Bugzilla – Attachment 2438 Details for
Bug 2081
extend the parameters to the AuthorizedKeysCommand
[patch]
Reworked version of the patch using environment variables
openssh-akcenv-enhanced.patch (text/plain), 4.75 KB, created by
Lukas Fleischer
on 2014-06-06 20:39:52 AEST
Description:
Reworked version of the patch using environment variables
Filename:
MIME Type:
Creator:
Lukas Fleischer
Created:
2014-06-06 20:39:52 AEST
Size:
4.75 KB
patch
obsolete
>diff --git auth2-pubkey.c auth2-pubkey.c
>index 0fd27bb..25b1c1c 100644
>--- auth2-pubkey.c
>+++ auth2-pubkey.c
>@@ -509,7 +509,7 @@ user_key_command_allowed2(struct passwd *user_pw, Key *key)
> struct stat st;
> int status, devnull, p[2], i;
> pid_t pid;
>- char *username, errmsg[512];
>+ char *username, *keytext, errmsg[512];
>
> if (options.authorized_keys_command == NULL ||
> options.authorized_keys_command[0] != '/')
>@@ -568,6 +568,23 @@ user_key_command_allowed2(struct passwd *user_pw, Key *key)
> for (i = 0; i < NSIG; i++)
> signal(i, SIG_DFL);
>
>+ keytext = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
>+ if (setenv(SSH_KEY_FINGERPRINT_ENV_NAME, keytext, 1) == -1) {
>+ error("%s: setenv: %s", __func__, strerror(errno));
>+ _exit(1);
>+ }
>+
>+ if (!key_write_str(key, &keytext)) {
>+ error("%s: key_write_str: %s", __func__,
>+ strerror(errno));
>+ _exit(1);
>+ }
>+ if (setenv(SSH_KEY_ENV_NAME, keytext, 1) == -1) {
>+ error("%s: setenv: %s", __func__, strerror(errno));
>+ _exit(1);
>+ }
>+ free(keytext);
>+
> if ((devnull = open(_PATH_DEVNULL, O_RDWR)) == -1) {
> error("%s: open %s: %s", __func__, _PATH_DEVNULL,
> strerror(errno));
>diff --git key.c key.c
>index e8fc5b1..fafc3fa 100644
>--- key.c
>+++ key.c
>@@ -691,15 +691,13 @@ read_bignum(char **cpp, BIGNUM * value)
> }
>
> static int
>-write_bignum(FILE *f, BIGNUM *num)
>+write_bignum(char **s, BIGNUM *num)
> {
>- char *buf = BN_bn2dec(num);
>- if (buf == NULL) {
>+ *s = BN_bn2dec(num);
>+ if (*s == NULL) {
> error("write_bignum: BN_bn2dec() failed");
> return 0;
> }
>- fprintf(f, " %s", buf);
>- OPENSSL_free(buf);
> return 1;
> }
> #endif
>@@ -889,11 +887,12 @@ key_read(Key *ret, char **cpp)
> }
>
> int
>-key_write(const Key *key, FILE *f)
>+key_write_str(const Key *key, char **s)
> {
> int n, success = 0;
> #ifdef WITH_SSH1
> u_int bits = 0;
>+ char *se = NULL, *sn = NULL;
> #endif
> u_int len;
> u_char *blob;
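Review bot: In the `key_write_str` failure branch, `strerror(errno)` reports whatever errno happened to hold, because the `key_write_str` shown in the key.c hunks signals failure through `error()` and a 0 return rather than through errno; `error("%s: key_write_str failed", __func__);` is the accurate message. The string returned by `key_fingerprint()` is also dropped when `keytext` is reassigned by `key_write_str()`; that is harmless in a child about to exec, but if, as elsewhere in OpenSSH, `key_fingerprint()` returns heap memory, a `free(keytext);` after the first `setenv` keeps the two allocations symmetric. Both values describe the key the client offered, which at this point has not been authorized, so a comment such as `/* SSH_KEY and SSH_KEY_FINGERPRINT carry peer-supplied, not-yet-authorized data */` would tell AuthorizedKeysCommand authors to treat them as untrusted input. user_key_command_allowed2 starts and ends outside the hunk.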
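Review bot: `write_bignum` now hands its caller a `BN_bn2dec()` allocation through `*s`, and nothing at the definition says which deallocator applies; the RSA caller in the later hunk correctly uses `OPENSSL_free`, but a future caller reaching for `free()` would mismatch allocators. A header comment such as `/* On success *s holds a BN_bn2dec() string the caller releases with OPENSSL_free(), never free(); on failure *s is NULL. */` pins the contract, and the NULL-on-failure part is what the `if (se != NULL)` cleanup in the RSA hunk relies on.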
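Review bot: `key_write_str` never assigns `*s` on its failure paths (the `goto done` branch and the `n > 0` check in the later key.c hunks), so the output parameter keeps whatever the caller passed in; the `char *s;` in the new `key_write` wrapper is uninitialised and `keytext` in auth2-pubkey.c still points at the fingerprint string when the call fails. Setting `*s = NULL;` at the top of the function, and `char *s = NULL;` in the wrapper hunk, gives callers a defined value on every path. The result is produced by `xasprintf`, so a comment stating `/* On success *s is an xasprintf() string the caller frees with free(). */` would also keep it distinct from the OPENSSL_free() rule that applies to write_bignum's output. The function body continues past the end of this hunk.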
>@@ -917,12 +916,19 @@ key_write(const Key *key, FILE *f)
> return 0;
> /* size of modulus 'n' */
> bits = BN_num_bits(key->rsa->n);
>- fprintf(f, "%u", bits);
>- if (write_bignum(f, key->rsa->e) &&
>- write_bignum(f, key->rsa->n))
>- return 1;
>- error("key_write: failed for RSA key");
>- return 0;
>+ if (!write_bignum(&se, key->rsa->e) ||
>+ !write_bignum(&sn, key->rsa->n)) {
>+ error("key_write_str: failed for RSA key");
>+ goto done;
>+ }
>+ xasprintf(s, "%u %s %s", bits, se, sn);
>+ success = 1;
>+done:
>+ if (se != NULL)
>+ OPENSSL_free(se);
>+ if (sn != NULL)
>+ OPENSSL_free(sn);
>+ return success;
> #endif
> #ifdef WITH_OPENSSL
> case KEY_DSA:
>@@ -958,7 +964,7 @@ key_write(const Key *key, FILE *f)
> uu = xmalloc(2*len);
> n = uuencode(blob, len, uu, 2*len);
> if (n > 0) {
>- fprintf(f, "%s %s", key_ssh_name(key), uu);
>+ xasprintf(s, "%s %s", key_ssh_name(key), uu);
> success = 1;
> }
> free(blob);
>@@ -967,6 +973,19 @@ key_write(const Key *key, FILE *f)
> return success;
> }
>
>+int
>+key_write(const Key *key, FILE *f)
>+{
>+ char *s;
>+
>+ if (!key_write_str(key, &s))
>+ return 0;
>+ fputs(s, f);
>+ free(s);
>+
>+ return 1;
>+}
>+
> const char *
> key_cert_type(const Key *k)
> {
>diff --git key.h key.h
>index d8ad13d..e2bbfad 100644
>--- key.h
>+++ key.h
>@@ -106,6 +106,7 @@ char *key_fingerprint(const Key *, enum fp_type, enum fp_rep);
> u_char *key_fingerprint_raw(const Key *, enum fp_type, u_int *);
> const char *key_type(const Key *);
> const char *key_cert_type(const Key *);
>+int key_write_str(const Key *, char **);
> int key_write(const Key *, FILE *);
> int key_read(Key *, char **);
> u_int key_size(const Key *);
>diff --git ssh.h ssh.h
>index c94633b..411ea86 100644
>--- ssh.h
>+++ ssh.h
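Review bot: The new `key_write` wrapper discards the result of `fputs`, so a short or failed write is reported as success to callers that persist keys to files; the removed fprintf() calls ignored it as well, but the wrapper is the natural place to start propagating it, since the string is already fully built: `int rc = fputs(s, f) != EOF;` then `free(s);` and `return rc;`. The wrapper also pairs `free()` with the `xasprintf` result from key_write_str, which is the correct allocator; a one-line comment saying so would stop a reader from confusing it with the OPENSSL_free() used for write_bignum's output in the RSA hunk above.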
>@@ -97,3 +97,15 @@
>
> /* Listen backlog for sshd, ssh-agent and forwarding sockets */
> #define SSH_LISTEN_BACKLOG 128
>+
>+/*
>+ * Name of the environment variable containing the incoming key passed
>+ * to AuthorizedKeysCommand.
>+ */
>+#define SSH_KEY_ENV_NAME "SSH_KEY"
>+
>+/*
>+ * Name of the environment variable containing the incoming key fingerprint
>+ * passed to AuthorizedKeysCommand.
>+ */
>+#define SSH_KEY_FINGERPRINT_ENV_NAME "SSH_KEY_FINGERPRINT"
>diff --git sshd_config.5 sshd_config.5
>index 88be8d9..9780f8f 100644
>--- sshd_config.5
>+++ sshd_config.5
>@@ -203,6 +203,11 @@ It will be invoked with a single argument of the username
> being authenticated, and should produce on standard output zero or
> more lines of authorized_keys output (see AUTHORIZED_KEYS in
> .Xr sshd 8 ) .
>+The key being used for authentication (the key's type and the key text itself,
>+separated by a space) will be available in the
>+.Ev SSH_KEY
>+environment variable, and the fingerprint of the key will be available in the
>+.Ev SSH_KEY_FINGERPRINT environment variable.
> If a key supplied by AuthorizedKeysCommand does not successfully authenticate
> and authorize the user then public key authentication continues using the usual
> .Cm AuthorizedKeysFile
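Review bot: The comments on the two new macros do not say what format the values take, which is exactly what a command consuming them needs; per the auth2-pubkey.c hunk, SSH_KEY_FINGERPRINT is produced by `key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX)`, i.e. an MD5 fingerprint in hex, and SSH_KEY is the `key_write_str` form, the key type name, a space and the uuencode() output of the key blob. Suggest extending the fingerprint comment to ` * passed to AuthorizedKeysCommand (MD5, hex-encoded; see key_fingerprint()).` and the key comment to name the `"<type> <encoded blob>"` layout, and stating the hash algorithm in the sshd_config.5 hunk too, so that scripts can choose to match on the full key text rather than on the hash alone. Both values describe a key the client offered before authorization has completed, which the man page text could also say explicitly.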