summaryrefslogtreecommitdiff
path: root/auth1.c
diff options
context:
space:
mode:
authorManoj Srivastava <srivasta@debian.org>2014-02-09 16:09:49 +0000
committerColin Watson <cjwatson@debian.org>2016-01-04 15:07:00 +0000
commit5f583693723b0f56608a9a91e58b248219a668c9 (patch)
tree6150b43049000afeb3ed01fa6d25e08d403c8f9c /auth1.c
parentc538473bc1958b99bb26283752f287df5934045a (diff)
Handle SELinux authorisation roles
Rejected upstream due to discomfort with magic usernames; a better approach will need an SSH protocol change. In the meantime, this came from Debian's SELinux maintainer, so we'll keep it until we have something better. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641 Bug-Debian: http://bugs.debian.org/394795 Last-Update: 2015-08-19 Patch-Name: selinux-role.patch
Diffstat (limited to 'auth1.c')
-rw-r--r--auth1.c8
1 files changed, 7 insertions, 1 deletions
diff --git a/auth1.c b/auth1.c
index 5073c49bb..dd0064832 100644
--- a/auth1.c
+++ b/auth1.c
@@ -383,7 +383,7 @@ void
383do_authentication(Authctxt *authctxt) 383do_authentication(Authctxt *authctxt)
384{ 384{
385 u_int ulen; 385 u_int ulen;
386 char *user, *style = NULL; 386 char *user, *style = NULL, *role = NULL;
387 387
388 /* Get the name of the user that we wish to log in as. */ 388 /* Get the name of the user that we wish to log in as. */
389 packet_read_expect(SSH_CMSG_USER); 389 packet_read_expect(SSH_CMSG_USER);
@@ -392,11 +392,17 @@ do_authentication(Authctxt *authctxt)
392 user = packet_get_cstring(&ulen); 392 user = packet_get_cstring(&ulen);
393 packet_check_eom(); 393 packet_check_eom();
394 394
395 if ((role = strchr(user, '/')) != NULL)
396 *role++ = '\0';
397
395 if ((style = strchr(user, ':')) != NULL) 398 if ((style = strchr(user, ':')) != NULL)
396 *style++ = '\0'; 399 *style++ = '\0';
400 else if (role && (style = strchr(role, ':')) != NULL)
401 *style++ = '\0';
397 402
398 authctxt->user = user; 403 authctxt->user = user;
399 authctxt->style = style; 404 authctxt->style = style;
405 authctxt->role = role;
400 406
401 /* Verify that the user is a valid user. */ 407 /* Verify that the user is a valid user. */
402 if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL) 408 if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)