Attachment 1811 Details for Bug 1663 – pattch against openssh-5.4p1

[patch] pattch against openssh-5.4p1

openssh-5.4p1-pka.patch (text/plain), 12.24 KB, created by jchadima on 2010-03-17 19:32:09 AEDT

(hide)

Description:

Filename:

MIME Type:

Creator: jchadima

Created: 2010-03-17 19:32:09 AEDT

Size: 12.24 KB

patch

obsolete

>diff -up openssh-5.4p1/auth2-pubkey.c.pka openssh-5.4p1/auth2-pubkey.c
>--- openssh-5.4p1/auth2-pubkey.c.pka	2010-03-09 08:01:05.000000000 +0100
>+++ openssh-5.4p1/auth2-pubkey.c	2010-03-09 08:07:15.000000000 +0100
>@@ -187,27 +187,15 @@ done:
> 
> /* return 1 if user allows given key */
> static int
>-user_key_allowed2(struct passwd *pw, Key *key, char *file)
>+user_search_key_in_file(FILE *f, char *file, Key* key, struct passwd *pw)
> {
> 	char line[SSH_MAX_PUBKEY_BYTES];
> 	const char *reason;
> 	int found_key = 0;
>-	FILE *f;
> 	u_long linenum = 0;
> 	Key *found;
> 	char *fp;
> 
>-	/* Temporarily use the user's uid. */
>-	temporarily_use_uid(pw);
>-
>-	debug("trying public key file %s", file);
>-	f = auth_openkeyfile(file, pw, options.strict_modes);
>-
>-	if (!f) {
>-		restore_uid();
>-		return 0;
>-	}
>-
> 	found_key = 0;
> 	found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);
> 
>@@ -278,8 +266,6 @@ user_key_allowed2(struct passwd *pw, Key
> 			break;
> 		}
> 	}
>-	restore_uid();
>-	fclose(f);
> 	key_free(found);
> 	if (!found_key)
> 		debug2("key not found");
>@@ -327,13 +313,153 @@ user_cert_trusted_ca(struct passwd *pw, 
> 	return ret;
> }
> 
>-/* check whether given key is in .ssh/authorized_keys* */
>+/* return 1 if user allows given key */
>+static int
>+user_key_allowed2(struct passwd *pw, Key *key, char *file)
>+{
>+	FILE *f;
>+	int found_key = 0;
>+
>+	/* Temporarily use the user's uid. */
>+	temporarily_use_uid(pw);
>+
>+	debug("trying public key file %s", file);
>+	f = auth_openkeyfile(file, pw, options.strict_modes);
>+
>+ 	if (f) {
>+ 		found_key = user_search_key_in_file (f, file, key, pw);
>+		fclose(f);
>+	}
>+
>+	restore_uid();
>+	return found_key;
>+}
>+
>+#ifdef WITH_PUBKEY_AGENT
>+
>+#define WHITESPACE " \t\r\n"
>+
>+/* return 1 if user allows given key */
>+static int
>+user_key_via_agent_allowed2(struct passwd *pw, Key *key)
>+{
>+	FILE *f;
>+	int found_key = 0;
>+	char *pubkey_agent_string = NULL;
>+	char *tmp_pubkey_agent_string = NULL;
>+	char *progname;
>+	char *cp;
>+	struct passwd *runas_pw;
>+	struct stat st;
>+
>+	if (options.pubkey_agent == NULL || options.pubkey_agent[0] != '/')
>+		return -1;
>+
>+	/* get the run as identity from config */
>+	runas_pw = (options.pubkey_agent_runas == NULL)? pw
>+	    : getpwnam (options.pubkey_agent_runas);
>+	if (!runas_pw) {
>+		error("%s: getpwnam(\"%s\"): %s", __func__,
>+		    options.pubkey_agent_runas, strerror(errno));
>+		return 0;
>+	}
>+
>+	/* Temporarily use the specified uid. */
>+	if (runas_pw->pw_uid != 0)
>+		temporarily_use_uid(runas_pw);
>+
>+	pubkey_agent_string = percent_expand(options.pubkey_agent,
>+	    "h", pw->pw_dir, "u", pw->pw_name, (char *)NULL);
>+
>+	/* Test whether agent can be modified by non root user */
>+	tmp_pubkey_agent_string = xstrdup (pubkey_agent_string);
>+	progname = strtok (tmp_pubkey_agent_string, WHITESPACE);
>+
>+	debug3("%s: checking program '%s'", __func__, progname);
>+
>+	if (stat (progname, &st) < 0) {
>+		error("%s: stat(\"%s\"): %s", __func__,
>+		    progname, strerror(errno));
>+		goto go_away;
>+	}
>+
>+	if (st.st_uid != 0 || (st.st_mode & 022) != 0) {
>+		error("bad ownership or modes for pubkey agent \"%s\"",
>+		    progname);
>+		goto go_away;
>+	}
>+
>+	if (!S_ISREG(st.st_mode)) {
>+		error("pubkey agent \"%s\" is not a regular file",
>+		    progname);
>+		goto go_away;
>+	}
>+
>+	/*
>+	 * Descend the path, checking that each component is a
>+	 * root-owned directory with strict permissions.
>+	 */
>+	do {
>+		if ((cp = strrchr(progname, '/')) == NULL)
>+			break;
>+		else 
>+			*cp = '\0';
>+	
>+		debug3("%s: checking component '%s'", __func__, progname);
>+
>+		if (stat(progname, &st) != 0) {
>+			error("%s: stat(\"%s\"): %s", __func__,
>+			    progname, strerror(errno));
>+			goto go_away;
>+		}
>+		if (st.st_uid != 0 || (st.st_mode & 022) != 0) {
>+			error("bad ownership or modes for pubkey agent path component \"%s\"",
>+			    progname);
>+			goto go_away;
>+		}
>+		if (!S_ISDIR(st.st_mode)) {
>+			error("pubkey agent path component \"%s\" is not a directory",
>+			    progname);
>+			goto go_away;
>+		}
>+	} while (0);
>+
>+	/* open the pipe and read the keys */
>+	f = popen (pubkey_agent_string, "r");
>+	if (!f) {
>+		error("%s: popen (\"%s\", \"r\"): %s", __func__,
>+		    pubkey_agent_string, strerror (errno));
>+		goto go_away;
>+	}
>+
>+	found_key = user_search_key_in_file (f, options.pubkey_agent, key, pw);
>+	pclose (f);
>+
>+go_away:
>+	if (tmp_pubkey_agent_string)
>+		xfree (tmp_pubkey_agent_string);
>+	if (pubkey_agent_string)
>+		xfree (pubkey_agent_string);
>+
>+	if (runas_pw->pw_uid != 0)
>+		restore_uid();
>+	return found_key;
>+}
>+#endif
>+
>+/* check whether given key is in <pkey_agent or .ssh/authorized_keys* */
> int
> user_key_allowed(struct passwd *pw, Key *key)
> {
> 	int success;
> 	char *file;
> 
>+#ifdef WITH_PUBKEY_AGENT
>+	success = user_key_via_agent_allowed2(pw, key);
>+	if (success >= 0)
>+		return success;
>+#endif
>+
> 	if (auth_key_is_revoked(key))
> 		return 0;
> 	if (key_is_cert(key) && auth_key_is_revoked(key->cert->signature_key))
>diff -up openssh-5.4p1/configure.ac.pka openssh-5.4p1/configure.ac
>--- openssh-5.4p1/configure.ac.pka	2010-03-09 08:01:04.000000000 +0100
>+++ openssh-5.4p1/configure.ac	2010-03-09 08:01:05.000000000 +0100
>@@ -1323,6 +1323,18 @@ AC_ARG_WITH(audit,
> 	esac ]
> )
> 
>+# Check whether user wants pubkey agent support
>+PKA_MSG="no"
>+AC_ARG_WITH(pka,
>+	[  --with-pka      Enable pubkey agent support],
>+	[
>+		if test "x$withval" != "xno" ; then
>+			AC_DEFINE([WITH_PUBKEY_AGENT], 1, [Enable pubkey agent support])
>+			PKA_MSG="yes"
>+		fi
>+	]
>+)
>+
> dnl    Checks for library functions. Please keep in alphabetical order
> AC_CHECK_FUNCS( \
> 	arc4random \
>@@ -4206,6 +4218,7 @@ echo "               Linux audit support
> echo "                 Smartcard support: $SCARD_MSG"
> echo "                     S/KEY support: $SKEY_MSG"
> echo "              TCP Wrappers support: $TCPW_MSG"
>+echo "                       PKA support: $PKA_MSG"
> echo "              MD5 password support: $MD5_MSG"
> echo "                   libedit support: $LIBEDIT_MSG"
> echo "  Solaris process contract support: $SPC_MSG"
>diff -up openssh-5.4p1/servconf.c.pka openssh-5.4p1/servconf.c
>--- openssh-5.4p1/servconf.c.pka	2010-03-09 08:01:04.000000000 +0100
>+++ openssh-5.4p1/servconf.c	2010-03-09 09:04:57.000000000 +0100
>@@ -129,6 +129,8 @@ initialize_server_options(ServerOptions 
> 	options->num_permitted_opens = -1;
> 	options->adm_forced_command = NULL;
> 	options->chroot_directory = NULL;
>+	options->pubkey_agent = NULL;
>+	options->pubkey_agent_runas = NULL;
> 	options->zero_knowledge_password_authentication = -1;
> 	options->revoked_keys_file = NULL;
> 	options->trusted_user_ca_keys = NULL;
>@@ -315,6 +317,7 @@ typedef enum {
> 	sUsePrivilegeSeparation, sAllowAgentForwarding,
> 	sZeroKnowledgePasswordAuthentication, sHostCertificate,
> 	sRevokedKeys, sTrustedUserCAKeys,
>+	sPubkeyAgent, sPubkeyAgentRunAs,
> 	sDeprecated, sUnsupported
> } ServerOpCodes;
> 
>@@ -437,6 +440,13 @@ static struct {
> 	{ "hostcertificate", sHostCertificate, SSHCFG_GLOBAL },
> 	{ "revokedkeys", sRevokedKeys, SSHCFG_ALL },
> 	{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
>+#ifdef WITH_PUBKEY_AGENT
>+	{ "pubkeyagent", sPubkeyAgent, SSHCFG_ALL },
>+	{ "pubkeyagentrunas", sPubkeyAgentRunAs, SSHCFG_ALL },
>+#else
>+	{ "pubkeyagent", sUnsupported, SSHCFG_ALL },
>+	{ "pubkeyagentrunas", sUnsupported, SSHCFG_ALL },
>+#endif
> 	{ NULL, sBadOption, 0 }
> };
> 
>@@ -1345,6 +1355,20 @@ process_server_config_line(ServerOptions
> 		charptr = &options->revoked_keys_file;
> 		goto parse_filename;
> 
>+	case sPubkeyAgent:
>+		len = strspn(cp, WHITESPACE);
>+		if (*activep && options->pubkey_agent == NULL)
>+			options->pubkey_agent = xstrdup(cp + len);
>+		return 0;
>+
>+	case sPubkeyAgentRunAs:
>+		charptr = &options->pubkey_agent_runas;
>+
>+		arg = strdelim(&cp);
>+		if (*activep && *charptr == NULL)
>+			*charptr = xstrdup(arg);
>+		break;
>+
> 	case sDeprecated:
> 		logit("%s line %d: Deprecated option %s",
> 		    filename, linenum, arg);
>@@ -1438,6 +1462,8 @@ copy_set_server_options(ServerOptions *d
> 	M_CP_INTOPT(gss_authentication);
> 	M_CP_INTOPT(rsa_authentication);
> 	M_CP_INTOPT(pubkey_authentication);
>+	M_CP_STROPT(pubkey_agent);
>+	M_CP_STROPT(pubkey_agent_runas);
> 	M_CP_INTOPT(kerberos_authentication);
> 	M_CP_INTOPT(hostbased_authentication);
> 	M_CP_INTOPT(kbd_interactive_authentication);
>@@ -1683,6 +1709,8 @@ dump_config(ServerOptions *o)
> 	dump_cfg_string(sChrootDirectory, o->chroot_directory);
> 	dump_cfg_string(sTrustedUserCAKeys, o->trusted_user_ca_keys);
> 	dump_cfg_string(sRevokedKeys, o->revoked_keys_file);
>+	dump_cfg_string(sPubkeyAgent, o->pubkey_agent);
>+	dump_cfg_string(sPubkeyAgentRunAs, o->pubkey_agent_runas);
> 
> 	/* string arguments requiring a lookup */
> 	dump_cfg_string(sLogLevel, log_level_name(o->log_level));
>diff -up openssh-5.4p1/servconf.h.pka openssh-5.4p1/servconf.h
>--- openssh-5.4p1/servconf.h.pka	2010-03-09 08:01:04.000000000 +0100
>+++ openssh-5.4p1/servconf.h	2010-03-09 09:05:29.000000000 +0100
>@@ -157,6 +157,8 @@ typedef struct {
> 	char   *chroot_directory;
> 	char   *revoked_keys_file;
> 	char   *trusted_user_ca_keys;
>+	char   *pubkey_agent;
>+	char   *pubkey_agent_runas;
> }       ServerOptions;
> 
> void	 initialize_server_options(ServerOptions *);
>diff -up openssh-5.4p1/sshd_config.0.pka openssh-5.4p1/sshd_config.0
>--- openssh-5.4p1/sshd_config.0.pka	2010-03-09 08:01:04.000000000 +0100
>+++ openssh-5.4p1/sshd_config.0	2010-03-09 09:07:35.000000000 +0100
>@@ -352,7 +352,8 @@ DESCRIPTION
>              KbdInteractiveAuthentication, KerberosAuthentication,
>              MaxAuthTries, MaxSessions, PasswordAuthentication,
>              PermitEmptyPasswords, PermitOpen, PermitRootLogin,
>-             PubkeyAuthentication, RhostsRSAAuthentication, RSAAuthentication,
>+             PubkeyAuthentication, PubkeyAgent, PubkeyAgentRunAs,
>+             RhostsRSAAuthentication, RSAAuthentication,
>              X11DisplayOffset, X11Forwarding and X11UseLocalHost.
> 
>      MaxAuthTries
>@@ -467,6 +468,17 @@ DESCRIPTION
>              this file is not readable, then public key authentication will be
>              refused for all users.
> 
>+     PubkeyAgent
>+             Specifies which agent is used for lookup of the user's public
>+             keys. Empty string means to use the authorized_keys file.  By
>+             default there is no PubkeyAgent set.  Note that this option has
>+             an effect only with PubkeyAuthentication switched on.
>+
>+     PubkeyAgentRunAs
>+             Specifies the user under whose account the PubkeyAgent is run.
>+             Empty string (the default value) means the user being authorized
>+             is used.
>+
>      RhostsRSAAuthentication
>              Specifies whether rhosts or /etc/hosts.equiv authentication to-
>              gether with successful RSA host authentication is allowed.  The
>diff -up openssh-5.4p1/sshd_config.5.pka openssh-5.4p1/sshd_config.5
>--- openssh-5.4p1/sshd_config.5.pka	2010-03-09 08:01:04.000000000 +0100
>+++ openssh-5.4p1/sshd_config.5	2010-03-09 09:06:40.000000000 +0100
>@@ -618,6 +618,9 @@ Available keywords are
> .Cm KerberosAuthentication ,
> .Cm MaxAuthTries ,
> .Cm MaxSessions ,
>+.Cm PubkeyAuthentication ,
>+.Cm PubkeyAgent ,
>+.Cm PubkeyAgentRunAs ,
> .Cm PasswordAuthentication ,
> .Cm PermitEmptyPasswords ,
> .Cm PermitOpen ,
>@@ -819,6 +822,16 @@ Specifies a list of revoked public keys.
> Keys listed in this file will be refused for public key authentication.
> Note that if this file is not readable, then public key authentication will
> be refused for all users.
>++.It Cm PubkeyAgent
>++Specifies which agent is used for lookup of the user's public
>++keys. Empty string means to use the authorized_keys file.
>++By default there is no PubkeyAgent set.
>++Note that this option has an effect only with PubkeyAuthentication
>++switched on.
>++.It Cm PubkeyAgentRunAs
>++Specifies the user under whose account the PubkeyAgent is run. Empty
>++string (the default value) means the user being authorized is used.
>++.Dq 
> .It Cm RhostsRSAAuthentication
> Specifies whether rhosts or /etc/hosts.equiv authentication together
> with successful RSA host authentication is allowed.
>diff -up openssh-5.4p1/sshd_config.pka openssh-5.4p1/sshd_config
>--- openssh-5.4p1/sshd_config.pka	2010-03-09 08:01:04.000000000 +0100
>+++ openssh-5.4p1/sshd_config	2010-03-09 08:01:06.000000000 +0100
>@@ -45,6 +45,8 @@ SyslogFacility AUTHPRIV
> #RSAAuthentication yes
> #PubkeyAuthentication yes
> #AuthorizedKeysFile	.ssh/authorized_keys
>+#PubkeyAgent none
>+#PubkeyAgentRunAs nobody
> 
> # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
> #RhostsRSAAuthentication no

Actions: View | Diff

Attachments on bug 1663: 1703 | 1765 | 1804 | 1811 | 1850 | 1895 | 1896 | 1915 | 1920 | 2067 | 2083 | 2191