From 3131e3bb3c56a6c6ee8cb9d68f542af04cd9e8ff Mon Sep 17 00:00:00 2001 From: Manoj Srivastava Date: Sun, 9 Feb 2014 16:09:49 +0000 Subject: Handle SELinux authorisation roles Rejected upstream due to discomfort with magic usernames; a better approach will need an SSH protocol change. In the meantime, this came from Debian's SELinux maintainer, so we'll keep it until we have something better. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641 Bug-Debian: http://bugs.debian.org/394795 Last-Update: 2019-06-05 Patch-Name: selinux-role.patch --- auth2.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) (limited to 'auth2.c') diff --git a/auth2.c b/auth2.c index 1c217268c..92a6bcaf4 100644 --- a/auth2.c +++ b/auth2.c @@ -265,7 +265,7 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh) { Authctxt *authctxt = ssh->authctxt; Authmethod *m = NULL; - char *user = NULL, *service = NULL, *method = NULL, *style = NULL; + char *user = NULL, *service = NULL, *method = NULL, *style = NULL, *role = NULL; int r, authenticated = 0; double tstart = monotime_double(); @@ -279,8 +279,13 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh) debug("userauth-request for user %s service %s method %s", user, service, method); debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); + if ((role = strchr(user, '/')) != NULL) + *role++ = 0; + if ((style = strchr(user, ':')) != NULL) *style++ = 0; + else if (role && (style = strchr(role, ':')) != NULL) + *style++ = '\0'; if (authctxt->attempt++ == 0) { /* setup auth context */ @@ -307,8 +312,9 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh) use_privsep ? " [net]" : ""); authctxt->service = xstrdup(service); authctxt->style = style ? xstrdup(style) : NULL; + authctxt->role = role ? xstrdup(role) : NULL; if (use_privsep) - mm_inform_authserv(service, style); + mm_inform_authserv(service, style, role); userauth_banner(ssh); if (auth2_setup_methods_lists(authctxt) != 0) ssh_packet_disconnect(ssh, -- cgit v1.2.3