Bugzilla – Attachment 2474 Details for
Bug 2276
AuthorizedKeysCommand: add an option for alternate owner
[patch]
AuthorizedKeysCommand-add-an-option-for-alternate-ow.patch
0001-AuthorizedKeysCommand-add-an-option-for-alternate-ow.patch (text/plain), 8.50 KB, created by
Alon Bar-Lev
on 2014-09-16 22:32:39 AEST
Description:
AuthorizedKeysCommand-add-an-option-for-alternate-ow.patch
Filename:
MIME Type:
Creator:
Alon Bar-Lev
Created:
2014-09-16 22:32:39 AEST
Size:
8.50 KB
patch
obsolete
>From 5bc2f97cccffa7c824159f40f1fe548211505dd3 Mon Sep 17 00:00:00 2001
>From: Alon Bar-Lev <alon.barlev@gmail.com>
>Date: Tue, 16 Sep 2014 14:39:29 +0300
>Subject: [PATCH] AuthorizedKeysCommand: add an option for alternate owner
>
>Currently the owner of AuthorizedKeysCommand must be root.
>
>A setup in which sshd is running as non root, can enjoy a complete
>and secure environment even if the AuthorizedKeysCommand is owned by a
>different user.
>
>This patch adds AuthorizedKeysCommandOwner option to control the
>ownership check of the AuthorizedKeysCommand. Default is root, so no
>change is done without explicit request.
>
>Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>
>---
> auth2-pubkey.c | 20 ++++++++++++++++++--
> servconf.c | 13 ++++++++++++-
> servconf.h | 2 ++
> sshd_config | 1 +
> sshd_config.0 | 14 +++++++++-----
> sshd_config.5 | 7 ++++++-
> 6 files changed, 48 insertions(+), 9 deletions(-)
>
>diff --git a/auth2-pubkey.c b/auth2-pubkey.c
>index 0fd27bb..2e6b8e1 100644
>--- a/auth2-pubkey.c
>+++ b/auth2-pubkey.c
>@@ -506,10 +506,11 @@ user_key_command_allowed2(struct passwd *user_pw, Key *key)
> FILE *f;
> int ok, found_key = 0;
> struct passwd *pw;
>+ uid_t owneruid = 0;
> struct stat st;
> int status, devnull, p[2], i;
> pid_t pid;
>- char *username, errmsg[512];
>+ char *ownername, *username, errmsg[512];
>
> if (options.authorized_keys_command == NULL ||
> options.authorized_keys_command[0] != '/')
>@@ -520,6 +521,21 @@ user_key_command_allowed2(struct passwd *user_pw, Key *key)
> return 0;
> }
>
>+ if (options.authorized_keys_command_owner != NULL) {
>+ struct passwd *ownerpw;
>+ ownername = percent_expand(options.authorized_keys_command_owner,
>+ "u", user_pw->pw_name, (char *)NULL);
>+ ownerpw = getpwnam(ownername);
>+ if (ownerpw == NULL) {
>+ error("AuthorizedKeysCommandOwner \"%s\" not found: %s",
>+ ownername, strerror(errno));
>+ free(ownername);
>+ return 0;
>+ }
>+ free(ownername);
>+ owneruid = ownerpw->pw_uid;
>+ }
>+
> username = percent_expand(options.authorized_keys_command_user,
> "u", user_pw->pw_name, (char *)NULL);
> pw = getpwnam(username);
>@@ -538,7 +554,7 @@ user_key_command_allowed2(struct passwd *user_pw, Key *key)
> options.authorized_keys_command, strerror(errno));
> goto out;
> }
>- if (auth_secure_path(options.authorized_keys_command, &st, NULL, 0,
>+ if (auth_secure_path(options.authorized_keys_command, &st, NULL, owneruid,
> errmsg, sizeof(errmsg)) != 0) {
> error("Unsafe AuthorizedKeysCommand: %s", errmsg);
> goto out;
>diff --git a/servconf.c b/servconf.c
>index 7ba65d5..47ed815 100644
>--- a/servconf.c
>+++ b/servconf.c
>@@ -146,6 +146,7 @@ initialize_server_options(ServerOptions *options)
> options->adm_forced_command = NULL;
> options->chroot_directory = NULL;
> options->authorized_keys_command = NULL;
>+ options->authorized_keys_command_owner = NULL;
> options->authorized_keys_command_user = NULL;
> options->revoked_keys_file = NULL;
> options->trusted_user_ca_keys = NULL;
>@@ -346,7 +347,7 @@ typedef enum {
> sHostCertificate,
> sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
> sKexAlgorithms, sIPQoS, sVersionAddendum,
>- sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
>+ sAuthorizedKeysCommand, sAuthorizedKeysCommandOwner, sAuthorizedKeysCommandUser,
> sAuthenticationMethods, sHostKeyAgent,
> sDeprecated, sUnsupported
> } ServerOpCodes;
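Review bot: `ownername` is added to the function-scope declaration list, yet it is only used inside the new `if (options.authorized_keys_command_owner != NULL)` block of the following hunk, where `ownerpw` is already declared locally. Declaring both there, `char *ownername; struct passwd *ownerpw;`, keeps the two lookups symmetric and leaves this declaration line untouched. user_key_command_allowed2 continues outside the hunk.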
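Review bot: Nothing stops `AuthorizedKeysCommandOwner` from resolving to the same account as `AuthorizedKeysCommandUser`, and the new manpage text does not spell out the consequence: whoever controls the command file decides which keys are accepted for every user sshd authenticates, so if the file is owned by the unprivileged account the command runs as, a compromise of that account can replace the command, which the previous root-only rule ruled out. Consider rejecting or at least logging that configuration once `pw` is known, e.g. `if (owneruid != 0 && owneruid == pw->pw_uid) logit("AuthorizedKeysCommandOwner is the same account as AuthorizedKeysCommandUser");` after the `pw == NULL` check that follows this hunk, and adding to the sshd_config.5 entry 'This should be a different account from AuthorizedKeysCommandUser, since the owner of the file effectively controls public key authentication for all users.' The `%u` expansion also means the accepted owner can differ per authenticating user, which the new entry does not mention. user_key_command_allowed2 continues outside the hunk.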
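Review bot: The call now passes `owneruid` where the literal `0` was, but neither the hunk nor the new manpage text records what that changes; if `auth_secure_path()` keeps its existing rule of accepting each path component owned by root or by the given uid, the option adds an accepted owner rather than replacing root, and the sshd_config.0/sshd_config.5 wording 'must be owned by value of AuthorizedKeysCommandOwner' should read 'must be owned by root or by the user named by AuthorizedKeysCommandOwner'. A comment above the call would help the next reader: `/* owneruid is 0 (root only) unless AuthorizedKeysCommandOwner is set; auth_secure_path() applies it to the file and its parent directories */` — confirm the parent-directory part against the auth_secure_path() implementation. user_key_command_allowed2 continues outside the hunk.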
>@@ -471,6 +472,7 @@ static struct {
> { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
> { "ipqos", sIPQoS, SSHCFG_ALL },
> { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
>+ { "authorizedkeyscommandowner", sAuthorizedKeysCommandOwner, SSHCFG_ALL },
> { "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
> { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
> { "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },
>@@ -1594,6 +1596,14 @@ process_server_config_line(ServerOptions *options, char *line,
> }
> return 0;
>
>+ case sAuthorizedKeysCommandOwner:
>+ charptr = &options->authorized_keys_command_owner;
>+
>+ arg = strdelim(&cp);
>+ if (*activep && *charptr == NULL)
>+ *charptr = xstrdup(arg);
>+ break;
>+
> case sAuthorizedKeysCommandUser:
> charptr = &options->authorized_keys_command_user;
>
>@@ -2033,6 +2043,7 @@ dump_config(ServerOptions *o)
> o->authorized_principals_file);
> dump_cfg_string(sVersionAddendum, o->version_addendum);
> dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command);
>+ dump_cfg_string(sAuthorizedKeysCommandOwner, o->authorized_keys_command_owner);
> dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user);
> dump_cfg_string(sHostKeyAgent, o->host_key_agent);
> dump_cfg_string(sKexAlgorithms, o->kex_algorithms ? o->kex_algorithms :
>diff --git a/servconf.h b/servconf.h
>index 752d1c5..ab41f05 100644
>--- a/servconf.h
>+++ b/servconf.h
>@@ -174,6 +174,7 @@ typedef struct {
> char *trusted_user_ca_keys;
> char *authorized_principals_file;
> char *authorized_keys_command;
>+ char *authorized_keys_command_owner;
> char *authorized_keys_command_user;
>
> int64_t rekey_limit;
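Review bot: The replaced enumerator line `sAuthorizedKeysCommand, sAuthorizedKeysCommandOwner, sAuthorizedKeysCommandUser,` runs past 80 columns once the leading tab is counted, while the neighbouring lines of this enum are wrapped well short of that. Splitting it as `sAuthorizedKeysCommand, sAuthorizedKeysCommandOwner,` followed by `sAuthorizedKeysCommandUser,` keeps the existing layout. The typedef itself begins outside the hunk.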
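Review bot: The new `sAuthorizedKeysCommandOwner` case hands the result of `strdelim(&cp)` straight to `xstrdup()`, so a config line with no argument passes a NULL or empty string through unchecked; as far as I recall the usual pattern in this function is a fatal missing-argument error, and the sibling `sAuthorizedKeysCommandUser` case this was copied from appears to share the gap (its body is outside the hunk). Add `if (!arg || *arg == '\0') fatal("%s line %d: missing AuthorizedKeysCommandOwner argument.", filename, linenum);` before the `*activep` test, and consider giving the sibling the same guard in a follow-up. process_server_config_line's body lies almost entirely outside the hunk.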
>@@ -210,6 +211,7 @@ struct connection_info {
> M_CP_STROPT(revoked_keys_file); \
> M_CP_STROPT(authorized_principals_file); \
> M_CP_STROPT(authorized_keys_command); \
>+ M_CP_STROPT(authorized_keys_command_owner); \
> M_CP_STROPT(authorized_keys_command_user); \
> M_CP_STRARRAYOPT(authorized_keys_files, num_authkeys_files); \
> M_CP_STRARRAYOPT(allow_users, num_allow_users); \
>diff --git a/sshd_config b/sshd_config
>index e9045bc..dd59e1f 100644
>--- a/sshd_config
>+++ b/sshd_config
>@@ -56,6 +56,7 @@ AuthorizedKeysFile .ssh/authorized_keys
> #AuthorizedPrincipalsFile none
>
> #AuthorizedKeysCommand none
>+#AuthorizedKeysCommandOwner root
> #AuthorizedKeysCommandUser nobody
>
> # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
>diff --git a/sshd_config.0 b/sshd_config.0
>index 413c260..92b6d0c 100644
>--- a/sshd_config.0
>+++ b/sshd_config.0
>@@ -106,16 +106,20 @@ DESCRIPTION
>
> AuthorizedKeysCommand
> Specifies a program to be used to look up the user's public keys.
>- The program must be owned by root and not writable by group or
>- others. It will be invoked with a single argument of the
>- username being authenticated, and should produce on standard
>- output zero or more lines of authorized_keys output (see
>- AUTHORIZED_KEYS in sshd(8)). If a key supplied by
>+ The program must be owned by value of AuthorizedKeysCommandOwner
>+ and not writable by group or others. It will be invoked with a
>+ single argument of the username being authenticated, and should
>+ produce on standard output zero or more lines of authorized_keys
>+ output (see AUTHORIZED_KEYS in sshd(8)). If a key supplied by
> AuthorizedKeysCommand does not successfully authenticate and
> authorize the user then public key authentication continues using
> the usual AuthorizedKeysFile files. By default, no
> AuthorizedKeysCommand is run.
>
>+ AuthorizedKeysCommandOwner
>+ Specifies the user who should own the file referred by
>+ AuthorizedKeysCommand. By default, root.
>+
> AuthorizedKeysCommandUser
> Specifies the user under whose account the AuthorizedKeysCommand
> is run. It is recommended to use a dedicated user that has no
>diff --git a/sshd_config.5 b/sshd_config.5
>index ce71efe..3f3eba4 100644
>--- a/sshd_config.5
>+++ b/sshd_config.5
>@@ -198,7 +198,9 @@ The default is not to require multiple authentication; successful completion
> of a single authentication method is sufficient.
> .It Cm AuthorizedKeysCommand
> Specifies a program to be used to look up the user's public keys.
>-The program must be owned by root and not writable by group or others.
>+The program must be owned by value of
>+.Cm AuthorizedKeysCommandOwner
>+and not writable by group or others.
> It will be invoked with a single argument of the username
> being authenticated, and should produce on standard output zero or
> more lines of authorized_keys output (see AUTHORIZED_KEYS in
>@@ -208,6 +210,9 @@ and authorize the user then public key authentication continues using the usual
> .Cm AuthorizedKeysFile
> files.
> By default, no AuthorizedKeysCommand is run.
>+.It Cm AuthorizedKeysCommandOwner
>+Specifies the user who should own the file referred by
>+AuthorizedKeysCommand. By default, root.
> .It Cm AuthorizedKeysCommandUser
> Specifies the user under whose account the AuthorizedKeysCommand is run.
> It is recommended to use a dedicated user that has no other role on the host
>--
>1.8.5.5
>