kentpeacock / rpms / openssh

Forked from rpms/openssh 2 years ago
Clone
3e8b5b
diff -up openssh/auth.c.keycat openssh/misc.c
3e8b5b
--- openssh/auth.c.keycat	2015-06-24 10:57:50.158849606 +0200
3e8b5b
+++ openssh/auth.c	2015-06-24 11:04:23.989868638 +0200
3e8b5b
@@ -966,6 +966,14 @@ subprocess(const char *tag, struct passw
3e8b5b
 			_exit(1);
3e8b5b
 		}
3e8b5b
 
3e8b5b
+#ifdef WITH_SELINUX
3e8b5b
+		if (sshd_selinux_setup_env_variables() < 0) {
3e8b5b
+			error ("failed to copy environment:  %s",
3e8b5b
+			    strerror(errno));
3e8b5b
+			_exit(127);
3e8b5b
+		}
3e8b5b
+#endif
3e8b5b
+
3e8b5b
 		execve(av[0], av, child_env);
3e8b5b
 		error("%s exec \"%s\": %s", tag, command, strerror(errno));
3e8b5b
 		_exit(127);
3e8b5b
diff -up openssh/HOWTO.ssh-keycat.keycat openssh/HOWTO.ssh-keycat
3e8b5b
--- openssh/HOWTO.ssh-keycat.keycat	2015-06-24 10:57:50.157849608 +0200
3e8b5b
+++ openssh/HOWTO.ssh-keycat	2015-06-24 10:57:50.157849608 +0200
3e8b5b
@@ -0,0 +1,12 @@
3e8b5b
+The ssh-keycat retrieves the content of the ~/.ssh/authorized_keys
3e8b5b
+of an user in any environment. This includes environments with
3e8b5b
+polyinstantiation of home directories and SELinux MLS policy enabled.
3e8b5b
+
3e8b5b
+To use ssh-keycat, set these options in /etc/ssh/sshd_config file:
3e8b5b
+        AuthorizedKeysCommand /usr/libexec/openssh/ssh-keycat
3e8b5b
+        AuthorizedKeysCommandUser root
3e8b5b
+
3e8b5b
+Do not forget to enable public key authentication:
3e8b5b
+        PubkeyAuthentication yes
3e8b5b
+
3e8b5b
+
3e8b5b
diff -up openssh/Makefile.in.keycat openssh/Makefile.in
3e8b5b
--- openssh/Makefile.in.keycat	2015-06-24 10:57:50.152849621 +0200
3e8b5b
+++ openssh/Makefile.in	2015-06-24 10:57:50.157849608 +0200
3e8b5b
@@ -27,6 +27,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server
3e8b5b
 SSH_KEYSIGN=$(libexecdir)/ssh-keysign
3e8b5b
 SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
3e8b5b
 SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper
3e8b5b
+SSH_KEYCAT=$(libexecdir)/ssh-keycat
3e8b5b
 SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
3e8b5b
 PRIVSEP_PATH=@PRIVSEP_PATH@
3e8b5b
 SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
3e8b5b
@@ -52,6 +52,7 @@ K5LIBS=@K5LIBS@
3e8b5b
 GSSLIBS=@GSSLIBS@
3e8b5b
 SSHLIBS=@SSHLIBS@
3e8b5b
 SSHDLIBS=@SSHDLIBS@
3e8b5b
+KEYCATLIBS=@KEYCATLIBS@
3e8b5b
 LIBEDIT=@LIBEDIT@
3e8b5b
 AR=@AR@
3e8b5b
 AWK=@AWK@
3e8b5b
@@ -65,7 +66,7 @@ EXEEXT=@EXEEXT@
3e8b5b
 MKDIR_P=@MKDIR_P@
3e8b5b
 INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@
3e8b5b
 
3e8b5b
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT)
3e8b5b
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT)
3e8b5b
 
3e8b5b
 XMSS_OBJS=\
3e8b5b
 	ssh-xmss.o \
3e8b5b
@@ -190,6 +191,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT)
3e8b5b
 ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o
3e8b5b
 	$(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lfipscheck $(LIBS) $(LDAPLIBS)
3e8b5b
 
3e8b5b
+ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o uidswap.o
3e8b5b
+	$(LD) -o $@ ssh-keycat.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(KEYCATLIBS) $(LIBS)
3e8b5b
+
3e8b5b
 ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
3e8b5b
 	$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
3e8b5b
 
3e8b5b
@@ -321,6 +325,7 @@ install-files:
3e8b5b
 		$(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \
3e8b5b
 		$(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
3e8b5b
 	fi
3e8b5b
+	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keycat$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-keycat$(EXEEXT)
3e8b5b
 	$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
3e8b5b
 	$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
3e8b5b
 	$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
3e8b5b
diff -up openssh/openbsd-compat/port-linux.h.keycat openssh/openbsd-compat/port-linux.h
3e8b5b
--- openssh/openbsd-compat/port-linux.h.keycat	2015-06-24 10:57:50.150849626 +0200
3e8b5b
+++ openssh/openbsd-compat/port-linux.h	2015-06-24 10:57:50.160849601 +0200
3e8b5b
@@ -25,8 +25,10 @@ void ssh_selinux_setup_pty(char *, const
3e8b5b
 void ssh_selinux_change_context(const char *);
3e8b5b
 void ssh_selinux_setfscreatecon(const char *);
3e8b5b
 
3e8b5b
+int sshd_selinux_enabled(void);
3e8b5b
 void sshd_selinux_copy_context(void);
3e8b5b
 void sshd_selinux_setup_exec_context(char *);
3e8b5b
+int sshd_selinux_setup_env_variables(void);
3e8b5b
 #endif
3e8b5b
 
3e8b5b
 #ifdef LINUX_OOM_ADJUST
3e8b5b
diff -up openssh/openbsd-compat/port-linux-sshd.c.keycat openssh/openbsd-compat/port-linux-sshd.c
3e8b5b
--- openssh/openbsd-compat/port-linux-sshd.c.keycat	2015-06-24 10:57:50.150849626 +0200
3e8b5b
+++ openssh/openbsd-compat/port-linux-sshd.c	2015-06-24 10:57:50.159849603 +0200
3e8b5b
@@ -54,6 +54,20 @@ extern Authctxt *the_authctxt;
3e8b5b
 extern int inetd_flag;
3e8b5b
 extern int rexeced_flag;
3e8b5b
 
3e8b5b
+/* Wrapper around is_selinux_enabled() to log its return value once only */
3e8b5b
+int
3e8b5b
+sshd_selinux_enabled(void)
3e8b5b
+{
3e8b5b
+	static int enabled = -1;
3e8b5b
+
3e8b5b
+	if (enabled == -1) {
3e8b5b
+		enabled = (is_selinux_enabled() == 1);
3e8b5b
+		debug("SELinux support %s", enabled ? "enabled" : "disabled");
3e8b5b
+	}
3e8b5b
+
3e8b5b
+	return (enabled);
3e8b5b
+}
3e8b5b
+
3e8b5b
 /* Send audit message */
3e8b5b
 static int
3e8b5b
 sshd_selinux_send_audit_message(int success, security_context_t default_context,
3e8b5b
@@ -308,7 +322,7 @@ sshd_selinux_getctxbyname(char *pwname,
3e8b5b
 
3e8b5b
 /* Setup environment variables for pam_selinux */
3e8b5b
 static int
3e8b5b
-sshd_selinux_setup_pam_variables(void)
3e8b5b
+sshd_selinux_setup_variables(int(*set_it)(char *, const char *))
3e8b5b
 {
3e8b5b
 	const char *reqlvl;
3e8b5b
 	char *role;
3e8b5b
@@ -319,16 +333,16 @@ sshd_selinux_setup_pam_variables(void)
3e8b5b
 
3e8b5b
 	ssh_selinux_get_role_level(&role, &reqlvl);
3e8b5b
 
3e8b5b
-	rv = do_pam_putenv("SELINUX_ROLE_REQUESTED", role ? role : "");
3e8b5b
+	rv = set_it("SELINUX_ROLE_REQUESTED", role ? role : "");
3e8b5b
 
3e8b5b
 	if (inetd_flag && !rexeced_flag) {
3e8b5b
 		use_current = "1";
3e8b5b
 	} else {
3e8b5b
 		use_current = "";
3e8b5b
-		rv = rv || do_pam_putenv("SELINUX_LEVEL_REQUESTED", reqlvl ? reqlvl: "");
3e8b5b
+		rv = rv || set_it("SELINUX_LEVEL_REQUESTED", reqlvl ? reqlvl: "");
3e8b5b
 	}
3e8b5b
 
3e8b5b
-	rv = rv || do_pam_putenv("SELINUX_USE_CURRENT_RANGE", use_current);
3e8b5b
+	rv = rv || set_it("SELINUX_USE_CURRENT_RANGE", use_current);
3e8b5b
 
3e8b5b
 	if (role != NULL)
3e8b5b
 		free(role);
3e8b5b
@@ -336,6 +350,24 @@ sshd_selinux_setup_pam_variables(void)
3e8b5b
 	return rv;
3e8b5b
 }
3e8b5b
 
3e8b5b
+static int
3e8b5b
+sshd_selinux_setup_pam_variables(void)
3e8b5b
+{
3e8b5b
+	return sshd_selinux_setup_variables(do_pam_putenv);
3e8b5b
+}
3e8b5b
+
3e8b5b
+static int
3e8b5b
+do_setenv(char *name, const char *value)
3e8b5b
+{
3e8b5b
+	return setenv(name, value, 1);
3e8b5b
+}
3e8b5b
+
3e8b5b
+int
3e8b5b
+sshd_selinux_setup_env_variables(void)
3e8b5b
+{
3e8b5b
+	return sshd_selinux_setup_variables(do_setenv);
3e8b5b
+}
3e8b5b
+
3e8b5b
 /* Set the execution context to the default for the specified user */
3e8b5b
 void
3e8b5b
 sshd_selinux_setup_exec_context(char *pwname)
3e8b5b
@@ -344,7 +376,7 @@ sshd_selinux_setup_exec_context(char *pw
3e8b5b
 	int r = 0;
3e8b5b
 	security_context_t default_ctx = NULL;
3e8b5b
 
3e8b5b
-	if (!ssh_selinux_enabled())
3e8b5b
+	if (!sshd_selinux_enabled())
3e8b5b
 		return;
3e8b5b
 
3e8b5b
 	if (options.use_pam) {
3e8b5b
@@ -415,7 +447,7 @@ sshd_selinux_copy_context(void)
3e8b5b
 {
3e8b5b
 	security_context_t *ctx;
3e8b5b
 
3e8b5b
-	if (!ssh_selinux_enabled())
3e8b5b
+	if (!sshd_selinux_enabled())
3e8b5b
 		return;
3e8b5b
 
3e8b5b
 	if (getexeccon((security_context_t *)&ctx) != 0) {
3e8b5b
diff -up openssh/platform.c.keycat openssh/platform.c
3e8b5b
--- openssh/platform.c.keycat	2015-06-24 10:57:50.147849633 +0200
3e8b5b
+++ openssh/platform.c	2015-06-24 10:57:50.160849601 +0200
3e8b5b
@@ -103,7 +103,7 @@ platform_setusercontext(struct passwd *p
3e8b5b
 {
3e8b5b
 #ifdef WITH_SELINUX
3e8b5b
 	/* Cache selinux status for later use */
3e8b5b
-	(void)ssh_selinux_enabled();
3e8b5b
+	(void)sshd_selinux_enabled();
3e8b5b
 #endif
3e8b5b
 
3e8b5b
 #ifdef USE_SOLARIS_PROJECTS
3e8b5b
diff -up openssh/ssh-keycat.c.keycat openssh/ssh-keycat.c
3e8b5b
--- openssh/ssh-keycat.c.keycat	2015-06-24 10:57:50.161849599 +0200
3e8b5b
+++ openssh/ssh-keycat.c	2015-06-24 10:57:50.161849599 +0200
3e8b5b
@@ -0,0 +1,241 @@
3e8b5b
+/*
3e8b5b
+ * Redistribution and use in source and binary forms, with or without
3e8b5b
+ * modification, are permitted provided that the following conditions
3e8b5b
+ * are met:
3e8b5b
+ * 1. Redistributions of source code must retain the above copyright
3e8b5b
+ *    notice, and the entire permission notice in its entirety,
3e8b5b
+ *    including the disclaimer of warranties.
3e8b5b
+ * 2. Redistributions in binary form must reproduce the above copyright
3e8b5b
+ *    notice, this list of conditions and the following disclaimer in the
3e8b5b
+ *    documentation and/or other materials provided with the distribution.
3e8b5b
+ * 3. The name of the author may not be used to endorse or promote
3e8b5b
+ *    products derived from this software without specific prior
3e8b5b
+ *    written permission.
3e8b5b
+ *
3e8b5b
+ * ALTERNATIVELY, this product may be distributed under the terms of
3e8b5b
+ * the GNU Public License, in which case the provisions of the GPL are
3e8b5b
+ * required INSTEAD OF the above restrictions.  (This clause is
3e8b5b
+ * necessary due to a potential bad interaction between the GPL and
3e8b5b
+ * the restrictions contained in a BSD-style copyright.)
3e8b5b
+ *
3e8b5b
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
3e8b5b
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
3e8b5b
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
3e8b5b
+ * DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
3e8b5b
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
3e8b5b
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
3e8b5b
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
3e8b5b
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
3e8b5b
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
3e8b5b
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
3e8b5b
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
3e8b5b
+ */
3e8b5b
+
3e8b5b
+/*
3e8b5b
+ * Copyright (c) 2011 Red Hat, Inc.
3e8b5b
+ * Written by Tomas Mraz <tmraz@redhat.com>
3e8b5b
+*/
3e8b5b
+
3e8b5b
+#define _GNU_SOURCE
3e8b5b
+
3e8b5b
+#include "config.h"
3e8b5b
+#include <stdio.h>
3e8b5b
+#include <stdlib.h>
3e8b5b
+#include <string.h>
3e8b5b
+#include <sys/types.h>
3e8b5b
+#include <sys/stat.h>
3e8b5b
+#include <pwd.h>
3e8b5b
+#include <fcntl.h>
3e8b5b
+#include <unistd.h>
3e8b5b
+#ifdef HAVE_STDINT_H
3e8b5b
+#include <stdint.h>
3e8b5b
+#endif
3e8b5b
+
3e8b5b
+#include <security/pam_appl.h>
3e8b5b
+
3e8b5b
+#include "uidswap.h"
3e8b5b
+#include "misc.h"
3e8b5b
+
3e8b5b
+#define ERR_USAGE 1
3e8b5b
+#define ERR_PAM_START 2
3e8b5b
+#define ERR_OPEN_SESSION 3
3e8b5b
+#define ERR_CLOSE_SESSION 4
3e8b5b
+#define ERR_PAM_END 5
3e8b5b
+#define ERR_GETPWNAM 6
3e8b5b
+#define ERR_MEMORY 7
3e8b5b
+#define ERR_OPEN 8
3e8b5b
+#define ERR_FILE_MODE 9
3e8b5b
+#define ERR_FDOPEN 10
3e8b5b
+#define ERR_STAT 11
3e8b5b
+#define ERR_WRITE 12
3e8b5b
+#define ERR_PAM_PUTENV 13
3e8b5b
+#define BUFLEN 4096
3e8b5b
+
3e8b5b
+/* Just ignore the messages in the conversation function */
3e8b5b
+static int
3e8b5b
+dummy_conv(int num_msg, const struct pam_message **msgm,
3e8b5b
+	   struct pam_response **response, void *appdata_ptr)
3e8b5b
+{
3e8b5b
+	struct pam_response *rsp;
3e8b5b
+
3e8b5b
+	(void)msgm;
3e8b5b
+	(void)appdata_ptr;
3e8b5b
+
3e8b5b
+	if (num_msg <= 0)
3e8b5b
+		return PAM_CONV_ERR;
3e8b5b
+
3e8b5b
+	/* Just allocate the array as empty responses */
3e8b5b
+	rsp = calloc (num_msg, sizeof (struct pam_response));
3e8b5b
+	if (rsp == NULL)
3e8b5b
+		return PAM_CONV_ERR;
3e8b5b
+
3e8b5b
+	*response = rsp;
3e8b5b
+	return PAM_SUCCESS;
3e8b5b
+}
3e8b5b
+
3e8b5b
+static struct pam_conv conv = {
3e8b5b
+	dummy_conv,
3e8b5b
+	NULL
3e8b5b
+};
3e8b5b
+
3e8b5b
+char *
3e8b5b
+make_auth_keys_name(const struct passwd *pwd)
3e8b5b
+{
3e8b5b
+	char *fname;
3e8b5b
+
3e8b5b
+	if (asprintf(&fname, "%s/.ssh/authorized_keys", pwd->pw_dir) < 0)
3e8b5b
+		return NULL;
3e8b5b
+
3e8b5b
+	return fname;
3e8b5b
+}
3e8b5b
+
3e8b5b
+int
3e8b5b
+dump_keys(const char *user)
3e8b5b
+{
3e8b5b
+	struct passwd *pwd;
3e8b5b
+	int fd = -1;
3e8b5b
+	FILE *f = NULL;
3e8b5b
+	char *fname = NULL;
3e8b5b
+	int rv = 0;
3e8b5b
+	char buf[BUFLEN];
3e8b5b
+	size_t len;
3e8b5b
+	struct stat st;
3e8b5b
+
3e8b5b
+	if ((pwd = getpwnam(user)) == NULL) {
3e8b5b
+		return ERR_GETPWNAM;
3e8b5b
+	}
3e8b5b
+
3e8b5b
+	if ((fname = make_auth_keys_name(pwd)) == NULL) {
3e8b5b
+		return ERR_MEMORY;
3e8b5b
+	}
3e8b5b
+
3e8b5b
+	temporarily_use_uid(pwd);
3e8b5b
+
3e8b5b
+	if ((fd = open(fname, O_RDONLY|O_NONBLOCK|O_NOFOLLOW, 0)) < 0) {
3e8b5b
+		rv = ERR_OPEN;
3e8b5b
+		goto fail;
3e8b5b
+	}
3e8b5b
+
3e8b5b
+	if (fstat(fd, &st) < 0) {
3e8b5b
+		rv = ERR_STAT;
3e8b5b
+		goto fail;
3e8b5b
+	}
3e8b5b
+
3e8b5b
+	if (!S_ISREG(st.st_mode) || 
3e8b5b
+		(st.st_uid != pwd->pw_uid && st.st_uid != 0)) {
3e8b5b
+		rv = ERR_FILE_MODE;
3e8b5b
+		goto fail;
3e8b5b
+	}
3e8b5b
+
3e8b5b
+	unset_nonblock(fd);
3e8b5b
+
3e8b5b
+	if ((f = fdopen(fd, "r")) == NULL) {
3e8b5b
+		rv = ERR_FDOPEN;
3e8b5b
+		goto fail;
3e8b5b
+	}
3e8b5b
+
3e8b5b
+	fd = -1;
3e8b5b
+
3e8b5b
+	while ((len = fread(buf, 1, sizeof(buf), f)) > 0) {
3e8b5b
+		rv = fwrite(buf, 1, len, stdout) != len ? ERR_WRITE : 0;
3e8b5b
+	}
3e8b5b
+
3e8b5b
+fail:
3e8b5b
+	if (fd != -1)
3e8b5b
+		close(fd);
3e8b5b
+	if (f != NULL)
3e8b5b
+		fclose(f);
3e8b5b
+	free(fname);
3e8b5b
+	restore_uid();
3e8b5b
+	return rv;
3e8b5b
+}
3e8b5b
+
3e8b5b
+static const char *env_names[] = { "SELINUX_ROLE_REQUESTED",
3e8b5b
+	"SELINUX_LEVEL_REQUESTED",
3e8b5b
+	"SELINUX_USE_CURRENT_RANGE"
3e8b5b
+};
3e8b5b
+
3e8b5b
+extern char **environ;
3e8b5b
+
3e8b5b
+int
3e8b5b
+set_pam_environment(pam_handle_t *pamh)
3e8b5b
+{
3e8b5b
+	int i;
3e8b5b
+	size_t j;
3e8b5b
+
3e8b5b
+	for (j = 0; j < sizeof(env_names)/sizeof(env_names[0]); ++j) {
3e8b5b
+		int len = strlen(env_names[j]);
3e8b5b
+
3e8b5b
+		for (i = 0; environ[i] != NULL; ++i) {
3e8b5b
+			if (strncmp(env_names[j], environ[i], len) == 0 &&
3e8b5b
+			    environ[i][len] == '=') {
3e8b5b
+				if (pam_putenv(pamh, environ[i]) != PAM_SUCCESS)
3e8b5b
+					return ERR_PAM_PUTENV;
3e8b5b
+			}
3e8b5b
+		}
3e8b5b
+	}
3e8b5b
+
3e8b5b
+	return 0;
3e8b5b
+}
3e8b5b
+
3e8b5b
+int
3e8b5b
+main(int argc, char *argv[])
3e8b5b
+{
3e8b5b
+	pam_handle_t *pamh = NULL;
3e8b5b
+	int retval;
3e8b5b
+	int ev = 0;
3e8b5b
+
3e8b5b
+	if (argc != 2) {
3e8b5b
+		fprintf(stderr, "Usage: %s <user-name>\n", argv[0]);
3e8b5b
+		return ERR_USAGE;
3e8b5b
+	}
3e8b5b
+
3e8b5b
+	retval = pam_start("ssh-keycat", argv[1], &conv, &pamh);
3e8b5b
+	if (retval != PAM_SUCCESS) {
3e8b5b
+		return ERR_PAM_START;
3e8b5b
+	}
3e8b5b
+
3e8b5b
+	ev = set_pam_environment(pamh);
3e8b5b
+	if (ev != 0)
3e8b5b
+		goto finish;
3e8b5b
+
3e8b5b
+	retval = pam_open_session(pamh, PAM_SILENT);
3e8b5b
+	if (retval != PAM_SUCCESS) {
3e8b5b
+		ev = ERR_OPEN_SESSION;
3e8b5b
+		goto finish;
3e8b5b
+	}
3e8b5b
+
3e8b5b
+	ev = dump_keys(argv[1]);
3e8b5b
+
3e8b5b
+	retval = pam_close_session(pamh, PAM_SILENT);
3e8b5b
+	if (retval != PAM_SUCCESS) {
3e8b5b
+		ev = ERR_CLOSE_SESSION;
3e8b5b
+	}
3e8b5b
+
3e8b5b
+finish:
3e8b5b
+	retval = pam_end (pamh,retval);
3e8b5b
+	if (retval != PAM_SUCCESS) {
3e8b5b
+		ev = ERR_PAM_END;
3e8b5b
+	}
3e8b5b
+	return ev;
3e8b5b
+}
3e8b5b
diff --git a/configure.ac b/configure.ac
3e8b5b
index 3bbccfd..6481f1f 100644
3e8b5b
--- a/configure.ac
3e8b5b
+++ b/configure.ac
3e8b5b
@@ -2952,6 +2952,7 @@ AC_ARG_WITH([pam],
3e8b5b
 			PAM_MSG="yes"
3e8b5b
 
3e8b5b
 			SSHDLIBS="$SSHDLIBS -lpam"
3e8b5b
+			KEYCATLIBS="$KEYCATLIBS -lpam"
3e8b5b
 			AC_DEFINE([USE_PAM], [1],
3e8b5b
 				[Define if you want to enable PAM support])
3e8b5b
 
3e8b5b
@@ -3105,6 +3106,7 @@
3e8b5b
 					;;
3e8b5b
 				*)
3e8b5b
 					SSHDLIBS="$SSHDLIBS -ldl"
3e8b5b
+					KEYCATLIBS="$KEYCATLIBS -ldl"
3e8b5b
 					;;
3e8b5b
 				esac
3e8b5b
 			fi
3e8b5b
@@ -4042,6 +4044,7 @@ AC_ARG_WITH([selinux],
3e8b5b
 )
3e8b5b
 AC_SUBST([SSHLIBS])
3e8b5b
 AC_SUBST([SSHDLIBS])
3e8b5b
+AC_SUBST([KEYCATLIBS])
3e8b5b
 
3e8b5b
 # Check whether user wants Kerberos 5 support
3e8b5b
 KRB5_MSG="no"
3e8b5b
@@ -5031,6 +5034,9 @@ fi
3e8b5b
 if test ! -z "${SSHLIBS}"; then
3e8b5b
 echo "          +for ssh: ${SSHLIBS}"
3e8b5b
 fi
3e8b5b
+if test ! -z "${KEYCATLIBS}"; then
3e8b5b
+echo "   +for ssh-keycat: ${KEYCATLIBS}"
3e8b5b
+fi
3e8b5b
 
3e8b5b
 echo ""
3e8b5b