Bugzilla – Attachment 3028 Details for Bug 2755: [PATCH] sshd_config: allow directories in AuthorizedKeysFile=
[patch] sshd_config: allow directories in AuthorizedKeysFile=
authorized-keys-d.patch (text/plain), 2.46 KB, created by Luca BRUNO on 2017-08-07 19:09:32 AEST
Flags: patch, obsolete
>From 80435d9a5c15f6f474f6b1bac927c09d87b7129b Mon Sep 17 00:00:00 2001 >From: Luca Bruno <luca.bruno@coreos.com> >Date: Wed, 14 Jun 2017 12:51:05 +0000 >Subject: [PATCH] sshd_config: allow directories in AuthorizedKeysFile= > >This commit enhances AuthorizedKeysFile= to accept directory paths >in addition to single files. >It provides an include semantics similar to `.d` / `run-parts(8)` >approach, offering a consistent way for different entities to add >public keys to a given account without single-file contention. >--- > auth2-pubkey.c | 26 ++++++++++++++++++++++++-- > sshd_config.5 | 1 + > 2 files changed, 25 insertions(+), 2 deletions(-) > >diff --git a/auth2-pubkey.c b/auth2-pubkey.c >index 1c59b5bb0..91fbb4053 100644 >--- a/auth2-pubkey.c >+++ b/auth2-pubkey.c >@@ -34,6 +34,7 @@ > #ifdef HAVE_PATHS_H > # include <paths.h> > #endif >+#include <dirent.h> > #include <pwd.h> > #include <signal.h> > #include <stdio.h> >@@ -1075,8 +1076,12 @@ user_key_command_allowed2(struct passwd *user_pw, struct sshkey *key) > int > user_key_allowed(struct passwd *pw, struct sshkey *key, int auth_attempt) > { >+ struct stat st; > u_int success, i; >- char *file; >+ int r; >+ char dfile[PATH_MAX], *file; >+ DIR *dirp; >+ struct dirent *dp; > > if (auth_key_is_revoked(key)) > return 0; 
>@@ -1099,7 +1104,24 @@ user_key_allowed(struct passwd *pw, struct sshkey *key, int auth_attempt) > file = expand_authorized_keys( > options.authorized_keys_files[i], pw); > >- success = user_key_allowed2(pw, key, file); >+ if (stat(file, &st) == 0 && S_ISDIR(st.st_mode) && >+ (dirp = opendir(file)) != NULL) { >+ while ((dp = readdir(dirp)) != NULL) { >+ if (dp->d_ino == 0) >+ continue; >+ if (!strcmp(dp->d_name, ".") || !strcmp(dp->d_name, "..")) >+ continue; >+ r = snprintf(dfile, sizeof(dfile), "%s/%s", file, dp->d_name); >+ if (r <= 0 || (size_t)r >= sizeof(dfile)) >+ continue; >+ if ((success = user_key_allowed2(pw, key, dfile))) >+ break; >+ } >+ closedir(dirp); >+ } else { >+ success = user_key_allowed2(pw, key, file); >+ } >+ > free(file); > } > >diff --git a/sshd_config.5 b/sshd_config.5 >index 76e157f2e..5b5129e8e 100644 >--- a/sshd_config.5 >+++ b/sshd_config.5 >@@ -277,6 +277,7 @@ After expansion, > is taken to be an absolute path or one relative to the user's home > directory. > Multiple files may be listed, separated by whitespace. >+If a directory is specified, all files beneath it are included (non-recursively). > Alternately this option may be set to > .Cm none > to skip checking for user keys in files.
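Review bot: the declarations hunk introduces `char dfile[PATH_MAX]` without adding `<limits.h>` next to the new `<dirent.h>` include, so the build depends on PATH_MAX arriving through the portability headers, and it places a PATH_MAX-sized buffer on the stack of a function that runs once per offered key. The surrounding code already handles `file` as a heap string (it is released with `free(file)` in the visible context), so building the per-entry path with xasprintf() and freeing it after user_key_allowed2() returns would avoid both the PATH_MAX dependency and the `r <= 0 || (size_t)r >= sizeof(dfile)` truncation check. The `dp->d_ino == 0` test is also a legacy idiom that modern readdir() implementations never trigger; it can be dropped.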
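Review bot: in the user_key_allowed() hunk the directory branch filters only `.` and `..` by name and never checks the entry type, so subdirectories, sockets, dotfiles and editor backups such as `.authorized_keys.swp` or `foo~` are all passed to user_key_allowed2() as key files, which does not match the "all files beneath it" wording added to sshd_config.5. Suggest stat()ing each candidate and skipping anything that is not S_ISREG, and either skipping names that start with `.` or applying a run-parts(8)-style name rule, since the commit message cites that convention. Two further points on the same lines: the `stat(file, &st)` check follows symlinks and the directory is enumerated with whatever privileges sshd holds at this point rather than the user's, so the walk should run under temporarily_use_uid(pw)/restore_uid() and the directory itself should be subject to the same ownership and mode checks as a key file before its contents are trusted; and when the path is a directory but opendir() fails, the code silently drops into the else branch and attempts to read the directory as a single key file, so log the opendir() failure with strerror(errno) and `continue` to the next configured path instead.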
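Review bot: the sshd_config.5 hunk's new sentence under-specifies the behaviour the code implements: entries are tried in readdir() order until the first file that authorizes the key, hidden files are not excluded, and only one level is scanned, while "all files beneath it" reads as if subdirectories were descended. Rewording to something like "If a directory is specified, each regular file directly inside it is consulted in turn, as if listed here; subdirectories are not searched." would match the implementation, and the paragraph should also say whether the directory must meet the same ownership and permission requirements as an authorized keys file, which is what an administrator deploying a `.d` layout will ask first.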
Attachments on bug 2755: 3028 | 3411