diff options
| author | Damien Miller <djm@mindrot.org> | 2010-05-10 11:58:03 +1000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2010-05-10 11:58:03 +1000 |
| commit | 30da3447d2ef3329cb0eb083cdddf84532659454 (patch) | |
| tree | 02537d2355d77cc15d1bf9d266d474e660848012 /auth-options.c | |
| parent | 099fc1634e1cc0f96b77a811e554bf9d796def8f (diff) | |
- djm@cvs.openbsd.org 2010/05/07 11:30:30
[auth-options.c auth-options.h auth.c auth.h auth2-pubkey.c]
[key.c servconf.c servconf.h sshd.8 sshd_config.5]
add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include the a user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.
When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.
For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.
If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.
These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.
feedback and ok markus@
Diffstat (limited to 'auth-options.c')
| -rw-r--r-- | auth-options.c | 43 |
1 files changed, 42 insertions, 1 deletions
diff --git a/auth-options.c b/auth-options.c index 60d5f749b..57a67ec79 100644 --- a/auth-options.c +++ b/auth-options.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: auth-options.c,v 1.50 2010/04/16 01:47:26 djm Exp $ */ | 1 | /* $OpenBSD: auth-options.c,v 1.51 2010/05/07 11:30:29 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
| 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
| @@ -55,6 +55,9 @@ struct envstring *custom_environment = NULL; | |||
| 55 | /* "tunnel=" option. */ | 55 | /* "tunnel=" option. */ |
| 56 | int forced_tun_device = -1; | 56 | int forced_tun_device = -1; |
| 57 | 57 | ||
| 58 | /* "principals=" option. */ | ||
| 59 | char *authorized_principals = NULL; | ||
| 60 | |||
| 58 | extern ServerOptions options; | 61 | extern ServerOptions options; |
| 59 | 62 | ||
| 60 | void | 63 | void |
| @@ -76,6 +79,10 @@ auth_clear_options(void) | |||
| 76 | xfree(forced_command); | 79 | xfree(forced_command); |
| 77 | forced_command = NULL; | 80 | forced_command = NULL; |
| 78 | } | 81 | } |
| 82 | if (authorized_principals) { | ||
| 83 | xfree(authorized_principals); | ||
| 84 | authorized_principals = NULL; | ||
| 85 | } | ||
| 79 | forced_tun_device = -1; | 86 | forced_tun_device = -1; |
| 80 | channel_clear_permitted_opens(); | 87 | channel_clear_permitted_opens(); |
| 81 | } | 88 | } |
| @@ -141,6 +148,8 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) | |||
| 141 | cp = "command=\""; | 148 | cp = "command=\""; |
| 142 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { | 149 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { |
| 143 | opts += strlen(cp); | 150 | opts += strlen(cp); |
| 151 | if (forced_command != NULL) | ||
| 152 | xfree(forced_command); | ||
| 144 | forced_command = xmalloc(strlen(opts) + 1); | 153 | forced_command = xmalloc(strlen(opts) + 1); |
| 145 | i = 0; | 154 | i = 0; |
| 146 | while (*opts) { | 155 | while (*opts) { |
| @@ -167,6 +176,38 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) | |||
| 167 | opts++; | 176 | opts++; |
| 168 | goto next_option; | 177 | goto next_option; |
| 169 | } | 178 | } |
| 179 | cp = "principals=\""; | ||
| 180 | if (strncasecmp(opts, cp, strlen(cp)) == 0) { | ||
| 181 | opts += strlen(cp); | ||
| 182 | if (authorized_principals != NULL) | ||
| 183 | xfree(authorized_principals); | ||
| 184 | authorized_principals = xmalloc(strlen(opts) + 1); | ||
| 185 | i = 0; | ||
| 186 | while (*opts) { | ||
| 187 | if (*opts == '"') | ||
| 188 | break; | ||
| 189 | if (*opts == '\\' && opts[1] == '"') { | ||
| 190 | opts += 2; | ||
| 191 | authorized_principals[i++] = '"'; | ||
| 192 | continue; | ||
| 193 | } | ||
| 194 | authorized_principals[i++] = *opts++; | ||
| 195 | } | ||
| 196 | if (!*opts) { | ||
| 197 | debug("%.100s, line %lu: missing end quote", | ||
| 198 | file, linenum); | ||
| 199 | auth_debug_add("%.100s, line %lu: missing end quote", | ||
| 200 | file, linenum); | ||
| 201 | xfree(authorized_principals); | ||
| 202 | authorized_principals = NULL; | ||
| 203 | goto bad_option; | ||
| 204 | } | ||
| 205 | authorized_principals[i] = '\0'; | ||
| 206 | auth_debug_add("principals: %.900s", | ||
| 207 | authorized_principals); | ||
| 208 | opts++; | ||
| 209 | goto next_option; | ||
| 210 | } | ||
| 170 | cp = "environment=\""; | 211 | cp = "environment=\""; |
| 171 | if (options.permit_user_env && | 212 | if (options.permit_user_env && |
| 172 | strncasecmp(opts, cp, strlen(cp)) == 0) { | 213 | strncasecmp(opts, cp, strlen(cp)) == 0) { |