vishalmishra434 / rpms / openssh

Forked from rpms/openssh a month ago
Clone
Tomas Mraz 4f4687
diff -up pam_ssh_agent_auth-0.9.3/iterate_ssh_agent_keys.c.psaa-build pam_ssh_agent_auth-0.9.3/iterate_ssh_agent_keys.c
Tomas Mraz 4f4687
--- pam_ssh_agent_auth-0.9.3/iterate_ssh_agent_keys.c.psaa-build	2010-01-13 03:17:01.000000000 +0100
Tomas Mraz 4f4687
+++ pam_ssh_agent_auth-0.9.3/iterate_ssh_agent_keys.c	2012-06-21 20:14:56.432527764 +0200
Tomas Mraz 4f4687
@@ -37,7 +37,16 @@
Tomáš Mráz e47cb0
 #include "buffer.h"
Tomáš Mráz e47cb0
 #include "key.h"
Tomáš Mráz e47cb0
 #include "authfd.h"
Tomáš Mráz e47cb0
+#include "ssh.h"
Tomáš Mráz e47cb0
 #include <stdio.h>
Tomáš Mráz e47cb0
+#include <sys/types.h>
Tomáš Mráz e47cb0
+#include <sys/stat.h>
Tomáš Mráz e47cb0
+#include <sys/socket.h>
Tomáš Mráz e47cb0
+#include <sys/un.h>
Tomáš Mráz e47cb0
+#include <unistd.h>
Tomáš Mráz e47cb0
+#include <stdlib.h>
Tomáš Mráz e47cb0
+#include <errno.h>
Tomáš Mráz e47cb0
+#include <fcntl.h>
Tomáš Mráz e47cb0
 #include <openssl/evp.h>
Tomáš Mráz e47cb0
 
Tomáš Mráz e47cb0
 #include "userauth_pubkey_from_id.h"
Tomas Mraz 4f4687
@@ -69,6 +78,96 @@ session_id2_gen()
Tomáš Mráz e47cb0
     return cookie;
Tomáš Mráz e47cb0
 }
Tomáš Mráz e47cb0
 
Tomáš Mráz e47cb0
+/* 
Tomáš Mráz e47cb0
+ * Added by Jamie Beverly, ensure socket fd points to a socket owned by the user 
Tomáš Mráz e47cb0
+ * A cursory check is done, but to avoid race conditions, it is necessary 
Tomáš Mráz e47cb0
+ * to drop effective UID when connecting to the socket. 
Tomáš Mráz e47cb0
+ *
Tomáš Mráz e47cb0
+ * If the cause of error is EACCES, because we verified we would not have that 
Tomáš Mráz e47cb0
+ * problem initially, we can safely assume that somebody is attempting to find a 
Tomáš Mráz e47cb0
+ * race condition; so a more "direct" log message is generated.
Tomáš Mráz e47cb0
+ */
Tomáš Mráz e47cb0
+
Tomáš Mráz e47cb0
+int
Tomáš Mráz e47cb0
+ssh_get_authentication_socket_for_uid(uid_t uid)
Tomáš Mráz e47cb0
+{
Tomáš Mráz e47cb0
+	const char *authsocket;
Tomáš Mráz e47cb0
+	int sock;
Tomáš Mráz e47cb0
+	struct sockaddr_un sunaddr;
Tomáš Mráz e47cb0
+	struct stat sock_st;
Tomáš Mráz e47cb0
+
Tomáš Mráz e47cb0
+	authsocket = getenv(SSH_AUTHSOCKET_ENV_NAME);
Tomáš Mráz e47cb0
+	if (!authsocket)
Tomáš Mráz e47cb0
+		return -1;
Tomáš Mráz e47cb0
+
Tomáš Mráz e47cb0
+	/* Advisory only; seteuid ensures no race condition; but will only log if we see EACCES */
Tomáš Mráz e47cb0
+	if( stat(authsocket,&sock_st) == 0) {
Tomáš Mráz e47cb0
+		if(uid != 0 && sock_st.st_uid != uid) {
Tomáš Mráz e47cb0
+			fatal("uid %lu attempted to open an agent socket owned by uid %lu", (unsigned long) uid, (unsigned long) sock_st.st_uid);
Tomáš Mráz e47cb0
+			return -1;
Tomáš Mráz e47cb0
+		}
Tomáš Mráz e47cb0
+	}
Tomáš Mráz e47cb0
+
Tomáš Mráz e47cb0
+	/* 
Tomáš Mráz e47cb0
+	 * Ensures that the EACCES tested for below can _only_ happen if somebody 
Tomáš Mráz e47cb0
+	 * is attempting to race the stat above to bypass authentication.
Tomáš Mráz e47cb0
+	 */
Tomáš Mráz e47cb0
+	if( (sock_st.st_mode & S_IWUSR) != S_IWUSR || (sock_st.st_mode & S_IRUSR) != S_IRUSR) {
Tomáš Mráz e47cb0
+		error("ssh-agent socket has incorrect permissions for owner");
Tomáš Mráz e47cb0
+		return -1;
Tomáš Mráz e47cb0
+	}
Tomáš Mráz e47cb0
+
Tomáš Mráz e47cb0
+	sunaddr.sun_family = AF_UNIX;
Tomáš Mráz e47cb0
+	strlcpy(sunaddr.sun_path, authsocket, sizeof(sunaddr.sun_path));
Tomáš Mráz e47cb0
+
Tomáš Mráz e47cb0
+	sock = socket(AF_UNIX, SOCK_STREAM, 0);
Tomáš Mráz e47cb0
+	if (sock < 0)
Tomáš Mráz e47cb0
+		return -1;
Tomáš Mráz e47cb0
+
Tomáš Mráz e47cb0
+	/* close on exec */
Tomáš Mráz e47cb0
+	if (fcntl(sock, F_SETFD, 1) == -1) {
Tomáš Mráz e47cb0
+		close(sock);
Tomáš Mráz e47cb0
+		return -1;
Tomáš Mráz e47cb0
+	}
Tomáš Mráz e47cb0
+
Tomáš Mráz e47cb0
+	errno = 0; 
Tomáš Mráz e47cb0
+	seteuid(uid); /* To ensure a race condition is not used to circumvent the stat
Tomáš Mráz e47cb0
+	             above, we will temporarily drop UID to the caller */
Tomáš Mráz e47cb0
+	if (connect(sock, (struct sockaddr *)&sunaddr, sizeof sunaddr) < 0) {
Tomáš Mráz e47cb0
+		close(sock);
Tomáš Mráz e47cb0
+        if(errno == EACCES)
Tomáš Mráz e47cb0
+		fatal("MAJOR SECURITY WARNING: uid %lu made a deliberate and malicious attempt to open an agent socket owned by another user", (unsigned long) uid);
Tomáš Mráz e47cb0
+		return -1;
Tomáš Mráz e47cb0
+	}
Tomáš Mráz e47cb0
+
Tomáš Mráz e47cb0
+	seteuid(0); /* we now continue the regularly scheduled programming */
Tomáš Mráz e47cb0
+
Tomáš Mráz e47cb0
+	return sock;
Tomáš Mráz e47cb0
+}
Tomáš Mráz e47cb0
+
Tomáš Mráz e47cb0
+AuthenticationConnection *
Tomáš Mráz e47cb0
+ssh_get_authentication_connection_for_uid(uid_t uid)
Tomáš Mráz e47cb0
+{
Tomáš Mráz e47cb0
+	AuthenticationConnection *auth;
Tomáš Mráz e47cb0
+	int sock;
Tomáš Mráz e47cb0
+
Tomáš Mráz e47cb0
+	sock = ssh_get_authentication_socket_for_uid(uid);
Tomáš Mráz e47cb0
+
Tomáš Mráz e47cb0
+	/*
Tomáš Mráz e47cb0
+	 * Fail if we couldn't obtain a connection.  This happens if we
Tomáš Mráz e47cb0
+	 * exited due to a timeout.
Tomáš Mráz e47cb0
+	 */
Tomáš Mráz e47cb0
+	if (sock < 0)
Tomáš Mráz e47cb0
+		return NULL;
Tomáš Mráz e47cb0
+
Tomáš Mráz e47cb0
+	auth = xmalloc(sizeof(*auth));
Tomáš Mráz e47cb0
+	auth->fd = sock;
Tomáš Mráz e47cb0
+	buffer_init(&auth->identities);
Tomáš Mráz e47cb0
+	auth->howmany = 0;
Tomáš Mráz e47cb0
+
Tomáš Mráz e47cb0
+	return auth;
Tomáš Mráz e47cb0
+}
Tomáš Mráz e47cb0
+
Tomáš Mráz e47cb0
 int
Tomáš Mráz e47cb0
 find_authorized_keys(uid_t uid)
Tomáš Mráz e47cb0
 {
Tomas Mraz 4f4687
@@ -81,7 +180,7 @@ find_authorized_keys(uid_t uid)
Tomáš Mráz e47cb0
     OpenSSL_add_all_digests();
Tomáš Mráz e47cb0
     session_id2 = session_id2_gen();
Tomáš Mráz e47cb0
 
Tomáš Mráz e47cb0
-    if ((ac = ssh_get_authentication_connection(uid))) {
Tomáš Mráz e47cb0
+    if ((ac = ssh_get_authentication_connection_for_uid(uid))) {
Tomáš Mráz e47cb0
         verbose("Contacted ssh-agent of user %s (%u)", getpwuid(uid)->pw_name, uid);
Tomáš Mráz e47cb0
         for (key = ssh_get_first_identity(ac, &comment, 2); key != NULL; key = ssh_get_next_identity(ac, &comment, 2)) 
Tomáš Mráz e47cb0
         {
Tomas Mraz 4f4687
@@ -109,3 +208,4 @@ find_authorized_keys(uid_t uid)
Tomáš Mráz e47cb0
     EVP_cleanup();
Tomáš Mráz e47cb0
     return retval;
Tomáš Mráz e47cb0
 }
Tomáš Mráz e47cb0
+
Tomas Mraz 4f4687
diff -up pam_ssh_agent_auth-0.9.3/Makefile.in.psaa-build pam_ssh_agent_auth-0.9.3/Makefile.in
Tomas Mraz 4f4687
--- pam_ssh_agent_auth-0.9.3/Makefile.in.psaa-build	2009-10-27 21:19:41.000000000 +0100
Tomas Mraz 4f4687
+++ pam_ssh_agent_auth-0.9.3/Makefile.in	2012-06-21 20:14:56.432527764 +0200
Tomáš Mráz e47cb0
@@ -28,7 +28,7 @@ PATHS=
Tomáš Mráz e47cb0
 CC=@CC@
Tomáš Mráz e47cb0
 LD=@LD@
Tomáš Mráz e47cb0
 CFLAGS=@CFLAGS@
Tomáš Mráz e47cb0
-CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
Tomáš Mráz e47cb0
+CPPFLAGS=-I.. -I$(srcdir) -I/usr/include/nss3 -I/usr/include/nspr4 @CPPFLAGS@ $(PATHS) @DEFS@
Tomáš Mráz e47cb0
 LIBS=@LIBS@
Tomáš Mráz e47cb0
 AR=@AR@
Tomáš Mráz e47cb0
 AWK=@AWK@
Tomáš Mráz e47cb0
@@ -37,7 +37,7 @@ INSTALL=@INSTALL@
Tomáš Mráz e47cb0
 PERL=@PERL@
Tomáš Mráz e47cb0
 SED=@SED@
Tomáš Mráz e47cb0
 ENT=@ENT@
Tomáš Mráz e47cb0
-LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@
Tomáš Mráz e47cb0
+LDFLAGS=-L.. -L../openbsd-compat/ @LDFLAGS@
Tomáš Mráz e47cb0
 LDFLAGS_SHARED = @LDFLAGS_SHARED@
Tomáš Mráz e47cb0
 EXEEXT=@EXEEXT@
Tomáš Mráz e47cb0
 
Tomáš Mráz e47cb0
@@ -48,7 +48,7 @@ PAM_MODULES=pam_ssh_agent_auth.so
Tomáš Mráz e47cb0
 
Tomáš Mráz e47cb0
 SSHOBJS=xmalloc.o atomicio.o authfd.o bufaux.o bufbn.o buffer.o cleanup.o entropy.o fatal.o key.o log.o misc.o secure_filename.o ssh-dss.o ssh-rsa.o uuencode.o compat.o
Tomáš Mráz e47cb0
 
Tomáš Mráz e47cb0
-PAM_SSH_AGENT_AUTH_OBJS=pam_user_key_allowed2.o iterate_ssh_agent_keys.o userauth_pubkey_from_id.o pam_user_authorized_keys.o
Tomáš Mráz e47cb0
+PAM_SSH_AGENT_AUTH_OBJS=pam_user_key_allowed2.o iterate_ssh_agent_keys.o userauth_pubkey_from_id.o pam_user_authorized_keys.o secure_filename.o
Tomáš Mráz e47cb0
 
Tomáš Mráz e47cb0
 
Tomáš Mráz e47cb0
 MANPAGES_IN	= pam_ssh_agent_auth.pod
Tomáš Mráz e47cb0
@@ -67,13 +67,13 @@ $(PAM_MODULES): Makefile.in config.h
Tomáš Mráz e47cb0
 .c.o:
Tomáš Mráz e47cb0
 	$(CC) $(CFLAGS) $(CPPFLAGS) -c $<
Tomáš Mráz e47cb0
 
Tomáš Mráz e47cb0
-LIBCOMPAT=openbsd-compat/libopenbsd-compat.a
Tomáš Mráz e47cb0
+LIBCOMPAT=../openbsd-compat/libopenbsd-compat.a
Tomáš Mráz e47cb0
 $(LIBCOMPAT): always
Tomáš Mráz e47cb0
 	(cd openbsd-compat && $(MAKE))
Tomáš Mráz e47cb0
 always:
Tomáš Mráz e47cb0
 
Tomáš Mráz e47cb0
-pam_ssh_agent_auth.so: $(LIBCOMPAT) $(SSHOBJS) $(PAM_SSH_AGENT_AUTH_OBJS)  pam_ssh_agent_auth.o
Tomáš Mráz e47cb0
-	$(LD) $(LDFLAGS_SHARED) -o $@ $(SSHOBJS) $(PAM_SSH_AGENT_AUTH_OBJS) $(LDFLAGS) -lopenbsd-compat $(LIBS) -lpam pam_ssh_agent_auth.o
Tomáš Mráz e47cb0
+pam_ssh_agent_auth.so: $(PAM_SSH_AGENT_AUTH_OBJS)  pam_ssh_agent_auth.o
Tomáš Mráz e47cb0
+	$(LD) $(LDFLAGS_SHARED) -o $@ $(PAM_SSH_AGENT_AUTH_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) -lpam -lnss3 pam_ssh_agent_auth.o
Tomáš Mráz e47cb0
 
Tomáš Mráz e47cb0
 $(MANPAGES): $(MANPAGES_IN)
Tomáš Mráz e47cb0
 	pod2man --section=8 --release=v0.8 --name=pam_ssh_agent_auth --official --center "PAM" pam_ssh_agent_auth.pod > pam_ssh_agent_auth.8
Tomas Mraz 4f4687
diff -up pam_ssh_agent_auth-0.9.3/pam_user_authorized_keys.c.psaa-build pam_ssh_agent_auth-0.9.3/pam_user_authorized_keys.c