diff options
| author | Manoj Srivastava <srivasta@debian.org> | 2014-02-09 16:09:49 +0000 |
|---|---|---|
| committer | Colin Watson <cjwatson@debian.org> | 2014-10-07 14:26:47 +0100 |
| commit | c9638aa44d787849cea1ae273f0908c6313fd19b (patch) | |
| tree | 6b8681822821aad0dcc92575411f0e6fdfb994bf /auth2.c | |
| parent | b25d6dd3b6b5a2cb93723586c56d6fa0277ea56a (diff) | |
Handle SELinux authorisation roles
Rejected upstream due to discomfort with magic usernames; a better approach
will need an SSH protocol change. In the meantime, this came from Debian's
SELinux maintainer, so we'll keep it until we have something better.
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641
Bug-Debian: http://bugs.debian.org/394795
Last-Update: 2013-09-14
Patch-Name: selinux-role.patch
Diffstat (limited to 'auth2.c')
| -rw-r--r-- | auth2.c | 10 |
1 files changed, 8 insertions, 2 deletions
| @@ -217,7 +217,7 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) | |||
| 217 | { | 217 | { |
| 218 | Authctxt *authctxt = ctxt; | 218 | Authctxt *authctxt = ctxt; |
| 219 | Authmethod *m = NULL; | 219 | Authmethod *m = NULL; |
| 220 | char *user, *service, *method, *style = NULL; | 220 | char *user, *service, *method, *style = NULL, *role = NULL; |
| 221 | int authenticated = 0; | 221 | int authenticated = 0; |
| 222 | 222 | ||
| 223 | if (authctxt == NULL) | 223 | if (authctxt == NULL) |
| @@ -229,8 +229,13 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) | |||
| 229 | debug("userauth-request for user %s service %s method %s", user, service, method); | 229 | debug("userauth-request for user %s service %s method %s", user, service, method); |
| 230 | debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); | 230 | debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); |
| 231 | 231 | ||
| 232 | if ((role = strchr(user, '/')) != NULL) | ||
| 233 | *role++ = 0; | ||
| 234 | |||
| 232 | if ((style = strchr(user, ':')) != NULL) | 235 | if ((style = strchr(user, ':')) != NULL) |
| 233 | *style++ = 0; | 236 | *style++ = 0; |
| 237 | else if (role && (style = strchr(role, ':')) != NULL) | ||
| 238 | *style++ = '\0'; | ||
| 234 | 239 | ||
| 235 | if (authctxt->attempt++ == 0) { | 240 | if (authctxt->attempt++ == 0) { |
| 236 | /* setup auth context */ | 241 | /* setup auth context */ |
| @@ -254,8 +259,9 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) | |||
| 254 | use_privsep ? " [net]" : ""); | 259 | use_privsep ? " [net]" : ""); |
| 255 | authctxt->service = xstrdup(service); | 260 | authctxt->service = xstrdup(service); |
| 256 | authctxt->style = style ? xstrdup(style) : NULL; | 261 | authctxt->style = style ? xstrdup(style) : NULL; |
| 262 | authctxt->role = role ? xstrdup(role) : NULL; | ||
| 257 | if (use_privsep) | 263 | if (use_privsep) |
| 258 | mm_inform_authserv(service, style); | 264 | mm_inform_authserv(service, style, role); |
| 259 | userauth_banner(); | 265 | userauth_banner(); |
| 260 | if (auth2_setup_methods_lists(authctxt) != 0) | 266 | if (auth2_setup_methods_lists(authctxt) != 0) |
| 261 | packet_disconnect("no authentication methods enabled"); | 267 | packet_disconnect("no authentication methods enabled"); |