- djm@cvs.openbsd.org 2012/11/04 10:38:43

[auth2-pubkey.c sshd.c sshd_config.5] Remove default of AuthorizedCommandUser. Administrators are now expected to explicitly specify a user. feedback and ok markus@
author: Damien Miller <djm@mindrot.org> 2012-11-04 22:23:14 +1100
committer: Damien Miller <djm@mindrot.org> 2012-11-04 22:23:14 +1100
commit: d0d1099b3b8a766480ce6df215631bf0af6e6bcd (patch)
tree: e29b37b3e3a9e8e14e78ddc5eb15005fe201717f
parent: f33580eed055472b9e5ca05f4826b05e9eacc651 (diff)
4 files changed, 31 insertions, 17 deletions
diff --git a/ChangeLog b/ChangeLog
index f1d0580fc..120c132af 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -3,6 +3,10 @@
   - jmc@cvs.openbsd.org 2012/10/31 08:04:50
     [sshd_config.5]
     tweak previous;
+   - djm@cvs.openbsd.org 2012/11/04 10:38:43
+     [auth2-pubkey.c sshd.c sshd_config.5]
+     Remove default of AuthorizedCommandUser. Administrators are now expected
+     to explicitly specify a user. feedback and ok markus@
 20121030
 - (djm) OpenBSD CVS Sync
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index ec8f75d57..6a6217017 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-pubkey.c,v 1.31 2012/10/30 21:29:54 djm Exp $ */
+/* $OpenBSD: auth2-pubkey.c,v 1.32 2012/11/04 10:38:43 djm Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl.  All rights reserved.
 *
@@ -462,23 +462,27 @@ user_key_command_allowed2(struct passwd *user_pw, Key *key)
        struct stat st;
        int status, devnull, p[2], i;
        pid_t pid;
-        char errmsg[512];
+        char *username, errmsg[512];
        if (options.authorized_keys_command == NULL ||
            options.authorized_keys_command[0] != '/')
                return 0;
-        /* If no user specified to run commands the default to target user */
+        if (options.authorized_keys_command_user == NULL) {
-        if (options.authorized_keys_command_user == NULL)
+                error("No user for AuthorizedKeysCommand specified, skipping");
-                pw = user_pw;
+                return 0;
-        else {
+        }
-                pw = getpwnam(options.authorized_keys_command_user);
-                if (pw == NULL) {
+        username = percent_expand(options.authorized_keys_command_user,
-                        error("AuthorizedKeyCommandUser \"%s\" not found: %s",
+            "u", user_pw->pw_name, (char *)NULL);
-                            options.authorized_keys_command, strerror(errno));
+        pw = getpwnam(username);
-                        return 0;
+        if (pw == NULL) {
-                }
+                error("AuthorizedKeyCommandUser \"%s\" not found: %s",
+                    options.authorized_keys_command, strerror(errno));
+                free(username);
+                return 0;
        }
+        free(username);
        temporarily_use_uid(pw);
@@ -517,6 +521,7 @@ user_key_command_allowed2(struct passwd *user_pw, Key *key)
                for (i = 0; i < NSIG; i++)
                        signal(i, SIG_DFL);
+                closefrom(STDERR_FILENO + 1);
                /* Don't use permanently_set_uid() here to avoid fatal() */
                if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) != 0) {
                        error("setresgid %u: %s", (u_int)pw->pw_gid,
@@ -541,7 +546,6 @@ user_key_command_allowed2(struct passwd *user_pw, Key *key)
                        error("%s: dup2: %s", __func__, strerror(errno));
                        _exit(1);
                }
-                closefrom(STDERR_FILENO + 1);
                execl(options.authorized_keys_command,
                    options.authorized_keys_command, pw->pw_name, NULL);
diff --git a/sshd.c b/sshd.c
index eff0290b0..4ad1a4bd1 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshd.c,v 1.394 2012/10/30 21:29:55 djm Exp $ */
+/* $OpenBSD: sshd.c,v 1.395 2012/11/04 10:38:43 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1559,6 +1559,13 @@ main(int ac, char **av)
        if (options.challenge_response_authentication)
                options.kbd_interactive_authentication = 1;
+        /* Check that options are sensible */
+        if (options.authorized_keys_command_user == NULL &&
+            (options.authorized_keys_command != NULL &&
+            strcasecmp(options.authorized_keys_command, "none") != 0))
+                fatal("AuthorizedKeysCommand set without "
+                    "AuthorizedKeysCommandUser");
        /* set default channel AF */
        channel_set_af(options.address_family);
diff --git a/sshd_config.5 b/sshd_config.5
index 3cc901a82..0fb0b837d 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.147 2012/10/31 08:04:50 jmc Exp $
+.\" $OpenBSD: sshd_config.5,v 1.148 2012/11/04 10:38:43 djm Exp $
-.Dd $Mdocdate: October 31 2012 $
+.Dd $Mdocdate: November 4 2012 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -166,7 +166,6 @@ files.
 By default, no AuthorizedKeysCommand is run.
 .It Cm AuthorizedKeysCommandUser
 Specifies the user under whose account the AuthorizedKeysCommand is run.
-The default is the user being authenticated.
 It is recommended to use a dedicated user that has no other role on the host
 than running authorized keys commands.
 .It Cm AuthorizedKeysFile
author	Damien Miller <djm@mindrot.org>	2012-11-04 22:23:14 +1100
committer	Damien Miller <djm@mindrot.org>	2012-11-04 22:23:14 +1100
commit	d0d1099b3b8a766480ce6df215631bf0af6e6bcd (patch)
tree	e29b37b3e3a9e8e14e78ddc5eb15005fe201717f
parent	f33580eed055472b9e5ca05f4826b05e9eacc651 (diff)

diff --git a/ChangeLog b/ChangeLog index f1d0580fc..120c132af 100644 --- a/ChangeLog +++ b/ChangeLog
@@ -3,6 +3,10 @@
3	- jmc@cvs.openbsd.org 2012/10/31 08:04:50	3	- jmc@cvs.openbsd.org 2012/10/31 08:04:50
4	[sshd_config.5]	4	[sshd_config.5]
5	tweak previous;	5	tweak previous;
		6	- djm@cvs.openbsd.org 2012/11/04 10:38:43
		7	[auth2-pubkey.c sshd.c sshd_config.5]
		8	Remove default of AuthorizedCommandUser. Administrators are now expected
		9	to explicitly specify a user. feedback and ok markus@
6		10
7	20121030	11	20121030
8	- (djm) OpenBSD CVS Sync	12	- (djm) OpenBSD CVS Sync


diff --git a/auth2-pubkey.c b/auth2-pubkey.c index ec8f75d57..6a6217017 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: auth2-pubkey.c,v 1.31 2012/10/30 21:29:54 djm Exp $ */	1	/* $OpenBSD: auth2-pubkey.c,v 1.32 2012/11/04 10:38:43 djm Exp $ */
2	/*	2	/*
3	* Copyright (c) 2000 Markus Friedl. All rights reserved.	3	* Copyright (c) 2000 Markus Friedl. All rights reserved.
4	*	4	*
@@ -462,23 +462,27 @@ user_key_command_allowed2(struct passwd user_pw, Key key)
462	struct stat st;	462	struct stat st;
463	int status, devnull, p[2], i;	463	int status, devnull, p[2], i;
464	pid_t pid;	464	pid_t pid;
465	char errmsg[512];	465	char *username, errmsg[512];
466		466
467	if (options.authorized_keys_command == NULL \|\|	467	if (options.authorized_keys_command == NULL \|\|
468	options.authorized_keys_command[0] != '/')	468	options.authorized_keys_command[0] != '/')
469	return 0;	469	return 0;
470		470
471	/* If no user specified to run commands the default to target user */	471	if (options.authorized_keys_command_user == NULL) {
472	if (options.authorized_keys_command_user == NULL)	472	error("No user for AuthorizedKeysCommand specified, skipping");
473	pw = user_pw;	473	return 0;
474	else {	474	}
475	pw = getpwnam(options.authorized_keys_command_user);	475
476	if (pw == NULL) {	476	username = percent_expand(options.authorized_keys_command_user,
477	error("AuthorizedKeyCommandUser \"%s\" not found: %s",	477	"u", user_pw->pw_name, (char *)NULL);
478	options.authorized_keys_command, strerror(errno));	478	pw = getpwnam(username);
479	return 0;	479	if (pw == NULL) {
480	}	480	error("AuthorizedKeyCommandUser \"%s\" not found: %s",
		481	options.authorized_keys_command, strerror(errno));
		482	free(username);
		483	return 0;
481	}	484	}
		485	free(username);
482		486
483	temporarily_use_uid(pw);	487	temporarily_use_uid(pw);
484		488
@@ -517,6 +521,7 @@ user_key_command_allowed2(struct passwd user_pw, Key key)
517	for (i = 0; i < NSIG; i++)	521	for (i = 0; i < NSIG; i++)
518	signal(i, SIG_DFL);	522	signal(i, SIG_DFL);
519		523
		524	closefrom(STDERR_FILENO + 1);
520	/* Don't use permanently_set_uid() here to avoid fatal() */	525	/* Don't use permanently_set_uid() here to avoid fatal() */
521	if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) != 0) {	526	if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) != 0) {
522	error("setresgid %u: %s", (u_int)pw->pw_gid,	527	error("setresgid %u: %s", (u_int)pw->pw_gid,
@@ -541,7 +546,6 @@ user_key_command_allowed2(struct passwd user_pw, Key key)
541	error("%s: dup2: %s", __func__, strerror(errno));	546	error("%s: dup2: %s", __func__, strerror(errno));
542	_exit(1);	547	_exit(1);
543	}	548	}
544	closefrom(STDERR_FILENO + 1);
545		549
546	execl(options.authorized_keys_command,	550	execl(options.authorized_keys_command,
547	options.authorized_keys_command, pw->pw_name, NULL);	551	options.authorized_keys_command, pw->pw_name, NULL);


diff --git a/sshd.c b/sshd.c index eff0290b0..4ad1a4bd1 100644 --- a/sshd.c +++ b/sshd.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: sshd.c,v 1.394 2012/10/30 21:29:55 djm Exp $ */	1	/* $OpenBSD: sshd.c,v 1.395 2012/11/04 10:38:43 djm Exp $ */
2	/*	2	/*
3	* Author: Tatu Ylonen <ylo@cs.hut.fi>	3	* Author: Tatu Ylonen <ylo@cs.hut.fi>
4	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland	4	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1559,6 +1559,13 @@ main(int ac, char **av)
1559	if (options.challenge_response_authentication)	1559	if (options.challenge_response_authentication)
1560	options.kbd_interactive_authentication = 1;	1560	options.kbd_interactive_authentication = 1;
1561		1561
		1562	/* Check that options are sensible */
		1563	if (options.authorized_keys_command_user == NULL &&
		1564	(options.authorized_keys_command != NULL &&
		1565	strcasecmp(options.authorized_keys_command, "none") != 0))
		1566	fatal("AuthorizedKeysCommand set without "
		1567	"AuthorizedKeysCommandUser");
		1568
1562	/* set default channel AF */	1569	/* set default channel AF */
1563	channel_set_af(options.address_family);	1570	channel_set_af(options.address_family);
1564		1571


diff --git a/sshd_config.5 b/sshd_config.5 index 3cc901a82..0fb0b837d 100644 --- a/sshd_config.5 +++ b/sshd_config.5
@@ -33,8 +33,8 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: sshd_config.5,v 1.147 2012/10/31 08:04:50 jmc Exp $	36	.\" $OpenBSD: sshd_config.5,v 1.148 2012/11/04 10:38:43 djm Exp $
37	.Dd $Mdocdate: October 31 2012 $	37	.Dd $Mdocdate: November 4 2012 $
38	.Dt SSHD_CONFIG 5	38	.Dt SSHD_CONFIG 5
39	.Os	39	.Os
40	.Sh NAME	40	.Sh NAME
@@ -166,7 +166,6 @@ files.
166	By default, no AuthorizedKeysCommand is run.	166	By default, no AuthorizedKeysCommand is run.
167	.It Cm AuthorizedKeysCommandUser	167	.It Cm AuthorizedKeysCommandUser
168	Specifies the user under whose account the AuthorizedKeysCommand is run.	168	Specifies the user under whose account the AuthorizedKeysCommand is run.
169	The default is the user being authenticated.
170	It is recommended to use a dedicated user that has no other role on the host	169	It is recommended to use a dedicated user that has no other role on the host
171	than running authorized keys commands.	170	than running authorized keys commands.
172	.It Cm AuthorizedKeysFile	171	.It Cm AuthorizedKeysFile