Manoj Srivastava:

- Added SELinux capability, and turned it on be default. Added
  restorecon calls in preinst and postinst (should not matter if the
  machine is not SELinux aware). By and large, the changes made should
  have no effect unless the rules file calls --with-selinux; and even
  then there should be no performance hit for machines not actively
  running SELinux.
- Modified the preinst and postinst to call restorecon to set the
  security context for the generated public key files.
- Added a comment to /etc/pam.d/ssh to indicate that an SELinux system
  may want to also include pam_selinux.so.

1 files changed, 7 insertions, 1 deletions

diff --git a/auth1.c b/auth1.c
index d08928455..4fe00ddae 100644
--- a/auth1.c
+++ b/auth1.c
@@ -308,7 +308,7 @@ void
 do_authentication(Authctxt *authctxt)
 {
         u_int ulen;
-        char *user, *style = NULL;
+        char *user, *style = NULL, *role = NULL;
 
         /* Get the name of the user that we wish to log in as. */
         packet_read_expect(SSH_CMSG_USER);
@@ -317,11 +317,17 @@ do_authentication(Authctxt *authctxt)
         user = packet_get_string(&ulen);
         packet_check_eom();
 
+        if ((role = strchr(user, '/')) != NULL)
+                *role++ = '\0';
+
         if ((style = strchr(user, ':')) != NULL)
                 *style++ = '\0';
+        else if (role && (style = strchr(role, ':')) != NULL)
+                *style++ = '\0';
 
         authctxt->user = user;
         authctxt->style = style;
+        authctxt->role = role;
 
         /* Verify that the user is a valid user. */
         if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)