From 30da3447d2ef3329cb0eb083cdddf84532659454 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Mon, 10 May 2010 11:58:03 +1000 Subject: - djm@cvs.openbsd.org 2010/05/07 11:30:30 [auth-options.c auth-options.h auth.c auth.h auth2-pubkey.c] [key.c servconf.c servconf.h sshd.8 sshd_config.5] add some optional indirection to matching of principal names listed in certificates. Currently, a certificate must include the a user's name to be accepted for authentication. This change adds the ability to specify a list of certificate principal names that are acceptable. When authenticating using a CA trusted through ~/.ssh/authorized_keys, this adds a new principals="name1[,name2,...]" key option. For CAs listed through sshd_config's TrustedCAKeys option, a new config option "AuthorizedPrincipalsFile" specifies a per-user file containing the list of acceptable names. If either option is absent, the current behaviour of requiring the username to appear in principals continues to apply. These options are useful for role accounts, disjoint account namespaces and "user@realm"-style naming policies in certificates. feedback and ok markus@ --- sshd_config.5 | 41 +++++++++++++++++++++++++++++++++++++++-- 1 file changed, 39 insertions(+), 2 deletions(-) (limited to 'sshd_config.5') diff --git a/sshd_config.5 b/sshd_config.5 index 2f5410281..a5260d358 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -34,8 +34,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.120 2010/03/04 23:17:25 djm Exp $ -.Dd $Mdocdate: March 4 2010 $ +.\" $OpenBSD: sshd_config.5,v 1.121 2010/05/07 11:30:30 djm Exp $ +.Dd $Mdocdate: May 7 2010 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME 
@@ -167,6 +167,43 @@ is taken to be an absolute path or one relative to the user's home directory. The default is .Dq .ssh/authorized_keys . +.It Cm AuthorizedPrincipalsFile +Specifies a file that lists principal names that are accepted for +certificate authentication. +When using certificates signed by a key listed in +.Cm TrustedUserCAKeys , +this file lists names, one of which must appear in the certificate for it +to be accepted for authentication. +Names are listed one per line; empty lines and comments starting with +.Ql # +are ignored. +.Pp +.Cm AuthorizedPrincipalsFile +may contain tokens of the form %T which are substituted during connection +setup. +The following tokens are defined: %% is replaced by a literal '%', +%h is replaced by the home directory of the user being authenticated, and +%u is replaced by the username of that user. +After expansion, +.Cm AuthorizedPrincipalsFile +is taken to be an absolute path or one relative to the user's home +directory. +.Pp +The default is not to use a principals file - in this case, the username +of the user must appear in a certificate's principals list for it to be +accepted. +Note that +.Cm AuthorizedPrincipalsFile +is only used when authentication proceeds using a CA listed in +.Cm TrustedUserCAKeys +and is not consulted for certification authorities trusted via +.Pa ~/.ssh/authorized_keys , +though the +.Cm principals= +key option offers a similar facility (see +.Xr sshd 8 +for details). +.Pp .It Cm Banner The contents of the specified file are sent to the remote user before authentication is allowed. -- cgit v1.2.3 From 81d3fc535b9725d6d0212bea10e86d7c752225db Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Mon, 10 May 2010 11:58:45 +1000 Subject: - jmc@cvs.openbsd.org 2010/05/07 12:49:17 [sshd_config.5] tweak previous; --- ChangeLog | 3 +++ sshd_config.5 | 5 ++--- 2 files changed, 5 insertions(+), 3 deletions(-) (limited to 'sshd_config.5') 
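Review bot: two mdoc nits in the new AuthorizedPrincipalsFile text in the -167 hunk: "principals file - in this case" uses a bare ASCII hyphen where the manual elsewhere uses an mdoc dash (`\(en`), and the added `.Pp` immediately before `.It Cm Banner` introduces a stray paragraph break inside the option list; drop that `.Pp` so the entry ends like the neighbouring ones. The security-relevant wording is otherwise right: it states explicitly that the file is consulted only for CAs from TrustedUserCAKeys, not for CAs trusted via ~/.ssh/authorized_keys, which is the distinction an administrator needs to avoid assuming one list governs both trust paths.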
diff --git a/ChangeLog b/ChangeLog index 090e2352c..e6b69c1f2 100644 --- a/ChangeLog +++ b/ChangeLog @@ -53,6 +53,9 @@ and "user@realm"-style naming policies in certificates. feedback and ok markus@ + - jmc@cvs.openbsd.org 2010/05/07 12:49:17 + [sshd_config.5] + tweak previous; 20100423 - (dtucker) [configure.ac] Bug #1756: Check for the existence of a lib64 dir diff --git a/sshd_config.5 b/sshd_config.5 index a5260d358..f9814f9a0 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.121 2010/05/07 11:30:30 djm Exp $ +.\" $OpenBSD: sshd_config.5,v 1.122 2010/05/07 12:49:17 jmc Exp $ .Dd $Mdocdate: May 7 2010 $ .Dt SSHD_CONFIG 5 .Os @@ -189,7 +189,7 @@ After expansion, is taken to be an absolute path or one relative to the user's home directory. .Pp -The default is not to use a principals file - in this case, the username +The default is not to use a principals file \(en in this case, the username of the user must appear in a certificate's principals list for it to be accepted. Note that @@ -203,7 +203,6 @@ though the key option offers a similar facility (see .Xr sshd 8 for details). -.Pp .It Cm Banner The contents of the specified file are sent to the remote user before authentication is allowed. -- cgit v1.2.3 From ab6de351404d5a691a89cf2c9fbe9438271bd03d Mon Sep 17 00:00:00 2001 
From: Damien Miller Date: Sat, 26 Jun 2010 09:38:45 +1000 Subject: - djm@cvs.openbsd.org 2010/06/22 04:22:59 [servconf.c sshd_config.5] expose some more sshd_config options inside Match blocks: AuthorizedKeysFile AuthorizedPrincipalsFile HostbasedUsesNameFromPacketOnly PermitTunnel bz#1764; feedback from imorgan AT nas.nasa.gov; ok dtucker@ --- ChangeLog | 6 ++++++ servconf.c | 17 +++++++++++------ sshd_config.5 | 8 ++++++-- 3 files changed, 23 insertions(+), 8 deletions(-) (limited to 'sshd_config.5') diff --git a/ChangeLog b/ChangeLog index 6563597ac..6ca101ab1 100644 --- a/ChangeLog +++ b/ChangeLog @@ -25,6 +25,12 @@ [sftp-client.c] fix memory leak in do_realpath() error path; bz#1771, patch from anicka AT suse.cz + - djm@cvs.openbsd.org 2010/06/22 04:22:59 + [servconf.c sshd_config.5] + expose some more sshd_config options inside Match blocks: + AuthorizedKeysFile AuthorizedPrincipalsFile + HostbasedUsesNameFromPacketOnly PermitTunnel + bz#1764; feedback from imorgan AT nas.nasa.gov; ok dtucker@ 20100622 - (djm) [loginrec.c] crank LINFO_NAMESIZE (username length) to 512 diff --git a/servconf.c b/servconf.c index c556986e3..986a5b92f 100644 --- a/servconf.c +++ b/servconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.c,v 1.208 2010/05/07 11:30:29 djm Exp $ */ +/* $OpenBSD: servconf.c,v 1.209 2010/06/22 04:22:59 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved 
@@ -346,7 +346,7 @@ static struct { { "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL }, { "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_ALL }, { "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL }, - { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_GLOBAL }, + { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_ALL }, { "rsaauthentication", sRSAAuthentication, SSHCFG_ALL }, { "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL }, { "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */ @@ -421,11 +421,11 @@ static struct { { "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL }, { "clientaliveinterval", sClientAliveInterval, SSHCFG_GLOBAL }, { "clientalivecountmax", sClientAliveCountMax, SSHCFG_GLOBAL }, - { "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_GLOBAL }, - { "authorizedkeysfile2", sAuthorizedKeysFile2, SSHCFG_GLOBAL }, + { "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_ALL }, + { "authorizedkeysfile2", sAuthorizedKeysFile2, SSHCFG_ALL }, { "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL}, { "acceptenv", sAcceptEnv, SSHCFG_GLOBAL }, - { "permittunnel", sPermitTunnel, SSHCFG_GLOBAL }, + { "permittunnel", sPermitTunnel, SSHCFG_ALL }, { "match", sMatch, SSHCFG_ALL }, { "permitopen", sPermitOpen, SSHCFG_ALL }, { "forcecommand", sForceCommand, SSHCFG_ALL }, @@ -433,7 +433,7 @@ static struct { { "hostcertificate", sHostCertificate, SSHCFG_GLOBAL }, { "revokedkeys", sRevokedKeys, SSHCFG_ALL }, { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL }, - { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_GLOBAL }, + { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL }, { NULL, sBadOption, 0 } }; 
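Review bot: the context of the -346 hunk still shows `{ "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */` while `pubkeyauthentication` is SSHCFG_ALL, so the alias is rejected inside a Match block even though it sets the same option; either promote the alias to SSHCFG_ALL for consistency or note in the manual that the alias is global-only. Flipping authorizedkeysfile, authorizedkeysfile2 and authorizedprincipalsfile to SSHCFG_ALL is the security-sensitive part of this change: a Match on User, Group or Address can now select a different key or principals file, so the change to the keyword table must be paired with the copy into the live options (the copy_set_server_options additions later in this patch), otherwise the parser would accept the directive without it taking effect.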
@@ -1446,6 +1446,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) M_CP_INTOPT(pubkey_authentication); M_CP_INTOPT(kerberos_authentication); M_CP_INTOPT(hostbased_authentication); + M_CP_INTOPT(hostbased_uses_name_from_packet_only); M_CP_INTOPT(kbd_interactive_authentication); M_CP_INTOPT(zero_knowledge_password_authentication); M_CP_INTOPT(permit_root_login); @@ -1453,6 +1454,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) M_CP_INTOPT(allow_tcp_forwarding); M_CP_INTOPT(allow_agent_forwarding); + M_CP_INTOPT(permit_tun); M_CP_INTOPT(gateway_ports); M_CP_INTOPT(x11_display_offset); M_CP_INTOPT(x11_forwarding); @@ -1467,6 +1469,9 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) M_CP_STROPT(chroot_directory); M_CP_STROPT(trusted_user_ca_keys); M_CP_STROPT(revoked_keys_file); + M_CP_STROPT(authorized_keys_file); + M_CP_STROPT(authorized_keys_file2); + M_CP_STROPT(authorized_principals_file); } #undef M_CP_INTOPT diff --git a/sshd_config.5 b/sshd_config.5 index f9814f9a0..acaf809db 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -34,8 +34,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.122 2010/05/07 12:49:17 jmc Exp $ -.Dd $Mdocdate: May 7 2010 $ +.\" $OpenBSD: sshd_config.5,v 1.123 2010/06/22 04:22:59 djm Exp $ +.Dd $Mdocdate: June 22 2010 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -644,12 +644,15 @@ keyword. Available keywords are .Cm AllowAgentForwarding , .Cm AllowTcpForwarding , +.Cm AuthorizedKeysFile , +.Cm AuthorizedPrincipalsFile , .Cm Banner , .Cm ChrootDirectory , .Cm ForceCommand , .Cm GatewayPorts , .Cm GSSAPIAuthentication , .Cm HostbasedAuthentication , +.Cm HostbasedUsesNameFromPacketOnly , .Cm KbdInteractiveAuthentication , .Cm KerberosAuthentication , .Cm MaxAuthTries , 
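Review bot: the three new `M_CP_STROPT` lines for authorized_keys_file, authorized_keys_file2 and authorized_principals_file are appended after `revoked_keys_file`, but copy_set_server_options() takes a `preauth` flag whose early-return position is not visible in the -1467 hunk; confirm that the process which actually opens these files during pubkey authentication receives the Match-set values, and that the M_CP_STROPT macro (also not shown) releases the previous string rather than leaking it, since a Match block can now override a value that was already set globally. The two `M_CP_INTOPT` additions and the alphabetical insertions into the Match keyword list in sshd_config.5 look consistent with the table changes.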
@@ -658,6 +661,7 @@ Available keywords are .Cm PermitEmptyPasswords , .Cm PermitOpen , .Cm PermitRootLogin , +.Cm PermitTunnel , .Cm PubkeyAuthentication , .Cm RhostsRSAAuthentication , .Cm RSAAuthentication , -- cgit v1.2.3 From 6018a36864643ad0e5ff1f7205a7187b961c2c57 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 2 Jul 2010 13:35:19 +1000 Subject: - djm@cvs.openbsd.org 2010/06/29 23:16:46 [auth2-pubkey.c sshd_config.5] allow key options (command="..." and friends) in AuthorizedPrincipals; ok markus@ --- ChangeLog | 4 ++++ auth2-pubkey.c | 34 +++++++++++++++++++++++++++------- sshd_config.5 | 15 ++++++++++++--- 3 files changed, 43 insertions(+), 10 deletions(-) (limited to 'sshd_config.5') diff --git a/ChangeLog b/ChangeLog index ee40f10eb..586b23c13 100644 --- a/ChangeLog +++ b/ChangeLog @@ -10,6 +10,10 @@ [ssh-keygen.1 ssh-keygen.c] allow import (-i) and export (-e) of PEM and PKCS#8 encoded keys; bz#1749; ok markus@ + - djm@cvs.openbsd.org 2010/06/29 23:16:46 + [auth2-pubkey.c sshd_config.5] + allow key options (command="..." and friends) in AuthorizedPrincipals; + ok markus@ 20100627 - (tim) [openbsd-compat/port-uw.c] Reorder includes. auth-options.h now needs diff --git a/auth2-pubkey.c b/auth2-pubkey.c index faab0e771..35cf79c9f 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-pubkey.c,v 1.25 2010/05/20 11:25:26 djm Exp $ */ +/* $OpenBSD: auth2-pubkey.c,v 1.26 2010/06/29 23:16:46 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -198,10 +198,10 @@ match_principals_option(const char *principal_list, struct KeyCert *cert) } static int -match_principals_file(const char *file, struct passwd *pw, struct KeyCert *cert) +match_principals_file(char *file, struct passwd *pw, struct KeyCert *cert) { FILE *f; - char line[SSH_MAX_PUBKEY_BYTES], *cp; + char line[SSH_MAX_PUBKEY_BYTES], *cp, *ep, *line_opts; u_long linenum = 0; u_int i; 
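Review bot: the -198 hunk changes match_principals_file() from `const char *file` to `char *file`, dropping constness on a parameter the function only reads; the later call `auth_parse_options(pw, line_opts, file, linenum)` suggests the callee's prototype is the reason, in which case the cleaner fix is to constify the `file` argument of auth_parse_options() rather than widen this one.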
@@ -212,17 +212,37 @@ match_principals_file(const char *file, struct passwd *pw, struct KeyCert *cert) return 0; } while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { - /* Skip leading whitespace, empty and comment lines. */ + /* Skip leading whitespace. */ for (cp = line; *cp == ' ' || *cp == '\t'; cp++) ; - if (!*cp || *cp == '\n' || *cp == '#') + /* Skip blank and comment lines. */ + if ((ep = strchr(cp, '#')) != NULL) + *ep = '\0'; + if (!*cp || *cp == '\n') continue; - line[strcspn(line, "\n")] = '\0'; - + /* Trim trailing whitespace. */ + ep = cp + strlen(cp) - 1; + while (ep > cp && (*ep == '\n' || *ep == ' ' || *ep == '\t')) + *ep-- = '\0'; + /* + * If the line has internal whitespace then assume it has + * key options. + */ + line_opts = NULL; + if ((ep = strrchr(cp, ' ')) != NULL || + (ep = strrchr(cp, '\t')) != NULL) { + for (; *ep == ' ' || *ep == '\t'; ep++) + ;; + line_opts = cp; + cp = ep; + } for (i = 0; i < cert->nprincipals; i++) { if (strcmp(cp, cert->principals[i]) == 0) { debug3("matched principal from file \"%.100s\"", cert->principals[i]); + if (auth_parse_options(pw, line_opts, + file, linenum) != 1) + continue; fclose(f); restore_uid(); return 1; diff --git a/sshd_config.5 b/sshd_config.5 index acaf809db..4d066eb8a 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -34,8 +34,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.123 2010/06/22 04:22:59 djm Exp $ -.Dd $Mdocdate: June 22 2010 $ +.\" $OpenBSD: sshd_config.5,v 1.124 2010/06/29 23:16:46 djm Exp $ +.Dd $Mdocdate: June 29 2010 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME 
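Review bot: in the -212 hunk, `if ((ep = strchr(cp, '#')) != NULL) *ep = '\0';` truncates the line at the first `#` anywhere on it, so a key option with a quoted value containing `#` (for example a `command="..."` or `environment="..."` string) is silently cut off before auth_parse_options() sees it, and what remains is then treated as the principal; the old code only treated a line as a comment when `#` was its first non-blank character, and that behaviour should be kept here, with any trailing-comment support handled after options are parsed. Two smaller points in the same hunk: the option splitter `strrchr(cp, ' ')` is tried before `strrchr(cp, '\t')`, so a line whose last separator is a tab but which also contains an earlier space yields a principal string that still holds the tab and never matches; and `for (; *ep == ' ' || *ep == '\t'; ep++) ;;` carries a stray second semicolon. When auth_parse_options() rejects the options, `continue` re-enters the principal loop and re-parses the same line's options once per remaining certificate principal; a `break` out of the inner loop is clearer and avoids repeated parsing, and the `debug3("matched principal ...")` message would then be less misleading if it were logged only after the options are accepted. Also confirm that auth_parse_options() tolerates `line_opts == NULL`, which is the value for every line with no options.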
@@ -155,6 +155,10 @@ for more information on patterns. .It Cm AuthorizedKeysFile Specifies the file that contains the public keys that can be used for user authentication. +The format is described in the +.Sx AUTHORIZED_KEYS FILE FORMAT +section of +.Xr sshd 8 . .Cm AuthorizedKeysFile may contain tokens of the form %T which are substituted during connection setup. @@ -174,7 +178,12 @@ When using certificates signed by a key listed in .Cm TrustedUserCAKeys , this file lists names, one of which must appear in the certificate for it to be accepted for authentication. -Names are listed one per line; empty lines and comments starting with +Names are listed one per line preceeded by key options (as described +in +.Sx AUTHORIZED_KEYS FILE FORMAT +in +.Xr sshd 8 ). +Empty lines and comments starting with .Ql # are ignored. .Pp -- cgit v1.2.3 From d59dab83536d4a539e795ff5ce2be6b952d57e24 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 2 Jul 2010 13:37:17 +1000 Subject: - jmc@cvs.openbsd.org 2010/06/30 07:28:34 [sshd_config.5] tweak previous; --- ChangeLog | 3 +++ sshd_config.5 | 8 ++++---- 2 files changed, 7 insertions(+), 4 deletions(-) (limited to 'sshd_config.5') diff --git a/ChangeLog b/ChangeLog index ca7cfc8fe..9b214e864 100644 --- a/ChangeLog +++ b/ChangeLog @@ -20,6 +20,9 @@ - jmc@cvs.openbsd.org 2010/06/30 07:26:03 [ssh-keygen.c] sort usage(); + - jmc@cvs.openbsd.org 2010/06/30 07:28:34 + [sshd_config.5] + tweak previous; 20100627 - (tim) [openbsd-compat/port-uw.c] Reorder includes. auth-options.h now needs diff --git a/sshd_config.5 b/sshd_config.5 index 4d066eb8a..596a728f8 100644 --- a/sshd_config.5 +++ b/sshd_config.5 
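Review bot: in the -174 hunk of sshd_config.5, "preceeded" is misspelled, and `.Xr sshd 8 ).` should be `.Xr sshd 8 ) .` so mdoc renders the closing parenthesis and full stop correctly. More substantively, "Names are listed one per line preceded by key options" reads as if the options are mandatory, whereas the code in this same patch only treats a line as carrying options when it contains internal whitespace; "optionally preceded by key options" would match the implementation. The new cross-reference from AuthorizedKeysFile to the AUTHORIZED_KEYS FILE FORMAT section in the -155 hunk is a useful addition, since that section is where the option syntax an administrator must get right is documented.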
@@ -34,8 +34,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.124 2010/06/29 23:16:46 djm Exp $ -.Dd $Mdocdate: June 29 2010 $ +.\" $OpenBSD: sshd_config.5,v 1.125 2010/06/30 07:28:34 jmc Exp $ +.Dd $Mdocdate: June 30 2010 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -178,11 +178,11 @@ When using certificates signed by a key listed in .Cm TrustedUserCAKeys , this file lists names, one of which must appear in the certificate for it to be accepted for authentication. -Names are listed one per line preceeded by key options (as described +Names are listed one per line preceded by key options (as described in .Sx AUTHORIZED_KEYS FILE FORMAT in -.Xr sshd 8 ). +.Xr sshd 8 ) . Empty lines and comments starting with .Ql # are ignored. -- cgit v1.2.3