vishalmishra434 / rpms / openssh

Forked from rpms/openssh a month ago
Clone
Source Code
GIT

Blame openssh-5.6p1-authorized-keys-command.patch

c10s-sig-hyperscale c10s-sig-hyperscale-2 c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8 c8-beta c8s c8s-sig-hyperscale c9 c9-beta c9s-sig-hyperscale
  1.   bb5eb00d2d90f9d9ff17c7d4392927cd1c07d507
  2.   openssh-5.6p1-authorized-keys-command.patch
Blob History Raw
Jan F. Chadima 1b8a26 
diff -up openssh-5.6p1/auth2-pubkey.c.akc openssh-5.6p1/auth2-pubkey.c
Jan F. Chadima c6801b 
--- openssh-5.6p1/auth2-pubkey.c.akc	2010-09-03 15:24:51.000000000 +0200
Jan F. Chadima c6801b 
+++ openssh-5.6p1/auth2-pubkey.c	2010-09-03 15:24:51.000000000 +0200
Jan F. Chadima 7818e5 
@@ -27,6 +27,7 @@
Jan F. Chadima 7818e5
Jan F. Chadima 7818e5 
 #include <sys/types.h>
Jan F. Chadima 7818e5 
 #include <sys/stat.h>
Jan F. Chadima 7818e5 
+#include <sys/wait.h>
Jan F. Chadima 7818e5
Jan F. Chadima 7818e5 
 #include <fcntl.h>
Jan F. Chadima 7818e5 
 #include <pwd.h>
Jan F. Chadima 1b8a26 
@@ -264,27 +265,15 @@ match_principals_file(char *file, struct
Jan F. Chadima 7818e5
Jan F. Chadima 7818e5 
 /* return 1 if user allows given key */
Jan F. Chadima 7818e5 
 static int
Jan F. Chadima 7818e5 
-user_key_allowed2(struct passwd *pw, Key *key, char *file)
Jan F. Chadima 7818e5 
+user_search_key_in_file(FILE *f, char *file, Key* key, struct passwd *pw)
Jan F. Chadima 7818e5 
 {
Jan F. Chadima 7818e5 
 	char line[SSH_MAX_PUBKEY_BYTES];
Jan F. Chadima 7818e5 
 	const char *reason;
Jan F. Chadima 7818e5 
 	int found_key = 0;
Jan F. Chadima 7818e5 
-	FILE *f;
Jan F. Chadima 7818e5 
 	u_long linenum = 0;
Jan F. Chadima 7818e5 
 	Key *found;
Jan F. Chadima 7818e5 
 	char *fp;
Jan F. Chadima 7818e5
Jan F. Chadima 7818e5 
-	/* Temporarily use the user's uid. */
Jan F. Chadima 7818e5 
-	temporarily_use_uid(pw);
Jan F. Chadima 7818e5 
-
Jan F. Chadima 7818e5 
-	debug("trying public key file %s", file);
Jan F. Chadima 7818e5 
-	f = auth_openkeyfile(file, pw, options.strict_modes);
Jan F. Chadima 7818e5 
-
Jan F. Chadima 7818e5 
-	if (!f) {
Jan F. Chadima 7818e5 
-		restore_uid();
Jan F. Chadima 7818e5 
-		return 0;
Jan F. Chadima 7818e5 
-	}
Jan F. Chadima 7818e5 
-
Jan F. Chadima 7818e5 
 	found_key = 0;
Jan F. Chadima 7818e5 
 	found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);
Jan F. Chadima 7818e5
Jan F. Chadima 1b8a26 
@@ -377,8 +366,6 @@ user_key_allowed2(struct passwd *pw, Key
Jan F. Chadima 7818e5 
 			break;
Jan F. Chadima 7818e5 
 		}
Jan F. Chadima 7818e5 
 	}
Jan F. Chadima 7818e5 
-	restore_uid();
Jan F. Chadima 7818e5 
-	fclose(f);
Jan F. Chadima 7818e5 
 	key_free(found);
Jan F. Chadima 7818e5 
 	if (!found_key)
Jan F. Chadima 7818e5 
 		debug2("key not found");
Jan F. Chadima 1b8a26 
@@ -440,13 +427,191 @@ user_cert_trusted_ca(struct passwd *pw,
Jan F. Chadima 7818e5 
 	return ret;
Jan F. Chadima 7818e5 
 }
Jan F. Chadima 7818e5
Jan F. Chadima 7818e5 
-/* check whether given key is in .ssh/authorized_keys* */
Jan F. Chadima 7818e5 
+/* return 1 if user allows given key */
Jan F. Chadima 7818e5 
+static int
Jan F. Chadima 7818e5 
+user_key_allowed2(struct passwd *pw, Key *key, char *file)
Jan F. Chadima 7818e5 
+{
Jan F. Chadima 7818e5 
+	FILE *f;
Jan F. Chadima 7818e5 
+	int found_key = 0;
Jan F. Chadima 7818e5 
+
Jan F. Chadima 7818e5 
+	/* Temporarily use the user's uid. */
Jan F. Chadima 7818e5 
+	temporarily_use_uid(pw);
Jan F. Chadima 7818e5 
+
Jan F. Chadima 7818e5 
+	debug("trying public key file %s", file);
Jan F. Chadima 7818e5 
+	f = auth_openkeyfile(file, pw, options.strict_modes);
Jan F. Chadima 7818e5 
+
Jan F. Chadima 7818e5 
+ 	if (f) {
Jan F. Chadima 7818e5 
+ 		found_key = user_search_key_in_file (f, file, key, pw);
Jan F. Chadima 7818e5 
+		fclose(f);
Jan F. Chadima 7818e5 
+	}
Jan F. Chadima 7818e5 
+
Jan F. Chadima 7818e5 
+	restore_uid();
Jan F. Chadima 7818e5 
+	return found_key;
Jan F. Chadima 7818e5 
+}
Jan F. Chadima 7818e5 
+
Jan F. Chadima 7818e5 
+#ifdef WITH_AUTHORIZED_KEYS_COMMAND
Jan F. Chadima 7818e5 
+
Jan F. Chadima 7818e5 
+#define WHITESPACE " \t\r\n"
Jan F. Chadima 7818e5 
+
Jan F. Chadima 7818e5 
+/* return 1 if user allows given key */
Jan F. Chadima 7818e5 
+static int
Jan F. Chadima 7818e5 
+user_key_via_command_allowed2(struct passwd *pw, Key *key)
Jan F. Chadima 7818e5 
+{
Jan F. Chadima 7818e5 
+	FILE *f;
Jan F. Chadima 7818e5 
+	int found_key = 0;
Jan F. Chadima 7818e5 
+	char *progname = NULL;
Jan F. Chadima 7818e5 
+	char *cp;
Jan F. Chadima 7818e5 
+	struct passwd *runas_pw;
Jan F. Chadima 7818e5 
+	struct stat st;
Jan F. Chadima 7818e5 
+	int childdescriptors[2], i;
Jan F. Chadima 7818e5 
+	pid_t pstat, pid, child;
Jan F. Chadima 7818e5 
+
Jan F. Chadima 7818e5 
+	if (options.authorized_keys_command == NULL || options.authorized_keys_command[0] != '/')
Jan F. Chadima 7818e5 
+		return -1;
Jan F. Chadima 7818e5 
+
Jan F. Chadima 7818e5 
+	/* get the run as identity from config */
Jan F. Chadima 7818e5 
+	runas_pw = (options.authorized_keys_command_runas == NULL)? pw
Jan F. Chadima 7818e5 
+	    : getpwnam (options.authorized_keys_command_runas);
Jan F. Chadima 7818e5 
+	if (!runas_pw) {
Jan F. Chadima 7818e5 
+		error("%s: getpwnam(\"%s\"): %s", __func__,
Jan F. Chadima 7818e5 
+		    options.authorized_keys_command_runas, strerror(errno));
Jan F. Chadima 7818e5 
+		return 0;
Jan F. Chadima 7818e5 
+	}
Jan F. Chadima 7818e5 
+
Jan F. Chadima 7818e5 
+	/* Temporarily use the specified uid. */
Jan F. Chadima 7818e5 
+	if (runas_pw->pw_uid != 0)
Jan F. Chadima 7818e5 
+		temporarily_use_uid(runas_pw);
Jan F. Chadima 7818e5 
+
Jan F. Chadima 7818e5 
+	progname = xstrdup(options.authorized_keys_command);
Jan F. Chadima 7818e5 
+
Jan F. Chadima 7818e5 
+	debug3("%s: checking program '%s'", __func__, progname);
Jan F. Chadima 7818e5 
+
Jan F. Chadima 7818e5 
+	if (stat (progname, &st) < 0) {
Jan F. Chadima 7818e5 
+		error("%s: stat(\"%s\"): %s", __func__,
Jan F. Chadima 7818e5 
+		    progname, strerror(errno));
Jan F. Chadima 7818e5 
+		goto go_away;
Jan F. Chadima 7818e5 
+	}
Jan F. Chadima 7818e5 
+
Jan F. Chadima 7818e5 
+	if (st.st_uid != 0 || (st.st_mode & 022) != 0) {
Jan F. Chadima 7818e5 
+		error("bad ownership or modes for AuthorizedKeysCommand \"%s\"",
Jan F. Chadima 7818e5 
+		    progname);
Jan F. Chadima 7818e5 
+		goto go_away;
Jan F. Chadima 7818e5 
+	}
Jan F. Chadima 7818e5 
+
Jan F. Chadima 7818e5 
+	if (!S_ISREG(st.st_mode)) {
Jan F. Chadima 7818e5 
+		error("AuthorizedKeysCommand \"%s\" is not a regular file",
Jan F. Chadima 7818e5 
+		    progname);
Jan F. Chadima 7818e5 
+		goto go_away;
Jan F. Chadima 7818e5 
+	}
Jan F. Chadima 7818e5 
+
Jan F. Chadima 7818e5 
+	/*
Jan F. Chadima 7818e5 
+	 * Descend the path, checking that each component is a
Jan F. Chadima 7818e5 
+	 * root-owned directory with strict permissions.
Jan F. Chadima 7818e5 
+	 */
Jan F. Chadima 7818e5 
+	do {
Jan F. Chadima 7818e5 
+		if ((cp = strrchr(progname, '/')) == NULL)
Jan F. Chadima 7818e5 
+			break;
Jan F. Chadima 7818e5 
+		else
Jan F. Chadima 7818e5 
+			*cp = '\0';
Jan F. Chadima 7818e5 
+
Jan F. Chadima 7818e5 
+		debug3("%s: checking component '%s'", __func__, (*progname == '\0' ? "/" : progname));
Jan F. Chadima 7818e5 
+
Jan F. Chadima 7818e5 
+		if (stat((*progname == '\0' ? "/" : progname), &st) != 0) {
Jan F. Chadima 7818e5 
+			error("%s: stat(\"%s\"): %s", __func__,
Jan F. Chadima 7818e5 
+			    progname, strerror(errno));
Jan F. Chadima 7818e5 
+			goto go_away;
Jan F. Chadima 7818e5 
+		}
Jan F. Chadima 7818e5 
+		if (st.st_uid != 0 || (st.st_mode & 022) != 0) {
Jan F. Chadima 7818e5 
+			error("bad ownership or modes for AuthorizedKeysCommand path component \"%s\"",
Jan F. Chadima 7818e5 
+			    progname);
Jan F. Chadima 7818e5 
+			goto go_away;
Jan F. Chadima 7818e5 
+		}
Jan F. Chadima 7818e5 
+		if (!S_ISDIR(st.st_mode)) {
Jan F. Chadima 7818e5 
+			error("AuthorizedKeysCommand path component \"%s\" is not a directory",
Jan F. Chadima 7818e5 
+			    progname);
Jan F. Chadima 7818e5 
+			goto go_away;
Jan F. Chadima 7818e5 
+		}
Jan F. Chadima 7818e5 
+	} while (1);
Jan F. Chadima 7818e5 
+
Jan F. Chadima 7818e5 
+	/* open the pipe and read the keys */
Jan F. Chadima 7818e5 
+	if (pipe(childdescriptors)) {
Jan F. Chadima 7818e5 
+		error("failed to pipe(2) for AuthorizedKeysCommand: %s",
Jan F. Chadima 7818e5 
+		    strerror(errno));
Jan F. Chadima 7818e5 
+		goto go_away;
Jan F. Chadima 7818e5 
+	}
Jan F. Chadima 7818e5 
+
Jan F. Chadima 7818e5 
+	child = fork();
Jan F. Chadima 7818e5 
+	if (child == -1) {
Jan F. Chadima 7818e5 
+		error("failed to fork(2) for AuthorizedKeysCommand: %s",
Jan F. Chadima 7818e5 
+		    strerror(errno));
Jan F. Chadima 7818e5 
+		goto go_away;
Jan F. Chadima 7818e5 
+	} else if (child == 0) {
Jan F. Chadima 7818e5 
+		/* we're in the child process here -- we should never return from this block. */
Jan F. Chadima 7818e5 
+		/* permanently drop privs in child process */
Jan F. Chadima 7818e5 
+		if (runas_pw->pw_uid != 0) {
Jan F. Chadima 7818e5 
+			restore_uid();
Jan F. Chadima 7818e5 
+			permanently_set_uid(runas_pw);
Jan F. Chadima 7818e5 
+	  	}
Jan F. Chadima 7818e5 
+
Jan F. Chadima 7818e5 
+		close(childdescriptors[0]);
Jan F. Chadima 7818e5 
+		/* put the write end of the pipe on stdout (FD 1) */
Jan F. Chadima 7818e5 
+		if (dup2(childdescriptors[1], 1) == -1) {
Jan F. Chadima 7818e5 
+			error("failed to dup2(2) from AuthorizedKeysCommand: %s",
Jan F. Chadima 7818e5 
+			    strerror(errno));
Jan F. Chadima 7818e5 
+			_exit(127);
Jan F. Chadima 7818e5 
+		}
Jan F. Chadima 7818e5 
+
Jan F. Chadima 7818e5 
+		debug3("about to execl() AuthorizedKeysCommand: \"%s\" \"%s\"", options.authorized_keys_command, pw->pw_name);
Jan F. Chadima 7818e5 
+		/* see session.c:child_close_fds() */
Jan F. Chadima 7818e5 
+		for (i = 3; i < 64; ++i) {
Jan F. Chadima 7818e5 
+			close(i);
Jan F. Chadima 7818e5 
+		}
Jan F. Chadima 7818e5 
+
Jan F. Chadima 7818e5 
+		execl(options.authorized_keys_command, options.authorized_keys_command, pw->pw_name, NULL);
Jan F. Chadima 7818e5 
+
Jan F. Chadima 7818e5 
+		/* if we got here, it didn't work */
Jan F. Chadima 7818e5 
+		error("failed to execl AuthorizedKeysCommand: %s", strerror(errno)); /* this won't work because we closed the fds above */
Jan F. Chadima 7818e5 
+		_exit(127);
Jan F. Chadima 7818e5 
+	}
Jan F. Chadima 7818e5 
+
Jan F. Chadima 7818e5 
+	close(childdescriptors[1]);
Jan F. Chadima 7818e5 
+	f = fdopen(childdescriptors[0], "r");
Jan F. Chadima 7818e5 
+	if (!f) {
Jan F. Chadima 7818e5 
+		error("%s: could not buffer FDs from AuthorizedKeysCommand (\"%s\", \"r\"): %s", __func__,
Jan F. Chadima 7818e5 
+		    options.authorized_keys_command, strerror (errno));
Jan F. Chadima 7818e5 
+		goto go_away;
Jan F. Chadima 7818e5 
+	}
Jan F. Chadima 7818e5 
+
Jan F. Chadima 7818e5 
+	found_key = user_search_key_in_file (f, options.authorized_keys_command, key, pw);
Jan F. Chadima 7818e5 
+	fclose (f);
Jan F. Chadima 7818e5 
+	do {
Jan F. Chadima 7818e5 
+		pid = waitpid(child, &pstat, 0);
Jan F. Chadima 7818e5 
+	} while (pid == -1 && errno == EINTR);
Jan F. Chadima 7818e5 
+
Jan F. Chadima 7818e5 
+	/* what about the return value from the child process? */
Jan F. Chadima 7818e5 
+go_away:
Jan F. Chadima 7818e5 
+	if (progname)
Jan F. Chadima 7818e5 
+		xfree (progname);
Jan F. Chadima 7818e5 
+
Jan F. Chadima 7818e5 
+	if (runas_pw->pw_uid != 0)
Jan F. Chadima 7818e5 
+		restore_uid();
Jan F. Chadima 7818e5 
+	return found_key;
Jan F. Chadima 7818e5 
+}
Jan F. Chadima 7818e5 
+#endif
Jan F. Chadima 7818e5 
+
Jan F. Chadima 7818e5 
+/* check whether given key is in
Jan F. Chadima 7818e5 
 int
Jan F. Chadima 7818e5 
 user_key_allowed(struct passwd *pw, Key *key)
Jan F. Chadima 7818e5 
 {
Jan F. Chadima 7818e5 
 	int success;
Jan F. Chadima 7818e5 
 	char *file;
Jan F. Chadima 7818e5
Jan F. Chadima 7818e5 
+#ifdef WITH_AUTHORIZED_KEYS_COMMAND
Jan F. Chadima 7818e5 
+	success = user_key_via_command_allowed2(pw, key);
Jan F. Chadima 7818e5 
+	if (success > 0)
Jan F. Chadima 7818e5 
+		return success;
Jan F. Chadima 7818e5 
+#endif
Jan F. Chadima 7818e5 
+
Jan F. Chadima 7818e5 
 	if (auth_key_is_revoked(key))
Jan F. Chadima 7818e5 
 		return 0;
Jan F. Chadima 7818e5 
 	if (key_is_cert(key) && auth_key_is_revoked(key->cert->signature_key))
Jan F. Chadima 1b8a26 
diff -up openssh-5.6p1/configure.ac.akc openssh-5.6p1/configure.ac
Jan F. Chadima c6801b 
--- openssh-5.6p1/configure.ac.akc	2010-09-03 15:24:51.000000000 +0200
Jan F. Chadima c6801b 
+++ openssh-5.6p1/configure.ac	2010-09-03 15:24:51.000000000 +0200
Jan F. Chadima 1b8a26 
@@ -1346,6 +1346,18 @@ AC_ARG_WITH(audit,
Jan F. Chadima 7818e5 
 	esac ]
Jan F. Chadima 7818e5 
 )
Jan F. Chadima 7818e5
Jan F. Chadima 7818e5 
+# Check whether user wants AuthorizedKeysCommand support
Jan F. Chadima 7818e5 
+AKC_MSG="no"
Jan F. Chadima 7818e5 
+AC_ARG_WITH(authorized-keys-command,
Jan F. Chadima 7818e5 
+	[  --with-authorized-keys-command      Enable AuthorizedKeysCommand support],
Jan F. Chadima 7818e5 
+	[
Jan F. Chadima 7818e5 
+		if test "x$withval" != "xno" ; then
Jan F. Chadima 7818e5 
+			AC_DEFINE([WITH_AUTHORIZED_KEYS_COMMAND], 1, [Enable AuthorizedKeysCommand support])
Jan F. Chadima 7818e5 
+			AKC_MSG="yes"
Jan F. Chadima 7818e5 
+		fi
Jan F. Chadima 7818e5 
+	]
Jan F. Chadima 7818e5 
+)
Jan F. Chadima 7818e5 
+
Jan F. Chadima 7818e5 
 dnl    Checks for library functions. Please keep in alphabetical order
Jan F. Chadima 7818e5 
 AC_CHECK_FUNCS( \
Jan F. Chadima 7818e5 
 	arc4random \
Jan F. Chadima 1b8a26 
@@ -4209,6 +4221,7 @@ echo "               Linux audit support
Jan F. Chadima 7818e5 
 echo "                 Smartcard support: $SCARD_MSG"
Jan F. Chadima 7818e5 
 echo "                     S/KEY support: $SKEY_MSG"
Jan F. Chadima 7818e5 
 echo "              TCP Wrappers support: $TCPW_MSG"
Jan F. Chadima 7818e5 
+echo "     AuthorizedKeysCommand support: $AKC_MSG"
Jan F. Chadima 7818e5 
 echo "              MD5 password support: $MD5_MSG"
Jan F. Chadima 7818e5 
 echo "                   libedit support: $LIBEDIT_MSG"
Jan F. Chadima 7818e5 
 echo "  Solaris process contract support: $SPC_MSG"
Jan F. Chadima 1b8a26 
diff -up openssh-5.6p1/servconf.c.akc openssh-5.6p1/servconf.c
Jan F. Chadima c6801b 
--- openssh-5.6p1/servconf.c.akc	2010-09-03 15:24:50.000000000 +0200
Jan F. Chadima c6801b 
+++ openssh-5.6p1/servconf.c	2010-09-03 15:24:51.000000000 +0200
Jan F. Chadima 1b8a26 
@@ -129,6 +129,8 @@ initialize_server_options(ServerOptions
Jan F. Chadima 7818e5 
 	options->num_permitted_opens = -1;
Jan F. Chadima 7818e5 
 	options->adm_forced_command = NULL;
Jan F. Chadima 7818e5 
 	options->chroot_directory = NULL;
Jan F. Chadima 7818e5 
+	options->authorized_keys_command = NULL;
Jan F. Chadima 7818e5 
+	options->authorized_keys_command_runas = NULL;
Jan F. Chadima 7818e5 
 	options->zero_knowledge_password_authentication = -1;
Jan F. Chadima 7818e5 
 	options->revoked_keys_file = NULL;
Jan F. Chadima 7818e5 
 	options->trusted_user_ca_keys = NULL;
Jan F. Chadima 1b8a26 
@@ -316,6 +318,7 @@ typedef enum {
Jan F. Chadima 7818e5 
 	sUsePrivilegeSeparation, sAllowAgentForwarding,
Jan F. Chadima 7818e5 
 	sZeroKnowledgePasswordAuthentication, sHostCertificate,
Jan F. Chadima 1b8a26 
 	sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
Jan F. Chadima 7818e5 
+	sAuthorizedKeysCommand, sAuthorizedKeysCommandRunAs,
Jan F. Chadima 7818e5 
 	sDeprecated, sUnsupported
Jan F. Chadima 7818e5 
 } ServerOpCodes;
Jan F. Chadima 7818e5
Jan F. Chadima 1b8a26 
@@ -439,6 +442,13 @@ static struct {
Jan F. Chadima 7818e5 
 	{ "revokedkeys", sRevokedKeys, SSHCFG_ALL },
Jan F. Chadima 7818e5 
 	{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
Jan F. Chadima 1b8a26 
 	{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
Jan F. Chadima 7818e5 
+#ifdef WITH_AUTHORIZED_KEYS_COMMAND
Jan F. Chadima 7818e5 
+	{ "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
Jan F. Chadima 7818e5 
+	{ "authorizedkeyscommandrunas", sAuthorizedKeysCommandRunAs, SSHCFG_ALL },
Jan F. Chadima 7818e5 
+#else
Jan F. Chadima 7818e5 
+	{ "authorizedkeyscommand", sUnsupported, SSHCFG_ALL },
Jan F. Chadima 7818e5 
+	{ "authorizedkeyscommandrunas", sUnsupported, SSHCFG_ALL },
Jan F. Chadima 7818e5 
+#endif
Jan F. Chadima 7818e5 
 	{ NULL, sBadOption, 0 }
Jan F. Chadima 7818e5 
 };
Jan F. Chadima 7818e5
Jan F. Chadima 1b8a26 
@@ -1360,6 +1370,20 @@ process_server_config_line(ServerOptions
Jan F. Chadima 7818e5 
 		charptr = &options->revoked_keys_file;
Jan F. Chadima 7818e5 
 		goto parse_filename;
Jan F. Chadima 7818e5
Jan F. Chadima 7818e5 
+	case sAuthorizedKeysCommand:
Jan F. Chadima 7818e5 
+		len = strspn(cp, WHITESPACE);
Jan F. Chadima 7818e5 
+		if (*activep && options->authorized_keys_command == NULL)
Jan F. Chadima 7818e5 
+			options->authorized_keys_command = xstrdup(cp + len);
Jan F. Chadima 7818e5 
+		return 0;
Jan F. Chadima 7818e5 
+
Jan F. Chadima 7818e5 
+	case sAuthorizedKeysCommandRunAs:
Jan F. Chadima 7818e5 
+		charptr = &options->authorized_keys_command_runas;
Jan F. Chadima 7818e5 
+
Jan F. Chadima 7818e5 
+		arg = strdelim(&cp;;
Jan F. Chadima 7818e5 
+		if (*activep && *charptr == NULL)
Jan F. Chadima 7818e5 
+			*charptr = xstrdup(arg);
Jan F. Chadima 7818e5 
+		break;
Jan F. Chadima 7818e5 
+
Jan F. Chadima 7818e5 
 	case sDeprecated:
Jan F. Chadima 7818e5 
 		logit("%s line %d: Deprecated option %s",
Jan F. Chadima 7818e5 
 		    filename, linenum, arg);
Jan F. Chadima 1b8a26 
@@ -1453,6 +1477,8 @@ copy_set_server_options(ServerOptions *d
Jan F. Chadima 7818e5 
 	M_CP_INTOPT(gss_authentication);
Jan F. Chadima 7818e5 
 	M_CP_INTOPT(rsa_authentication);
Jan F. Chadima 7818e5 
 	M_CP_INTOPT(pubkey_authentication);
Jan F. Chadima 7818e5 
+	M_CP_STROPT(authorized_keys_command);
Jan F. Chadima 7818e5 
+	M_CP_STROPT(authorized_keys_command_runas);
Jan F. Chadima 7818e5 
 	M_CP_INTOPT(kerberos_authentication);
Jan F. Chadima 7818e5 
 	M_CP_INTOPT(hostbased_authentication);
Jan F. Chadima 1b8a26 
 	M_CP_INTOPT(hostbased_uses_name_from_packet_only);
Jan F. Chadima 1b8a26 
@@ -1705,6 +1731,8 @@ dump_config(ServerOptions *o)
Jan F. Chadima 7818e5 
 	dump_cfg_string(sRevokedKeys, o->revoked_keys_file);
Jan F. Chadima 1b8a26 
 	dump_cfg_string(sAuthorizedPrincipalsFile,
Jan F. Chadima 1b8a26 
 	    o->authorized_principals_file);
Jan F. Chadima 7818e5 
+	dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command);
Jan F. Chadima 7818e5 
+	dump_cfg_string(sAuthorizedKeysCommandRunAs, o->authorized_keys_command_runas);
Jan F. Chadima 7818e5
Jan F. Chadima 7818e5 
 	/* string arguments requiring a lookup */
Jan F. Chadima 7818e5 
 	dump_cfg_string(sLogLevel, log_level_name(o->log_level));
Jan F. Chadima 1b8a26 
diff -up openssh-5.6p1/servconf.h.akc openssh-5.6p1/servconf.h
Jan F. Chadima c6801b 
--- openssh-5.6p1/servconf.h.akc	2010-09-03 15:24:50.000000000 +0200
Jan F. Chadima c6801b 
+++ openssh-5.6p1/servconf.h	2010-09-03 15:24:51.000000000 +0200
Jan F. Chadima 1b8a26 
@@ -158,6 +158,8 @@ typedef struct {
Jan F. Chadima 7818e5 
 	char   *revoked_keys_file;
Jan F. Chadima 7818e5 
 	char   *trusted_user_ca_keys;
Jan F. Chadima 1b8a26 
 	char   *authorized_principals_file;
Jan F. Chadima 7818e5 
+	char   *authorized_keys_command;
Jan F. Chadima 7818e5 
+	char   *authorized_keys_command_runas;
Jan F. Chadima 7818e5 
 }       ServerOptions;
Jan F. Chadima 7818e5
Jan F. Chadima 7818e5 
 void	 initialize_server_options(ServerOptions *);
Jan F. Chadima 1b8a26 
diff -up openssh-5.6p1/sshd_config.0.akc openssh-5.6p1/sshd_config.0
Jan F. Chadima c6801b 
--- openssh-5.6p1/sshd_config.0.akc	2010-09-03 15:24:50.000000000 +0200
Jan F. Chadima c6801b 
+++ openssh-5.6p1/sshd_config.0	2010-09-03 15:27:26.000000000 +0200
Jan F. Chadima c6801b 
@@ -71,6 +71,23 @@ DESCRIPTION
Jan F. Chadima 7818e5
Jan F. Chadima c6801b 
              See PATTERNS in ssh_config(5) for more information on patterns.
Jan F. Chadima 7818e5
Jan F. Chadima 7818e5 
+     AuthorizedKeysCommand
Jan F. Chadima 7818e5 
+
Jan F. Chadima 7818e5 
+             Specifies a program to be used for lookup of the user's
Jan F. Chadima c6801b 
+	     public keys.  The program will be invoked with its first
Jan F. Chadima c6801b 
+	     argument the name of the user being authorized, and should produce
Jan F. Chadima c6801b 
+	     on standard output AuthorizedKeys lines (see AUTHORIZED_KEYS
Jan F. Chadima c6801b 
+	     in sshd(8)).  By default (or when set to the empty string) there is no
Jan F. Chadima c6801b 
+	     AuthorizedKeysCommand run.  If the AuthorizedKeysCommand does not successfully
Jan F. Chadima c6801b 
+	     authorize the user, authorization falls through to the
Jan F. Chadima c6801b 
+	     AuthorizedKeysFile.  Note that this option has an effect
Jan F. Chadima c6801b 
+	     only with PubkeyAuthentication turned on.
Jan F. Chadima 7818e5 
+
Jan F. Chadima 7818e5 
+     AuthorizedKeysCommandRunAs
Jan F. Chadima 7818e5 
+             Specifies the user under whose account the AuthorizedKeysCommand is run.
Jan F. Chadima 7818e5 
+             Empty string (the default value) means the user being authorized
Jan F. Chadima 7818e5 
+             is used.
Jan F. Chadima 7818e5 
+
Jan F. Chadima c6801b 
      AuthorizedKeysFile
Jan F. Chadima c6801b 
              Specifies the file that contains the public keys that can be used
Jan F. Chadima c6801b 
              for user authentication.  The format is described in the
Jan F. Chadima c6801b 
@@ -375,7 +392,8 @@ DESCRIPTION
Jan F. Chadima c6801b
Jan F. Chadima c6801b 
              Only a subset of keywords may be used on the lines following a
Jan F. Chadima c6801b 
              Match keyword.  Available keywords are AllowAgentForwarding,
Jan F. Chadima c6801b 
-             AllowTcpForwarding, AuthorizedKeysFile, AuthorizedPrincipalsFile,
Jan F. Chadima c6801b 
+             AllowTcpForwarding, AuthorizedKeysFile, AuthorizedKeysCommand,
Jan F. Chadima c6801b 
+             AuthorizedKeysCommandRunAs, AuthorizedPrincipalsFile,
Jan F. Chadima c6801b 
              Banner, ChrootDirectory, ForceCommand, GatewayPorts,
Jan F. Chadima c6801b 
              GSSAPIAuthentication, HostbasedAuthentication,
Jan F. Chadima c6801b 
              HostbasedUsesNameFromPacketOnly, KbdInteractiveAuthentication,
Jan F. Chadima 1b8a26 
diff -up openssh-5.6p1/sshd_config.5.akc openssh-5.6p1/sshd_config.5
Jan F. Chadima c6801b 
--- openssh-5.6p1/sshd_config.5.akc	2010-09-03 15:24:50.000000000 +0200
Jan F. Chadima c6801b 
+++ openssh-5.6p1/sshd_config.5	2010-09-03 15:24:51.000000000 +0200
Jan F. Chadima 1b8a26 
@@ -654,6 +654,8 @@ Available keywords are
Jan F. Chadima 1b8a26 
 .Cm AllowAgentForwarding ,
Jan F. Chadima 1b8a26 
 .Cm AllowTcpForwarding ,
Jan F. Chadima 1b8a26 
 .Cm AuthorizedKeysFile ,
Jan F. Chadima 1b8a26 
+.Cm AuthorizedKeysCommand ,
Jan F. Chadima 1b8a26 
+.Cm AuthorizedKeysCommandRunAs ,
Jan F. Chadima 1b8a26 
 .Cm AuthorizedPrincipalsFile ,
Jan F. Chadima 1b8a26 
 .Cm Banner ,
Jan F. Chadima 1b8a26 
 .Cm ChrootDirectory ,
Jan F. Chadima 1b8a26 
@@ -666,6 +668,7 @@ Available keywords are
Jan F. Chadima 7818e5 
 .Cm KerberosAuthentication ,
Jan F. Chadima 7818e5 
 .Cm MaxAuthTries ,
Jan F. Chadima 7818e5 
 .Cm MaxSessions ,
Jan F. Chadima 7818e5 
+.Cm PubkeyAuthentication ,
Jan F. Chadima 7818e5 
 .Cm PasswordAuthentication ,
Jan F. Chadima 7818e5 
 .Cm PermitEmptyPasswords ,
Jan F. Chadima 7818e5 
 .Cm PermitOpen ,
Jan F. Chadima 1b8a26 
@@ -868,6 +871,20 @@ Specifies a list of revoked public keys.
Jan F. Chadima 7818e5 
 Keys listed in this file will be refused for public key authentication.
Jan F. Chadima 7818e5 
 Note that if this file is not readable, then public key authentication will
Jan F. Chadima 7818e5 
 be refused for all users.
Jan F. Chadima 7818e5 
+.It Cm AuthorizedKeysCommand
Jan F. Chadima 7818e5 
+Specifies a program to be used for lookup of the user's
Jan F. Chadima 7818e5 
+public keys.  The program will be invoked with its first
Jan F. Chadima 7818e5 
+argument the name of the user being authorized, and should produce
Jan F. Chadima 7818e5 
+on standard output AuthorizedKeys lines (see AUTHORIZED_KEYS
Jan F. Chadima 7818e5 
+in sshd(8)).  By default (or when set to the empty string) there is no
Jan F. Chadima 7818e5 
+AuthorizedKeysCommand run.  If the AuthorizedKeysCommand does not successfully
Jan F. Chadima 7818e5 
+authorize the user, authorization falls through to the
Jan F. Chadima 7818e5 
+AuthorizedKeysFile.  Note that this option has an effect
Jan F. Chadima 7818e5 
+only with PubkeyAuthentication turned on.
Jan F. Chadima 7818e5 
+.It Cm AuthorizedKeysCommandRunAs
Jan F. Chadima 7818e5 
+Specifies the user under whose account the AuthorizedKeysCommand is run. Empty
Jan F. Chadima 7818e5 
+string (the default value) means the user being authorized is used.
Jan F. Chadima 7818e5 
+.Dq
Jan F. Chadima 7818e5 
 .It Cm RhostsRSAAuthentication
Jan F. Chadima 7818e5 
 Specifies whether rhosts or /etc/hosts.equiv authentication together
Jan F. Chadima 7818e5 
 with successful RSA host authentication is allowed.
Jan F. Chadima 1b8a26 
diff -up openssh-5.6p1/sshd_config.akc openssh-5.6p1/sshd_config
Jan F. Chadima c6801b 
--- openssh-5.6p1/sshd_config.akc	2010-09-03 15:24:50.000000000 +0200
Jan F. Chadima c6801b 
+++ openssh-5.6p1/sshd_config	2010-09-03 15:24:51.000000000 +0200
Jan F. Chadima 1b8a26 
@@ -45,6 +45,8 @@ SyslogFacility AUTHPRIV
Jan F. Chadima 1b8a26 
 #RSAAuthentication yes
Jan F. Chadima 1b8a26 
 #PubkeyAuthentication yes
Jan F. Chadima 1b8a26 
 #AuthorizedKeysFile	.ssh/authorized_keys
Jan F. Chadima 1b8a26 
+#AuthorizedKeysCommand none
Jan F. Chadima 1b8a26 
+#AuthorizedKeysCommandRunAs nobody
Jan F. Chadima 1b8a26
Jan F. Chadima 1b8a26 
 # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
Jan F. Chadima 1b8a26 
 #RhostsRSAAuthentication no

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation