diff options
author | Manoj Srivastava <srivasta@debian.org> | 2014-02-09 16:09:49 +0000 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2019-10-09 23:06:25 +0100 |
commit | 3131e3bb3c56a6c6ee8cb9d68f542af04cd9e8ff (patch) | |
tree | fb2bdf39ed7ad6111f501712d2d9346a55528214 /auth2.c | |
parent | 57c1dd662f9259f58a47801e2d4b0f84e973441d (diff) |
Handle SELinux authorisation roles
Rejected upstream due to discomfort with magic usernames; a better approach
will need an SSH protocol change. In the meantime, this came from Debian's
SELinux maintainer, so we'll keep it until we have something better.
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641
Bug-Debian: http://bugs.debian.org/394795
Last-Update: 2019-06-05
Patch-Name: selinux-role.patch
Diffstat (limited to 'auth2.c')
-rw-r--r-- | auth2.c | 10 |
1 files changed, 8 insertions, 2 deletions
@@ -265,7 +265,7 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh) | |||
265 | { | 265 | { |
266 | Authctxt *authctxt = ssh->authctxt; | 266 | Authctxt *authctxt = ssh->authctxt; |
267 | Authmethod *m = NULL; | 267 | Authmethod *m = NULL; |
268 | char *user = NULL, *service = NULL, *method = NULL, *style = NULL; | 268 | char *user = NULL, *service = NULL, *method = NULL, *style = NULL, *role = NULL; |
269 | int r, authenticated = 0; | 269 | int r, authenticated = 0; |
270 | double tstart = monotime_double(); | 270 | double tstart = monotime_double(); |
271 | 271 | ||
@@ -279,8 +279,13 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh) | |||
279 | debug("userauth-request for user %s service %s method %s", user, service, method); | 279 | debug("userauth-request for user %s service %s method %s", user, service, method); |
280 | debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); | 280 | debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); |
281 | 281 | ||
282 | if ((role = strchr(user, '/')) != NULL) | ||
283 | *role++ = 0; | ||
284 | |||
282 | if ((style = strchr(user, ':')) != NULL) | 285 | if ((style = strchr(user, ':')) != NULL) |
283 | *style++ = 0; | 286 | *style++ = 0; |
287 | else if (role && (style = strchr(role, ':')) != NULL) | ||
288 | *style++ = '\0'; | ||
284 | 289 | ||
285 | if (authctxt->attempt++ == 0) { | 290 | if (authctxt->attempt++ == 0) { |
286 | /* setup auth context */ | 291 | /* setup auth context */ |
@@ -307,8 +312,9 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh) | |||
307 | use_privsep ? " [net]" : ""); | 312 | use_privsep ? " [net]" : ""); |
308 | authctxt->service = xstrdup(service); | 313 | authctxt->service = xstrdup(service); |
309 | authctxt->style = style ? xstrdup(style) : NULL; | 314 | authctxt->style = style ? xstrdup(style) : NULL; |
315 | authctxt->role = role ? xstrdup(role) : NULL; | ||
310 | if (use_privsep) | 316 | if (use_privsep) |
311 | mm_inform_authserv(service, style); | 317 | mm_inform_authserv(service, style, role); |
312 | userauth_banner(ssh); | 318 | userauth_banner(ssh); |
313 | if (auth2_setup_methods_lists(authctxt) != 0) | 319 | if (auth2_setup_methods_lists(authctxt) != 0) |
314 | ssh_packet_disconnect(ssh, | 320 | ssh_packet_disconnect(ssh, |