authorManoj Srivastava <srivasta@debian.org>2014-02-09 16:09:49 +0000
committerColin Watson <cjwatson@debian.org>2014-10-07 14:26:47 +0100
commitc9638aa44d787849cea1ae273f0908c6313fd19b (patch)
tree6b8681822821aad0dcc92575411f0e6fdfb994bf /auth1.c
parentb25d6dd3b6b5a2cb93723586c56d6fa0277ea56a (diff)
Handle SELinux authorisation roles
Rejected upstream due to discomfort with magic usernames; a better approach will need an SSH protocol change. In the meantime, this came from Debian's SELinux maintainer, so we'll keep it until we have something better. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641 Bug-Debian: http://bugs.debian.org/394795 Last-Update: 2013-09-14 Patch-Name: selinux-role.patch
Diffstat (limited to 'auth1.c')
-rw-r--r--auth1.c8
1 files changed, 7 insertions, 1 deletions
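--- a/auth1.c
+++ b/auth1.c
@@ -381,7 +381,7 @@ void
 do_authentication(Authctxt *authctxt)
 {
 	u_int ulen;
-	char *user, *style = NULL;
+	char *user, *style = NULL, *role = NULL;
 
 	/* Get the name of the user that we wish to log in as. */
 	packet_read_expect(SSH_CMSG_USER);
@@ -390,11 +390,17 @@ do_authentication(Authctxt *authctxt)
 	user = packet_get_cstring(&ulen);
 	packet_check_eom();
 
+	if ((role = strchr(user, '/')) != NULL)
+		*role++ = '\0';
+
 	if ((style = strchr(user, ':')) != NULL)
 		*style++ = '\0';
+	else if (role && (style = strchr(role, ':')) != NULL)
+		*style++ = '\0';
 
 	authctxt->user = user;
 	authctxt->style = style;
+	authctxt->role = role;
 
 	/* Verify that the user is a valid user. */
 	if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)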
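Review bot: The `role` string split off at the new `strchr(user, '/')` is client-supplied and is stored in `authctxt->role` with no validation, so an empty suffix (`alice/`), one containing a further `/`, or one with control characters is passed on unchanged; the code that consumes `authctxt->role` is not in this hunk, so whether it rejects such values cannot be seen here. A comment at the split would record the trust boundary and the aliasing: `/* role and style are untrusted client-supplied suffixes carved out of user; both point into the user buffer and must not be freed separately */`. If the SELinux context code does not itself restrict the role, treating a malformed one as absent before it is stored, `if (role != NULL && (*role == '\0' || strchr(role, '/') != NULL)) role = NULL;`, would keep it from ever reaching that code (failing the authentication instead is the stricter option). The enclosing `do_authentication` body continues outside the hunk.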