author | Colin Watson <cjwatson@debian.org> | 2005-06-17 12:44:30 +0000 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2005-06-17 12:44:30 +0000 |
commit | 4c2d1c67cea075107aadaa6d81fe456687c69e67 (patch) | |
tree | 4f31813c8306491c908948bd75254912385ed651 /auth2.c | |
parent | bed4bb0fe9380912ecb90e5f918bce8825ec0a38 (diff) |
Manoj Srivastava:
- Added SELinux capability, and turned it on by default. Added
restorecon calls in preinst and postinst (should not matter if the
machine is not SELinux aware). By and large, the changes made should
have no effect unless the rules file calls --with-selinux; and even
then there should be no performance hit for machines not actively
running SELinux.
- Modified the preinst and postinst to call restorecon to set the
security context for the generated public key files.
- Added a comment to /etc/pam.d/ssh to indicate that an SELinux system
may want to also include pam_selinux.so.
Diffstat (limited to 'auth2.c')
-rw-r--r-- | auth2.c | 10 |
1 files changed, 8 insertions, 2 deletions
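--- a/auth2.c
+++ b/auth2.c
@@ -134,7 +134,7 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
 {
 Authctxt *authctxt = ctxt;
 Authmethod *m = NULL;
-char *user, *service, *method, *style = NULL;
+char *user, *service, *method, *style = NULL, *role = NULL;
 int authenticated = 0;
 
 if (authctxt == NULL)
@@ -146,8 +146,13 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
 debug("userauth-request for user %s service %s method %s", user, service, method);
 debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
 
+if ((role = strchr(user, '/')) != NULL)
+*role++ = 0;
+
 if ((style = strchr(user, ':')) != NULL)
 *style++ = 0;
+else if (role && (style = strchr(role, ':')) != NULL)
+*style++ = '\0';
 
 if (authctxt->attempt++ == 0) {
 /* setup auth context */
@@ -175,8 +180,9 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
 use_privsep ? " [net]" : "");
 authctxt->service = xstrdup(service);
 authctxt->style = style ? xstrdup(style) : NULL;
+authctxt->role = role ? xstrdup(role) : NULL;
 if (use_privsep)
-mm_inform_authserv(service, style);
+mm_inform_authserv(service, style, role);
 } else if (strcmp(user, authctxt->user) != 0 ||
 strcmp(service, authctxt->service) != 0) {
 packet_disconnect("Change of username or service not allowed: "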
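Review bot: The repeat-attempt branch at the end of the third hunk (`} else if (strcmp(user, authctxt->user) != 0 || strcmp(service, authctxt->service) != 0) {`) still compares only user and service, so a later userauth request may carry a different `/role` suffix without triggering the "Change of username or service not allowed" disconnect; the freshly parsed `role` is discarded and `authctxt->role` keeps whatever the first attempt supplied. Because the role is what the new code hands to the privileged monitor via `mm_inform_authserv(service, style, role)`, it seems worth rejecting a changed role the same way, e.g. extending the condition with `(role != NULL) != (authctxt->role != NULL) ||` and `(role != NULL && strcmp(role, authctxt->role) != 0)` and widening the disconnect message to mention the role. Whether anything later in the function reads the per-attempt `role` is outside the hunk (input_userauth_request's body starts before and continues after what is shown), so this may be a consistency gap rather than an exploitable one. Minor style point in the second hunk: the terminator is written as `0` in `*role++ = 0;` and `*style++ = 0;` but as `'\0'` in the new `else if` branch; pick one form.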