
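--- a/auth.c
+++ b/auth.c
@@ -71,6 +71,12 @@
 #endif
 #include "monitor_wrap.h"
 
+#ifdef HAVE_MBR_CHECK_SERVICE_MEMBERSHIP
+/* Our membershipPriv.h is not yet API, so I will define the prototypes that I need here. */
+int mbr_user_name_to_uuid(const char *name, uuid_t uu);
+int mbr_check_service_membership(const uuid_t user, const char *servicename, int *ismember);
+#endif
+
 /* import */
 extern ServerOptions options;
 extern int use_privsep;
@@ -235,6 +241,46 @@
 		ga_free();
 	}
 
+	if( options.sacl_support )
+	{
+#ifdef HAVE_MBR_CHECK_SERVICE_MEMBERSHIP
+		/*
+	 	* Here we check with memberd if the Service ACLs allow this user to
+	 	* use the ssh service.
+	 	*/
+
+		debug("Checking with Service ACLs for ssh login restrictions");
+
+		uuid_t user_uuid;
+		int isMember = 0;
+		int mbrErr = 0;
+	
+		// get the uuid
+		if ( mbr_user_name_to_uuid(pw->pw_name, user_uuid) )
+		{
+			debug("call to mbr_user_name_to_uuid with <%s> failed to retrieve user_uuid", pw->pw_name);
+			return 0;
+		}	
+		debug("call to mbr_user_name_to_uuid with <%s> suceeded to retrieve user_uuid", pw->pw_name);
+	
+		// check the sacl
+		if((mbrErr = mbr_check_service_membership(user_uuid, "ssh", &isMember)))
+		{
+			debug("Called mbr_check_service_membership with isMember <%d> with status <%d>", isMember, mbrErr);
+			if(mbrErr == ENOENT)	// no ACL exists
+			{
+				return 1;	
+			} else {
+				return 0;
+			}
+		}
+		debug("Call to mbr_check_service_membership failed with status <%d>", mbrErr);
+		return isMember;
+#endif /* HAVE_MBR_CHECK_SERVICE_MEMBERSHIP */
+	}
+
+
+
 #ifdef CUSTOM_SYS_AUTH_ALLOWED_USER
 	if (!sys_auth_allowed_user(pw, &loginmsg))
 		return 0;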
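Review bot: The SACL block returns early on the allow path (`return 1;` for ENOENT and `return isMember;`), so a user who passes it skips the `sys_auth_allowed_user` check directly below and any further checks in the rest of allowed_user(), whose start and end lie outside the hunk. Only the deny outcomes should return, with the allow case falling through; the sketch below does that and also moves the declarations to the top of the block in the C89 style the surrounding file uses. The two debug messages are swapped as well: `Call to mbr_check_service_membership failed with status <%d>` is only reached when the call returned 0, while the message inside the error branch reads like a success report (and `suceeded` is misspelled). The first hunk hand-declares prototypes using `uuid_t` without adding an include for it; if nothing already included in auth.c provides that type on this platform the block will not compile, which is worth confirming.
```c
	if (options.sacl_support) {
#ifdef HAVE_MBR_CHECK_SERVICE_MEMBERSHIP
		uuid_t user_uuid;
		int ismember = 0, mbrerr;

		debug("Checking with Service ACLs for ssh login restrictions");
		if (mbr_user_name_to_uuid(pw->pw_name, user_uuid) != 0) {
			debug("mbr_user_name_to_uuid failed for <%s>", pw->pw_name);
			return 0;
		}
		mbrerr = mbr_check_service_membership(user_uuid, "ssh", &ismember);
		if (mbrerr != 0 && mbrerr != ENOENT) {
			debug("mbr_check_service_membership failed with status <%d>", mbrerr);
			return 0;
		}
		/* ENOENT means no ACL exists for "ssh", so it restricts nobody. */
		if (mbrerr == 0 && !ismember) {
			logit("User %.100s not allowed because not in the ssh service ACL", pw->pw_name);
			return 0;
		}
#endif /* HAVE_MBR_CHECK_SERVICE_MEMBERSHIP */
	}
	/* … unchanged: CUSTOM_SYS_AUTH_ALLOWED_USER check and the rest of allowed_user() … */
```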
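--- a/config.h.in
+++ b/config.h.in
@@ -587,6 +587,9 @@
 /* Define to 1 if you have the <maillock.h> header file. */
 #undef HAVE_MAILLOCK_H
 
+/* Define to 1 if you have the `mbr_check_service_membership' function. */
+#undef HAVE_MBR_CHECK_SERVICE_MEMBERSHIP
+
 /* Define to 1 if you have the `md5_crypt' function. */
 #undef HAVE_MD5_CRYPT
 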
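--- a/configure
+++ b/configure
@@ -12657,6 +12657,7 @@
 
 
 
+
 for ac_func in \
 	arc4random \
 	arc4random_buf \
@@ -12692,6 +12693,7 @@
 	inet_ntop \
 	innetgr \
 	login_getcapbool \
+	mbr_check_service_membership \
 	md5_crypt \
 	memmove \
 	mkdtemp \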
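--- a/configure.ac
+++ b/configure.ac
@@ -1335,6 +1335,7 @@
 	inet_ntop \
 	innetgr \
 	login_getcapbool \
+	mbr_check_service_membership \
 	md5_crypt \
 	memmove \
 	mkdtemp \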
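--- a/servconf.c
+++ b/servconf.c
@@ -99,6 +99,7 @@
 	options->permit_empty_passwd = -1;
 	options->permit_user_env = -1;
 	options->use_login = -1;
+	options->sacl_support = -1;
 	options->compression = -1;
 	options->allow_tcp_forwarding = -1;
 	options->allow_agent_forwarding = -1;
@@ -302,6 +303,7 @@
 	sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
 	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
 	sUsePrivilegeSeparation, sAllowAgentForwarding,
+	sSACLSupport,
 	sDeprecated, sUnsupported
 } ServerOpCodes;
 
@@ -409,6 +411,7 @@
 	{ "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_GLOBAL },
 	{ "authorizedkeysfile2", sAuthorizedKeysFile2, SSHCFG_GLOBAL },
 	{ "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL },
+	{ "saclsupport", sSACLSupport },
 	{ "acceptenv", sAcceptEnv, SSHCFG_GLOBAL },
 	{ "permittunnel", sPermitTunnel, SSHCFG_GLOBAL },
  	{ "match", sMatch, SSHCFG_ALL },
@@ -922,6 +925,10 @@
 		charptr = &options->xauth_location;
 		goto parse_filename;
 
+	case sSACLSupport:
+		intptr = &options->sacl_support;
+		goto parse_flag;
+
 	case sStrictModes:
 		intptr = &options->strict_modes;
 		goto parse_flag;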
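Review bot: The keyword-table entry `{ "saclsupport", sSACLSupport },` omits the third SSHCFG_* flags member that every neighbouring entry carries, so its flags are zero. How process_server_config_line() (outside this diff) treats a zero flags value decides whether the keyword is accepted in the global section, inside a Match block, or nowhere, so the omission looks unintended and the line should read `{ "saclsupport", sSACLSupport, SSHCFG_GLOBAL },`. The field is also set to -1 in initialize_server_options() with no matching fill_default_server_options() entry anywhere in this patch, so an unconfigured sacl_support keeps the -1 sentinel, which the plain truth test in auth.c treats as enabled. Add a default next to the other options, e.g. `if (options->sacl_support == -1) options->sacl_support = 1;`, choosing whichever value the `#SACLSupport yes` line added to sshd_config is meant to document.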
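--- a/servconf.h
+++ b/servconf.h
@@ -143,6 +143,7 @@
 	char   *adm_forced_command;
 
 	int	use_pam;		/* Enable auth via PAM */
+	int	sacl_support;		/* Enable use of SACLs */
 
 	int	permit_tun;
 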
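--- a/sshd_config
+++ b/sshd_config
@@ -61,6 +61,9 @@
 #PasswordAuthentication yes
 #PermitEmptyPasswords no
 
+# SACL options
+#SACLSupport yes
+
 # Change to no to disable s/key passwords
 #ChallengeResponseAuthentication yes
 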
