diff options
Diffstat (limited to 'monitor.c')
| -rw-r--r-- | monitor.c | 37 |
1 files changed, 33 insertions, 4 deletions
| @@ -117,6 +117,7 @@ int mm_answer_sign(int, struct sshbuf *); | |||
| 117 | int mm_answer_pwnamallow(int, struct sshbuf *); | 117 | int mm_answer_pwnamallow(int, struct sshbuf *); |
| 118 | int mm_answer_auth2_read_banner(int, struct sshbuf *); | 118 | int mm_answer_auth2_read_banner(int, struct sshbuf *); |
| 119 | int mm_answer_authserv(int, struct sshbuf *); | 119 | int mm_answer_authserv(int, struct sshbuf *); |
| 120 | int mm_answer_authrole(int, struct sshbuf *); | ||
| 120 | int mm_answer_authpassword(int, struct sshbuf *); | 121 | int mm_answer_authpassword(int, struct sshbuf *); |
| 121 | int mm_answer_bsdauthquery(int, struct sshbuf *); | 122 | int mm_answer_bsdauthquery(int, struct sshbuf *); |
| 122 | int mm_answer_bsdauthrespond(int, struct sshbuf *); | 123 | int mm_answer_bsdauthrespond(int, struct sshbuf *); |
| @@ -193,6 +194,7 @@ struct mon_table mon_dispatch_proto20[] = { | |||
| 193 | {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, | 194 | {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, |
| 194 | {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, | 195 | {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, |
| 195 | {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, | 196 | {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, |
| 197 | {MONITOR_REQ_AUTHROLE, MON_ONCE, mm_answer_authrole}, | ||
| 196 | {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, | 198 | {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, |
| 197 | {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, | 199 | {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, |
| 198 | #ifdef USE_PAM | 200 | #ifdef USE_PAM |
| @@ -817,6 +819,7 @@ mm_answer_pwnamallow(int sock, struct sshbuf *m) | |||
| 817 | 819 | ||
| 818 | /* Allow service/style information on the auth context */ | 820 | /* Allow service/style information on the auth context */ |
| 819 | monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); | 821 | monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); |
| 822 | monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1); | ||
| 820 | monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); | 823 | monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); |
| 821 | 824 | ||
| 822 | #ifdef USE_PAM | 825 | #ifdef USE_PAM |
| @@ -850,16 +853,42 @@ mm_answer_authserv(int sock, struct sshbuf *m) | |||
| 850 | monitor_permit_authentications(1); | 853 | monitor_permit_authentications(1); |
| 851 | 854 | ||
| 852 | if ((r = sshbuf_get_cstring(m, &authctxt->service, NULL)) != 0 || | 855 | if ((r = sshbuf_get_cstring(m, &authctxt->service, NULL)) != 0 || |
| 853 | (r = sshbuf_get_cstring(m, &authctxt->style, NULL)) != 0) | 856 | (r = sshbuf_get_cstring(m, &authctxt->style, NULL)) != 0 || |
| 857 | (r = sshbuf_get_cstring(m, &authctxt->role, NULL)) != 0) | ||
| 854 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); | 858 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); |
| 855 | debug3("%s: service=%s, style=%s", | 859 | debug3("%s: service=%s, style=%s, role=%s", |
| 856 | __func__, authctxt->service, authctxt->style); | 860 | __func__, authctxt->service, authctxt->style, authctxt->role); |
| 857 | 861 | ||
| 858 | if (strlen(authctxt->style) == 0) { | 862 | if (strlen(authctxt->style) == 0) { |
| 859 | free(authctxt->style); | 863 | free(authctxt->style); |
| 860 | authctxt->style = NULL; | 864 | authctxt->style = NULL; |
| 861 | } | 865 | } |
| 862 | 866 | ||
| 867 | if (strlen(authctxt->role) == 0) { | ||
| 868 | free(authctxt->role); | ||
| 869 | authctxt->role = NULL; | ||
| 870 | } | ||
| 871 | |||
| 872 | return (0); | ||
| 873 | } | ||
| 874 | |||
| 875 | int | ||
| 876 | mm_answer_authrole(int sock, struct sshbuf *m) | ||
| 877 | { | ||
| 878 | int r; | ||
| 879 | |||
| 880 | monitor_permit_authentications(1); | ||
| 881 | |||
| 882 | if ((r = sshbuf_get_cstring(m, &authctxt->role, NULL)) != 0) | ||
| 883 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); | ||
| 884 | debug3("%s: role=%s", | ||
| 885 | __func__, authctxt->role); | ||
| 886 | |||
| 887 | if (strlen(authctxt->role) == 0) { | ||
| 888 | free(authctxt->role); | ||
| 889 | authctxt->role = NULL; | ||
| 890 | } | ||
| 891 | |||
| 863 | return (0); | 892 | return (0); |
| 864 | } | 893 | } |
| 865 | 894 | ||
| @@ -1501,7 +1530,7 @@ mm_answer_pty(int sock, struct sshbuf *m) | |||
| 1501 | res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty)); | 1530 | res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty)); |
| 1502 | if (res == 0) | 1531 | if (res == 0) |
| 1503 | goto error; | 1532 | goto error; |
| 1504 | pty_setowner(authctxt->pw, s->tty); | 1533 | pty_setowner(authctxt->pw, s->tty, authctxt->role); |
| 1505 | 1534 | ||
| 1506 | if ((r = sshbuf_put_u32(m, 1)) != 0 || | 1535 | if ((r = sshbuf_put_u32(m, 1)) != 0 || |
| 1507 | (r = sshbuf_put_cstring(m, s->tty)) != 0) | 1536 | (r = sshbuf_put_cstring(m, s->tty)) != 0) |