diff -up openssh-6.3p1/HOWTO.ssh-keycat.keycat openssh-6.3p1/HOWTO.ssh-keycat

--- openssh-6.3p1/HOWTO.ssh-keycat.keycat	2013-10-10 15:16:33.445566916 +0200

+++ openssh-6.3p1/HOWTO.ssh-keycat	2013-10-10 15:16:33.445566916 +0200

@@ -0,0 +1,12 @@

+The ssh-keycat retrieves the content of the ~/.ssh/authorized_keys

+of an user in any environment. This includes environments with

+polyinstantiation of home directories and SELinux MLS policy enabled.

+

+To use ssh-keycat, set these options in /etc/ssh/sshd_config file:

+        AuthorizedKeysCommand /usr/libexec/openssh/ssh-keycat

+        AuthorizedKeysCommandRunAs root

+

+Do not forget to enable public key authentication:

+        PubkeyAuthentication yes

+

+

diff -up openssh-6.3p1/Makefile.in.keycat openssh-6.3p1/Makefile.in

--- openssh-6.3p1/Makefile.in.keycat	2013-10-10 15:16:33.442566930 +0200

+++ openssh-6.3p1/Makefile.in	2013-10-10 15:16:33.445566916 +0200

@@ -27,6 +27,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server

 SSH_KEYSIGN=$(libexecdir)/ssh-keysign

 SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper

 SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper

+SSH_KEYCAT=$(libexecdir)/ssh-keycat

 SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper

 PRIVSEP_PATH=@PRIVSEP_PATH@

 SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@

@@ -64,7 +65,7 @@ EXEEXT=@EXEEXT@

 MANFMT=@MANFMT@

 INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@

-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT)

+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT)

 LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \

 	canohost.o channels.o cipher.o cipher-aes.o \

@@ -172,6 +173,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT)

 ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o

 	$(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)

+ssh-keycat$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keycat.o

+	$(LD) -o $@ ssh-keycat.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(SSHDLIBS)

+

 ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o

 	$(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)

@@ -279,6 +283,7 @@ install-files:

 		$(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \

 		$(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \

 	fi

+	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keycat$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-keycat$(EXEEXT)

 	$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)

 	$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)

 	$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1

diff -up openssh-6.3p1/auth2-pubkey.c.keycat openssh-6.3p1/auth2-pubkey.c

--- openssh-6.3p1/auth2-pubkey.c.keycat	2013-10-10 15:16:33.429566992 +0200

+++ openssh-6.3p1/auth2-pubkey.c	2013-10-10 15:16:33.445566916 +0200

@@ -606,6 +606,14 @@ user_key_command_allowed2(struct passwd

 			_exit(1);

 		}

+#ifdef WITH_SELINUX

+		if (ssh_selinux_setup_env_variables() < 0) {

+			error ("failed to copy environment:  %s",

+			    strerror(errno));

+			_exit(127);

+		}

+#endif

+

 		execl(options.authorized_keys_command,

 		    options.authorized_keys_command, user_pw->pw_name, NULL);

diff -up openssh-6.3p1/openbsd-compat/port-linux.c.keycat openssh-6.3p1/openbsd-compat/port-linux.c

--- openssh-6.3p1/openbsd-compat/port-linux.c.keycat	2013-10-10 15:16:33.435566964 +0200

+++ openssh-6.3p1/openbsd-compat/port-linux.c	2013-10-10 15:32:19.946065189 +0200

@@ -313,7 +313,7 @@ ssh_selinux_getctxbyname(char *pwname,

 /* Setup environment variables for pam_selinux */

 static int

-ssh_selinux_setup_pam_variables(void)

+ssh_selinux_setup_variables(int(*set_it)(const char *, const char *))

 {

 	const char *reqlvl;

 	char *role;

@@ -324,16 +324,16 @@ ssh_selinux_setup_pam_variables(void)

 	ssh_selinux_get_role_level(&role, &reqlvl);

-	rv = do_pam_putenv("SELINUX_ROLE_REQUESTED", role ? role : "");

+	rv = set_it("SELINUX_ROLE_REQUESTED", role ? role : "");

 	if (inetd_flag && !rexeced_flag) {

 		use_current = "1";

 	} else {

 		use_current = "";

-		rv = rv || do_pam_putenv("SELINUX_LEVEL_REQUESTED", reqlvl ? reqlvl: "");

+		rv = rv || set_it("SELINUX_LEVEL_REQUESTED", reqlvl ? reqlvl: "");

 	}

-	rv = rv || do_pam_putenv("SELINUX_USE_CURRENT_RANGE", use_current);

+	rv = rv || set_it("SELINUX_USE_CURRENT_RANGE", use_current);

 	if (role != NULL)

 		free(role);

@@ -341,6 +341,24 @@ ssh_selinux_setup_pam_variables(void)

 	return rv;

 }

+static int

+ssh_selinux_setup_pam_variables(void)

+{

+	return ssh_selinux_setup_variables(do_pam_putenv);

+}

+

+static int

+do_setenv(char *name, char *value)

+{

+	return setenv(name, value, 1);

+}

+

+int

+ssh_selinux_setup_env_variables(void)

+{

+	return ssh_selinux_setup_variables(do_setenv);

+}

+

 /* Set the execution context to the default for the specified user */

 void

 ssh_selinux_setup_exec_context(char *pwname)

diff -up openssh-6.3p1/ssh-keycat.c.keycat openssh-6.3p1/ssh-keycat.c

--- openssh-6.3p1/ssh-keycat.c.keycat	2013-10-10 15:16:33.446566911 +0200

+++ openssh-6.3p1/ssh-keycat.c	2013-10-10 15:16:33.446566911 +0200

@@ -0,0 +1,238 @@

+/*

+ * Redistribution and use in source and binary forms, with or without

+ * modification, are permitted provided that the following conditions

+ * are met:

+ * 1. Redistributions of source code must retain the above copyright

+ *    notice, and the entire permission notice in its entirety,

+ *    including the disclaimer of warranties.

+ * 2. Redistributions in binary form must reproduce the above copyright

+ *    notice, this list of conditions and the following disclaimer in the

+ *    documentation and/or other materials provided with the distribution.

+ * 3. The name of the author may not be used to endorse or promote

+ *    products derived from this software without specific prior

+ *    written permission.

+ *

+ * ALTERNATIVELY, this product may be distributed under the terms of

+ * the GNU Public License, in which case the provisions of the GPL are

+ * required INSTEAD OF the above restrictions.  (This clause is

+ * necessary due to a potential bad interaction between the GPL and

+ * the restrictions contained in a BSD-style copyright.)

+ *

+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED

+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES

+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE

+ * DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,

+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES

+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR

+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,

+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED

+ * OF THE POSSIBILITY OF SUCH DAMAGE.

+ */

+

+/*

+ * Copyright (c) 2011 Red Hat, Inc.

+ * Written by Tomas Mraz <tmraz@redhat.com>

+*/

+

+#define _GNU_SOURCE

+

+#include "config.h"

+#include <stdio.h>

+#include <stdlib.h>

+#include <string.h>

+#include <sys/types.h>

+#include <sys/stat.h>

+#include <pwd.h>

+#include <fcntl.h>

+#include <unistd.h>

+

+#include <security/pam_appl.h>

+

+#include "uidswap.h"

+#include "misc.h"

+

+#define ERR_USAGE 1

+#define ERR_PAM_START 2

+#define ERR_OPEN_SESSION 3

+#define ERR_CLOSE_SESSION 4

+#define ERR_PAM_END 5

+#define ERR_GETPWNAM 6

+#define ERR_MEMORY 7

+#define ERR_OPEN 8

+#define ERR_FILE_MODE 9

+#define ERR_FDOPEN 10

+#define ERR_STAT 11

+#define ERR_WRITE 12

+#define ERR_PAM_PUTENV 13

+#define BUFLEN 4096

+

+/* Just ignore the messages in the conversation function */

+static int

+dummy_conv(int num_msg, const struct pam_message **msgm,

+	   struct pam_response **response, void *appdata_ptr)

+{

+	struct pam_response *rsp;

+

+	(void)msgm;

+	(void)appdata_ptr;

+

+	if (num_msg <= 0)

+		return PAM_CONV_ERR;

+

+	/* Just allocate the array as empty responses */

+	rsp = calloc (num_msg, sizeof (struct pam_response));

+	if (rsp == NULL)

+		return PAM_CONV_ERR;

+

+	*response = rsp;

+	return PAM_SUCCESS;

+}

+

+static struct pam_conv conv = {

+	dummy_conv,

+	NULL

+};

+

+char *

+make_auth_keys_name(const struct passwd *pwd)

+{

+	char *fname;

+

+	if (asprintf(&fname, "%s/.ssh/authorized_keys", pwd->pw_dir) < 0)

+		return NULL;

+

+	return fname;

+}

+

+int

+dump_keys(const char *user)

+{

+	struct passwd *pwd;

+	int fd = -1;

+	FILE *f = NULL;

+	char *fname = NULL;

+	int rv = 0;

+	char buf[BUFLEN];

+	size_t len;

+	struct stat st;

+

+	if ((pwd = getpwnam(user)) == NULL) {

+		return ERR_GETPWNAM;

+	}

+

+	if ((fname = make_auth_keys_name(pwd)) == NULL) {

+		return ERR_MEMORY;

+	}

+

+	temporarily_use_uid(pwd);

+

+	if ((fd = open(fname, O_RDONLY|O_NONBLOCK|O_NOFOLLOW, 0)) < 0) {

+		rv = ERR_OPEN;

+		goto fail;

+	}

+

+	if (fstat(fd, &st) < 0) {

+		rv = ERR_STAT;

+		goto fail;

+	}

+

+	if (!S_ISREG(st.st_mode) || 

+		(st.st_uid != pwd->pw_uid && st.st_uid != 0)) {

+		rv = ERR_FILE_MODE;

+		goto fail;

+	}

+

+	unset_nonblock(fd);

+

+	if ((f = fdopen(fd, "r")) == NULL) {

+		rv = ERR_FDOPEN;

+		goto fail;

+	}

+

+	fd = -1;

+

+	while ((len = fread(buf, 1, sizeof(buf), f)) > 0) {

+		rv = fwrite(buf, 1, len, stdout) != len ? ERR_WRITE : 0;

+	}

+

+fail:

+	if (fd != -1)

+		close(fd);

+	if (f != NULL)

+		fclose(f);

+	free(fname);

+	restore_uid();

+	return rv;

+}

+

+static const char *env_names[] = { "SELINUX_ROLE_REQUESTED",

+	"SELINUX_LEVEL_REQUESTED",

+	"SELINUX_USE_CURRENT_RANGE"

+};

+

+extern char **environ;

+

+int

+set_pam_environment(pam_handle_t *pamh)

+{

+	int i;

+	size_t j;

+

+	for (j = 0; j < sizeof(env_names)/sizeof(env_names[0]); ++j) {

+		int len = strlen(env_names[j]);

+

+		for (i = 0; environ[i] != NULL; ++i) {

+			if (strncmp(env_names[j], environ[i], len) == 0 &&

+			    environ[i][len] == '=') {

+				if (pam_putenv(pamh, environ[i]) != PAM_SUCCESS)

+					return ERR_PAM_PUTENV;

+			}

+		}

+	}

+

+	return 0;

+}

+

+int

+main(int argc, char *argv[])

+{

+	pam_handle_t *pamh = NULL;

+	int retval;

+	int ev = 0;

+

+	if (argc != 2) {

+		fprintf(stderr, "Usage: %s <user-name>\n", argv[0]);

+		return ERR_USAGE;

+	}

+

+	retval = pam_start("ssh-keycat", argv[1], &conv, &pamh);

+	if (retval != PAM_SUCCESS) {

+		return ERR_PAM_START;

+	}

+

+	ev = set_pam_environment(pamh);

+	if (ev != 0)

+		goto finish;

+

+	retval = pam_open_session(pamh, PAM_SILENT);

+	if (retval != PAM_SUCCESS) {

+		ev = ERR_OPEN_SESSION;

+		goto finish;

+	}

+

+	ev = dump_keys(argv[1]);

+

+	retval = pam_close_session(pamh, PAM_SILENT);

+	if (retval != PAM_SUCCESS) {

+		ev = ERR_CLOSE_SESSION;

+	}

+

+finish:

+	retval = pam_end (pamh,retval);

+	if (retval != PAM_SUCCESS) {

+		ev = ERR_PAM_END;

+	}

+	return ev;

+}