rpms / openssh

Clone
Source Code
GIT

Files

86_addmissingnb f10 f11 f12 f13 f14 f15 f16 f17 f18 f19 f20 f21 f22 f23 f24 f25 f26 f27 f28 f29 f30 f31 f32 f33 f34 f35 f36 f37 f38 f39 f40 f7 f8 f9 fix_f38_terrapin fix_f39_terrapin gsskexfix main master-future openssh85286 openssh96_rebase_combined openssh_96rebase openssh_rebase_90to93 openssh_rebase_90to93_cont openssh_rebase_90to93_fin private-controlpersist-4_3p2-9-branch private-master-vanilla private-openssh-4_5p1-6-controlpersist-branch rawhide sshkeysign_fix
  1.   f16
  2.   openssh-5.8p1-keycat.patch
Blob Blame History Raw 
diff -up openssh-5.8p1/auth2-pubkey.c.keycat openssh-5.8p1/auth2-pubkey.c
--- openssh-5.8p1/auth2-pubkey.c.keycat	2011-03-09 09:03:37.000000000 +0100
+++ openssh-5.8p1/auth2-pubkey.c	2011-03-09 09:03:40.000000000 +0100
@@ -579,6 +579,14 @@ user_key_via_command_allowed2(struct pas
 			close(i);
 		}
 
+#ifdef WITH_SELINUX
+		if (ssh_selinux_setup_env_variables() < 0) {
+			error ("failed to copy environment:  %s",
+			    strerror(errno));
+			_exit(127);
+		}
+#endif
+
 		execl(options.authorized_keys_command, options.authorized_keys_command, pw->pw_name, NULL);
 
 		/* if we got here, it didn't work */
diff -up openssh-5.8p1/HOWTO.ssh-keycat.keycat openssh-5.8p1/HOWTO.ssh-keycat
--- openssh-5.8p1/HOWTO.ssh-keycat.keycat	2011-03-09 09:03:40.000000000 +0100
+++ openssh-5.8p1/HOWTO.ssh-keycat	2011-03-08 12:19:07.000000000 +0100
@@ -0,0 +1,12 @@
+The ssh-keycat retrieves the content of the ~/.ssh/authorized_keys
+of an user in any environment. This includes environments with
+polyinstantiation of home directories and SELinux MLS policy enabled.
+
+To use ssh-keycat, set these options in /etc/ssh/sshd_config file:
+        AuthorizedKeysCommand /usr/libexec/openssh/ssh-keycat
+        AuthorizedKeysCommandRunAs root
+
+Do not forget to enable public key authentication:
+        PubkeyAuthentication yes
+
+
diff -up openssh-5.8p1/Makefile.in.keycat openssh-5.8p1/Makefile.in
--- openssh-5.8p1/Makefile.in.keycat	2011-03-09 09:03:39.000000000 +0100
+++ openssh-5.8p1/Makefile.in	2011-03-09 09:03:40.000000000 +0100
@@ -28,6 +28,7 @@ SSH_KEYSIGN=$(libexecdir)/ssh-keysign
 SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
 SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
 SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper
+SSH_KEYCAT=$(libexecdir)/ssh-keycat
 RAND_HELPER=$(libexecdir)/ssh-rand-helper
 PRIVSEP_PATH=@PRIVSEP_PATH@
 SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
@@ -67,7 +68,7 @@ INSTALL_SSH_PRNG_CMDS=@INSTALL_SSH_PRNG_
 INSTALL_SSH_RAND_HELPER=@INSTALL_SSH_RAND_HELPER@
 INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@
 
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) ssh-rand-helper${EXEEXT} sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT)
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) ssh-rand-helper${EXEEXT} sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT)
 
 LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \
 	canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \
@@ -172,6 +173,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT)
 ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o
 	$(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
 
+ssh-keycat$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keycat.o
+	$(LD) -o $@ ssh-keycat.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(SSHDLIBS)
+
 ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
 	$(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
 
@@ -280,6 +284,7 @@ install-files:
 		$(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \
 		$(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
 	fi
+	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keycat$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-keycat$(EXEEXT)
 	$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
 	$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
 	$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
diff -up openssh-5.8p1/openbsd-compat/port-linux.c.keycat openssh-5.8p1/openbsd-compat/port-linux.c
--- openssh-5.8p1/openbsd-compat/port-linux.c.keycat	2011-03-09 09:03:38.000000000 +0100
+++ openssh-5.8p1/openbsd-compat/port-linux.c	2011-03-09 09:03:40.000000000 +0100
@@ -309,7 +309,7 @@ ssh_selinux_getctxbyname(char *pwname,
 
 /* Setup environment variables for pam_selinux */
 static int
-ssh_selinux_setup_pam_variables(void)
+ssh_selinux_setup_variables(int(*set_it)(const char *, const char *))
 {
 	const char *reqlvl;
 	char *role;
@@ -320,16 +320,16 @@ ssh_selinux_setup_pam_variables(void)
 
 	ssh_selinux_get_role_level(&role, &reqlvl);
 
-	rv = do_pam_putenv("SELINUX_ROLE_REQUESTED", role ? role : "");
+	rv = set_it("SELINUX_ROLE_REQUESTED", role ? role : "");
 	
 	if (inetd_flag && !rexeced_flag) {
 		use_current = "1";
 	} else {
 		use_current = "";
-		rv = rv || do_pam_putenv("SELINUX_LEVEL_REQUESTED", reqlvl ? reqlvl: "");
+		rv = rv || set_it("SELINUX_LEVEL_REQUESTED", reqlvl ? reqlvl: "");
 	}
 
-	rv = rv || do_pam_putenv("SELINUX_USE_CURRENT_RANGE", use_current);
+	rv = rv || set_it("SELINUX_USE_CURRENT_RANGE", use_current);
 
 	if (role != NULL)
 		xfree(role);
@@ -337,6 +337,24 @@ ssh_selinux_setup_pam_variables(void)
 	return rv;
 }
 
+static int
+ssh_selinux_setup_pam_variables(void)
+{
+	return ssh_selinux_setup_variables(do_pam_putenv);
+}
+
+static int
+do_setenv(char *name, char *value)
+{
+	return setenv(name, value, 1);
+}
+
+int
+ssh_selinux_setup_env_variables(void)
+{
+	return ssh_selinux_setup_variables(do_setenv);
+}
+
 /* Set the execution context to the default for the specified user */
 void
 ssh_selinux_setup_exec_context(char *pwname)
diff -up openssh-5.8p1/ssh-keycat.c.keycat openssh-5.8p1/ssh-keycat.c
--- openssh-5.8p1/ssh-keycat.c.keycat	2011-03-09 09:03:40.000000000 +0100
+++ openssh-5.8p1/ssh-keycat.c	2011-03-09 09:03:40.000000000 +0100
@@ -0,0 +1,238 @@
+/*
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, and the entire permission notice in its entirety,
+ *    including the disclaimer of warranties.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior
+ *    written permission.
+ *
+ * ALTERNATIVELY, this product may be distributed under the terms of
+ * the GNU Public License, in which case the provisions of the GPL are
+ * required INSTEAD OF the above restrictions.  (This clause is
+ * necessary due to a potential bad interaction between the GPL and
+ * the restrictions contained in a BSD-style copyright.)
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * Copyright (c) 2011 Red Hat, Inc.
+ * Written by Tomas Mraz <tmraz@redhat.com>
+*/
+
+#define _GNU_SOURCE
+
+#include "config.h"
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <pwd.h>
+#include <fcntl.h>
+#include <unistd.h>
+
+#include <security/pam_appl.h>
+
+#include "uidswap.h"
+#include "misc.h"
+
+#define ERR_USAGE 1
+#define ERR_PAM_START 2
+#define ERR_OPEN_SESSION 3
+#define ERR_CLOSE_SESSION 4
+#define ERR_PAM_END 5
+#define ERR_GETPWNAM 6
+#define ERR_MEMORY 7
+#define ERR_OPEN 8
+#define ERR_FILE_MODE 9
+#define ERR_FDOPEN 10
+#define ERR_STAT 11
+#define ERR_WRITE 12
+#define ERR_PAM_PUTENV 13
+#define BUFLEN 4096
+
+/* Just ignore the messages in the conversation function */
+static int
+dummy_conv(int num_msg, const struct pam_message **msgm,
+	   struct pam_response **response, void *appdata_ptr)
+{
+	struct pam_response *rsp;
+
+	(void)msgm;
+	(void)appdata_ptr;
+
+	if (num_msg <= 0)
+		return PAM_CONV_ERR;
+
+	/* Just allocate the array as empty responses */
+	rsp = calloc (num_msg, sizeof (struct pam_response));
+	if (rsp == NULL)
+		return PAM_CONV_ERR;
+
+	*response = rsp;
+	return PAM_SUCCESS;
+}
+
+static struct pam_conv conv = {
+	dummy_conv,
+	NULL
+};
+
+char *
+make_auth_keys_name(const struct passwd *pwd)
+{
+	char *fname;
+
+	if (asprintf(&fname, "%s/.ssh/authorized_keys", pwd->pw_dir) < 0)
+		return NULL;
+
+	return fname;
+}
+
+int
+dump_keys(const char *user)
+{
+	struct passwd *pwd;
+	int fd = -1;
+	FILE *f = NULL;
+	char *fname = NULL;
+	int rv = 0;
+	char buf[BUFLEN];
+	size_t len;
+	struct stat st;
+
+	if ((pwd = getpwnam(user)) == NULL) {
+		return ERR_GETPWNAM;
+	}
+
+	if ((fname = make_auth_keys_name(pwd)) == NULL) {
+		return ERR_MEMORY;
+	}
+
+	temporarily_use_uid(pwd);
+
+	if ((fd = open(fname, O_RDONLY|O_NONBLOCK|O_NOFOLLOW, 0)) < 0) {
+		rv = ERR_OPEN;
+		goto fail;
+	}
+
+	if (fstat(fd, &st) < 0) {
+		rv = ERR_STAT;
+		goto fail;
+	}
+
+	if (!S_ISREG(st.st_mode) || 
+		(st.st_uid != pwd->pw_uid && st.st_uid != 0)) {
+		rv = ERR_FILE_MODE;
+		goto fail;
+	}
+
+	unset_nonblock(fd);
+
+	if ((f = fdopen(fd, "r")) == NULL) {
+		rv = ERR_FDOPEN;
+		goto fail;
+	}
+
+	fd = -1;
+
+	while ((len = fread(buf, 1, sizeof(buf), f)) > 0) {
+		rv = fwrite(buf, 1, len, stdout) != len ? ERR_WRITE : 0;
+	}
+
+fail:
+	if (fd != -1)
+		close(fd);
+	if (f != NULL)
+		fclose(f);
+	free(fname);
+	restore_uid();
+	return rv;
+}
+
+static const char *env_names[] = { "SELINUX_ROLE_REQUESTED",
+	"SELINUX_LEVEL_REQUESTED",
+	"SELINUX_USE_CURRENT_RANGE"
+};
+
+extern char **environ;
+
+int
+set_pam_environment(pam_handle_t *pamh)
+{
+	int i;
+	size_t j;
+
+	for (j = 0; j < sizeof(env_names)/sizeof(env_names[0]); ++j) {
+		int len = strlen(env_names[j]);
+
+		for (i = 0; environ[i] != NULL; ++i) {
+			if (strncmp(env_names[j], environ[i], len) == 0 &&
+			    environ[i][len] == '=') {
+				if (pam_putenv(pamh, environ[i]) != PAM_SUCCESS)
+					return ERR_PAM_PUTENV;
+			}
+		}
+	}
+
+	return 0;
+}
+
+int
+main(int argc, char *argv[])
+{
+	pam_handle_t *pamh = NULL;
+	int retval;
+	int ev = 0;
+
+	if (argc != 2) {
+		fprintf(stderr, "Usage: %s <user-name>\n", argv[0]);
+		return ERR_USAGE;
+	}
+
+	retval = pam_start("ssh-keycat", argv[1], &conv, &pamh);
+	if (retval != PAM_SUCCESS) {
+		return ERR_PAM_START;
+	}
+
+	ev = set_pam_environment(pamh);
+	if (ev != 0)
+		goto finish;
+
+	retval = pam_open_session(pamh, PAM_SILENT);
+	if (retval != PAM_SUCCESS) {
+		ev = ERR_OPEN_SESSION;
+		goto finish;
+	}
+
+	ev = dump_keys(argv[1]);
+
+	retval = pam_close_session(pamh, PAM_SILENT);
+	if (retval != PAM_SUCCESS) {
+		ev = ERR_CLOSE_SESSION;
+	}
+
+finish:
+	retval = pam_end (pamh,retval);
+	if (retval != PAM_SUCCESS) {
+		ev = ERR_PAM_END;
+	}
+	return ev;
+}
Powered by Pagure 5.13.3
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.