

(-)a/auth2-pubkey.c (-2 / +18 lines)
Lines 529-538 user_key_command_allowed2(struct passwd *user_pw, Key *key) Link Here
529
	FILE *f;
529
	FILE *f;
530
	int ok, found_key = 0;
530
	int ok, found_key = 0;
531
	struct passwd *pw;
531
	struct passwd *pw;
532
	uid_t owneruid = 0;
532
	struct stat st;
533
	struct stat st;
533
	int status, devnull, p[2], i;
534
	int status, devnull, p[2], i;
534
	pid_t pid;
535
	pid_t pid;
535
	char *username, errmsg[512];
536
	char *ownername, *username, errmsg[512];
536
537
537
	if (options.authorized_keys_command == NULL ||
538
	if (options.authorized_keys_command == NULL ||
538
	    options.authorized_keys_command[0] != '/')
539
	    options.authorized_keys_command[0] != '/')
Lines 543-548 user_key_command_allowed2(struct passwd *user_pw, Key *key) Link Here
543
		return 0;
544
		return 0;
544
	}
545
	}
545
546
547
	if (options.authorized_keys_command_owner != NULL) {
548
		struct passwd *ownerpw;
549
		ownername = percent_expand(options.authorized_keys_command_owner,
550
		    "u", user_pw->pw_name, (char *)NULL);
551
		ownerpw = getpwnam(ownername);
552
		if (ownerpw == NULL) {
553
			error("AuthorizedKeysCommandOwner \"%s\" not found: %s",
554
			    ownername, strerror(errno));
555
			free(ownername);
556
			return 0;
557
		}
558
		free(ownername);
559
		owneruid = ownerpw->pw_uid;
560
	}
561
546
	username = percent_expand(options.authorized_keys_command_user,
562
	username = percent_expand(options.authorized_keys_command_user,
547
	    "u", user_pw->pw_name, (char *)NULL);
563
	    "u", user_pw->pw_name, (char *)NULL);
548
	pw = getpwnam(username);
564
	pw = getpwnam(username);
Lines 561-567 user_key_command_allowed2(struct passwd *user_pw, Key *key) Link Here
561
		    options.authorized_keys_command, strerror(errno));
577
		    options.authorized_keys_command, strerror(errno));
562
		goto out;
578
		goto out;
563
	}
579
	}
564
	if (auth_secure_path(options.authorized_keys_command, &st, NULL, 0,
580
	if (auth_secure_path(options.authorized_keys_command, &st, NULL, owneruid,
565
	    errmsg, sizeof(errmsg)) != 0) {
581
	    errmsg, sizeof(errmsg)) != 0) {
566
		error("Unsafe AuthorizedKeysCommand: %s", errmsg);
582
		error("Unsafe AuthorizedKeysCommand: %s", errmsg);
567
		goto out;
583
		goto out;
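Review bot: The `owneruid` now passed to auth_secure_path() on new line 580 widens the trust placed in the command path, since (as I read auth_secure_path(), which is not in this hunk) it accepts the file and each directory above it when owned by root or by the uid given, so anyone who can write as the AuthorizedKeysCommandOwner user decides which program sshd runs for key lookup. That interaction with percent_expand() on lines 549-550 deserves a comment, because `%u` lets the owner be the very user being authenticated; I would add above the `if (options.authorized_keys_command_owner != NULL)` block: `/* Non-root owner: the command and every directory above it may be owned by that uid, so it must be a user no one untrusted can write as. */`. The `strerror(errno)` on line 554 mirrors the existing AuthorizedKeysCommandUser message, but getpwnam() is not required to set errno when the name is simply absent, so the suffix may be stale. user_key_command_allowed2() begins before the first hunk and ends after the last.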
(-)a/servconf.c (-1 / +12 lines)
Lines 155-160 initialize_server_options(ServerOptions *options) Link Here
155
	options->adm_forced_command = NULL;
155
	options->adm_forced_command = NULL;
156
	options->chroot_directory = NULL;
156
	options->chroot_directory = NULL;
157
	options->authorized_keys_command = NULL;
157
	options->authorized_keys_command = NULL;
158
	options->authorized_keys_command_owner = NULL;
158
	options->authorized_keys_command_user = NULL;
159
	options->authorized_keys_command_user = NULL;
159
	options->revoked_keys_file = NULL;
160
	options->revoked_keys_file = NULL;
160
	options->trusted_user_ca_keys = NULL;
161
	options->trusted_user_ca_keys = NULL;
Lines 397-403 typedef enum { Link Here
397
	sHostCertificate,
398
	sHostCertificate,
398
	sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
399
	sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
399
	sKexAlgorithms, sIPQoS, sVersionAddendum,
400
	sKexAlgorithms, sIPQoS, sVersionAddendum,
400
	sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
401
	sAuthorizedKeysCommand, sAuthorizedKeysCommandOwner, sAuthorizedKeysCommandUser,
401
	sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
402
	sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
402
	sStreamLocalBindMask, sStreamLocalBindUnlink,
403
	sStreamLocalBindMask, sStreamLocalBindUnlink,
403
	sAllowStreamLocalForwarding, sFingerprintHash,
404
	sAllowStreamLocalForwarding, sFingerprintHash,
Lines 527-532 static struct { Link Here
527
	{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
528
	{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
528
	{ "ipqos", sIPQoS, SSHCFG_ALL },
529
	{ "ipqos", sIPQoS, SSHCFG_ALL },
529
	{ "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
530
	{ "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
531
	{ "authorizedkeyscommandowner", sAuthorizedKeysCommandOwner, SSHCFG_ALL },
530
	{ "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
532
	{ "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
531
	{ "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
533
	{ "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
532
	{ "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },
534
	{ "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },
Lines 1686-1691 process_server_config_line(ServerOptions *options, char *line, Link Here
1686
		}
1688
		}
1687
		return 0;
1689
		return 0;
1688
1690
1691
	case sAuthorizedKeysCommandOwner:
1692
		charptr = &options->authorized_keys_command_owner;
1693
1694
		arg = strdelim(&cp);
1695
		if (*activep && *charptr == NULL)
1696
			*charptr = xstrdup(arg);
1697
		break;
1698
1689
	case sAuthorizedKeysCommandUser:
1699
	case sAuthorizedKeysCommandUser:
1690
		charptr = &options->authorized_keys_command_user;
1700
		charptr = &options->authorized_keys_command_user;
1691
1701
Lines 2165-2170 dump_config(ServerOptions *o) Link Here
2165
	    o->authorized_principals_file);
2175
	    o->authorized_principals_file);
2166
	dump_cfg_string(sVersionAddendum, o->version_addendum);
2176
	dump_cfg_string(sVersionAddendum, o->version_addendum);
2167
	dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command);
2177
	dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command);
2178
	dump_cfg_string(sAuthorizedKeysCommandOwner, o->authorized_keys_command_owner);
2168
	dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user);
2179
	dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user);
2169
	dump_cfg_string(sHostKeyAgent, o->host_key_agent);
2180
	dump_cfg_string(sHostKeyAgent, o->host_key_agent);
2170
	dump_cfg_string(sKexAlgorithms,
2181
	dump_cfg_string(sKexAlgorithms,
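Review bot: The new `case sAuthorizedKeysCommandOwner:` on lines 1691-1697 passes `arg` straight to xstrdup() without checking that strdelim() returned anything, so a bare `AuthorizedKeysCommandOwner` line with no value would hand xstrdup() a NULL pointer. Inserting `if (!arg || *arg == '\0') fatal("%s line %d: missing AuthorizedKeysCommandOwner argument.", filename, linenum);` after the strdelim() call follows the pattern this function uses for other required string arguments; if the neighbouring sAuthorizedKeysCommandUser case (its body is outside the hunk) lacks the same check, it should get it too. The added enum line 401 and the dump_config() line 2178 also run past the 80-column width the surrounding lines keep; wrapping them as the neighbouring entries are wrapped would match the file's style. process_server_config_line() and dump_config() both extend beyond their hunks.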
(-)a/servconf.h (+2 lines)
Lines 178-183 typedef struct { Link Here
178
	char   *trusted_user_ca_keys;
178
	char   *trusted_user_ca_keys;
179
	char   *authorized_principals_file;
179
	char   *authorized_principals_file;
180
	char   *authorized_keys_command;
180
	char   *authorized_keys_command;
181
	char   *authorized_keys_command_owner;
181
	char   *authorized_keys_command_user;
182
	char   *authorized_keys_command_user;
182
183
183
	int64_t rekey_limit;
184
	int64_t rekey_limit;
Lines 216-221 struct connection_info { Link Here
216
		M_CP_STROPT(revoked_keys_file); \
217
		M_CP_STROPT(revoked_keys_file); \
217
		M_CP_STROPT(authorized_principals_file); \
218
		M_CP_STROPT(authorized_principals_file); \
218
		M_CP_STROPT(authorized_keys_command); \
219
		M_CP_STROPT(authorized_keys_command); \
220
		M_CP_STROPT(authorized_keys_command_owner); \
219
		M_CP_STROPT(authorized_keys_command_user); \
221
		M_CP_STROPT(authorized_keys_command_user); \
220
		M_CP_STROPT(hostbased_key_types); \
222
		M_CP_STROPT(hostbased_key_types); \
221
		M_CP_STROPT(pubkey_key_types); \
223
		M_CP_STROPT(pubkey_key_types); \
(-)a/sshd_config (+1 lines)
Lines 56-61 AuthorizedKeysFile .ssh/authorized_keys Link Here
56
#AuthorizedPrincipalsFile none
56
#AuthorizedPrincipalsFile none
57
57
58
#AuthorizedKeysCommand none
58
#AuthorizedKeysCommand none
59
#AuthorizedKeysCommandOwner root
59
#AuthorizedKeysCommandUser nobody
60
#AuthorizedKeysCommandUser nobody
60
61
61
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
62
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
(-)a/sshd_config.5 (-2 / +6 lines)
Lines 230-236 The default is not to require multiple authentication; successful completion Link Here
230
of a single authentication method is sufficient.
230
of a single authentication method is sufficient.
231
.It Cm AuthorizedKeysCommand
231
.It Cm AuthorizedKeysCommand
232
Specifies a program to be used to look up the user's public keys.
232
Specifies a program to be used to look up the user's public keys.
233
The program must be owned by root and not writable by group or others.
233
The program must be owned by value of
234
.Cm AuthorizedKeysCommandOwner
235
and not writable by group or others.
234
It will be invoked with a single argument of the username
236
It will be invoked with a single argument of the username
235
being authenticated, and should produce on standard output zero or
237
being authenticated, and should produce on standard output zero or
236
more lines of authorized_keys output (see AUTHORIZED_KEYS in
238
more lines of authorized_keys output (see AUTHORIZED_KEYS in
Lines 240-245 and authorize the user then public key authentication continues using the usual Link Here
240
.Cm AuthorizedKeysFile
242
.Cm AuthorizedKeysFile
241
files.
243
files.
242
By default, no AuthorizedKeysCommand is run.
244
By default, no AuthorizedKeysCommand is run.
245
.It Cm AuthorizedKeysCommandOwner
246
Specifies the user who should own the file referred by
247
AuthorizedKeysCommand. By default, root.
243
.It Cm AuthorizedKeysCommandUser
248
.It Cm AuthorizedKeysCommandUser
244
Specifies the user under whose account the AuthorizedKeysCommand is run.
249
Specifies the user under whose account the AuthorizedKeysCommand is run.
245
It is recommended to use a dedicated user that has no other role on the host
250
It is recommended to use a dedicated user that has no other role on the host
246
- 
