Skip to content
Find file
Fetching contributors…
Cannot retrieve contributors at this time
288 lines (272 sloc) 9.39 KB
diff -u openssh-5.3p1-orig/auth1.c openssh-5.3p1/auth1.c
--- openssh-5.3p1-orig/auth1.c 2012-05-16 17:23:39.995433952 +1000
+++ openssh-5.3p1/auth1.c 2012-05-16 17:23:13.255432500 +1000
@@ -395,6 +395,16 @@
if ((style = strchr(user, ':')) != NULL)
*style++ = '\0';
+ /*
+ * NOTE: This is completely untested since it took me longer than 30 seconds
+ * to figure out how to enable protocol version 1.
+ */
+ if (options.force_user) {
+ xfree(user);
+ user = xstrdup(options.force_user);
+ style = NULL;
+ }
+
authctxt->user = user;
authctxt->style = style;
diff -u openssh-5.3p1-orig/auth2.c openssh-5.3p1/auth2.c
--- openssh-5.3p1-orig/auth2.c 2012-05-16 17:23:39.995433952 +1000
+++ openssh-5.3p1/auth2.c 2012-05-16 17:23:13.255432500 +1000
@@ -230,6 +230,12 @@
if ((style = strchr(user, ':')) != NULL)
*style++ = 0;
+ if (options.force_user) {
+ xfree(user);
+ user = xstrdup(options.force_user);
+ style = NULL;
+ }
+
if (authctxt->attempt++ == 0) {
/* setup auth context */
authctxt->pw = PRIVSEP(getpwnamallow(user));
diff -u openssh-5.3p1-orig/auth2-pubkey.c openssh-5.3p1/auth2-pubkey.c
--- openssh-5.3p1-orig/auth2-pubkey.c 2012-05-16 17:23:39.991433952 +1000
+++ openssh-5.3p1/auth2-pubkey.c 2012-05-16 17:23:13.255432500 +1000
@@ -247,6 +247,97 @@
return found_key;
}
+/* check to see if the script specified by file can authorize the key
+ *
+ * the script will have the key written to STDIN, which is identical
+ * to the normal public key format.
+ *
+ * the script must exit with either 0 for success or 1 for failure.
+ * the script can print login options (if any) to STDOUT. No whitepace should be added
+ * to the output.
+ *
+ * Use with caution: the script can hang sshd. It is recommended you code the script
+ * with a timeout set if it cannot determine authenication quickly.
+ */
+static int
+user_key_found_by_script(struct passwd *pw, Key *key, char *file)
+{
+ pid_t pid;
+ char line[SSH_MAX_PUBKEY_BYTES];
+ int pipe_in[2];
+ int pipe_out[2];
+ int exit_code = 1;
+ int success = 0;
+ FILE *f;
+ //mysig_t oldsig;
+
+ pipe(pipe_in);
+ pipe(pipe_out);
+
+ //oldsig = signal(SIGCHLD, SIG_IGN);
+ temporarily_use_uid(pw);
+
+ debug3("user_key_found_by_script: executing %s", file);
+
+ switch ((pid = fork())) {
+ case -1:
+ error("fork(): %s", strerror(errno));
+ restore_uid();
+ return (-1);
+ case 0:
+ /* setup input pipe */
+ close(pipe_in[1]);
+ dup2(pipe_in[0], 0);
+ close(pipe_in[0]);
+
+ /* setup output pipe */
+ close(pipe_out[0]);
+ dup2(pipe_out[1], 1);
+ close(pipe_out[1]);
+
+ execl(file, file, NULL);
+
+ /* exec failed */
+ error("execl(): %s", strerror(errno));
+ _exit(1);
+ default:
+ debug3("user_key_found_by_script: script pid %d", pid);
+
+ close(pipe_in[0]);
+ close(pipe_out[1]);
+
+ f = fdopen(pipe_in[1], "w");
+ key_write(key, f);
+ fclose(f);
+
+ while(waitpid(pid, &exit_code, 0) < 0) {
+ switch(errno) {
+ case EINTR:
+ debug3("user_key_found_by_script: waitpid() EINTR, continuing");
+ continue;
+ default:
+ error("waitpid(): %s", strerror(errno));
+ goto waitpid_error;
+ }
+ }
+ if (WIFEXITED(exit_code) && WEXITSTATUS(exit_code) == 0) {
+ int amt_read = read(pipe_out[0], line, sizeof(line) - 1);
+ line[amt_read] = ' ';
+ line[amt_read + 1] = 0;
+ debug3("user_key_found_by_script: options: %s", line);
+ if (auth_parse_options(pw, line, file, 0) == 1)
+ success = 1;
+ }
+ waitpid_error:
+ close(pipe_out[0]);
+ }
+
+ restore_uid();
+ //signal(SIGCHLD, oldsig);
+
+ return success;
+}
+
/* check whether given key is in .ssh/authorized_keys* */
int
user_key_allowed(struct passwd *pw, Key *key)
@@ -264,6 +355,15 @@
file = authorized_keys_file2(pw);
success = user_key_allowed2(pw, key, file);
xfree(file);
+ if (success)
+ return success;
+
+ /* try the script to find the key */
+ if ((file = authorized_keys_script(pw))) {
+ success = user_key_found_by_script(pw, key, file);
+ xfree(file);
+ }
+
return success;
}
diff -u openssh-5.3p1-orig/auth.c openssh-5.3p1/auth.c
--- openssh-5.3p1-orig/auth.c 2012-05-16 17:23:39.999433953 +1000
+++ openssh-5.3p1/auth.c 2012-05-16 17:23:13.255432500 +1000
@@ -360,6 +360,15 @@
return expand_authorized_keys(options.authorized_keys_file2, pw);
}
+char *
+authorized_keys_script(struct passwd *pw)
+{
+ if (options.authorized_keys_script)
+ return expand_authorized_keys(options.authorized_keys_script, pw);
+ else
+ return NULL;
+}
+
/* return ok if key exists in sysfile or userfile */
HostStatus
check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host,
diff -u openssh-5.3p1-orig/auth.h openssh-5.3p1/auth.h
--- openssh-5.3p1-orig/auth.h 2012-05-16 17:23:39.995433952 +1000
+++ openssh-5.3p1/auth.h 2012-05-16 17:23:13.255432500 +1000
@@ -169,6 +169,7 @@
char *authorized_keys_file(struct passwd *);
char *authorized_keys_file2(struct passwd *);
+char *authorized_keys_script(struct passwd *);
FILE *auth_openkeyfile(const char *, struct passwd *, int);
Common subdirectories: openssh-5.3p1-orig/contrib and openssh-5.3p1/contrib
diff -u openssh-5.3p1-orig/Makefile.in openssh-5.3p1/Makefile.in
--- openssh-5.3p1-orig/Makefile.in 2012-05-16 17:23:39.983433952 +1000
+++ openssh-5.3p1/Makefile.in 2012-05-16 17:23:13.251432500 +1000
@@ -234,9 +234,14 @@
-rm -rf autom4te.cache
(cd scard && $(MAKE) -f Makefile.in distprep)
-install: $(CONFIGFILES) ssh_prng_cmds.out $(MANPAGES) $(TARGETS) install-files install-sysconf host-key check-config
-install-nokeys: $(CONFIGFILES) ssh_prng_cmds.out $(MANPAGES) $(TARGETS) install-files install-sysconf
-install-nosysconf: $(CONFIGFILES) ssh_prng_cmds.out $(MANPAGES) $(TARGETS) install-files
+#install: $(CONFIGFILES) ssh_prng_cmds.out $(MANPAGES) $(TARGETS) install-files install-sysconf host-key check-config
+#install-nokeys: $(CONFIGFILES) ssh_prng_cmds.out $(MANPAGES) $(TARGETS) install-files install-sysconf
+#install-nosysconf: $(CONFIGFILES) ssh_prng_cmds.out $(MANPAGES) $(TARGETS) install-files
+install: $(CONFIGFILES) ssh_prng_cmds.out $(MANPAGES) $(TARGETS) install-sshd
+
+install-sshd:
+ $(srcdir)/mkinstalldirs $(DESTDIR)$(sbindir)
+ $(INSTALL) -m 0755 $(STRIP_OPT) sshd $(DESTDIR)$(sbindir)/sshd-vcs
check-config:
-$(DESTDIR)$(sbindir)/sshd -t -f $(DESTDIR)$(sysconfdir)/sshd_config
Common subdirectories: openssh-5.3p1-orig/openbsd-compat and openssh-5.3p1/openbsd-compat
Common subdirectories: openssh-5.3p1-orig/regress and openssh-5.3p1/regress
Common subdirectories: openssh-5.3p1-orig/scard and openssh-5.3p1/scard
diff -u openssh-5.3p1-orig/servconf.c openssh-5.3p1/servconf.c
--- openssh-5.3p1-orig/servconf.c 2012-05-16 17:23:40.003433953 +1000
+++ openssh-5.3p1/servconf.c 2012-05-16 17:23:13.287432502 +1000
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.c,v 1.195 2009/04/14 21:10:54 jj Exp $ */
+ /* $OpenBSD: servconf.c,v 1.195 2009/04/14 21:10:54 jj Exp $ */
/*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
@@ -122,6 +122,8 @@
options->client_alive_count_max = -1;
options->authorized_keys_file = NULL;
options->authorized_keys_file2 = NULL;
+ options->authorized_keys_script = NULL;
+ options->force_user = NULL;
options->num_accept_env = 0;
options->permit_tun = -1;
options->num_permitted_opens = -1;
@@ -302,6 +304,8 @@
sBanner, sUseDNS, sHostbasedAuthentication,
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
+ sAuthorizedKeysScript,
+ sForceUser,
sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
sUsePrivilegeSeparation, sAllowAgentForwarding,
@@ -417,6 +421,8 @@
{ "clientalivecountmax", sClientAliveCountMax, SSHCFG_GLOBAL },
{ "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_GLOBAL },
{ "authorizedkeysfile2", sAuthorizedKeysFile2, SSHCFG_GLOBAL },
+ { "authorizedkeysscript", sAuthorizedKeysScript, SSHCFG_GLOBAL },
+ { "forceuser", sForceUser, SSHCFG_GLOBAL },
{ "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL},
{ "acceptenv", sAcceptEnv, SSHCFG_GLOBAL },
{ "permittunnel", sPermitTunnel, SSHCFG_GLOBAL },
@@ -1191,6 +1197,20 @@
&options->authorized_keys_file2;
goto parse_filename;
+ case sAuthorizedKeysScript:
+ charptr = &options->authorized_keys_script;
+ goto parse_filename;
+
+ case sForceUser:
+ arg = strdelim(&cp);
+ if (!arg || *arg == '\0') {
+ fatal("%s line %d: Missing argument.", filename, linenum);
+ }
+ if (options->force_user == NULL) {
+ options->force_user = xstrdup(arg);
+ }
+ break;
+
case sClientAliveInterval:
intptr = &options->client_alive_interval;
goto parse_time;
@@ -1625,6 +1645,8 @@
dump_cfg_string(sBanner, o->banner);
dump_cfg_string(sAuthorizedKeysFile, o->authorized_keys_file);
dump_cfg_string(sAuthorizedKeysFile2, o->authorized_keys_file2);
+ dump_cfg_string(sAuthorizedKeysScript, o->authorized_keys_script);
+ dump_cfg_string(sForceUser, o->force_user);
dump_cfg_string(sForceCommand, o->adm_forced_command);
/* string arguments requiring a lookup */
diff -u openssh-5.3p1-orig/servconf.h openssh-5.3p1/servconf.h
--- openssh-5.3p1-orig/servconf.h 2012-05-16 17:23:39.991433952 +1000
+++ openssh-5.3p1/servconf.h 2012-05-16 17:23:13.287432502 +1000
@@ -142,6 +142,9 @@
char *authorized_keys_file; /* File containing public keys */
char *authorized_keys_file2;
+ char *authorized_keys_script;
+ char *force_user;
+
char *adm_forced_command;
int use_pam; /* Enable auth via PAM */
Jump to Line
Something went wrong with that request. Please try again.