Handle SELinux authorisation roles

Rejected upstream due to discomfort with magic usernames; a better approach
will need an SSH protocol change.  In the meantime, this came from Debian's
SELinux maintainer, so we'll keep it until we have something better.

Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641
Bug-Debian: http://bugs.debian.org/394795
Last-Update: 2015-08-19

Patch-Name: selinux-role.patch

1 files changed, 7 insertions, 1 deletions

diff --git a/auth1.c b/auth1.c
index 5073c49bb..dd0064832 100644
--- a/auth1.c
+++ b/auth1.c
@@ -383,7 +383,7 @@ void
 do_authentication(Authctxt *authctxt)
 {
         u_int ulen;
-        char *user, *style = NULL;
+        char *user, *style = NULL, *role = NULL;
 
         /* Get the name of the user that we wish to log in as. */
         packet_read_expect(SSH_CMSG_USER);
@@ -392,11 +392,17 @@ do_authentication(Authctxt *authctxt)
         user = packet_get_cstring(&ulen);
         packet_check_eom();
 
+        if ((role = strchr(user, '/')) != NULL)
+                *role++ = '\0';
+
         if ((style = strchr(user, ':')) != NULL)
                 *style++ = '\0';
+        else if (role && (style = strchr(role, ':')) != NULL)
+                *style++ = '\0';
 
         authctxt->user = user;
         authctxt->style = style;
+        authctxt->role = role;
 
         /* Verify that the user is a valid user. */
         if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)