Bugzilla – Attachment 3411 Details for Bug 2755
[PATCH] sshd_config: allow directories in AuthorizedKeysFile=
Attachment 3411 (patch, obsolete): sshd_config: allow directories in AuthorizedKeysFile=
Filename: 0001-sshd_config-allow-directories-in-AuthorizedKeysFile.patch
MIME Type: text/plain
Size: 4.71 KB
Creator: Luca BRUNO
Created: 2020-06-18 19:38:04 AEST
Flags: patch, obsolete
>From e2410e4e1a3177e22170845eeb24bb69a0ebe229 Mon Sep 17 00:00:00 2001 >From: Luca Bruno <luca.bruno@coreos.com> >Date: Wed, 17 Jun 2020 14:28:02 +0000 >Subject: [PATCH] sshd_config: allow directories in AuthorizedKeysFile= > >This enhances AuthorizedKeysFile= to accept directory paths in >addition to single files. >It provides an include semantics similar to `.d` / `run-parts(8)` >approach, offering a consistent way for different entities to add >public keys to a given account without single-file contention. >--- > auth2-pubkey.c | 77 ++++++++++++++++++++++++++++++++++++++++++-------- > sshd_config.5 | 2 ++ > 2 files changed, 67 insertions(+), 12 deletions(-) > >diff --git a/auth2-pubkey.c b/auth2-pubkey.c >index 815ea0f2..885335fa 100644 >--- a/auth2-pubkey.c >+++ b/auth2-pubkey.c >@@ -34,6 +34,7 @@ > #ifdef HAVE_PATHS_H > # include <paths.h> > #endif >+#include <dirent.h> > #include <pwd.h> > #include <signal.h> > #include <stdio.h> 
>@@ -841,16 +842,52 @@ user_cert_trusted_ca(struct ssh *ssh, struct passwd *pw, struct sshkey *key, > return ret; > } > >+/* >+ * Opens file at path and checks whether key is allowed in it. >+ * This returns 1 if the key is allowed or 0 otherwise. >+ */ >+static int >+open_check_authkeys_file(struct ssh *ssh, struct passwd *pw, >+ struct sshkey *key, char *filepath, struct sshauthopt **authoptsp) >+{ >+ int found_key = 0; >+ FILE *f; >+ >+ debug("trying public key file %s", filepath); >+ f = auth_openkeyfile(filepath, pw, options.strict_modes); >+ if (f != NULL) { >+ found_key = check_authkeys_file(ssh, pw, f, filepath, >+ key, authoptsp); >+ fclose(f); >+ } >+ return found_key; >+} >+ >+/* >+ * Filters dotfiles from directory scan results. >+ */ >+static int >+user_key_dotfiles_filter(const struct dirent *entry) { >+ if (entry->d_ino == 0) >+ return 0; >+ >+ if (strlen(entry->d_name) == 0 || entry->d_name[0] == '.') >+ return 0; >+ >+ return 1; >+} >+ > /* > * Checks whether key is allowed in file. > * returns 1 if the key is allowed or 0 otherwise. > */ > static int > user_key_allowed2(struct ssh *ssh, struct passwd *pw, struct sshkey *key, >- char *file, struct sshauthopt **authoptsp) >+ char *path, struct sshauthopt **authoptsp) > { >- FILE *f; >- int found_key = 0; >+ char inner_filepath[PATH_MAX]; >+ int dir_entries, dir_index = 0, found_key = 0, r; >+ struct dirent **namelist; > > if (authoptsp != NULL) > *authoptsp = NULL; 
>@@ -858,11 +895,27 @@ user_key_allowed2(struct ssh *ssh, struct passwd *pw, struct sshkey *key, > /* Temporarily use the user's uid. */ > temporarily_use_uid(pw); > >- debug("trying public key file %s", file); >- if ((f = auth_openkeyfile(file, pw, options.strict_modes)) != NULL) { >- found_key = check_authkeys_file(ssh, pw, f, file, >- key, authoptsp); >- fclose(f); >+ dir_entries = scandir(path, &namelist, user_key_dotfiles_filter, alphasort); >+ if (dir_entries >= 0) { >+ debug("checking directory %s for public key files", path); >+ >+ for(dir_index = 0; found_key == 0 && dir_index < dir_entries; dir_index++) { >+ r = snprintf(inner_filepath, sizeof(inner_filepath), "%s/%s", >+ path, namelist[dir_index]->d_name); >+ if (r <= 0 || (size_t)r >= sizeof(inner_filepath)) >+ continue; >+ found_key = open_check_authkeys_file(ssh, pw, key, >+ inner_filepath, authoptsp); >+ if (found_key == 1) >+ break; >+ } >+ >+ for(dir_index = 0; dir_index < dir_entries; dir_index++) { >+ free(namelist[dir_index]); >+ } >+ free(namelist); >+ } else { >+ found_key = open_check_authkeys_file(ssh, pw, key, path, authoptsp); > } > > restore_uid(); >@@ -1009,7 +1062,7 @@ user_key_allowed(struct ssh *ssh, struct passwd *pw, struct sshkey *key, > int auth_attempt, struct sshauthopt **authoptsp) > { > u_int success = 0, i; >- char *file; >+ char *path; > struct sshauthopt *opts = NULL; > > if (authoptsp != NULL) >@@ -1024,10 +1077,10 @@ user_key_allowed(struct ssh *ssh, struct passwd *pw, struct sshkey *key, > for (i = 0; !success && i < options.num_authkeys_files; i++) { > if (strcasecmp(options.authorized_keys_files[i], "none") == 0) > continue; >- file = expand_authorized_keys( >+ path = expand_authorized_keys( > options.authorized_keys_files[i], pw); >- success = user_key_allowed2(ssh, pw, key, file, &opts); >- free(file); >+ success = user_key_allowed2(ssh, pw, key, path, &opts); >+ free(path); > if (!success) { > sshauthopt_free(opts); > opts = NULL; 
>diff --git a/sshd_config.5 b/sshd_config.5 >index 17d8c130..b7ea89e8 100644 >--- a/sshd_config.5 >+++ b/sshd_config.5 >@@ -281,6 +281,8 @@ After expansion, > is taken to be an absolute path or one relative to the user's home > directory. > Multiple files may be listed, separated by whitespace. >+If a directory is specified, all files beneath it are included (non-recursively >+and ignoring dotfiles). > Alternately this option may be set to > .Cm none > to skip checking for user keys in files. >-- >2.27.0 >
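Review bot: the `#include <dirent.h>` hunk in auth2-pubkey.c pulls in scandir(3) and alphasort(3), yet the diffstat shows only auth2-pubkey.c and sshd_config.5 changing, so there is no configure check or openbsd-compat fallback for either function; for the portable tree this needs either a configure.ac test with a compat implementation, or a statement in the commit message that the patch targets OpenBSD only.

Review bot: in the hunk adding `user_key_dotfiles_filter`, the filter rejects only dotfiles and zero-inode entries, so every other name in the directory is handed to auth_openkeyfile in turn, including subdirectories, special files and, more importantly for security, editor backups such as `foo~` or package-manager leftovers such as `foo.rpmsave`, which then remain valid key sources after an operator thinks a key was removed; run-parts(8), which the commit message cites as the model, excludes such names. Suggest either filtering non-regular entries and common backup suffixes in the filter, or at least documenting that every regular file counts. In the same hunk the comment above `user_key_allowed2` still reads "Checks whether key is allowed in file." although the parameter is now `path` and may name a directory; update it to describe the directory case.

Review bot: in the `user_key_allowed2` body hunk, any failure of `scandir` is treated as "path is a regular file" and falls through to `open_check_authkeys_file`, but only `ENOTDIR` actually means that; an existing directory that the user cannot read (`EACCES`) or an allocation failure will then be opened as a file and produce a misleading failure from auth_openkeyfile. Suggest testing errno explicitly and logging the other cases, e.g. `if (dir_entries < 0 && errno != ENOTDIR) debug("scandir %s: %s", path, strerror(errno));` before deciding which branch to take. Two smaller points in the same loop: the `found_key == 0 &&` loop condition and the `if (found_key == 1) break;` do the same job, so one of them can go; and the `continue` on snprintf truncation silently skips an entry, which deserves at least a debug message naming the entry, since a skipped file is indistinguishable from a file that simply did not contain the key.

Review bot: the sshd_config.5 hunk says which files are included but not in what order they are consulted or what happens on a match; since the code sorts with alphasort and stops at the first file that contains the key (so that file's options are the ones applied), the manual should say so, e.g. "Files in the directory are tried in alphabetical order and the first file containing the key is used." It should also note that the StrictModes checks apply to each file in the directory as they do to a single AuthorizedKeysFile.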
Attachments on bug 2755: 3028, 3411