-6.0p1/ldapmisc.h.ldap openssh-6.0p1/ldapmisc.h
+ +
+#endif /* LDAPMISC_H */ +#endif /* LDAPMISC_H */
+ +
diff -up openssh-6.0p1/Makefile.in.ldap openssh-6.0p1/Makefile.in diff -up openssh-6.1p1/Makefile.in.ldap openssh-6.1p1/Makefile.in
--- openssh-6.0p1/Makefile.in.ldap 2012-08-06 20:41:38.336454444 +0200 --- openssh-6.1p1/Makefile.in.ldap 2012-11-01 12:57:17.750280385 +0100
+++ openssh-6.0p1/Makefile.in 2012-08-06 20:41:38.403454183 +0200 +++ openssh-6.1p1/Makefile.in 2012-11-01 12:57:17.922280385 +0100
@@ -25,6 +25,8 @@ SSH_PROGRAM=@bindir@/ssh @@ -25,6 +25,8 @@ SSH_PROGRAM=@bindir@/ssh
ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
SFTP_SERVER=$(libexecdir)/sftp-server SFTP_SERVER=$(libexecdir)/sftp-server
@ -2071,9 +2071,9 @@ diff -up openssh-6.0p1/Makefile.in.ldap openssh-6.0p1/Makefile.in
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
tests interop-tests: $(TARGETS) tests interop-tests: $(TARGETS)
diff -up openssh-6.0p1/openssh-lpk-openldap.schema.ldap openssh-6.0p1/openssh-lpk-openldap.schema diff -up openssh-6.1p1/openssh-lpk-openldap.schema.ldap openssh-6.1p1/openssh-lpk-openldap.schema
--- openssh-6.0p1/openssh-lpk-openldap.schema.ldap 2012-08-06 20:41:38.404454179 +0200 --- openssh-6.1p1/openssh-lpk-openldap.schema.ldap 2012-11-01 12:57:17.922280385 +0100
+++ openssh-6.0p1/openssh-lpk-openldap.schema 2012-08-06 20:41:38.404454179 +0200 +++ openssh-6.1p1/openssh-lpk-openldap.schema 2012-11-01 12:57:17.922280385 +0100
@@ -0,0 +1,21 @@ @@ -0,0 +1,21 @@
+# +#
+# LDAP Public Key Patch schema for use with openssh-ldappubkey +# LDAP Public Key Patch schema for use with openssh-ldappubkey
@ -2096,9 +2096,9 @@ diff -up openssh-6.0p1/openssh-lpk-openldap.schema.ldap openssh-6.0p1/openssh-lp
+ DESC 'MANDATORY: OpenSSH LPK objectclass' + DESC 'MANDATORY: OpenSSH LPK objectclass'
+ MUST ( sshPublicKey $ uid ) + MUST ( sshPublicKey $ uid )
+ ) + )
diff -up openssh-6.0p1/openssh-lpk-sun.schema.ldap openssh-6.0p1/openssh-lpk-sun.schema diff -up openssh-6.1p1/openssh-lpk-sun.schema.ldap openssh-6.1p1/openssh-lpk-sun.schema
--- openssh-6.0p1/openssh-lpk-sun.schema.ldap 2012-08-06 20:41:38.404454179 +0200 --- openssh-6.1p1/openssh-lpk-sun.schema.ldap 2012-11-01 12:57:17.922280385 +0100
+++ openssh-6.0p1/openssh-lpk-sun.schema 2012-08-06 20:41:38.404454179 +0200 +++ openssh-6.1p1/openssh-lpk-sun.schema 2012-11-01 12:57:17.922280385 +0100
@@ -0,0 +1,23 @@ @@ -0,0 +1,23 @@
+# +#
+# LDAP Public Key Patch schema for use with openssh-ldappubkey +# LDAP Public Key Patch schema for use with openssh-ldappubkey
@ -2123,9 +2123,9 @@ diff -up openssh-6.0p1/openssh-lpk-sun.schema.ldap openssh-6.0p1/openssh-lpk-sun
+ DESC 'MANDATORY: OpenSSH LPK objectclass' + DESC 'MANDATORY: OpenSSH LPK objectclass'
+ MUST ( sshPublicKey $ uid ) + MUST ( sshPublicKey $ uid )
+ ) + )
diff -up openssh-6.0p1/ssh-ldap.conf.5.ldap openssh-6.0p1/ssh-ldap.conf.5 diff -up openssh-6.1p1/ssh-ldap.conf.5.ldap openssh-6.1p1/ssh-ldap.conf.5
--- openssh-6.0p1/ssh-ldap.conf.5.ldap 2012-08-06 20:41:38.405454175 +0200 --- openssh-6.1p1/ssh-ldap.conf.5.ldap 2012-11-01 12:57:17.923280385 +0100
+++ openssh-6.0p1/ssh-ldap.conf.5 2012-08-06 20:41:38.405454175 +0200 +++ openssh-6.1p1/ssh-ldap.conf.5 2012-11-01 12:57:17.923280385 +0100
@@ -0,0 +1,376 @@ @@ -0,0 +1,376 @@
+.\" $OpenBSD: ssh-ldap.conf.5,v 1.1 2010/02/10 23:20:38 markus Exp $ +.\" $OpenBSD: ssh-ldap.conf.5,v 1.1 2010/02/10 23:20:38 markus Exp $
+.\" +.\"
@ -2503,9 +2503,9 @@ diff -up openssh-6.0p1/ssh-ldap.conf.5.ldap openssh-6.0p1/ssh-ldap.conf.5
+OpenSSH 5.5 + PKA-LDAP . +OpenSSH 5.5 + PKA-LDAP .
+.Sh AUTHORS +.Sh AUTHORS
+.An Jan F. Chadima Aq jchadima@redhat.com +.An Jan F. Chadima Aq jchadima@redhat.com
diff -up openssh-6.0p1/ssh-ldap-helper.8.ldap openssh-6.0p1/ssh-ldap-helper.8 diff -up openssh-6.1p1/ssh-ldap-helper.8.ldap openssh-6.1p1/ssh-ldap-helper.8
--- openssh-6.0p1/ssh-ldap-helper.8.ldap 2012-08-06 20:41:38.405454175 +0200 --- openssh-6.1p1/ssh-ldap-helper.8.ldap 2012-11-01 12:57:17.924280385 +0100
+++ openssh-6.0p1/ssh-ldap-helper.8 2012-08-06 20:41:38.405454175 +0200 +++ openssh-6.1p1/ssh-ldap-helper.8 2012-11-01 12:57:17.924280385 +0100
@@ -0,0 +1,79 @@ @@ -0,0 +1,79 @@
+.\" $OpenBSD: ssh-ldap-helper.8,v 1.1 2010/02/10 23:20:38 markus Exp $ +.\" $OpenBSD: ssh-ldap-helper.8,v 1.1 2010/02/10 23:20:38 markus Exp $
+.\" +.\"
@ -2586,9 +2586,9 @@ diff -up openssh-6.0p1/ssh-ldap-helper.8.ldap openssh-6.0p1/ssh-ldap-helper.8
+OpenSSH 5.5 + PKA-LDAP . +OpenSSH 5.5 + PKA-LDAP .
+.Sh AUTHORS +.Sh AUTHORS
+.An Jan F. Chadima Aq jchadima@redhat.com +.An Jan F. Chadima Aq jchadima@redhat.com
diff -up openssh-6.0p1/ssh-ldap-wrapper.ldap openssh-6.0p1/ssh-ldap-wrapper diff -up openssh-6.1p1/ssh-ldap-wrapper.ldap openssh-6.1p1/ssh-ldap-wrapper
--- openssh-6.0p1/ssh-ldap-wrapper.ldap 2012-08-06 20:41:38.405454175 +0200 --- openssh-6.1p1/ssh-ldap-wrapper.ldap 2012-11-01 12:57:17.924280385 +0100
+++ openssh-6.0p1/ssh-ldap-wrapper 2012-08-06 20:41:38.405454175 +0200 +++ openssh-6.1p1/ssh-ldap-wrapper 2012-11-01 12:57:17.924280385 +0100
@@ -0,0 +1,4 @@ @@ -0,0 +1,4 @@
+#!/bin/sh +#!/bin/sh
+ +


@ -1,20 +1,148 @@
diff -up openssh-6.1p1/auth.c.akc openssh-6.1p1/auth.c
--- openssh-6.1p1/auth.c.akc 2012-11-02 14:00:49.181077248 +0100
+++ openssh-6.1p1/auth.c 2012-11-02 14:00:49.253077860 +0100
@@ -413,39 +413,41 @@ check_key_in_hostfiles(struct passwd *pw
/*
- * Check a given file for security. This is defined as all components
+ * Check a given path for security. This is defined as all components
* of the path to the file must be owned by either the owner of
* of the file or root and no directories must be group or world writable.
*
* XXX Should any specific check be done for sym links ?
*
- * Takes an open file descriptor, the file name, a uid and and
+ * Takes an the file name, its stat information (preferably from fstat() to
+ * avoid races), the uid of the expected owner, their home directory and an
* error buffer plus max size as arguments.
*
* Returns 0 on success and -1 on failure
*/
-static int
-secure_filename(FILE *f, const char *file, struct passwd *pw,
- char *err, size_t errlen)
+int
+auth_secure_path(const char *name, struct stat *stp, const char *pw_dir,
+ uid_t uid, char *err, size_t errlen)
{
- uid_t uid = pw->pw_uid;
char buf[MAXPATHLEN], homedir[MAXPATHLEN];
char *cp;
int comparehome = 0;
struct stat st;
- if (realpath(file, buf) == NULL) {
- snprintf(err, errlen, "realpath %s failed: %s", file,
+ if (realpath(name, buf) == NULL) {
+ snprintf(err, errlen, "realpath %s failed: %s", name,
strerror(errno));
return -1;
}
- if (realpath(pw->pw_dir, homedir) != NULL)
+ if (pw_dir != NULL && realpath(pw_dir, homedir) != NULL)
comparehome = 1;
- /* check the open file to avoid races */
- if (fstat(fileno(f), &st) < 0 ||
- (st.st_uid != 0 && st.st_uid != uid) ||
- (st.st_mode & 022) != 0) {
+ if (!S_ISREG(stp->st_mode)) {
+ snprintf(err, errlen, "%s is not a regular file", buf);
+ return -1;
+ }
+ if ((stp->st_uid != 0 && stp->st_uid != uid) ||
+ (stp->st_mode & 022) != 0) {
snprintf(err, errlen, "bad ownership or modes for file %s",
buf);
return -1;
@@ -481,6 +483,31 @@ secure_filename(FILE *f, const char *fil
return 0;
}
+/*
+ * Version of secure_path() that accepts an open file descriptor to
+ * avoid races.
+ *
+ * Returns 0 on success and -1 on failure
+ */
+static int
+secure_filename(FILE *f, const char *file, struct passwd *pw,
+ char *err, size_t errlen)
+{
+ uid_t uid = pw->pw_uid;
+ char buf[MAXPATHLEN], homedir[MAXPATHLEN];
+ char *cp;
+ int comparehome = 0;
+ struct stat st;
+
+ /* check the open file to avoid races */
+ if (fstat(fileno(f), &st) < 0) {
+ snprintf(err, errlen, "cannot stat file %s: %s",
+ buf, strerror(errno));
+ return -1;
+ }
+ return auth_secure_path(file, &st, pw->pw_dir, pw->pw_uid, err, errlen);
+}
+
static FILE *
auth_openfile(const char *file, struct passwd *pw, int strict_modes,
int log_missing, char *file_type)
diff -up openssh-6.1p1/auth.h.akc openssh-6.1p1/auth.h
--- openssh-6.1p1/auth.h.akc 2012-11-02 14:00:49.239077742 +0100
+++ openssh-6.1p1/auth.h 2012-11-02 14:00:49.253077860 +0100
@@ -123,6 +123,10 @@ int auth_rhosts_rsa_key_allowed(struct
int hostbased_key_allowed(struct passwd *, const char *, char *, Key *);
int user_key_allowed(struct passwd *, Key *);
+struct stat;
+int auth_secure_path(const char *, struct stat *, const char *, uid_t,
+ char *, size_t);
+
#ifdef KRB5
int auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client, krb5_data *);
int auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt);
diff -up openssh-6.1p1/auth2-pubkey.c.akc openssh-6.1p1/auth2-pubkey.c diff -up openssh-6.1p1/auth2-pubkey.c.akc openssh-6.1p1/auth2-pubkey.c
--- openssh-6.1p1/auth2-pubkey.c.akc 2012-09-14 20:20:48.459445650 +0200 --- openssh-6.1p1/auth2-pubkey.c.akc 2012-11-02 14:00:49.241077758 +0100
+++ openssh-6.1p1/auth2-pubkey.c 2012-09-14 20:20:48.520446072 +0200 +++ openssh-6.1p1/auth2-pubkey.c 2012-11-02 14:00:49.252077852 +0100
@@ -27,6 +27,7 @@ @@ -27,9 +27,13 @@
#include <sys/types.h> #include <sys/types.h>
#include <sys/stat.h> #include <sys/stat.h>
+#include <sys/wait.h> +#include <sys/wait.h>
+#include <errno.h>
#include <fcntl.h> #include <fcntl.h>
+#include <paths.h>
#include <pwd.h> #include <pwd.h>
@@ -277,27 +278,15 @@ match_principals_file(char *file, struct +#include <signal.h>
#include <stdio.h>
#include <stdarg.h>
#include <string.h>
@@ -260,7 +264,7 @@ match_principals_file(char *file, struct
if (strcmp(cp, cert->principals[i]) == 0) {
debug3("matched principal \"%.100s\" "
"from file \"%s\" on line %lu",
- cert->principals[i], file, linenum);
+ cert->principals[i], file, linenum);
if (auth_parse_options(pw, line_opts,
file, linenum) != 1)
continue;
@@ -273,31 +277,22 @@ match_principals_file(char *file, struct
fclose(f);
restore_uid();
return 0;
-}
+}
/* return 1 if user allows given key */ -/* return 1 if user allows given key */
+/*
+ * Checks whether key is allowed in authorized_keys-format file,
+ * returns 1 if the key is allowed or 0 otherwise.
+ */
static int static int
-user_key_allowed2(struct passwd *pw, Key *key, char *file) -user_key_allowed2(struct passwd *pw, Key *key, char *file)
+user_search_key_in_file(FILE *f, char *file, Key* key, struct passwd *pw) +check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
{ {
char line[SSH_MAX_PUBKEY_BYTES]; char line[SSH_MAX_PUBKEY_BYTES];
const char *reason; const char *reason;
@ -38,7 +166,7 @@ diff -up openssh-6.1p1/auth2-pubkey.c.akc openssh-6.1p1/auth2-pubkey.c
found_key = 0; found_key = 0;
found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type); found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);
@@ -390,8 +379,6 @@ user_key_allowed2(struct passwd *pw, Key @@ -390,8 +385,6 @@ user_key_allowed2(struct passwd *pw, Key
break; break;
} }
} }
@ -47,12 +175,15 @@ diff -up openssh-6.1p1/auth2-pubkey.c.akc openssh-6.1p1/auth2-pubkey.c
key_free(found); key_free(found);
if (!found_key) if (!found_key)
debug2("key not found"); debug2("key not found");
@@ -453,13 +440,191 @@ user_cert_trusted_ca(struct passwd *pw, @@ -453,7 +446,173 @@ user_cert_trusted_ca(struct passwd *pw,
return ret; return ret;
} }
-/* check whether given key is in .ssh/authorized_keys* */ -/* check whether given key is in .ssh/authorized_keys* */
+/* return 1 if user allows given key */ +/*
+ * Checks whether key is allowed in file.
+ * returns 1 if the key is allowed or 0 otherwise.
+ */
+static int +static int
+user_key_allowed2(struct passwd *pw, Key *key, char *file) +user_key_allowed2(struct passwd *pw, Key *key, char *file)
+{ +{
@ -63,10 +194,8 @@ diff -up openssh-6.1p1/auth2-pubkey.c.akc openssh-6.1p1/auth2-pubkey.c
+ temporarily_use_uid(pw); + temporarily_use_uid(pw);
+ +
+ debug("trying public key file %s", file); + debug("trying public key file %s", file);
+ f = auth_openkeyfile(file, pw, options.strict_modes); + if ((f = auth_openkeyfile(file, pw, options.strict_modes)) != NULL) {
+ + found_key = check_authkeys_file(f, file, key, pw);
+ if (f) {
+ found_key = user_search_key_in_file (f, file, key, pw);
+ fclose(f); + fclose(f);
+ } + }
+ +
@ -74,211 +203,173 @@ diff -up openssh-6.1p1/auth2-pubkey.c.akc openssh-6.1p1/auth2-pubkey.c
+ return found_key; + return found_key;
+} +}
+ +
+#ifdef WITH_AUTHORIZED_KEYS_COMMAND +/*
+ + * Checks whether key is allowed in output of command.
+#define WHITESPACE " \t\r\n" + * returns 1 if the key is allowed or 0 otherwise.
+ + */
+/* return 1 if user allows given key */
+static int +static int
+user_key_via_command_allowed2(struct passwd *pw, Key *key) +user_key_command_allowed2(struct passwd *user_pw, Key *key)
+{ +{
+ FILE *f; + FILE *f;
+ int found_key = 0; + int ok, found_key = 0;
+ char *progname = NULL; + struct passwd *pw;
+ char *cp;
+ struct passwd *runas_pw;
+ struct stat st; + struct stat st;
+ int childdescriptors[2], i; + int status, devnull, p[2], i;
+ pid_t pstat, pid, child; + pid_t pid;
+ char errmsg[512];
+ +
+ if (options.authorized_keys_command == NULL || options.authorized_keys_command[0] != '/') + if (options.authorized_keys_command == NULL ||
+ options.authorized_keys_command[0] != '/')
+ return 0; + return 0;
+ +
+ /* get the run as identity from config */ + /* If no user specified to run commands the default to target user */
+ runas_pw = (options.authorized_keys_command_runas == NULL)? pw + if (options.authorized_keys_command_user == NULL)
+ : getpwnam (options.authorized_keys_command_runas); + pw = user_pw;
+ if (!runas_pw) { + else {
+ error("%s: getpwnam(\"%s\"): %s", __func__, + pw = getpwnam(options.authorized_keys_command_user);
+ options.authorized_keys_command_runas, strerror(errno)); + if (pw == NULL) {
+ return 0; + error("AuthorizedKeyCommandUser \"%s\" not found: %s",
+ } + options.authorized_keys_command, strerror(errno));
+ + return 0;
+ /* Temporarily use the specified uid. */
+ if (runas_pw->pw_uid != 0)
+ temporarily_use_uid(runas_pw);
+
+ progname = xstrdup(options.authorized_keys_command);
+
+ debug3("%s: checking program '%s'", __func__, progname);
+
+ if (stat (progname, &st) < 0) {
+ error("%s: stat(\"%s\"): %s", __func__,
+ progname, strerror(errno));
+ goto go_away;
+ }
+
+ if (st.st_uid != 0 || (st.st_mode & 022) != 0) {
+ error("bad ownership or modes for AuthorizedKeysCommand \"%s\"",
+ progname);
+ goto go_away;
+ }
+
+ if (!S_ISREG(st.st_mode)) {
+ error("AuthorizedKeysCommand \"%s\" is not a regular file",
+ progname);
+ goto go_away;
+ }
+
+ /*
+ * Descend the path, checking that each component is a
+ * root-owned directory with strict permissions.
+ */
+ do {
+ if ((cp = strrchr(progname, '/')) == NULL)
+ break;
+ else
+ *cp = '\0';
+
+ debug3("%s: checking component '%s'", __func__, (*progname == '\0' ? "/" : progname));
+
+ if (stat((*progname == '\0' ? "/" : progname), &st) != 0) {
+ error("%s: stat(\"%s\"): %s", __func__,
+ progname, strerror(errno));
+ goto go_away;
+ } + }
+ if (st.st_uid != 0 || (st.st_mode & 022) != 0) { + }
+ error("bad ownership or modes for AuthorizedKeysCommand path component \"%s\"", +
+ progname); + temporarily_use_uid(pw);
+ goto go_away; + if (stat(options.authorized_keys_command, &st) < 0) {
+ } + error("Could not stat AuthorizedKeysCommand \"%s\": %s",
+ if (!S_ISDIR(st.st_mode)) { + options.authorized_keys_command, strerror(errno));
+ error("AuthorizedKeysCommand path component \"%s\" is not a directory", + goto out;
+ progname); + }
+ goto go_away; +
+ } + if (auth_secure_path(options.authorized_keys_command, &st, NULL, 0,
+ } while (1); + errmsg, sizeof(errmsg)) != 0) {
+ error("Unsafe AuthorizedKeysCommand: %s", errmsg);
+ goto out;
+ }
+ +
+ /* open the pipe and read the keys */ + /* open the pipe and read the keys */
+ if (pipe(childdescriptors)) { + if (pipe(p) != 0) {
+ error("failed to pipe(2) for AuthorizedKeysCommand: %s", + error("%s: pipe: %s", __func__, strerror(errno));
+ strerror(errno)); + goto out;
+ goto go_away; + }
+ }
+ +
+ child = fork(); + debug3("Running AuthorizedKeysCommand: \"%s\" as \"%s\"",
+ if (child == -1) { + options.authorized_keys_command, pw->pw_name);
+ error("failed to fork(2) for AuthorizedKeysCommand: %s",
+ strerror(errno));
+ goto go_away;
+ } else if (child == 0) {
+ /* we're in the child process here -- we should never return from this block. */
+ /* permanently drop privs in child process */
+ if (runas_pw->pw_uid != 0) {
+ restore_uid();
+ permanently_set_uid(runas_pw);
+ }
+ +
+ close(childdescriptors[0]); + /*
+ /* put the write end of the pipe on stdout (FD 1) */ + * Don't want to call this in the child, where it can fatal() and
+ if (dup2(childdescriptors[1], 1) == -1) { + * run cleanup_exit() code.
+ error("failed to dup2(2) from AuthorizedKeysCommand: %s", + */
+ restore_uid();
+
+ switch ((pid = fork())) {
+ case -1: /* error */
+ error("%s: fork: %s", __func__, strerror(errno));
+ close(p[0]);
+ close(p[1]);
+ return 0;
+ case 0: /* child */
+ for (i = 0; i < NSIG; i++)
+ signal(i, SIG_DFL);
+
+ /* Don't use permanently_set_uid() here to avoid fatal() */
+ if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) != 0) {
+ error("setresgid %u: %s", (u_int)pw->pw_gid,
+ strerror(errno)); + strerror(errno));
+ _exit(127); + _exit(1);
+ }
+ if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) != 0) {
+ error("setresuid %u: %s", (u_int)pw->pw_uid,
+ strerror(errno));
+ _exit(1);
+ } + }
+ +
+ debug3("about to execl() AuthorizedKeysCommand: \"%s\" \"%s\"", options.authorized_keys_command, pw->pw_name); + close(p[0]);
+ /* see session.c:child_close_fds() */ + if ((devnull = open(_PATH_DEVNULL, O_RDWR)) == -1) {
+ for (i = 3; i < 64; ++i) { + error("%s: open %s: %s", __func__, _PATH_DEVNULL,
+ close(i); + strerror(errno));
+ _exit(1);
+ } + }
+ if (dup2(devnull, STDIN_FILENO) == -1 ||
+ dup2(p[1], STDOUT_FILENO) == -1 ||
+ dup2(devnull, STDERR_FILENO) == -1) {
+ error("%s: dup2: %s", __func__, strerror(errno));
+ _exit(1);
+ }
+ closefrom(STDERR_FILENO + 1);
+ +
+ execl(options.authorized_keys_command, options.authorized_keys_command, pw->pw_name, NULL); + execl(options.authorized_keys_command,
+ options.authorized_keys_command, pw->pw_name, NULL);
+ +
+ /* if we got here, it didn't work */ + error("AuthorizedKeysCommand %s exec failed: %s",
+ error("failed to execl AuthorizedKeysCommand: %s", strerror(errno)); /* this won't work because we closed the fds above */ + options.authorized_keys_command, strerror(errno));
+ _exit(127); + _exit(127);
+ default: /* parent */
+ break;
+ } + }
+ +
+ close(childdescriptors[1]); + temporarily_use_uid(pw);
+ f = fdopen(childdescriptors[0], "r"); +
+ if (!f) { + close(p[1]);
+ error("%s: could not buffer FDs from AuthorizedKeysCommand (\"%s\", \"r\"): %s", __func__, + if ((f = fdopen(p[0], "r")) == NULL) {
+ options.authorized_keys_command, strerror (errno)); + error("%s: fdopen: %s", __func__, strerror(errno));
+ goto go_away; + close(p[0]);
+ /* Don't leave zombie child */
+ while (waitpid(pid, NULL, 0) == -1 && errno == EINTR)
+ ;
+ goto out;
+ } + }
+ ok = check_authkeys_file(f, options.authorized_keys_command, key, pw);
+ fclose(f);
+ +
+ found_key = user_search_key_in_file (f, options.authorized_keys_command, key, pw); + while (waitpid(pid, &status, 0) == -1) {
+ fclose (f); + if (errno != EINTR) {
+ do { + error("%s: waitpid: %s", __func__, strerror(errno));
+ pid = waitpid(child, &pstat, 0); + goto out;
+ } while (pid == -1 && errno == EINTR); + }
+ }
+ if (WIFSIGNALED(status)) {
+ error("AuthorizedKeysCommand %s exited on signal %d",
+ options.authorized_keys_command, WTERMSIG(status));
+ goto out;
+ } else if (WEXITSTATUS(status) != 0) {
+ error("AuthorizedKeysCommand %s returned status %d",
+ options.authorized_keys_command, WEXITSTATUS(status));
+ goto out;
+ }
+ found_key = ok;
+ out:
+ restore_uid();
+ +
+ /* what about the return value from the child process? */
+go_away:
+ if (progname)
+ xfree (progname);
+
+ if (runas_pw->pw_uid != 0)
+ restore_uid();
+ return found_key; + return found_key;
+} +}
+#endif
+ +
+/* check whether given key is in <AuthorizedKeysCommand or .ssh/authorized_keys* */ +/*
+ * Check whether key authenticates and authorises the user.
+ */
int int
user_key_allowed(struct passwd *pw, Key *key) user_key_allowed(struct passwd *pw, Key *key)
{ {
u_int success, i; @@ -469,6 +628,10 @@ user_key_allowed(struct passwd *pw, Key
char *file; if (success)
return success;
+#ifdef WITH_AUTHORIZED_KEYS_COMMAND + success = user_key_command_allowed2(pw, key);
+ success = user_key_via_command_allowed2(pw, key);
+ if (success > 0) + if (success > 0)
+ return success; + return success;
+#endif
+ +
if (auth_key_is_revoked(key)) for (i = 0; !success && i < options.num_authkeys_files; i++) {
return 0; file = expand_authorized_keys(
if (key_is_cert(key) && auth_key_is_revoked(key->cert->signature_key)) options.authorized_keys_files[i], pw);
diff -up openssh-6.1p1/configure.ac.akc openssh-6.1p1/configure.ac
--- openssh-6.1p1/configure.ac.akc 2012-07-06 03:49:29.000000000 +0200
+++ openssh-6.1p1/configure.ac 2012-09-14 20:20:48.525446106 +0200
@@ -1512,6 +1512,18 @@ AC_ARG_WITH([audit],
esac ]
)
+# Check whether user wants AuthorizedKeysCommand support
+AKC_MSG="no"
+AC_ARG_WITH(authorized-keys-command,
+ [ --with-authorized-keys-command Enable AuthorizedKeysCommand support],
+ [
+ if test "x$withval" != "xno" ; then
+ AC_DEFINE([WITH_AUTHORIZED_KEYS_COMMAND], 1, [Enable AuthorizedKeysCommand support])
+ AKC_MSG="yes"
+ fi
+ ]
+)
+
dnl Checks for library functions. Please keep in alphabetical order
AC_CHECK_FUNCS([ \
arc4random \
@@ -4407,6 +4419,7 @@ echo " SELinux support
echo " Smartcard support: $SCARD_MSG"
echo " S/KEY support: $SKEY_MSG"
echo " TCP Wrappers support: $TCPW_MSG"
+echo " AuthorizedKeysCommand support: $AKC_MSG"
echo " MD5 password support: $MD5_MSG"
echo " libedit support: $LIBEDIT_MSG"
echo " Solaris process contract support: $SPC_MSG"
diff -up openssh-6.1p1/servconf.c.akc openssh-6.1p1/servconf.c diff -up openssh-6.1p1/servconf.c.akc openssh-6.1p1/servconf.c
--- openssh-6.1p1/servconf.c.akc 2012-09-14 20:20:48.138443423 +0200 --- openssh-6.1p1/servconf.c.akc 2012-11-02 14:00:49.186077290 +0100
+++ openssh-6.1p1/servconf.c 2012-09-14 20:27:34.546107295 +0200 +++ openssh-6.1p1/servconf.c 2012-11-02 14:26:32.086138017 +0100
@@ -139,6 +139,8 @@ initialize_server_options(ServerOptions @@ -139,6 +139,8 @@ initialize_server_options(ServerOptions
options->num_permitted_opens = -1; options->num_permitted_opens = -1;
options->adm_forced_command = NULL; options->adm_forced_command = NULL;
options->chroot_directory = NULL; options->chroot_directory = NULL;
+ options->authorized_keys_command = NULL; + options->authorized_keys_command = NULL;
+ options->authorized_keys_command_runas = NULL; + options->authorized_keys_command_user = NULL;
options->zero_knowledge_password_authentication = -1; options->zero_knowledge_password_authentication = -1;
options->revoked_keys_file = NULL; options->revoked_keys_file = NULL;
options->trusted_user_ca_keys = NULL; options->trusted_user_ca_keys = NULL;
@ -286,43 +377,40 @@ diff -up openssh-6.1p1/servconf.c.akc openssh-6.1p1/servconf.c
sZeroKnowledgePasswordAuthentication, sHostCertificate, sZeroKnowledgePasswordAuthentication, sHostCertificate,
sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
sKexAlgorithms, sIPQoS, sVersionAddendum, sKexAlgorithms, sIPQoS, sVersionAddendum,
+ sAuthorizedKeysCommand, sAuthorizedKeysCommandRunAs, + sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
sDeprecated, sUnsupported sDeprecated, sUnsupported
} ServerOpCodes; } ServerOpCodes;
@@ -461,6 +464,14 @@ static struct { @@ -460,6 +463,9 @@ static struct {
{ "requiredauthentications1", sRequiredAuthentications1, SSHCFG_ALL },
{ "requiredauthentications2", sRequiredAuthentications2, SSHCFG_ALL }, { "requiredauthentications2", sRequiredAuthentications2, SSHCFG_ALL },
{ "ipqos", sIPQoS, SSHCFG_ALL }, { "ipqos", sIPQoS, SSHCFG_ALL },
{ "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
+#ifdef WITH_AUTHORIZED_KEYS_COMMAND
+ { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL }, + { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
+ { "authorizedkeyscommandrunas", sAuthorizedKeysCommandRunAs, SSHCFG_ALL }, + { "authorizedkeyscommandrunas", sAuthorizedKeysCommandUser, SSHCFG_ALL },
+#else + { "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
+ { "authorizedkeyscommand", sUnsupported, SSHCFG_ALL }, { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
+ { "authorizedkeyscommandrunas", sUnsupported, SSHCFG_ALL },
+#endif
+
{ NULL, sBadOption, 0 } { NULL, sBadOption, 0 }
}; };
@@ -1532,6 +1538,26 @@ process_server_config_line(ServerOptions
@@ -1532,6 +1543,24 @@ process_server_config_line(ServerOptions
} }
return 0; return 0;
+ case sAuthorizedKeysCommand: + case sAuthorizedKeysCommand:
+ len = strspn(cp, WHITESPACE); + len = strspn(cp, WHITESPACE);
+ if (*activep && options->authorized_keys_command == NULL) + if (*activep && options->authorized_keys_command == NULL) {
+ options->authorized_keys_command = xstrdup(cp + len); + options->authorized_keys_command = xstrdup(cp + len);
+ if (*options->authorized_keys_command != '/') {
+ fatal("%.200s line %d: AuthorizedKeysCommand "
+ "must be an absolute path",
+ filename, linenum);
+ }
+ }
+ return 0; + return 0;
+ +
+ case sAuthorizedKeysCommandRunAs: + case sAuthorizedKeysCommandUser:
+ charptr = &options->authorized_keys_command_runas; + charptr = &options->authorized_keys_command_user;
+ +
+ arg = strdelim(&cp); + arg = strdelim(&cp);
+ if (!arg || *arg == '\0')
+ fatal("%s line %d: missing account.",
+ filename, linenum);
+
+ if (*activep && *charptr == NULL) + if (*activep && *charptr == NULL)
+ *charptr = xstrdup(arg); + *charptr = xstrdup(arg);
+ break; + break;
@ -330,52 +418,76 @@ diff -up openssh-6.1p1/servconf.c.akc openssh-6.1p1/servconf.c
case sDeprecated: case sDeprecated:
logit("%s line %d: Deprecated option %s", logit("%s line %d: Deprecated option %s",
filename, linenum, arg); filename, linenum, arg);
@@ -1682,6 +1711,8 @@ copy_set_server_options(ServerOptions *d @@ -1682,6 +1708,8 @@ copy_set_server_options(ServerOptions *d
M_CP_INTOPT(hostbased_uses_name_from_packet_only); M_CP_INTOPT(hostbased_uses_name_from_packet_only);
M_CP_INTOPT(kbd_interactive_authentication); M_CP_INTOPT(kbd_interactive_authentication);
M_CP_INTOPT(zero_knowledge_password_authentication); M_CP_INTOPT(zero_knowledge_password_authentication);
+ M_CP_STROPT(authorized_keys_command); + M_CP_STROPT(authorized_keys_command);
+ M_CP_STROPT(authorized_keys_command_runas); + M_CP_STROPT(authorized_keys_command_user);
M_CP_INTOPT(permit_root_login); M_CP_INTOPT(permit_root_login);
M_CP_INTOPT(permit_empty_passwd); M_CP_INTOPT(permit_empty_passwd);
@@ -1942,6 +1973,8 @@ dump_config(ServerOptions *o) @@ -1942,6 +1970,8 @@ dump_config(ServerOptions *o)
dump_cfg_string(sAuthorizedPrincipalsFile, dump_cfg_string(sAuthorizedPrincipalsFile,
o->authorized_principals_file); o->authorized_principals_file);
dump_cfg_string(sVersionAddendum, o->version_addendum); dump_cfg_string(sVersionAddendum, o->version_addendum);
+ dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command); + dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command);
+ dump_cfg_string(sAuthorizedKeysCommandRunAs, o->authorized_keys_command_runas); + dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user);
/* string arguments requiring a lookup */ /* string arguments requiring a lookup */
dump_cfg_string(sLogLevel, log_level_name(o->log_level)); dump_cfg_string(sLogLevel, log_level_name(o->log_level));
diff -up openssh-6.1p1/servconf.h.akc openssh-6.1p1/servconf.h diff -up openssh-6.1p1/servconf.h.akc openssh-6.1p1/servconf.h
--- openssh-6.1p1/servconf.h.akc 2012-09-14 20:20:48.000000000 +0200 --- openssh-6.1p1/servconf.h.akc 2012-11-02 14:00:49.186077290 +0100
+++ openssh-6.1p1/servconf.h 2012-09-14 20:23:16.691844577 +0200 +++ openssh-6.1p1/servconf.h 2012-11-02 14:00:49.254077869 +0100
@@ -169,6 +169,8 @@ typedef struct { @@ -169,6 +169,8 @@ typedef struct {
char *revoked_keys_file; char *revoked_keys_file;
char *trusted_user_ca_keys; char *trusted_user_ca_keys;
char *authorized_principals_file; char *authorized_principals_file;
+ char *authorized_keys_command; + char *authorized_keys_command;
+ char *authorized_keys_command_runas; + char *authorized_keys_command_user;
char *version_addendum; /* Appended to SSH banner */ char *version_addendum; /* Appended to SSH banner */
} ServerOptions; } ServerOptions;
diff -up openssh-6.1p1/sshd.c.akc openssh-6.1p1/sshd.c
--- openssh-6.1p1/sshd.c.akc 2012-11-02 14:00:49.249077826 +0100
+++ openssh-6.1p1/sshd.c 2012-11-02 14:00:49.254077869 +0100
@@ -366,9 +366,20 @@ main_sigchld_handler(int sig)
static void
grace_alarm_handler(int sig)
{
+ pid_t pgid;
+
if (use_privsep && pmonitor != NULL && pmonitor->m_pid > 0)
kill(pmonitor->m_pid, SIGALRM);
+ /*
+ * Try to kill any processes that we have spawned, E.g. authorized
+ * keys command helpers.
+ */
+ if ((pgid = getpgid(0)) == getpid()) {
+ signal(SIGTERM, SIG_IGN);
+ killpg(pgid, SIGTERM);
+ }
+
/* Log error and exit. */
sigdie("Timeout before authentication for %s", get_remote_ipaddr());
}
diff -up openssh-6.1p1/sshd_config.akc openssh-6.1p1/sshd_config diff -up openssh-6.1p1/sshd_config.akc openssh-6.1p1/sshd_config
--- openssh-6.1p1/sshd_config.akc 2012-07-31 04:21:34.000000000 +0200 --- openssh-6.1p1/sshd_config.akc 2012-07-31 04:21:34.000000000 +0200
+++ openssh-6.1p1/sshd_config 2012-09-14 20:30:46.950095769 +0200 +++ openssh-6.1p1/sshd_config 2012-11-02 14:00:49.255077878 +0100
@@ -49,6 +49,9 @@ @@ -49,6 +49,9 @@
# but this is overridden so installations will only check .ssh/authorized_keys # but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys AuthorizedKeysFile .ssh/authorized_keys
+#AuthorizedKeysCommand none +#AuthorizedKeysCommand none
+#AuthorizedKeysCommandRunAs nobody +#AuthorizedKeysCommandUser nobody
+ +
#AuthorizedPrincipalsFile none #AuthorizedPrincipalsFile none
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
diff -up openssh-6.1p1/sshd_config.0.akc openssh-6.1p1/sshd_config.0 diff -up openssh-6.1p1/sshd_config.0.akc openssh-6.1p1/sshd_config.0
--- openssh-6.1p1/sshd_config.0.akc 2012-08-29 02:53:04.000000000 +0200 --- openssh-6.1p1/sshd_config.0.akc 2012-08-29 02:53:04.000000000 +0200
+++ openssh-6.1p1/sshd_config.0 2012-09-14 20:32:23.539624859 +0200 +++ openssh-6.1p1/sshd_config.0 2012-11-02 14:00:49.255077878 +0100
@@ -71,6 +71,23 @@ DESCRIPTION @@ -71,6 +71,23 @@ DESCRIPTION
See PATTERNS in ssh_config(5) for more information on patterns. See PATTERNS in ssh_config(5) for more information on patterns.
@ -411,38 +523,39 @@ diff -up openssh-6.1p1/sshd_config.0.akc openssh-6.1p1/sshd_config.0
GatewayPorts, GSSAPIAuthentication, HostbasedAuthentication, GatewayPorts, GSSAPIAuthentication, HostbasedAuthentication,
HostbasedUsesNameFromPacketOnly, KbdInteractiveAuthentication, HostbasedUsesNameFromPacketOnly, KbdInteractiveAuthentication,
diff -up openssh-6.1p1/sshd_config.5.akc openssh-6.1p1/sshd_config.5 diff -up openssh-6.1p1/sshd_config.5.akc openssh-6.1p1/sshd_config.5
--- openssh-6.1p1/sshd_config.5.akc 2012-09-14 20:20:48.142443448 +0200 --- openssh-6.1p1/sshd_config.5.akc 2012-11-02 14:00:49.187077299 +0100
+++ openssh-6.1p1/sshd_config.5 2012-09-14 20:29:56.003873873 +0200 +++ openssh-6.1p1/sshd_config.5 2012-11-02 14:00:49.255077878 +0100
@@ -151,6 +151,19 @@ See @@ -151,6 +151,20 @@ See
in in
.Xr ssh_config 5 .Xr ssh_config 5
for more information on patterns. for more information on patterns.
+.It Cm AuthorizedKeysCommand +.It Cm AuthorizedKeysCommand
+Specifies a program to be used for lookup of the user's +Specifies a program to be used for lookup of the user's public keys.
+public keys. The program will be invoked with its first +The program will be invoked with a single argument of the username
+argument the name of the user being authorized, and should produce +being authenticated, and should produce on standard output zero or
+on standard output AuthorizedKeys lines (see AUTHORIZED_KEYS +more lines of authorized_keys output (see AUTHORIZED_KEYS in
+in sshd(8)). By default (or when set to the empty string) there is no +.Xr sshd 8 )
+AuthorizedKeysCommand run. If the AuthorizedKeysCommand does not successfully +If a key supplied by AuthorizedKeysCommand does not successfully authenticate
+authorize the user, authorization falls through to the +and authorize the user then public key authentication continues using the usual
+AuthorizedKeysFile. Note that this option has an effect +.Cm AuthorizedKeysFile
+only with PubkeyAuthentication turned on. +files.
+.It Cm AuthorizedKeysCommandRunAs +By default, no AuthorizedKeysCommand is run.
+Specifies the user under whose account the AuthorizedKeysCommand is run. Empty +.It Cm AuthorizedKeysCommandUser
+string (the default value) means the user being authorized is used. +Specifies the user under whose account the AuthorizedKeysCommand is run.
+The default is the user being authenticated.
.It Cm AuthorizedKeysFile .It Cm AuthorizedKeysFile
Specifies the file that contains the public keys that can be used Specifies the file that contains the public keys that can be used
for user authentication. for user authentication.
@@ -712,6 +725,8 @@ Available keywords are @@ -712,6 +726,8 @@ Available keywords are
.Cm AllowTcpForwarding , .Cm AllowTcpForwarding ,
.Cm AllowUsers , .Cm AllowUsers ,
.Cm AuthorizedKeysFile , .Cm AuthorizedKeysFile ,
+.Cm AuthorizedKeysCommand , +.Cm AuthorizedKeysCommand ,
+.Cm AuthorizedKeysCommandRunAs , +.Cm AuthorizedKeysCommandUser ,
.Cm AuthorizedPrincipalsFile , .Cm AuthorizedPrincipalsFile ,
.Cm Banner , .Cm Banner ,
.Cm ChrootDirectory , .Cm ChrootDirectory ,
@@ -726,6 +741,7 @@ Available keywords are @@ -726,6 +742,7 @@ Available keywords are
.Cm KerberosAuthentication , .Cm KerberosAuthentication ,
.Cm MaxAuthTries , .Cm MaxAuthTries ,
.Cm MaxSessions , .Cm MaxSessions ,


@ -507,7 +507,6 @@ fi
--disable-strip \ --disable-strip \
--without-zlib-version-check \ --without-zlib-version-check \
--with-ssl-engine \ --with-ssl-engine \
--with-authorized-keys-command \
--with-ipaddr-display \ --with-ipaddr-display \
%if %{ldap} %if %{ldap}
--with-ldap \ --with-ldap \