summaryrefslogtreecommitdiff
path: root/auth2.c
diff options
context:
space:
mode:
authorManoj Srivastava <srivasta@debian.org>2014-02-09 16:09:49 +0000
committerColin Watson <cjwatson@debian.org>2014-02-09 16:17:20 +0000
commit07f2a771c490bd68cd5c5ea9c535705e93bd94f3 (patch)
tree3e2ead17b4c91699c13b0417d46bfd750a04e0b8 /auth2.c
parent950be7e1b1a01ee9b25e2a72726a6370b8acacb6 (diff)
Handle SELinux authorisation roles
Rejected upstream due to discomfort with magic usernames; a better approach will need an SSH protocol change. In the meantime, this came from Debian's SELinux maintainer, so we'll keep it until we have something better. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641 Bug-Debian: http://bugs.debian.org/394795 Last-Update: 2013-09-14 Patch-Name: selinux-role.patch
Diffstat (limited to 'auth2.c')
-rw-r--r--auth2.c10
1 files changed, 8 insertions, 2 deletions
diff --git a/auth2.c b/auth2.c
index 6ed8f042b..b55bbcd95 100644
--- a/auth2.c
+++ b/auth2.c
@@ -222,7 +222,7 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
222{ 222{
223 Authctxt *authctxt = ctxt; 223 Authctxt *authctxt = ctxt;
224 Authmethod *m = NULL; 224 Authmethod *m = NULL;
225 char *user, *service, *method, *style = NULL; 225 char *user, *service, *method, *style = NULL, *role = NULL;
226 int authenticated = 0; 226 int authenticated = 0;
227 227
228 if (authctxt == NULL) 228 if (authctxt == NULL)
@@ -234,8 +234,13 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
234 debug("userauth-request for user %s service %s method %s", user, service, method); 234 debug("userauth-request for user %s service %s method %s", user, service, method);
235 debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); 235 debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
236 236
237 if ((role = strchr(user, '/')) != NULL)
238 *role++ = 0;
239
237 if ((style = strchr(user, ':')) != NULL) 240 if ((style = strchr(user, ':')) != NULL)
238 *style++ = 0; 241 *style++ = 0;
242 else if (role && (style = strchr(role, ':')) != NULL)
243 *style++ = '\0';
239 244
240 if (authctxt->attempt++ == 0) { 245 if (authctxt->attempt++ == 0) {
241 /* setup auth context */ 246 /* setup auth context */
@@ -259,8 +264,9 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
259 use_privsep ? " [net]" : ""); 264 use_privsep ? " [net]" : "");
260 authctxt->service = xstrdup(service); 265 authctxt->service = xstrdup(service);
261 authctxt->style = style ? xstrdup(style) : NULL; 266 authctxt->style = style ? xstrdup(style) : NULL;
267 authctxt->role = role ? xstrdup(role) : NULL;
262 if (use_privsep) 268 if (use_privsep)
263 mm_inform_authserv(service, style); 269 mm_inform_authserv(service, style, role);
264 userauth_banner(); 270 userauth_banner();
265 if (auth2_setup_methods_lists(authctxt) != 0) 271 if (auth2_setup_methods_lists(authctxt) != 0)
266 packet_disconnect("no authentication methods enabled"); 272 packet_disconnect("no authentication methods enabled");