diff options
author | Manoj Srivastava <srivasta@debian.org> | 2014-02-09 16:09:49 +0000 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2016-01-04 15:07:00 +0000 |
commit | 5f583693723b0f56608a9a91e58b248219a668c9 (patch) | |
tree | 6150b43049000afeb3ed01fa6d25e08d403c8f9c /auth1.c | |
parent | c538473bc1958b99bb26283752f287df5934045a (diff) |
Handle SELinux authorisation roles
Rejected upstream due to discomfort with magic usernames; a better approach
will need an SSH protocol change. In the meantime, this came from Debian's
SELinux maintainer, so we'll keep it until we have something better.
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641
Bug-Debian: http://bugs.debian.org/394795
Last-Update: 2015-08-19
Patch-Name: selinux-role.patch
Diffstat (limited to 'auth1.c')
-rw-r--r-- | auth1.c | 8 |
1 files changed, 7 insertions, 1 deletions
@@ -383,7 +383,7 @@ void | |||
383 | do_authentication(Authctxt *authctxt) | 383 | do_authentication(Authctxt *authctxt) |
384 | { | 384 | { |
385 | u_int ulen; | 385 | u_int ulen; |
386 | char *user, *style = NULL; | 386 | char *user, *style = NULL, *role = NULL; |
387 | 387 | ||
388 | /* Get the name of the user that we wish to log in as. */ | 388 | /* Get the name of the user that we wish to log in as. */ |
389 | packet_read_expect(SSH_CMSG_USER); | 389 | packet_read_expect(SSH_CMSG_USER); |
@@ -392,11 +392,17 @@ do_authentication(Authctxt *authctxt) | |||
392 | user = packet_get_cstring(&ulen); | 392 | user = packet_get_cstring(&ulen); |
393 | packet_check_eom(); | 393 | packet_check_eom(); |
394 | 394 | ||
395 | if ((role = strchr(user, '/')) != NULL) | ||
396 | *role++ = '\0'; | ||
397 | |||
395 | if ((style = strchr(user, ':')) != NULL) | 398 | if ((style = strchr(user, ':')) != NULL) |
396 | *style++ = '\0'; | 399 | *style++ = '\0'; |
400 | else if (role && (style = strchr(role, ':')) != NULL) | ||
401 | *style++ = '\0'; | ||
397 | 402 | ||
398 | authctxt->user = user; | 403 | authctxt->user = user; |
399 | authctxt->style = style; | 404 | authctxt->style = style; |
405 | authctxt->role = role; | ||
400 | 406 | ||
401 | /* Verify that the user is a valid user. */ | 407 | /* Verify that the user is a valid user. */ |
402 | if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL) | 408 | if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL) |