summaryrefslogtreecommitdiff
path: root/auth2.c
diff options
context:
space:
mode:
authorManoj Srivastava <srivasta@debian.org>2014-02-09 16:09:49 +0000
committerColin Watson <cjwatson@debian.org>2018-08-24 17:49:07 +0100
commit03979f2e0768e146d179c66f2d2e33afe61c1be3 (patch)
tree624add62ece0fb72400966a483aa5af060fb0a77 /auth2.c
parent84a7a1b1c767056c80add9f0e15c9f9ec23ec94d (diff)
Handle SELinux authorisation roles
Rejected upstream due to discomfort with magic usernames; a better approach will need an SSH protocol change. In the meantime, this came from Debian's SELinux maintainer, so we'll keep it until we have something better. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641 Bug-Debian: http://bugs.debian.org/394795 Last-Update: 2018-08-24 Patch-Name: selinux-role.patch
Diffstat (limited to 'auth2.c')
-rw-r--r--auth2.c10
1 files changed, 8 insertions, 2 deletions
diff --git a/auth2.c b/auth2.c
index 96efe164c..90a247c1c 100644
--- a/auth2.c
+++ b/auth2.c
@@ -257,7 +257,7 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
257{ 257{
258 Authctxt *authctxt = ssh->authctxt; 258 Authctxt *authctxt = ssh->authctxt;
259 Authmethod *m = NULL; 259 Authmethod *m = NULL;
260 char *user, *service, *method, *style = NULL; 260 char *user, *service, *method, *style = NULL, *role = NULL;
261 int authenticated = 0; 261 int authenticated = 0;
262 double tstart = monotime_double(); 262 double tstart = monotime_double();
263 263
@@ -270,8 +270,13 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
270 debug("userauth-request for user %s service %s method %s", user, service, method); 270 debug("userauth-request for user %s service %s method %s", user, service, method);
271 debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); 271 debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
272 272
273 if ((role = strchr(user, '/')) != NULL)
274 *role++ = 0;
275
273 if ((style = strchr(user, ':')) != NULL) 276 if ((style = strchr(user, ':')) != NULL)
274 *style++ = 0; 277 *style++ = 0;
278 else if (role && (style = strchr(role, ':')) != NULL)
279 *style++ = '\0';
275 280
276 if (authctxt->attempt++ == 0) { 281 if (authctxt->attempt++ == 0) {
277 /* setup auth context */ 282 /* setup auth context */
@@ -298,8 +303,9 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
298 use_privsep ? " [net]" : ""); 303 use_privsep ? " [net]" : "");
299 authctxt->service = xstrdup(service); 304 authctxt->service = xstrdup(service);
300 authctxt->style = style ? xstrdup(style) : NULL; 305 authctxt->style = style ? xstrdup(style) : NULL;
306 authctxt->role = role ? xstrdup(role) : NULL;
301 if (use_privsep) 307 if (use_privsep)
302 mm_inform_authserv(service, style); 308 mm_inform_authserv(service, style, role);
303 userauth_banner(); 309 userauth_banner();
304 if (auth2_setup_methods_lists(authctxt) != 0) 310 if (auth2_setup_methods_lists(authctxt) != 0)
305 packet_disconnect("no authentication methods enabled"); 311 packet_disconnect("no authentication methods enabled");