diff options
author | Manoj Srivastava <srivasta@debian.org> | 2014-02-09 16:09:49 +0000 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2018-08-24 17:49:07 +0100 |
commit | 03979f2e0768e146d179c66f2d2e33afe61c1be3 (patch) | |
tree | 624add62ece0fb72400966a483aa5af060fb0a77 /auth2.c | |
parent | 84a7a1b1c767056c80add9f0e15c9f9ec23ec94d (diff) |
Handle SELinux authorisation roles
Rejected upstream due to discomfort with magic usernames; a better approach
will need an SSH protocol change. In the meantime, this came from Debian's
SELinux maintainer, so we'll keep it until we have something better.
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641
Bug-Debian: http://bugs.debian.org/394795
Last-Update: 2018-08-24
Patch-Name: selinux-role.patch
Diffstat (limited to 'auth2.c')
-rw-r--r-- | auth2.c | 10 |
1 files changed, 8 insertions, 2 deletions
@@ -257,7 +257,7 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh) | |||
257 | { | 257 | { |
258 | Authctxt *authctxt = ssh->authctxt; | 258 | Authctxt *authctxt = ssh->authctxt; |
259 | Authmethod *m = NULL; | 259 | Authmethod *m = NULL; |
260 | char *user, *service, *method, *style = NULL; | 260 | char *user, *service, *method, *style = NULL, *role = NULL; |
261 | int authenticated = 0; | 261 | int authenticated = 0; |
262 | double tstart = monotime_double(); | 262 | double tstart = monotime_double(); |
263 | 263 | ||
@@ -270,8 +270,13 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh) | |||
270 | debug("userauth-request for user %s service %s method %s", user, service, method); | 270 | debug("userauth-request for user %s service %s method %s", user, service, method); |
271 | debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); | 271 | debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); |
272 | 272 | ||
273 | if ((role = strchr(user, '/')) != NULL) | ||
274 | *role++ = 0; | ||
275 | |||
273 | if ((style = strchr(user, ':')) != NULL) | 276 | if ((style = strchr(user, ':')) != NULL) |
274 | *style++ = 0; | 277 | *style++ = 0; |
278 | else if (role && (style = strchr(role, ':')) != NULL) | ||
279 | *style++ = '\0'; | ||
275 | 280 | ||
276 | if (authctxt->attempt++ == 0) { | 281 | if (authctxt->attempt++ == 0) { |
277 | /* setup auth context */ | 282 | /* setup auth context */ |
@@ -298,8 +303,9 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh) | |||
298 | use_privsep ? " [net]" : ""); | 303 | use_privsep ? " [net]" : ""); |
299 | authctxt->service = xstrdup(service); | 304 | authctxt->service = xstrdup(service); |
300 | authctxt->style = style ? xstrdup(style) : NULL; | 305 | authctxt->style = style ? xstrdup(style) : NULL; |
306 | authctxt->role = role ? xstrdup(role) : NULL; | ||
301 | if (use_privsep) | 307 | if (use_privsep) |
302 | mm_inform_authserv(service, style); | 308 | mm_inform_authserv(service, style, role); |
303 | userauth_banner(); | 309 | userauth_banner(); |
304 | if (auth2_setup_methods_lists(authctxt) != 0) | 310 | if (auth2_setup_methods_lists(authctxt) != 0) |
305 | packet_disconnect("no authentication methods enabled"); | 311 | packet_disconnect("no authentication methods enabled"); |