|
 |
8f2528 |
diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/get_command_line.c.psaa-agent openssh-7.4p1/pam_ssh_agent_auth-0.10.3/get_command_line.c
|
|
|
8f2528 |
--- openssh-7.4p1/pam_ssh_agent_auth-0.10.3/get_command_line.c.psaa-agent 2017-02-14 10:19:16.466070259 +0100
|
|
|
8f2528 |
+++ openssh-7.4p1/pam_ssh_agent_auth-0.10.3/get_command_line.c 2017-02-14 10:26:10.062866980 +0100
|
|
|
8f2528 |
@@ -65,8 +65,8 @@ proc_pid_cmdline(char *** inargv)
|
|
|
8f2528 |
case EOF:
|
|
|
8f2528 |
case '\0':
|
|
|
8f2528 |
if (len > 0) {
|
|
|
8f2528 |
- argv = pamsshagentauth_xrealloc(argv, count + 1, sizeof(*argv));
|
|
|
8f2528 |
- argv[count] = pamsshagentauth_xcalloc(len + 1, sizeof(*argv[count]));
|
|
|
8f2528 |
+ argv = xrealloc(argv, count + 1, sizeof(*argv));
|
|
|
8f2528 |
+ argv[count] = xcalloc(len + 1, sizeof(*argv[count]));
|
|
|
8f2528 |
strncpy(argv[count++], argbuf, len);
|
|
|
8f2528 |
memset(argbuf, '\0', MAX_LEN_PER_CMDLINE_ARG + 1);
|
|
|
8f2528 |
len = 0;
|
|
|
8f2528 |
diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/identity.h.psaa-agent openssh-7.4p1/pam_ssh_agent_auth-0.10.3/identity.h
|
|
|
8f2528 |
--- openssh-7.4p1/pam_ssh_agent_auth-0.10.3/identity.h.psaa-agent 2016-11-13 04:24:32.000000000 +0100
|
|
|
8f2528 |
+++ openssh-7.4p1/pam_ssh_agent_auth-0.10.3/identity.h 2017-02-14 10:19:12.225071868 +0100
|
|
|
8f2528 |
@@ -38,6 +38,12 @@
|
|
|
8f2528 |
typedef struct identity Identity;
|
|
|
8f2528 |
typedef struct idlist Idlist;
|
|
|
8f2528 |
|
|
|
8f2528 |
+typedef struct {
|
|
|
8f2528 |
+ int fd;
|
|
|
8f2528 |
+ Buffer identities;
|
|
|
8f2528 |
+ int howmany;
|
|
|
8f2528 |
+} AuthenticationConnection;
|
|
|
8f2528 |
+
|
|
|
8f2528 |
struct identity {
|
|
|
8f2528 |
TAILQ_ENTRY(identity) next;
|
|
|
8f2528 |
AuthenticationConnection *ac; /* set if agent supports key */
|
|
|
8f2528 |
diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-agent openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c
|
|
|
8f2528 |
--- openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-agent 2017-02-14 10:19:12.224071868 +0100
|
|
|
8f2528 |
+++ openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c 2017-02-14 10:19:12.226071867 +0100
|
|
|
8f2528 |
@@ -52,12 +52,15 @@
|
|
|
8f2528 |
#include <openssl/evp.h>
|
|
|
8f2528 |
#include "ssh2.h"
|
|
|
8f2528 |
#include "misc.h"
|
|
|
8f2528 |
+#include "ssherr.h"
|
|
|
8f2528 |
|
|
|
8f2528 |
#include "userauth_pubkey_from_id.h"
|
|
|
8f2528 |
#include "identity.h"
|
|
|
8f2528 |
#include "get_command_line.h"
|
|
|
8f2528 |
extern char **environ;
|
|
|
8f2528 |
|
|
|
8f2528 |
+#define PAM_SSH_AGENT_AUTH_REQUESTv1 101
|
|
|
8f2528 |
+
|
|
|
8f2528 |
static char *
|
|
|
8f2528 |
log_action(char ** action, size_t count)
|
|
|
8f2528 |
{
|
|
|
8f2528 |
@@ -67,7 +70,7 @@ log_action(char ** action, size_t count)
|
|
|
8f2528 |
if (count == 0)
|
|
|
8f2528 |
return NULL;
|
|
|
8f2528 |
|
|
|
8f2528 |
- buf = pamsshagentauth_xcalloc((count * MAX_LEN_PER_CMDLINE_ARG) + (count * 3), sizeof(*buf));
|
|
|
8f2528 |
+ buf = xcalloc((count * MAX_LEN_PER_CMDLINE_ARG) + (count * 3), sizeof(*buf));
|
|
|
8f2528 |
for (i = 0; i < count; i++) {
|
|
|
8f2528 |
strcat(buf, (i > 0) ? " '" : "'");
|
|
|
8f2528 |
strncat(buf, action[i], MAX_LEN_PER_CMDLINE_ARG);
|
|
|
8f2528 |
@@ -80,12 +83,12 @@ void
|
|
|
8f2528 |
agent_action(Buffer *buf, char ** action, size_t count)
|
|
|
8f2528 |
{
|
|
|
8f2528 |
size_t i;
|
|
|
8f2528 |
- pamsshagentauth_buffer_init(buf);
|
|
|
8f2528 |
+ buffer_init(buf);
|
|
|
8f2528 |
|
|
|
8f2528 |
- pamsshagentauth_buffer_put_int(buf, count);
|
|
|
8f2528 |
+ buffer_put_int(buf, count);
|
|
|
8f2528 |
|
|
|
8f2528 |
for (i = 0; i < count; i++) {
|
|
|
8f2528 |
- pamsshagentauth_buffer_put_cstring(buf, action[i]);
|
|
|
8f2528 |
+ buffer_put_cstring(buf, action[i]);
|
|
|
8f2528 |
}
|
|
|
8f2528 |
}
|
|
|
8f2528 |
|
|
|
8f2528 |
@@ -109,17 +112,17 @@ pamsshagentauth_session_id2_gen(Buffer *
|
|
|
8f2528 |
char * retc;
|
|
|
8f2528 |
int32_t reti;
|
|
|
8f2528 |
|
|
|
8f2528 |
- rnd = pamsshagentauth_arc4random();
|
|
|
8f2528 |
+ rnd = arc4random();
|
|
|
8f2528 |
cookie_len = ((uint8_t) rnd);
|
|
|
8f2528 |
while (cookie_len < 16) {
|
|
|
8f2528 |
cookie_len += 16; /* Add 16 bytes to the size to ensure that while the length is random, the length is always reasonable; ticket #18 */
|
|
|
8f2528 |
}
|
|
|
8f2528 |
|
|
|
8f2528 |
- cookie = pamsshagentauth_xcalloc(1,cookie_len);
|
|
|
8f2528 |
+ cookie = xcalloc(1,cookie_len);
|
|
|
8f2528 |
|
|
|
8f2528 |
for (i = 0; i < cookie_len; i++) {
|
|
|
8f2528 |
if (i % 4 == 0) {
|
|
|
8f2528 |
- rnd = pamsshagentauth_arc4random();
|
|
|
8f2528 |
+ rnd = arc4random();
|
|
|
8f2528 |
}
|
|
|
8f2528 |
cookie[i] = (char) rnd;
|
|
|
8f2528 |
rnd >>= 8;
|
|
|
8f2528 |
@@ -134,7 +137,7 @@ pamsshagentauth_session_id2_gen(Buffer *
|
|
|
8f2528 |
}
|
|
|
8f2528 |
else {
|
|
|
8f2528 |
action_logbuf = "unknown on this platform";
|
|
|
8f2528 |
- pamsshagentauth_buffer_init(&action_agentbuf); /* stays empty, means unavailable */
|
|
|
8f2528 |
+ buffer_init(&action_agentbuf); /* stays empty, means unavailable */
|
|
|
8f2528 |
}
|
|
|
8f2528 |
|
|
|
8f2528 |
/*
|
|
|
8f2528 |
@@ -151,35 +154,35 @@ pamsshagentauth_session_id2_gen(Buffer *
|
|
|
8f2528 |
retc = getcwd(pwd, sizeof(pwd) - 1);
|
|
|
8f2528 |
time(&ts);
|
|
|
8f2528 |
|
|
|
8f2528 |
- pamsshagentauth_buffer_init(session_id2);
|
|
|
8f2528 |
+ buffer_init(session_id2);
|
|
|
8f2528 |
|
|
|
8f2528 |
- pamsshagentauth_buffer_put_int(session_id2, PAM_SSH_AGENT_AUTH_REQUESTv1);
|
|
|
8f2528 |
- /* pamsshagentauth_debug3("cookie: %s", pamsshagentauth_tohex(cookie, cookie_len)); */
|
|
|
8f2528 |
- pamsshagentauth_buffer_put_string(session_id2, cookie, cookie_len);
|
|
|
8f2528 |
- /* pamsshagentauth_debug3("user: %s", user); */
|
|
|
8f2528 |
- pamsshagentauth_buffer_put_cstring(session_id2, user);
|
|
|
8f2528 |
- /* pamsshagentauth_debug3("ruser: %s", ruser); */
|
|
|
8f2528 |
- pamsshagentauth_buffer_put_cstring(session_id2, ruser);
|
|
|
8f2528 |
- /* pamsshagentauth_debug3("servicename: %s", servicename); */
|
|
|
8f2528 |
- pamsshagentauth_buffer_put_cstring(session_id2, servicename);
|
|
|
8f2528 |
- /* pamsshagentauth_debug3("pwd: %s", pwd); */
|
|
|
8f2528 |
+ buffer_put_int(session_id2, PAM_SSH_AGENT_AUTH_REQUESTv1);
|
|
|
8f2528 |
+ /* debug3("cookie: %s", tohex(cookie, cookie_len)); */
|
|
|
8f2528 |
+ buffer_put_string(session_id2, cookie, cookie_len);
|
|
|
8f2528 |
+ /* debug3("user: %s", user); */
|
|
|
8f2528 |
+ buffer_put_cstring(session_id2, user);
|
|
|
8f2528 |
+ /* debug3("ruser: %s", ruser); */
|
|
|
8f2528 |
+ buffer_put_cstring(session_id2, ruser);
|
|
|
8f2528 |
+ /* debug3("servicename: %s", servicename); */
|
|
|
8f2528 |
+ buffer_put_cstring(session_id2, servicename);
|
|
|
8f2528 |
+ /* debug3("pwd: %s", pwd); */
|
|
|
8f2528 |
if(retc)
|
|
|
8f2528 |
- pamsshagentauth_buffer_put_cstring(session_id2, pwd);
|
|
|
8f2528 |
+ buffer_put_cstring(session_id2, pwd);
|
|
|
8f2528 |
else
|
|
|
8f2528 |
- pamsshagentauth_buffer_put_cstring(session_id2, "");
|
|
|
8f2528 |
- /* pamsshagentauth_debug3("action: %s", action_logbuf); */
|
|
|
8f2528 |
- pamsshagentauth_buffer_put_string(session_id2, action_agentbuf.buf + action_agentbuf.offset, action_agentbuf.end - action_agentbuf.offset);
|
|
|
8f2528 |
+ buffer_put_cstring(session_id2, "");
|
|
|
8f2528 |
+ /* debug3("action: %s", action_logbuf); */
|
|
|
8f2528 |
+ buffer_put_string(session_id2, sshbuf_ptr(&action_agentbuf), sshbuf_len(&action_agentbuf));
|
|
|
8f2528 |
if (free_logbuf) {
|
|
|
8f2528 |
free(action_logbuf);
|
|
|
8f2528 |
- pamsshagentauth_buffer_free(&action_agentbuf);
|
|
|
8f2528 |
+ buffer_free(&action_agentbuf);
|
|
|
8f2528 |
}
|
|
|
8f2528 |
- /* pamsshagentauth_debug3("hostname: %s", hostname); */
|
|
|
8f2528 |
+ /* debug3("hostname: %s", hostname); */
|
|
|
8f2528 |
if(reti >= 0)
|
|
|
8f2528 |
- pamsshagentauth_buffer_put_cstring(session_id2, hostname);
|
|
|
8f2528 |
+ buffer_put_cstring(session_id2, hostname);
|
|
|
8f2528 |
else
|
|
|
8f2528 |
- pamsshagentauth_buffer_put_cstring(session_id2, "");
|
|
|
8f2528 |
- /* pamsshagentauth_debug3("ts: %ld", ts); */
|
|
|
8f2528 |
- pamsshagentauth_buffer_put_int64(session_id2, (uint64_t) ts);
|
|
|
8f2528 |
+ buffer_put_cstring(session_id2, "");
|
|
|
8f2528 |
+ /* debug3("ts: %ld", ts); */
|
|
|
8f2528 |
+ buffer_put_int64(session_id2, (uint64_t) ts);
|
|
|
8f2528 |
|
|
|
8f2528 |
free(cookie);
|
|
|
8f2528 |
return;
|
|
|
8f2528 |
@@ -288,39 +291,47 @@ pamsshagentauth_find_authorized_keys(con
|
|
|
8f2528 |
{
|
|
|
8f2528 |
Buffer session_id2 = { 0 };
|
|
|
8f2528 |
Identity *id;
|
|
|
8f2528 |
- Key *key;
|
|
|
8f2528 |
AuthenticationConnection *ac;
|
|
|
8f2528 |
- char *comment;
|
|
|
8f2528 |
uint8_t retval = 0;
|
|
|
8f2528 |
uid_t uid = getpwnam(ruser)->pw_uid;
|
|
|
8f2528 |
+ struct ssh_identitylist *idlist;
|
|
|
8f2528 |
+ int r;
|
|
|
8f2528 |
+ unsigned int i;
|
|
|
8f2528 |
|
|
|
8f2528 |
OpenSSL_add_all_digests();
|
|
|
8f2528 |
pamsshagentauth_session_id2_gen(&session_id2, user, ruser, servicename);
|
|
|
8f2528 |
|
|
|
8f2528 |
if ((ac = ssh_get_authentication_connection_for_uid(uid))) {
|
|
|
8f2528 |
- pamsshagentauth_verbose("Contacted ssh-agent of user %s (%u)", ruser, uid);
|
|
|
8f2528 |
- for (key = ssh_get_first_identity(ac, &comment, 2); key != NULL; key = ssh_get_next_identity(ac, &comment, 2))
|
|
|
8f2528 |
+ verbose("Contacted ssh-agent of user %s (%u)", ruser, uid);
|
|
|
8f2528 |
+ if ((r = ssh_fetch_identitylist(ac->fd, 2,
|
|
|
8f2528 |
+ &idlist)) != 0) {
|
|
|
8f2528 |
+ if (r != SSH_ERR_AGENT_NO_IDENTITIES)
|
|
|
8f2528 |
+ fprintf(stderr, "error fetching identities for "
|
|
|
8f2528 |
+ "protocol %d: %s\n", 2, ssh_err(r));
|
|
|
8f2528 |
+ } else {
|
|
|
8f2528 |
+ for (i = 0; i < idlist->nkeys; i++)
|
|
|
8f2528 |
{
|
|
|
8f2528 |
- if(key != NULL) {
|
|
|
8f2528 |
- id = pamsshagentauth_xcalloc(1, sizeof(*id));
|
|
|
8f2528 |
- id->key = key;
|
|
|
8f2528 |
- id->filename = comment;
|
|
|
8f2528 |
+ if(idlist->keys[i] != NULL) {
|
|
|
8f2528 |
+ id = xcalloc(1, sizeof(*id));
|
|
|
8f2528 |
+ id->key = idlist->keys[i];
|
|
|
8f2528 |
+ id->filename = idlist->comments[i];
|
|
|
8f2528 |
id->ac = ac;
|
|
|
8f2528 |
if(userauth_pubkey_from_id(ruser, id, &session_id2)) {
|
|
|
8f2528 |
retval = 1;
|
|
|
8f2528 |
}
|
|
|
8f2528 |
- free(id->filename);
|
|
|
8f2528 |
- pamsshagentauth_key_free(id->key);
|
|
|
8f2528 |
free(id);
|
|
|
8f2528 |
if(retval == 1)
|
|
|
8f2528 |
break;
|
|
|
8f2528 |
}
|
|
|
8f2528 |
}
|
|
|
8f2528 |
- pamsshagentauth_buffer_free(&session_id2);
|
|
|
8f2528 |
- ssh_close_authentication_connection(ac);
|
|
|
8f2528 |
+ buffer_free(&session_id2);
|
|
|
8f2528 |
+ ssh_free_identitylist(idlist);
|
|
|
8f2528 |
+ ssh_close_authentication_socket(ac->fd);
|
|
|
8f2528 |
+ free(ac);
|
|
|
8f2528 |
+ }
|
|
|
8f2528 |
}
|
|
|
8f2528 |
else {
|
|
|
8f2528 |
- pamsshagentauth_verbose("No ssh-agent could be contacted");
|
|
|
8f2528 |
+ verbose("No ssh-agent could be contacted");
|
|
|
8f2528 |
}
|
|
|
8f2528 |
/* pamsshagentauth_xfree(session_id2); */
|
|
|
8f2528 |
EVP_cleanup();
|
|
|
8f2528 |
diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c.psaa-agent openssh-7.4p1/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c
|
|
|
8f2528 |
--- openssh-7.4p1/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c.psaa-agent 2017-02-14 10:19:12.223071868 +0100
|
|
|
8f2528 |
+++ openssh-7.4p1/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c 2017-02-14 10:19:12.226071867 +0100
|
|
|
8f2528 |
@@ -104,7 +104,7 @@ pam_sm_authenticate(pam_handle_t * pamh,
|
|
|
8f2528 |
* a patch 8-)
|
|
|
8f2528 |
*/
|
|
|
8f2528 |
#if ! HAVE___PROGNAME || HAVE_BUNDLE
|
|
|
8f2528 |
- __progname = pamsshagentauth_xstrdup(servicename);
|
|
|
8f2528 |
+ __progname = xstrdup(servicename);
|
|
|
8f2528 |
#endif
|
|
|
8f2528 |
|
|
|
8f2528 |
for(i = argc, argv_ptr = (char **) argv; i > 0; ++argv_ptr, i--) {
|
|
|
8f2528 |
@@ -130,11 +130,11 @@ pam_sm_authenticate(pam_handle_t * pamh,
|
|
|
8f2528 |
#endif
|
|
|
8f2528 |
}
|
|
|
8f2528 |
|
|
|
8f2528 |
- pamsshagentauth_log_init(__progname, log_lvl, facility, getenv("PAM_SSH_AGENT_AUTH_DEBUG") ? 1 : 0);
|
|
|
8f2528 |
+ log_init(__progname, log_lvl, facility, getenv("PAM_SSH_AGENT_AUTH_DEBUG") ? 1 : 0);
|
|
|
8f2528 |
pam_get_item(pamh, PAM_USER, (void *) &user);
|
|
|
8f2528 |
pam_get_item(pamh, PAM_RUSER, (void *) &ruser_ptr);
|
|
|
8f2528 |
|
|
|
8f2528 |
- pamsshagentauth_verbose("Beginning pam_ssh_agent_auth for user %s", user);
|
|
|
8f2528 |
+ verbose("Beginning pam_ssh_agent_auth for user %s", user);
|
|
|
8f2528 |
|
|
|
8f2528 |
if(ruser_ptr) {
|
|
|
8f2528 |
strncpy(ruser, ruser_ptr, sizeof(ruser) - 1);
|
|
|
8f2528 |
@@ -149,12 +149,12 @@ pam_sm_authenticate(pam_handle_t * pamh,
|
|
|
8f2528 |
#ifdef ENABLE_SUDO_HACK
|
|
|
8f2528 |
if( (strlen(sudo_service_name) > 0) && strncasecmp(servicename, sudo_service_name, sizeof(sudo_service_name) - 1) == 0 && getenv("SUDO_USER") ) {
|
|
|
8f2528 |
strncpy(ruser, getenv("SUDO_USER"), sizeof(ruser) - 1 );
|
|
|
8f2528 |
- pamsshagentauth_verbose( "Using environment variable SUDO_USER (%s)", ruser );
|
|
|
8f2528 |
+ verbose( "Using environment variable SUDO_USER (%s)", ruser );
|
|
|
8f2528 |
} else
|
|
|
8f2528 |
#endif
|
|
|
8f2528 |
{
|
|
|
8f2528 |
if( ! getpwuid(getuid()) ) {
|
|
|
8f2528 |
- pamsshagentauth_verbose("Unable to getpwuid(getuid())");
|
|
|
8f2528 |
+ verbose("Unable to getpwuid(getuid())");
|
|
|
8f2528 |
goto cleanexit;
|
|
|
8f2528 |
}
|
|
|
8f2528 |
strncpy(ruser, getpwuid(getuid())->pw_name, sizeof(ruser) - 1);
|
|
|
8f2528 |
@@ -163,11 +163,11 @@ pam_sm_authenticate(pam_handle_t * pamh,
|
|
|
8f2528 |
|
|
|
8f2528 |
/* Might as well explicitely confirm the user exists here */
|
|
|
8f2528 |
if(! getpwnam(ruser) ) {
|
|
|
8f2528 |
- pamsshagentauth_verbose("getpwnam(%s) failed, bailing out", ruser);
|
|
|
8f2528 |
+ verbose("getpwnam(%s) failed, bailing out", ruser);
|
|
|
8f2528 |
goto cleanexit;
|
|
|
8f2528 |
}
|
|
|
8f2528 |
if( ! getpwnam(user) ) {
|
|
|
8f2528 |
- pamsshagentauth_verbose("getpwnam(%s) failed, bailing out", user);
|
|
|
8f2528 |
+ verbose("getpwnam(%s) failed, bailing out", user);
|
|
|
8f2528 |
goto cleanexit;
|
|
|
8f2528 |
}
|
|
|
8f2528 |
|
|
|
8f2528 |
@@ -177,8 +177,8 @@ pam_sm_authenticate(pam_handle_t * pamh,
|
|
|
8f2528 |
*/
|
|
|
8f2528 |
parse_authorized_key_file(user, authorized_keys_file_input);
|
|
|
8f2528 |
} else {
|
|
|
8f2528 |
- pamsshagentauth_verbose("Using default file=/etc/security/authorized_keys");
|
|
|
8f2528 |
- authorized_keys_file = pamsshagentauth_xstrdup("/etc/security/authorized_keys");
|
|
|
8f2528 |
+ verbose("Using default file=/etc/security/authorized_keys");
|
|
|
8f2528 |
+ authorized_keys_file = xstrdup("/etc/security/authorized_keys");
|
|
|
8f2528 |
}
|
|
|
8f2528 |
|
|
|
8f2528 |
/*
|
|
|
8f2528 |
@@ -187,19 +187,19 @@ pam_sm_authenticate(pam_handle_t * pamh,
|
|
|
8f2528 |
*/
|
|
|
8f2528 |
|
|
|
8f2528 |
if(user && strlen(ruser) > 0) {
|
|
|
8f2528 |
- pamsshagentauth_verbose("Attempting authentication: `%s' as `%s' using %s", ruser, user, authorized_keys_file);
|
|
|
8f2528 |
+ verbose("Attempting authentication: `%s' as `%s' using %s", ruser, user, authorized_keys_file);
|
|
|
8f2528 |
|
|
|
8f2528 |
/*
|
|
|
8f2528 |
* this pw_uid is used to validate the SSH_AUTH_SOCK, and so must be the uid of the ruser invoking the program, not the target-user
|
|
|
8f2528 |
*/
|
|
|
8f2528 |
if(pamsshagentauth_find_authorized_keys(user, ruser, servicename)) { /* getpwnam(ruser)->pw_uid)) { */
|
|
|
8f2528 |
- pamsshagentauth_logit("Authenticated: `%s' as `%s' using %s", ruser, user, authorized_keys_file);
|
|
|
8f2528 |
+ logit("Authenticated: `%s' as `%s' using %s", ruser, user, authorized_keys_file);
|
|
|
8f2528 |
retval = PAM_SUCCESS;
|
|
|
8f2528 |
} else {
|
|
|
8f2528 |
- pamsshagentauth_logit("Failed Authentication: `%s' as `%s' using %s", ruser, user, authorized_keys_file);
|
|
|
8f2528 |
+ logit("Failed Authentication: `%s' as `%s' using %s", ruser, user, authorized_keys_file);
|
|
|
8f2528 |
}
|
|
|
8f2528 |
} else {
|
|
|
8f2528 |
- pamsshagentauth_logit("No %s specified, cannot continue with this form of authentication", (user) ? "ruser" : "user" );
|
|
|
8f2528 |
+ logit("No %s specified, cannot continue with this form of authentication", (user) ? "ruser" : "user" );
|
|
|
8f2528 |
}
|
|
|
8f2528 |
|
|
|
8f2528 |
cleanexit:
|
|
|
8f2528 |
diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c.psaa-agent openssh-7.4p1/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c
|
|
|
8f2528 |
--- openssh-7.4p1/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c.psaa-agent 2016-11-13 04:24:32.000000000 +0100
|
|
|
8f2528 |
+++ openssh-7.4p1/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c 2017-02-14 10:19:12.226071867 +0100
|
|
|
8f2528 |
@@ -117,12 +117,12 @@ parse_authorized_key_file(const char *us
|
|
|
8f2528 |
} else {
|
|
|
8f2528 |
slash_ptr = strchr(auth_keys_file_buf, '/');
|
|
|
8f2528 |
if(!slash_ptr)
|
|
|
8f2528 |
- pamsshagentauth_fatal
|
|
|
8f2528 |
+ fatal
|
|
|
8f2528 |
("cannot expand tilde in path without a `/'");
|
|
|
8f2528 |
|
|
|
8f2528 |
owner_uname_len = slash_ptr - auth_keys_file_buf - 1;
|
|
|
8f2528 |
if(owner_uname_len > (sizeof(owner_uname) - 1))
|
|
|
8f2528 |
- pamsshagentauth_fatal("Username too long");
|
|
|
8f2528 |
+ fatal("Username too long");
|
|
|
8f2528 |
|
|
|
8f2528 |
strncat(owner_uname, auth_keys_file_buf + 1, owner_uname_len);
|
|
|
8f2528 |
if(!authorized_keys_file_allowed_owner_uid)
|
|
|
8f2528 |
@@ -130,11 +130,11 @@ parse_authorized_key_file(const char *us
|
|
|
8f2528 |
getpwnam(owner_uname)->pw_uid;
|
|
|
8f2528 |
}
|
|
|
8f2528 |
authorized_keys_file =
|
|
|
8f2528 |
- pamsshagentauth_tilde_expand_filename(auth_keys_file_buf,
|
|
|
8f2528 |
+ tilde_expand_filename(auth_keys_file_buf,
|
|
|
8f2528 |
authorized_keys_file_allowed_owner_uid);
|
|
|
8f2528 |
strncpy(auth_keys_file_buf, authorized_keys_file,
|
|
|
8f2528 |
sizeof(auth_keys_file_buf) - 1);
|
|
|
8f2528 |
- pamsshagentauth_xfree(authorized_keys_file) /* when we
|
|
|
8f2528 |
+ free(authorized_keys_file) /* when we
|
|
|
8f2528 |
percent_expand
|
|
|
8f2528 |
later, we'd step
|
|
|
8f2528 |
on this, so free
|
|
|
8f2528 |
@@ -150,7 +150,7 @@ parse_authorized_key_file(const char *us
|
|
|
8f2528 |
strncat(hostname, fqdn, strcspn(fqdn, "."));
|
|
|
8f2528 |
#endif
|
|
|
8f2528 |
authorized_keys_file =
|
|
|
8f2528 |
- pamsshagentauth_percent_expand(auth_keys_file_buf, "h",
|
|
|
8f2528 |
+ percent_expand(auth_keys_file_buf, "h",
|
|
|
8f2528 |
getpwnam(user)->pw_dir, "H", hostname,
|
|
|
8f2528 |
"f", fqdn, "u", user, NULL);
|
|
|
8f2528 |
}
|
|
|
8f2528 |
diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c.psaa-agent openssh-7.4p1/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c
|
|
|
8f2528 |
--- openssh-7.4p1/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c.psaa-agent 2017-02-14 10:19:12.224071868 +0100
|
|
|
8f2528 |
+++ openssh-7.4p1/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c 2017-02-14 10:19:12.226071867 +0100
|
|
|
8f2528 |
@@ -35,6 +35,7 @@
|
|
|
8f2528 |
#include <sys/stat.h>
|
|
|
8f2528 |
#include <sys/wait.h>
|
|
|
8f2528 |
#include <fcntl.h>
|
|
|
8f2528 |
+#include <unistd.h>
|
|
|
8f2528 |
|
|
|
8f2528 |
#include <pwd.h>
|
|
|
8f2528 |
#include <stdio.h>
|
|
|
8f2528 |
@@ -53,6 +54,7 @@
|
|
|
8f2528 |
#include "misc.h"
|
|
|
8f2528 |
#include "secure_filename.h"
|
|
|
8f2528 |
#include "uidswap.h"
|
|
|
8f2528 |
+#include "digest.h"
|
|
|
8f2528 |
|
|
|
8f2528 |
#include "identity.h"
|
|
|
8f2528 |
|
|
|
8f2528 |
@@ -68,7 +70,7 @@ pamsshagentauth_check_authkeys_file(FILE
|
|
|
8f2528 |
char *fp;
|
|
|
8f2528 |
|
|
|
8f2528 |
found_key = 0;
|
|
|
8f2528 |
- found = pamsshagentauth_key_new(key->type);
|
|
|
8f2528 |
+ found = key_new(key->type);
|
|
|
8f2528 |
|
|
|
8f2528 |
while(read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
|
|
|
8f2528 |
char *cp = NULL; /* *key_options = NULL; */
|
|
|
8f2528 |
@@ -78,11 +80,11 @@ pamsshagentauth_check_authkeys_file(FILE
|
|
|
8f2528 |
if(!*cp || *cp == '\n' || *cp == '#')
|
|
|
8f2528 |
continue;
|
|
|
8f2528 |
|
|
|
8f2528 |
- if(pamsshagentauth_key_read(found, &cp) != 1) {
|
|
|
8f2528 |
+ if(key_read(found, &cp) != 1) {
|
|
|
8f2528 |
/* no key? check if there are options for this key */
|
|
|
8f2528 |
int quoted = 0;
|
|
|
8f2528 |
|
|
|
8f2528 |
- pamsshagentauth_verbose("user_key_allowed: check options: '%s'", cp);
|
|
|
8f2528 |
+ verbose("user_key_allowed: check options: '%s'", cp);
|
|
|
8f2528 |
/* key_options = cp; */
|
|
|
8f2528 |
for(; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) {
|
|
|
8f2528 |
if(*cp == '\\' && cp[1] == '"')
|
|
|
8f2528 |
@@ -92,26 +94,26 @@ pamsshagentauth_check_authkeys_file(FILE
|
|
|
8f2528 |
}
|
|
|
8f2528 |
/* Skip remaining whitespace. */
|
|
|
8f2528 |
for(; *cp == ' ' || *cp == '\t'; cp++);
|
|
|
8f2528 |
- if(pamsshagentauth_key_read(found, &cp) != 1) {
|
|
|
8f2528 |
- pamsshagentauth_verbose("user_key_allowed: advance: '%s'", cp);
|
|
|
8f2528 |
+ if(key_read(found, &cp) != 1) {
|
|
|
8f2528 |
+ verbose("user_key_allowed: advance: '%s'", cp);
|
|
|
8f2528 |
/* still no key? advance to next line */
|
|
|
8f2528 |
continue;
|
|
|
8f2528 |
}
|
|
|
8f2528 |
}
|
|
|
8f2528 |
- if(pamsshagentauth_key_equal(found, key)) {
|
|
|
8f2528 |
+ if(key_equal(found, key)) {
|
|
|
8f2528 |
found_key = 1;
|
|
|
8f2528 |
- pamsshagentauth_logit("matching key found: file/command %s, line %lu", file,
|
|
|
8f2528 |
+ logit("matching key found: file/command %s, line %lu", file,
|
|
|
8f2528 |
linenum);
|
|
|
8f2528 |
- fp = pamsshagentauth_key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
|
|
|
8f2528 |
- pamsshagentauth_logit("Found matching %s key: %s",
|
|
|
8f2528 |
- pamsshagentauth_key_type(found), fp);
|
|
|
8f2528 |
+ fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
|
|
|
8f2528 |
+ logit("Found matching %s key: %s",
|
|
|
8f2528 |
+ key_type(found), fp);
|
|
|
8f2528 |
free(fp);
|
|
|
8f2528 |
break;
|
|
|
8f2528 |
}
|
|
|
8f2528 |
}
|
|
|
8f2528 |
- pamsshagentauth_key_free(found);
|
|
|
8f2528 |
+ key_free(found);
|
|
|
8f2528 |
if(!found_key)
|
|
|
8f2528 |
- pamsshagentauth_verbose("key not found");
|
|
|
8f2528 |
+ verbose("key not found");
|
|
|
8f2528 |
return found_key;
|
|
|
8f2528 |
}
|
|
|
8f2528 |
|
|
|
8f2528 |
@@ -128,11 +130,11 @@ pamsshagentauth_user_key_allowed2(struct
|
|
|
8f2528 |
char buf[SSH_MAX_PUBKEY_BYTES];
|
|
|
8f2528 |
|
|
|
8f2528 |
/* Temporarily use the user's uid. */
|
|
|
8f2528 |
- pamsshagentauth_verbose("trying public key file %s", file);
|
|
|
8f2528 |
+ verbose("trying public key file %s", file);
|
|
|
8f2528 |
|
|
|
8f2528 |
/* Fail not so quietly if file does not exist */
|
|
|
8f2528 |
if(stat(file, &st) < 0) {
|
|
|
8f2528 |
- pamsshagentauth_verbose("File not found: %s", file);
|
|
|
8f2528 |
+ verbose("File not found: %s", file);
|
|
|
8f2528 |
return 0;
|
|
|
8f2528 |
}
|
|
|
8f2528 |
|
|
|
8f2528 |
@@ -144,7 +146,7 @@ pamsshagentauth_user_key_allowed2(struct
|
|
|
8f2528 |
|
|
|
8f2528 |
if(pamsshagentauth_secure_filename(f, file, pw, buf, sizeof(buf)) != 0) {
|
|
|
8f2528 |
fclose(f);
|
|
|
8f2528 |
- pamsshagentauth_logit("Authentication refused: %s", buf);
|
|
|
8f2528 |
+ logit("Authentication refused: %s", buf);
|
|
|
8f2528 |
return 0;
|
|
|
8f2528 |
}
|
|
|
8f2528 |
|
|
|
8f2528 |
@@ -187,44 +189,44 @@ pamsshagentauth_user_key_command_allowed
|
|
|
8f2528 |
else {
|
|
|
8f2528 |
pw = getpwnam(authorized_keys_command_user);
|
|
|
8f2528 |
if(pw == NULL) {
|
|
|
8f2528 |
- pamsshagentauth_logerror("authorized_keys_command_user \"%s\" not found: %s",
|
|
|
8f2528 |
+ error("authorized_keys_command_user \"%s\" not found: %s",
|
|
|
8f2528 |
authorized_keys_command_user, strerror(errno));
|
|
|
8f2528 |
return 0;
|
|
|
8f2528 |
}
|
|
|
8f2528 |
}
|
|
|
8f2528 |
|
|
|
8f2528 |
- pamsshagentauth_temporarily_use_uid(pw);
|
|
|
8f2528 |
+ temporarily_use_uid(pw);
|
|
|
8f2528 |
|
|
|
8f2528 |
if(stat(authorized_keys_command, &st) < 0) {
|
|
|
8f2528 |
- pamsshagentauth_logerror
|
|
|
8f2528 |
+ error
|
|
|
8f2528 |
("Could not stat AuthorizedKeysCommand \"%s\": %s",
|
|
|
8f2528 |
authorized_keys_command, strerror(errno));
|
|
|
8f2528 |
goto out;
|
|
|
8f2528 |
}
|
|
|
8f2528 |
if(pamsshagentauth_auth_secure_path
|
|
|
8f2528 |
(authorized_keys_command, &st, NULL, 0, errmsg, sizeof(errmsg)) != 0) {
|
|
|
8f2528 |
- pamsshagentauth_logerror("Unsafe AuthorizedKeysCommand: %s", errmsg);
|
|
|
8f2528 |
+ error("Unsafe AuthorizedKeysCommand: %s", errmsg);
|
|
|
8f2528 |
goto out;
|
|
|
8f2528 |
}
|
|
|
8f2528 |
|
|
|
8f2528 |
/* open the pipe and read the keys */
|
|
|
8f2528 |
if(pipe(p) != 0) {
|
|
|
8f2528 |
- pamsshagentauth_logerror("%s: pipe: %s", __func__, strerror(errno));
|
|
|
8f2528 |
+ error("%s: pipe: %s", __func__, strerror(errno));
|
|
|
8f2528 |
goto out;
|
|
|
8f2528 |
}
|
|
|
8f2528 |
|
|
|
8f2528 |
- pamsshagentauth_debug("Running AuthorizedKeysCommand: \"%s\" as \"%s\" with argument: \"%s\"",
|
|
|
8f2528 |
+ debug("Running AuthorizedKeysCommand: \"%s\" as \"%s\" with argument: \"%s\"",
|
|
|
8f2528 |
authorized_keys_command, pw->pw_name, username);
|
|
|
8f2528 |
|
|
|
8f2528 |
/*
|
|
|
8f2528 |
* Don't want to call this in the child, where it can fatal() and
|
|
|
8f2528 |
* run cleanup_exit() code.
|
|
|
8f2528 |
*/
|
|
|
8f2528 |
- pamsshagentauth_restore_uid();
|
|
|
8f2528 |
+ restore_uid();
|
|
|
8f2528 |
|
|
|
8f2528 |
switch ((pid = fork())) {
|
|
|
8f2528 |
case -1: /* error */
|
|
|
8f2528 |
- pamsshagentauth_logerror("%s: fork: %s", __func__, strerror(errno));
|
|
|
8f2528 |
+ error("%s: fork: %s", __func__, strerror(errno));
|
|
|
8f2528 |
close(p[0]);
|
|
|
8f2528 |
close(p[1]);
|
|
|
8f2528 |
return 0;
|
|
|
8f2528 |
@@ -234,13 +236,13 @@ pamsshagentauth_user_key_command_allowed
|
|
|
8f2528 |
|
|
|
8f2528 |
/* do this before the setresuid so thta they can be logged */
|
|
|
8f2528 |
if((devnull = open(_PATH_DEVNULL, O_RDWR)) == -1) {
|
|
|
8f2528 |
- pamsshagentauth_logerror("%s: open %s: %s", __func__, _PATH_DEVNULL,
|
|
|
8f2528 |
+ error("%s: open %s: %s", __func__, _PATH_DEVNULL,
|
|
|
8f2528 |
strerror(errno));
|
|
|
8f2528 |
_exit(1);
|
|
|
8f2528 |
}
|
|
|
8f2528 |
if(dup2(devnull, STDIN_FILENO) == -1 || dup2(p[1], STDOUT_FILENO) == -1
|
|
|
8f2528 |
|| dup2(devnull, STDERR_FILENO) == -1) {
|
|
|
8f2528 |
- pamsshagentauth_logerror("%s: dup2: %s", __func__, strerror(errno));
|
|
|
8f2528 |
+ error("%s: dup2: %s", __func__, strerror(errno));
|
|
|
8f2528 |
_exit(1);
|
|
|
8f2528 |
}
|
|
|
8f2528 |
#if defined(HAVE_SETRESGID) && !defined(BROKEN_SETRESGID)
|
|
|
8f2528 |
@@ -248,7 +250,7 @@ pamsshagentauth_user_key_command_allowed
|
|
|
8f2528 |
#else
|
|
|
8f2528 |
if (setgid(pw->pw_gid) != 0 || setegid(pw->pw_gid) != 0) {
|
|
|
8f2528 |
#endif
|
|
|
8f2528 |
- pamsshagentauth_logerror("setresgid %u: %s", (u_int) pw->pw_gid,
|
|
|
8f2528 |
+ error("setresgid %u: %s", (u_int) pw->pw_gid,
|
|
|
8f2528 |
strerror(errno));
|
|
|
8f2528 |
_exit(1);
|
|
|
8f2528 |
}
|
|
|
8f2528 |
@@ -258,7 +260,7 @@ pamsshagentauth_user_key_command_allowed
|
|
|
8f2528 |
#else
|
|
|
8f2528 |
if (setuid(pw->pw_uid) != 0 || seteuid(pw->pw_uid) != 0) {
|
|
|
8f2528 |
#endif
|
|
|
8f2528 |
- pamsshagentauth_logerror("setresuid %u: %s", (u_int) pw->pw_uid,
|
|
|
8f2528 |
+ error("setresuid %u: %s", (u_int) pw->pw_uid,
|
|
|
8f2528 |
strerror(errno));
|
|
|
8f2528 |
_exit(1);
|
|
|
8f2528 |
}
|
|
|
8f2528 |
@@ -270,18 +272,18 @@ pamsshagentauth_user_key_command_allowed
|
|
|
8f2528 |
|
|
|
8f2528 |
/* pretty sure this will barf because we are now suid, but since we
|
|
|
8f2528 |
should't reach this anyway, I'll leave it here */
|
|
|
8f2528 |
- pamsshagentauth_logerror("AuthorizedKeysCommand %s exec failed: %s",
|
|
|
8f2528 |
+ error("AuthorizedKeysCommand %s exec failed: %s",
|
|
|
8f2528 |
authorized_keys_command, strerror(errno));
|
|
|
8f2528 |
_exit(127);
|
|
|
8f2528 |
default: /* parent */
|
|
|
8f2528 |
break;
|
|
|
8f2528 |
}
|
|
|
8f2528 |
|
|
|
8f2528 |
- pamsshagentauth_temporarily_use_uid(pw);
|
|
|
8f2528 |
+ temporarily_use_uid(pw);
|
|
|
8f2528 |
|
|
|
8f2528 |
close(p[1]);
|
|
|
8f2528 |
if((f = fdopen(p[0], "r")) == NULL) {
|
|
|
8f2528 |
- pamsshagentauth_logerror("%s: fdopen: %s", __func__, strerror(errno));
|
|
|
8f2528 |
+ error("%s: fdopen: %s", __func__, strerror(errno));
|
|
|
8f2528 |
close(p[0]);
|
|
|
8f2528 |
/* Don't leave zombie child */
|
|
|
8f2528 |
while(waitpid(pid, NULL, 0) == -1 && errno == EINTR);
|
|
|
8f2528 |
@@ -292,22 +294,22 @@ pamsshagentauth_user_key_command_allowed
|
|
|
8f2528 |
|
|
|
8f2528 |
while(waitpid(pid, &status, 0) == -1) {
|
|
|
8f2528 |
if(errno != EINTR) {
|
|
|
8f2528 |
- pamsshagentauth_logerror("%s: waitpid: %s", __func__,
|
|
|
8f2528 |
+ error("%s: waitpid: %s", __func__,
|
|
|
8f2528 |
strerror(errno));
|
|
|
8f2528 |
goto out;
|
|
|
8f2528 |
}
|
|
|
8f2528 |
}
|
|
|
8f2528 |
if(WIFSIGNALED(status)) {
|
|
|
8f2528 |
- pamsshagentauth_logerror("AuthorizedKeysCommand %s exited on signal %d",
|
|
|
8f2528 |
+ error("AuthorizedKeysCommand %s exited on signal %d",
|
|
|
8f2528 |
authorized_keys_command, WTERMSIG(status));
|
|
|
8f2528 |
goto out;
|
|
|
8f2528 |
} else if(WEXITSTATUS(status) != 0) {
|
|
|
8f2528 |
- pamsshagentauth_logerror("AuthorizedKeysCommand %s returned status %d",
|
|
|
8f2528 |
+ error("AuthorizedKeysCommand %s returned status %d",
|
|
|
8f2528 |
authorized_keys_command, WEXITSTATUS(status));
|
|
|
8f2528 |
goto out;
|
|
|
8f2528 |
}
|
|
|
8f2528 |
found_key = ok;
|
|
|
8f2528 |
out:
|
|
|
8f2528 |
- pamsshagentauth_restore_uid();
|
|
|
8f2528 |
+ restore_uid();
|
|
|
8f2528 |
return found_key;
|
|
|
8f2528 |
}
|
|
|
8f2528 |
diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/secure_filename.c.psaa-agent openssh-7.4p1/pam_ssh_agent_auth-0.10.3/secure_filename.c
|
|
|
8f2528 |
--- openssh-7.4p1/pam_ssh_agent_auth-0.10.3/secure_filename.c.psaa-agent 2016-11-13 04:24:32.000000000 +0100
|
|
|
8f2528 |
+++ openssh-7.4p1/pam_ssh_agent_auth-0.10.3/secure_filename.c 2017-02-14 10:19:12.226071867 +0100
|
|
|
8f2528 |
@@ -80,7 +80,7 @@ pamsshagentauth_auth_secure_path(const c
|
|
|
8f2528 |
int comparehome = 0;
|
|
|
8f2528 |
struct stat st;
|
|
|
8f2528 |
|
|
|
8f2528 |
- pamsshagentauth_verbose("auth_secure_filename: checking for uid: %u", uid);
|
|
|
8f2528 |
+ verbose("auth_secure_filename: checking for uid: %u", uid);
|
|
|
8f2528 |
|
|
|
8f2528 |
if (realpath(name, buf) == NULL) {
|
|
|
8f2528 |
snprintf(err, errlen, "realpath %s failed: %s", name,
|
|
|
8f2528 |
@@ -115,9 +115,9 @@ pamsshagentauth_auth_secure_path(const c
|
|
|
8f2528 |
snprintf(err, errlen, "dirname() failed");
|
|
|
8f2528 |
return -1;
|
|
|
8f2528 |
}
|
|
|
8f2528 |
- pamsshagentauth_strlcpy(buf, cp, sizeof(buf));
|
|
|
8f2528 |
+ strlcpy(buf, cp, sizeof(buf));
|
|
|
8f2528 |
|
|
|
8f2528 |
- pamsshagentauth_verbose("secure_filename: checking '%s'", buf);
|
|
|
8f2528 |
+ verbose("secure_filename: checking '%s'", buf);
|
|
|
8f2528 |
if (stat(buf, &st) < 0 ||
|
|
|
8f2528 |
(st.st_uid != 0 && st.st_uid != uid) ||
|
|
|
8f2528 |
(st.st_mode & 022) != 0) {
|
|
|
8f2528 |
@@ -128,7 +128,7 @@ pamsshagentauth_auth_secure_path(const c
|
|
|
8f2528 |
|
|
|
8f2528 |
/* If are passed the homedir then we can stop */
|
|
|
8f2528 |
if (comparehome && strcmp(homedir, buf) == 0) {
|
|
|
8f2528 |
- pamsshagentauth_verbose("secure_filename: terminating check at '%s'",
|
|
|
8f2528 |
+ verbose("secure_filename: terminating check at '%s'",
|
|
|
8f2528 |
buf);
|
|
|
8f2528 |
break;
|
|
|
8f2528 |
}
|
|
|
8f2528 |
diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-agent openssh-7.4p1/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c
|
|
|
8f2528 |
--- openssh-7.4p1/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-agent 2017-02-14 10:19:12.224071868 +0100
|
|
|
8f2528 |
+++ openssh-7.4p1/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c 2017-02-14 10:19:12.226071867 +0100
|
|
|
8f2528 |
@@ -48,6 +48,8 @@
|
|
|
8f2528 |
#include "identity.h"
|
|
|
8f2528 |
#include "pam_user_authorized_keys.h"
|
|
|
8f2528 |
|
|
|
8f2528 |
+#define SSH2_MSG_USERAUTH_TRUST_REQUEST 54
|
|
|
8f2528 |
+
|
|
|
8f2528 |
/* extern u_char *session_id2;
|
|
|
8f2528 |
extern uint8_t session_id_len;
|
|
|
8f2528 |
*/
|
|
|
8f2528 |
@@ -58,40 +60,41 @@ userauth_pubkey_from_id(const char *ruse
|
|
|
8f2528 |
Buffer b = { 0 };
|
|
|
8f2528 |
char *pkalg = NULL;
|
|
|
8f2528 |
u_char *pkblob = NULL, *sig = NULL;
|
|
|
8f2528 |
- u_int blen = 0, slen = 0;
|
|
|
8f2528 |
+ u_int blen = 0;
|
|
|
8f2528 |
+ size_t slen = 0;
|
|
|
8f2528 |
int authenticated = 0;
|
|
|
8f2528 |
|
|
|
8f2528 |
pkalg = (char *) key_ssh_name(id->key);
|
|
|
8f2528 |
|
|
|
8f2528 |
+ /* construct packet to sign and test */
|
|
|
8f2528 |
+ buffer_init(&b);
|
|
|
8f2528 |
+
|
|
|
8f2528 |
/* first test if this key is even allowed */
|
|
|
8f2528 |
if(! pam_user_key_allowed(ruser, id->key))
|
|
|
8f2528 |
goto user_auth_clean_exit;
|
|
|
8f2528 |
|
|
|
8f2528 |
- if(pamsshagentauth_key_to_blob(id->key, &pkblob, &blen) == 0)
|
|
|
8f2528 |
+ if(key_to_blob(id->key, &pkblob, &blen) == 0)
|
|
|
8f2528 |
goto user_auth_clean_exit;
|
|
|
8f2528 |
|
|
|
8f2528 |
- /* construct packet to sign and test */
|
|
|
8f2528 |
- pamsshagentauth_buffer_init(&b);
|
|
|
8f2528 |
-
|
|
|
8f2528 |
- pamsshagentauth_buffer_put_string(&b, session_id2->buf + session_id2->offset, session_id2->end - session_id2->offset);
|
|
|
8f2528 |
- pamsshagentauth_buffer_put_char(&b, SSH2_MSG_USERAUTH_TRUST_REQUEST);
|
|
|
8f2528 |
- pamsshagentauth_buffer_put_cstring(&b, ruser);
|
|
|
8f2528 |
- pamsshagentauth_buffer_put_cstring(&b, "pam_ssh_agent_auth");
|
|
|
8f2528 |
- pamsshagentauth_buffer_put_cstring(&b, "publickey");
|
|
|
8f2528 |
- pamsshagentauth_buffer_put_char(&b, 1);
|
|
|
8f2528 |
- pamsshagentauth_buffer_put_cstring(&b, pkalg);
|
|
|
8f2528 |
- pamsshagentauth_buffer_put_string(&b, pkblob, blen);
|
|
|
8f2528 |
+ buffer_put_string(&b, sshbuf_ptr(session_id2), sshbuf_len(session_id2));
|
|
|
8f2528 |
+ buffer_put_char(&b, SSH2_MSG_USERAUTH_TRUST_REQUEST);
|
|
|
8f2528 |
+ buffer_put_cstring(&b, ruser);
|
|
|
8f2528 |
+ buffer_put_cstring(&b, "pam_ssh_agent_auth");
|
|
|
8f2528 |
+ buffer_put_cstring(&b, "publickey");
|
|
|
8f2528 |
+ buffer_put_char(&b, 1);
|
|
|
8f2528 |
+ buffer_put_cstring(&b, pkalg);
|
|
|
8f2528 |
+ buffer_put_string(&b, pkblob, blen);
|
|
|
8f2528 |
|
|
|
8f2528 |
- if(ssh_agent_sign(id->ac, id->key, &sig, &slen, pamsshagentauth_buffer_ptr(&b), pamsshagentauth_buffer_len(&b)) != 0)
|
|
|
8f2528 |
+ if(ssh_agent_sign(id->ac->fd, id->key, &sig, &slen, buffer_ptr(&b), buffer_len(&b), NULL, 0) != 0)
|
|
|
8f2528 |
goto user_auth_clean_exit;
|
|
|
8f2528 |
|
|
|
8f2528 |
/* test for correct signature */
|
|
|
8f2528 |
- if(pamsshagentauth_key_verify(id->key, sig, slen, pamsshagentauth_buffer_ptr(&b), pamsshagentauth_buffer_len(&b)) == 1)
|
|
|
8f2528 |
+ if(key_verify(id->key, sig, slen, buffer_ptr(&b), buffer_len(&b)) == 1)
|
|
|
8f2528 |
authenticated = 1;
|
|
|
8f2528 |
|
|
|
8f2528 |
user_auth_clean_exit:
|
|
|
8f2528 |
/* if(&b != NULL) */
|
|
|
8f2528 |
- pamsshagentauth_buffer_free(&b);
|
|
|
8f2528 |
+ buffer_free(&b);
|
|
|
8f2528 |
if(sig != NULL)
|
|
|
8f2528 |
free(sig);
|
|
|
8f2528 |
if(pkblob != NULL)
|