1 files changed, 504 insertions, 0 deletions
diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch
new file mode 100644
index 000000000..48f901c02
--- /dev/null
+++ b/debian/patches/selinux-role.patch
@@ -0,0 +1,504 @@
+From ae32d626ed3d15cfd7f432358b63c005961921df Mon Sep 17 00:00:00 2001
+From: Manoj Srivastava <srivasta@debian.org>
+Date: Sun, 9 Feb 2014 16:09:49 +0000
+Subject: Handle SELinux authorisation roles
+Rejected upstream due to discomfort with magic usernames; a better approach
+will need an SSH protocol change.  In the meantime, this came from Debian's
+SELinux maintainer, so we'll keep it until we have something better.
+Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641
+Bug-Debian: http://bugs.debian.org/394795
+Last-Update: 2013-09-14
+Patch-Name: selinux-role.patch
+---
+ auth.h                      |    1 +
+ auth1.c                     |    8 +++++++-
+ auth2.c                     |   10 ++++++++--
+ monitor.c                   |   32 +++++++++++++++++++++++++++++---
+ monitor.h                   |    2 ++
+ monitor_wrap.c              |   22 ++++++++++++++++++++--
+ monitor_wrap.h              |    3 ++-
+ openbsd-compat/port-linux.c |   27 ++++++++++++++++++++-------
+ openbsd-compat/port-linux.h |    4 ++--
+ platform.c                  |    4 ++--
+ platform.h                  |    2 +-
+ session.c                   |   10 +++++-----
+ session.h                   |    2 +-
+ sshd.c                      |    2 +-
+ sshpty.c                    |    4 ++--
+ sshpty.h                    |    2 +-
+ 16 files changed, 104 insertions(+), 31 deletions(-)
+diff --git a/auth.h b/auth.h
+index 124e597..79e4ea5 100644
+--- a/auth.h
+++ b/auth.h
+@@ -59,6 +59,7 @@ struct Authctxt {
+        char            *service;
+        struct passwd   *pw;            /* set if 'valid' */
+        char            *style;
+       char            *role;
+        void            *kbdintctxt;
+        char            *info;          /* Extra info for next auth_log */
+ #ifdef BSD_AUTH
+diff --git a/auth1.c b/auth1.c
+index 0f870b3..c707390 100644
+--- a/auth1.c
+++ b/auth1.c
+@@ -380,7 +380,7 @@ void
+ do_authentication(Authctxt *authctxt)
+ {
+        u_int ulen;
+-       char *user, *style = NULL;
+       char *user, *style = NULL, *role = NULL;
+ 
+        /* Get the name of the user that we wish to log in as. */
+        packet_read_expect(SSH_CMSG_USER);
+@@ -389,11 +389,17 @@ do_authentication(Authctxt *authctxt)
+        user = packet_get_cstring(&ulen);
+        packet_check_eom();
+ 
+       if ((role = strchr(user, '/')) != NULL)
+               *role++ = '\0';
+
+        if ((style = strchr(user, ':')) != NULL)
+                *style++ = '\0';
+       else if (role && (style = strchr(role, ':')) != NULL)
+               *style++ = '\0';
+ 
+        authctxt->user = user;
+        authctxt->style = style;
+       authctxt->role = role;
+ 
+        /* Verify that the user is a valid user. */
+        if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
+diff --git a/auth2.c b/auth2.c
+index fbe3e1b..70f2925 100644
+--- a/auth2.c
+++ b/auth2.c
+@@ -216,7 +216,7 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
+ {
+        Authctxt *authctxt = ctxt;
+        Authmethod *m = NULL;
+-       char *user, *service, *method, *style = NULL;
+       char *user, *service, *method, *style = NULL, *role = NULL;
+        int authenticated = 0;
+ 
+        if (authctxt == NULL)
+@@ -228,8 +228,13 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
+        debug("userauth-request for user %s service %s method %s", user, service, method);
+        debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
+ 
+       if ((role = strchr(user, '/')) != NULL)
+               *role++ = 0;
+
+        if ((style = strchr(user, ':')) != NULL)
+                *style++ = 0;
+       else if (role && (style = strchr(role, ':')) != NULL)
+               *style++ = '\0';
+ 
+        if (authctxt->attempt++ == 0) {
+                /* setup auth context */
+@@ -253,8 +258,9 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
+                    use_privsep ? " [net]" : "");
+                authctxt->service = xstrdup(service);
+                authctxt->style = style ? xstrdup(style) : NULL;
+               authctxt->role = role ? xstrdup(role) : NULL;
+                if (use_privsep)
+-                       mm_inform_authserv(service, style);
+                       mm_inform_authserv(service, style, role);
+                userauth_banner();
+                if (auth2_setup_methods_lists(authctxt) != 0)
+                        packet_disconnect("no authentication methods enabled");
+diff --git a/monitor.c b/monitor.c
+index 2918814..11eac63 100644
+--- a/monitor.c
+++ b/monitor.c
+@@ -145,6 +145,7 @@ int mm_answer_sign(int, Buffer *);
+ int mm_answer_pwnamallow(int, Buffer *);
+ int mm_answer_auth2_read_banner(int, Buffer *);
+ int mm_answer_authserv(int, Buffer *);
+int mm_answer_authrole(int, Buffer *);
+ int mm_answer_authpassword(int, Buffer *);
+ int mm_answer_bsdauthquery(int, Buffer *);
+ int mm_answer_bsdauthrespond(int, Buffer *);
+@@ -221,6 +222,7 @@ struct mon_table mon_dispatch_proto20[] = {
+     {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
+     {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
+     {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
+    {MONITOR_REQ_AUTHROLE, MON_ONCE, mm_answer_authrole},
+     {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
+     {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
+ #ifdef USE_PAM
+@@ -822,6 +824,7 @@ mm_answer_pwnamallow(int sock, Buffer *m)
+        else {
+                /* Allow service/style information on the auth context */
+                monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
+               monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1);
+                monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
+        }
+ #ifdef USE_PAM
+@@ -852,14 +855,37 @@ mm_answer_authserv(int sock, Buffer *m)
+ 
+        authctxt->service = buffer_get_string(m, NULL);
+        authctxt->style = buffer_get_string(m, NULL);
+-       debug3("%s: service=%s, style=%s",
+-           __func__, authctxt->service, authctxt->style);
+       authctxt->role = buffer_get_string(m, NULL);
+       debug3("%s: service=%s, style=%s, role=%s",
+           __func__, authctxt->service, authctxt->style, authctxt->role);
+ 
+        if (strlen(authctxt->style) == 0) {
+                free(authctxt->style);
+                authctxt->style = NULL;
+        }
+ 
+       if (strlen(authctxt->role) == 0) {
+               free(authctxt->role);
+               authctxt->role = NULL;
+       }
+
+       return (0);
+}
+
+int
+mm_answer_authrole(int sock, Buffer *m)
+{
+       monitor_permit_authentications(1);
+
+       authctxt->role = buffer_get_string(m, NULL);
+       debug3("%s: role=%s",
+           __func__, authctxt->role);
+
+       if (strlen(authctxt->role) == 0) {
+               free(authctxt->role);
+               authctxt->role = NULL;
+       }
+
+        return (0);
+ }
+ 
+@@ -1464,7 +1490,7 @@ mm_answer_pty(int sock, Buffer *m)
+        res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty));
+        if (res == 0)
+                goto error;
+-       pty_setowner(authctxt->pw, s->tty);
+       pty_setowner(authctxt->pw, s->tty, authctxt->role);
+ 
+        buffer_put_int(m, 1);
+        buffer_put_cstring(m, s->tty);
+diff --git a/monitor.h b/monitor.h
+index 7f32b0c..4d5e8fa 100644
+--- a/monitor.h
+++ b/monitor.h
+@@ -68,6 +68,8 @@ enum monitor_reqtype {
+        MONITOR_REQ_GSSSIGN = 150, MONITOR_ANS_GSSSIGN = 151,
+        MONITOR_REQ_GSSUPCREDS = 152, MONITOR_ANS_GSSUPCREDS = 153,
+ 
+       MONITOR_REQ_AUTHROLE = 154,
+
+ };
+ 
+ struct mm_master;
+diff --git a/monitor_wrap.c b/monitor_wrap.c
+index 60b987d..f75dc9d 100644
+--- a/monitor_wrap.c
+++ b/monitor_wrap.c
+@@ -318,10 +318,10 @@ mm_auth2_read_banner(void)
+        return (banner);
+ }
+ 
+-/* Inform the privileged process about service and style */
+/* Inform the privileged process about service, style, and role */
+ 
+ void
+-mm_inform_authserv(char *service, char *style)
+mm_inform_authserv(char *service, char *style, char *role)
+ {
+        Buffer m;
+ 
+@@ -330,12 +330,30 @@ mm_inform_authserv(char *service, char *style)
+        buffer_init(&m);
+        buffer_put_cstring(&m, service);
+        buffer_put_cstring(&m, style ? style : "");
+       buffer_put_cstring(&m, role ? role : "");
+ 
+        mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHSERV, &m);
+ 
+        buffer_free(&m);
+ }
+ 
+/* Inform the privileged process about role */
+
+void
+mm_inform_authrole(char *role)
+{
+       Buffer m;
+
+       debug3("%s entering", __func__);
+
+       buffer_init(&m);
+       buffer_put_cstring(&m, role ? role : "");
+
+       mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, &m);
+
+       buffer_free(&m);
+}
+
+ /* Do the password authentication */
+ int
+ mm_auth_password(Authctxt *authctxt, char *password)
+diff --git a/monitor_wrap.h b/monitor_wrap.h
+index a4e9d24..9c2ee49 100644
+--- a/monitor_wrap.h
+++ b/monitor_wrap.h
+@@ -41,7 +41,8 @@ void mm_log_handler(LogLevel, const char *, void *);
+ int mm_is_monitor(void);
+ DH *mm_choose_dh(int, int, int);
+ int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int);
+-void mm_inform_authserv(char *, char *);
+void mm_inform_authserv(char *, char *, char *);
+void mm_inform_authrole(char *);
+ struct passwd *mm_getpwnamallow(const char *);
+ char *mm_auth2_read_banner(void);
+ int mm_auth_password(struct Authctxt *, char *);
+diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
+index 4637a7a..de6ad3f 100644
+--- a/openbsd-compat/port-linux.c
+++ b/openbsd-compat/port-linux.c
+@@ -29,6 +29,12 @@
+ #include <string.h>
+ #include <stdio.h>
+ 
+#ifdef WITH_SELINUX
+#include "key.h"
+#include "hostfile.h"
+#include "auth.h"
+#endif
+
+ #include "log.h"
+ #include "xmalloc.h"
+ #include "port-linux.h"
+@@ -58,7 +64,7 @@ ssh_selinux_enabled(void)
+ 
+ /* Return the default security context for the given username */
+ static security_context_t
+-ssh_selinux_getctxbyname(char *pwname)
+ssh_selinux_getctxbyname(char *pwname, const char *role)
+ {
+        security_context_t sc = NULL;
+        char *sename = NULL, *lvl = NULL;
+@@ -73,9 +79,16 @@ ssh_selinux_getctxbyname(char *pwname)
+ #endif
+ 
+ #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
+-       r = get_default_context_with_level(sename, lvl, NULL, &sc);
+       if (role != NULL && role[0])
+               r = get_default_context_with_rolelevel(sename, role, lvl, NULL,
+                                                      &sc);
+       else
+               r = get_default_context_with_level(sename, lvl, NULL, &sc);
+ #else
+-       r = get_default_context(sename, NULL, &sc);
+       if (role != NULL && role[0])
+               r = get_default_context_with_role(sename, role, NULL, &sc);
+       else
+               r = get_default_context(sename, NULL, &sc);
+ #endif
+ 
+        if (r != 0) {
+@@ -105,7 +118,7 @@ ssh_selinux_getctxbyname(char *pwname)
+ 
+ /* Set the execution context to the default for the specified user */
+ void
+-ssh_selinux_setup_exec_context(char *pwname)
+ssh_selinux_setup_exec_context(char *pwname, const char *role)
+ {
+        security_context_t user_ctx = NULL;
+ 
+@@ -114,7 +127,7 @@ ssh_selinux_setup_exec_context(char *pwname)
+ 
+        debug3("%s: setting execution context", __func__);
+ 
+-       user_ctx = ssh_selinux_getctxbyname(pwname);
+       user_ctx = ssh_selinux_getctxbyname(pwname, role);
+        if (setexeccon(user_ctx) != 0) {
+                switch (security_getenforce()) {
+                case -1:
+@@ -136,7 +149,7 @@ ssh_selinux_setup_exec_context(char *pwname)
+ 
+ /* Set the TTY context for the specified user */
+ void
+-ssh_selinux_setup_pty(char *pwname, const char *tty)
+ssh_selinux_setup_pty(char *pwname, const char *tty, const char *role)
+ {
+        security_context_t new_tty_ctx = NULL;
+        security_context_t user_ctx = NULL;
+@@ -147,7 +160,7 @@ ssh_selinux_setup_pty(char *pwname, const char *tty)
+ 
+        debug3("%s: setting TTY context on %s", __func__, tty);
+ 
+-       user_ctx = ssh_selinux_getctxbyname(pwname);
+       user_ctx = ssh_selinux_getctxbyname(pwname, role);
+ 
+        /* XXX: should these calls fatal() upon failure in enforcing mode? */
+ 
+diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
+index e3d1004..80ce13a 100644
+--- a/openbsd-compat/port-linux.h
+++ b/openbsd-compat/port-linux.h
+@@ -21,8 +21,8 @@
+ 
+ #ifdef WITH_SELINUX
+ int ssh_selinux_enabled(void);
+-void ssh_selinux_setup_pty(char *, const char *);
+-void ssh_selinux_setup_exec_context(char *);
+void ssh_selinux_setup_pty(char *, const char *, const char *);
+void ssh_selinux_setup_exec_context(char *, const char *);
+ void ssh_selinux_change_context(const char *);
+ void ssh_selinux_setfscreatecon(const char *);
+ #endif
+diff --git a/platform.c b/platform.c
+index 30fc609..4aab9a9 100644
+--- a/platform.c
+++ b/platform.c
+@@ -142,7 +142,7 @@ platform_setusercontext(struct passwd *pw)
+  * called if sshd is running as root.
+  */
+ void
+-platform_setusercontext_post_groups(struct passwd *pw)
+platform_setusercontext_post_groups(struct passwd *pw, const char *role)
+ {
+ #if !defined(HAVE_LOGIN_CAP) && defined(USE_PAM)
+        /*
+@@ -183,7 +183,7 @@ platform_setusercontext_post_groups(struct passwd *pw)
+        }
+ #endif /* HAVE_SETPCRED */
+ #ifdef WITH_SELINUX
+-       ssh_selinux_setup_exec_context(pw->pw_name);
+       ssh_selinux_setup_exec_context(pw->pw_name, role);
+ #endif
+ }
+ 
+diff --git a/platform.h b/platform.h
+index 1c7a45d..436ae7c 100644
+--- a/platform.h
+++ b/platform.h
+@@ -27,7 +27,7 @@ void platform_post_fork_parent(pid_t child_pid);
+ void platform_post_fork_child(void);
+ int  platform_privileged_uidswap(void);
+ void platform_setusercontext(struct passwd *);
+-void platform_setusercontext_post_groups(struct passwd *);
+void platform_setusercontext_post_groups(struct passwd *, const char *);
+ char *platform_get_krb5_client(const char *);
+ char *platform_krb5_get_principal_name(const char *);
+ int platform_sys_dir_uid(uid_t);
+diff --git a/session.c b/session.c
+index 2bcf818..6848df4 100644
+--- a/session.c
+++ b/session.c
+@@ -1502,7 +1502,7 @@ safely_chroot(const char *path, uid_t uid)
+ 
+ /* Set login name, uid, gid, and groups. */
+ void
+-do_setusercontext(struct passwd *pw)
+do_setusercontext(struct passwd *pw, const char *role)
+ {
+        char *chroot_path, *tmp;
+ 
+@@ -1530,7 +1530,7 @@ do_setusercontext(struct passwd *pw)
+                endgrent();
+ #endif
+ 
+-               platform_setusercontext_post_groups(pw);
+               platform_setusercontext_post_groups(pw, role);
+ 
+                if (options.chroot_directory != NULL &&
+                    strcasecmp(options.chroot_directory, "none") != 0) {
+@@ -1679,7 +1679,7 @@ do_child(Session *s, const char *command)
+ 
+        /* Force a password change */
+        if (s->authctxt->force_pwchange) {
+-               do_setusercontext(pw);
+               do_setusercontext(pw, s->authctxt->role);
+                child_close_fds();
+                do_pwchange(s);
+                exit(1);
+@@ -1706,7 +1706,7 @@ do_child(Session *s, const char *command)
+                /* When PAM is enabled we rely on it to do the nologin check */
+                if (!options.use_pam)
+                        do_nologin(pw);
+-               do_setusercontext(pw);
+               do_setusercontext(pw, s->authctxt->role);
+                /*
+                 * PAM session modules in do_setusercontext may have
+                 * generated messages, so if this in an interactive
+@@ -2117,7 +2117,7 @@ session_pty_req(Session *s)
+        tty_parse_modes(s->ttyfd, &n_bytes);
+ 
+        if (!use_privsep)
+-               pty_setowner(s->pw, s->tty);
+               pty_setowner(s->pw, s->tty, s->authctxt->role);
+ 
+        /* Set window size from the packet. */
+        pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel);
+diff --git a/session.h b/session.h
+index 6a2f35e..ef6593c 100644
+--- a/session.h
+++ b/session.h
+@@ -77,7 +77,7 @@ void   session_pty_cleanup2(Session *);
+ Session        *session_new(void);
+ Session        *session_by_tty(char *);
+ void    session_close(Session *);
+-void    do_setusercontext(struct passwd *);
+void    do_setusercontext(struct passwd *, const char *);
+ void    child_set_env(char ***envp, u_int *envsizep, const char *name,
+                       const char *value);
+ 
+diff --git a/sshd.c b/sshd.c
+index d787fea..e343d90 100644
+--- a/sshd.c
+++ b/sshd.c
+@@ -769,7 +769,7 @@ privsep_postauth(Authctxt *authctxt)
+        explicit_bzero(rnd, sizeof(rnd));
+ 
+        /* Drop privileges */
+-       do_setusercontext(authctxt->pw);
+       do_setusercontext(authctxt->pw, authctxt->role);
+ 
+  skip:
+        /* It is safe now to apply the key state */
+diff --git a/sshpty.c b/sshpty.c
+index bbbc0fe..8cc26a2 100644
+--- a/sshpty.c
+++ b/sshpty.c
+@@ -200,7 +200,7 @@ pty_change_window_size(int ptyfd, u_int row, u_int col,
+ }
+ 
+ void
+-pty_setowner(struct passwd *pw, const char *tty)
+pty_setowner(struct passwd *pw, const char *tty, const char *role)
+ {
+        struct group *grp;
+        gid_t gid;
+@@ -227,7 +227,7 @@ pty_setowner(struct passwd *pw, const char *tty)
+                    strerror(errno));
+ 
+ #ifdef WITH_SELINUX
+-       ssh_selinux_setup_pty(pw->pw_name, tty);
+       ssh_selinux_setup_pty(pw->pw_name, tty, role);
+ #endif
+ 
+        if (st.st_uid != pw->pw_uid || st.st_gid != gid) {
+diff --git a/sshpty.h b/sshpty.h
+index cfa3224..edf2436 100644
+--- a/sshpty.h
+++ b/sshpty.h
+@@ -24,4 +24,4 @@ int    pty_allocate(int *, int *, char *, size_t);
+ void    pty_release(const char *);
+ void    pty_make_controlling_tty(int *, const char *);
+ void    pty_change_window_size(int, u_int, u_int, u_int, u_int);
+-void    pty_setowner(struct passwd *, const char *);
+void    pty_setowner(struct passwd *, const char *, const char *);

diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch new file mode 100644 index 000000000..48f901c02 --- /dev/null +++ b/debian/patches/selinux-role.patch
@@ -0,0 +1,504 @@
	1	From ae32d626ed3d15cfd7f432358b63c005961921df Mon Sep 17 00:00:00 2001
	2	From: Manoj Srivastava <srivasta@debian.org>
	3	Date: Sun, 9 Feb 2014 16:09:49 +0000
	4	Subject: Handle SELinux authorisation roles
	5
	6	Rejected upstream due to discomfort with magic usernames; a better approach
	7	will need an SSH protocol change. In the meantime, this came from Debian's
	8	SELinux maintainer, so we'll keep it until we have something better.
	9
	10	Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641
	11	Bug-Debian: http://bugs.debian.org/394795
	12	Last-Update: 2013-09-14
	13
	14	Patch-Name: selinux-role.patch
	15	---
	16	auth.h \| 1 +
	17	auth1.c \| 8 +++++++-
	18	auth2.c \| 10 ++++++++--
	19	monitor.c \| 32 +++++++++++++++++++++++++++++---
	20	monitor.h \| 2 ++
	21	monitor_wrap.c \| 22 ++++++++++++++++++++--
	22	monitor_wrap.h \| 3 ++-
	23	openbsd-compat/port-linux.c \| 27 ++++++++++++++++++++-------
	24	openbsd-compat/port-linux.h \| 4 ++--
	25	platform.c \| 4 ++--
	26	platform.h \| 2 +-
	27	session.c \| 10 +++++-----
	28	session.h \| 2 +-
	29	sshd.c \| 2 +-
	30	sshpty.c \| 4 ++--
	31	sshpty.h \| 2 +-
	32	16 files changed, 104 insertions(+), 31 deletions(-)
	33
	34	diff --git a/auth.h b/auth.h
	35	index 124e597..79e4ea5 100644
	36	--- a/auth.h
	37	+++ b/auth.h
	38	@@ -59,6 +59,7 @@ struct Authctxt {
	39	char *service;
	40	struct passwd pw; / set if 'valid' */
	41	char *style;
	42	+ char *role;
	43	void *kbdintctxt;
	44	char info; / Extra info for next auth_log */
	45	#ifdef BSD_AUTH
	46	diff --git a/auth1.c b/auth1.c
	47	index 0f870b3..c707390 100644
	48	--- a/auth1.c
	49	+++ b/auth1.c
	50	@@ -380,7 +380,7 @@ void
	51	do_authentication(Authctxt *authctxt)
	52	{
	53	u_int ulen;
	54	- char user, style = NULL;
	55	+ char user, style = NULL, *role = NULL;
	56
	57	/* Get the name of the user that we wish to log in as. */
	58	packet_read_expect(SSH_CMSG_USER);
	59	@@ -389,11 +389,17 @@ do_authentication(Authctxt *authctxt)
	60	user = packet_get_cstring(&ulen);
	61	packet_check_eom();
	62
	63	+ if ((role = strchr(user, '/')) != NULL)
	64	+ *role++ = '\0';
	65	+
	66	if ((style = strchr(user, ':')) != NULL)
	67	*style++ = '\0';
	68	+ else if (role && (style = strchr(role, ':')) != NULL)
	69	+ *style++ = '\0';
	70
	71	authctxt->user = user;
	72	authctxt->style = style;
	73	+ authctxt->role = role;
	74
	75	/* Verify that the user is a valid user. */
	76	if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
	77	diff --git a/auth2.c b/auth2.c
	78	index fbe3e1b..70f2925 100644
	79	--- a/auth2.c
	80	+++ b/auth2.c
	81	@@ -216,7 +216,7 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
	82	{
	83	Authctxt *authctxt = ctxt;
	84	Authmethod *m = NULL;
	85	- char user, service, method, style = NULL;
	86	+ char user, service, method, style = NULL, *role = NULL;
	87	int authenticated = 0;
	88
	89	if (authctxt == NULL)
	90	@@ -228,8 +228,13 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
	91	debug("userauth-request for user %s service %s method %s", user, service, method);
	92	debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
	93
	94	+ if ((role = strchr(user, '/')) != NULL)
	95	+ *role++ = 0;
	96	+
	97	if ((style = strchr(user, ':')) != NULL)
	98	*style++ = 0;
	99	+ else if (role && (style = strchr(role, ':')) != NULL)
	100	+ *style++ = '\0';
	101
	102	if (authctxt->attempt++ == 0) {
	103	/* setup auth context */
	104	@@ -253,8 +258,9 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
	105	use_privsep ? " [net]" : "");
	106	authctxt->service = xstrdup(service);
	107	authctxt->style = style ? xstrdup(style) : NULL;
	108	+ authctxt->role = role ? xstrdup(role) : NULL;
	109	if (use_privsep)
	110	- mm_inform_authserv(service, style);
	111	+ mm_inform_authserv(service, style, role);
	112	userauth_banner();
	113	if (auth2_setup_methods_lists(authctxt) != 0)
	114	packet_disconnect("no authentication methods enabled");
	115	diff --git a/monitor.c b/monitor.c
	116	index 2918814..11eac63 100644
	117	--- a/monitor.c
	118	+++ b/monitor.c
	119	@@ -145,6 +145,7 @@ int mm_answer_sign(int, Buffer *);
	120	int mm_answer_pwnamallow(int, Buffer *);
	121	int mm_answer_auth2_read_banner(int, Buffer *);
	122	int mm_answer_authserv(int, Buffer *);
	123	+int mm_answer_authrole(int, Buffer *);
	124	int mm_answer_authpassword(int, Buffer *);
	125	int mm_answer_bsdauthquery(int, Buffer *);
	126	int mm_answer_bsdauthrespond(int, Buffer *);
	127	@@ -221,6 +222,7 @@ struct mon_table mon_dispatch_proto20[] = {
	128	{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
	129	{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
	130	{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
	131	+ {MONITOR_REQ_AUTHROLE, MON_ONCE, mm_answer_authrole},
	132	{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
	133	{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
	134	#ifdef USE_PAM
	135	@@ -822,6 +824,7 @@ mm_answer_pwnamallow(int sock, Buffer *m)
	136	else {
	137	/* Allow service/style information on the auth context */
	138	monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
	139	+ monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1);
	140	monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
	141	}
	142	#ifdef USE_PAM
	143	@@ -852,14 +855,37 @@ mm_answer_authserv(int sock, Buffer *m)
	144
	145	authctxt->service = buffer_get_string(m, NULL);
	146	authctxt->style = buffer_get_string(m, NULL);
	147	- debug3("%s: service=%s, style=%s",
	148	- __func__, authctxt->service, authctxt->style);
	149	+ authctxt->role = buffer_get_string(m, NULL);
	150	+ debug3("%s: service=%s, style=%s, role=%s",
	151	+ __func__, authctxt->service, authctxt->style, authctxt->role);
	152
	153	if (strlen(authctxt->style) == 0) {
	154	free(authctxt->style);
	155	authctxt->style = NULL;
	156	}
	157
	158	+ if (strlen(authctxt->role) == 0) {
	159	+ free(authctxt->role);
	160	+ authctxt->role = NULL;
	161	+ }
	162	+
	163	+ return (0);
	164	+}
	165	+
	166	+int
	167	+mm_answer_authrole(int sock, Buffer *m)
	168	+{
	169	+ monitor_permit_authentications(1);
	170	+
	171	+ authctxt->role = buffer_get_string(m, NULL);
	172	+ debug3("%s: role=%s",
	173	+ __func__, authctxt->role);
	174	+
	175	+ if (strlen(authctxt->role) == 0) {
	176	+ free(authctxt->role);
	177	+ authctxt->role = NULL;
	178	+ }
	179	+
	180	return (0);
	181	}
	182
	183	@@ -1464,7 +1490,7 @@ mm_answer_pty(int sock, Buffer *m)
	184	res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty));
	185	if (res == 0)
	186	goto error;
	187	- pty_setowner(authctxt->pw, s->tty);
	188	+ pty_setowner(authctxt->pw, s->tty, authctxt->role);
	189
	190	buffer_put_int(m, 1);
	191	buffer_put_cstring(m, s->tty);
	192	diff --git a/monitor.h b/monitor.h
	193	index 7f32b0c..4d5e8fa 100644
	194	--- a/monitor.h
	195	+++ b/monitor.h
	196	@@ -68,6 +68,8 @@ enum monitor_reqtype {
	197	MONITOR_REQ_GSSSIGN = 150, MONITOR_ANS_GSSSIGN = 151,
	198	MONITOR_REQ_GSSUPCREDS = 152, MONITOR_ANS_GSSUPCREDS = 153,
	199
	200	+ MONITOR_REQ_AUTHROLE = 154,
	201	+
	202	};
	203
	204	struct mm_master;
	205	diff --git a/monitor_wrap.c b/monitor_wrap.c
	206	index 60b987d..f75dc9d 100644
	207	--- a/monitor_wrap.c
	208	+++ b/monitor_wrap.c
	209	@@ -318,10 +318,10 @@ mm_auth2_read_banner(void)
	210	return (banner);
	211	}
	212
	213	-/* Inform the privileged process about service and style */
	214	+/* Inform the privileged process about service, style, and role */
	215
	216	void
	217	-mm_inform_authserv(char service, char style)
	218	+mm_inform_authserv(char service, char style, char *role)
	219	{
	220	Buffer m;
	221
	222	@@ -330,12 +330,30 @@ mm_inform_authserv(char service, char style)
	223	buffer_init(&m);
	224	buffer_put_cstring(&m, service);
	225	buffer_put_cstring(&m, style ? style : "");
	226	+ buffer_put_cstring(&m, role ? role : "");
	227
	228	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHSERV, &m);
	229
	230	buffer_free(&m);
	231	}
	232
	233	+/* Inform the privileged process about role */
	234	+
	235	+void
	236	+mm_inform_authrole(char *role)
	237	+{
	238	+ Buffer m;
	239	+
	240	+ debug3("%s entering", __func__);
	241	+
	242	+ buffer_init(&m);
	243	+ buffer_put_cstring(&m, role ? role : "");
	244	+
	245	+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, &m);
	246	+
	247	+ buffer_free(&m);
	248	+}
	249	+
	250	/* Do the password authentication */
	251	int
	252	mm_auth_password(Authctxt authctxt, char password)
	253	diff --git a/monitor_wrap.h b/monitor_wrap.h
	254	index a4e9d24..9c2ee49 100644
	255	--- a/monitor_wrap.h
	256	+++ b/monitor_wrap.h
	257	@@ -41,7 +41,8 @@ void mm_log_handler(LogLevel, const char , void );
	258	int mm_is_monitor(void);
	259	DH *mm_choose_dh(int, int, int);
	260	int mm_key_sign(Key , u_char , u_int , u_char *, u_int);
	261	-void mm_inform_authserv(char , char );
	262	+void mm_inform_authserv(char , char , char *);
	263	+void mm_inform_authrole(char *);
	264	struct passwd mm_getpwnamallow(const char );
	265	char *mm_auth2_read_banner(void);
	266	int mm_auth_password(struct Authctxt , char );
	267	diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
	268	index 4637a7a..de6ad3f 100644
	269	--- a/openbsd-compat/port-linux.c
	270	+++ b/openbsd-compat/port-linux.c
	271	@@ -29,6 +29,12 @@
	272	#include <string.h>
	273	#include <stdio.h>
	274
	275	+#ifdef WITH_SELINUX
	276	+#include "key.h"
	277	+#include "hostfile.h"
	278	+#include "auth.h"
	279	+#endif
	280	+
	281	#include "log.h"
	282	#include "xmalloc.h"
	283	#include "port-linux.h"
	284	@@ -58,7 +64,7 @@ ssh_selinux_enabled(void)
	285
	286	/* Return the default security context for the given username */
	287	static security_context_t
	288	-ssh_selinux_getctxbyname(char *pwname)
	289	+ssh_selinux_getctxbyname(char pwname, const char role)
	290	{
	291	security_context_t sc = NULL;
	292	char sename = NULL, lvl = NULL;
	293	@@ -73,9 +79,16 @@ ssh_selinux_getctxbyname(char *pwname)
	294	#endif
	295
	296	#ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
	297	- r = get_default_context_with_level(sename, lvl, NULL, &sc);
	298	+ if (role != NULL && role[0])
	299	+ r = get_default_context_with_rolelevel(sename, role, lvl, NULL,
	300	+ &sc);
	301	+ else
	302	+ r = get_default_context_with_level(sename, lvl, NULL, &sc);
	303	#else
	304	- r = get_default_context(sename, NULL, &sc);
	305	+ if (role != NULL && role[0])
	306	+ r = get_default_context_with_role(sename, role, NULL, &sc);
	307	+ else
	308	+ r = get_default_context(sename, NULL, &sc);
	309	#endif
	310
	311	if (r != 0) {
	312	@@ -105,7 +118,7 @@ ssh_selinux_getctxbyname(char *pwname)
	313
	314	/* Set the execution context to the default for the specified user */
	315	void
	316	-ssh_selinux_setup_exec_context(char *pwname)
	317	+ssh_selinux_setup_exec_context(char pwname, const char role)
	318	{
	319	security_context_t user_ctx = NULL;
	320
	321	@@ -114,7 +127,7 @@ ssh_selinux_setup_exec_context(char *pwname)
	322
	323	debug3("%s: setting execution context", __func__);
	324
	325	- user_ctx = ssh_selinux_getctxbyname(pwname);
	326	+ user_ctx = ssh_selinux_getctxbyname(pwname, role);
	327	if (setexeccon(user_ctx) != 0) {
	328	switch (security_getenforce()) {
	329	case -1:
	330	@@ -136,7 +149,7 @@ ssh_selinux_setup_exec_context(char *pwname)
	331
	332	/* Set the TTY context for the specified user */
	333	void
	334	-ssh_selinux_setup_pty(char pwname, const char tty)
	335	+ssh_selinux_setup_pty(char pwname, const char tty, const char *role)
	336	{
	337	security_context_t new_tty_ctx = NULL;
	338	security_context_t user_ctx = NULL;
	339	@@ -147,7 +160,7 @@ ssh_selinux_setup_pty(char pwname, const char tty)
	340
	341	debug3("%s: setting TTY context on %s", __func__, tty);
	342
	343	- user_ctx = ssh_selinux_getctxbyname(pwname);
	344	+ user_ctx = ssh_selinux_getctxbyname(pwname, role);
	345
	346	/* XXX: should these calls fatal() upon failure in enforcing mode? */
	347
	348	diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
	349	index e3d1004..80ce13a 100644
	350	--- a/openbsd-compat/port-linux.h
	351	+++ b/openbsd-compat/port-linux.h
	352	@@ -21,8 +21,8 @@
	353
	354	#ifdef WITH_SELINUX
	355	int ssh_selinux_enabled(void);
	356	-void ssh_selinux_setup_pty(char , const char );
	357	-void ssh_selinux_setup_exec_context(char *);
	358	+void ssh_selinux_setup_pty(char , const char , const char *);
	359	+void ssh_selinux_setup_exec_context(char , const char );
	360	void ssh_selinux_change_context(const char *);
	361	void ssh_selinux_setfscreatecon(const char *);
	362	#endif
	363	diff --git a/platform.c b/platform.c
	364	index 30fc609..4aab9a9 100644
	365	--- a/platform.c
	366	+++ b/platform.c
	367	@@ -142,7 +142,7 @@ platform_setusercontext(struct passwd *pw)
	368	* called if sshd is running as root.
	369	*/
	370	void
	371	-platform_setusercontext_post_groups(struct passwd *pw)
	372	+platform_setusercontext_post_groups(struct passwd pw, const char role)
	373	{
	374	#if !defined(HAVE_LOGIN_CAP) && defined(USE_PAM)
	375	/*
	376	@@ -183,7 +183,7 @@ platform_setusercontext_post_groups(struct passwd *pw)
	377	}
	378	#endif /* HAVE_SETPCRED */
	379	#ifdef WITH_SELINUX
	380	- ssh_selinux_setup_exec_context(pw->pw_name);
	381	+ ssh_selinux_setup_exec_context(pw->pw_name, role);
	382	#endif
	383	}
	384
	385	diff --git a/platform.h b/platform.h
	386	index 1c7a45d..436ae7c 100644
	387	--- a/platform.h
	388	+++ b/platform.h
	389	@@ -27,7 +27,7 @@ void platform_post_fork_parent(pid_t child_pid);
	390	void platform_post_fork_child(void);
	391	int platform_privileged_uidswap(void);
	392	void platform_setusercontext(struct passwd *);
	393	-void platform_setusercontext_post_groups(struct passwd *);
	394	+void platform_setusercontext_post_groups(struct passwd , const char );
	395	char platform_get_krb5_client(const char );
	396	char platform_krb5_get_principal_name(const char );
	397	int platform_sys_dir_uid(uid_t);
	398	diff --git a/session.c b/session.c
	399	index 2bcf818..6848df4 100644
	400	--- a/session.c
	401	+++ b/session.c
	402	@@ -1502,7 +1502,7 @@ safely_chroot(const char *path, uid_t uid)
	403
	404	/* Set login name, uid, gid, and groups. */
	405	void
	406	-do_setusercontext(struct passwd *pw)
	407	+do_setusercontext(struct passwd pw, const char role)
	408	{
	409	char chroot_path, tmp;
	410
	411	@@ -1530,7 +1530,7 @@ do_setusercontext(struct passwd *pw)
	412	endgrent();
	413	#endif
	414
	415	- platform_setusercontext_post_groups(pw);
	416	+ platform_setusercontext_post_groups(pw, role);
	417
	418	if (options.chroot_directory != NULL &&
	419	strcasecmp(options.chroot_directory, "none") != 0) {
	420	@@ -1679,7 +1679,7 @@ do_child(Session s, const char command)
	421
	422	/* Force a password change */
	423	if (s->authctxt->force_pwchange) {
	424	- do_setusercontext(pw);
	425	+ do_setusercontext(pw, s->authctxt->role);
	426	child_close_fds();
	427	do_pwchange(s);
	428	exit(1);
	429	@@ -1706,7 +1706,7 @@ do_child(Session s, const char command)
	430	/* When PAM is enabled we rely on it to do the nologin check */
	431	if (!options.use_pam)
	432	do_nologin(pw);
	433	- do_setusercontext(pw);
	434	+ do_setusercontext(pw, s->authctxt->role);
	435	/*
	436	* PAM session modules in do_setusercontext may have
	437	* generated messages, so if this in an interactive
	438	@@ -2117,7 +2117,7 @@ session_pty_req(Session *s)
	439	tty_parse_modes(s->ttyfd, &n_bytes);
	440
	441	if (!use_privsep)
	442	- pty_setowner(s->pw, s->tty);
	443	+ pty_setowner(s->pw, s->tty, s->authctxt->role);
	444
	445	/* Set window size from the packet. */
	446	pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel);
	447	diff --git a/session.h b/session.h
	448	index 6a2f35e..ef6593c 100644
	449	--- a/session.h
	450	+++ b/session.h
	451	@@ -77,7 +77,7 @@ void session_pty_cleanup2(Session *);
	452	Session *session_new(void);
	453	Session session_by_tty(char );
	454	void session_close(Session *);
	455	-void do_setusercontext(struct passwd *);
	456	+void do_setusercontext(struct passwd , const char );
	457	void child_set_env(char **envp, u_int envsizep, const char *name,
	458	const char *value);
	459
	460	diff --git a/sshd.c b/sshd.c
	461	index d787fea..e343d90 100644
	462	--- a/sshd.c
	463	+++ b/sshd.c
	464	@@ -769,7 +769,7 @@ privsep_postauth(Authctxt *authctxt)
	465	explicit_bzero(rnd, sizeof(rnd));
	466
	467	/* Drop privileges */
	468	- do_setusercontext(authctxt->pw);
	469	+ do_setusercontext(authctxt->pw, authctxt->role);
	470
	471	skip:
	472	/* It is safe now to apply the key state */
	473	diff --git a/sshpty.c b/sshpty.c
	474	index bbbc0fe..8cc26a2 100644
	475	--- a/sshpty.c
	476	+++ b/sshpty.c
	477	@@ -200,7 +200,7 @@ pty_change_window_size(int ptyfd, u_int row, u_int col,
	478	}
	479
	480	void
	481	-pty_setowner(struct passwd pw, const char tty)
	482	+pty_setowner(struct passwd pw, const char tty, const char *role)
	483	{
	484	struct group *grp;
	485	gid_t gid;
	486	@@ -227,7 +227,7 @@ pty_setowner(struct passwd pw, const char tty)
	487	strerror(errno));
	488
	489	#ifdef WITH_SELINUX
	490	- ssh_selinux_setup_pty(pw->pw_name, tty);
	491	+ ssh_selinux_setup_pty(pw->pw_name, tty, role);
	492	#endif
	493
	494	if (st.st_uid != pw->pw_uid \|\| st.st_gid != gid) {
	495	diff --git a/sshpty.h b/sshpty.h
	496	index cfa3224..edf2436 100644
	497	--- a/sshpty.h
	498	+++ b/sshpty.h
	499	@@ -24,4 +24,4 @@ int pty_allocate(int , int , char *, size_t);
	500	void pty_release(const char *);
	501	void pty_make_controlling_tty(int , const char );
	502	void pty_change_window_size(int, u_int, u_int, u_int, u_int);
	503	-void pty_setowner(struct passwd , const char );
	504	+void pty_setowner(struct passwd , const char , const char *);