mirror of
https://github.com/NixOS/nixpkgs.git
synced 2024-12-01 01:51:24 +00:00
372 lines
16 KiB
Diff
372 lines
16 KiB
Diff
diff -u pam_ssh_agent_auth-0.10.3-orig/iterate_ssh_agent_keys.c pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c
|
|
--- pam_ssh_agent_auth-0.10.3-orig/iterate_ssh_agent_keys.c 2016-11-12 19:24:32.000000000 -0800
|
|
+++ pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c 2017-03-02 23:47:18.012203283 -0800
|
|
@@ -176,7 +176,7 @@
|
|
return;
|
|
}
|
|
|
|
-int
|
|
+const char *
|
|
pamsshagentauth_find_authorized_keys(const char * user, const char * ruser, const char * servicename)
|
|
{
|
|
Buffer session_id2 = { 0 };
|
|
@@ -184,7 +184,7 @@
|
|
Key *key;
|
|
AuthenticationConnection *ac;
|
|
char *comment;
|
|
- uint8_t retval = 0;
|
|
+ const char *key_file = 0;
|
|
uid_t uid = getpwnam(ruser)->pw_uid;
|
|
|
|
OpenSSL_add_all_digests();
|
|
@@ -199,13 +199,11 @@
|
|
id->key = key;
|
|
id->filename = comment;
|
|
id->ac = ac;
|
|
- if(userauth_pubkey_from_id(ruser, id, &session_id2)) {
|
|
- retval = 1;
|
|
- }
|
|
+ key_file = userauth_pubkey_from_id(ruser, id, &session_id2);
|
|
pamsshagentauth_xfree(id->filename);
|
|
pamsshagentauth_key_free(id->key);
|
|
pamsshagentauth_xfree(id);
|
|
- if(retval == 1)
|
|
+ if(key_file)
|
|
break;
|
|
}
|
|
}
|
|
@@ -217,5 +215,5 @@
|
|
}
|
|
/* pamsshagentauth_xfree(session_id2); */
|
|
EVP_cleanup();
|
|
- return retval;
|
|
+ return key_file;
|
|
}
|
|
diff -u pam_ssh_agent_auth-0.10.3-orig/iterate_ssh_agent_keys.h pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.h
|
|
--- pam_ssh_agent_auth-0.10.3-orig/iterate_ssh_agent_keys.h 2016-11-12 19:24:32.000000000 -0800
|
|
+++ pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.h 2017-03-02 23:48:06.345803339 -0800
|
|
@@ -31,6 +31,6 @@
|
|
#ifndef _ITERATE_SSH_AGENT_KEYS_H
|
|
#define _ITERATE_SSH_AGENT_KEYS_H
|
|
|
|
-int pamsshagentauth_find_authorized_keys(const char * user, const char * ruser, const char * servicename);
|
|
+const char * pamsshagentauth_find_authorized_keys(const char * user, const char * ruser, const char * servicename);
|
|
|
|
#endif
|
|
diff -u pam_ssh_agent_auth-0.10.3-orig/pam_ssh_agent_auth.c pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c
|
|
--- pam_ssh_agent_auth-0.10.3-orig/pam_ssh_agent_auth.c 2016-11-12 19:24:32.000000000 -0800
|
|
+++ pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c 2017-03-02 23:51:57.642669946 -0800
|
|
@@ -61,7 +61,6 @@
|
|
#define strncasecmp_literal(A,B) strncasecmp( A, B, sizeof(B) - 1)
|
|
#define UNUSED(expr) do { (void)(expr); } while (0)
|
|
|
|
-char *authorized_keys_file = NULL;
|
|
uint8_t allow_user_owned_authorized_keys_file = 0;
|
|
char *authorized_keys_command = NULL;
|
|
char *authorized_keys_command_user = NULL;
|
|
@@ -171,15 +170,13 @@
|
|
goto cleanexit;
|
|
}
|
|
|
|
- if(authorized_keys_file_input && user) {
|
|
- /*
|
|
- * user is the name of the target-user, and so must be used for validating the authorized_keys file
|
|
- */
|
|
- parse_authorized_key_file(user, authorized_keys_file_input);
|
|
- } else {
|
|
- pamsshagentauth_verbose("Using default file=/etc/security/authorized_keys");
|
|
- authorized_keys_file = pamsshagentauth_xstrdup("/etc/security/authorized_keys");
|
|
- }
|
|
+ if (!authorized_keys_file_input || !user)
|
|
+ authorized_keys_file_input = "/etc/security/authorized_keys";
|
|
+
|
|
+ /*
|
|
+ * user is the name of the target-user, and so must be used for validating the authorized_keys file
|
|
+ */
|
|
+ parse_authorized_key_files(user, authorized_keys_file_input);
|
|
|
|
/*
|
|
* PAM_USER and PAM_RUSER do not necessarily have to get set by the calling application, and we may be unable to divine the latter.
|
|
@@ -184,5 +181,5 @@
|
|
*/
|
|
|
|
if(user && strlen(ruser) > 0) {
|
|
- pamsshagentauth_verbose("Attempting authentication: `%s' as `%s' using %s", ruser, user, authorized_keys_file);
|
|
+ pamsshagentauth_verbose("Attempting authentication: `%s' as `%s' using %s", ruser, user, authorized_keys_file_input);
|
|
|
|
@@ -201,3 +197,3 @@
|
|
retval = PAM_SUCCESS;
|
|
- pamsshagentauth_logit("Authenticated (sshd): `%s' as `%s' using %s", ruser, user, authorized_keys_file);
|
|
+ pamsshagentauth_logit("Authenticated (sshd): `%s' as `%s' using %s", ruser, user, authorized_keys_file_input);
|
|
|
|
@@ -211,11 +208,12 @@
|
|
/*
|
|
* this pw_uid is used to validate the SSH_AUTH_SOCK, and so must be the uid of the ruser invoking the program, not the target-user
|
|
*/
|
|
- if(pamsshagentauth_find_authorized_keys(user, ruser, servicename)) { /* getpwnam(ruser)->pw_uid)) { */
|
|
- pamsshagentauth_logit("Authenticated (agent): `%s' as `%s' using %s", ruser, user, authorized_keys_file);
|
|
+ const char *key_file;
|
|
+ if((key_file = pamsshagentauth_find_authorized_keys(user, ruser, servicename))) { /* getpwnam(ruser)->pw_uid)) { */
|
|
+ pamsshagentauth_logit("Authenticated (agent): `%s' as `%s' using %s", ruser, user, key_file);
|
|
retval = PAM_SUCCESS;
|
|
} else {
|
|
- pamsshagentauth_logit("Failed Authentication: `%s' as `%s' using %s", ruser, user, authorized_keys_file);
|
|
+ pamsshagentauth_logit("Failed Authentication: `%s' as `%s' using %s", ruser, user, authorized_keys_file_input);
|
|
}
|
|
} else {
|
|
pamsshagentauth_logit("No %s specified, cannot continue with this form of authentication", (user) ? "ruser" : "user" );
|
|
@@ -208,7 +206,7 @@
|
|
free(__progname);
|
|
#endif
|
|
|
|
- free(authorized_keys_file);
|
|
+ free_authorized_key_files();
|
|
|
|
return retval;
|
|
}
|
|
diff -u pam_ssh_agent_auth-0.10.3-orig/pam_ssh_agent_auth.pod pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.pod
|
|
--- pam_ssh_agent_auth-0.10.3-orig/pam_ssh_agent_auth.pod 2016-11-12 19:24:32.000000000 -0800
|
|
+++ pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.pod 2017-03-02 23:52:28.914857449 -0800
|
|
@@ -31,7 +31,7 @@
|
|
|
|
=item file=<path to authorized_keys>
|
|
|
|
-Specify the path to the authorized_keys file(s) you would like to use for authentication. Subject to tilde and % EXPANSIONS (below)
|
|
+Specify the path(s) to the authorized_keys file(s) you would like to use for authentication. Subject to tilde and % EXPANSIONS (below). Paths are separated using colons.
|
|
|
|
=item allow_user_owned_authorized_keys_file
|
|
|
|
diff -u pam_ssh_agent_auth-0.10.3-orig/pam_user_authorized_keys.c pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c
|
|
--- pam_ssh_agent_auth-0.10.3-orig/pam_user_authorized_keys.c 2016-11-12 19:24:32.000000000 -0800
|
|
+++ pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c 2017-03-03 00:07:45.201322570 -0800
|
|
@@ -79,8 +79,12 @@
|
|
|
|
#include "identity.h"
|
|
#include "pam_user_key_allowed2.h"
|
|
+#include "pam_user_authorized_keys.h"
|
|
|
|
-extern char *authorized_keys_file;
|
|
+#define MAX_AUTHORIZED_KEY_FILES 16
|
|
+
|
|
+char *authorized_keys_files[MAX_AUTHORIZED_KEY_FILES];
|
|
+unsigned int nr_authorized_keys_files = 0;
|
|
|
|
extern char *authorized_keys_command;
|
|
|
|
@@ -91,79 +95,88 @@
|
|
uid_t authorized_keys_file_allowed_owner_uid;
|
|
|
|
void
|
|
-parse_authorized_key_file(const char *user,
|
|
- const char *authorized_keys_file_input)
|
|
+parse_authorized_key_files(const char *user,
|
|
+ const char *authorized_keys_file_input)
|
|
{
|
|
- char fqdn[HOST_NAME_MAX] = "";
|
|
+ const char *pos = authorized_keys_file_input;
|
|
char hostname[HOST_NAME_MAX] = "";
|
|
- char auth_keys_file_buf[4096] = "";
|
|
- char *slash_ptr = NULL;
|
|
- char owner_uname[128] = "";
|
|
- size_t owner_uname_len = 0;
|
|
-
|
|
- /*
|
|
- * temporary copy, so that both tilde expansion and percent expansion both
|
|
- * get to apply to the path
|
|
- */
|
|
- strncat(auth_keys_file_buf, authorized_keys_file_input,
|
|
- sizeof(auth_keys_file_buf) - 1);
|
|
+ char fqdn[HOST_NAME_MAX] = "";
|
|
|
|
- if(allow_user_owned_authorized_keys_file)
|
|
- authorized_keys_file_allowed_owner_uid = getpwnam(user)->pw_uid;
|
|
+#if HAVE_GETHOSTNAME
|
|
+ *hostname = '\0';
|
|
+ gethostname(fqdn, HOST_NAME_MAX);
|
|
+ strncat(hostname, fqdn, strcspn(fqdn,"."));
|
|
+#endif
|
|
|
|
- if(*auth_keys_file_buf == '~') {
|
|
- if(*(auth_keys_file_buf + 1) == '/') {
|
|
- authorized_keys_file_allowed_owner_uid = getpwnam(user)->pw_uid;
|
|
+ while (pos) {
|
|
+ const char *colon = strchr(pos, ':');
|
|
+ char auth_keys_file_buf[4096] = "";
|
|
+ char *slash_ptr = NULL;
|
|
+ char owner_uname[128] = "";
|
|
+ size_t owner_uname_len = 0;
|
|
+
|
|
+ strncat(auth_keys_file_buf, pos, sizeof(auth_keys_file_buf) - 1);
|
|
+ if (colon) {
|
|
+ auth_keys_file_buf[colon - pos] = 0;
|
|
+ pos = colon + 1;
|
|
} else {
|
|
- slash_ptr = strchr(auth_keys_file_buf, '/');
|
|
- if(!slash_ptr)
|
|
- pamsshagentauth_fatal
|
|
- ("cannot expand tilde in path without a `/'");
|
|
-
|
|
- owner_uname_len = slash_ptr - auth_keys_file_buf - 1;
|
|
- if(owner_uname_len > (sizeof(owner_uname) - 1))
|
|
- pamsshagentauth_fatal("Username too long");
|
|
-
|
|
- strncat(owner_uname, auth_keys_file_buf + 1, owner_uname_len);
|
|
- if(!authorized_keys_file_allowed_owner_uid)
|
|
- authorized_keys_file_allowed_owner_uid =
|
|
- getpwnam(owner_uname)->pw_uid;
|
|
+ pos = 0;
|
|
+ }
|
|
+
|
|
+ if(allow_user_owned_authorized_keys_file)
|
|
+ authorized_keys_file_allowed_owner_uid = getpwnam(user)->pw_uid;
|
|
+
|
|
+ if(*auth_keys_file_buf == '~') {
|
|
+ if(*(auth_keys_file_buf+1) == '/') {
|
|
+ authorized_keys_file_allowed_owner_uid = getpwnam(user)->pw_uid;
|
|
+ }
|
|
+ else {
|
|
+ slash_ptr = strchr(auth_keys_file_buf,'/');
|
|
+ if(!slash_ptr)
|
|
+ pamsshagentauth_fatal("cannot expand tilde in path without a `/'");
|
|
+
|
|
+ owner_uname_len = slash_ptr - auth_keys_file_buf - 1;
|
|
+ if(owner_uname_len > (sizeof(owner_uname) - 1) )
|
|
+ pamsshagentauth_fatal("Username too long");
|
|
+
|
|
+ strncat(owner_uname, auth_keys_file_buf + 1, owner_uname_len);
|
|
+ if(!authorized_keys_file_allowed_owner_uid)
|
|
+ authorized_keys_file_allowed_owner_uid = getpwnam(owner_uname)->pw_uid;
|
|
+ }
|
|
+ char *tmp = pamsshagentauth_tilde_expand_filename(auth_keys_file_buf, authorized_keys_file_allowed_owner_uid);
|
|
+ strncpy(auth_keys_file_buf, tmp, sizeof(auth_keys_file_buf) - 1 );
|
|
+ pamsshagentauth_xfree(tmp);
|
|
}
|
|
- authorized_keys_file =
|
|
- pamsshagentauth_tilde_expand_filename(auth_keys_file_buf,
|
|
- authorized_keys_file_allowed_owner_uid);
|
|
- strncpy(auth_keys_file_buf, authorized_keys_file,
|
|
- sizeof(auth_keys_file_buf) - 1);
|
|
- pamsshagentauth_xfree(authorized_keys_file) /* when we
|
|
- percent_expand
|
|
- later, we'd step
|
|
- on this, so free
|
|
- it immediately */ ;
|
|
- }
|
|
|
|
- if(strstr(auth_keys_file_buf, "%h")) {
|
|
- authorized_keys_file_allowed_owner_uid = getpwnam(user)->pw_uid;
|
|
+ if(strstr(auth_keys_file_buf, "%h")) {
|
|
+ authorized_keys_file_allowed_owner_uid = getpwnam(user)->pw_uid;
|
|
+ }
|
|
+
|
|
+ if (nr_authorized_keys_files >= MAX_AUTHORIZED_KEY_FILES)
|
|
+ pamsshagentauth_fatal("Too many authorized key files");
|
|
+ authorized_keys_files[nr_authorized_keys_files++] =
|
|
+ pamsshagentauth_percent_expand(auth_keys_file_buf, "h", getpwnam(user)->pw_dir, "H", hostname, "f", fqdn, "u", user, NULL);
|
|
}
|
|
-#if HAVE_GETHOSTNAME
|
|
- *hostname = '\0';
|
|
- gethostname(fqdn, HOST_NAME_MAX);
|
|
- strncat(hostname, fqdn, strcspn(fqdn, "."));
|
|
-#endif
|
|
- authorized_keys_file =
|
|
- pamsshagentauth_percent_expand(auth_keys_file_buf, "h",
|
|
- getpwnam(user)->pw_dir, "H", hostname,
|
|
- "f", fqdn, "u", user, NULL);
|
|
}
|
|
|
|
-int
|
|
+void
|
|
+free_authorized_key_files()
|
|
+{
|
|
+ unsigned int n;
|
|
+ for (n = 0; n < nr_authorized_keys_files; n++)
|
|
+ free(authorized_keys_files[n]);
|
|
+ nr_authorized_keys_files = 0;
|
|
+}
|
|
+
|
|
+const char *
|
|
pam_user_key_allowed(const char *ruser, Key * key)
|
|
{
|
|
- return
|
|
- pamsshagentauth_user_key_allowed2(getpwuid(authorized_keys_file_allowed_owner_uid),
|
|
- key, authorized_keys_file)
|
|
- || pamsshagentauth_user_key_allowed2(getpwuid(0), key,
|
|
- authorized_keys_file)
|
|
- || pamsshagentauth_user_key_command_allowed2(authorized_keys_command,
|
|
- authorized_keys_command_user,
|
|
- getpwnam(ruser), key);
|
|
+ unsigned int n;
|
|
+ for (n = 0; n < nr_authorized_keys_files; n++) {
|
|
+ if (pamsshagentauth_user_key_allowed2(getpwuid(authorized_keys_file_allowed_owner_uid), key, authorized_keys_files[n])
|
|
+ || pamsshagentauth_user_key_allowed2(getpwuid(0), key, authorized_keys_files[n])
|
|
+ || pamsshagentauth_user_key_command_allowed2(authorized_keys_command, authorized_keys_command_user, getpwnam(ruser), key))
|
|
+ return authorized_keys_files[n];
|
|
+ }
|
|
+ return 0;
|
|
}
|
|
diff -u pam_ssh_agent_auth-0.10.3-orig/pam_user_authorized_keys.h pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.h
|
|
--- pam_ssh_agent_auth-0.10.3-orig/pam_user_authorized_keys.h 2016-11-12 19:24:32.000000000 -0800
|
|
+++ pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.h 2017-03-03 00:09:17.256064914 -0800
|
|
@@ -28,11 +28,12 @@
|
|
*/
|
|
|
|
|
|
-#ifndef _PAM_USER_KEY_ALLOWED_H
|
|
-#define _PAM_USER_KEY_ALLOWED_H
|
|
+#ifndef _PAM_USER_AUTHORIZED_KEYS_H
|
|
+#define _PAM_USER_AUTHORIZED_KEYS_H
|
|
|
|
#include "identity.h"
|
|
-int pam_user_key_allowed(const char *, Key *);
|
|
-void parse_authorized_key_file(const char *, const char *);
|
|
+const char * pam_user_key_allowed(const char *, Key *);
|
|
+void parse_authorized_key_files(const char *, const char *);
|
|
+void free_authorized_key_files();
|
|
|
|
#endif
|
|
diff -u pam_ssh_agent_auth-0.10.3-orig/userauth_pubkey_from_id.c pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c
|
|
--- pam_ssh_agent_auth-0.10.3-orig/userauth_pubkey_from_id.c 2016-11-12 19:24:32.000000000 -0800
|
|
+++ pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c 2017-03-03 00:10:33.163545380 -0800
|
|
@@ -52,7 +52,7 @@
|
|
extern uint8_t session_id_len;
|
|
*/
|
|
|
|
-int
|
|
+const char *
|
|
userauth_pubkey_from_id(const char *ruser, Identity * id, Buffer * session_id2)
|
|
{
|
|
Buffer b = { 0 };
|
|
@@ -60,11 +60,12 @@
|
|
u_char *pkblob = NULL, *sig = NULL;
|
|
u_int blen = 0, slen = 0;
|
|
int authenticated = 0;
|
|
+ const char *key_file;
|
|
|
|
pkalg = (char *) key_ssh_name(id->key);
|
|
|
|
/* first test if this key is even allowed */
|
|
- if(! pam_user_key_allowed(ruser, id->key))
|
|
+ if(!(key_file = pam_user_key_allowed(ruser, id->key)))
|
|
goto user_auth_clean_exit;
|
|
|
|
if(pamsshagentauth_key_to_blob(id->key, &pkblob, &blen) == 0)
|
|
@@ -97,5 +98,5 @@
|
|
if(pkblob != NULL)
|
|
pamsshagentauth_xfree(pkblob);
|
|
CRYPTO_cleanup_all_ex_data();
|
|
- return authenticated;
|
|
+ return authenticated ? key_file : 0;
|
|
}
|
|
diff -u pam_ssh_agent_auth-0.10.3-orig/userauth_pubkey_from_id.h pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.h
|
|
--- pam_ssh_agent_auth-0.10.3-orig/userauth_pubkey_from_id.h 2016-11-12 19:24:32.000000000 -0800
|
|
+++ pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.h 2017-03-03 00:10:59.067046872 -0800
|
|
@@ -32,6 +32,6 @@
|
|
#define _USERAUTH_PUBKEY_FROM_ID_H
|
|
|
|
#include <identity.h>
|
|
-int userauth_pubkey_from_id(const char *, Identity *, Buffer *);
|
|
+const char * userauth_pubkey_from_id(const char *, Identity *, Buffer *);
|
|
|
|
#endif
|