summaryrefslogtreecommitdiff
path: root/auth2.c
diff options
context:
space:
mode:
authorManoj Srivastava <srivasta@debian.org>2014-02-09 16:09:49 +0000
committerColin Watson <cjwatson@debian.org>2016-12-28 20:05:04 +0000
commitef3ee35a1061c563f2c32ab13f77324b6372e8be (patch)
treeac3c0346a8f758bfec45ec562c5d164b2ae7c904 /auth2.c
parent10d7583287f2d589da0786819e62a0be5ec9847f (diff)
Handle SELinux authorisation roles
Rejected upstream due to discomfort with magic usernames; a better approach will need an SSH protocol change. In the meantime, this came from Debian's SELinux maintainer, so we'll keep it until we have something better. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641 Bug-Debian: http://bugs.debian.org/394795 Last-Update: 2015-08-19 Patch-Name: selinux-role.patch
Diffstat (limited to 'auth2.c')
-rw-r--r--auth2.c10
1 files changed, 8 insertions, 2 deletions
diff --git a/auth2.c b/auth2.c
index ce0d37601..461311bda 100644
--- a/auth2.c
+++ b/auth2.c
@@ -216,7 +216,7 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
216{ 216{
217 Authctxt *authctxt = ctxt; 217 Authctxt *authctxt = ctxt;
218 Authmethod *m = NULL; 218 Authmethod *m = NULL;
219 char *user, *service, *method, *style = NULL; 219 char *user, *service, *method, *style = NULL, *role = NULL;
220 int authenticated = 0; 220 int authenticated = 0;
221 221
222 if (authctxt == NULL) 222 if (authctxt == NULL)
@@ -228,8 +228,13 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
228 debug("userauth-request for user %s service %s method %s", user, service, method); 228 debug("userauth-request for user %s service %s method %s", user, service, method);
229 debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); 229 debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
230 230
231 if ((role = strchr(user, '/')) != NULL)
232 *role++ = 0;
233
231 if ((style = strchr(user, ':')) != NULL) 234 if ((style = strchr(user, ':')) != NULL)
232 *style++ = 0; 235 *style++ = 0;
236 else if (role && (style = strchr(role, ':')) != NULL)
237 *style++ = '\0';
233 238
234 if (authctxt->attempt++ == 0) { 239 if (authctxt->attempt++ == 0) {
235 /* setup auth context */ 240 /* setup auth context */
@@ -253,8 +258,9 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
253 use_privsep ? " [net]" : ""); 258 use_privsep ? " [net]" : "");
254 authctxt->service = xstrdup(service); 259 authctxt->service = xstrdup(service);
255 authctxt->style = style ? xstrdup(style) : NULL; 260 authctxt->style = style ? xstrdup(style) : NULL;
261 authctxt->role = role ? xstrdup(role) : NULL;
256 if (use_privsep) 262 if (use_privsep)
257 mm_inform_authserv(service, style); 263 mm_inform_authserv(service, style, role);
258 userauth_banner(); 264 userauth_banner();
259 if (auth2_setup_methods_lists(authctxt) != 0) 265 if (auth2_setup_methods_lists(authctxt) != 0)
260 packet_disconnect("no authentication methods enabled"); 266 packet_disconnect("no authentication methods enabled");