diff options
Diffstat (limited to 'scripts/git-integration/0001-Patch-sshd-for-the-AUR.patch')
-rw-r--r-- | scripts/git-integration/0001-Patch-sshd-for-the-AUR.patch | 1094 |
1 files changed, 0 insertions, 1094 deletions
diff --git a/scripts/git-integration/0001-Patch-sshd-for-the-AUR.patch b/scripts/git-integration/0001-Patch-sshd-for-the-AUR.patch deleted file mode 100644 index 688b115b..00000000 --- a/scripts/git-integration/0001-Patch-sshd-for-the-AUR.patch +++ /dev/null @@ -1,1094 +0,0 @@ -From 6423ae83d38535687d52097b7854b3c81151fe34 Mon Sep 17 00:00:00 2001 -From: Lukas Fleischer <lfleischer@archlinux.org> -Date: Sat, 11 Apr 2015 12:57:46 +0200 -Subject: [PATCH] Patch sshd for the AUR - -* Apply the latest version of Damien Miller's patch to extend the - parameters to the AuthorizedKeysCommand. - -* Remove the secure path check for the AuthorizedKeysCommand. We are - running the sshd under a non-privileged user who has as little - permissions as possible. In particular, he does not own the directory - that contains the scripts for the Git backend. - -* Prevent from running the sshd as root. - -Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org> ---- - auth2-pubkey.c | 530 +++++++++++++++++++++++++++++++++++++++++++-------------- - servconf.c | 35 ++++ - servconf.h | 8 +- - ssh.c | 5 + - sshd.c | 5 + - sshd_config.5 | 54 +++++- - sshkey.c | 172 +++++++++++-------- - sshkey.h | 1 + - 8 files changed, 606 insertions(+), 204 deletions(-) - -diff --git a/auth2-pubkey.c b/auth2-pubkey.c -index d943efa..2ce0a4b 100644 ---- a/auth2-pubkey.c -+++ b/auth2-pubkey.c -@@ -65,6 +65,9 @@ - #include "monitor_wrap.h" - #include "authfile.h" - #include "match.h" -+#include "ssherr.h" -+#include "channels.h" /* XXX for session.h */ -+#include "session.h" /* XXX for child_set_env(); refactor? */ - - /* import */ - extern ServerOptions options; -@@ -248,6 +251,227 @@ pubkey_auth_info(Authctxt *authctxt, const Key *key, const char *fmt, ...) - free(extra); - } - -+/* -+ * Splits 's' into an argument vector. Handles quoted string and basic -+ * escape characters (\\, \", \'). Caller must free the argument vector -+ * and its members. -+ */ -+static int -+split_argv(const char *s, int *argcp, char ***argvp) -+{ -+ int r = SSH_ERR_INTERNAL_ERROR; -+ int argc = 0, quote, i, j; -+ char *arg, **argv = xcalloc(1, sizeof(*argv)); -+ -+ *argvp = NULL; -+ *argcp = 0; -+ -+ for (i = 0; s[i] != '\0'; i++) { -+ /* Skip leading whitespace */ -+ if (s[i] == ' ' || s[i] == '\t') -+ continue; -+ -+ /* Start of a token */ -+ quote = 0; -+ if (s[i] == '\\' && -+ (s[i + 1] == '\'' || s[i + 1] == '\"' || s[i + 1] == '\\')) -+ i++; -+ else if (s[i] == '\'' || s[i] == '"') -+ quote = s[i++]; -+ -+ argv = xrealloc(argv, (argc + 2), sizeof(*argv)); -+ arg = argv[argc++] = xcalloc(1, strlen(s + i) + 1); -+ argv[argc] = NULL; -+ -+ /* Copy the token in, removing escapes */ -+ for (j = 0; s[i] != '\0'; i++) { -+ if (s[i] == '\\') { -+ if (s[i + 1] == '\'' || -+ s[i + 1] == '\"' || -+ s[i + 1] == '\\') { -+ i++; /* Skip '\' */ -+ arg[j++] = s[i]; -+ } else { -+ /* Unrecognised escape */ -+ arg[j++] = s[i]; -+ } -+ } else if (quote == 0 && (s[i] == ' ' || s[i] == '\t')) -+ break; /* done */ -+ else if (quote != 0 && s[i] == quote) -+ break; /* done */ -+ else -+ arg[j++] = s[i]; -+ } -+ if (s[i] == '\0') { -+ if (quote != 0) { -+ /* Ran out of string looking for close quote */ -+ r = SSH_ERR_INVALID_FORMAT; -+ goto out; -+ } -+ break; -+ } -+ } -+ /* Success */ -+ *argcp = argc; -+ *argvp = argv; -+ argc = 0; -+ argv = NULL; -+ r = 0; -+ out: -+ if (argc != 0 && argv != NULL) { -+ for (i = 0; i < argc; i++) -+ free(argv[i]); -+ free(argv); -+ } -+ return r; -+} -+ -+/* -+ * Runs command in a subprocess. Returns pid on success and a FILE* to the -+ * subprocess' stdout or 0 on failure. -+ * NB. "command" is only used for logging. -+ */ -+static pid_t -+subprocess(const char *tag, struct passwd *pw, const char *command, -+ int ac, char **av, FILE **child) -+{ -+ FILE *f; -+ struct stat st; -+ int devnull, p[2], i; -+ pid_t pid; -+ char *cp, errmsg[512]; -+ u_int envsize; -+ char **child_env; -+ -+ *child = NULL; -+ -+ debug3("%s: %s command \"%s\" running as %s", __func__, -+ tag, command, pw->pw_name); -+ -+ /* Verify the path exists and is safe-ish to execute */ -+ if (*av[0] != '/') { -+ error("%s path is not absolute", tag); -+ return 0; -+ } -+ temporarily_use_uid(pw); -+ if (stat(av[0], &st) < 0) { -+ error("Could not stat %s \"%s\": %s", tag, -+ av[0], strerror(errno)); -+ restore_uid(); -+ return 0; -+ } -+ -+ /* -+ * Run the command; stderr is left in place, stdout is the -+ * authorized_keys output. -+ */ -+ if (pipe(p) != 0) { -+ error("%s: pipe: %s", tag, strerror(errno)); -+ restore_uid(); -+ return 0; -+ } -+ -+ /* -+ * Don't want to call this in the child, where it can fatal() and -+ * run cleanup_exit() code. -+ */ -+ restore_uid(); -+ -+ switch ((pid = fork())) { -+ case -1: /* error */ -+ error("%s: fork: %s", tag, strerror(errno)); -+ close(p[0]); -+ close(p[1]); -+ return 0; -+ case 0: /* child */ -+ /* Prepare a minimal environment for the child. */ -+ envsize = 5; -+ child_env = xcalloc(sizeof(*child_env), envsize); -+ child_set_env(&child_env, &envsize, "PATH", _PATH_STDPATH); -+ child_set_env(&child_env, &envsize, "USER", pw->pw_name); -+ child_set_env(&child_env, &envsize, "LOGNAME", pw->pw_name); -+ child_set_env(&child_env, &envsize, "HOME", pw->pw_dir); -+ if ((cp = getenv("LANG")) != NULL) -+ child_set_env(&child_env, &envsize, "LANG", cp); -+ -+ for (i = 0; i < NSIG; i++) -+ signal(i, SIG_DFL); -+ -+ if ((devnull = open(_PATH_DEVNULL, O_RDWR)) == -1) { -+ error("%s: open %s: %s", tag, _PATH_DEVNULL, -+ strerror(errno)); -+ _exit(1); -+ } -+ /* Keep stderr around a while longer to catch errors */ -+ if (dup2(devnull, STDIN_FILENO) == -1 || -+ dup2(p[1], STDOUT_FILENO) == -1) { -+ error("%s: dup2: %s", tag, strerror(errno)); -+ _exit(1); -+ } -+ closefrom(STDERR_FILENO + 1); -+ -+ /* Don't use permanently_set_uid() here to avoid fatal() */ -+ if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) != 0) { -+ error("%s: setresgid %u: %s", tag, (u_int)pw->pw_gid, -+ strerror(errno)); -+ _exit(1); -+ } -+ if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) != 0) { -+ error("%s: setresuid %u: %s", tag, (u_int)pw->pw_uid, -+ strerror(errno)); -+ _exit(1); -+ } -+ /* stdin is pointed to /dev/null at this point */ -+ if (dup2(STDIN_FILENO, STDERR_FILENO) == -1) { -+ error("%s: dup2: %s", tag, strerror(errno)); -+ _exit(1); -+ } -+ -+ execve(av[0], av, child_env); -+ error("%s exec \"%s\": %s", tag, command, strerror(errno)); -+ _exit(127); -+ default: /* parent */ -+ break; -+ } -+ -+ close(p[1]); -+ if ((f = fdopen(p[0], "r")) == NULL) { -+ error("%s: fdopen: %s", tag, strerror(errno)); -+ close(p[0]); -+ /* Don't leave zombie child */ -+ kill(pid, SIGTERM); -+ while (waitpid(pid, NULL, 0) == -1 && errno == EINTR) -+ ; -+ return 0; -+ } -+ /* Success */ -+ debug3("%s: %s pid %ld", __func__, tag, (long)pid); -+ *child = f; -+ return pid; -+} -+ -+/* Returns 0 if pid exited cleanly, non-zero otherwise */ -+static int -+exited_cleanly(pid_t pid, const char *tag, const char *cmd) -+{ -+ int status; -+ -+ while (waitpid(pid, &status, 0) == -1) { -+ if (errno != EINTR) { -+ error("%s: waitpid: %s", tag, strerror(errno)); -+ return -1; -+ } -+ } -+ if (WIFSIGNALED(status)) { -+ error("%s %s exited on signal %d", tag, cmd, WTERMSIG(status)); -+ return -1; -+ } else if (WEXITSTATUS(status) != 0) { -+ error("%s %s failed, status %d", tag, cmd, WEXITSTATUS(status)); -+ return -1; -+ } -+ return 0; -+} -+ - static int - match_principals_option(const char *principal_list, struct sshkey_cert *cert) - { -@@ -269,19 +493,13 @@ match_principals_option(const char *principal_list, struct sshkey_cert *cert) - } - - static int --match_principals_file(char *file, struct passwd *pw, struct sshkey_cert *cert) -+process_principals(FILE *f, char *file, struct passwd *pw, -+ struct sshkey_cert *cert) - { -- FILE *f; - char line[SSH_MAX_PUBKEY_BYTES], *cp, *ep, *line_opts; - u_long linenum = 0; - u_int i; - -- temporarily_use_uid(pw); -- debug("trying authorized principals file %s", file); -- if ((f = auth_openprincipals(file, pw, options.strict_modes)) == NULL) { -- restore_uid(); -- return 0; -- } - while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { - /* Skip leading whitespace. */ - for (cp = line; *cp == ' ' || *cp == '\t'; cp++) -@@ -309,24 +527,119 @@ match_principals_file(char *file, struct passwd *pw, struct sshkey_cert *cert) - } - for (i = 0; i < cert->nprincipals; i++) { - if (strcmp(cp, cert->principals[i]) == 0) { -- debug3("matched principal \"%.100s\" " -- "from file \"%s\" on line %lu", -- cert->principals[i], file, linenum); -+ debug3("%s:%lu: matched principal \"%.100s\"", -+ file == NULL ? "(command)" : file, -+ linenum, cert->principals[i]); - if (auth_parse_options(pw, line_opts, - file, linenum) != 1) - continue; -- fclose(f); -- restore_uid(); - return 1; - } - } - } -+ return 0; -+} -+ -+static int -+match_principals_file(char *file, struct passwd *pw, struct sshkey_cert *cert) -+{ -+ FILE *f; -+ int success; -+ -+ temporarily_use_uid(pw); -+ debug("trying authorized principals file %s", file); -+ if ((f = auth_openprincipals(file, pw, options.strict_modes)) == NULL) { -+ restore_uid(); -+ return 0; -+ } -+ success = process_principals(f, file, pw, cert); - fclose(f); - restore_uid(); -- return 0; -+ return success; - } - - /* -+ * Checks whether principal is allowed in output of command. -+ * returns 1 if the principal is allowed or 0 otherwise. -+ */ -+static int -+match_principals_command(struct passwd *user_pw, struct sshkey *key) -+{ -+ FILE *f = NULL; -+ int ok, found_principal = 0; -+ struct passwd *pw; -+ int i, ac = 0, uid_swapped = 0; -+ pid_t pid; -+ char *username = NULL, *command = NULL, **av = NULL; -+ void (*osigchld)(int); -+ -+ if (options.authorized_principals_command == NULL) -+ return 0; -+ if (options.authorized_principals_command_user == NULL) { -+ error("No user for AuthorizedPrincipalsCommand specified, " -+ "skipping"); -+ return 0; -+ } -+ -+ /* -+ * NB. all returns later this function should go via "out" to -+ * ensure the original SIGCHLD handler is restored properly. -+ */ -+ osigchld = signal(SIGCHLD, SIG_DFL); -+ -+ /* Prepare and verify the user for the command */ -+ username = percent_expand(options.authorized_principals_command_user, -+ "u", user_pw->pw_name, (char *)NULL); -+ pw = getpwnam(username); -+ if (pw == NULL) { -+ error("AuthorizedPrincipalsCommandUser \"%s\" not found: %s", -+ username, strerror(errno)); -+ goto out; -+ } -+ -+ command = percent_expand(options.authorized_principals_command, -+ "u", user_pw->pw_name, "h", user_pw->pw_dir, (char *)NULL); -+ -+ /* Turn the command into an argument vector */ -+ if (split_argv(command, &ac, &av) != 0) { -+ error("AuthorizedPrincipalsCommand \"%s\" contains " -+ "invalid quotes", command); -+ goto out; -+ } -+ if (ac == 0) { -+ error("AuthorizedPrincipalsCommand \"%s\" yielded no arguments", -+ command); -+ goto out; -+ } -+ -+ if ((pid = subprocess("AuthorizedPrincipalsCommand", pw, command, -+ ac, av, &f)) == 0) -+ goto out; -+ -+ uid_swapped = 1; -+ temporarily_use_uid(pw); -+ -+ ok = process_principals(f, NULL, pw, key->cert); -+ -+ if (exited_cleanly(pid, "AuthorizedPrincipalsCommand", command)) -+ goto out; -+ -+ /* Read completed successfully */ -+ found_principal = ok; -+ out: -+ if (f != NULL) -+ fclose(f); -+ signal(SIGCHLD, osigchld); -+ for (i = 0; i < ac; i++) -+ free(av[i]); -+ free(av); -+ if (uid_swapped) -+ restore_uid(); -+ free(command); -+ free(username); -+ return found_principal; -+} -+/* - * Checks whether key is allowed in authorized_keys-format file, - * returns 1 if the key is allowed or 0 otherwise. - */ -@@ -448,7 +761,7 @@ user_cert_trusted_ca(struct passwd *pw, Key *key) - { - char *ca_fp, *principals_file = NULL; - const char *reason; -- int ret = 0; -+ int ret = 0, found_principal = 0; - - if (!key_is_cert(key) || options.trusted_user_ca_keys == NULL) - return 0; -@@ -470,14 +783,20 @@ user_cert_trusted_ca(struct passwd *pw, Key *key) - * against the username. - */ - if ((principals_file = authorized_principals_file(pw)) != NULL) { -- if (!match_principals_file(principals_file, pw, key->cert)) { -- reason = "Certificate does not contain an " -- "authorized principal"; -+ if (match_principals_file(principals_file, pw, key->cert)) -+ found_principal = 1; -+ } -+ /* Try querying command if specified */ -+ if (!found_principal && match_principals_command(pw, key)) -+ found_principal = 1; -+ /* If principals file or command specify, then require a match here */ -+ if (!found_principal && (principals_file != NULL || -+ options.authorized_principals_command != NULL)) { -+ reason = "Certificate does not contain an authorized principal"; - fail_reason: -- error("%s", reason); -- auth_debug_add("%s", reason); -- goto out; -- } -+ error("%s", reason); -+ auth_debug_add("%s", reason); -+ goto out; - } - if (key_cert_check_authority(key, 0, 1, - principals_file == NULL ? pw->pw_name : NULL, &reason) != 0) -@@ -526,144 +845,105 @@ user_key_allowed2(struct passwd *pw, Key *key, char *file) - static int - user_key_command_allowed2(struct passwd *user_pw, Key *key) - { -- FILE *f; -- int ok, found_key = 0; -+ FILE *f = NULL; -+ int r, ok, found_key = 0; - struct passwd *pw; -- struct stat st; -- int status, devnull, p[2], i; -+ int i, uid_swapped = 0, ac = 0; - pid_t pid; -- char *username, errmsg[512]; -+ char *username = NULL, *key_fp = NULL, *keytext = NULL; -+ char *command = NULL, **av = NULL; -+ void (*osigchld)(int); - -- if (options.authorized_keys_command == NULL || -- options.authorized_keys_command[0] != '/') -+ if (options.authorized_keys_command == NULL) - return 0; -- - if (options.authorized_keys_command_user == NULL) { - error("No user for AuthorizedKeysCommand specified, skipping"); - return 0; - } - -+ /* -+ * NB. all returns later this function should go via "out" to -+ * ensure the original SIGCHLD handler is restored properly. -+ */ -+ osigchld = signal(SIGCHLD, SIG_DFL); -+ -+ /* Prepare and verify the user for the command */ - username = percent_expand(options.authorized_keys_command_user, - "u", user_pw->pw_name, (char *)NULL); - pw = getpwnam(username); - if (pw == NULL) { - error("AuthorizedKeysCommandUser \"%s\" not found: %s", - username, strerror(errno)); -- free(username); -- return 0; -+ goto out; - } -- free(username); -- -- temporarily_use_uid(pw); - -- if (stat(options.authorized_keys_command, &st) < 0) { -- error("Could not stat AuthorizedKeysCommand \"%s\": %s", -- options.authorized_keys_command, strerror(errno)); -+ /* Prepare AuthorizedKeysCommand */ -+ if ((key_fp = sshkey_fingerprint(key, options.fingerprint_hash, -+ SSH_FP_DEFAULT)) == NULL) { -+ error("%s: sshkey_fingerprint failed", __func__); - goto out; - } -- if (auth_secure_path(options.authorized_keys_command, &st, NULL, 0, -- errmsg, sizeof(errmsg)) != 0) { -- error("Unsafe AuthorizedKeysCommand: %s", errmsg); -+ if ((r = sshkey_to_base64(key, &keytext)) != 0) { -+ error("%s: sshkey_to_base64 failed: %s", __func__, ssh_err(r)); - goto out; - } -- -- if (pipe(p) != 0) { -- error("%s: pipe: %s", __func__, strerror(errno)); -+ command = percent_expand(options.authorized_keys_command, -+ "u", user_pw->pw_name, "h", user_pw->pw_dir, -+ "t", sshkey_ssh_name(key), "f", key_fp, "k", keytext, (char *)NULL); -+ -+ /* Turn the command into an argument vector */ -+ if (split_argv(command, &ac, &av) != 0) { -+ error("AuthorizedKeysCommand \"%s\" contains invalid quotes", -+ command); -+ goto out; -+ } -+ if (ac == 0) { -+ error("AuthorizedKeysCommand \"%s\" yielded no arguments", -+ command); - goto out; - } -- -- debug3("Running AuthorizedKeysCommand: \"%s %s\" as \"%s\"", -- options.authorized_keys_command, user_pw->pw_name, pw->pw_name); - - /* -- * Don't want to call this in the child, where it can fatal() and -- * run cleanup_exit() code. -+ * If AuthorizedKeysCommand was run without arguments -+ * then fall back to the old behaviour of passing the -+ * target username as a single argument. - */ -- restore_uid(); -- -- switch ((pid = fork())) { -- case -1: /* error */ -- error("%s: fork: %s", __func__, strerror(errno)); -- close(p[0]); -- close(p[1]); -- return 0; -- case 0: /* child */ -- for (i = 0; i < NSIG; i++) -- signal(i, SIG_DFL); -- -- if ((devnull = open(_PATH_DEVNULL, O_RDWR)) == -1) { -- error("%s: open %s: %s", __func__, _PATH_DEVNULL, -- strerror(errno)); -- _exit(1); -- } -- /* Keep stderr around a while longer to catch errors */ -- if (dup2(devnull, STDIN_FILENO) == -1 || -- dup2(p[1], STDOUT_FILENO) == -1) { -- error("%s: dup2: %s", __func__, strerror(errno)); -- _exit(1); -- } -- closefrom(STDERR_FILENO + 1); -- -- /* Don't use permanently_set_uid() here to avoid fatal() */ -- if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) != 0) { -- error("setresgid %u: %s", (u_int)pw->pw_gid, -- strerror(errno)); -- _exit(1); -- } -- if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) != 0) { -- error("setresuid %u: %s", (u_int)pw->pw_uid, -- strerror(errno)); -- _exit(1); -- } -- /* stdin is pointed to /dev/null at this point */ -- if (dup2(STDIN_FILENO, STDERR_FILENO) == -1) { -- error("%s: dup2: %s", __func__, strerror(errno)); -- _exit(1); -- } -- -- execl(options.authorized_keys_command, -- options.authorized_keys_command, user_pw->pw_name, NULL); -- -- error("AuthorizedKeysCommand %s exec failed: %s", -- options.authorized_keys_command, strerror(errno)); -- _exit(127); -- default: /* parent */ -- break; -+ if (ac == 1) { -+ av = xrealloc(av, ac + 2, sizeof(*av)); -+ av[1] = xstrdup(user_pw->pw_name); -+ av[2] = NULL; -+ /* Fix up command too, since it is used in log messages */ -+ free(command); -+ xasprintf(&command, "%s %s", av[0], av[1]); - } - -+ if ((pid = subprocess("AuthorizedKeysCommand", pw, command, -+ ac, av, &f)) == 0) -+ goto out; -+ -+ uid_swapped = 1; - temporarily_use_uid(pw); - -- close(p[1]); -- if ((f = fdopen(p[0], "r")) == NULL) { -- error("%s: fdopen: %s", __func__, strerror(errno)); -- close(p[0]); -- /* Don't leave zombie child */ -- kill(pid, SIGTERM); -- while (waitpid(pid, NULL, 0) == -1 && errno == EINTR) -- ; -- goto out; -- } - ok = check_authkeys_file(f, options.authorized_keys_command, key, pw); -- fclose(f); - -- while (waitpid(pid, &status, 0) == -1) { -- if (errno != EINTR) { -- error("%s: waitpid: %s", __func__, strerror(errno)); -- goto out; -- } -- } -- if (WIFSIGNALED(status)) { -- error("AuthorizedKeysCommand %s exited on signal %d", -- options.authorized_keys_command, WTERMSIG(status)); -+ if (exited_cleanly(pid, "AuthorizedKeysCommand", command)) - goto out; -- } else if (WEXITSTATUS(status) != 0) { -- error("AuthorizedKeysCommand %s returned status %d", -- options.authorized_keys_command, WEXITSTATUS(status)); -- goto out; -- } -+ -+ /* Read completed successfully */ - found_key = ok; - out: -- restore_uid(); -+ if (f != NULL) -+ fclose(f); -+ signal(SIGCHLD, osigchld); -+ for (i = 0; i < ac; i++) -+ free(av[i]); -+ free(av); -+ if (uid_swapped) -+ restore_uid(); -+ free(command); -+ free(username); -+ free(key_fp); -+ free(keytext); - return found_key; - } - -diff --git a/servconf.c b/servconf.c -index 3185462..510cdde 100644 ---- a/servconf.c -+++ b/servconf.c -@@ -159,6 +159,8 @@ initialize_server_options(ServerOptions *options) - options->revoked_keys_file = NULL; - options->trusted_user_ca_keys = NULL; - options->authorized_principals_file = NULL; -+ options->authorized_principals_command = NULL; -+ options->authorized_principals_command_user = NULL; - options->ip_qos_interactive = -1; - options->ip_qos_bulk = -1; - options->version_addendum = NULL; -@@ -396,6 +398,7 @@ typedef enum { - sUsePrivilegeSeparation, sAllowAgentForwarding, - sHostCertificate, - sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, -+ sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser, - sKexAlgorithms, sIPQoS, sVersionAddendum, - sAuthorizedKeysCommand, sAuthorizedKeysCommandUser, - sAuthenticationMethods, sHostKeyAgent, sPermitUserRC, -@@ -528,6 +531,8 @@ static struct { - { "ipqos", sIPQoS, SSHCFG_ALL }, - { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL }, - { "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL }, -+ { "authorizedprincipalscommand", sAuthorizedPrincipalsCommand, SSHCFG_ALL }, -+ { "authorizedprincipalscommanduser", sAuthorizedPrincipalsCommandUser, SSHCFG_ALL }, - { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL }, - { "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL }, - { "streamlocalbindmask", sStreamLocalBindMask, SSHCFG_ALL }, -@@ -1697,6 +1702,34 @@ process_server_config_line(ServerOptions *options, char *line, - *charptr = xstrdup(arg); - break; - -+ case sAuthorizedPrincipalsCommand: -+ if (cp == NULL) -+ fatal("%.200s line %d: Missing argument.", filename, -+ linenum); -+ len = strspn(cp, WHITESPACE); -+ if (*activep && -+ options->authorized_principals_command == NULL) { -+ if (cp[len] != '/' && strcasecmp(cp + len, "none") != 0) -+ fatal("%.200s line %d: " -+ "AuthorizedPrincipalsCommand must be " -+ "an absolute path", filename, linenum); -+ options->authorized_principals_command = -+ xstrdup(cp + len); -+ } -+ return 0; -+ -+ case sAuthorizedPrincipalsCommandUser: -+ charptr = &options->authorized_principals_command_user; -+ -+ arg = strdelim(&cp); -+ if (!arg || *arg == '\0') -+ fatal("%s line %d: missing " -+ "AuthorizedPrincipalsCommandUser argument.", -+ filename, linenum); -+ if (*activep && *charptr == NULL) -+ *charptr = xstrdup(arg); -+ break; -+ - case sAuthenticationMethods: - if (*activep && options->num_auth_methods == 0) { - while ((arg = strdelim(&cp)) && *arg != '\0') { -@@ -2166,6 +2199,8 @@ dump_config(ServerOptions *o) - dump_cfg_string(sVersionAddendum, o->version_addendum); - dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command); - dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user); -+ dump_cfg_string(sAuthorizedPrincipalsCommand, o->authorized_principals_command); -+ dump_cfg_string(sAuthorizedPrincipalsCommandUser, o->authorized_principals_command_user); - dump_cfg_string(sHostKeyAgent, o->host_key_agent); - dump_cfg_string(sKexAlgorithms, - o->kex_algorithms ? o->kex_algorithms : KEX_SERVER_KEX); -diff --git a/servconf.h b/servconf.h -index 9922f0c..35d6673 100644 ---- a/servconf.h -+++ b/servconf.h -@@ -176,9 +176,11 @@ typedef struct { - char *chroot_directory; - char *revoked_keys_file; - char *trusted_user_ca_keys; -- char *authorized_principals_file; - char *authorized_keys_command; - char *authorized_keys_command_user; -+ char *authorized_principals_file; -+ char *authorized_principals_command; -+ char *authorized_principals_command_user; - - int64_t rekey_limit; - int rekey_interval; -@@ -214,9 +216,11 @@ struct connection_info { - M_CP_STROPT(banner); \ - M_CP_STROPT(trusted_user_ca_keys); \ - M_CP_STROPT(revoked_keys_file); \ -- M_CP_STROPT(authorized_principals_file); \ - M_CP_STROPT(authorized_keys_command); \ - M_CP_STROPT(authorized_keys_command_user); \ -+ M_CP_STROPT(authorized_principals_file); \ -+ M_CP_STROPT(authorized_principals_command); \ -+ M_CP_STROPT(authorized_principals_command_user); \ - M_CP_STROPT(hostbased_key_types); \ - M_CP_STROPT(pubkey_key_types); \ - M_CP_STRARRAYOPT(authorized_keys_files, num_authkeys_files); \ -diff --git a/ssh.c b/ssh.c -index 0ad82f0..abf4e54 100644 ---- a/ssh.c -+++ b/ssh.c -@@ -548,6 +548,11 @@ main(int ac, char **av) - original_real_uid = getuid(); - original_effective_uid = geteuid(); - -+ if (original_effective_uid == 0) { -+ fprintf(stderr, "this is a patched version of the sshd that must not be run as root.\n"); -+ exit(1); -+ } -+ - /* - * Use uid-swapping to give up root privileges for the duration of - * option processing. We will re-instantiate the rights when we are -diff --git a/sshd.c b/sshd.c -index 6aa17fa..672c486 100644 ---- a/sshd.c -+++ b/sshd.c -@@ -1694,6 +1694,11 @@ main(int ac, char **av) - strcasecmp(options.authorized_keys_command, "none") != 0)) - fatal("AuthorizedKeysCommand set without " - "AuthorizedKeysCommandUser"); -+ if (options.authorized_principals_command_user == NULL && -+ (options.authorized_principals_command != NULL && -+ strcasecmp(options.authorized_principals_command, "none") != 0)) -+ fatal("AuthorizedPrincipalsCommand set without " -+ "AuthorizedPrincipalsCommandUser"); - - /* - * Check whether there is any path through configured auth methods. -diff --git a/sshd_config.5 b/sshd_config.5 -index 6dce0c7..a267af9 100644 ---- a/sshd_config.5 -+++ b/sshd_config.5 -@@ -230,9 +230,21 @@ The default is not to require multiple authentication; successful completion - of a single authentication method is sufficient. - .It Cm AuthorizedKeysCommand - Specifies a program to be used to look up the user's public keys. --The program must be owned by root and not writable by group or others. --It will be invoked with a single argument of the username --being authenticated, and should produce on standard output zero or -+The program must be owned by root, not writable by group or others and -+specified by an absolute path. -+.Pp -+Arguments to -+.Cm AuthorizedKeysCommand -+may be provided using the following tokens, which will be expanded -+at runtime: %% is replaced by a literal '%', %u is replaced by the -+username being authenticated, %h is replaced by the home directory -+of the user being authenticated, %t is replaced with the key type -+offered for authentication, %f is replaced with the fingerprint of -+the key, and %k is replaced with the key being offered for authentication. -+If no arguments are specified then the username of the target user -+will be supplied. -+.Pp -+The program should produce on standard output zero or - more lines of authorized_keys output (see AUTHORIZED_KEYS in - .Xr sshd 8 ) . - If a key supplied by AuthorizedKeysCommand does not successfully authenticate -@@ -271,6 +283,42 @@ directory. - Multiple files may be listed, separated by whitespace. - The default is - .Dq .ssh/authorized_keys .ssh/authorized_keys2 . -+.It Cm AuthorizedPrincipalsCommand -+Specifies a program to be used to generate the list of allowed -+certificate principals as per -+.Cm AuthorizedPrincipalsFile . -+The program must be owned by root, not writable by group or others and -+specified by an absolute path. -+.Pp -+Arguments to -+.Cm AuthorizedPrincipalsCommand -+may be provided using the following tokens, which will be expanded -+at runtime: %% is replaced by a literal '%', %u is replaced by the -+username being authenticated and %h is replaced by the home directory -+of the user being authenticated. -+.Pp -+The program should produce on standard output zero or -+more lines of -+.Cm AuthorizedPrincipalsFile -+output. -+If either -+.Cm AuthorizedPrincipalsCommand -+or -+.Cm AuthorizedPrincipalsFile -+is specified, then certificates offered by the client for authentication -+must contain a principal that is listed. -+By default, no AuthorizedPrincipalsCommand is run. -+.It Cm AuthorizedPrincipalsCommandUser -+Specifies the user under whose account the AuthorizedPrincipalsCommand is run. -+It is recommended to use a dedicated user that has no other role on the host -+than running authorized principals commands. -+If -+.Cm AuthorizedPrincipalsCommand -+is specified but -+.Cm AuthorizedPrincipalsCommandUser -+is not, then -+.Xr sshd 8 -+will refuse to start. - .It Cm AuthorizedPrincipalsFile - Specifies a file that lists principal names that are accepted for - certificate authentication. -diff --git a/sshkey.c b/sshkey.c -index 3cc3f44..ecb61fd 100644 ---- a/sshkey.c -+++ b/sshkey.c -@@ -761,6 +761,12 @@ to_blob_buf(const struct sshkey *key, struct sshbuf *b, int force_plain) - if (key == NULL) - return SSH_ERR_INVALID_ARGUMENT; - -+ if (sshkey_is_cert(key)) { -+ if (key->cert == NULL) -+ return SSH_ERR_EXPECTED_CERT; -+ if (sshbuf_len(key->cert->certblob) == 0) -+ return SSH_ERR_KEY_LACKS_CERTBLOB; -+ } - type = force_plain ? sshkey_type_plain(key->type) : key->type; - typename = sshkey_ssh_name_from_type_nid(type, key->ecdsa_nid); - -@@ -1409,98 +1415,116 @@ sshkey_read(struct sshkey *ret, char **cpp) - } - - int --sshkey_write(const struct sshkey *key, FILE *f) -+sshkey_to_base64(const struct sshkey *key, char **b64p) - { -- int ret = SSH_ERR_INTERNAL_ERROR; -- struct sshbuf *b = NULL, *bb = NULL; -+ int r = SSH_ERR_INTERNAL_ERROR; -+ struct sshbuf *b = NULL; - char *uu = NULL; -+ -+ if (b64p != NULL) -+ *b64p = NULL; -+ if ((b = sshbuf_new()) == NULL) -+ return SSH_ERR_ALLOC_FAIL; -+ if ((r = sshkey_putb(key, b)) != 0) -+ goto out; -+ if ((uu = sshbuf_dtob64(b)) == NULL) { -+ r = SSH_ERR_ALLOC_FAIL; -+ goto out; -+ } -+ /* Success */ -+ if (b64p != NULL) { -+ *b64p = uu; -+ uu = NULL; -+ } -+ r = 0; -+ out: -+ sshbuf_free(b); -+ free(uu); -+ return r; -+} -+ -+static int -+sshkey_format_rsa1(const struct sshkey *key, struct sshbuf *b) -+{ -+ int r = SSH_ERR_INTERNAL_ERROR; - #ifdef WITH_SSH1 - u_int bits = 0; - char *dec_e = NULL, *dec_n = NULL; --#endif /* WITH_SSH1 */ - -- if (sshkey_is_cert(key)) { -- if (key->cert == NULL) -- return SSH_ERR_EXPECTED_CERT; -- if (sshbuf_len(key->cert->certblob) == 0) -- return SSH_ERR_KEY_LACKS_CERTBLOB; -+ if (key->rsa == NULL || key->rsa->e == NULL || -+ key->rsa->n == NULL) { -+ r = SSH_ERR_INVALID_ARGUMENT; -+ goto out; - } -- if ((b = sshbuf_new()) == NULL) -- return SSH_ERR_ALLOC_FAIL; -- switch (key->type) { --#ifdef WITH_SSH1 -- case KEY_RSA1: -- if (key->rsa == NULL || key->rsa->e == NULL || -- key->rsa->n == NULL) { -- ret = SSH_ERR_INVALID_ARGUMENT; -- goto out; -- } -- if ((dec_e = BN_bn2dec(key->rsa->e)) == NULL || -- (dec_n = BN_bn2dec(key->rsa->n)) == NULL) { -- ret = SSH_ERR_ALLOC_FAIL; -- goto out; -- } -- /* size of modulus 'n' */ -- if ((bits = BN_num_bits(key->rsa->n)) <= 0) { -- ret = SSH_ERR_INVALID_ARGUMENT; -- goto out; -- } -- if ((ret = sshbuf_putf(b, "%u %s %s", bits, dec_e, dec_n)) != 0) -- goto out; -+ if ((dec_e = BN_bn2dec(key->rsa->e)) == NULL || -+ (dec_n = BN_bn2dec(key->rsa->n)) == NULL) { -+ r = SSH_ERR_ALLOC_FAIL; -+ goto out; -+ } -+ /* size of modulus 'n' */ -+ if ((bits = BN_num_bits(key->rsa->n)) <= 0) { -+ r = SSH_ERR_INVALID_ARGUMENT; -+ goto out; -+ } -+ if ((r = sshbuf_putf(b, "%u %s %s", bits, dec_e, dec_n)) != 0) -+ goto out; -+ -+ /* Success */ -+ r = 0; -+ out: -+ if (dec_e != NULL) -+ OPENSSL_free(dec_e); -+ if (dec_n != NULL) -+ OPENSSL_free(dec_n); - #endif /* WITH_SSH1 */ -- break; --#ifdef WITH_OPENSSL -- case KEY_DSA: -- case KEY_DSA_CERT_V00: -- case KEY_DSA_CERT: -- case KEY_ECDSA: -- case KEY_ECDSA_CERT: -- case KEY_RSA: -- case KEY_RSA_CERT_V00: -- case KEY_RSA_CERT: --#endif /* WITH_OPENSSL */ -- case KEY_ED25519: -- case KEY_ED25519_CERT: -- if ((bb = sshbuf_new()) == NULL) { -- ret = SSH_ERR_ALLOC_FAIL; -- goto out; -- } -- if ((ret = sshkey_putb(key, bb)) != 0) -- goto out; -- if ((uu = sshbuf_dtob64(bb)) == NULL) { -- ret = SSH_ERR_ALLOC_FAIL; -+ -+ return r; -+} -+ -+static int -+sshkey_format_text(const struct sshkey *key, struct sshbuf *b) -+{ -+ int r = SSH_ERR_INTERNAL_ERROR; -+ char *uu = NULL; -+ -+ if (key->type == KEY_RSA1) { -+ if ((r = sshkey_format_rsa1(key, b)) != 0) - goto out; -- } -- if ((ret = sshbuf_putf(b, "%s ", sshkey_ssh_name(key))) != 0) -+ } else { -+ /* Unsupported key types handled in sshkey_to_base64() */ -+ if ((r = sshkey_to_base64(key, &uu)) != 0) - goto out; -- if ((ret = sshbuf_put(b, uu, strlen(uu))) != 0) -+ if ((r = sshbuf_putf(b, "%s %s", -+ sshkey_ssh_name(key), uu)) != 0) - goto out; -- break; -- default: -- ret = SSH_ERR_KEY_TYPE_UNKNOWN; -- goto out; - } -+ r = 0; -+ out: -+ free(uu); -+ return r; -+} -+ -+int -+sshkey_write(const struct sshkey *key, FILE *f) -+{ -+ struct sshbuf *b = NULL; -+ int r = SSH_ERR_INTERNAL_ERROR; -+ -+ if ((b = sshbuf_new()) == NULL) -+ return SSH_ERR_ALLOC_FAIL; -+ if ((r = sshkey_format_text(key, b)) != 0) -+ goto out; - if (fwrite(sshbuf_ptr(b), sshbuf_len(b), 1, f) != 1) { - if (feof(f)) - errno = EPIPE; -- ret = SSH_ERR_SYSTEM_ERROR; -+ r = SSH_ERR_SYSTEM_ERROR; - goto out; - } -- ret = 0; -+ /* Success */ -+ r = 0; - out: -- if (b != NULL) -- sshbuf_free(b); -- if (bb != NULL) -- sshbuf_free(bb); -- if (uu != NULL) -- free(uu); --#ifdef WITH_SSH1 -- if (dec_e != NULL) -- OPENSSL_free(dec_e); -- if (dec_n != NULL) -- OPENSSL_free(dec_n); --#endif /* WITH_SSH1 */ -- return ret; -+ sshbuf_free(b); -+ return r; - } - - const char * -diff --git a/sshkey.h b/sshkey.h -index 62c1c3e..98f1ca9 100644 ---- a/sshkey.h -+++ b/sshkey.h -@@ -163,6 +163,7 @@ int sshkey_from_blob(const u_char *, size_t, struct sshkey **); - int sshkey_fromb(struct sshbuf *, struct sshkey **); - int sshkey_froms(struct sshbuf *, struct sshkey **); - int sshkey_to_blob(const struct sshkey *, u_char **, size_t *); -+int sshkey_to_base64(const struct sshkey *, char **); - int sshkey_putb(const struct sshkey *, struct sshbuf *); - int sshkey_puts(const struct sshkey *, struct sshbuf *); - int sshkey_plain_to_blob(const struct sshkey *, u_char **, size_t *); --- -2.3.5 - |