Attachment 2438 Details for Bug 2081 – Reworked version of the patch using environment variables

[patch] Reworked version of the patch using environment variables

openssh-akcenv-enhanced.patch (text/plain), 4.75 KB, created by Lukas Fleischer on 2014-06-06 20:39:52 AEST

(hide)

Description:

Filename:

MIME Type:

Creator: Lukas Fleischer

Created: 2014-06-06 20:39:52 AEST

Size: 4.75 KB

patch

obsolete

>diff --git auth2-pubkey.c auth2-pubkey.c
>index 0fd27bb..25b1c1c 100644
>--- auth2-pubkey.c
>+++ auth2-pubkey.c
>@@ -509,7 +509,7 @@ user_key_command_allowed2(struct passwd *user_pw, Key *key)
> 	struct stat st;
> 	int status, devnull, p[2], i;
> 	pid_t pid;
>-	char *username, errmsg[512];
>+	char *username, *keytext, errmsg[512];
> 
> 	if (options.authorized_keys_command == NULL ||
> 	    options.authorized_keys_command[0] != '/')
>@@ -568,6 +568,23 @@ user_key_command_allowed2(struct passwd *user_pw, Key *key)
> 		for (i = 0; i < NSIG; i++)
> 			signal(i, SIG_DFL);
> 
>+		keytext = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
>+		if (setenv(SSH_KEY_FINGERPRINT_ENV_NAME, keytext, 1) == -1) {
>+			error("%s: setenv: %s", __func__, strerror(errno));
>+			_exit(1);
>+		}
>+
>+		if (!key_write_str(key, &keytext)) {
>+			error("%s: key_write_str: %s", __func__,
>+			    strerror(errno));
>+			_exit(1);
>+		}
>+		if (setenv(SSH_KEY_ENV_NAME, keytext, 1) == -1) {
>+			error("%s: setenv: %s", __func__, strerror(errno));
>+			_exit(1);
>+		}
>+		free(keytext);
>+
> 		if ((devnull = open(_PATH_DEVNULL, O_RDWR)) == -1) {
> 			error("%s: open %s: %s", __func__, _PATH_DEVNULL,
> 			    strerror(errno));
>diff --git key.c key.c
>index e8fc5b1..fafc3fa 100644
>--- key.c
>+++ key.c
>@@ -691,15 +691,13 @@ read_bignum(char **cpp, BIGNUM * value)
> }
> 
> static int
>-write_bignum(FILE *f, BIGNUM *num)
>+write_bignum(char **s, BIGNUM *num)
> {
>-	char *buf = BN_bn2dec(num);
>-	if (buf == NULL) {
>+	*s = BN_bn2dec(num);
>+	if (*s == NULL) {
> 		error("write_bignum: BN_bn2dec() failed");
> 		return 0;
> 	}
>-	fprintf(f, " %s", buf);
>-	OPENSSL_free(buf);
> 	return 1;
> }
> #endif
>@@ -889,11 +887,12 @@ key_read(Key *ret, char **cpp)
> }
> 
> int
>-key_write(const Key *key, FILE *f)
>+key_write_str(const Key *key, char **s)
> {
> 	int n, success = 0;
> #ifdef WITH_SSH1
> 	u_int bits = 0;
>+	char *se = NULL, *sn = NULL;
> #endif
> 	u_int len;
> 	u_char *blob;
>@@ -917,12 +916,19 @@ key_write(const Key *key, FILE *f)
> 			return 0;
> 		/* size of modulus 'n' */
> 		bits = BN_num_bits(key->rsa->n);
>-		fprintf(f, "%u", bits);
>-		if (write_bignum(f, key->rsa->e) &&
>-		    write_bignum(f, key->rsa->n))
>-			return 1;
>-		error("key_write: failed for RSA key");
>-		return 0;
>+		if (!write_bignum(&se, key->rsa->e) ||
>+		    !write_bignum(&sn, key->rsa->n)) {
>+			error("key_write_str: failed for RSA key");
>+			goto done;
>+		}
>+		xasprintf(s, "%u %s %s", bits, se, sn);
>+		success = 1;
>+done:
>+		if (se != NULL)
>+			OPENSSL_free(se);
>+		if (sn != NULL)
>+			OPENSSL_free(sn);
>+		return success;
> #endif
> #ifdef WITH_OPENSSL
> 	case KEY_DSA:
>@@ -958,7 +964,7 @@ key_write(const Key *key, FILE *f)
> 	uu = xmalloc(2*len);
> 	n = uuencode(blob, len, uu, 2*len);
> 	if (n > 0) {
>-		fprintf(f, "%s %s", key_ssh_name(key), uu);
>+		xasprintf(s, "%s %s", key_ssh_name(key), uu);
> 		success = 1;
> 	}
> 	free(blob);
>@@ -967,6 +973,19 @@ key_write(const Key *key, FILE *f)
> 	return success;
> }
> 
>+int
>+key_write(const Key *key, FILE *f)
>+{
>+	char *s;
>+
>+	if (!key_write_str(key, &s))
>+		return 0;
>+	fputs(s, f);
>+	free(s);
>+
>+	return 1;
>+}
>+
> const char *
> key_cert_type(const Key *k)
> {
>diff --git key.h key.h
>index d8ad13d..e2bbfad 100644
>--- key.h
>+++ key.h
>@@ -106,6 +106,7 @@ char		*key_fingerprint(const Key *, enum fp_type, enum fp_rep);
> u_char		*key_fingerprint_raw(const Key *, enum fp_type, u_int *);
> const char	*key_type(const Key *);
> const char	*key_cert_type(const Key *);
>+int		 key_write_str(const Key *, char **);
> int		 key_write(const Key *, FILE *);
> int		 key_read(Key *, char **);
> u_int		 key_size(const Key *);
>diff --git ssh.h ssh.h
>index c94633b..411ea86 100644
>--- ssh.h
>+++ ssh.h
>@@ -97,3 +97,15 @@
> 
> /* Listen backlog for sshd, ssh-agent and forwarding sockets */
> #define SSH_LISTEN_BACKLOG		128
>+
>+/*
>+ * Name of the environment variable containing the incoming key passed
>+ * to AuthorizedKeysCommand.
>+ */
>+#define SSH_KEY_ENV_NAME "SSH_KEY"
>+
>+/*
>+ * Name of the environment variable containing the incoming key fingerprint
>+ * passed to AuthorizedKeysCommand.
>+ */
>+#define SSH_KEY_FINGERPRINT_ENV_NAME "SSH_KEY_FINGERPRINT"
>diff --git sshd_config.5 sshd_config.5
>index 88be8d9..9780f8f 100644
>--- sshd_config.5
>+++ sshd_config.5
>@@ -203,6 +203,11 @@ It will be invoked with a single argument of the username
> being authenticated, and should produce on standard output zero or
> more lines of authorized_keys output (see AUTHORIZED_KEYS in
> .Xr sshd 8 ) .
>+The key being used for authentication (the key's type and the key text itself,
>+separated by a space) will be available in the
>+.Ev SSH_KEY
>+environment variable, and the fingerprint of the key will be available in the
>+.Ev SSH_KEY_FINGERPRINT environment variable.
> If a key supplied by AuthorizedKeysCommand does not successfully authenticate
> and authorize the user then public key authentication continues using the usual
> .Cm AuthorizedKeysFile

Actions: View | Diff

Attachments on bug 2081: 2412 | 2416 | 2417 | 2438 | 2477 | 2478 | 2479 | 2522 | 2544 | 2545 | 2546 | 2549 | 2556 | 2557