|
|
8f2528 |
diff -up openssh-7.4p1/auth2-pubkey.c.keycat openssh-7.4p1/auth2-pubkey.c
|
|
|
8f2528 |
--- openssh-7.4p1/auth2-pubkey.c.keycat 2017-02-08 14:32:33.015581448 +0100
|
|
|
8f2528 |
+++ openssh-7.4p1/auth2-pubkey.c 2017-02-08 14:40:26.125216292 +0100
|
|
|
8f2528 |
@@ -1043,6 +1043,14 @@ user_key_command_allowed2(struct passwd
|
|
|
8f2528 |
xasprintf(&command, "%s %s", av[0], av[1]);
|
|
|
8f2528 |
}
|
|
|
8f2528 |
|
|
|
8f2528 |
+#ifdef WITH_SELINUX
|
|
|
8f2528 |
+ if (sshd_selinux_setup_env_variables() < 0) {
|
|
|
8f2528 |
+ error ("failed to copy environment: %s",
|
|
|
8f2528 |
+ strerror(errno));
|
|
|
8f2528 |
+ _exit(127);
|
|
|
8f2528 |
+ }
|
|
|
8f2528 |
+#endif
|
|
|
8f2528 |
+
|
|
|
8f2528 |
if ((pid = subprocess("AuthorizedKeysCommand", pw, command,
|
|
|
8f2528 |
ac, av, &f)) == 0)
|
|
|
8f2528 |
goto out;
|
|
|
8f2528 |
diff -up openssh-7.4p1/configure.ac.keycat openssh-7.4p1/configure.ac
|
|
|
8f2528 |
--- openssh-7.4p1/configure.ac.keycat 2017-02-08 14:32:33.011581451 +0100
|
|
|
8f2528 |
+++ openssh-7.4p1/configure.ac 2017-02-08 14:32:33.016581448 +0100
|
|
|
8f2528 |
@@ -3129,6 +3129,7 @@ AC_ARG_WITH([pam],
|
|
|
8f2528 |
PAM_MSG="yes"
|
|
|
8f2528 |
|
|
|
8f2528 |
SSHDLIBS="$SSHDLIBS -lpam"
|
|
|
8f2528 |
+ KEYCATLIBS="$KEYCATLIBS -lpam"
|
|
|
8f2528 |
AC_DEFINE([USE_PAM], [1],
|
|
|
8f2528 |
[Define if you want to enable PAM support])
|
|
|
8f2528 |
|
|
|
8f2528 |
@@ -3139,6 +3140,7 @@ AC_ARG_WITH([pam],
|
|
|
8f2528 |
;;
|
|
|
8f2528 |
*)
|
|
|
8f2528 |
SSHDLIBS="$SSHDLIBS -ldl"
|
|
|
8f2528 |
+ KEYCATLIBS="$KEYCATLIBS -ldl"
|
|
|
8f2528 |
;;
|
|
|
8f2528 |
esac
|
|
|
8f2528 |
fi
|
|
|
8f2528 |
@@ -4255,6 +4257,7 @@ AC_ARG_WITH([selinux],
|
|
|
8f2528 |
)
|
|
|
8f2528 |
AC_SUBST([SSHLIBS])
|
|
|
8f2528 |
AC_SUBST([SSHDLIBS])
|
|
|
8f2528 |
+AC_SUBST([KEYCATLIBS])
|
|
|
8f2528 |
|
|
|
8f2528 |
# Check whether user wants Kerberos 5 support
|
|
|
8f2528 |
KRB5_MSG="no"
|
|
|
8f2528 |
@@ -5206,6 +5209,9 @@ fi
|
|
|
8f2528 |
if test ! -z "${SSHLIBS}"; then
|
|
|
8f2528 |
echo " +for ssh: ${SSHLIBS}"
|
|
|
8f2528 |
fi
|
|
|
8f2528 |
+if test ! -z "${KEYCATLIBS}"; then
|
|
|
8f2528 |
+echo " +for ssh-keycat: ${KEYCATLIBS}"
|
|
|
8f2528 |
+fi
|
|
|
8f2528 |
|
|
|
8f2528 |
echo ""
|
|
|
8f2528 |
|
|
|
8f2528 |
diff -up openssh-7.4p1/HOWTO.ssh-keycat.keycat openssh-7.4p1/HOWTO.ssh-keycat
|
|
|
8f2528 |
--- openssh-7.4p1/HOWTO.ssh-keycat.keycat 2017-02-08 14:32:33.014581449 +0100
|
|
|
8f2528 |
+++ openssh-7.4p1/HOWTO.ssh-keycat 2017-02-08 14:32:33.014581449 +0100
|
|
|
8f2528 |
@@ -0,0 +1,12 @@
|
|
|
8f2528 |
+The ssh-keycat retrieves the content of the ~/.ssh/authorized_keys
|
|
|
8f2528 |
+of an user in any environment. This includes environments with
|
|
|
8f2528 |
+polyinstantiation of home directories and SELinux MLS policy enabled.
|
|
|
8f2528 |
+
|
|
|
8f2528 |
+To use ssh-keycat, set these options in /etc/ssh/sshd_config file:
|
|
|
8f2528 |
+ AuthorizedKeysCommand /usr/libexec/openssh/ssh-keycat
|
|
|
8f2528 |
+ AuthorizedKeysCommandUser root
|
|
|
8f2528 |
+
|
|
|
8f2528 |
+Do not forget to enable public key authentication:
|
|
|
8f2528 |
+ PubkeyAuthentication yes
|
|
|
8f2528 |
+
|
|
|
8f2528 |
+
|
|
|
8f2528 |
diff -up openssh-7.4p1/Makefile.in.keycat openssh-7.4p1/Makefile.in
|
|
|
8f2528 |
--- openssh-7.4p1/Makefile.in.keycat 2017-02-08 14:32:33.012581451 +0100
|
|
|
8f2528 |
+++ openssh-7.4p1/Makefile.in 2017-02-08 14:38:28.839306815 +0100
|
|
|
8f2528 |
@@ -27,6 +27,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server
|
|
|
8f2528 |
SSH_KEYSIGN=$(libexecdir)/ssh-keysign
|
|
|
8f2528 |
SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
|
|
|
8f2528 |
SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper
|
|
|
8f2528 |
+SSH_KEYCAT=$(libexecdir)/ssh-keycat
|
|
|
8f2528 |
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
|
|
|
8f2528 |
PRIVSEP_PATH=@PRIVSEP_PATH@
|
|
|
8f2528 |
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
|
|
|
8f2528 |
@@ -51,6 +52,7 @@ K5LIBS=@K5LIBS@
|
|
|
8f2528 |
GSSLIBS=@GSSLIBS@
|
|
|
8f2528 |
SSHLIBS=@SSHLIBS@
|
|
|
8f2528 |
SSHDLIBS=@SSHDLIBS@
|
|
|
8f2528 |
+KEYCATLIBS=@KEYCATLIBS@
|
|
|
8f2528 |
LIBEDIT=@LIBEDIT@
|
|
|
8f2528 |
AR=@AR@
|
|
|
8f2528 |
AWK=@AWK@
|
|
|
8f2528 |
@@ -65,7 +67,7 @@ EXEEXT=@EXEEXT@
|
|
|
8f2528 |
MANFMT=@MANFMT@
|
|
|
8f2528 |
INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@
|
|
|
8f2528 |
|
|
|
8f2528 |
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT)
|
|
|
8f2528 |
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT)
|
|
|
8f2528 |
|
|
|
8f2528 |
LIBOPENSSH_OBJS=\
|
|
|
8f2528 |
ssh_api.o \
|
|
|
8f2528 |
@@ -190,6 +192,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT)
|
|
|
8f2528 |
ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o
|
|
|
8f2528 |
$(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lfipscheck $(LIBS)
|
|
|
8f2528 |
|
|
|
8f2528 |
+ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o
|
|
|
8f2528 |
+ $(LD) -o $@ ssh-keycat.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(KEYCATLIBS) $(SSHLIBS)
|
|
|
8f2528 |
+
|
|
|
8f2528 |
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
|
|
|
8f2528 |
$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
|
|
8f2528 |
|
|
|
8f2528 |
@@ -332,6 +337,7 @@ install-files:
|
|
|
8f2528 |
$(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \
|
|
|
8f2528 |
$(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
|
|
|
8f2528 |
fi
|
|
|
8f2528 |
+ $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keycat$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-keycat$(EXEEXT)
|
|
|
8f2528 |
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
|
|
|
8f2528 |
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
|
|
|
8f2528 |
$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
|
|
|
8f2528 |
diff -up openssh-7.4p1/openbsd-compat/port-linux.h.keycat openssh-7.4p1/openbsd-compat/port-linux.h
|
|
|
8f2528 |
--- openssh-7.4p1/openbsd-compat/port-linux.h.keycat 2017-02-08 14:32:33.009581453 +0100
|
|
|
8f2528 |
+++ openssh-7.4p1/openbsd-compat/port-linux.h 2017-02-08 14:32:33.015581448 +0100
|
|
|
8f2528 |
@@ -23,8 +23,10 @@ void ssh_selinux_setup_pty(char *, const
|
|
|
8f2528 |
void ssh_selinux_change_context(const char *);
|
|
|
8f2528 |
void ssh_selinux_setfscreatecon(const char *);
|
|
|
8f2528 |
|
|
|
8f2528 |
+int sshd_selinux_enabled(void);
|
|
|
8f2528 |
void sshd_selinux_copy_context(void);
|
|
|
8f2528 |
void sshd_selinux_setup_exec_context(char *);
|
|
|
8f2528 |
+int sshd_selinux_setup_env_variables(void);
|
|
|
8f2528 |
#endif
|
|
|
8f2528 |
|
|
|
8f2528 |
#ifdef LINUX_OOM_ADJUST
|
|
|
8f2528 |
diff -up openssh-7.4p1/openbsd-compat/port-linux-sshd.c.keycat openssh-7.4p1/openbsd-compat/port-linux-sshd.c
|
|
|
8f2528 |
--- openssh-7.4p1/openbsd-compat/port-linux-sshd.c.keycat 2017-02-08 14:32:33.008581454 +0100
|
|
|
8f2528 |
+++ openssh-7.4p1/openbsd-compat/port-linux-sshd.c 2017-02-08 14:32:33.015581448 +0100
|
|
|
8f2528 |
@@ -53,6 +53,20 @@ extern Authctxt *the_authctxt;
|
|
|
8f2528 |
extern int inetd_flag;
|
|
|
8f2528 |
extern int rexeced_flag;
|
|
|
8f2528 |
|
|
|
8f2528 |
+/* Wrapper around is_selinux_enabled() to log its return value once only */
|
|
|
8f2528 |
+int
|
|
|
8f2528 |
+sshd_selinux_enabled(void)
|
|
|
8f2528 |
+{
|
|
|
8f2528 |
+ static int enabled = -1;
|
|
|
8f2528 |
+
|
|
|
8f2528 |
+ if (enabled == -1) {
|
|
|
8f2528 |
+ enabled = (is_selinux_enabled() == 1);
|
|
|
8f2528 |
+ debug("SELinux support %s", enabled ? "enabled" : "disabled");
|
|
|
8f2528 |
+ }
|
|
|
8f2528 |
+
|
|
|
8f2528 |
+ return (enabled);
|
|
|
8f2528 |
+}
|
|
|
8f2528 |
+
|
|
|
8f2528 |
/* Send audit message */
|
|
|
8f2528 |
static int
|
|
|
8f2528 |
sshd_selinux_send_audit_message(int success, security_context_t default_context,
|
|
|
8f2528 |
@@ -307,7 +321,7 @@ sshd_selinux_getctxbyname(char *pwname,
|
|
|
8f2528 |
|
|
|
8f2528 |
/* Setup environment variables for pam_selinux */
|
|
|
8f2528 |
static int
|
|
|
8f2528 |
-sshd_selinux_setup_pam_variables(void)
|
|
|
8f2528 |
+sshd_selinux_setup_variables(int(*set_it)(char *, const char *))
|
|
|
8f2528 |
{
|
|
|
8f2528 |
const char *reqlvl;
|
|
|
8f2528 |
char *role;
|
|
|
8f2528 |
@@ -318,16 +332,16 @@ sshd_selinux_setup_pam_variables(void)
|
|
|
8f2528 |
|
|
|
8f2528 |
ssh_selinux_get_role_level(&role, &reqlvl);
|
|
|
8f2528 |
|
|
|
8f2528 |
- rv = do_pam_putenv("SELINUX_ROLE_REQUESTED", role ? role : "");
|
|
|
8f2528 |
+ rv = set_it("SELINUX_ROLE_REQUESTED", role ? role : "");
|
|
|
8f2528 |
|
|
|
8f2528 |
if (inetd_flag && !rexeced_flag) {
|
|
|
8f2528 |
use_current = "1";
|
|
|
8f2528 |
} else {
|
|
|
8f2528 |
use_current = "";
|
|
|
8f2528 |
- rv = rv || do_pam_putenv("SELINUX_LEVEL_REQUESTED", reqlvl ? reqlvl: "");
|
|
|
8f2528 |
+ rv = rv || set_it("SELINUX_LEVEL_REQUESTED", reqlvl ? reqlvl: "");
|
|
|
8f2528 |
}
|
|
|
8f2528 |
|
|
|
8f2528 |
- rv = rv || do_pam_putenv("SELINUX_USE_CURRENT_RANGE", use_current);
|
|
|
8f2528 |
+ rv = rv || set_it("SELINUX_USE_CURRENT_RANGE", use_current);
|
|
|
8f2528 |
|
|
|
8f2528 |
if (role != NULL)
|
|
|
8f2528 |
free(role);
|
|
|
8f2528 |
@@ -335,6 +349,24 @@ sshd_selinux_setup_pam_variables(void)
|
|
|
8f2528 |
return rv;
|
|
|
8f2528 |
}
|
|
|
8f2528 |
|
|
|
8f2528 |
+static int
|
|
|
8f2528 |
+sshd_selinux_setup_pam_variables(void)
|
|
|
8f2528 |
+{
|
|
|
8f2528 |
+ return sshd_selinux_setup_variables(do_pam_putenv);
|
|
|
8f2528 |
+}
|
|
|
8f2528 |
+
|
|
|
8f2528 |
+static int
|
|
|
8f2528 |
+do_setenv(char *name, const char *value)
|
|
|
8f2528 |
+{
|
|
|
8f2528 |
+ return setenv(name, value, 1);
|
|
|
8f2528 |
+}
|
|
|
8f2528 |
+
|
|
|
8f2528 |
+int
|
|
|
8f2528 |
+sshd_selinux_setup_env_variables(void)
|
|
|
8f2528 |
+{
|
|
|
8f2528 |
+ return sshd_selinux_setup_variables(do_setenv);
|
|
|
8f2528 |
+}
|
|
|
8f2528 |
+
|
|
|
8f2528 |
/* Set the execution context to the default for the specified user */
|
|
|
8f2528 |
void
|
|
|
8f2528 |
sshd_selinux_setup_exec_context(char *pwname)
|
|
|
8f2528 |
@@ -343,7 +375,7 @@ sshd_selinux_setup_exec_context(char *pw
|
|
|
8f2528 |
int r = 0;
|
|
|
8f2528 |
security_context_t default_ctx = NULL;
|
|
|
8f2528 |
|
|
|
8f2528 |
- if (!ssh_selinux_enabled())
|
|
|
8f2528 |
+ if (!sshd_selinux_enabled())
|
|
|
8f2528 |
return;
|
|
|
8f2528 |
|
|
|
8f2528 |
if (options.use_pam) {
|
|
|
8f2528 |
@@ -414,7 +446,7 @@ sshd_selinux_copy_context(void)
|
|
|
8f2528 |
{
|
|
|
8f2528 |
security_context_t *ctx;
|
|
|
8f2528 |
|
|
|
8f2528 |
- if (!ssh_selinux_enabled())
|
|
|
8f2528 |
+ if (!sshd_selinux_enabled())
|
|
|
8f2528 |
return;
|
|
|
8f2528 |
|
|
|
8f2528 |
if (getexeccon((security_context_t *)&ctx) != 0) {
|
|
|
8f2528 |
diff -up openssh-7.4p1/platform.c.keycat openssh-7.4p1/platform.c
|
|
|
8f2528 |
--- openssh-7.4p1/platform.c.keycat 2017-02-08 14:32:33.007581455 +0100
|
|
|
8f2528 |
+++ openssh-7.4p1/platform.c 2017-02-08 14:32:33.015581448 +0100
|
|
|
8f2528 |
@@ -99,7 +99,7 @@ platform_setusercontext(struct passwd *p
|
|
|
8f2528 |
{
|
|
|
8f2528 |
#ifdef WITH_SELINUX
|
|
|
8f2528 |
/* Cache selinux status for later use */
|
|
|
8f2528 |
- (void)ssh_selinux_enabled();
|
|
|
8f2528 |
+ (void)sshd_selinux_enabled();
|
|
|
8f2528 |
#endif
|
|
|
8f2528 |
|
|
|
8f2528 |
#ifdef USE_SOLARIS_PROJECTS
|
|
|
8f2528 |
diff -up openssh-7.4p1/ssh-keycat.c.keycat openssh-7.4p1/ssh-keycat.c
|
|
|
8f2528 |
--- openssh-7.4p1/ssh-keycat.c.keycat 2017-02-08 14:32:33.015581448 +0100
|
|
|
8f2528 |
+++ openssh-7.4p1/ssh-keycat.c 2017-02-08 14:32:33.015581448 +0100
|
|
|
8f2528 |
@@ -0,0 +1,238 @@
|
|
|
8f2528 |
+/*
|
|
|
8f2528 |
+ * Redistribution and use in source and binary forms, with or without
|
|
|
8f2528 |
+ * modification, are permitted provided that the following conditions
|
|
|
8f2528 |
+ * are met:
|
|
|
8f2528 |
+ * 1. Redistributions of source code must retain the above copyright
|
|
|
8f2528 |
+ * notice, and the entire permission notice in its entirety,
|
|
|
8f2528 |
+ * including the disclaimer of warranties.
|
|
|
8f2528 |
+ * 2. Redistributions in binary form must reproduce the above copyright
|
|
|
8f2528 |
+ * notice, this list of conditions and the following disclaimer in the
|
|
|
8f2528 |
+ * documentation and/or other materials provided with the distribution.
|
|
|
8f2528 |
+ * 3. The name of the author may not be used to endorse or promote
|
|
|
8f2528 |
+ * products derived from this software without specific prior
|
|
|
8f2528 |
+ * written permission.
|
|
|
8f2528 |
+ *
|
|
|
8f2528 |
+ * ALTERNATIVELY, this product may be distributed under the terms of
|
|
|
8f2528 |
+ * the GNU Public License, in which case the provisions of the GPL are
|
|
|
8f2528 |
+ * required INSTEAD OF the above restrictions. (This clause is
|
|
|
8f2528 |
+ * necessary due to a potential bad interaction between the GPL and
|
|
|
8f2528 |
+ * the restrictions contained in a BSD-style copyright.)
|
|
|
8f2528 |
+ *
|
|
|
8f2528 |
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
|
|
|
8f2528 |
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
|
|
8f2528 |
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
|
|
|
8f2528 |
+ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
|
|
|
8f2528 |
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
|
|
|
8f2528 |
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
|
|
|
8f2528 |
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
|
8f2528 |
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
|
|
|
8f2528 |
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
|
|
8f2528 |
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
|
|
|
8f2528 |
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
|
8f2528 |
+ */
|
|
|
8f2528 |
+
|
|
|
8f2528 |
+/*
|
|
|
8f2528 |
+ * Copyright (c) 2011 Red Hat, Inc.
|
|
|
8f2528 |
+ * Written by Tomas Mraz <tmraz@redhat.com>
|
|
|
8f2528 |
+*/
|
|
|
8f2528 |
+
|
|
|
8f2528 |
+#define _GNU_SOURCE
|
|
|
8f2528 |
+
|
|
|
8f2528 |
+#include "config.h"
|
|
|
8f2528 |
+#include <stdio.h>
|
|
|
8f2528 |
+#include <stdlib.h>
|
|
|
8f2528 |
+#include <string.h>
|
|
|
8f2528 |
+#include <sys/types.h>
|
|
|
8f2528 |
+#include <sys/stat.h>
|
|
|
8f2528 |
+#include <pwd.h>
|
|
|
8f2528 |
+#include <fcntl.h>
|
|
|
8f2528 |
+#include <unistd.h>
|
|
|
8f2528 |
+
|
|
|
8f2528 |
+#include <security/pam_appl.h>
|
|
|
8f2528 |
+
|
|
|
8f2528 |
+#include "uidswap.h"
|
|
|
8f2528 |
+#include "misc.h"
|
|
|
8f2528 |
+
|
|
|
8f2528 |
+#define ERR_USAGE 1
|
|
|
8f2528 |
+#define ERR_PAM_START 2
|
|
|
8f2528 |
+#define ERR_OPEN_SESSION 3
|
|
|
8f2528 |
+#define ERR_CLOSE_SESSION 4
|
|
|
8f2528 |
+#define ERR_PAM_END 5
|
|
|
8f2528 |
+#define ERR_GETPWNAM 6
|
|
|
8f2528 |
+#define ERR_MEMORY 7
|
|
|
8f2528 |
+#define ERR_OPEN 8
|
|
|
8f2528 |
+#define ERR_FILE_MODE 9
|
|
|
8f2528 |
+#define ERR_FDOPEN 10
|
|
|
8f2528 |
+#define ERR_STAT 11
|
|
|
8f2528 |
+#define ERR_WRITE 12
|
|
|
8f2528 |
+#define ERR_PAM_PUTENV 13
|
|
|
8f2528 |
+#define BUFLEN 4096
|
|
|
8f2528 |
+
|
|
|
8f2528 |
+/* Just ignore the messages in the conversation function */
|
|
|
8f2528 |
+static int
|
|
|
8f2528 |
+dummy_conv(int num_msg, const struct pam_message **msgm,
|
|
|
8f2528 |
+ struct pam_response **response, void *appdata_ptr)
|
|
|
8f2528 |
+{
|
|
|
8f2528 |
+ struct pam_response *rsp;
|
|
|
8f2528 |
+
|
|
|
8f2528 |
+ (void)msgm;
|
|
|
8f2528 |
+ (void)appdata_ptr;
|
|
|
8f2528 |
+
|
|
|
8f2528 |
+ if (num_msg <= 0)
|
|
|
8f2528 |
+ return PAM_CONV_ERR;
|
|
|
8f2528 |
+
|
|
|
8f2528 |
+ /* Just allocate the array as empty responses */
|
|
|
8f2528 |
+ rsp = calloc (num_msg, sizeof (struct pam_response));
|
|
|
8f2528 |
+ if (rsp == NULL)
|
|
|
8f2528 |
+ return PAM_CONV_ERR;
|
|
|
8f2528 |
+
|
|
|
8f2528 |
+ *response = rsp;
|
|
|
8f2528 |
+ return PAM_SUCCESS;
|
|
|
8f2528 |
+}
|
|
|
8f2528 |
+
|
|
|
8f2528 |
+static struct pam_conv conv = {
|
|
|
8f2528 |
+ dummy_conv,
|
|
|
8f2528 |
+ NULL
|
|
|
8f2528 |
+};
|
|
|
8f2528 |
+
|
|
|
8f2528 |
+char *
|
|
|
8f2528 |
+make_auth_keys_name(const struct passwd *pwd)
|
|
|
8f2528 |
+{
|
|
|
8f2528 |
+ char *fname;
|
|
|
8f2528 |
+
|
|
|
8f2528 |
+ if (asprintf(&fname, "%s/.ssh/authorized_keys", pwd->pw_dir) < 0)
|
|
|
8f2528 |
+ return NULL;
|
|
|
8f2528 |
+
|
|
|
8f2528 |
+ return fname;
|
|
|
8f2528 |
+}
|
|
|
8f2528 |
+
|
|
|
8f2528 |
+int
|
|
|
8f2528 |
+dump_keys(const char *user)
|
|
|
8f2528 |
+{
|
|
|
8f2528 |
+ struct passwd *pwd;
|
|
|
8f2528 |
+ int fd = -1;
|
|
|
8f2528 |
+ FILE *f = NULL;
|
|
|
8f2528 |
+ char *fname = NULL;
|
|
|
8f2528 |
+ int rv = 0;
|
|
|
8f2528 |
+ char buf[BUFLEN];
|
|
|
8f2528 |
+ size_t len;
|
|
|
8f2528 |
+ struct stat st;
|
|
|
8f2528 |
+
|
|
|
8f2528 |
+ if ((pwd = getpwnam(user)) == NULL) {
|
|
|
8f2528 |
+ return ERR_GETPWNAM;
|
|
|
8f2528 |
+ }
|
|
|
8f2528 |
+
|
|
|
8f2528 |
+ if ((fname = make_auth_keys_name(pwd)) == NULL) {
|
|
|
8f2528 |
+ return ERR_MEMORY;
|
|
|
8f2528 |
+ }
|
|
|
8f2528 |
+
|
|
|
8f2528 |
+ temporarily_use_uid(pwd);
|
|
|
8f2528 |
+
|
|
|
8f2528 |
+ if ((fd = open(fname, O_RDONLY|O_NONBLOCK|O_NOFOLLOW, 0)) < 0) {
|
|
|
8f2528 |
+ rv = ERR_OPEN;
|
|
|
8f2528 |
+ goto fail;
|
|
|
8f2528 |
+ }
|
|
|
8f2528 |
+
|
|
|
8f2528 |
+ if (fstat(fd, &st) < 0) {
|
|
|
8f2528 |
+ rv = ERR_STAT;
|
|
|
8f2528 |
+ goto fail;
|
|
|
8f2528 |
+ }
|
|
|
8f2528 |
+
|
|
|
8f2528 |
+ if (!S_ISREG(st.st_mode) ||
|
|
|
8f2528 |
+ (st.st_uid != pwd->pw_uid && st.st_uid != 0)) {
|
|
|
8f2528 |
+ rv = ERR_FILE_MODE;
|
|
|
8f2528 |
+ goto fail;
|
|
|
8f2528 |
+ }
|
|
|
8f2528 |
+
|
|
|
8f2528 |
+ unset_nonblock(fd);
|
|
|
8f2528 |
+
|
|
|
8f2528 |
+ if ((f = fdopen(fd, "r")) == NULL) {
|
|
|
8f2528 |
+ rv = ERR_FDOPEN;
|
|
|
8f2528 |
+ goto fail;
|
|
|
8f2528 |
+ }
|
|
|
8f2528 |
+
|
|
|
8f2528 |
+ fd = -1;
|
|
|
8f2528 |
+
|
|
|
8f2528 |
+ while ((len = fread(buf, 1, sizeof(buf), f)) > 0) {
|
|
|
8f2528 |
+ rv = fwrite(buf, 1, len, stdout) != len ? ERR_WRITE : 0;
|
|
|
8f2528 |
+ }
|
|
|
8f2528 |
+
|
|
|
8f2528 |
+fail:
|
|
|
8f2528 |
+ if (fd != -1)
|
|
|
8f2528 |
+ close(fd);
|
|
|
8f2528 |
+ if (f != NULL)
|
|
|
8f2528 |
+ fclose(f);
|
|
|
8f2528 |
+ free(fname);
|
|
|
8f2528 |
+ restore_uid();
|
|
|
8f2528 |
+ return rv;
|
|
|
8f2528 |
+}
|
|
|
8f2528 |
+
|
|
|
8f2528 |
+static const char *env_names[] = { "SELINUX_ROLE_REQUESTED",
|
|
|
8f2528 |
+ "SELINUX_LEVEL_REQUESTED",
|
|
|
8f2528 |
+ "SELINUX_USE_CURRENT_RANGE"
|
|
|
8f2528 |
+};
|
|
|
8f2528 |
+
|
|
|
8f2528 |
+extern char **environ;
|
|
|
8f2528 |
+
|
|
|
8f2528 |
+int
|
|
|
8f2528 |
+set_pam_environment(pam_handle_t *pamh)
|
|
|
8f2528 |
+{
|
|
|
8f2528 |
+ int i;
|
|
|
8f2528 |
+ size_t j;
|
|
|
8f2528 |
+
|
|
|
8f2528 |
+ for (j = 0; j < sizeof(env_names)/sizeof(env_names[0]); ++j) {
|
|
|
8f2528 |
+ int len = strlen(env_names[j]);
|
|
|
8f2528 |
+
|
|
|
8f2528 |
+ for (i = 0; environ[i] != NULL; ++i) {
|
|
|
8f2528 |
+ if (strncmp(env_names[j], environ[i], len) == 0 &&
|
|
|
8f2528 |
+ environ[i][len] == '=') {
|
|
|
8f2528 |
+ if (pam_putenv(pamh, environ[i]) != PAM_SUCCESS)
|
|
|
8f2528 |
+ return ERR_PAM_PUTENV;
|
|
|
8f2528 |
+ }
|
|
|
8f2528 |
+ }
|
|
|
8f2528 |
+ }
|
|
|
8f2528 |
+
|
|
|
8f2528 |
+ return 0;
|
|
|
8f2528 |
+}
|
|
|
8f2528 |
+
|
|
|
8f2528 |
+int
|
|
|
8f2528 |
+main(int argc, char *argv[])
|
|
|
8f2528 |
+{
|
|
|
8f2528 |
+ pam_handle_t *pamh = NULL;
|
|
|
8f2528 |
+ int retval;
|
|
|
8f2528 |
+ int ev = 0;
|
|
|
8f2528 |
+
|
|
|
8f2528 |
+ if (argc != 2) {
|
|
|
8f2528 |
+ fprintf(stderr, "Usage: %s <user-name>\n", argv[0]);
|
|
|
8f2528 |
+ return ERR_USAGE;
|
|
|
8f2528 |
+ }
|
|
|
8f2528 |
+
|
|
|
8f2528 |
+ retval = pam_start("ssh-keycat", argv[1], &conv, &pamh);
|
|
|
8f2528 |
+ if (retval != PAM_SUCCESS) {
|
|
|
8f2528 |
+ return ERR_PAM_START;
|
|
|
8f2528 |
+ }
|
|
|
8f2528 |
+
|
|
|
8f2528 |
+ ev = set_pam_environment(pamh);
|
|
|
8f2528 |
+ if (ev != 0)
|
|
|
8f2528 |
+ goto finish;
|
|
|
8f2528 |
+
|
|
|
8f2528 |
+ retval = pam_open_session(pamh, PAM_SILENT);
|
|
|
8f2528 |
+ if (retval != PAM_SUCCESS) {
|
|
|
8f2528 |
+ ev = ERR_OPEN_SESSION;
|
|
|
8f2528 |
+ goto finish;
|
|
|
8f2528 |
+ }
|
|
|
8f2528 |
+
|
|
|
8f2528 |
+ ev = dump_keys(argv[1]);
|
|
|
8f2528 |
+
|
|
|
8f2528 |
+ retval = pam_close_session(pamh, PAM_SILENT);
|
|
|
8f2528 |
+ if (retval != PAM_SUCCESS) {
|
|
|
8f2528 |
+ ev = ERR_CLOSE_SESSION;
|
|
|
8f2528 |
+ }
|
|
|
8f2528 |
+
|
|
|
8f2528 |
+finish:
|
|
|
8f2528 |
+ retval = pam_end (pamh,retval);
|
|
|
8f2528 |
+ if (retval != PAM_SUCCESS) {
|
|
|
8f2528 |
+ ev = ERR_PAM_END;
|
|
|
8f2528 |
+ }
|
|
|
8f2528 |
+ return ev;
|
|
|
8f2528 |
+}
|