|
 |
73d45fa |
diff -up openssh-6.8p1/pam_ssh_agent_auth-0.9.3/iterate_ssh_agent_keys.c.psaa-agent openssh-6.8p1/pam_ssh_agent_auth-0.9.3/iterate_ssh_agent_keys.c
|
|
|
73d45fa |
--- openssh-6.8p1/pam_ssh_agent_auth-0.9.3/iterate_ssh_agent_keys.c.psaa-agent 2015-06-02 16:43:09.231902255 +0200
|
|
|
73d45fa |
+++ openssh-6.8p1/pam_ssh_agent_auth-0.9.3/iterate_ssh_agent_keys.c 2015-06-02 16:43:09.235902253 +0200
|
|
|
637556d |
@@ -37,6 +37,7 @@
|
|
|
637556d |
#include "buffer.h"
|
|
|
637556d |
#include "key.h"
|
|
|
637556d |
#include "authfd.h"
|
|
|
637556d |
+#include "ssherr.h"
|
|
|
637556d |
#include "ssh.h"
|
|
|
637556d |
#include <stdio.h>
|
|
|
637556d |
#include <sys/types.h>
|
|
|
405790e |
@@ -177,34 +178,41 @@ int
|
|
|
637556d |
find_authorized_keys(uid_t uid)
|
|
|
637556d |
{
|
|
|
637556d |
Identity *id;
|
|
|
637556d |
- Key *key;
|
|
|
637556d |
AuthenticationConnection *ac;
|
|
|
637556d |
- char *comment;
|
|
|
637556d |
uint8_t retval = 0;
|
|
|
73d45fa |
+ struct ssh_identitylist *idlist;
|
|
|
73d45fa |
+ int r, i;
|
|
|
637556d |
|
|
|
637556d |
OpenSSL_add_all_digests();
|
|
|
637556d |
session_id2 = session_id2_gen();
|
|
|
637556d |
|
|
|
637556d |
if ((ac = ssh_get_authentication_connection_for_uid(uid))) {
|
|
|
637556d |
verbose("Contacted ssh-agent of user %s (%u)", getpwuid(uid)->pw_name, uid);
|
|
|
637556d |
- for (key = ssh_get_first_identity(ac, &comment, 2); key != NULL; key = ssh_get_next_identity(ac, &comment, 2))
|
|
|
637556d |
+ if ((r = ssh_fetch_identitylist(ac->fd, 2,
|
|
|
637556d |
+ &idlist)) != 0) {
|
|
|
637556d |
+ if (r != SSH_ERR_AGENT_NO_IDENTITIES)
|
|
|
637556d |
+ fprintf(stderr, "error fetching identities for "
|
|
|
637556d |
+ "protocol %d: %s\n", 2, ssh_err(r));
|
|
|
405790e |
+ } else {
|
|
|
637556d |
+ for (i = 0; i < idlist->nkeys; i++)
|
|
|
637556d |
{
|
|
|
637556d |
- if(key != NULL) {
|
|
|
637556d |
+ if(idlist->keys[i] != NULL) {
|
|
|
637556d |
id = xcalloc(1, sizeof(*id));
|
|
|
637556d |
- id->key = key;
|
|
|
637556d |
- id->filename = comment;
|
|
|
637556d |
+ id->key = idlist->keys[i];
|
|
|
637556d |
+ id->filename = idlist->comments[i];
|
|
|
637556d |
id->ac = ac;
|
|
|
637556d |
if(userauth_pubkey_from_id(id)) {
|
|
|
637556d |
retval = 1;
|
|
|
73d45fa |
}
|
|
|
73d45fa |
- free(id->filename);
|
|
|
73d45fa |
- key_free(id->key);
|
|
|
73d45fa |
free(id);
|
|
|
73d45fa |
if(retval == 1)
|
|
|
637556d |
break;
|
|
|
637556d |
}
|
|
|
637556d |
}
|
|
|
637556d |
- ssh_close_authentication_connection(ac);
|
|
|
73d45fa |
+ ssh_free_identitylist(idlist);
|
|
|
73d45fa |
+ ssh_close_authentication_socket(ac->fd);
|
|
|
73d45fa |
+ free(ac);
|
|
|
405790e |
+ }
|
|
|
637556d |
}
|
|
|
637556d |
else {
|
|
|
637556d |
verbose("No ssh-agent could be contacted");
|
|
|
73d45fa |
diff -up openssh-6.8p1/pam_ssh_agent_auth-0.9.3/identity.h.psaa-agent openssh-6.8p1/pam_ssh_agent_auth-0.9.3/identity.h
|
|
|
73d45fa |
--- openssh-6.8p1/pam_ssh_agent_auth-0.9.3/identity.h.psaa-agent 2009-08-09 02:54:21.000000000 +0200
|
|
|
73d45fa |
+++ openssh-6.8p1/pam_ssh_agent_auth-0.9.3/identity.h 2015-06-02 16:43:09.235902253 +0200
|
|
|
637556d |
@@ -14,6 +14,12 @@
|
|
|
637556d |
typedef struct identity Identity;
|
|
|
637556d |
typedef struct idlist Idlist;
|
|
|
637556d |
|
|
|
637556d |
+typedef struct {
|
|
|
637556d |
+ int fd;
|
|
|
637556d |
+ Buffer identities;
|
|
|
637556d |
+ int howmany;
|
|
|
637556d |
+} AuthenticationConnection;
|
|
|
637556d |
+
|
|
|
637556d |
struct identity {
|
|
|
637556d |
TAILQ_ENTRY(identity) next;
|
|
|
637556d |
AuthenticationConnection *ac; /* set if agent supports key */
|
|
|
73d45fa |
diff -up openssh-6.8p1/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c.psaa-agent openssh-6.8p1/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c
|
|
|
73d45fa |
--- openssh-6.8p1/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c.psaa-agent 2015-06-02 16:43:09.232902254 +0200
|
|
|
73d45fa |
+++ openssh-6.8p1/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c 2015-06-02 16:45:07.699822094 +0200
|
|
|
73d45fa |
@@ -54,10 +54,11 @@ extern uint8_t session_id_len;
|
|
|
73d45fa |
int
|
|
|
73d45fa |
userauth_pubkey_from_id(Identity * id)
|
|
|
73d45fa |
{
|
|
|
73d45fa |
- Buffer b = { 0 };
|
|
|
73d45fa |
+ Buffer b;
|
|
|
73d45fa |
char *pkalg = NULL;
|
|
|
73d45fa |
u_char *pkblob = NULL, *sig = NULL;
|
|
|
73d45fa |
- u_int blen = 0, slen = 0;
|
|
|
73d45fa |
+ u_int blen = 0;
|
|
|
73d45fa |
+ size_t slen = 0;
|
|
|
73d45fa |
int authenticated = 0;
|
|
|
73d45fa |
|
|
|
73d45fa |
pkalg = (char *) key_ssh_name(id->key);
|
|
|
73d45fa |
@@ -65,10 +65,10 @@ userauth_pubkey_from_id(Identity * id)
|
|
|
73d45fa |
|
|
|
73d45fa |
/* first test if this key is even allowed */
|
|
|
73d45fa |
if(! pam_user_key_allowed(id->key))
|
|
|
73d45fa |
- goto user_auth_clean_exit;
|
|
|
73d45fa |
+ goto user_auth_clean_exit_without_buffer;
|
|
|
73d45fa |
|
|
|
73d45fa |
if(key_to_blob(id->key, &pkblob, &blen) == 0)
|
|
|
73d45fa |
- goto user_auth_clean_exit;
|
|
|
73d45fa |
+ goto user_auth_clean_exit_without_buffer;
|
|
|
73d45fa |
|
|
|
73d45fa |
/* construct packet to sign and test */
|
|
|
73d45fa |
buffer_init(&b);
|
|
|
73d45fa |
@@ -70,7 +70,7 @@ userauth_pubkey_from_id(Identity * id)
|
|
|
637556d |
buffer_put_cstring(&b, pkalg);
|
|
|
637556d |
buffer_put_string(&b, pkblob, blen);
|
|
|
637556d |
|
|
|
637556d |
- if(ssh_agent_sign(id->ac, id->key, &sig, &slen, buffer_ptr(&b), buffer_len(&b)) != 0)
|
|
|
459bd27 |
+ if(ssh_agent_sign(id->ac->fd, id->key, &sig, &slen, buffer_ptr(&b), buffer_len(&b), 0) != 0)
|
|
|
637556d |
goto user_auth_clean_exit;
|
|
|
637556d |
|
|
|
637556d |
/* test for correct signature */
|
|
|
73d45fa |
@@ -92,6 +92,7 @@ userauth_pubkey_from_id(Identity * id)
|
|
|
73d45fa |
user_auth_clean_exit:
|
|
|
73d45fa |
if(&b != NULL)
|
|
|
73d45fa |
buffer_free(&b);
|
|
|
73d45fa |
+ user_auth_clean_exit_without_buffer:
|
|
|
73d45fa |
if(sig != NULL)
|
|
|
73d45fa |
free(sig);
|
|
|
73d45fa |
if(pkblob != NULL)
|