Bugzilla – Attachment 2560 Details for
Bug 2276
AuthorizedKeysCommand: add an option for alternate owner
[patch]
AuthorizedKeysCommand-add-an-option-for-alternate-ow.patch
0001-AuthorizedKeysCommand-add-an-option-for-alternate-ow.patch (text/plain), 6.92 KB, created by
Alon Bar-Lev
on 2015-03-04 18:36:56 AEDT
Description:
AuthorizedKeysCommand-add-an-option-for-alternate-ow.patch
Filename:
MIME Type:
Creator:
Alon Bar-Lev
Created:
2015-03-04 18:36:56 AEDT
Size:
6.92 KB
patch
obsolete
>From 1f09afcc596b9791ae9b4f0630cb83d8b897e2d1 Mon Sep 17 00:00:00 2001
>From: Alon Bar-Lev <alon.barlev@gmail.com>
>Date: Tue, 7 Oct 2014 15:18:58 +0300
>Subject: [PATCH] AuthorizedKeysCommand: add an option for alternate owner
>
>Currently the owner of AuthorizedKeysCommand must be root.
>
>A setup in which sshd is running as non root, can enjoy a complete
>and secure environment even if the AuthorizedKeysCommand is owned by a
>different user.
>
>This patch adds AuthorizedKeysCommandOwner option to control the
>ownership check of the AuthorizedKeysCommand. Default is root, so no
>change is done without explicit request.
>
>Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>
>Bug-Url: https://bugzilla.mindrot.org/show_bug.cgi?id=2276
>---
> auth2-pubkey.c | 20 ++++++++++++++++++--
> servconf.c | 13 ++++++++++++-
> servconf.h | 2 ++
> sshd_config | 1 +
> sshd_config.5 | 7 ++++++-
> 5 files changed, 39 insertions(+), 4 deletions(-)
>
>diff --git a/auth2-pubkey.c b/auth2-pubkey.c
>index d943efa..beba925 100644
>--- a/auth2-pubkey.c
>+++ b/auth2-pubkey.c
>@@ -529,10 +529,11 @@ user_key_command_allowed2(struct passwd *user_pw, Key *key)
> FILE *f;
> int ok, found_key = 0;
> struct passwd *pw;
>+ uid_t owneruid = 0;
> struct stat st;
> int status, devnull, p[2], i;
> pid_t pid;
>- char *username, errmsg[512];
>+ char *ownername, *username, errmsg[512];
>
> if (options.authorized_keys_command == NULL ||
> options.authorized_keys_command[0] != '/')
>@@ -543,6 +544,21 @@ user_key_command_allowed2(struct passwd *user_pw, Key *key)
> return 0;
> }
>
>+ if (options.authorized_keys_command_owner != NULL) {
>+ struct passwd *ownerpw;
>+ ownername = percent_expand(options.authorized_keys_command_owner,
>+ "u", user_pw->pw_name, (char *)NULL);
>+ ownerpw = getpwnam(ownername);
>+ if (ownerpw == NULL) {
>+ error("AuthorizedKeysCommandOwner \"%s\" not found: %s",
>+ ownername, strerror(errno));
>+ free(ownername);
>+ return 0;
>+ }
>+ free(ownername);
>+ owneruid = ownerpw->pw_uid;
>+ }
>+
> username = percent_expand(options.authorized_keys_command_user,
> "u", user_pw->pw_name, (char *)NULL);
> pw = getpwnam(username);
>@@ -561,7 +577,7 @@ user_key_command_allowed2(struct passwd *user_pw, Key *key)
> options.authorized_keys_command, strerror(errno));
> goto out;
> }
>- if (auth_secure_path(options.authorized_keys_command, &st, NULL, 0,
>+ if (auth_secure_path(options.authorized_keys_command, &st, NULL, owneruid,
> errmsg, sizeof(errmsg)) != 0) {
> error("Unsafe AuthorizedKeysCommand: %s", errmsg);
> goto out;
>diff --git a/servconf.c b/servconf.c
>index 3185462..774b1fb 100644
>--- a/servconf.c
>+++ b/servconf.c
>@@ -155,6 +155,7 @@ initialize_server_options(ServerOptions *options)
> options->adm_forced_command = NULL;
> options->chroot_directory = NULL;
> options->authorized_keys_command = NULL;
>+ options->authorized_keys_command_owner = NULL;
> options->authorized_keys_command_user = NULL;
> options->revoked_keys_file = NULL;
> options->trusted_user_ca_keys = NULL;
>@@ -397,7 +398,7 @@ typedef enum {
> sHostCertificate,
> sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
> sKexAlgorithms, sIPQoS, sVersionAddendum,
>- sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
>+ sAuthorizedKeysCommand, sAuthorizedKeysCommandOwner, sAuthorizedKeysCommandUser,
> sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
> sStreamLocalBindMask, sStreamLocalBindUnlink,
> sAllowStreamLocalForwarding, sFingerprintHash,
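Review bot: The `%u` expansion of AuthorizedKeysCommandOwner at the percent_expand() call near the top of this hunk lets the account being authenticated become the required owner of the very program that produces that account's authorized keys, and nothing in the lookup rejects it; together with the relaxed ownership check in the following hunk, a user who can write that file can authorize themselves. If the token is kept, the lookup should at least refuse the target account, e.g. `if (ownerpw->pw_uid == user_pw->pw_uid) { error("AuthorizedKeysCommandOwner must not be the user being authenticated"); free(ownername); return 0; }` before owneruid is taken. A smaller point: getpwnam() does not set errno for a name that simply does not exist, so the `strerror(errno)` in the error message may print a stale or "Success" value; dropping it, or only appending it when errno is non-zero, would be clearer. user_key_command_allowed2 starts before and continues after this hunk.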
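Review bot: Passing owneruid to auth_secure_path() widens the trust boundary without saying so: as far as I recall that helper accepts the file and each parent directory when owned by root or by the supplied uid, so a non-root owner that is also the AuthorizedKeysCommandUser account, or any account reachable by the users being authenticated, can rewrite the program that decides who logs in. A comment at the call site should record this so the next reader does not assume root-only semantics, e.g. `/* auth_secure_path accepts root or owneruid (default 0) on the file and every parent; owneruid must never be the command user or an authenticating user */`. The sshd_config.5 text added later in this patch should carry the same warning rather than only restating the ownership rule.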
>@@ -527,6 +528,7 @@ static struct {
> { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
> { "ipqos", sIPQoS, SSHCFG_ALL },
> { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
>+ { "authorizedkeyscommandowner", sAuthorizedKeysCommandOwner, SSHCFG_ALL },
> { "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
> { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
> { "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },
>@@ -1686,6 +1688,14 @@ process_server_config_line(ServerOptions *options, char *line,
> }
> return 0;
>
>+ case sAuthorizedKeysCommandOwner:
>+ charptr = &options->authorized_keys_command_owner;
>+
>+ arg = strdelim(&cp);
>+ if (*activep && *charptr == NULL)
>+ *charptr = xstrdup(arg);
>+ break;
>+
> case sAuthorizedKeysCommandUser:
> charptr = &options->authorized_keys_command_user;
>
>@@ -2165,6 +2175,7 @@ dump_config(ServerOptions *o)
> o->authorized_principals_file);
> dump_cfg_string(sVersionAddendum, o->version_addendum);
> dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command);
>+ dump_cfg_string(sAuthorizedKeysCommandOwner, o->authorized_keys_command_owner);
> dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user);
> dump_cfg_string(sHostKeyAgent, o->host_key_agent);
> dump_cfg_string(sKexAlgorithms,
>diff --git a/servconf.h b/servconf.h
>index 9922f0c..046fc21 100644
>--- a/servconf.h
>+++ b/servconf.h
>@@ -178,6 +178,7 @@ typedef struct {
> char *trusted_user_ca_keys;
> char *authorized_principals_file;
> char *authorized_keys_command;
>+ char *authorized_keys_command_owner;
> char *authorized_keys_command_user;
>
> int64_t rekey_limit;
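Review bot: The new sAuthorizedKeysCommandOwner case hands the strdelim() result straight to xstrdup() without checking it, so a config line that carries no argument (a bare `AuthorizedKeysCommandOwner`) gives xstrdup a NULL pointer and crashes the config parser, while a blank value is stored and then fails every later getpwnam() lookup. Add the guard the neighbouring string options use before the `*activep` test, `if (!arg || *arg == '\0') fatal("%s line %d: missing AuthorizedKeysCommandOwner argument.", filename, linenum);` — assuming the function's filename and linenum parameters are named as elsewhere in this file. process_server_config_line's body extends on both sides of the hunk.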
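Review bot: dump_cfg_string() is given o->authorized_keys_command_owner, which no hunk in this patch ever fills in: initialize_server_options sets it to NULL and there is no fill_default_server_options change, so `sshd -T` will not report the "root" default the man page promises, while the real default is the literal `uid_t owneruid = 0` in auth2-pubkey.c. If the documented default is meant to be visible, set it where other defaults are filled, e.g. `if (options->authorized_keys_command_owner == NULL) options->authorized_keys_command_owner = xstrdup("root");`, so that the dump and the auth path agree; otherwise the man page text should say the option is unset by default and that an unset value means root.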
>@@ -216,6 +217,7 @@ struct connection_info {
> M_CP_STROPT(revoked_keys_file); \
> M_CP_STROPT(authorized_principals_file); \
> M_CP_STROPT(authorized_keys_command); \
>+ M_CP_STROPT(authorized_keys_command_owner); \
> M_CP_STROPT(authorized_keys_command_user); \
> M_CP_STROPT(hostbased_key_types); \
> M_CP_STROPT(pubkey_key_types); \
>diff --git a/sshd_config b/sshd_config
>index c9042ac..29b6013 100644
>--- a/sshd_config
>+++ b/sshd_config
>@@ -56,6 +56,7 @@ AuthorizedKeysFile .ssh/authorized_keys
> #AuthorizedPrincipalsFile none
>
> #AuthorizedKeysCommand none
>+#AuthorizedKeysCommandOwner root
> #AuthorizedKeysCommandUser nobody
>
> # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
>diff --git a/sshd_config.5 b/sshd_config.5
>index 6dce0c7..76b203e 100644
>--- a/sshd_config.5
>+++ b/sshd_config.5
>@@ -230,7 +230,9 @@ The default is not to require multiple authentication; successful completion
> of a single authentication method is sufficient.
> .It Cm AuthorizedKeysCommand
> Specifies a program to be used to look up the user's public keys.
>-The program must be owned by root and not writable by group or others.
>+The program must be owned by value of
>+.Cm AuthorizedKeysCommandOwner
>+and not writable by group or others.
> It will be invoked with a single argument of the username
> being authenticated, and should produce on standard output zero or
> more lines of authorized_keys output (see AUTHORIZED_KEYS in
>@@ -240,6 +242,9 @@ and authorize the user then public key authentication continues using the usual
> .Cm AuthorizedKeysFile
> files.
> By default, no AuthorizedKeysCommand is run.
>+.It Cm AuthorizedKeysCommandOwner
>+Specifies the user who should own the file referred by
>+AuthorizedKeysCommand. By default, root.
> .It Cm AuthorizedKeysCommandUser
> Specifies the user under whose account the AuthorizedKeysCommand is run.
> It is recommended to use a dedicated user that has no other role on the host
>--
>2.0.5
>