|
 |
9070b3 |
diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
|
|
|
9070b3 |
index 413b845..54dd383 100644
|
|
|
9070b3 |
--- a/gss-serv-krb5.c
|
|
|
9070b3 |
+++ b/gss-serv-krb5.c
|
|
|
9070b3 |
@@ -32,7 +32,9 @@
|
|
|
9070b3 |
#include <sys/types.h>
|
|
|
9070b3 |
|
|
|
9070b3 |
#include <stdarg.h>
|
|
|
9070b3 |
+#include <stdio.h>
|
|
|
9070b3 |
#include <string.h>
|
|
|
9070b3 |
+#include <unistd.h>
|
|
|
9070b3 |
|
|
|
9070b3 |
#include "xmalloc.h"
|
|
|
9070b3 |
#include "sshkey.h"
|
|
|
9070b3 |
@@ -45,6 +47,7 @@
|
|
|
9070b3 |
|
|
|
9070b3 |
#include "ssh-gss.h"
|
|
|
9070b3 |
|
|
|
9070b3 |
+extern Authctxt *the_authctxt;
|
|
|
9070b3 |
extern ServerOptions options;
|
|
|
9070b3 |
|
|
|
9070b3 |
#ifdef HEIMDAL
|
|
|
9070b3 |
@@ -56,6 +59,13 @@ extern ServerOptions options;
|
|
|
9070b3 |
# include <gssapi/gssapi_krb5.h>
|
|
|
9070b3 |
#endif
|
|
|
9070b3 |
|
|
|
9070b3 |
+/* all commands are allowed by default */
|
|
|
9070b3 |
+char **k5users_allowed_cmds = NULL;
|
|
|
9070b3 |
+
|
|
|
9070b3 |
+static int ssh_gssapi_k5login_exists();
|
|
|
9070b3 |
+static int ssh_gssapi_krb5_cmdok(krb5_principal, const char *, const char *,
|
|
|
9070b3 |
+ int);
|
|
|
9070b3 |
+
|
|
|
9070b3 |
static krb5_context krb_context = NULL;
|
|
|
9070b3 |
|
|
|
9070b3 |
/* Initialise the krb5 library, for the stuff that GSSAPI won't do */
|
|
|
9070b3 |
@@ -88,6 +98,7 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
|
|
|
9070b3 |
krb5_principal princ;
|
|
|
9070b3 |
int retval;
|
|
|
9070b3 |
const char *errmsg;
|
|
|
9070b3 |
+ int k5login_exists;
|
|
|
9070b3 |
|
|
|
9070b3 |
if (ssh_gssapi_krb5_init() == 0)
|
|
|
9070b3 |
return 0;
|
|
|
9070b3 |
@@ -99,10 +110,22 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
|
|
|
9070b3 |
krb5_free_error_message(krb_context, errmsg);
|
|
|
9070b3 |
return 0;
|
|
|
9070b3 |
}
|
|
|
9070b3 |
- if (krb5_kuserok(krb_context, princ, name)) {
|
|
|
9070b3 |
+ /* krb5_kuserok() returns 1 if .k5login DNE and this is self-login.
|
|
|
9070b3 |
+ * We have to make sure to check .k5users in that case. */
|
|
|
9070b3 |
+ k5login_exists = ssh_gssapi_k5login_exists();
|
|
|
9070b3 |
+ /* NOTE: .k5login and .k5users must opened as root, not the user,
|
|
|
9070b3 |
+ * because if they are on a krb5-protected filesystem, user credentials
|
|
|
9070b3 |
+ * to access these files aren't available yet. */
|
|
|
9070b3 |
+ if (krb5_kuserok(krb_context, princ, name) && k5login_exists) {
|
|
|
9070b3 |
retval = 1;
|
|
|
9070b3 |
logit("Authorized to %s, krb5 principal %s (krb5_kuserok)",
|
|
|
9070b3 |
name, (char *)client->displayname.value);
|
|
|
9070b3 |
+ } else if (ssh_gssapi_krb5_cmdok(princ, client->exportedname.value,
|
|
|
9070b3 |
+ name, k5login_exists)) {
|
|
|
9070b3 |
+ retval = 1;
|
|
|
9070b3 |
+ logit("Authorized to %s, krb5 principal %s "
|
|
|
9070b3 |
+ "(ssh_gssapi_krb5_cmdok)",
|
|
|
9070b3 |
+ name, (char *)client->displayname.value);
|
|
|
9070b3 |
} else
|
|
|
9070b3 |
retval = 0;
|
|
|
9070b3 |
|
|
|
9070b3 |
@@ -110,6 +133,137 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
|
|
|
9070b3 |
return retval;
|
|
|
9070b3 |
}
|
|
|
9070b3 |
|
|
|
9070b3 |
+/* Test for existence of .k5login.
|
|
|
9070b3 |
+ * We need this as part of our .k5users check, because krb5_kuserok()
|
|
|
9070b3 |
+ * returns success if .k5login DNE and user is logging in as himself.
|
|
|
9070b3 |
+ * With .k5login absent and .k5users present, we don't want absence
|
|
|
9070b3 |
+ * of .k5login to authorize self-login. (absence of both is required)
|
|
|
9070b3 |
+ * Returns 1 if .k5login is available, 0 otherwise.
|
|
|
9070b3 |
+ */
|
|
|
9070b3 |
+static int
|
|
|
9070b3 |
+ssh_gssapi_k5login_exists()
|
|
|
9070b3 |
+{
|
|
|
9070b3 |
+ char file[MAXPATHLEN];
|
|
|
9070b3 |
+ struct passwd *pw = the_authctxt->pw;
|
|
|
9070b3 |
+
|
|
|
9070b3 |
+ snprintf(file, sizeof(file), "%s/.k5login", pw->pw_dir);
|
|
|
9070b3 |
+ return access(file, F_OK) == 0;
|
|
|
9070b3 |
+}
|
|
|
9070b3 |
+
|
|
|
9070b3 |
+/* check .k5users for login or command authorization
|
|
|
9070b3 |
+ * Returns 1 if principal is authorized, 0 otherwise.
|
|
|
9070b3 |
+ * If principal is authorized, (global) k5users_allowed_cmds may be populated.
|
|
|
9070b3 |
+ */
|
|
|
9070b3 |
+static int
|
|
|
9070b3 |
+ssh_gssapi_krb5_cmdok(krb5_principal principal, const char *name,
|
|
|
9070b3 |
+ const char *luser, int k5login_exists)
|
|
|
9070b3 |
+{
|
|
|
9070b3 |
+ FILE *fp;
|
|
|
9070b3 |
+ char file[MAXPATHLEN];
|
|
|
9070b3 |
+ char *line = NULL;
|
|
|
9070b3 |
+ char kuser[65]; /* match krb5_kuserok() */
|
|
|
9070b3 |
+ struct stat st;
|
|
|
9070b3 |
+ struct passwd *pw = the_authctxt->pw;
|
|
|
9070b3 |
+ int found_principal = 0;
|
|
|
9070b3 |
+ int ncommands = 0, allcommands = 0;
|
|
|
9070b3 |
+ u_long linenum = 0;
|
|
|
9070b3 |
+ size_t linesize = 0;
|
|
|
9070b3 |
+
|
|
|
9070b3 |
+ snprintf(file, sizeof(file), "%s/.k5users", pw->pw_dir);
|
|
|
9070b3 |
+ /* If both .k5login and .k5users DNE, self-login is ok. */
|
|
|
9070b3 |
+ if (!k5login_exists && (access(file, F_OK) == -1)) {
|
|
|
9070b3 |
+ return (krb5_aname_to_localname(krb_context, principal,
|
|
|
9070b3 |
+ sizeof(kuser), kuser) == 0) &&
|
|
|
9070b3 |
+ (strcmp(kuser, luser) == 0);
|
|
|
9070b3 |
+ }
|
|
|
9070b3 |
+ if ((fp = fopen(file, "r")) == NULL) {
|
|
|
9070b3 |
+ int saved_errno = errno;
|
|
|
9070b3 |
+ /* 2nd access check to ease debugging if file perms are wrong.
|
|
|
9070b3 |
+ * But we don't want to report this if .k5users simply DNE. */
|
|
|
9070b3 |
+ if (access(file, F_OK) == 0) {
|
|
|
9070b3 |
+ logit("User %s fopen %s failed: %s",
|
|
|
9070b3 |
+ pw->pw_name, file, strerror(saved_errno));
|
|
|
9070b3 |
+ }
|
|
|
9070b3 |
+ return 0;
|
|
|
9070b3 |
+ }
|
|
|
9070b3 |
+ /* .k5users must be owned either by the user or by root */
|
|
|
9070b3 |
+ if (fstat(fileno(fp), &st) == -1) {
|
|
|
9070b3 |
+ /* can happen, but very wierd error so report it */
|
|
|
9070b3 |
+ logit("User %s fstat %s failed: %s",
|
|
|
9070b3 |
+ pw->pw_name, file, strerror(errno));
|
|
|
9070b3 |
+ fclose(fp);
|
|
|
9070b3 |
+ return 0;
|
|
|
9070b3 |
+ }
|
|
|
9070b3 |
+ if (!(st.st_uid == pw->pw_uid || st.st_uid == 0)) {
|
|
|
9070b3 |
+ logit("User %s %s is not owned by root or user",
|
|
|
9070b3 |
+ pw->pw_name, file);
|
|
|
9070b3 |
+ fclose(fp);
|
|
|
9070b3 |
+ return 0;
|
|
|
9070b3 |
+ }
|
|
|
9070b3 |
+ /* .k5users must be a regular file. krb5_kuserok() doesn't do this
|
|
|
9070b3 |
+ * check, but we don't want to be deficient if they add a check. */
|
|
|
9070b3 |
+ if (!S_ISREG(st.st_mode)) {
|
|
|
9070b3 |
+ logit("User %s %s is not a regular file", pw->pw_name, file);
|
|
|
9070b3 |
+ fclose(fp);
|
|
|
9070b3 |
+ return 0;
|
|
|
9070b3 |
+ }
|
|
|
9070b3 |
+ /* file exists; initialize k5users_allowed_cmds (to none!) */
|
|
|
9070b3 |
+ k5users_allowed_cmds = xcalloc(++ncommands,
|
|
|
9070b3 |
+ sizeof(*k5users_allowed_cmds));
|
|
|
9070b3 |
+
|
|
|
9070b3 |
+ /* Check each line. ksu allows unlimited length lines. */
|
|
|
9070b3 |
+ while (!allcommands && getline(&line, &linesize, fp) != -1) {
|
|
|
9070b3 |
+ linenum++;
|
|
|
9070b3 |
+ char *token;
|
|
|
9070b3 |
+
|
|
|
9070b3 |
+ /* we parse just like ksu, even though we could do better */
|
|
|
9070b3 |
+ if ((token = strtok(line, " \t\n")) == NULL)
|
|
|
9070b3 |
+ continue;
|
|
|
9070b3 |
+ if (strcmp(name, token) == 0) {
|
|
|
9070b3 |
+ /* we matched on client principal */
|
|
|
9070b3 |
+ found_principal = 1;
|
|
|
9070b3 |
+ if ((token = strtok(NULL, " \t\n")) == NULL) {
|
|
|
9070b3 |
+ /* only shell is allowed */
|
|
|
9070b3 |
+ k5users_allowed_cmds[ncommands-1] =
|
|
|
9070b3 |
+ xstrdup(pw->pw_shell);
|
|
|
9070b3 |
+ k5users_allowed_cmds =
|
|
|
9070b3 |
+ xreallocarray(k5users_allowed_cmds, ++ncommands,
|
|
|
9070b3 |
+ sizeof(*k5users_allowed_cmds));
|
|
|
9070b3 |
+ break;
|
|
|
9070b3 |
+ }
|
|
|
9070b3 |
+ /* process the allowed commands */
|
|
|
9070b3 |
+ while (token) {
|
|
|
9070b3 |
+ if (strcmp(token, "*") == 0) {
|
|
|
9070b3 |
+ allcommands = 1;
|
|
|
9070b3 |
+ break;
|
|
|
9070b3 |
+ }
|
|
|
9070b3 |
+ k5users_allowed_cmds[ncommands-1] =
|
|
|
9070b3 |
+ xstrdup(token);
|
|
|
9070b3 |
+ k5users_allowed_cmds =
|
|
|
9070b3 |
+ xreallocarray(k5users_allowed_cmds, ++ncommands,
|
|
|
9070b3 |
+ sizeof(*k5users_allowed_cmds));
|
|
|
9070b3 |
+ token = strtok(NULL, " \t\n");
|
|
|
9070b3 |
+ }
|
|
|
9070b3 |
+ }
|
|
|
9070b3 |
+ }
|
|
|
9070b3 |
+ free(line);
|
|
|
9070b3 |
+ if (k5users_allowed_cmds) {
|
|
|
9070b3 |
+ /* terminate vector */
|
|
|
9070b3 |
+ k5users_allowed_cmds[ncommands-1] = NULL;
|
|
|
9070b3 |
+ /* if all commands are allowed, free vector */
|
|
|
9070b3 |
+ if (allcommands) {
|
|
|
9070b3 |
+ int i;
|
|
|
9070b3 |
+ for (i = 0; i < ncommands; i++) {
|
|
|
9070b3 |
+ free(k5users_allowed_cmds[i]);
|
|
|
9070b3 |
+ }
|
|
|
9070b3 |
+ free(k5users_allowed_cmds);
|
|
|
9070b3 |
+ k5users_allowed_cmds = NULL;
|
|
|
9070b3 |
+ }
|
|
|
9070b3 |
+ }
|
|
|
9070b3 |
+ fclose(fp);
|
|
|
9070b3 |
+ return found_principal;
|
|
|
9070b3 |
+}
|
|
|
9070b3 |
+
|
|
|
9070b3 |
|
|
|
9070b3 |
/* This writes out any forwarded credentials from the structure populated
|
|
|
9070b3 |
* during userauth. Called after we have setuid to the user */
|
|
|
9070b3 |
diff --git a/session.c b/session.c
|
|
|
9070b3 |
index 28659ec..9c94d8e 100644
|
|
|
9070b3 |
--- a/session.c
|
|
|
9070b3 |
+++ b/session.c
|
|
|
9070b3 |
@@ -789,6 +789,29 @@ do_exec(Session *s, const char *command)
|
|
|
9070b3 |
command = auth_opts->force_command;
|
|
|
9070b3 |
forced = "(key-option)";
|
|
|
9070b3 |
}
|
|
|
9070b3 |
+#ifdef GSSAPI
|
|
|
9070b3 |
+#ifdef KRB5 /* k5users_allowed_cmds only available w/ GSSAPI+KRB5 */
|
|
|
9070b3 |
+ else if (k5users_allowed_cmds) {
|
|
|
9070b3 |
+ const char *match = command;
|
|
|
9070b3 |
+ int allowed = 0, i = 0;
|
|
|
9070b3 |
+
|
|
|
9070b3 |
+ if (!match)
|
|
|
9070b3 |
+ match = s->pw->pw_shell;
|
|
|
9070b3 |
+ while (k5users_allowed_cmds[i]) {
|
|
|
9070b3 |
+ if (strcmp(match, k5users_allowed_cmds[i++]) == 0) {
|
|
|
9070b3 |
+ debug("Allowed command '%.900s'", match);
|
|
|
9070b3 |
+ allowed = 1;
|
|
|
9070b3 |
+ break;
|
|
|
9070b3 |
+ }
|
|
|
9070b3 |
+ }
|
|
|
9070b3 |
+ if (!allowed) {
|
|
|
9070b3 |
+ debug("command '%.900s' not allowed", match);
|
|
|
9070b3 |
+ return 1;
|
|
|
9070b3 |
+ }
|
|
|
9070b3 |
+ }
|
|
|
9070b3 |
+#endif
|
|
|
9070b3 |
+#endif
|
|
|
9070b3 |
+
|
|
|
9070b3 |
s->forced = 0;
|
|
|
9070b3 |
if (forced != NULL) {
|
|
|
9070b3 |
s->forced = 1;
|
|
|
9070b3 |
diff --git a/ssh-gss.h b/ssh-gss.h
|
|
|
9070b3 |
index 0374c88..509109a 100644
|
|
|
9070b3 |
--- a/ssh-gss.h
|
|
|
9070b3 |
+++ b/ssh-gss.h
|
|
|
9070b3 |
@@ -49,6 +49,10 @@
|
|
|
9070b3 |
# endif /* !HAVE_DECL_GSS_C_NT_... */
|
|
|
9070b3 |
|
|
|
9070b3 |
# endif /* !HEIMDAL */
|
|
|
9070b3 |
+
|
|
|
9070b3 |
+/* .k5users support */
|
|
|
9070b3 |
+extern char **k5users_allowed_cmds;
|
|
|
9070b3 |
+
|
|
|
9070b3 |
#endif /* KRB5 */
|
|
|
9070b3 |
|
|
|
9070b3 |
/* draft-ietf-secsh-gsskeyex-06 */
|
|
|
9070b3 |
diff --git a/sshd.8 b/sshd.8
|
|
|
9070b3 |
index adcaaf9..824163b 100644
|
|
|
9070b3 |
--- a/sshd.8
|
|
|
9070b3 |
+++ b/sshd.8
|
|
|
9070b3 |
@@ -324,6 +324,7 @@ Finally, the server and the client enter an authentication dialog.
|
|
|
9070b3 |
The client tries to authenticate itself using
|
|
|
9070b3 |
host-based authentication,
|
|
|
9070b3 |
public key authentication,
|
|
|
9070b3 |
+GSSAPI authentication,
|
|
|
9070b3 |
challenge-response authentication,
|
|
|
9070b3 |
or password authentication.
|
|
|
9070b3 |
.Pp
|
|
|
9070b3 |
@@ -800,6 +801,12 @@ This file is used in exactly the same way as
|
|
|
9070b3 |
but allows host-based authentication without permitting login with
|
|
|
9070b3 |
rlogin/rsh.
|
|
|
9070b3 |
.Pp
|
|
|
9070b3 |
+.It Pa ~/.k5login
|
|
|
9070b3 |
+.It Pa ~/.k5users
|
|
|
9070b3 |
+These files enforce GSSAPI/Kerberos authentication access control.
|
|
|
9070b3 |
+Further details are described in
|
|
|
9070b3 |
+.Xr ksu 1 .
|
|
|
9070b3 |
+.Pp
|
|
|
9070b3 |
.It Pa ~/.ssh/
|
|
|
9070b3 |
This directory is the default location for all user-specific configuration
|
|
|
9070b3 |
and authentication information.
|