diff options
author | Manoj Srivastava <srivasta@debian.org> | 2014-02-09 16:09:49 +0000 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2014-02-09 16:17:20 +0000 |
commit | 07f2a771c490bd68cd5c5ea9c535705e93bd94f3 (patch) | |
tree | 3e2ead17b4c91699c13b0417d46bfd750a04e0b8 /auth2.c | |
parent | 950be7e1b1a01ee9b25e2a72726a6370b8acacb6 (diff) |
Handle SELinux authorisation roles
Rejected upstream due to discomfort with magic usernames; a better approach
will need an SSH protocol change. In the meantime, this came from Debian's
SELinux maintainer, so we'll keep it until we have something better.
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641
Bug-Debian: http://bugs.debian.org/394795
Last-Update: 2013-09-14
Patch-Name: selinux-role.patch
Diffstat (limited to 'auth2.c')
-rw-r--r-- | auth2.c | 10 |
1 files changed, 8 insertions, 2 deletions
@@ -222,7 +222,7 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) | |||
222 | { | 222 | { |
223 | Authctxt *authctxt = ctxt; | 223 | Authctxt *authctxt = ctxt; |
224 | Authmethod *m = NULL; | 224 | Authmethod *m = NULL; |
225 | char *user, *service, *method, *style = NULL; | 225 | char *user, *service, *method, *style = NULL, *role = NULL; |
226 | int authenticated = 0; | 226 | int authenticated = 0; |
227 | 227 | ||
228 | if (authctxt == NULL) | 228 | if (authctxt == NULL) |
@@ -234,8 +234,13 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) | |||
234 | debug("userauth-request for user %s service %s method %s", user, service, method); | 234 | debug("userauth-request for user %s service %s method %s", user, service, method); |
235 | debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); | 235 | debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); |
236 | 236 | ||
237 | if ((role = strchr(user, '/')) != NULL) | ||
238 | *role++ = 0; | ||
239 | |||
237 | if ((style = strchr(user, ':')) != NULL) | 240 | if ((style = strchr(user, ':')) != NULL) |
238 | *style++ = 0; | 241 | *style++ = 0; |
242 | else if (role && (style = strchr(role, ':')) != NULL) | ||
243 | *style++ = '\0'; | ||
239 | 244 | ||
240 | if (authctxt->attempt++ == 0) { | 245 | if (authctxt->attempt++ == 0) { |
241 | /* setup auth context */ | 246 | /* setup auth context */ |
@@ -259,8 +264,9 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) | |||
259 | use_privsep ? " [net]" : ""); | 264 | use_privsep ? " [net]" : ""); |
260 | authctxt->service = xstrdup(service); | 265 | authctxt->service = xstrdup(service); |
261 | authctxt->style = style ? xstrdup(style) : NULL; | 266 | authctxt->style = style ? xstrdup(style) : NULL; |
267 | authctxt->role = role ? xstrdup(role) : NULL; | ||
262 | if (use_privsep) | 268 | if (use_privsep) |
263 | mm_inform_authserv(service, style); | 269 | mm_inform_authserv(service, style, role); |
264 | userauth_banner(); | 270 | userauth_banner(); |
265 | if (auth2_setup_methods_lists(authctxt) != 0) | 271 | if (auth2_setup_methods_lists(authctxt) != 0) |
266 | packet_disconnect("no authentication methods enabled"); | 272 | packet_disconnect("no authentication methods enabled"); |