From 206bdbf6bcc95e589effa11695aff2c6b9327e11 Mon Sep 17 00:00:00 2001 From: Manoj Srivastava Date: Sun, 9 Feb 2014 16:09:49 +0000 Subject: Handle SELinux authorisation roles Rejected upstream due to discomfort with magic usernames; a better approach will need an SSH protocol change. In the meantime, this came from Debian's SELinux maintainer, so we'll keep it until we have something better. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641 Bug-Debian: http://bugs.debian.org/394795 Last-Update: 2015-08-19 Patch-Name: selinux-role.patch --- auth1.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) (limited to 'auth1.c') diff --git a/auth1.c b/auth1.c index 5073c49bb..dd0064832 100644 --- a/auth1.c +++ b/auth1.c @@ -383,7 +383,7 @@ void do_authentication(Authctxt *authctxt) { u_int ulen; - char *user, *style = NULL; + char *user, *style = NULL, *role = NULL; /* Get the name of the user that we wish to log in as. */ packet_read_expect(SSH_CMSG_USER); @@ -392,11 +392,17 @@ do_authentication(Authctxt *authctxt) user = packet_get_cstring(&ulen); packet_check_eom(); + if ((role = strchr(user, '/')) != NULL) + *role++ = '\0'; + if ((style = strchr(user, ':')) != NULL) *style++ = '\0'; + else if (role && (style = strchr(role, ':')) != NULL) + *style++ = '\0'; authctxt->user = user; authctxt->style = style; + authctxt->role = role; /* Verify that the user is a valid user. */ if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL) -- cgit v1.2.3