summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--auth.h1
-rw-r--r--auth2.c10
-rw-r--r--monitor.c37
-rw-r--r--monitor.h2
-rw-r--r--monitor_wrap.c27
-rw-r--r--monitor_wrap.h3
-rw-r--r--openbsd-compat/port-linux.c21
-rw-r--r--openbsd-compat/port-linux.h4
-rw-r--r--platform.c4
-rw-r--r--platform.h2
-rw-r--r--session.c10
-rw-r--r--session.h2
-rw-r--r--sshd.c2
-rw-r--r--sshpty.c4
-rw-r--r--sshpty.h2
15 files changed, 99 insertions, 32 deletions
diff --git a/auth.h b/auth.h
index 977562f0a..90802a5eb 100644
--- a/auth.h
+++ b/auth.h
@@ -65,6 +65,7 @@ struct Authctxt {
65 char *service; 65 char *service;
66 struct passwd *pw; /* set if 'valid' */ 66 struct passwd *pw; /* set if 'valid' */
67 char *style; 67 char *style;
68 char *role;
68 69
69 /* Method lists for multiple authentication */ 70 /* Method lists for multiple authentication */
70 char **auth_methods; /* modified from server config */ 71 char **auth_methods; /* modified from server config */
diff --git a/auth2.c b/auth2.c
index 96efe164c..90a247c1c 100644
--- a/auth2.c
+++ b/auth2.c
@@ -257,7 +257,7 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
257{ 257{
258 Authctxt *authctxt = ssh->authctxt; 258 Authctxt *authctxt = ssh->authctxt;
259 Authmethod *m = NULL; 259 Authmethod *m = NULL;
260 char *user, *service, *method, *style = NULL; 260 char *user, *service, *method, *style = NULL, *role = NULL;
261 int authenticated = 0; 261 int authenticated = 0;
262 double tstart = monotime_double(); 262 double tstart = monotime_double();
263 263
@@ -270,8 +270,13 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
270 debug("userauth-request for user %s service %s method %s", user, service, method); 270 debug("userauth-request for user %s service %s method %s", user, service, method);
271 debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); 271 debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
272 272
273 if ((role = strchr(user, '/')) != NULL)
274 *role++ = 0;
275
273 if ((style = strchr(user, ':')) != NULL) 276 if ((style = strchr(user, ':')) != NULL)
274 *style++ = 0; 277 *style++ = 0;
278 else if (role && (style = strchr(role, ':')) != NULL)
279 *style++ = '\0';
275 280
276 if (authctxt->attempt++ == 0) { 281 if (authctxt->attempt++ == 0) {
277 /* setup auth context */ 282 /* setup auth context */
@@ -298,8 +303,9 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
298 use_privsep ? " [net]" : ""); 303 use_privsep ? " [net]" : "");
299 authctxt->service = xstrdup(service); 304 authctxt->service = xstrdup(service);
300 authctxt->style = style ? xstrdup(style) : NULL; 305 authctxt->style = style ? xstrdup(style) : NULL;
306 authctxt->role = role ? xstrdup(role) : NULL;
301 if (use_privsep) 307 if (use_privsep)
302 mm_inform_authserv(service, style); 308 mm_inform_authserv(service, style, role);
303 userauth_banner(); 309 userauth_banner();
304 if (auth2_setup_methods_lists(authctxt) != 0) 310 if (auth2_setup_methods_lists(authctxt) != 0)
305 packet_disconnect("no authentication methods enabled"); 311 packet_disconnect("no authentication methods enabled");
diff --git a/monitor.c b/monitor.c
index 4e574a2ae..c1e7e9b80 100644
--- a/monitor.c
+++ b/monitor.c
@@ -115,6 +115,7 @@ int mm_answer_sign(int, struct sshbuf *);
115int mm_answer_pwnamallow(int, struct sshbuf *); 115int mm_answer_pwnamallow(int, struct sshbuf *);
116int mm_answer_auth2_read_banner(int, struct sshbuf *); 116int mm_answer_auth2_read_banner(int, struct sshbuf *);
117int mm_answer_authserv(int, struct sshbuf *); 117int mm_answer_authserv(int, struct sshbuf *);
118int mm_answer_authrole(int, struct sshbuf *);
118int mm_answer_authpassword(int, struct sshbuf *); 119int mm_answer_authpassword(int, struct sshbuf *);
119int mm_answer_bsdauthquery(int, struct sshbuf *); 120int mm_answer_bsdauthquery(int, struct sshbuf *);
120int mm_answer_bsdauthrespond(int, struct sshbuf *); 121int mm_answer_bsdauthrespond(int, struct sshbuf *);
@@ -191,6 +192,7 @@ struct mon_table mon_dispatch_proto20[] = {
191 {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, 192 {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
192 {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, 193 {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
193 {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, 194 {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
195 {MONITOR_REQ_AUTHROLE, MON_ONCE, mm_answer_authrole},
194 {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, 196 {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
195 {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, 197 {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
196#ifdef USE_PAM 198#ifdef USE_PAM
@@ -813,6 +815,7 @@ mm_answer_pwnamallow(int sock, struct sshbuf *m)
813 815
814 /* Allow service/style information on the auth context */ 816 /* Allow service/style information on the auth context */
815 monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); 817 monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
818 monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1);
816 monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); 819 monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
817 820
818#ifdef USE_PAM 821#ifdef USE_PAM
@@ -846,16 +849,42 @@ mm_answer_authserv(int sock, struct sshbuf *m)
846 monitor_permit_authentications(1); 849 monitor_permit_authentications(1);
847 850
848 if ((r = sshbuf_get_cstring(m, &authctxt->service, NULL)) != 0 || 851 if ((r = sshbuf_get_cstring(m, &authctxt->service, NULL)) != 0 ||
849 (r = sshbuf_get_cstring(m, &authctxt->style, NULL)) != 0) 852 (r = sshbuf_get_cstring(m, &authctxt->style, NULL)) != 0 ||
853 (r = sshbuf_get_cstring(m, &authctxt->role, NULL)) != 0)
850 fatal("%s: buffer error: %s", __func__, ssh_err(r)); 854 fatal("%s: buffer error: %s", __func__, ssh_err(r));
851 debug3("%s: service=%s, style=%s", 855 debug3("%s: service=%s, style=%s, role=%s",
852 __func__, authctxt->service, authctxt->style); 856 __func__, authctxt->service, authctxt->style, authctxt->role);
853 857
854 if (strlen(authctxt->style) == 0) { 858 if (strlen(authctxt->style) == 0) {
855 free(authctxt->style); 859 free(authctxt->style);
856 authctxt->style = NULL; 860 authctxt->style = NULL;
857 } 861 }
858 862
863 if (strlen(authctxt->role) == 0) {
864 free(authctxt->role);
865 authctxt->role = NULL;
866 }
867
868 return (0);
869}
870
871int
872mm_answer_authrole(int sock, struct sshbuf *m)
873{
874 int r;
875
876 monitor_permit_authentications(1);
877
878 if ((r = sshbuf_get_cstring(m, &authctxt->role, NULL)) != 0)
879 fatal("%s: buffer error: %s", __func__, ssh_err(r));
880 debug3("%s: role=%s",
881 __func__, authctxt->role);
882
883 if (strlen(authctxt->role) == 0) {
884 free(authctxt->role);
885 authctxt->role = NULL;
886 }
887
859 return (0); 888 return (0);
860} 889}
861 890
@@ -1497,7 +1526,7 @@ mm_answer_pty(int sock, struct sshbuf *m)
1497 res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty)); 1526 res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty));
1498 if (res == 0) 1527 if (res == 0)
1499 goto error; 1528 goto error;
1500 pty_setowner(authctxt->pw, s->tty); 1529 pty_setowner(authctxt->pw, s->tty, authctxt->role);
1501 1530
1502 if ((r = sshbuf_put_u32(m, 1)) != 0 || 1531 if ((r = sshbuf_put_u32(m, 1)) != 0 ||
1503 (r = sshbuf_put_cstring(m, s->tty)) != 0) 1532 (r = sshbuf_put_cstring(m, s->tty)) != 0)
diff --git a/monitor.h b/monitor.h
index 44fbed589..8f65e684d 100644
--- a/monitor.h
+++ b/monitor.h
@@ -66,6 +66,8 @@ enum monitor_reqtype {
66 MONITOR_REQ_GSSSIGN = 150, MONITOR_ANS_GSSSIGN = 151, 66 MONITOR_REQ_GSSSIGN = 150, MONITOR_ANS_GSSSIGN = 151,
67 MONITOR_REQ_GSSUPCREDS = 152, MONITOR_ANS_GSSUPCREDS = 153, 67 MONITOR_REQ_GSSUPCREDS = 152, MONITOR_ANS_GSSUPCREDS = 153,
68 68
69 MONITOR_REQ_AUTHROLE = 154,
70
69}; 71};
70 72
71struct monitor { 73struct monitor {
diff --git a/monitor_wrap.c b/monitor_wrap.c
index 1865a122a..fd4d7eb3b 100644
--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@@ -369,10 +369,10 @@ mm_auth2_read_banner(void)
369 return (banner); 369 return (banner);
370} 370}
371 371
372/* Inform the privileged process about service and style */ 372/* Inform the privileged process about service, style, and role */
373 373
374void 374void
375mm_inform_authserv(char *service, char *style) 375mm_inform_authserv(char *service, char *style, char *role)
376{ 376{
377 struct sshbuf *m; 377 struct sshbuf *m;
378 int r; 378 int r;
@@ -382,7 +382,8 @@ mm_inform_authserv(char *service, char *style)
382 if ((m = sshbuf_new()) == NULL) 382 if ((m = sshbuf_new()) == NULL)
383 fatal("%s: sshbuf_new failed", __func__); 383 fatal("%s: sshbuf_new failed", __func__);
384 if ((r = sshbuf_put_cstring(m, service)) != 0 || 384 if ((r = sshbuf_put_cstring(m, service)) != 0 ||
385 (r = sshbuf_put_cstring(m, style ? style : "")) != 0) 385 (r = sshbuf_put_cstring(m, style ? style : "")) != 0 ||
386 (r = sshbuf_put_cstring(m, role ? role : "")) != 0)
386 fatal("%s: buffer error: %s", __func__, ssh_err(r)); 387 fatal("%s: buffer error: %s", __func__, ssh_err(r));
387 388
388 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHSERV, m); 389 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHSERV, m);
@@ -390,6 +391,26 @@ mm_inform_authserv(char *service, char *style)
390 sshbuf_free(m); 391 sshbuf_free(m);
391} 392}
392 393
394/* Inform the privileged process about role */
395
396void
397mm_inform_authrole(char *role)
398{
399 struct sshbuf *m;
400 int r;
401
402 debug3("%s entering", __func__);
403
404 if ((m = sshbuf_new()) == NULL)
405 fatal("%s: sshbuf_new failed", __func__);
406 if ((r = sshbuf_put_cstring(m, role ? role : "")) != 0)
407 fatal("%s: buffer error: %s", __func__, ssh_err(r));
408
409 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, m);
410
411 sshbuf_free(m);
412}
413
393/* Do the password authentication */ 414/* Do the password authentication */
394int 415int
395mm_auth_password(struct ssh *ssh, char *password) 416mm_auth_password(struct ssh *ssh, char *password)
diff --git a/monitor_wrap.h b/monitor_wrap.h
index 7f93144ff..79e78cc90 100644
--- a/monitor_wrap.h
+++ b/monitor_wrap.h
@@ -43,7 +43,8 @@ int mm_is_monitor(void);
43DH *mm_choose_dh(int, int, int); 43DH *mm_choose_dh(int, int, int);
44int mm_sshkey_sign(struct sshkey *, u_char **, size_t *, const u_char *, size_t, 44int mm_sshkey_sign(struct sshkey *, u_char **, size_t *, const u_char *, size_t,
45 const char *, u_int compat); 45 const char *, u_int compat);
46void mm_inform_authserv(char *, char *); 46void mm_inform_authserv(char *, char *, char *);
47void mm_inform_authrole(char *);
47struct passwd *mm_getpwnamallow(const char *); 48struct passwd *mm_getpwnamallow(const char *);
48char *mm_auth2_read_banner(void); 49char *mm_auth2_read_banner(void);
49int mm_auth_password(struct ssh *, char *); 50int mm_auth_password(struct ssh *, char *);
diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
index 8c5325cc3..9fdda664f 100644
--- a/openbsd-compat/port-linux.c
+++ b/openbsd-compat/port-linux.c
@@ -55,7 +55,7 @@ ssh_selinux_enabled(void)
55 55
56/* Return the default security context for the given username */ 56/* Return the default security context for the given username */
57static security_context_t 57static security_context_t
58ssh_selinux_getctxbyname(char *pwname) 58ssh_selinux_getctxbyname(char *pwname, const char *role)
59{ 59{
60 security_context_t sc = NULL; 60 security_context_t sc = NULL;
61 char *sename = NULL, *lvl = NULL; 61 char *sename = NULL, *lvl = NULL;
@@ -70,9 +70,16 @@ ssh_selinux_getctxbyname(char *pwname)
70#endif 70#endif
71 71
72#ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL 72#ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
73 r = get_default_context_with_level(sename, lvl, NULL, &sc); 73 if (role != NULL && role[0])
74 r = get_default_context_with_rolelevel(sename, role, lvl, NULL,
75 &sc);
76 else
77 r = get_default_context_with_level(sename, lvl, NULL, &sc);
74#else 78#else
75 r = get_default_context(sename, NULL, &sc); 79 if (role != NULL && role[0])
80 r = get_default_context_with_role(sename, role, NULL, &sc);
81 else
82 r = get_default_context(sename, NULL, &sc);
76#endif 83#endif
77 84
78 if (r != 0) { 85 if (r != 0) {
@@ -102,7 +109,7 @@ ssh_selinux_getctxbyname(char *pwname)
102 109
103/* Set the execution context to the default for the specified user */ 110/* Set the execution context to the default for the specified user */
104void 111void
105ssh_selinux_setup_exec_context(char *pwname) 112ssh_selinux_setup_exec_context(char *pwname, const char *role)
106{ 113{
107 security_context_t user_ctx = NULL; 114 security_context_t user_ctx = NULL;
108 115
@@ -111,7 +118,7 @@ ssh_selinux_setup_exec_context(char *pwname)
111 118
112 debug3("%s: setting execution context", __func__); 119 debug3("%s: setting execution context", __func__);
113 120
114 user_ctx = ssh_selinux_getctxbyname(pwname); 121 user_ctx = ssh_selinux_getctxbyname(pwname, role);
115 if (setexeccon(user_ctx) != 0) { 122 if (setexeccon(user_ctx) != 0) {
116 switch (security_getenforce()) { 123 switch (security_getenforce()) {
117 case -1: 124 case -1:
@@ -133,7 +140,7 @@ ssh_selinux_setup_exec_context(char *pwname)
133 140
134/* Set the TTY context for the specified user */ 141/* Set the TTY context for the specified user */
135void 142void
136ssh_selinux_setup_pty(char *pwname, const char *tty) 143ssh_selinux_setup_pty(char *pwname, const char *tty, const char *role)
137{ 144{
138 security_context_t new_tty_ctx = NULL; 145 security_context_t new_tty_ctx = NULL;
139 security_context_t user_ctx = NULL; 146 security_context_t user_ctx = NULL;
@@ -145,7 +152,7 @@ ssh_selinux_setup_pty(char *pwname, const char *tty)
145 152
146 debug3("%s: setting TTY context on %s", __func__, tty); 153 debug3("%s: setting TTY context on %s", __func__, tty);
147 154
148 user_ctx = ssh_selinux_getctxbyname(pwname); 155 user_ctx = ssh_selinux_getctxbyname(pwname, role);
149 156
150 /* XXX: should these calls fatal() upon failure in enforcing mode? */ 157 /* XXX: should these calls fatal() upon failure in enforcing mode? */
151 158
diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
index 3c22a854d..c88129428 100644
--- a/openbsd-compat/port-linux.h
+++ b/openbsd-compat/port-linux.h
@@ -19,8 +19,8 @@
19 19
20#ifdef WITH_SELINUX 20#ifdef WITH_SELINUX
21int ssh_selinux_enabled(void); 21int ssh_selinux_enabled(void);
22void ssh_selinux_setup_pty(char *, const char *); 22void ssh_selinux_setup_pty(char *, const char *, const char *);
23void ssh_selinux_setup_exec_context(char *); 23void ssh_selinux_setup_exec_context(char *, const char *);
24void ssh_selinux_change_context(const char *); 24void ssh_selinux_change_context(const char *);
25void ssh_selinux_setfscreatecon(const char *); 25void ssh_selinux_setfscreatecon(const char *);
26#endif 26#endif
diff --git a/platform.c b/platform.c
index 41acc9370..35654ea51 100644
--- a/platform.c
+++ b/platform.c
@@ -142,7 +142,7 @@ platform_setusercontext(struct passwd *pw)
142 * called if sshd is running as root. 142 * called if sshd is running as root.
143 */ 143 */
144void 144void
145platform_setusercontext_post_groups(struct passwd *pw) 145platform_setusercontext_post_groups(struct passwd *pw, const char *role)
146{ 146{
147#if !defined(HAVE_LOGIN_CAP) && defined(USE_PAM) 147#if !defined(HAVE_LOGIN_CAP) && defined(USE_PAM)
148 /* 148 /*
@@ -183,7 +183,7 @@ platform_setusercontext_post_groups(struct passwd *pw)
183 } 183 }
184#endif /* HAVE_SETPCRED */ 184#endif /* HAVE_SETPCRED */
185#ifdef WITH_SELINUX 185#ifdef WITH_SELINUX
186 ssh_selinux_setup_exec_context(pw->pw_name); 186 ssh_selinux_setup_exec_context(pw->pw_name, role);
187#endif 187#endif
188} 188}
189 189
diff --git a/platform.h b/platform.h
index ea4f9c584..60d72ffe7 100644
--- a/platform.h
+++ b/platform.h
@@ -25,7 +25,7 @@ void platform_post_fork_parent(pid_t child_pid);
25void platform_post_fork_child(void); 25void platform_post_fork_child(void);
26int platform_privileged_uidswap(void); 26int platform_privileged_uidswap(void);
27void platform_setusercontext(struct passwd *); 27void platform_setusercontext(struct passwd *);
28void platform_setusercontext_post_groups(struct passwd *); 28void platform_setusercontext_post_groups(struct passwd *, const char *);
29char *platform_get_krb5_client(const char *); 29char *platform_get_krb5_client(const char *);
30char *platform_krb5_get_principal_name(const char *); 30char *platform_krb5_get_principal_name(const char *);
31int platform_sys_dir_uid(uid_t); 31int platform_sys_dir_uid(uid_t);
diff --git a/session.c b/session.c
index f2cf52006..d5d2e94b0 100644
--- a/session.c
+++ b/session.c
@@ -1378,7 +1378,7 @@ safely_chroot(const char *path, uid_t uid)
1378 1378
1379/* Set login name, uid, gid, and groups. */ 1379/* Set login name, uid, gid, and groups. */
1380void 1380void
1381do_setusercontext(struct passwd *pw) 1381do_setusercontext(struct passwd *pw, const char *role)
1382{ 1382{
1383 char uidstr[32], *chroot_path, *tmp; 1383 char uidstr[32], *chroot_path, *tmp;
1384 1384
@@ -1406,7 +1406,7 @@ do_setusercontext(struct passwd *pw)
1406 endgrent(); 1406 endgrent();
1407#endif 1407#endif
1408 1408
1409 platform_setusercontext_post_groups(pw); 1409 platform_setusercontext_post_groups(pw, role);
1410 1410
1411 if (!in_chroot && options.chroot_directory != NULL && 1411 if (!in_chroot && options.chroot_directory != NULL &&
1412 strcasecmp(options.chroot_directory, "none") != 0) { 1412 strcasecmp(options.chroot_directory, "none") != 0) {
@@ -1545,7 +1545,7 @@ do_child(struct ssh *ssh, Session *s, const char *command)
1545 1545
1546 /* Force a password change */ 1546 /* Force a password change */
1547 if (s->authctxt->force_pwchange) { 1547 if (s->authctxt->force_pwchange) {
1548 do_setusercontext(pw); 1548 do_setusercontext(pw, s->authctxt->role);
1549 child_close_fds(ssh); 1549 child_close_fds(ssh);
1550 do_pwchange(s); 1550 do_pwchange(s);
1551 exit(1); 1551 exit(1);
@@ -1563,7 +1563,7 @@ do_child(struct ssh *ssh, Session *s, const char *command)
1563 /* When PAM is enabled we rely on it to do the nologin check */ 1563 /* When PAM is enabled we rely on it to do the nologin check */
1564 if (!options.use_pam) 1564 if (!options.use_pam)
1565 do_nologin(pw); 1565 do_nologin(pw);
1566 do_setusercontext(pw); 1566 do_setusercontext(pw, s->authctxt->role);
1567 /* 1567 /*
1568 * PAM session modules in do_setusercontext may have 1568 * PAM session modules in do_setusercontext may have
1569 * generated messages, so if this in an interactive 1569 * generated messages, so if this in an interactive
@@ -1953,7 +1953,7 @@ session_pty_req(struct ssh *ssh, Session *s)
1953 ssh_tty_parse_modes(ssh, s->ttyfd); 1953 ssh_tty_parse_modes(ssh, s->ttyfd);
1954 1954
1955 if (!use_privsep) 1955 if (!use_privsep)
1956 pty_setowner(s->pw, s->tty); 1956 pty_setowner(s->pw, s->tty, s->authctxt->role);
1957 1957
1958 /* Set window size from the packet. */ 1958 /* Set window size from the packet. */
1959 pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel); 1959 pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel);
diff --git a/session.h b/session.h
index 54dd1f0ca..8535ebcef 100644
--- a/session.h
+++ b/session.h
@@ -76,7 +76,7 @@ void session_pty_cleanup2(Session *);
76Session *session_new(void); 76Session *session_new(void);
77Session *session_by_tty(char *); 77Session *session_by_tty(char *);
78void session_close(struct ssh *, Session *); 78void session_close(struct ssh *, Session *);
79void do_setusercontext(struct passwd *); 79void do_setusercontext(struct passwd *, const char *);
80 80
81const char *session_get_remote_name_or_ip(struct ssh *, u_int, int); 81const char *session_get_remote_name_or_ip(struct ssh *, u_int, int);
82 82
diff --git a/sshd.c b/sshd.c
index 71c360da0..92d15c82d 100644
--- a/sshd.c
+++ b/sshd.c
@@ -684,7 +684,7 @@ privsep_postauth(Authctxt *authctxt)
684 reseed_prngs(); 684 reseed_prngs();
685 685
686 /* Drop privileges */ 686 /* Drop privileges */
687 do_setusercontext(authctxt->pw); 687 do_setusercontext(authctxt->pw, authctxt->role);
688 688
689 skip: 689 skip:
690 /* It is safe now to apply the key state */ 690 /* It is safe now to apply the key state */
diff --git a/sshpty.c b/sshpty.c
index 4da84d05f..676ade50e 100644
--- a/sshpty.c
+++ b/sshpty.c
@@ -162,7 +162,7 @@ pty_change_window_size(int ptyfd, u_int row, u_int col,
162} 162}
163 163
164void 164void
165pty_setowner(struct passwd *pw, const char *tty) 165pty_setowner(struct passwd *pw, const char *tty, const char *role)
166{ 166{
167 struct group *grp; 167 struct group *grp;
168 gid_t gid; 168 gid_t gid;
@@ -184,7 +184,7 @@ pty_setowner(struct passwd *pw, const char *tty)
184 strerror(errno)); 184 strerror(errno));
185 185
186#ifdef WITH_SELINUX 186#ifdef WITH_SELINUX
187 ssh_selinux_setup_pty(pw->pw_name, tty); 187 ssh_selinux_setup_pty(pw->pw_name, tty, role);
188#endif 188#endif
189 189
190 if (st.st_uid != pw->pw_uid || st.st_gid != gid) { 190 if (st.st_uid != pw->pw_uid || st.st_gid != gid) {
diff --git a/sshpty.h b/sshpty.h
index 9ec7e9a15..de7e000ae 100644
--- a/sshpty.h
+++ b/sshpty.h
@@ -24,5 +24,5 @@ int pty_allocate(int *, int *, char *, size_t);
24void pty_release(const char *); 24void pty_release(const char *);
25void pty_make_controlling_tty(int *, const char *); 25void pty_make_controlling_tty(int *, const char *);
26void pty_change_window_size(int, u_int, u_int, u_int, u_int); 26void pty_change_window_size(int, u_int, u_int, u_int, u_int);
27void pty_setowner(struct passwd *, const char *); 27void pty_setowner(struct passwd *, const char *, const char *);
28void disconnect_controlling_tty(void); 28void disconnect_controlling_tty(void);