diff options
author | Manoj Srivastava <srivasta@debian.org> | 2014-02-09 16:09:49 +0000 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2014-10-07 14:26:47 +0100 |
commit | c9638aa44d787849cea1ae273f0908c6313fd19b (patch) | |
tree | 6b8681822821aad0dcc92575411f0e6fdfb994bf /auth1.c | |
parent | b25d6dd3b6b5a2cb93723586c56d6fa0277ea56a (diff) |
Handle SELinux authorisation roles
Rejected upstream due to discomfort with magic usernames; a better approach
will need an SSH protocol change. In the meantime, this came from Debian's
SELinux maintainer, so we'll keep it until we have something better.
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641
Bug-Debian: http://bugs.debian.org/394795
Last-Update: 2013-09-14
Patch-Name: selinux-role.patch
Diffstat (limited to 'auth1.c')
-rw-r--r-- | auth1.c | 8 |
1 files changed, 7 insertions, 1 deletions
@@ -381,7 +381,7 @@ void | |||
381 | do_authentication(Authctxt *authctxt) | 381 | do_authentication(Authctxt *authctxt) |
382 | { | 382 | { |
383 | u_int ulen; | 383 | u_int ulen; |
384 | char *user, *style = NULL; | 384 | char *user, *style = NULL, *role = NULL; |
385 | 385 | ||
386 | /* Get the name of the user that we wish to log in as. */ | 386 | /* Get the name of the user that we wish to log in as. */ |
387 | packet_read_expect(SSH_CMSG_USER); | 387 | packet_read_expect(SSH_CMSG_USER); |
@@ -390,11 +390,17 @@ do_authentication(Authctxt *authctxt) | |||
390 | user = packet_get_cstring(&ulen); | 390 | user = packet_get_cstring(&ulen); |
391 | packet_check_eom(); | 391 | packet_check_eom(); |
392 | 392 | ||
393 | if ((role = strchr(user, '/')) != NULL) | ||
394 | *role++ = '\0'; | ||
395 | |||
393 | if ((style = strchr(user, ':')) != NULL) | 396 | if ((style = strchr(user, ':')) != NULL) |
394 | *style++ = '\0'; | 397 | *style++ = '\0'; |
398 | else if (role && (style = strchr(role, ':')) != NULL) | ||
399 | *style++ = '\0'; | ||
395 | 400 | ||
396 | authctxt->user = user; | 401 | authctxt->user = user; |
397 | authctxt->style = style; | 402 | authctxt->style = style; |
403 | authctxt->role = role; | ||
398 | 404 | ||
399 | /* Verify that the user is a valid user. */ | 405 | /* Verify that the user is a valid user. */ |
400 | if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL) | 406 | if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL) |