
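--- a/openssh-5.2p1/auth1.c.selinux
+++ b/openssh-5.2p1/auth1.c.selinux
@@ -392,6 +392,9 @@ do_authentication(Authctxt *authctxt)
 {
 	u_int ulen;
 	char *user, *style = NULL;
+#ifdef WITH_SELINUX
+	char *role=NULL;
+#endif
 
 	/* Get the name of the user that we wish to log in as. */
 	packet_read_expect(SSH_CMSG_USER);
@@ -400,11 +403,25 @@ do_authentication(Authctxt *authctxt)
 	user = packet_get_string(&ulen);
 	packet_check_eom();
 
+#ifdef WITH_SELINUX
+	if ((role = strchr(user, '/')) != NULL)
+		*role++ = '\0';
+#endif
+
 	if ((style = strchr(user, ':')) != NULL)
 		*style++ = '\0';
+#ifdef WITH_SELINUX
+	else
+		if (role && (style = strchr(role, ':')) != NULL)
+			*style++ = '\0';
+#endif
+			
 
 	authctxt->user = user;
 	authctxt->style = style;
+#ifdef WITH_SELINUX
+	authctxt->role = role;
+#endif
 
 	/* Verify that the user is a valid user. */
 	if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)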
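Review bot: The login name this function now accepts is `user[/role][:style]`, with `:style` also recognised after the role when the user part carries none, but no comment states that grammar; a line above the new `strchr(user, '/')` such as `/* SELinux: split "user/role" off before the ":style" suffix; style may follow either part */` would help the next reader. `authctxt->role` is left pointing into the `user` allocation, which matches how `style` is handled in this file but differs from auth2.c, where the role is xstrdup'd, so a short comment on the assignment at new line 423 would keep the two ownership rules from being confused. New line 418 is whitespace-only (three tabs) and should be blank. do_authentication continues beyond the hunk.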
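--- a/openssh-5.2p1/auth2.c.selinux
+++ b/openssh-5.2p1/auth2.c.selinux
@@ -216,6 +216,9 @@ input_userauth_request(int type, u_int32
 	Authctxt *authctxt = ctxt;
 	Authmethod *m = NULL;
 	char *user, *service, *method, *style = NULL;
+#ifdef WITH_SELINUX
+	char *role = NULL;
+#endif
 	int authenticated = 0;
 
 	if (authctxt == NULL)
@@ -227,6 +230,11 @@ input_userauth_request(int type, u_int32
 	debug("userauth-request for user %s service %s method %s", user, service, method);
 	debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
 
+#ifdef WITH_SELINUX
+	if ((role = strchr(user, '/')) != NULL)
+		*role++ = 0;
+#endif
+
 	if ((style = strchr(user, ':')) != NULL)
 		*style++ = 0;
 
@@ -252,8 +260,15 @@ input_userauth_request(int type, u_int32
 		    use_privsep ? " [net]" : "");
 		authctxt->service = xstrdup(service);
 		authctxt->style = style ? xstrdup(style) : NULL;
-		if (use_privsep)
+#ifdef WITH_SELINUX
+		authctxt->role = role ? xstrdup(role) : NULL;
+#endif
+		if (use_privsep) {
 			mm_inform_authserv(service, style);
+#ifdef WITH_SELINUX
+			mm_inform_authrole(role);
+#endif
+		}
 		userauth_banner();
 	} else if (strcmp(user, authctxt->user) != 0 ||
 	    strcmp(service, authctxt->service) != 0) {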
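Review bot: The repeat-request consistency check at new lines 273–274 compares only `user` and `service`, so a later userauth request in the same session may carry a different `/role` suffix and is accepted without complaint while the role recorded at new line 264 (and announced to the monitor at new line 269) stays in force. Extending the condition as below keeps every request bound to the single role the monitor was told about; the `else if` body that reports a mismatch lies outside the hunk. The role is split off at new line 234 before the user is validated, which appears harmless because it is only stored inside the first-attempt block — that block's opening `if` is outside the hunk, so confirm. `*role++ = 0;` follows the file's existing `*style++ = 0;` form, which is fine.
```c
	} else if (strcmp(user, authctxt->user) != 0 ||
#ifdef WITH_SELINUX
	    (role == NULL) != (authctxt->role == NULL) ||
	    (role != NULL && strcmp(role, authctxt->role) != 0) ||
#endif
	    strcmp(service, authctxt->service) != 0) {
```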
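--- a/openssh-5.2p1/auth2-gss.c.selinux
+++ b/openssh-5.2p1/auth2-gss.c.selinux
@@ -258,6 +258,7 @@ input_gssapi_mic(int type, u_int32_t ple
 	Authctxt *authctxt = ctxt;
 	Gssctxt *gssctxt;
 	int authenticated = 0;
+	char *micuser;
 	Buffer b;
 	gss_buffer_desc mic, gssbuf;
 	u_int len;
@@ -270,7 +271,13 @@ input_gssapi_mic(int type, u_int32_t ple
 	mic.value = packet_get_string(&len);
 	mic.length = len;
 
-	ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service,
+#ifdef WITH_SELINUX
+	if (authctxt->role && (strlen(authctxt->role) > 0))
+		xasprintf(&micuser, "%s/%s", authctxt->user, authctxt->role);
+	else
+#endif
+		micuser = authctxt->user;
+	ssh_gssapi_buildmic(&b, micuser, authctxt->service,
 	    "gssapi-with-mic");
 
 	gssbuf.value = buffer_ptr(&b);
@@ -282,6 +289,8 @@ input_gssapi_mic(int type, u_int32_t ple
 		logit("GSSAPI MIC check failed");
 
 	buffer_free(&b);
+	if (micuser != authctxt->user)
+		xfree(micuser);
 	xfree(mic.value);
 
 	authctxt->postponed = 0;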
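Review bot: `strlen(authctxt->role) > 0` at new line 275 treats an empty role as absent, whereas auth2-hostbased.c and auth2-pubkey.c include the role whenever `authctxt->role` is non-NULL and auth2.c stores `xstrdup("")` for a name that ends in `/`; for such a name the MIC is therefore checked over `user` while the signature blobs carry `user/`, and only the GSSAPI path fails. Using the same test here, `if (authctxt->role)`, makes all three paths reproduce exactly the name the client authenticated; the monitor already maps an empty role to NULL in mm_answer_authrole for context selection, so nothing else depends on the strlen test. The release at new lines 292–293 is correct provided there is no early return between the xasprintf and buffer_free — the middle of input_gssapi_mic is outside the hunks, so confirm.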
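--- a/openssh-5.2p1/auth2-hostbased.c.selinux
+++ b/openssh-5.2p1/auth2-hostbased.c.selinux
@@ -106,7 +106,15 @@ userauth_hostbased(Authctxt *authctxt)
 	buffer_put_string(&b, session_id2, session_id2_len);
 	/* reconstruct packet */
 	buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
-	buffer_put_cstring(&b, authctxt->user);
+#ifdef WITH_SELINUX
+	if (authctxt->role) {
+		buffer_put_int(&b, strlen(authctxt->user)+strlen(authctxt->role)+1);
+		buffer_append(&b, authctxt->user, strlen(authctxt->user));
+		buffer_put_char(&b, '/');
+		buffer_append(&b, authctxt->role, strlen(authctxt->role));
+	} else 
+#endif
+		buffer_put_cstring(&b, authctxt->user);
 	buffer_put_cstring(&b, service);
 	buffer_put_cstring(&b, "hostbased");
 	buffer_put_string(&b, pkalg, alen);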
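Review bot: New lines 110–115 hand-encode the SSH string `user/role` by summing the two lengths and appending the pieces, and auth2-pubkey.c new lines 121–126 repeat the same arithmetic, while auth2-gss.c builds the identical name with xasprintf; three encodings of one value are three places for the reconstructed blob to drift from what the client signed. Building the name once with `xasprintf` and emitting it with `buffer_put_cstring`, as below, reuses the primitives the patch already depends on and applies unchanged to auth2-pubkey.c. The `} else ` at new line 115 also carries a trailing space. userauth_hostbased starts outside the hunk.
```c
	buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
#ifdef WITH_SELINUX
	if (authctxt->role) {
		char *authuser;

		/* the client signed "user/role" as a single string */
		xasprintf(&authuser, "%s/%s", authctxt->user, authctxt->role);
		buffer_put_cstring(&b, authuser);
		xfree(authuser);
	} else
#endif
		buffer_put_cstring(&b, authctxt->user);
	buffer_put_cstring(&b, service);
```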
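--- a/openssh-5.2p1/auth2-pubkey.c.selinux
+++ b/openssh-5.2p1/auth2-pubkey.c.selinux
@@ -117,7 +117,15 @@ userauth_pubkey(Authctxt *authctxt)
 		}
 		/* reconstruct packet */
 		buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
-		buffer_put_cstring(&b, authctxt->user);
+#ifdef WITH_SELINUX
+		if (authctxt->role) {
+			buffer_put_int(&b, strlen(authctxt->user)+strlen(authctxt->role)+1);
+			buffer_append(&b, authctxt->user, strlen(authctxt->user));
+			buffer_put_char(&b, '/');
+			buffer_append(&b, authctxt->role, strlen(authctxt->role));
+		} else 
+#endif
+			buffer_put_cstring(&b, authctxt->user);
 		buffer_put_cstring(&b,
 		    datafellows & SSH_BUG_PKSERVICE ?
 		    "ssh-userauth" :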
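--- a/openssh-5.2p1/auth.h.selinux
+++ b/openssh-5.2p1/auth.h.selinux
@@ -58,6 +58,9 @@ struct Authctxt {
 	char		*service;
 	struct passwd	*pw;		/* set if 'valid' */
 	char		*style;
+#ifdef WITH_SELINUX
+	char		*role;
+#endif
 	void		*kbdintctxt;
 	void		*jpake_ctx;
 #ifdef BSD_AUTH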
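Review bot: The new `role` member has no comment, unlike `pw` just above it; `char *role; /* SELinux role from a "user/role" login name, NULL when none */` records where the value comes from. Ownership is not uniform across the patch: auth1.c stores a pointer into the `user` string, while auth2.c keeps an xstrdup'd copy and monitor.c a buffer_get_string'd one, so whoever tears down an Authctxt needs to know which case applies — a second comment line stating that difference would head off a later double free or leak.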
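--- a/openssh-5.2p1/configure.ac.selinux
+++ b/openssh-5.2p1/configure.ac.selinux
@@ -3335,6 +3335,7 @@ AC_ARG_WITH(selinux,
 		AC_CHECK_LIB(selinux, setexeccon, [ LIBSELINUX="-lselinux" ],
 		    AC_MSG_ERROR(SELinux support requires libselinux library))
 		SSHDLIBS="$SSHDLIBS $LIBSELINUX"
+		LIBS="$LIBS $LIBSELINUX"
 		AC_CHECK_FUNCS(getseuserbyname get_default_context_with_level)
 		LIBS="$save_LIBS"
 	fi ]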
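Review bot: `LIBS="$LIBS $LIBSELINUX"` at new line 3338 makes the function probe on the next line actually link against libselinux, but the two entry points this patch starts calling in port-linux.c, `get_default_context_with_rolelevel` and `get_default_context_with_role`, are not added to the probe and the C code uses them unguarded, so a libselinux without them fails at sshd link time rather than at configure time. Extending the probe, `AC_CHECK_FUNCS(getseuserbyname get_default_context_with_level get_default_context_with_rolelevel get_default_context_with_role)`, and wrapping the two calls in port-linux.c with the resulting HAVE_ macros (falling back to the role-less call) keeps the role feature a build-time option instead of a hard requirement.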
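--- a/openssh-5.2p1/monitor.c.selinux
+++ b/openssh-5.2p1/monitor.c.selinux
@@ -135,6 +135,9 @@ int mm_answer_sign(int, Buffer *);
 int mm_answer_pwnamallow(int, Buffer *);
 int mm_answer_auth2_read_banner(int, Buffer *);
 int mm_answer_authserv(int, Buffer *);
+#ifdef WITH_SELINUX
+int mm_answer_authrole(int, Buffer *);
+#endif
 int mm_answer_authpassword(int, Buffer *);
 int mm_answer_bsdauthquery(int, Buffer *);
 int mm_answer_bsdauthrespond(int, Buffer *);
@@ -211,6 +214,9 @@ struct mon_table mon_dispatch_proto20[]
     {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
     {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
     {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
+#ifdef WITH_SELINUX
+    {MONITOR_REQ_AUTHROLE, MON_ONCE, mm_answer_authrole},
+#endif
     {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
     {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
 #ifdef USE_PAM
@@ -680,6 +686,9 @@ mm_answer_pwnamallow(int sock, Buffer *m
 	else {
 		/* Allow service/style information on the auth context */
 		monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
+#ifdef WITH_SELINUX
+		monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1);
+#endif
 		monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
 	}
 
@@ -724,6 +733,25 @@ mm_answer_authserv(int sock, Buffer *m)
 	return (0);
 }
 
+#ifdef WITH_SELINUX
+int
+mm_answer_authrole(int sock, Buffer *m)
+{
+	monitor_permit_authentications(1);
+
+	authctxt->role = buffer_get_string(m, NULL);
+	debug3("%s: role=%s",
+	    __func__, authctxt->role);
+
+	if (strlen(authctxt->role) == 0) {
+		xfree(authctxt->role);
+		authctxt->role = NULL;
+	}
+
+	return (0);
+}
+#endif
+
 int
 mm_answer_authpassword(int sock, Buffer *m)
 {
@@ -1102,7 +1130,7 @@ static int
 monitor_valid_userblob(u_char *data, u_int datalen)
 {
 	Buffer b;
-	char *p;
+	char *p, *r;
 	u_int len;
 	int fail = 0;
 
@@ -1128,6 +1156,8 @@ monitor_valid_userblob(u_char *data, u_i
 	if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
 		fail++;
 	p = buffer_get_string(&b, NULL);
+	if ((r = strchr(p, '/')) != NULL)
+		*r = '\0';
 	if (strcmp(authctxt->user, p) != 0) {
 		logit("wrong user name passed to monitor: expected %s != %.100s",
 		    authctxt->user, p);
@@ -1159,7 +1189,7 @@ monitor_valid_hostbasedblob(u_char *data
     char *chost)
 {
 	Buffer b;
-	char *p;
+	char *p, *r;
 	u_int len;
 	int fail = 0;
 
@@ -1176,6 +1206,8 @@ monitor_valid_hostbasedblob(u_char *data
 	if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
 		fail++;
 	p = buffer_get_string(&b, NULL);
+	if ((r = strchr(p, '/')) != NULL)
+		*r = '\0';
 	if (strcmp(authctxt->user, p) != 0) {
 		logit("wrong user name passed to monitor: expected %s != %.100s",
 		    authctxt->user, p);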
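Review bot: monitor_valid_userblob (new lines 1159–1160) and monitor_valid_hostbasedblob (new lines 1209–1210) cut the blob's user field at the first `/` and throw the remainder away, so the privileged side never checks that the role inside the blob whose signature it is about to verify is the role it was told through mm_answer_authrole; comparing the suffix with `authctxt->role` and counting a mismatch as a failure binds the context the monitor will later apply to the name the client actually signed, in the same spirit as the existing user check. The truncation is also unconditional, so a build without WITH_SELINUX now accepts a blob whose user field is `user/anything` for user `user`, which the original exact comparison rejected; guarding the new lines (and the `*r` declarations) with `#ifdef WITH_SELINUX` restores that. The rewrite below is for monitor_valid_userblob and applies unchanged to the hostbased variant; the rest of both functions is outside the hunks, as is the `fail` handling that follows.
```c
	p = buffer_get_string(&b, NULL);
#ifdef WITH_SELINUX
	/* the blob carries "user/role"; the role must be the one the child announced */
	if ((r = strchr(p, '/')) != NULL) {
		*r++ = '\0';
		if (*r == '\0')		/* "user/": mm_answer_authrole stored no role */
			r = NULL;
	}
	if ((r == NULL) != (authctxt->role == NULL) ||
	    (r != NULL && strcmp(r, authctxt->role) != 0))
		fail++;
#endif
	if (strcmp(authctxt->user, p) != 0) {
```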
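--- a/openssh-5.2p1/monitor.h.selinux
+++ b/openssh-5.2p1/monitor.h.selinux
@@ -31,6 +31,9 @@
 enum monitor_reqtype {
 	MONITOR_REQ_MODULI, MONITOR_ANS_MODULI,
 	MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV,
+#ifdef WITH_SELINUX
+	MONITOR_REQ_AUTHROLE,
+#endif
 	MONITOR_REQ_SIGN, MONITOR_ANS_SIGN,
 	MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM,
 	MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER,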
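Review bot: `MONITOR_REQ_AUTHROLE` is inserted in the middle of `enum monitor_reqtype` under `#ifdef WITH_SELINUX`, so the numeric value of every later request type differs between SELinux and non-SELinux builds. That is harmless on the wire, since monitor and child come from the same binary, but it makes the request numbers that appear in debug output and in any external tooling build-dependent; placing the new constant at the end of the enum, or declaring it unconditionally, keeps the existing numbering stable.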
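--- a/openssh-5.2p1/monitor_wrap.c.selinux
+++ b/openssh-5.2p1/monitor_wrap.c.selinux
@@ -297,6 +297,25 @@ mm_inform_authserv(char *service, char *
 	buffer_free(&m);
 }
 
+/* Inform the privileged process about role */
+
+#ifdef WITH_SELINUX
+void
+mm_inform_authrole(char *role)
+{
+	Buffer m;
+
+	debug3("%s entering", __func__);
+
+	buffer_init(&m);
+	buffer_put_cstring(&m, role ? role : "");
+
+	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, &m);
+
+	buffer_free(&m);
+}
+#endif
+
 /* Do the password authentication */
 int
 mm_auth_password(Authctxt *authctxt, char *password)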
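Review bot: The comment `/* Inform the privileged process about role */` at new line 300 sits outside the `#ifdef WITH_SELINUX` that begins two lines later, so a non-SELinux build keeps a comment describing a function that is not there; moving it inside the guard, directly above `void` as `/* Do the password authentication */` sits directly above `mm_auth_password`, fixes that. The NULL-to-`""` mapping at new line 311 is only correct because mm_answer_authrole in monitor.c turns an empty string back into NULL; a note at that line such as `/* empty string means "no role"; the monitor maps it back to NULL */` records the contract where it is relied on.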
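--- a/openssh-5.2p1/monitor_wrap.h.selinux
+++ b/openssh-5.2p1/monitor_wrap.h.selinux
@@ -41,6 +41,9 @@ int mm_is_monitor(void);
 DH *mm_choose_dh(int, int, int);
 int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int);
 void mm_inform_authserv(char *, char *);
+#ifdef WITH_SELINUX
+void mm_inform_authrole(char *);
+#endif
 struct passwd *mm_getpwnamallow(const char *);
 char *mm_auth2_read_banner(void);
 int mm_auth_password(struct Authctxt *, char *);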
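--- a/openssh-5.2p1/openbsd-compat/port-linux.c.selinux
+++ b/openssh-5.2p1/openbsd-compat/port-linux.c.selinux
@@ -30,11 +30,16 @@
 #ifdef WITH_SELINUX
 #include "log.h"
 #include "port-linux.h"
+#include "key.h"
+#include "hostfile.h"
+#include "auth.h"
 
 #include <selinux/selinux.h>
 #include <selinux/flask.h>
 #include <selinux/get_context_list.h>
 
+extern Authctxt *the_authctxt;
+
 /* Wrapper around is_selinux_enabled() to log its return value once only */
 int
 ssh_selinux_enabled(void)
@@ -53,23 +58,36 @@ ssh_selinux_enabled(void)
 static security_context_t
 ssh_selinux_getctxbyname(char *pwname)
 {
-	security_context_t sc;
-	char *sename = NULL, *lvl = NULL;
-	int r;
+	security_context_t sc = NULL;
+	char *sename, *lvl;
+	char *role = NULL;
+	int r = 0;
 
+	if (the_authctxt) 
+		role=the_authctxt->role;
 #ifdef HAVE_GETSEUSERBYNAME
-	if (getseuserbyname(pwname, &sename, &lvl) != 0)
-		return NULL;
+	if ((r=getseuserbyname(pwname, &sename, &lvl)) != 0) {
+		sename = NULL;
+		lvl = NULL;
+	}
 #else
 	sename = pwname;
 	lvl = NULL;
 #endif
 
+	if (r == 0) {
 #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
-	r = get_default_context_with_level(sename, lvl, NULL, &sc);
+		if (role != NULL && role[0])
+			r = get_default_context_with_rolelevel(sename, role, lvl, NULL, &sc);
+		else
+			r = get_default_context_with_level(sename, lvl, NULL, &sc);
 #else
-	r = get_default_context(sename, NULL, &sc);
+		if (role != NULL && role[0])
+			r = get_default_context_with_role(sename, role, NULL, &sc);
+		else
+			r = get_default_context(sename, NULL, &sc);
 #endif
+	}
 
 	if (r != 0) {
 		switch (security_getenforce()) {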
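Review bot: `extern Authctxt *the_authctxt;` at new line 41 ties this openbsd-compat object to a global that only the sshd program defines, so any other binary that pulls port-linux.o out of the compat archive fails to link unless it defines the symbol too — confirm which programs reference the ssh_selinux_* functions before relying on it, or pass the role in through a setter the compat layer owns. In ssh_selinux_getctxbyname a getseuserbyname failure no longer returns early; it leaves `r != 0` with `sename` and `lvl` set to NULL and falls into the `r != 0` handling after the hunk, which is the safer outcome if that switch still fails closed in enforcing mode, but the cleanup that follows it must tolerate NULL `sename`/`lvl`, as OpenSSH's xfree treats a NULL argument as fatal — check the lines after new line 93. Initialising `sc = NULL` at new line 61 is a genuine fix, since the permissive-mode path previously returned an uninitialised context. Minor: `role=the_authctxt->role` and `(r=getseuserbyname(...))` omit the spaces used elsewhere, and new line 66 ends with a trailing space.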
