
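--- a/auth.c
+++ b/auth.c
@@ -45,6 +45,11 @@
 #ifdef HAVE_LIBGEN_H
 #include <libgen.h>
 #endif
+
+#ifdef __APPLE_SACL__
+#include <membershipPriv.h>
+#endif
+
 #include <stdarg.h>
 #include <stdio.h>
 #include <string.h>
@@ -233,6 +238,46 @@
 			}
 		ga_free();
 	}
+	
+	if( options.sacl_support )
+	{
+#ifdef __APPLE_SACL__
+		/*
+	 	* Here we check with memberd if the Service ACLs allow this user to
+	 	* use the ssh service.
+	 	*/
+
+		debug("Checking with Service ACLs for ssh login restrictions");
+
+		uuid_t user_uuid;
+		int isMember = 0;
+		int mbrErr = 0;
+	
+		// get the uuid
+		if ( mbr_user_name_to_uuid(pw->pw_name, user_uuid) )
+		{
+			debug("call to mbr_user_name_to_uuid with <%s> failed to retrieve user_uuid", pw->pw_name);
+			return 0;
+		}	
+		debug("call to mbr_user_name_to_uuid with <%s> suceeded to retrieve user_uuid", pw->pw_name);
+	
+		// check the sacl
+		if((mbrErr = mbr_check_service_membership(user_uuid, "ssh", &isMember)))
+		{
+			debug("Called mbr_check_service_membership with isMember <%d> with status <%d>", isMember, mbrErr);
+			if(mbrErr == ENOENT)	// no ACL exists
+			{
+				return 1;	
+			} else {
+				return 0;
+			}
+		}
+		debug("Call to mbr_check_service_membership failed with status <%d>", mbrErr);
+		return isMember;
+#endif /* __APPLE_SACL__ */
+	}
+
+
 
 #ifdef CUSTOM_SYS_AUTH_ALLOWED_USER
 	if (!sys_auth_allowed_user(pw, &loginmsg))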
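Review bot: The SACL block short-circuits allowed_user() on the *allow* side — `return 1;` on ENOENT (new line 270) and `return isMember;` (276) both skip the CUSTOM_SYS_AUTH_ALLOWED_USER hook that follows in this very hunk and whatever else runs before the function's final return, which lies outside the hunk. An authorization gate inserted mid-function should only return early to deny; when no ACL exists or the user is a member it should fall through so the remaining checks still apply. The `debug("Call to mbr_check_service_membership failed ...")` at 275 is also misleading, since it is only reached after the call succeeded, and both denial paths log at debug level only, so an admin sees no reason for a refused login at the default LogLevel. Treating ENOENT as "no ssh SACL, everyone allowed" is presumably Apple's intended semantics, but it is a fail-open branch and deserves an explicit comment rather than the terse `// no ACL exists`. The enclosing function starts and ends outside the hunk.
```c
		/* … unchanged: mbr_user_name_to_uuid lookup, fail closed on error … */
		if ((mbrErr = mbr_check_service_membership(user_uuid, "ssh", &isMember))) {
			if (mbrErr != ENOENT) {
				logit("mbr_check_service_membership failed for %.100s: status %d",
				    pw->pw_name, mbrErr);
				return 0;
			}
			/* ENOENT: no SACL is defined for ssh, which memberd treats as "open to all". */
			debug("No Service ACL for ssh; not restricting %.100s", pw->pw_name);
		} else if (!isMember) {
			logit("User %.100s not allowed because the ssh Service ACL excludes them",
			    pw->pw_name);
			return 0;
		}
		/* Fall through so the remaining checks in allowed_user() still apply. */
```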
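--- a/servconf.c
+++ b/servconf.c
@@ -97,6 +97,7 @@
 	options->permit_empty_passwd = -1;
 	options->permit_user_env = -1;
 	options->use_login = -1;
+	options->sacl_support = -1;
 	options->compression = -1;
 	options->allow_tcp_forwarding = -1;
 	options->num_allow_users = 0;
@@ -293,6 +294,7 @@
 	sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
 	sMatch, sPermitOpen, sForceCommand,
 	sUsePrivilegeSeparation,
+	sSACLSupport,
 	sDeprecated, sUnsupported
 } ServerOpCodes;
 
@@ -398,6 +400,7 @@
 	{ "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_GLOBAL },
 	{ "authorizedkeysfile2", sAuthorizedKeysFile2, SSHCFG_GLOBAL },
 	{ "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL },
+	{ "saclsupport", sSACLSupport },
 	{ "acceptenv", sAcceptEnv, SSHCFG_GLOBAL },
 	{ "permittunnel", sPermitTunnel, SSHCFG_GLOBAL },
  	{ "match", sMatch, SSHCFG_ALL },
@@ -912,6 +915,10 @@
 		charptr = &options->xauth_location;
 		goto parse_filename;
 
+	case sSACLSupport:
+		intptr = &options->sacl_support;
+		goto parse_flag;
+
 	case sStrictModes:
 		intptr = &options->strict_modes;
 		goto parse_flag;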
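Review bot: `options->sacl_support = -1;` (new line 100) has no matching normalization in fill_default_server_options — the section's seven added lines are fully accounted for by this initializer, the opcode, the keyword entry and the parse case — so when SACLSupport is absent from sshd_config the -1 sentinel survives into `if( options.sacl_support )` in auth.c, where it counts as true and the SACL check is on by default through an accident of representation. Make the default explicit next to the other flags, `if (options->sacl_support == -1) options->sacl_support = 1;` (or 0, whichever the `#SACLSupport yes` line in sshd_config is meant to document), so that a future `== 1` comparison cannot silently flip the behaviour. Separately, the keyword entry `{ "saclsupport", sSACLSupport },` omits the flags field every neighbouring entry carries; it should read `{ "saclsupport", sSACLSupport, SSHCFG_GLOBAL },` so its Match-block handling follows the table's convention rather than a zero default. initialize_server_options starts and ends outside the hunk.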
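--- a/servconf.h
+++ b/servconf.h
@@ -137,6 +137,7 @@
 	char   *adm_forced_command;
 
 	int	use_pam;		/* Enable auth via PAM */
+	int	sacl_support;		/* Enable use of SACLs */
 
 	int	permit_tun;
 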
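--- a/sshd_config
+++ b/sshd_config
@@ -56,6 +56,9 @@
 #PasswordAuthentication yes
 #PermitEmptyPasswords no
 
+# SACL options
+#SACLSupport yes
+
 # Change to no to disable s/key passwords
 #ChallengeResponseAuthentication yes
 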
