kentpeacock / rpms / openssh

Forked from rpms/openssh 2 years ago
Clone
f8987c
From b0695cc9f5478daa14d3f451ecdd39ba6e6abe0f Mon Sep 17 00:00:00 2001
f8987c
From: Jakub Jelen <jjelen@redhat.com>
f8987c
Date: Tue, 19 Jan 2016 15:29:22 +0100
f8987c
Subject: [PATCH] authorized_keys_command
f8987c
f8987c
---
f8987c
 pam_ssh_agent_auth-0.9.3/CONTRIBUTORS              |   2 +
f8987c
 pam_ssh_agent_auth-0.9.3/Makefile.in               |  28 +-
f8987c
 pam_ssh_agent_auth-0.9.3/README                    |  38 +++
f8987c
 pam_ssh_agent_auth-0.9.3/configure.ac              |  27 +-
f8987c
 pam_ssh_agent_auth-0.9.3/get_command_line.c        | 113 +++++++
f8987c
 pam_ssh_agent_auth-0.9.3/get_command_line.h        |  40 +++
f8987c
 pam_ssh_agent_auth-0.9.3/identity.h                |  24 ++
f8987c
 pam_ssh_agent_auth-0.9.3/iterate_ssh_agent_keys.c  | 137 ++++++++-
f8987c
 pam_ssh_agent_auth-0.9.3/iterate_ssh_agent_keys.h  |   2 +-
f8987c
 pam_ssh_agent_auth-0.9.3/pam_ssh_agent_auth.c      |  16 +-
f8987c
 pam_ssh_agent_auth-0.9.3/pam_ssh_agent_auth.pod    |  50 ++-
f8987c
 pam_ssh_agent_auth-0.9.3/pam_static_macros.h       |  29 ++
f8987c
 .../pam_user_authorized_keys.c                     |  23 +-
f8987c
 .../pam_user_authorized_keys.h                     |   2 +-
f8987c
 pam_ssh_agent_auth-0.9.3/pam_user_key_allowed2.c   | 334 ++++++++++++++++-----
f8987c
 pam_ssh_agent_auth-0.9.3/pam_user_key_allowed2.h   |   3 +-
f8987c
 pam_ssh_agent_auth-0.9.3/secure_filename.c         |  51 +++-
f8987c
 pam_ssh_agent_auth-0.9.3/secure_filename.h         |   4 +-
f8987c
 pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c |  20 +-
f8987c
 pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.h |   2 +-
f8987c
 20 files changed, 805 insertions(+), 140 deletions(-)
f8987c
 create mode 100644 pam_ssh_agent_auth-0.9.3/README
f8987c
 create mode 100644 pam_ssh_agent_auth-0.9.3/get_command_line.c
f8987c
 create mode 100644 pam_ssh_agent_auth-0.9.3/get_command_line.h
f8987c
f8987c
diff --git a/pam_ssh_agent_auth-0.9.3/CONTRIBUTORS b/pam_ssh_agent_auth-0.9.3/CONTRIBUTORS
f8987c
index d5a21cb..22b424a 100644
f8987c
--- a/pam_ssh_agent_auth-0.9.3/CONTRIBUTORS
f8987c
+++ b/pam_ssh_agent_auth-0.9.3/CONTRIBUTORS
f8987c
@@ -1,3 +1,5 @@
f8987c
 * Foremost, OpenSSH from which this project is derived.
f8987c
 * Jamie Beverly
f8987c
 * Rafael D'Halleweyn - 2011-06-05 18:56:24 EDT
f8987c
+* Jan-Pieter Cornet ( johnpc ) - 2012-03-23 03:25:52 PDT
f8987c
+* chrysn@fsfe.org
f8987c
diff --git a/pam_ssh_agent_auth-0.9.3/Makefile.in b/pam_ssh_agent_auth-0.9.3/Makefile.in
f8987c
index 47bb103..4977838 100644
f8987c
--- a/pam_ssh_agent_auth-0.9.3/Makefile.in
f8987c
+++ b/pam_ssh_agent_auth-0.9.3/Makefile.in
f8987c
@@ -1,4 +1,28 @@
f8987c
 # $Id: Makefile.in,v 1.289 2008/03/13 01:41:31 djm Exp $
f8987c
+#
f8987c
+# Copyright (c) 2000 Markus Friedl.  All rights reserved.
f8987c
+# Modifications Copyright (c) 2008-2014 Jamie Beverly. All Rights reserved
f8987c
+#
f8987c
+# Redistribution and use in source and binary forms, with or without
f8987c
+# modification, are permitted provided that the following conditions
f8987c
+# are met:
f8987c
+# 1. Redistributions of source code must retain the above copyright
f8987c
+#    notice, this list of conditions and the following disclaimer.
f8987c
+# 2. Redistributions in binary form must reproduce the above copyright
f8987c
+#    notice, this list of conditions and the following disclaimer in the
f8987c
+#    documentation and/or other materials provided with the distribution.
f8987c
+#
f8987c
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
f8987c
+# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
f8987c
+# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
f8987c
+# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
f8987c
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
f8987c
+# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
f8987c
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
f8987c
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
f8987c
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
f8987c
+# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
f8987c
+#
f8987c
 
f8987c
 # uncomment if you run a non bourne compatable shell. Ie. csh
f8987c
 #SHELL = @SH@
f8987c
@@ -46,9 +70,9 @@ INSTALL_SSH_RAND_HELPER=@INSTALL_SSH_RAND_HELPER@
f8987c
 
f8987c
 PAM_MODULES=pam_ssh_agent_auth.so
f8987c
 
f8987c
-SSHOBJS=xmalloc.o atomicio.o authfd.o bufaux.o bufbn.o buffer.o cleanup.o entropy.o fatal.o key.o log.o misc.o secure_filename.o ssh-dss.o ssh-rsa.o uuencode.o compat.o
f8987c
+SSHOBJS=xmalloc.o atomicio.o authfd.o bufaux.o bufbn.o buffer.o cleanup.o entropy.o fatal.o key.o log.o misc.o secure_filename.o ssh-dss.o ssh-rsa.o uuencode.o compat.o uidswap.o
f8987c
 
f8987c
-PAM_SSH_AGENT_AUTH_OBJS=pam_user_key_allowed2.o iterate_ssh_agent_keys.o userauth_pubkey_from_id.o pam_user_authorized_keys.o secure_filename.o
f8987c
+PAM_SSH_AGENT_AUTH_OBJS=pam_user_key_allowed2.o iterate_ssh_agent_keys.o userauth_pubkey_from_id.o pam_user_authorized_keys.o secure_filename.o get_command_line.o
f8987c
 
f8987c
 
f8987c
 MANPAGES_IN	= pam_ssh_agent_auth.pod
f8987c
diff --git a/pam_ssh_agent_auth-0.9.3/README b/pam_ssh_agent_auth-0.9.3/README
f8987c
new file mode 100644
f8987c
index 0000000..c1a49ef
f8987c
--- /dev/null
f8987c
+++ b/pam_ssh_agent_auth-0.9.3/README
f8987c
@@ -0,0 +1,38 @@
f8987c
+pam_ssh_agent_auth is a PAM module which permits PAM authentication via your
f8987c
+keyring in a forwarded ssh-agent.
f8987c
+
f8987c
+Release 0.10.1 is stable, and has been tested on FreeBSD, Solaris 10, Solaris 11,
f8987c
+RHEL5, RHEL6, Debian Wheezy, Ubuntu 12.04 (LTS), Ubuntu 13.10,
f8987c
+and MacOS X 10.7.
f8987c
+
f8987c
+This module can be used to provide authentication for anything run locally that
f8987c
+supports PAM. It was written specifically with the intention of permitting
f8987c
+authentication for sudo without password entry, and also has been proven useful
f8987c
+for use with su as an alternative to wheel.
f8987c
+
f8987c
+It serves as middle ground between the two most common, and suboptimal
f8987c
+alternatives for large-scale system administration: allowing rootlogin via ssh,
f8987c
+or using NOPASSWD in sudoers. This module allows for ssh public-key
f8987c
+authentication, and it does this by leveraging an authentication mechanism you
f8987c
+are probably already using, ssh-agent.
f8987c
+
f8987c
+There are caveats of course, ssh-agent forwarding has it’s own security risks
f8987c
+which must be carefully considered for your environment. In cases where there
f8987c
+are not untrustworthy intermediate servers, and you wish to retain traceability,
f8987c
+accountability, and required authentication for privileged command invocation,
f8987c
+the benefits should outweigh the risks. Release 0.10.1 can be downloaded from
f8987c
+SourceForge: https://sourceforge.net/project/showfiles.php?group_id=249556
f8987c
+
f8987c
+If you encounter any issues with usability or security, please use the project's
f8987c
+SourceForge tracker:
f8987c
+https://sourceforge.net/tracker2/?group_id=249556&atid=1126337
f8987c
+
f8987c
+Note that if you wish to use this for sudo, you will need a version of sudo that
f8987c
+preserves the env_keep environment during authentication; and ideally a version
f8987c
+incorporating my minor patch which ensures RUSER is set during PAM authentication.
f8987c
+
f8987c
+sudo 1.6.8p12 does not work correctly with this PAM module, because it clears the
f8987c
+environment (even env_keep variables) prior to attempting PAM authentication.
f8987c
+
f8987c
+sudo 1.7.2p1 or later is preferred, as it correctly sets PAM_RUSER for
f8987c
+authentication.
f8987c
diff --git a/pam_ssh_agent_auth-0.9.3/configure.ac b/pam_ssh_agent_auth-0.9.3/configure.ac
f8987c
index 1f372ce..4eb1f32 100644
f8987c
--- a/pam_ssh_agent_auth-0.9.3/configure.ac
f8987c
+++ b/pam_ssh_agent_auth-0.9.3/configure.ac
f8987c
@@ -18,8 +18,10 @@ AC_INIT(OpenSSH, Portable, openssh-unix-dev@mindrot.org)
f8987c
 AC_REVISION($Revision: 1.397 $)
f8987c
 AC_CONFIG_SRCDIR([pam_ssh_agent_auth.c])
f8987c
 
f8987c
-AC_CONFIG_HEADER(config.h)
f8987c
+AC_CONFIG_SRCDIR([config.h.in])
f8987c
+AC_CONFIG_HEADERS([config.h])
f8987c
 AC_PROG_CC
f8987c
+AC_C_INLINE
f8987c
 AC_CANONICAL_HOST
f8987c
 AC_C_BIGENDIAN
f8987c
 
f8987c
@@ -117,7 +119,6 @@ if test -z "$LD" ; then
f8987c
 fi
f8987c
 AC_SUBST(LD)
f8987c
 
f8987c
-AC_C_INLINE
f8987c
 
f8987c
 AC_CHECK_DECL(LLONG_MAX, have_llong_max=1, , [#include <limits.h>])
f8987c
 
f8987c
@@ -151,7 +152,7 @@ if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
f8987c
 		     ;;
f8987c
 		2.*) no_attrib_nonnull=1 ;;
f8987c
 		3.*) CFLAGS="$CFLAGS -Wsign-compare" ;;
f8987c
-		4.*) CFLAGS="$CFLAGS -Wsign-compare -Wno-pointer-sign" ;;
f8987c
+		4.*) CFLAGS="$CFLAGS -Wsign-compare -Wall -Wextra" ;;
f8987c
 		*) ;;
f8987c
 	esac
f8987c
 
f8987c
@@ -1656,11 +1657,11 @@ fi
f8987c
 
f8987c
 if test "x$check_for_conflicting_getspnam" = "x1"; then
f8987c
 	AC_MSG_CHECKING(for conflicting getspnam in shadow.h)
f8987c
-	AC_COMPILE_IFELSE(
f8987c
+	AC_COMPILE_IFELSE([AC_LANG_SOURCE(
f8987c
 		[
f8987c
 #include <shadow.h>
f8987c
 int main(void) {exit(0);}
f8987c
-		],
f8987c
+		])],
f8987c
 		[
f8987c
 			AC_MSG_RESULT(no)
f8987c
 		],
f8987c
@@ -2720,7 +2721,7 @@ fi
f8987c
 dnl make sure we're using the real structure members and not defines
f8987c
 AC_CACHE_CHECK([for msg_accrights field in struct msghdr],
f8987c
 		ac_cv_have_accrights_in_msghdr, [
f8987c
-	AC_COMPILE_IFELSE(
f8987c
+	AC_COMPILE_IFELSE([AC_LANG_SOURCE(
f8987c
 		[
f8987c
 #include <sys/types.h>
f8987c
 #include <sys/socket.h>
f8987c
@@ -2734,7 +2735,7 @@ struct msghdr m;
f8987c
 m.msg_accrights = 0;
f8987c
 exit(0);
f8987c
 }
f8987c
-		],
f8987c
+		])],
f8987c
 		[ ac_cv_have_accrights_in_msghdr="yes" ],
f8987c
 		[ ac_cv_have_accrights_in_msghdr="no" ]
f8987c
 	)
f8987c
@@ -2747,7 +2748,7 @@ fi
f8987c
 
f8987c
 AC_CACHE_CHECK([for msg_control field in struct msghdr],
f8987c
 		ac_cv_have_control_in_msghdr, [
f8987c
-	AC_COMPILE_IFELSE(
f8987c
+	AC_COMPILE_IFELSE([AC_LANG_SOURCE(
f8987c
 		[
f8987c
 #include <sys/types.h>
f8987c
 #include <sys/socket.h>
f8987c
@@ -2761,7 +2762,7 @@ struct msghdr m;
f8987c
 m.msg_control = 0;
f8987c
 exit(0);
f8987c
 }
f8987c
-		],
f8987c
+		])],
f8987c
 		[ ac_cv_have_control_in_msghdr="yes" ],
f8987c
 		[ ac_cv_have_control_in_msghdr="no" ]
f8987c
 	)
f8987c
@@ -2891,14 +2892,14 @@ AC_SEARCH_LIBS(getrrsetbyname, resolv,
f8987c
 		    saved_LIBS="$LIBS"
f8987c
 		    LIBS="$LIBS -lresolv"
f8987c
 		    AC_MSG_CHECKING(for res_query in -lresolv)
f8987c
-		    AC_LINK_IFELSE([
f8987c
+		    AC_LINK_IFELSE([AC_LANG_SOURCE([
f8987c
 #include <resolv.h>
f8987c
 int main()
f8987c
 {
f8987c
 	res_query (0, 0, 0, 0, 0);
f8987c
 	return 0;
f8987c
 }
f8987c
-			],
f8987c
+			])],
f8987c
 			[LIBS="$LIBS -lresolv"
f8987c
 			 AC_MSG_RESULT(yes)],
f8987c
 			[LIBS="$saved_LIBS"
f8987c
@@ -2915,7 +2916,7 @@ int main()
f8987c
 	])
f8987c
 
f8987c
 AC_MSG_CHECKING(if struct __res_state _res is an extern)
f8987c
-AC_LINK_IFELSE([
f8987c
+AC_LINK_IFELSE([AC_LANG_SOURCE([
f8987c
 #include <stdio.h>
f8987c
 #if HAVE_SYS_TYPES_H
f8987c
 # include <sys/types.h>
f8987c
@@ -2925,7 +2926,7 @@ AC_LINK_IFELSE([
f8987c
 #include <resolv.h>
f8987c
 extern struct __res_state _res;
f8987c
 int main() { return 0; }
f8987c
-		],
f8987c
+		])],
f8987c
 		[AC_MSG_RESULT(yes)
f8987c
 		 AC_DEFINE(HAVE__RES_EXTERN, 1,
f8987c
 		    [Define if you have struct __res_state _res as an extern])
f8987c
diff --git a/pam_ssh_agent_auth-0.9.3/get_command_line.c b/pam_ssh_agent_auth-0.9.3/get_command_line.c
f8987c
new file mode 100644
f8987c
index 0000000..e880fee
f8987c
--- /dev/null
f8987c
+++ b/pam_ssh_agent_auth-0.9.3/get_command_line.c
f8987c
@@ -0,0 +1,113 @@
f8987c
+/*
f8987c
+ * Copyright (c) 2014, Jamie Beverly.
f8987c
+ * All rights reserved.
f8987c
+ *
f8987c
+ * Redistribution and use in source and binary forms, with or without modification, are
f8987c
+ * permitted provided that the following conditions are met:
f8987c
+ *
f8987c
+ *    1. Redistributions of source code must retain the above copyright notice, this list of
f8987c
+ *       conditions and the following disclaimer.
f8987c
+ *
f8987c
+ *    2. Redistributions in binary form must reproduce the above copyright notice, this list
f8987c
+ *       of conditions and the following disclaimer in the documentation and/or other materials
f8987c
+ *       provided with the distribution.
f8987c
+ *
f8987c
+ * THIS SOFTWARE IS PROVIDED BY Jamie Beverly ``AS IS'' AND ANY EXPRESS OR IMPLIED
f8987c
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
f8987c
+ * FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL Jamie Beverly OR
f8987c
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
f8987c
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
f8987c
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
f8987c
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
f8987c
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
f8987c
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
f8987c
+ *
f8987c
+ * The views and conclusions contained in the software and documentation are those of the
f8987c
+ * authors and should not be interpreted as representing official policies, either expressed
f8987c
+ * or implied, of Jamie Beverly.
f8987c
+ */
f8987c
+
f8987c
+#include <stdio.h>
f8987c
+#include <errno.h>
f8987c
+#include <string.h>
f8987c
+
f8987c
+#include "includes.h"
f8987c
+#include "xmalloc.h"
f8987c
+#include "get_command_line.h"
f8987c
+
f8987c
+#ifdef HAVE_PROC_PID_CMDLINE
f8987c
+
f8987c
+static size_t
f8987c
+proc_pid_cmdline(char *** inargv)
f8987c
+{
f8987c
+    pid_t pid;
f8987c
+    FILE *f = NULL;
f8987c
+    char filename[64] = { 0 }, c = '\0';
f8987c
+    char ** argv;
f8987c
+    char argbuf[MAX_LEN_PER_CMDLINE_ARG + 1] = { 0 };
f8987c
+    size_t count = 0, len = 0;
f8987c
+
f8987c
+    pid = getpid();
f8987c
+    argv = NULL;
f8987c
+
f8987c
+    snprintf(filename, sizeof(filename), "/proc/%d/cmdline", pid);
f8987c
+    f = fopen(filename, "r");
f8987c
+
f8987c
+    if (f) { 
f8987c
+        while (!feof(f) && count < MAX_CMDLINE_ARGS) {
f8987c
+            if (len > MAX_LEN_PER_CMDLINE_ARG) {
f8987c
+                while (!feof(f) && (c = fgetc(f)) != '\0');
f8987c
+            }
f8987c
+            else {
f8987c
+                c = fgetc(f);
f8987c
+            }
f8987c
+            switch (c) {
f8987c
+                case EOF:
f8987c
+                case '\0':
f8987c
+                    if (len > 0) { 
f8987c
+                        argv = xrealloc(argv, count + 1, sizeof(*argv));
f8987c
+                        argv[count] = xcalloc(len + 1, sizeof(*argv[count]));
f8987c
+                        strncpy(argv[count++], argbuf, len);
f8987c
+                        memset(argbuf, '\0', MAX_LEN_PER_CMDLINE_ARG + 1);
f8987c
+                        len = 0;
f8987c
+                    }
f8987c
+                    break;
f8987c
+                default:
f8987c
+                    argbuf[len++] = c;
f8987c
+                    break;
f8987c
+            }
f8987c
+        }
f8987c
+        fclose(f);
f8987c
+    }
f8987c
+    *inargv = argv;
f8987c
+    return count;
f8987c
+}
f8987c
+#endif
f8987c
+
f8987c
+
f8987c
+/*
f8987c
+ * takes a pointer to an unallocated array of arrays of strings, populates the
f8987c
+ * given pointer with the address of the allocated array of strings collected
f8987c
+ */
f8987c
+size_t 
f8987c
+pamsshagentauth_get_command_line(char *** argv)
f8987c
+{
f8987c
+#ifdef HAVE_PROC_PID_CMDLINE
f8987c
+    return proc_pid_cmdline(argv);
f8987c
+#else
f8987c
+    /* No other supported implementations at this time */
f8987c
+    return 0;
f8987c
+#endif
f8987c
+}
f8987c
+
f8987c
+void
f8987c
+pamsshagentauth_free_command_line(char ** argv, size_t n_args)
f8987c
+{
f8987c
+    size_t i;
f8987c
+    for (i = 0; i < n_args; i++)
f8987c
+        free(argv[i]);
f8987c
+
f8987c
+    free(argv);
f8987c
+    return;
f8987c
+}
f8987c
+
f8987c
diff --git a/pam_ssh_agent_auth-0.9.3/get_command_line.h b/pam_ssh_agent_auth-0.9.3/get_command_line.h
f8987c
new file mode 100644
f8987c
index 0000000..37cd077
f8987c
--- /dev/null
f8987c
+++ b/pam_ssh_agent_auth-0.9.3/get_command_line.h
f8987c
@@ -0,0 +1,40 @@
f8987c
+/*
f8987c
+ * Copyright (c) 2014, Jamie Beverly.
f8987c
+ * All rights reserved.
f8987c
+ *
f8987c
+ * Redistribution and use in source and binary forms, with or without modification, are
f8987c
+ * permitted provided that the following conditions are met:
f8987c
+ *
f8987c
+ *    1. Redistributions of source code must retain the above copyright notice, this list of
f8987c
+ *       conditions and the following disclaimer.
f8987c
+ *
f8987c
+ *    2. Redistributions in binary form must reproduce the above copyright notice, this list
f8987c
+ *       of conditions and the following disclaimer in the documentation and/or other materials
f8987c
+ *       provided with the distribution.
f8987c
+ *
f8987c
+ * THIS SOFTWARE IS PROVIDED BY Jamie Beverly ``AS IS'' AND ANY EXPRESS OR IMPLIED
f8987c
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
f8987c
+ * FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL Jamie Beverly OR
f8987c
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
f8987c
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
f8987c
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
f8987c
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
f8987c
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
f8987c
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
f8987c
+ *
f8987c
+ * The views and conclusions contained in the software and documentation are those of the
f8987c
+ * authors and should not be interpreted as representing official policies, either expressed
f8987c
+ * or implied, of Jamie Beverly.
f8987c
+ */
f8987c
+
f8987c
+#ifndef _GET_COMMAND_LINE_H
f8987c
+#define _GET_COMMAND_LINE_H
f8987c
+
f8987c
+#include "includes.h"
f8987c
+
f8987c
+size_t pamsshagentauth_get_command_line(char ***);
f8987c
+void pamsshagentauth_free_command_line(char **, size_t);
f8987c
+#define MAX_CMDLINE_ARGS 255
f8987c
+#define MAX_LEN_PER_CMDLINE_ARG 255
f8987c
+
f8987c
+#endif
f8987c
diff --git a/pam_ssh_agent_auth-0.9.3/identity.h b/pam_ssh_agent_auth-0.9.3/identity.h
f8987c
index eb21320..0bde782 100644
f8987c
--- a/pam_ssh_agent_auth-0.9.3/identity.h
f8987c
+++ b/pam_ssh_agent_auth-0.9.3/identity.h
f8987c
@@ -1,3 +1,27 @@
f8987c
+/*
f8987c
+ * Copyright (c) 2000 Markus Friedl.  All rights reserved.
f8987c
+ *
f8987c
+ * Redistribution and use in source and binary forms, with or without
f8987c
+ * modification, are permitted provided that the following conditions
f8987c
+ * are met:
f8987c
+ * 1. Redistributions of source code must retain the above copyright
f8987c
+ *    notice, this list of conditions and the following disclaimer.
f8987c
+ * 2. Redistributions in binary form must reproduce the above copyright
f8987c
+ *    notice, this list of conditions and the following disclaimer in the
f8987c
+ *    documentation and/or other materials provided with the distribution.
f8987c
+ *
f8987c
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
f8987c
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
f8987c
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
f8987c
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
f8987c
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
f8987c
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
f8987c
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
f8987c
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
f8987c
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
f8987c
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
f8987c
+ */
f8987c
+
f8987c
 #ifndef _IDENTITY_H
f8987c
 #define _IDENTITY_H
f8987c
 #include "includes.h"
f8987c
diff --git a/pam_ssh_agent_auth-0.9.3/iterate_ssh_agent_keys.c b/pam_ssh_agent_auth-0.9.3/iterate_ssh_agent_keys.c
f8987c
index 11ab6e2..6b4d531 100644
f8987c
--- a/pam_ssh_agent_auth-0.9.3/iterate_ssh_agent_keys.c
f8987c
+++ b/pam_ssh_agent_auth-0.9.3/iterate_ssh_agent_keys.c
f8987c
@@ -28,6 +28,8 @@
f8987c
  */
f8987c
 
f8987c
 
f8987c
+#include <string.h>
f8987c
+
f8987c
 #include "includes.h"
f8987c
 #include "config.h"
f8987c
 
f8987c
@@ -48,26 +50,75 @@
f8987c
 #include <errno.h>
f8987c
 #include <fcntl.h>
f8987c
 #include <openssl/evp.h>
f8987c
+#include "ssh2.h"
f8987c
+#include "misc.h"
f8987c
 
f8987c
 #include "userauth_pubkey_from_id.h"
f8987c
 #include "identity.h"
f8987c
+#include "get_command_line.h"
f8987c
+extern char **environ;
f8987c
+
f8987c
+#define PAM_SSH_AGENT_AUTH_REQUESTv1 101
f8987c
+
f8987c
+static char *
f8987c
+log_action(char ** action, size_t count)
f8987c
+{
f8987c
+    size_t i;
f8987c
+    char *buf = NULL;
f8987c
+
f8987c
+    if (count == 0)
f8987c
+        return NULL;
f8987c
+   
f8987c
+    buf = xcalloc((count * MAX_LEN_PER_CMDLINE_ARG) + (count * 3), sizeof(*buf));
f8987c
+    for (i = 0; i < count; i++) {
f8987c
+        strcat(buf, (i > 0) ? " '" : "'");
f8987c
+        strncat(buf, action[i], MAX_LEN_PER_CMDLINE_ARG);
f8987c
+        strcat(buf, "'");
f8987c
+    }
f8987c
+    return buf;
f8987c
+}
f8987c
+
f8987c
+void
f8987c
+agent_action(Buffer *buf, char ** action, size_t count)
f8987c
+{
f8987c
+    size_t i;
f8987c
+    buffer_init(buf);
f8987c
 
f8987c
-u_char * session_id2 = NULL;
f8987c
-uint8_t session_id_len = 0;
f8987c
+    buffer_put_int(buf, count);
f8987c
+
f8987c
+    for (i = 0; i < count; i++) {
f8987c
+        buffer_put_cstring(buf, action[i]);
f8987c
+    }
f8987c
+}
f8987c
 
f8987c
-u_char *
f8987c
-session_id2_gen()
f8987c
+void
f8987c
+session_id2_gen(Buffer * session_id2, const char * user,
f8987c
+                const char * ruser, const char * servicename)
f8987c
 {
f8987c
     char *cookie = NULL;
f8987c
     uint8_t i = 0;
f8987c
     uint32_t rnd = 0;
f8987c
+    uint8_t cookie_len;
f8987c
+    char hostname[256] = { 0 };
f8987c
+    char pwd[1024] = { 0 };
f8987c
+    time_t ts;
f8987c
+    char ** reported_argv = NULL;
f8987c
+    size_t count = 0;
f8987c
+    char * action_logbuf = NULL;
f8987c
+    Buffer action_agentbuf;
f8987c
+    uint8_t free_logbuf = 0;
f8987c
+    char * retc;
f8987c
+    int32_t reti;
f8987c
 
f8987c
     rnd = arc4random();
f8987c
-    session_id_len = (uint8_t) rnd;
f8987c
+    cookie_len = ((uint8_t) rnd);
f8987c
+    while (cookie_len < 16) { 
f8987c
+        cookie_len += 16;                                          /* Add 16 bytes to the size to ensure that while the length is random, the length is always reasonable; ticket #18 */
f8987c
+    }
f8987c
 
f8987c
-    cookie = calloc(1,session_id_len);
f8987c
+    cookie = xcalloc(1, cookie_len);
f8987c
 
f8987c
-    for (i = 0; i < session_id_len; i++) {
f8987c
+    for (i = 0; i < cookie_len; i++) {
f8987c
         if (i % 4 == 0) {
f8987c
             rnd = arc4random();
f8987c
         }
f8987c
@@ -75,7 +126,64 @@ session_id2_gen()
f8987c
         rnd >>= 8;
f8987c
     }
f8987c
 
f8987c
-    return cookie;
f8987c
+    count = pamsshagentauth_get_command_line(&reported_argv);
f8987c
+    if (count > 0) { 
f8987c
+        free_logbuf = 1;
f8987c
+        action_logbuf = log_action(reported_argv, count);
f8987c
+        agent_action(&action_agentbuf, reported_argv, count);
f8987c
+        pamsshagentauth_free_command_line(reported_argv, count);
f8987c
+    }
f8987c
+    else {
f8987c
+        action_logbuf = "unknown on this platform";
f8987c
+        buffer_init(&action_agentbuf); /* stays empty, means unavailable */
f8987c
+    }
f8987c
+    
f8987c
+    /*
f8987c
+    action = getenv("SUDO_COMMAND");
f8987c
+    if(!action) {
f8987c
+        action = getenv("PAM_AUTHORIZED_ACTION");
f8987c
+        if(!action) {
f8987c
+            action = empty;
f8987c
+        }
f8987c
+    }
f8987c
+    */
f8987c
+
f8987c
+    reti = gethostname(hostname, sizeof(hostname) - 1);
f8987c
+    retc = getcwd(pwd, sizeof(pwd) - 1);
f8987c
+    time(&ts);
f8987c
+
f8987c
+    buffer_init(session_id2);
f8987c
+
f8987c
+    buffer_put_int(session_id2, PAM_SSH_AGENT_AUTH_REQUESTv1);
f8987c
+    /* debug3("cookie: %s", tohex(cookie, cookie_len)); */
f8987c
+    buffer_put_string(session_id2, cookie, cookie_len);
f8987c
+    /* debug3("user: %s", user); */
f8987c
+    buffer_put_cstring(session_id2, user);
f8987c
+    /* debug3("ruser: %s", ruser); */
f8987c
+    buffer_put_cstring(session_id2, ruser);
f8987c
+    /* debug3("servicename: %s", servicename); */
f8987c
+    buffer_put_cstring(session_id2, servicename);
f8987c
+    /* debug3("pwd: %s", pwd); */
f8987c
+    if(retc)
f8987c
+        buffer_put_cstring(session_id2, pwd);
f8987c
+    else
f8987c
+        buffer_put_cstring(session_id2, "");
f8987c
+    /* debug3("action: %s", action_logbuf); */
f8987c
+    buffer_put_string(session_id2, action_agentbuf.buf + action_agentbuf.offset, action_agentbuf.end - action_agentbuf.offset);
f8987c
+    if (free_logbuf) { 
f8987c
+        free(action_logbuf);
f8987c
+        buffer_free(&action_agentbuf);
f8987c
+    }
f8987c
+    /* debug3("hostname: %s", hostname); */
f8987c
+    if(reti >= 0)
f8987c
+        buffer_put_cstring(session_id2, hostname);
f8987c
+    else
f8987c
+        buffer_put_cstring(session_id2, "");
f8987c
+    /* debug3("ts: %ld", ts); */
f8987c
+    buffer_put_int64(session_id2, (uint64_t) ts);
f8987c
+
f8987c
+    free(cookie);
f8987c
+    return;
f8987c
 }
f8987c
 
f8987c
 /* 
f8987c
@@ -174,19 +282,21 @@ ssh_get_authentication_connection_for_uid(uid_t uid)
f8987c
 }
f8987c
 
f8987c
 int
f8987c
-find_authorized_keys(uid_t uid)
f8987c
+find_authorized_keys(const char * user, const char * ruser, const char * servicename)
f8987c
 {
f8987c
+    Buffer session_id2 = { 0 };
f8987c
     Identity *id;
f8987c
     Key *key;
f8987c
     AuthenticationConnection *ac;
f8987c
     char *comment;
f8987c
     uint8_t retval = 0;
f8987c
+    uid_t uid = getpwnam(ruser)->pw_uid;
f8987c
 
f8987c
     OpenSSL_add_all_digests();
f8987c
-    session_id2 = session_id2_gen();
f8987c
+    session_id2_gen(&session_id2, user, ruser, servicename);
f8987c
 
f8987c
     if ((ac = ssh_get_authentication_connection_for_uid(uid))) {
f8987c
-        verbose("Contacted ssh-agent of user %s (%u)", getpwuid(uid)->pw_name, uid);
f8987c
+        verbose("Contacted ssh-agent of user %s (%u)", ruser, uid);
f8987c
         for (key = ssh_get_first_identity(ac, &comment, 2); key != NULL; key = ssh_get_next_identity(ac, &comment, 2)) 
f8987c
         {
f8987c
             if(key != NULL) {
f8987c
@@ -194,7 +304,7 @@ find_authorized_keys(uid_t uid)
f8987c
                 id->key = key;
f8987c
                 id->filename = comment;
f8987c
                 id->ac = ac;
f8987c
-                if(userauth_pubkey_from_id(id)) {
f8987c
+                if(userauth_pubkey_from_id(ruser, id, &session_id2)) {
f8987c
                     retval = 1;
f8987c
                 }
f8987c
                 free(id->filename);
f8987c
@@ -204,12 +314,13 @@ find_authorized_keys(uid_t uid)
f8987c
                     break;
f8987c
             }
f8987c
         }
f8987c
+        buffer_free(&session_id2);
f8987c
         ssh_close_authentication_connection(ac);
f8987c
     }
f8987c
     else {
f8987c
         verbose("No ssh-agent could be contacted");
f8987c
     }
f8987c
-    free(session_id2);
f8987c
+    /*free(session_id2);*/
f8987c
     EVP_cleanup();
f8987c
     return retval;
f8987c
 }
f8987c
diff --git a/pam_ssh_agent_auth-0.9.3/iterate_ssh_agent_keys.h b/pam_ssh_agent_auth-0.9.3/iterate_ssh_agent_keys.h
f8987c
index ed7549e..e6c75aa 100644
f8987c
--- a/pam_ssh_agent_auth-0.9.3/iterate_ssh_agent_keys.h
f8987c
+++ b/pam_ssh_agent_auth-0.9.3/iterate_ssh_agent_keys.h
f8987c
@@ -31,6 +31,6 @@
f8987c
 #ifndef _ITERATE_SSH_AGENT_KEYS_H
f8987c
 #define _ITERATE_SSH_AGENT_KEYS_H
f8987c
 
f8987c
-int find_authorized_keys(uid_t);
f8987c
+int find_authorized_keys(const char * user, const char * ruser, const char * servicename);
f8987c
 
f8987c
 #endif
f8987c
diff --git a/pam_ssh_agent_auth-0.9.3/pam_ssh_agent_auth.c b/pam_ssh_agent_auth-0.9.3/pam_ssh_agent_auth.c
f8987c
index d3f4325..37309f7 100644
f8987c
--- a/pam_ssh_agent_auth-0.9.3/pam_ssh_agent_auth.c
f8987c
+++ b/pam_ssh_agent_auth-0.9.3/pam_ssh_agent_auth.c
f8987c
@@ -59,9 +59,12 @@
f8987c
 #include "pam_user_authorized_keys.h"
f8987c
 
f8987c
 #define strncasecmp_literal(A,B) strncasecmp( A, B, sizeof(B) - 1)
f8987c
+#define UNUSED(expr) do { (void)(expr); } while (0)
f8987c
 
f8987c
 char           *authorized_keys_file = NULL;
f8987c
 uint8_t         allow_user_owned_authorized_keys_file = 0;
f8987c
+char           *authorized_keys_command = NULL;
f8987c
+char           *authorized_keys_command_user = NULL;
f8987c
 
f8987c
 #if ! HAVE___PROGNAME || HAVE_BUNDLE
f8987c
 char           *__progname;
f8987c
@@ -90,6 +93,7 @@ pam_sm_authenticate(pam_handle_t * pamh, int flags, int argc, const char **argv)
f8987c
     facility = SYSLOG_FACILITY_AUTHPRIV;
f8987c
 #endif
f8987c
 
f8987c
+    UNUSED(flags);
f8987c
     pam_get_item(pamh, PAM_SERVICE, (void *) &servicename);
f8987c
 /*
f8987c
  * XXX: 
f8987c
@@ -113,6 +117,12 @@ pam_sm_authenticate(pam_handle_t * pamh, int flags, int argc, const char **argv)
f8987c
         if(strncasecmp_literal(*argv_ptr, "file=") == 0 ) { 
f8987c
             authorized_keys_file_input = *argv_ptr + sizeof("file=") - 1;
f8987c
         }
f8987c
+        if(strncasecmp_literal(*argv_ptr, "authorized_keys_command=") == 0 ) { 
f8987c
+            authorized_keys_command = *argv_ptr + sizeof("authorized_keys_command=") - 1;
f8987c
+        }
f8987c
+        if(strncasecmp_literal(*argv_ptr, "authorized_keys_command_user=") == 0 ) { 
f8987c
+            authorized_keys_command_user = *argv_ptr + sizeof("authorized_keys_command_user=") - 1;
f8987c
+        }
f8987c
 #ifdef ENABLE_SUDO_HACK
f8987c
         if(strncasecmp_literal(*argv_ptr, "sudo_service_name=") == 0) { 
f8987c
             strncpy( sudo_service_name, *argv_ptr + sizeof("sudo_service_name=") - 1, sizeof(sudo_service_name) - 1);
f8987c
@@ -182,7 +192,7 @@ pam_sm_authenticate(pam_handle_t * pamh, int flags, int argc, const char **argv)
f8987c
         /* 
f8987c
          * this pw_uid is used to validate the SSH_AUTH_SOCK, and so must be the uid of the ruser invoking the program, not the target-user
f8987c
          */
f8987c
-        if(find_authorized_keys(getpwnam(ruser)->pw_uid)) {
f8987c
+        if(find_authorized_keys(user, ruser, servicename)) { /* getpwnam(ruser)->pw_uid)) { */
f8987c
             logit("Authenticated: `%s' as `%s' using %s", ruser, user, authorized_keys_file);
f8987c
             retval = PAM_SUCCESS;
f8987c
         } else {
f8987c
@@ -207,6 +217,10 @@ cleanexit:
f8987c
 PAM_EXTERN int __attribute__ ((visibility ("default")))
f8987c
 pam_sm_setcred(pam_handle_t * pamh, int flags, int argc, const char **argv)
f8987c
 {
f8987c
+    UNUSED(pamh);
f8987c
+    UNUSED(flags);
f8987c
+    UNUSED(argc);
f8987c
+    UNUSED(argv);
f8987c
     return PAM_SUCCESS;
f8987c
 }
f8987c
 
f8987c
diff --git a/pam_ssh_agent_auth-0.9.3/pam_ssh_agent_auth.pod b/pam_ssh_agent_auth-0.9.3/pam_ssh_agent_auth.pod
f8987c
index 4570746..76b1f0f 100644
f8987c
--- a/pam_ssh_agent_auth-0.9.3/pam_ssh_agent_auth.pod
f8987c
+++ b/pam_ssh_agent_auth-0.9.3/pam_ssh_agent_auth.pod
f8987c
@@ -1,8 +1,12 @@
f8987c
-=head1 PAM_SSH_AGENT_AUTH
f8987c
+=head1 NAME
f8987c
+
f8987c
+pam_ssh_agent_auth - PAM module for granting permissions based on SSH agent requests
f8987c
+
f8987c
+=head1 DESCRIPTION
f8987c
 
f8987c
 This module provides authentication via ssh-agent.  If an ssh-agent listening at SSH_AUTH_SOCK can successfully authenticate that it has the secret key for a public key in the specified file, authentication is granted, otherwise authentication fails.
f8987c
 
f8987c
-=head1 SUMMARY
f8987c
+=head1 CONFIGURATION
f8987c
 
f8987c
 =over
f8987c
 
f8987c
@@ -10,7 +14,8 @@ This module provides authentication via ssh-agent.  If an ssh-agent listening at
f8987c
  auth	sufficient	pam_ssh_agent_auth.so file=/etc/security/authorized_keys
f8987c
 
f8987c
 =item /etc/sudoers:
f8987c
-
f8987c
+ 
f8987c
+In older versions of sudo (< 1.8.5) it was necessary to set:
f8987c
  Defaults    env_keep += "SSH_AUTH_SOCK"
f8987c
 
f8987c
 =back
f8987c
@@ -33,6 +38,15 @@ Specify the path to the authorized_keys file(s) you would like to use for authen
f8987c
 A flag which enables authorized_keys files to be owned by the invoking user, instead of root. This flag is enabled automatically whenever
f8987c
 the expansions %h or ~ are used.
f8987c
 
f8987c
+=item authorized_keys_command=<path to executable>
f8987c
+
f8987c
+Specify an external command to run, which should take a single argument, the username of the person being authenticated, and emit to its stdout a file in authorized_keys format.
f8987c
+This is ideally suited for use with sssd's sss_ssh_authorizedkeys, for authenticating users via authorized_keys stored in ldap or other sssd supported security service.
f8987c
+
f8987c
+=item authorized_keys_command_user=<username>
f8987c
+
f8987c
+Specify a user to run the authorized_keys_command as. If this option is not specified, the authorized_keys_command will be run as the user being authenticated.
f8987c
+
f8987c
 =item debug
f8987c
 
f8987c
 A flag which enables verbose logging
f8987c
@@ -105,4 +119,34 @@ so this file must be owned by root.
f8987c
 
f8987c
 =back
f8987c
 
f8987c
+=head1 COPYRIGHT
f8987c
+
f8987c
+ Copyright (c) 2008-2014, Jamie Beverly.
f8987c
+ And is based on openssh, and the included works by Markus Friedl, Darren Tucker,
f8987c
+ Todd C. Miller, Ben Lindstrom, Tim Rice, Damien Miller, and many others.
f8987c
+
f8987c
+ All rights reserved.
f8987c
+
f8987c
+ See sources for complete attributions.
f8987c
+ 
f8987c
+ Redistribution and use in source and binary forms, with or without modification, are
f8987c
+ permitted provided that the following conditions are met:
f8987c
+
f8987c
+ 1. Redistributions of source code must retain the above copyright notice, this list of
f8987c
+    conditions and the following disclaimer.
f8987c
+
f8987c
+ 2. Redistributions in binary form must reproduce the above copyright notice, this list
f8987c
+    of conditions and the following disclaimer in the documentation and/or other materials
f8987c
+    provided with the distribution.
f8987c
+
f8987c
+ THIS SOFTWARE IS PROVIDED BY Jamie Beverly ``AS IS'' AND ANY EXPRESS OR IMPLIED
f8987c
+ WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
f8987c
+ FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL Jamie Beverly OR
f8987c
+ CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
f8987c
+ CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
f8987c
+ SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
f8987c
+ ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
f8987c
+ NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
f8987c
+ ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
f8987c
+
f8987c
 =cut
f8987c
diff --git a/pam_ssh_agent_auth-0.9.3/pam_static_macros.h b/pam_ssh_agent_auth-0.9.3/pam_static_macros.h
f8987c
index a4938d3..a991704 100644
f8987c
--- a/pam_ssh_agent_auth-0.9.3/pam_static_macros.h
f8987c
+++ b/pam_ssh_agent_auth-0.9.3/pam_static_macros.h
f8987c
@@ -1,3 +1,32 @@
f8987c
+/*
f8987c
+ * Copyright (c) 2008, Jamie Beverly.
f8987c
+ * All rights reserved.
f8987c
+ *
f8987c
+ * Redistribution and use in source and binary forms, with or without modification, are
f8987c
+ * permitted provided that the following conditions are met:
f8987c
+ *
f8987c
+ *    1. Redistributions of source code must retain the above copyright notice, this list of
f8987c
+ *       conditions and the following disclaimer.
f8987c
+ *
f8987c
+ *    2. Redistributions in binary form must reproduce the above copyright notice, this list
f8987c
+ *       of conditions and the following disclaimer in the documentation and/or other materials
f8987c
+ *       provided with the distribution.
f8987c
+ *
f8987c
+ * THIS SOFTWARE IS PROVIDED BY Jamie Beverly ``AS IS'' AND ANY EXPRESS OR IMPLIED
f8987c
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
f8987c
+ * FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL Jamie Beverly OR
f8987c
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
f8987c
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
f8987c
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
f8987c
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
f8987c
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
f8987c
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
f8987c
+ *
f8987c
+ * The views and conclusions contained in the software and documentation are those of the
f8987c
+ * authors and should not be interpreted as representing official policies, either expressed
f8987c
+ * or implied, of Jamie Beverly.
f8987c
+ */
f8987c
+
f8987c
 #ifndef __PAM_STATIC_MACROS_H
f8987c
 #define __PAM_STATIC_MACROS_H
f8987c
 
f8987c
diff --git a/pam_ssh_agent_auth-0.9.3/pam_user_authorized_keys.c b/pam_ssh_agent_auth-0.9.3/pam_user_authorized_keys.c
f8987c
index 60bef68..abc0a62 100644
f8987c
--- a/pam_ssh_agent_auth-0.9.3/pam_user_authorized_keys.c
f8987c
+++ b/pam_ssh_agent_auth-0.9.3/pam_user_authorized_keys.c
f8987c
@@ -1,4 +1,4 @@
f8987c
-/*
f8987c
+/* 
f8987c
  * Copyright (c) 2008, Jamie Beverly. 
f8987c
  * All rights reserved.
f8987c
  * 
f8987c
@@ -80,9 +80,15 @@
f8987c
 #include "identity.h"
f8987c
 #include "pam_user_key_allowed2.h"
f8987c
 
f8987c
-extern char    *authorized_keys_file;
f8987c
-extern uint8_t  allow_user_owned_authorized_keys_file;
f8987c
-uid_t           authorized_keys_file_allowed_owner_uid;
f8987c
+extern char *authorized_keys_file;
f8987c
+
f8987c
+extern char *authorized_keys_command;
f8987c
+
f8987c
+extern char *authorized_keys_command_user;
f8987c
+
f8987c
+extern uint8_t allow_user_owned_authorized_keys_file;
f8987c
+
f8987c
+uid_t authorized_keys_file_allowed_owner_uid;
f8987c
 
f8987c
 void
f8987c
 parse_authorized_key_file(const char *user, const char *authorized_keys_file_input)
f8987c
@@ -137,8 +143,11 @@ parse_authorized_key_file(const char *user, const char *authorized_keys_file_inp
f8987c
 }
f8987c
 
f8987c
 int
f8987c
-pam_user_key_allowed(Key * key)
f8987c
+pam_user_key_allowed(const char *ruser, Key * key)
f8987c
 {
f8987c
     return pam_user_key_allowed2(getpwuid(authorized_keys_file_allowed_owner_uid), key, authorized_keys_file)
f8987c
-        || pam_user_key_allowed2(getpwuid(0), key, authorized_keys_file);
f8987c
+        || pam_user_key_allowed2(getpwuid(0), key, authorized_keys_file)
f8987c
+        || pam_user_key_command_allowed2(authorized_keys_command,
f8987c
+                                         authorized_keys_command_user,
f8987c
+                                         getpwnam(ruser), key);
f8987c
 }
f8987c
diff --git a/pam_ssh_agent_auth-0.9.3/pam_user_authorized_keys.h b/pam_ssh_agent_auth-0.9.3/pam_user_authorized_keys.h
f8987c
index ae9a4b8..a871bf0 100644
f8987c
--- a/pam_ssh_agent_auth-0.9.3/pam_user_authorized_keys.h
f8987c
+++ b/pam_ssh_agent_auth-0.9.3/pam_user_authorized_keys.h
f8987c
@@ -32,7 +32,7 @@
f8987c
 #define _PAM_USER_KEY_ALLOWED_H
f8987c
 
f8987c
 #include "identity.h"
f8987c
-int pam_user_key_allowed(Key *);
f8987c
+int pam_user_key_allowed(const char *, Key *);
f8987c
 void parse_authorized_key_file(const char *, const char *);
f8987c
 
f8987c
 #endif
f8987c
diff --git a/pam_ssh_agent_auth-0.9.3/pam_user_key_allowed2.c b/pam_ssh_agent_auth-0.9.3/pam_user_key_allowed2.c
f8987c
index c6680e4..4aceecb 100644
f8987c
--- a/pam_ssh_agent_auth-0.9.3/pam_user_key_allowed2.c
f8987c
+++ b/pam_ssh_agent_auth-0.9.3/pam_user_key_allowed2.c
f8987c
@@ -1,4 +1,4 @@
f8987c
-/*
f8987c
+/* 
f8987c
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
f8987c
  *
f8987c
  * Redistribution and use in source and binary forms, with or without
f8987c
@@ -33,9 +33,14 @@
f8987c
 
f8987c
 #include <sys/types.h>
f8987c
 #include <sys/stat.h>
f8987c
+#include <sys/wait.h>
f8987c
+#include <fcntl.h>
f8987c
 
f8987c
 #include <pwd.h>
f8987c
 #include <stdio.h>
f8987c
+#include <signal.h>
f8987c
+#include <errno.h>
f8987c
+#include <string.h>
f8987c
 
f8987c
 #include "xmalloc.h"
f8987c
 #include "ssh.h"
f8987c
@@ -48,87 +53,263 @@
f8987c
 #include "pathnames.h"
f8987c
 #include "misc.h"
f8987c
 #include "secure_filename.h"
f8987c
+#include "uidswap.h"
f8987c
+#include <unistd.h>
f8987c
 
f8987c
 #include "identity.h"
f8987c
 
f8987c
 /* return 1 if user allows given key */
f8987c
 /* Modified slightly from original found in auth2-pubkey.c */
f8987c
+static int
f8987c
+pamsshagentauth_check_authkeys_file(FILE * f, char *file, Key * key)
f8987c
+{
f8987c
+    char line[SSH_MAX_PUBKEY_BYTES];
f8987c
+    int found_key = 0;
f8987c
+    u_long linenum = 0;
f8987c
+    Key *found;
f8987c
+    char *fp;
f8987c
+
f8987c
+    found_key = 0;
f8987c
+    found = key_new(key->type);
f8987c
+
f8987c
+    while(read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
f8987c
+        char *cp = NULL; /* *key_options = NULL; */
f8987c
+
f8987c
+        /* Skip leading whitespace, empty and comment lines. */
f8987c
+        for(cp = line; *cp == ' ' || *cp == '\t'; cp++);
f8987c
+        if(!*cp || *cp == '\n' || *cp == '#')
f8987c
+            continue;
f8987c
+
f8987c
+        if(key_read(found, &cp) != 1) {
f8987c
+            /* no key? check if there are options for this key */
f8987c
+            int quoted = 0;
f8987c
+
f8987c
+            verbose("user_key_allowed: check options: '%s'", cp);
f8987c
+            /* key_options = cp; */
f8987c
+            for(; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) {
f8987c
+                if(*cp == '\\' && cp[1] == '"')
f8987c
+                    cp++;                                  /* Skip both */
f8987c
+                else if(*cp == '"')
f8987c
+                    quoted = !quoted;
f8987c
+            }
f8987c
+            /* Skip remaining whitespace. */
f8987c
+            for(; *cp == ' ' || *cp == '\t'; cp++);
f8987c
+            if(key_read(found, &cp) != 1) {
f8987c
+                verbose("user_key_allowed: advance: '%s'", cp);
f8987c
+                /* still no key? advance to next line */
f8987c
+                continue;
f8987c
+            }
f8987c
+        }
f8987c
+        if(key_equal(found, key)) {
f8987c
+            found_key = 1;
f8987c
+            logit("matching key found: file/command %s, line %lu", file,
f8987c
+                                  linenum);
f8987c
+            fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
f8987c
+            logit("Found matching %s key: %s",
f8987c
+                                  key_type(found), fp);
f8987c
+            free(fp);
f8987c
+            break;
f8987c
+        }
f8987c
+    }
f8987c
+    key_free(found);
f8987c
+    if(!found_key)
f8987c
+        verbose("key not found");
f8987c
+    return found_key;
f8987c
+}
f8987c
+
f8987c
+/* 
f8987c
+ * Checks whether key is allowed in file.
f8987c
+ * returns 1 if the key is allowed or 0 otherwise.
f8987c
+ */
f8987c
 int
f8987c
 pam_user_key_allowed2(struct passwd *pw, Key *key, char *file)
f8987c
 {
f8987c
-	char line[SSH_MAX_PUBKEY_BYTES];
f8987c
-	int found_key = 0;
f8987c
-	FILE *f;
f8987c
-	u_long linenum = 0;
f8987c
-	struct stat st;
f8987c
-	Key *found;
f8987c
-	char *fp;
f8987c
-
f8987c
-	verbose("trying public key file %s", file);
f8987c
-
f8987c
-	/* Fail not so quietly if file does not exist */
f8987c
-	if (stat(file, &st) < 0) {
f8987c
+    FILE *f;
f8987c
+    int found_key = 0;
f8987c
+    struct stat st;
f8987c
+    char buf[SSH_MAX_PUBKEY_BYTES];
f8987c
+
f8987c
+    /* Temporarily use the user's uid. */
f8987c
+    verbose("trying public key file %s", file);
f8987c
+
f8987c
+    /* Fail not so quietly if file does not exist */
f8987c
+    if(stat(file, &st) < 0) {
f8987c
         verbose("File not found: %s", file);
f8987c
-		return 0;
f8987c
-	}
f8987c
-	/* Open the file containing the authorized keys. */
f8987c
-	f = fopen(file, "r");
f8987c
-	if (!f) {
f8987c
-		return 0;
f8987c
-	}
f8987c
-	if (
f8987c
-	    secure_filename(f, file, pw, line, sizeof(line)) != 0) {
f8987c
-		fclose(f);
f8987c
-		logit("Authentication refused: %s", line);
f8987c
-		return 0;
f8987c
-	}
f8987c
-
f8987c
-	found_key = 0;
f8987c
-	found = key_new(key->type);
f8987c
-
f8987c
-	while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
f8987c
-		char *cp, *key_options = NULL;
f8987c
-
f8987c
-		/* Skip leading whitespace, empty and comment lines. */
f8987c
-		for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
f8987c
-			;
f8987c
-		if (!*cp || *cp == '\n' || *cp == '#')
f8987c
-			continue;
f8987c
-
f8987c
-		if (key_read(found, &cp) != 1) {
f8987c
-			/* no key?  check if there are options for this key */
f8987c
-			int quoted = 0;
f8987c
-			verbose("user_key_allowed: check options: '%s'", cp);
f8987c
-			key_options = cp;
f8987c
-			for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) {
f8987c
-				if (*cp == '\\' && cp[1] == '"')
f8987c
-					cp++;	/* Skip both */
f8987c
-				else if (*cp == '"')
f8987c
-					quoted = !quoted;
f8987c
-			}
f8987c
-			/* Skip remaining whitespace. */
f8987c
-			for (; *cp == ' ' || *cp == '\t'; cp++)
f8987c
-				;
f8987c
-			if (key_read(found, &cp) != 1) {
f8987c
-				verbose("user_key_allowed: advance: '%s'", cp);
f8987c
-				/* still no key?  advance to next line*/
f8987c
-				continue;
f8987c
-			}
f8987c
-		}
f8987c
-		if (key_equal(found, key)) {
f8987c
-			found_key = 1;
f8987c
-			logit("matching key found: file %s, line %lu",
f8987c
-			    file, linenum);
f8987c
-			fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
f8987c
-			logit("Found matching %s key: %s",
f8987c
-			    key_type(found), fp);
f8987c
-			free(fp);
f8987c
-			break;
f8987c
-		}
f8987c
-	}
f8987c
-	fclose(f);
f8987c
-	key_free(found);
f8987c
-	if (!found_key)
f8987c
-		verbose("key not found");
f8987c
-	return found_key;
f8987c
+        return 0;
f8987c
+    }
f8987c
+
f8987c
+    /* Open the file containing the authorized keys. */
f8987c
+    f = fopen(file, "r");
f8987c
+    if(!f) {
f8987c
+        return 0;
f8987c
+    }
f8987c
+
f8987c
+    if(secure_filename(f, file, pw, buf, sizeof(buf)) != 0) {
f8987c
+        fclose(f);
f8987c
+        logit("Authentication refused: %s", buf);
f8987c
+        return 0;
f8987c
+    }
f8987c
+
f8987c
+    found_key = pamsshagentauth_check_authkeys_file(f, file, key);
f8987c
+    fclose(f);
f8987c
+    return found_key;
f8987c
+}
f8987c
+
f8987c
+/* 
f8987c
+ * Checks whether key is allowed in output of command.
f8987c
+ * returns 1 if the key is allowed or 0 otherwise.
f8987c
+ */
f8987c
+int
f8987c
+pam_user_key_command_allowed2(char *authorized_keys_command,
f8987c
+                          char *authorized_keys_command_user,
f8987c
+                          struct passwd *user_pw, Key * key)
f8987c
+{
f8987c
+    FILE *f;
f8987c
+    int ok, found_key = 0;
f8987c
+    struct passwd *pw;
f8987c
+    struct stat st;
f8987c
+    int status, devnull, p[2], i;
f8987c
+    pid_t pid;
f8987c
+    char errmsg[512];
f8987c
+    char username[512] = { 0 };
f8987c
+    
f8987c
+
f8987c
+
f8987c
+    if(authorized_keys_command == NULL || authorized_keys_command[0] != '/')
f8987c
+        return 0;
f8987c
+
f8987c
+
f8987c
+    /* getpwnam of authorized_keys_command_user will overwrite the statics used by getpwnam (including pw_name) */
f8987c
+    strncpy(username, user_pw->pw_name, sizeof(username) - 1);
f8987c
+
f8987c
+    /* If no user specified to run commands the default to target user */
f8987c
+    if(authorized_keys_command_user == NULL) {
f8987c
+        pw = user_pw;
f8987c
+    }
f8987c
+    else {
f8987c
+        pw = getpwnam(authorized_keys_command_user);
f8987c
+        if(pw == NULL) {
f8987c
+            error("authorized_keys_command_user \"%s\" not found: %s",
f8987c
+                 authorized_keys_command_user, strerror(errno));
f8987c
+            return 0;
f8987c
+        }
f8987c
+    }
f8987c
+
f8987c
+    temporarily_use_uid(pw);
f8987c
+
f8987c
+    if(stat(authorized_keys_command, &st) < 0) {
f8987c
+        error
f8987c
+            ("Could not stat AuthorizedKeysCommand \"%s\": %s",
f8987c
+             authorized_keys_command, strerror(errno));
f8987c
+        goto out;
f8987c
+    }
f8987c
+    if(pamsshagentauth_auth_secure_path
f8987c
+       (authorized_keys_command, &st, NULL, 0, errmsg, sizeof(errmsg)) != 0) {
f8987c
+        error("Unsafe AuthorizedKeysCommand: %s", errmsg);
f8987c
+        goto out;
f8987c
+    }
f8987c
+
f8987c
+    /* open the pipe and read the keys */
f8987c
+    if(pipe(p) != 0) {
f8987c
+        error("%s: pipe: %s", __func__, strerror(errno));
f8987c
+        goto out;
f8987c
+    }
f8987c
+
f8987c
+    debug("Running AuthorizedKeysCommand: \"%s\" as \"%s\" with argument: \"%s\"",
f8987c
+                          authorized_keys_command, pw->pw_name, username);
f8987c
+
f8987c
+    /* 
f8987c
+     * Don't want to call this in the child, where it can fatal() and
f8987c
+     * run cleanup_exit() code.
f8987c
+     */
f8987c
+    restore_uid();
f8987c
+
f8987c
+    switch ((pid = fork())) {
f8987c
+    case -1:                                              /* error */
f8987c
+        error("%s: fork: %s", __func__, strerror(errno));
f8987c
+        close(p[0]);
f8987c
+        close(p[1]);
f8987c
+        return 0;
f8987c
+    case 0:                                               /* child */
f8987c
+        for(i = 0; i < NSIG; i++)
f8987c
+            signal(i, SIG_DFL);
f8987c
+
f8987c
+        /* do this before the setresuid so thta they can be logged */
f8987c
+        if((devnull = open(_PATH_DEVNULL, O_RDWR)) == -1) {
f8987c
+            error("%s: open %s: %s", __func__, _PATH_DEVNULL,
f8987c
+                                     strerror(errno));
f8987c
+            _exit(1);
f8987c
+        }
f8987c
+        if(dup2(devnull, STDIN_FILENO) == -1 || dup2(p[1], STDOUT_FILENO) == -1
f8987c
+           || dup2(devnull, STDERR_FILENO) == -1) {
f8987c
+            error("%s: dup2: %s", __func__, strerror(errno));
f8987c
+            _exit(1);
f8987c
+        }
f8987c
+#if defined(HAVE_SETRESGID) && !defined(BROKEN_SETRESGID)
f8987c
+        if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) != 0) {
f8987c
+#else
f8987c
+        if (setgid(pw->pw_gid) != 0 || setegid(pw->pw_gid) != 0) {
f8987c
+#endif
f8987c
+            error("setresgid %u: %s", (u_int) pw->pw_gid,
f8987c
+                                     strerror(errno));
f8987c
+            _exit(1);
f8987c
+        }
f8987c
+
f8987c
+#ifdef HAVE_SETRESUID
f8987c
+        if(setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) != 0) {
f8987c
+#else
f8987c
+        if (setuid(pw->pw_uid) != 0 || seteuid(pw->pw_uid) != 0) {
f8987c
+#endif
f8987c
+            error("setresuid %u: %s", (u_int) pw->pw_uid,
f8987c
+                                     strerror(errno));
f8987c
+            _exit(1);
f8987c
+        }
f8987c
+
f8987c
+        close(p[0]);
f8987c
+        closefrom(STDERR_FILENO + 1);
f8987c
+
f8987c
+        execl(authorized_keys_command, authorized_keys_command, username, (char *)NULL);
f8987c
+
f8987c
+        /* pretty sure this will barf because we are now suid, but since we
f8987c
+           should't reach this anyway, I'll leave it here */
f8987c
+        error("AuthorizedKeysCommand %s exec failed: %s",
f8987c
+                                 authorized_keys_command, strerror(errno));
f8987c
+        _exit(127);
f8987c
+    default:                                              /* parent */
f8987c
+        break;
f8987c
+    }
f8987c
+
f8987c
+    temporarily_use_uid(pw);
f8987c
+
f8987c
+    close(p[1]);
f8987c
+    if((f = fdopen(p[0], "r")) == NULL) {
f8987c
+        error("%s: fdopen: %s", __func__, strerror(errno));
f8987c
+        close(p[0]);
f8987c
+        /* Don't leave zombie child */
f8987c
+        while(waitpid(pid, NULL, 0) == -1 && errno == EINTR);
f8987c
+        goto out;
f8987c
+    }
f8987c
+    ok = pamsshagentauth_check_authkeys_file(f, authorized_keys_command, key);
f8987c
+    fclose(f);
f8987c
+
f8987c
+    while(waitpid(pid, &status, 0) == -1) {
f8987c
+        if(errno != EINTR) {
f8987c
+            error("%s: waitpid: %s", __func__,
f8987c
+                                     strerror(errno));
f8987c
+            goto out;
f8987c
+        }
f8987c
+    }
f8987c
+    if(WIFSIGNALED(status)) {
f8987c
+        error("AuthorizedKeysCommand %s exited on signal %d",
f8987c
+                                 authorized_keys_command, WTERMSIG(status));
f8987c
+        goto out;
f8987c
+    } else if(WEXITSTATUS(status) != 0) {
f8987c
+        error("AuthorizedKeysCommand %s returned status %d",
f8987c
+                                 authorized_keys_command, WEXITSTATUS(status));
f8987c
+        goto out;
f8987c
+    }
f8987c
+    found_key = ok;
f8987c
+  out:
f8987c
+    restore_uid();
f8987c
+    return found_key;
f8987c
 }
f8987c
diff --git a/pam_ssh_agent_auth-0.9.3/pam_user_key_allowed2.h b/pam_ssh_agent_auth-0.9.3/pam_user_key_allowed2.h
f8987c
index 416d055..24533a0 100644
f8987c
--- a/pam_ssh_agent_auth-0.9.3/pam_user_key_allowed2.h
f8987c
+++ b/pam_ssh_agent_auth-0.9.3/pam_user_key_allowed2.h
f8987c
@@ -32,5 +32,6 @@
f8987c
 
f8987c
 #include "identity.h"
f8987c
 int pam_user_key_allowed2(struct passwd *, Key *, char *);
f8987c
+int pam_user_key_command_allowed2(char *, char *, struct passwd *, Key *);
f8987c
 
f8987c
 #endif
f8987c
diff --git a/pam_ssh_agent_auth-0.9.3/secure_filename.c b/pam_ssh_agent_auth-0.9.3/secure_filename.c
f8987c
index c24cab2..d685599 100644
f8987c
--- a/pam_ssh_agent_auth-0.9.3/secure_filename.c
f8987c
+++ b/pam_ssh_agent_auth-0.9.3/secure_filename.c
f8987c
@@ -71,29 +71,38 @@
f8987c
  * Returns 0 on success and -1 on failure
f8987c
  */
f8987c
 int
f8987c
-secure_filename(FILE *f, const char *file, struct passwd *pw,
f8987c
-    char *err, size_t errlen)
f8987c
+pamsshagentauth_auth_secure_path(const char *name, struct stat *stp,
f8987c
+        const char *pw_dir, uid_t uid, char *err, size_t errlen)
f8987c
 {
f8987c
-	uid_t uid = pw->pw_uid;
f8987c
 	char buf[MAXPATHLEN], homedir[MAXPATHLEN];
f8987c
 	char *cp;
f8987c
 	int comparehome = 0;
f8987c
 	struct stat st;
f8987c
 
f8987c
-    verbose("secure_filename: checking for uid: %u", uid);
f8987c
+    verbose("auth_secure_filename: checking for uid: %u", uid);
f8987c
 
f8987c
-	if (realpath(file, buf) == NULL) {
f8987c
-		snprintf(err, errlen, "realpath %s failed: %s", file,
f8987c
+	/* if (realpath(pw->pw_dir, homedir) != NULL) */
f8987c
+    if (realpath(name, buf) == NULL) {
f8987c
+		snprintf(err, errlen, "realpath %s failed: %s", name,
f8987c
 		    strerror(errno));
f8987c
 		return -1;
f8987c
 	}
f8987c
-	if (realpath(pw->pw_dir, homedir) != NULL)
f8987c
+	if (pw_dir != NULL && realpath(pw_dir, homedir) != NULL)
f8987c
 		comparehome = 1;
f8987c
 
f8987c
 	/* check the open file to avoid races */
f8987c
-	if (fstat(fileno(f), &st) < 0 ||
f8987c
-	    (st.st_uid != 0 && st.st_uid != uid) ||
f8987c
-	    (st.st_mode & 022) != 0) {
f8987c
+	/* 
f8987c
+     * if (fstat(fileno(f), &st) < 0 ||
f8987c
+	 *    (st.st_uid != 0 && st.st_uid != uid) ||
f8987c
+	 *    (st.st_mode & 022) != 0) {
f8987c
+    */
f8987c
+    if (!S_ISREG(stp->st_mode)) {
f8987c
+        snprintf(err, errlen, "%s is not a regular file", buf);
f8987c
+        return -1;
f8987c
+    }
f8987c
+
f8987c
+    if ((stp->st_uid != 0 && stp->st_uid != uid) ||
f8987c
+            (stp->st_mode & 022) != 0) {
f8987c
 		snprintf(err, errlen, "bad ownership or modes for file %s",
f8987c
 		    buf);
f8987c
 		return -1;
f8987c
@@ -132,3 +141,25 @@ secure_filename(FILE *f, const char *file, struct passwd *pw,
f8987c
 	return 0;
f8987c
 }
f8987c
 
f8987c
+/*
f8987c
+ * Version of secure_path() that accepts an open file descriptor to
f8987c
+ * avoid races.
f8987c
+ *
f8987c
+ * Returns 0 on success and -1 on failure
f8987c
+ */
f8987c
+int
f8987c
+secure_filename(FILE *f, const char *file, struct passwd *pw,
f8987c
+    char *err, size_t errlen)
f8987c
+{
f8987c
+   struct stat st;
f8987c
+   char buf[MAXPATHLEN] = { 0 };
f8987c
+
f8987c
+   /* check the open file to avoid races */
f8987c
+   if (fstat(fileno(f), &st) < 0) {
f8987c
+       snprintf(err, errlen, "cannot stat file %s: %s",
f8987c
+           buf, strerror(errno));
f8987c
+       return -1;
f8987c
+   }
f8987c
+   return pamsshagentauth_auth_secure_path(file, &st, pw->pw_dir, pw->pw_uid, err, errlen);
f8987c
+}
f8987c
+
f8987c
diff --git a/pam_ssh_agent_auth-0.9.3/secure_filename.h b/pam_ssh_agent_auth-0.9.3/secure_filename.h
f8987c
index 198c13d..4c1a208 100644
f8987c
--- a/pam_ssh_agent_auth-0.9.3/secure_filename.h
f8987c
+++ b/pam_ssh_agent_auth-0.9.3/secure_filename.h
f8987c
@@ -28,5 +28,7 @@
f8987c
 #define _SECURE_FILENAME_H
f8987c
 #include <pwd.h>
f8987c
 #include <stdio.h>
f8987c
+struct stat;
f8987c
 int secure_filename(FILE *, const char *, struct passwd *, char *, size_t);
f8987c
+int pamsshagentauth_auth_secure_path(const char *, struct stat *, const char *, uid_t, char *, size_t);
f8987c
 #endif
f8987c
diff --git a/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c b/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c
f8987c
index 163278b..31849f8 100644
f8987c
--- a/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c
f8987c
+++ b/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c
f8987c
@@ -48,11 +48,14 @@
f8987c
 #include "identity.h"
f8987c
 #include "pam_user_authorized_keys.h"
f8987c
 
f8987c
-extern u_char  *session_id2;
f8987c
+#define SSH2_MSG_USERAUTH_TRUST_REQUEST          54
f8987c
+
f8987c
+/* extern u_char  *session_id2;
f8987c
 extern uint8_t  session_id_len;
f8987c
+ */
f8987c
 
f8987c
 int
f8987c
-userauth_pubkey_from_id(Identity * id)
f8987c
+userauth_pubkey_from_id(const char *ruser, Identity * id, Buffer * session_id2)
f8987c
 {
f8987c
     Buffer          b = { 0 };
f8987c
     char           *pkalg = NULL;
f8987c
@@ -63,7 +66,7 @@ userauth_pubkey_from_id(Identity * id)
f8987c
     pkalg = (char *) key_ssh_name(id->key);
f8987c
 
f8987c
     /* first test if this key is even allowed */
f8987c
-    if(! pam_user_key_allowed(id->key))
f8987c
+    if(! pam_user_key_allowed(ruser, id->key))
f8987c
         goto user_auth_clean_exit;
f8987c
 
f8987c
     if(key_to_blob(id->key, &pkblob, &blen) == 0)
f8987c
@@ -72,10 +75,10 @@ userauth_pubkey_from_id(Identity * id)
f8987c
     /* construct packet to sign and test */
f8987c
     buffer_init(&b);
f8987c
 
f8987c
-    buffer_put_string(&b, session_id2, session_id_len);
f8987c
-    buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
f8987c
-    buffer_put_cstring(&b, "root");
f8987c
-    buffer_put_cstring(&b, "ssh-userauth");
f8987c
+    buffer_put_string(&b, session_id2->buf + session_id2->offset, session_id2->end - session_id2->offset);
f8987c
+    buffer_put_char(&b, SSH2_MSG_USERAUTH_TRUST_REQUEST); 
f8987c
+    buffer_put_cstring(&b, ruser);
f8987c
+    buffer_put_cstring(&b, "pam_ssh_agent_auth");
f8987c
     buffer_put_cstring(&b, "publickey");
f8987c
     buffer_put_char(&b, 1);
f8987c
     buffer_put_cstring(&b, pkalg);
f8987c
@@ -89,8 +92,7 @@ userauth_pubkey_from_id(Identity * id)
f8987c
         authenticated = 1;
f8987c
 
f8987c
   user_auth_clean_exit:
f8987c
-    if(&b != NULL)
f8987c
-        buffer_free(&b);
f8987c
+    buffer_free(&b);
f8987c
     if(sig != NULL)
f8987c
         free(sig);
f8987c
     if(pkblob != NULL)
f8987c
diff --git a/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.h b/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.h
f8987c
index 1e14231..7758808 100644
f8987c
--- a/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.h
f8987c
+++ b/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.h
f8987c
@@ -32,6 +32,6 @@
f8987c
 #define _USERAUTH_PUBKEY_FROM_ID_H
f8987c
 
f8987c
 #include <identity.h>
f8987c
-int userauth_pubkey_from_id(Identity *);
f8987c
+int userauth_pubkey_from_id(const char *, Identity *, Buffer *);
f8987c
 
f8987c
 #endif
f8987c
-- 
f8987c
2.5.0
f8987c
f8987c
--- openssh-6.6p1/pam_ssh_agent_auth-0.9.3/pam_user_authorized_keys.c.psaa-command	2016-04-20 09:31:32.164686370 +0200
f8987c
+++ openssh-6.6p1/pam_ssh_agent_auth-0.9.3/pam_user_authorized_keys.c	2016-04-20 09:35:49.778344576 +0200
f8987c
@@ -145,8 +145,12 @@
f8987c
 int
f8987c
 pam_user_key_allowed(const char *ruser, Key * key)
f8987c
 {
f8987c
-    return pam_user_key_allowed2(getpwuid(authorized_keys_file_allowed_owner_uid), key, authorized_keys_file)
f8987c
-        || pam_user_key_allowed2(getpwuid(0), key, authorized_keys_file)
f8987c
+    struct passwd *pw;
f8987c
+    return
f8987c
+        ((pw = getpwuid(authorized_keys_file_allowed_owner_uid)) &&
f8987c
+            pam_user_key_allowed2(pw, key, authorized_keys_file))
f8987c
+        || ((pw = getpwuid(0)) &&
f8987c
+            pam_user_key_allowed2(pw, key, authorized_keys_file))
f8987c
         || pam_user_key_command_allowed2(authorized_keys_command,
f8987c
                                          authorized_keys_command_user,
f8987c
                                          getpwnam(ruser), key);