Petr Lautrbach 9fe1af
diff -up openssh-6.1p1/auth2-pubkey.c.akc openssh-6.1p1/auth2-pubkey.c
Petr Lautrbach 9fe1af
--- openssh-6.1p1/auth2-pubkey.c.akc	2012-09-14 20:20:48.459445650 +0200
Petr Lautrbach 9fe1af
+++ openssh-6.1p1/auth2-pubkey.c	2012-09-14 20:20:48.520446072 +0200
Jan F. Chadima 69dd72
@@ -27,6 +27,7 @@
Jan F. Chadima 69dd72
 
Jan F. Chadima 69dd72
 #include <sys/types.h>
Jan F. Chadima 69dd72
 #include <sys/stat.h>
Jan F. Chadima 69dd72
+#include <sys/wait.h>
Jan F. Chadima 69dd72
 
Jan F. Chadima 69dd72
 #include <fcntl.h>
Jan F. Chadima 69dd72
 #include <pwd.h>
Petr Lautrbach 9fe1af
@@ -277,27 +278,15 @@ match_principals_file(char *file, struct
Jan F. Chadima 69dd72
 
Jan F. Chadima 69dd72
 /* return 1 if user allows given key */
Jan F. Chadima 69dd72
 static int
Jan F. Chadima 69dd72
-user_key_allowed2(struct passwd *pw, Key *key, char *file)
Jan F. Chadima 69dd72
+user_search_key_in_file(FILE *f, char *file, Key* key, struct passwd *pw)
Jan F. Chadima 69dd72
 {
Jan F. Chadima 69dd72
 	char line[SSH_MAX_PUBKEY_BYTES];
Jan F. Chadima 69dd72
 	const char *reason;
Jan F. Chadima 69dd72
 	int found_key = 0;
Jan F. Chadima 69dd72
-	FILE *f;
Jan F. Chadima 69dd72
 	u_long linenum = 0;
Jan F. Chadima 69dd72
 	Key *found;
Jan F. Chadima 69dd72
 	char *fp;
Jan F. Chadima 69dd72
 
Jan F. Chadima 69dd72
-	/* Temporarily use the user's uid. */
Jan F. Chadima 69dd72
-	temporarily_use_uid(pw);
Jan F. Chadima 69dd72
-
Jan F. Chadima 69dd72
-	debug("trying public key file %s", file);
Jan F. Chadima 69dd72
-	f = auth_openkeyfile(file, pw, options.strict_modes);
Jan F. Chadima 69dd72
-
Jan F. Chadima 69dd72
-	if (!f) {
Jan F. Chadima 69dd72
-		restore_uid();
Jan F. Chadima 69dd72
-		return 0;
Jan F. Chadima 69dd72
-	}
Jan F. Chadima 69dd72
-
Jan F. Chadima 69dd72
 	found_key = 0;
Jan F. Chadima 69dd72
 	found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);
Jan F. Chadima 69dd72
 
Petr Lautrbach 9fe1af
@@ -390,8 +379,6 @@ user_key_allowed2(struct passwd *pw, Key
Jan F. Chadima 69dd72
 			break;
Jan F. Chadima 69dd72
 		}
Jan F. Chadima 69dd72
 	}
Jan F. Chadima 69dd72
-	restore_uid();
Jan F. Chadima 69dd72
-	fclose(f);
Jan F. Chadima 69dd72
 	key_free(found);
Jan F. Chadima 69dd72
 	if (!found_key)
Jan F. Chadima 69dd72
 		debug2("key not found");
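Review bot: The comment above the renamed function still reads `/* return 1 if user allows given key */`, but after this hunk and the preceding one user_search_key_in_file no longer opens the file, switches uid or closes the stream, so its contract differs from the old user_key_allowed2 and the comment should say so; for example `/* return 1 if key is found in the already-open stream f; the caller owns f and any uid switch */`. What the `file` argument is still used for is not visible here (presumably only in diagnostics), so it is worth stating in that comment too. The new signature also writes `Key* key` where the rest of the file uses `Key *key`. The function body spans both hunks and continues outside them.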
Petr Lautrbach 9fe1af
@@ -453,13 +440,191 @@ user_cert_trusted_ca(struct passwd *pw,
Jan F. Chadima 69dd72
 	return ret;
Jan F. Chadima 69dd72
 }
Jan F. Chadima 69dd72
 
Jan F. Chadima 69dd72
-/* check whether given key is in .ssh/authorized_keys* */
Jan F. Chadima 69dd72
+/* return 1 if user allows given key */
Jan F. Chadima 69dd72
+static int
Jan F. Chadima 69dd72
+user_key_allowed2(struct passwd *pw, Key *key, char *file)
Jan F. Chadima 69dd72
+{
Jan F. Chadima 69dd72
+	FILE *f;
Jan F. Chadima 69dd72
+	int found_key = 0;
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	/* Temporarily use the user's uid. */
Jan F. Chadima 69dd72
+	temporarily_use_uid(pw);
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	debug("trying public key file %s", file);
Jan F. Chadima 69dd72
+	f = auth_openkeyfile(file, pw, options.strict_modes);
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+ 	if (f) {
Jan F. Chadima 69dd72
+ 		found_key = user_search_key_in_file (f, file, key, pw);
Jan F. Chadima 69dd72
+		fclose(f);
Jan F. Chadima 69dd72
+	}
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	restore_uid();
Jan F. Chadima 69dd72
+	return found_key;
Jan F. Chadima 69dd72
+}
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+#ifdef WITH_AUTHORIZED_KEYS_COMMAND
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+#define WHITESPACE " \t\r\n"
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+/* return 1 if user allows given key */
Jan F. Chadima 69dd72
+static int
Jan F. Chadima 69dd72
+user_key_via_command_allowed2(struct passwd *pw, Key *key)
Jan F. Chadima 69dd72
+{
Jan F. Chadima 69dd72
+	FILE *f;
Jan F. Chadima 69dd72
+	int found_key = 0;
Jan F. Chadima 69dd72
+	char *progname = NULL;
Jan F. Chadima 69dd72
+	char *cp;
Jan F. Chadima 69dd72
+	struct passwd *runas_pw;
Jan F. Chadima 69dd72
+	struct stat st;
Jan F. Chadima 69dd72
+	int childdescriptors[2], i;
Jan F. Chadima 69dd72
+	pid_t pstat, pid, child;
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	if (options.authorized_keys_command == NULL || options.authorized_keys_command[0] != '/')
Jan F. Chadima 1df0cf
+		return 0;
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	/* get the run as identity from config */
Jan F. Chadima 69dd72
+	runas_pw = (options.authorized_keys_command_runas == NULL)? pw
Jan F. Chadima 69dd72
+	    : getpwnam (options.authorized_keys_command_runas);
Jan F. Chadima 69dd72
+	if (!runas_pw) {
Jan F. Chadima 69dd72
+		error("%s: getpwnam(\"%s\"): %s", __func__,
Jan F. Chadima 69dd72
+		    options.authorized_keys_command_runas, strerror(errno));
Jan F. Chadima 69dd72
+		return 0;
Jan F. Chadima 69dd72
+	}
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	/* Temporarily use the specified uid. */
Jan F. Chadima 69dd72
+	if (runas_pw->pw_uid != 0)
Jan F. Chadima 69dd72
+		temporarily_use_uid(runas_pw);
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	progname = xstrdup(options.authorized_keys_command);
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	debug3("%s: checking program '%s'", __func__, progname);
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	if (stat (progname, &st) < 0) {
Jan F. Chadima 69dd72
+		error("%s: stat(\"%s\"): %s", __func__,
Jan F. Chadima 69dd72
+		    progname, strerror(errno));
Jan F. Chadima 69dd72
+		goto go_away;
Jan F. Chadima 69dd72
+	}
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	if (st.st_uid != 0 || (st.st_mode & 022) != 0) {
Jan F. Chadima 69dd72
+		error("bad ownership or modes for AuthorizedKeysCommand \"%s\"",
Jan F. Chadima 69dd72
+		    progname);
Jan F. Chadima 69dd72
+		goto go_away;
Jan F. Chadima 69dd72
+	}
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	if (!S_ISREG(st.st_mode)) {
Jan F. Chadima 69dd72
+		error("AuthorizedKeysCommand \"%s\" is not a regular file",
Jan F. Chadima 69dd72
+		    progname);
Jan F. Chadima 69dd72
+		goto go_away;
Jan F. Chadima 69dd72
+	}
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	/*
Jan F. Chadima 69dd72
+	 * Descend the path, checking that each component is a
Jan F. Chadima 69dd72
+	 * root-owned directory with strict permissions.
Jan F. Chadima 69dd72
+	 */
Jan F. Chadima 69dd72
+	do {
Jan F. Chadima 69dd72
+		if ((cp = strrchr(progname, '/')) == NULL)
Jan F. Chadima 69dd72
+			break;
Petr Lautrbach d9e618
+		else
Jan F. Chadima 69dd72
+			*cp = '\0';
Jan F. Chadima 69dd72
+	
Jan F. Chadima 69dd72
+		debug3("%s: checking component '%s'", __func__, (*progname == '\0' ? "/" : progname));
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+		if (stat((*progname == '\0' ? "/" : progname), &st) != 0) {
Jan F. Chadima 69dd72
+			error("%s: stat(\"%s\"): %s", __func__,
Jan F. Chadima 69dd72
+			    progname, strerror(errno));
Jan F. Chadima 69dd72
+			goto go_away;
Jan F. Chadima 69dd72
+		}
Jan F. Chadima 69dd72
+		if (st.st_uid != 0 || (st.st_mode & 022) != 0) {
Jan F. Chadima 69dd72
+			error("bad ownership or modes for AuthorizedKeysCommand path component \"%s\"",
Jan F. Chadima 69dd72
+			    progname);
Jan F. Chadima 69dd72
+			goto go_away;
Jan F. Chadima 69dd72
+		}
Jan F. Chadima 69dd72
+		if (!S_ISDIR(st.st_mode)) {
Jan F. Chadima 69dd72
+			error("AuthorizedKeysCommand path component \"%s\" is not a directory",
Jan F. Chadima 69dd72
+			    progname);
Jan F. Chadima 69dd72
+			goto go_away;
Jan F. Chadima 69dd72
+		}
Jan F. Chadima 69dd72
+	} while (1);
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	/* open the pipe and read the keys */
Jan F. Chadima 69dd72
+	if (pipe(childdescriptors)) {
Jan F. Chadima 69dd72
+		error("failed to pipe(2) for AuthorizedKeysCommand: %s",
Jan F. Chadima 69dd72
+		    strerror(errno));
Jan F. Chadima 69dd72
+		goto go_away;
Jan F. Chadima 69dd72
+	}
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	child = fork();
Jan F. Chadima 69dd72
+	if (child == -1) {
Jan F. Chadima 69dd72
+		error("failed to fork(2) for AuthorizedKeysCommand: %s",
Jan F. Chadima 69dd72
+		    strerror(errno));
Jan F. Chadima 69dd72
+		goto go_away;
Jan F. Chadima 69dd72
+	} else if (child == 0) {
Jan F. Chadima 69dd72
+		/* we're in the child process here -- we should never return from this block. */
Jan F. Chadima 69dd72
+		/* permanently drop privs in child process */
Jan F. Chadima 69dd72
+		if (runas_pw->pw_uid != 0) {
Jan F. Chadima 69dd72
+			restore_uid();
Jan F. Chadima 69dd72
+			permanently_set_uid(runas_pw);
Jan F. Chadima 69dd72
+	  	}
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+		close(childdescriptors[0]);
Jan F. Chadima 69dd72
+		/* put the write end of the pipe on stdout (FD 1) */
Jan F. Chadima 69dd72
+		if (dup2(childdescriptors[1], 1) == -1) {
Jan F. Chadima 69dd72
+			error("failed to dup2(2) from AuthorizedKeysCommand: %s",
Jan F. Chadima 69dd72
+			    strerror(errno));
Jan F. Chadima 69dd72
+			_exit(127);
Jan F. Chadima 69dd72
+		}
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+		debug3("about to execl() AuthorizedKeysCommand: \"%s\" \"%s\"", options.authorized_keys_command, pw->pw_name);
Jan F. Chadima 69dd72
+		/* see session.c:child_close_fds() */
Jan F. Chadima 69dd72
+		for (i = 3; i < 64; ++i) {
Jan F. Chadima 69dd72
+			close(i);
Jan F. Chadima 69dd72
+		}
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+		execl(options.authorized_keys_command, options.authorized_keys_command, pw->pw_name, NULL);
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+		/* if we got here, it didn't work */
Jan F. Chadima 69dd72
+		error("failed to execl AuthorizedKeysCommand: %s", strerror(errno)); /* this won't work because we closed the fds above */
Jan F. Chadima 69dd72
+		_exit(127);
Jan F. Chadima 69dd72
+	}
Jan F. Chadima 69dd72
+	
Jan F. Chadima 69dd72
+	close(childdescriptors[1]);
Jan F. Chadima 69dd72
+	f = fdopen(childdescriptors[0], "r");
Jan F. Chadima 69dd72
+	if (!f) {
Jan F. Chadima 69dd72
+		error("%s: could not buffer FDs from AuthorizedKeysCommand (\"%s\", \"r\"): %s", __func__,
Jan F. Chadima 69dd72
+		    options.authorized_keys_command, strerror (errno));
Jan F. Chadima 69dd72
+		goto go_away;
Jan F. Chadima 69dd72
+	}
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	found_key = user_search_key_in_file (f, options.authorized_keys_command, key, pw);
Jan F. Chadima 69dd72
+	fclose (f);
Jan F. Chadima 69dd72
+	do {
Jan F. Chadima 69dd72
+		pid = waitpid(child, &pstat, 0);
Jan F. Chadima 69dd72
+	} while (pid == -1 && errno == EINTR);
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	/* what about the return value from the child process? */
Jan F. Chadima 69dd72
+go_away:
Jan F. Chadima 69dd72
+	if (progname)
Jan F. Chadima 69dd72
+		xfree (progname);
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	if (runas_pw->pw_uid != 0)
Jan F. Chadima 69dd72
+		restore_uid();
Jan F. Chadima 69dd72
+	return found_key;
Jan F. Chadima 69dd72
+}
Jan F. Chadima 69dd72
+#endif
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+/* check whether given key is in 
Jan F. Chadima 69dd72
 int
Jan F. Chadima 69dd72
 user_key_allowed(struct passwd *pw, Key *key)
Jan F. Chadima 69dd72
 {
Tomas Mraz fc87f2
 	u_int success, i;
Tomas Mraz fc87f2
 	char *file;
Tomas Mraz fc87f2
 
Tomas Mraz fc87f2
+#ifdef WITH_AUTHORIZED_KEYS_COMMAND
Tomas Mraz fc87f2
+	success = user_key_via_command_allowed2(pw, key);
Tomas Mraz fc87f2
+	if (success > 0)
Tomas Mraz fc87f2
+		return success;
Tomas Mraz fc87f2
+#endif
Tomas Mraz fc87f2
+
Tomas Mraz fc87f2
 	if (auth_key_is_revoked(key))
Tomas Mraz fc87f2
 		return 0;
Tomas Mraz fc87f2
 	if (key_is_cert(key) && auth_key_is_revoked(key->cert->signature_key))
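Review bot: The early return added at the top of user_key_allowed (`if (success > 0) return success;`) runs before the two auth_key_is_revoked() checks that follow it, so a key listed in RevokedKeys is still accepted whenever AuthorizedKeysCommand returns it. The `#ifdef WITH_AUTHORIZED_KEYS_COMMAND` block should be moved below the second auth_key_is_revoked() check so that revocation is enforced for every key source. In user_key_via_command_allowed2 the waitpid() loop stores the status in pstat but nothing examines it (the `/* what about the return value from the child process? */` comment says as much), so output from a command that crashed, failed to exec (`_exit(127)`) or exited non-zero is still trusted; add `if (pid == -1 || !WIFEXITED(pstat) || WEXITSTATUS(pstat) != 0) found_key = 0;` after the loop. The fork() and fdopen() failure paths jump to go_away without closing childdescriptors[0] and [1], and the fdopen() path also never reaps the child, so both should close the pipe ends (and the latter waitpid()) before leaving. user_key_allowed's body continues past the end of the hunk.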
Petr Lautrbach 9fe1af
diff -up openssh-6.1p1/configure.ac.akc openssh-6.1p1/configure.ac
Petr Lautrbach 9fe1af
--- openssh-6.1p1/configure.ac.akc	2012-07-06 03:49:29.000000000 +0200
Petr Lautrbach 9fe1af
+++ openssh-6.1p1/configure.ac	2012-09-14 20:20:48.525446106 +0200
Petr Lautrbach 9fe1af
@@ -1512,6 +1512,18 @@ AC_ARG_WITH([audit],
Jan F. Chadima 69dd72
 	esac ]
Jan F. Chadima 69dd72
 )
Jan F. Chadima 69dd72
 
Jan F. Chadima 69dd72
+# Check whether user wants AuthorizedKeysCommand support
Jan F. Chadima 69dd72
+AKC_MSG="no"
Jan F. Chadima 69dd72
+AC_ARG_WITH(authorized-keys-command,
Jan F. Chadima 69dd72
+	[  --with-authorized-keys-command      Enable AuthorizedKeysCommand support],
Jan F. Chadima 69dd72
+	[
Jan F. Chadima 69dd72
+		if test "x$withval" != "xno" ; then
Jan F. Chadima 69dd72
+			AC_DEFINE([WITH_AUTHORIZED_KEYS_COMMAND], 1, [Enable AuthorizedKeysCommand support])
Jan F. Chadima 69dd72
+			AKC_MSG="yes"
Jan F. Chadima 69dd72
+		fi
Jan F. Chadima 69dd72
+	]
Jan F. Chadima 69dd72
+)
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
 dnl    Checks for library functions. Please keep in alphabetical order
Jan F. Chadima 69dd72
 AC_CHECK_FUNCS([ \
Jan F. Chadima 69dd72
 	arc4random \
Petr Lautrbach 9fe1af
@@ -4407,6 +4419,7 @@ echo "                   SELinux support
Jan F. Chadima 69dd72
 echo "                 Smartcard support: $SCARD_MSG"
Jan F. Chadima 69dd72
 echo "                     S/KEY support: $SKEY_MSG"
Jan F. Chadima 69dd72
 echo "              TCP Wrappers support: $TCPW_MSG"
Jan F. Chadima 69dd72
+echo "     AuthorizedKeysCommand support: $AKC_MSG"
Jan F. Chadima 69dd72
 echo "              MD5 password support: $MD5_MSG"
Jan F. Chadima 69dd72
 echo "                   libedit support: $LIBEDIT_MSG"
Jan F. Chadima 69dd72
 echo "  Solaris process contract support: $SPC_MSG"
Petr Lautrbach 9fe1af
diff -up openssh-6.1p1/servconf.c.akc openssh-6.1p1/servconf.c
Petr Lautrbach 9fe1af
--- openssh-6.1p1/servconf.c.akc	2012-09-14 20:20:48.138443423 +0200
Petr Lautrbach 9fe1af
+++ openssh-6.1p1/servconf.c	2012-09-14 20:27:34.546107295 +0200
Petr Lautrbach 9fe1af
@@ -139,6 +139,8 @@ initialize_server_options(ServerOptions
Jan F. Chadima 69dd72
 	options->num_permitted_opens = -1;
Jan F. Chadima 69dd72
 	options->adm_forced_command = NULL;
Jan F. Chadima 69dd72
 	options->chroot_directory = NULL;
Jan F. Chadima 69dd72
+	options->authorized_keys_command = NULL;
Jan F. Chadima 69dd72
+	options->authorized_keys_command_runas = NULL;
Jan F. Chadima 69dd72
 	options->zero_knowledge_password_authentication = -1;
Jan F. Chadima 69dd72
 	options->revoked_keys_file = NULL;
Jan F. Chadima 69dd72
 	options->trusted_user_ca_keys = NULL;
Petr Lautrbach 9fe1af
@@ -334,6 +336,7 @@ typedef enum {
Jan F. Chadima 69dd72
 	sZeroKnowledgePasswordAuthentication, sHostCertificate,
Jan F. Chadima 69dd72
 	sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
Petr Lautrbach 9fe1af
 	sKexAlgorithms, sIPQoS, sVersionAddendum,
Jan F. Chadima 69dd72
+	sAuthorizedKeysCommand, sAuthorizedKeysCommandRunAs,
Jan F. Chadima 69dd72
 	sDeprecated, sUnsupported
Jan F. Chadima 69dd72
 } ServerOpCodes;
Jan F. Chadima 69dd72
 
Petr Lautrbach 9fe1af
@@ -461,6 +464,14 @@ static struct {
Petr Lautrbach d9e618
 	{ "requiredauthentications2", sRequiredAuthentications2, SSHCFG_ALL },
Jan F. Chadima 69dd72
 	{ "ipqos", sIPQoS, SSHCFG_ALL },
Petr Lautrbach 9fe1af
 	{ "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
Jan F. Chadima 69dd72
+#ifdef WITH_AUTHORIZED_KEYS_COMMAND
Jan F. Chadima 69dd72
+	{ "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
Jan F. Chadima 69dd72
+	{ "authorizedkeyscommandrunas", sAuthorizedKeysCommandRunAs, SSHCFG_ALL },
Jan F. Chadima 69dd72
+#else
Jan F. Chadima 69dd72
+	{ "authorizedkeyscommand", sUnsupported, SSHCFG_ALL },
Jan F. Chadima 69dd72
+	{ "authorizedkeyscommandrunas", sUnsupported, SSHCFG_ALL },
Jan F. Chadima 69dd72
+#endif
Petr Lautrbach 9fe1af
+
Jan F. Chadima 69dd72
 	{ NULL, sBadOption, 0 }
Jan F. Chadima 69dd72
 };
Jan F. Chadima 69dd72
 
Petr Lautrbach 9fe1af
@@ -1532,6 +1543,24 @@ process_server_config_line(ServerOptions
Jan F. Chadima 69dd72
 		}
Petr Lautrbach 9fe1af
 		return 0;
Jan F. Chadima 69dd72
 
Jan F. Chadima 69dd72
+	case sAuthorizedKeysCommand:
Jan F. Chadima 69dd72
+		len = strspn(cp, WHITESPACE);
Jan F. Chadima 69dd72
+		if (*activep && options->authorized_keys_command == NULL)
Jan F. Chadima 69dd72
+			options->authorized_keys_command = xstrdup(cp + len);
Jan F. Chadima 69dd72
+		return 0;
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	case sAuthorizedKeysCommandRunAs:
Jan F. Chadima 69dd72
+		charptr = &options->authorized_keys_command_runas;
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+		arg = strdelim(&cp;;
Jan F. Chadima cff1d0
+		if (!arg || *arg == '\0')
Jan F. Chadima cff1d0
+			fatal("%s line %d: missing account.",
Jan F. Chadima cff1d0
+			    filename, linenum);
Jan F. Chadima cff1d0
+
Jan F. Chadima 69dd72
+		if (*activep && *charptr == NULL)
Jan F. Chadima 69dd72
+			*charptr = xstrdup(arg);
Jan F. Chadima 69dd72
+		break;
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
 	case sDeprecated:
Jan F. Chadima 69dd72
 		logit("%s line %d: Deprecated option %s",
Jan F. Chadima 69dd72
 		    filename, linenum, arg);
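Review bot: The line `arg = strdelim(&cp;;` in the sAuthorizedKeysCommandRunAs case cannot compile as shown; if that is not a rendering artefact of this page it should read `arg = strdelim(&cp);`. The sAuthorizedKeysCommand case stores the raw remainder of the line (`options->authorized_keys_command = xstrdup(cp + len);`), including any trailing whitespace, comment or arguments, while auth2-pubkey.c later stat()s and execl()s that whole string as a single path, so such a value fails the stat with a misleading error; either trim the value here or document that only a bare absolute path with no arguments is accepted. process_server_config_line continues outside the hunk.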
Petr Lautrbach 9fe1af
@@ -1682,6 +1711,8 @@ copy_set_server_options(ServerOptions *d
Petr Lautrbach d9e618
 	M_CP_INTOPT(hostbased_uses_name_from_packet_only);
Petr Lautrbach d9e618
 	M_CP_INTOPT(kbd_interactive_authentication);
Jan F. Chadima 69dd72
 	M_CP_INTOPT(zero_knowledge_password_authentication);
Jan F. Chadima 69dd72
+	M_CP_STROPT(authorized_keys_command);
Jan F. Chadima 69dd72
+	M_CP_STROPT(authorized_keys_command_runas);
Jan F. Chadima 69dd72
 	M_CP_INTOPT(permit_root_login);
Jan F. Chadima 69dd72
 	M_CP_INTOPT(permit_empty_passwd);
Jan F. Chadima 69dd72
 
Petr Lautrbach 9fe1af
@@ -1942,6 +1973,8 @@ dump_config(ServerOptions *o)
Jan F. Chadima 69dd72
 	dump_cfg_string(sAuthorizedPrincipalsFile,
Jan F. Chadima 69dd72
 	    o->authorized_principals_file);
Petr Lautrbach 9fe1af
 	dump_cfg_string(sVersionAddendum, o->version_addendum);
Jan F. Chadima 69dd72
+	dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command);
Jan F. Chadima 69dd72
+	dump_cfg_string(sAuthorizedKeysCommandRunAs, o->authorized_keys_command_runas);
Jan F. Chadima 69dd72
 
Jan F. Chadima 69dd72
 	/* string arguments requiring a lookup */
Jan F. Chadima 69dd72
 	dump_cfg_string(sLogLevel, log_level_name(o->log_level));
Petr Lautrbach 9fe1af
diff -up openssh-6.1p1/servconf.h.akc openssh-6.1p1/servconf.h
Petr Lautrbach 9fe1af
--- openssh-6.1p1/servconf.h.akc	2012-09-14 20:20:48.000000000 +0200
Petr Lautrbach 9fe1af
+++ openssh-6.1p1/servconf.h	2012-09-14 20:23:16.691844577 +0200
Petr Lautrbach d9e618
@@ -169,6 +169,8 @@ typedef struct {
Jan F. Chadima 69dd72
 	char   *revoked_keys_file;
Jan F. Chadima 69dd72
 	char   *trusted_user_ca_keys;
Jan F. Chadima 69dd72
 	char   *authorized_principals_file;
Jan F. Chadima 69dd72
+	char   *authorized_keys_command;
Jan F. Chadima 69dd72
+	char   *authorized_keys_command_runas;
Jan F. Chadima 69dd72
 
Petr Lautrbach 9fe1af
 	char   *version_addendum;	/* Appended to SSH banner */
Petr Lautrbach 9fe1af
 }       ServerOptions;
Petr Lautrbach 9fe1af
diff -up openssh-6.1p1/sshd_config.akc openssh-6.1p1/sshd_config
Petr Lautrbach 9fe1af
--- openssh-6.1p1/sshd_config.akc	2012-07-31 04:21:34.000000000 +0200
Petr Lautrbach 9fe1af
+++ openssh-6.1p1/sshd_config	2012-09-14 20:30:46.950095769 +0200
Petr Lautrbach d9e618
@@ -49,6 +49,9 @@
Petr Lautrbach d9e618
 # but this is overridden so installations will only check .ssh/authorized_keys
Petr Lautrbach d9e618
 AuthorizedKeysFile	.ssh/authorized_keys
Petr Lautrbach d9e618
 
Petr Lautrbach d9e618
+#AuthorizedKeysCommand none
Petr Lautrbach d9e618
+#AuthorizedKeysCommandRunAs nobody
Petr Lautrbach d9e618
+
Petr Lautrbach 9fe1af
 #AuthorizedPrincipalsFile none
Petr Lautrbach 9fe1af
 
Petr Lautrbach d9e618
 # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
Petr Lautrbach 9fe1af
diff -up openssh-6.1p1/sshd_config.0.akc openssh-6.1p1/sshd_config.0
Petr Lautrbach 9fe1af
--- openssh-6.1p1/sshd_config.0.akc	2012-08-29 02:53:04.000000000 +0200
Petr Lautrbach 9fe1af
+++ openssh-6.1p1/sshd_config.0	2012-09-14 20:32:23.539624859 +0200
Jan F. Chadima 69dd72
@@ -71,6 +71,23 @@ DESCRIPTION
Jan F. Chadima 69dd72
 
Jan F. Chadima 69dd72
              See PATTERNS in ssh_config(5) for more information on patterns.
Jan F. Chadima 69dd72
 
Jan F. Chadima 69dd72
+     AuthorizedKeysCommand
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+             Specifies a program to be used for lookup of the user's
Jan F. Chadima 69dd72
+	     public keys.  The program will be invoked with its first
Petr Lautrbach d9e618
+	     argument the name of the user being authorized, and should produce
Petr Lautrbach d9e618
+	     on standard output AuthorizedKeys lines (see AUTHORIZED_KEYS
Jan F. Chadima 69dd72
+	     in sshd(8)).  By default (or when set to the empty string) there is no
Jan F. Chadima 69dd72
+	     AuthorizedKeysCommand run.  If the AuthorizedKeysCommand does not successfully
Jan F. Chadima 69dd72
+	     authorize the user, authorization falls through to the
Jan F. Chadima 69dd72
+	     AuthorizedKeysFile.  Note that this option has an effect
Jan F. Chadima 69dd72
+	     only with PubkeyAuthentication turned on.
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+     AuthorizedKeysCommandRunAs
Jan F. Chadima 69dd72
+             Specifies the user under whose account the AuthorizedKeysCommand is run.
Jan F. Chadima 69dd72
+             Empty string (the default value) means the user being authorized
Jan F. Chadima 69dd72
+             is used.
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
      AuthorizedKeysFile
Jan F. Chadima 69dd72
              Specifies the file that contains the public keys that can be used
Jan F. Chadima 69dd72
              for user authentication.  The format is described in the
Petr Lautrbach 9fe1af
@@ -402,7 +419,8 @@ DESCRIPTION
Jan F. Chadima 69dd72
              Only a subset of keywords may be used on the lines following a
Petr Lautrbach 9fe1af
              Match keyword.  Available keywords are AcceptEnv,
Petr Lautrbach 9fe1af
              AllowAgentForwarding, AllowGroups, AllowTcpForwarding,
Petr Lautrbach 9fe1af
-             AllowUsers, AuthorizedKeysFile, AuthorizedPrincipalsFile, Banner,
Petr Lautrbach 9fe1af
+             AllowUsers, AuthorizedKeysFile, AuthorizedKeysCommand,
Petr Lautrbach 9fe1af
+             AuthorizedKeysCommandRunAs, AuthorizedPrincipalsFile, Banner,
Petr Lautrbach 9fe1af
              ChrootDirectory, DenyGroups, DenyUsers, ForceCommand,
Petr Lautrbach 9fe1af
              GatewayPorts, GSSAPIAuthentication, HostbasedAuthentication,
Jan F. Chadima 69dd72
              HostbasedUsesNameFromPacketOnly, KbdInteractiveAuthentication,
Petr Lautrbach 9fe1af
diff -up openssh-6.1p1/sshd_config.5.akc openssh-6.1p1/sshd_config.5
Petr Lautrbach 9fe1af
--- openssh-6.1p1/sshd_config.5.akc	2012-09-14 20:20:48.142443448 +0200
Petr Lautrbach 9fe1af
+++ openssh-6.1p1/sshd_config.5	2012-09-14 20:29:56.003873873 +0200
Petr Lautrbach d9e618
@@ -151,6 +151,19 @@ See
Petr Lautrbach d9e618
 in
Petr Lautrbach d9e618
 .Xr ssh_config 5
Petr Lautrbach d9e618
 for more information on patterns.
Petr Lautrbach d9e618
+.It Cm AuthorizedKeysCommand
Petr Lautrbach d9e618
+Specifies a program to be used for lookup of the user's
Petr Lautrbach d9e618
+public keys.  The program will be invoked with its first
Petr Lautrbach d9e618
+argument the name of the user being authorized, and should produce
Petr Lautrbach d9e618
+on standard output AuthorizedKeys lines (see AUTHORIZED_KEYS
Petr Lautrbach d9e618
+in sshd(8)).  By default (or when set to the empty string) there is no
Petr Lautrbach d9e618
+AuthorizedKeysCommand run.  If the AuthorizedKeysCommand does not successfully
Petr Lautrbach d9e618
+authorize the user, authorization falls through to the
Petr Lautrbach d9e618
+AuthorizedKeysFile.  Note that this option has an effect
Petr Lautrbach d9e618
+only with PubkeyAuthentication turned on.
Petr Lautrbach d9e618
+.It Cm AuthorizedKeysCommandRunAs
Petr Lautrbach d9e618
+Specifies the user under whose account the AuthorizedKeysCommand is run. Empty
Petr Lautrbach d9e618
+string (the default value) means the user being authorized is used.
Petr Lautrbach d9e618
 .It Cm AuthorizedKeysFile
Petr Lautrbach d9e618
 Specifies the file that contains the public keys that can be used
Petr Lautrbach d9e618
 for user authentication.
Petr Lautrbach 9fe1af
@@ -712,6 +725,8 @@ Available keywords are
Jan F. Chadima 69dd72
 .Cm AllowTcpForwarding ,
Petr Lautrbach 9fe1af
 .Cm AllowUsers ,
Jan F. Chadima 69dd72
 .Cm AuthorizedKeysFile ,
Jan F. Chadima 69dd72
+.Cm AuthorizedKeysCommand ,
Jan F. Chadima 69dd72
+.Cm AuthorizedKeysCommandRunAs ,
Jan F. Chadima 69dd72
 .Cm AuthorizedPrincipalsFile ,
Jan F. Chadima 69dd72
 .Cm Banner ,
Jan F. Chadima 69dd72
 .Cm ChrootDirectory ,
Petr Lautrbach 9fe1af
@@ -726,6 +741,7 @@ Available keywords are
Jan F. Chadima 69dd72
 .Cm KerberosAuthentication ,
Jan F. Chadima 69dd72
 .Cm MaxAuthTries ,
Jan F. Chadima 69dd72
 .Cm MaxSessions ,
Jan F. Chadima 69dd72
+.Cm PubkeyAuthentication ,
Jan F. Chadima 69dd72
 .Cm PasswordAuthentication ,
Jan F. Chadima 69dd72
 .Cm PermitEmptyPasswords ,
Jan F. Chadima 69dd72
 .Cm PermitOpen ,