tjh.dev / nixpkgs
Clone of https://github.com/NixOS/nixpkgs.git (to stress-test knotserver)
fork atom
nixpkgs / pkgs / by-name / pa / pam_ssh_agent_auth / multiple-key-files.patch
at devShellTools-shell 371 lines 16 kB view raw
1diff -u pam_ssh_agent_auth-0.10.3-orig/iterate_ssh_agent_keys.c pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c 2--- pam_ssh_agent_auth-0.10.3-orig/iterate_ssh_agent_keys.c 2016-11-12 19:24:32.000000000 -0800 3+++ pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c 2017-03-02 23:47:18.012203283 -0800 4@@ -176,7 +176,7 @@ 5 return; 6 } 7 8-int 9+const char * 10 pamsshagentauth_find_authorized_keys(const char * user, const char * ruser, const char * servicename) 11 { 12 Buffer session_id2 = { 0 }; 13@@ -184,7 +184,7 @@ 14 Key *key; 15 AuthenticationConnection *ac; 16 char *comment; 17- uint8_t retval = 0; 18+ const char *key_file = 0; 19 uid_t uid = getpwnam(ruser)->pw_uid; 20 21 OpenSSL_add_all_digests(); 22@@ -199,13 +199,11 @@ 23 id->key = key; 24 id->filename = comment; 25 id->ac = ac; 26- if(userauth_pubkey_from_id(ruser, id, &session_id2)) { 27- retval = 1; 28- } 29+ key_file = userauth_pubkey_from_id(ruser, id, &session_id2); 30 pamsshagentauth_xfree(id->filename); 31 pamsshagentauth_key_free(id->key); 32 pamsshagentauth_xfree(id); 33- if(retval == 1) 34+ if(key_file) 35 break; 36 } 37 } 38@@ -217,5 +215,5 @@ 39 } 40 /* pamsshagentauth_xfree(session_id2); */ 41 EVP_cleanup(); 42- return retval; 43+ return key_file; 44 } 45diff -u pam_ssh_agent_auth-0.10.3-orig/iterate_ssh_agent_keys.h pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.h 46--- pam_ssh_agent_auth-0.10.3-orig/iterate_ssh_agent_keys.h 2016-11-12 19:24:32.000000000 -0800 47+++ pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.h 2017-03-02 23:48:06.345803339 -0800 48@@ -31,6 +31,6 @@ 49 #ifndef _ITERATE_SSH_AGENT_KEYS_H 50 #define _ITERATE_SSH_AGENT_KEYS_H 51 52-int pamsshagentauth_find_authorized_keys(const char * user, const char * ruser, const char * servicename); 53+const char * pamsshagentauth_find_authorized_keys(const char * user, const char * ruser, const char * servicename); 54 55 #endif 56diff -u pam_ssh_agent_auth-0.10.3-orig/pam_ssh_agent_auth.c pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c 57--- pam_ssh_agent_auth-0.10.3-orig/pam_ssh_agent_auth.c 2016-11-12 19:24:32.000000000 -0800 58+++ pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c 2017-03-02 23:51:57.642669946 -0800 59@@ -61,7 +61,6 @@ 60 #define strncasecmp_literal(A,B) strncasecmp( A, B, sizeof(B) - 1) 61 #define UNUSED(expr) do { (void)(expr); } while (0) 62 63-char *authorized_keys_file = NULL; 64 uint8_t allow_user_owned_authorized_keys_file = 0; 65 char *authorized_keys_command = NULL; 66 char *authorized_keys_command_user = NULL; 67@@ -171,15 +170,13 @@ 68 goto cleanexit; 69 } 70 71- if(authorized_keys_file_input && user) { 72- /* 73- * user is the name of the target-user, and so must be used for validating the authorized_keys file 74- */ 75- parse_authorized_key_file(user, authorized_keys_file_input); 76- } else { 77- pamsshagentauth_verbose("Using default file=/etc/security/authorized_keys"); 78- authorized_keys_file = pamsshagentauth_xstrdup("/etc/security/authorized_keys"); 79- } 80+ if (!authorized_keys_file_input || !user) 81+ authorized_keys_file_input = "/etc/security/authorized_keys"; 82+ 83+ /* 84+ * user is the name of the target-user, and so must be used for validating the authorized_keys file 85+ */ 86+ parse_authorized_key_files(user, authorized_keys_file_input); 87 88 /* 89 * PAM_USER and PAM_RUSER do not necessarily have to get set by the calling application, and we may be unable to divine the latter. 90@@ -184,5 +181,5 @@ 91 */ 92 93 if(user && strlen(ruser) > 0) { 94- pamsshagentauth_verbose("Attempting authentication: `%s' as `%s' using %s", ruser, user, authorized_keys_file); 95+ pamsshagentauth_verbose("Attempting authentication: `%s' as `%s' using %s", ruser, user, authorized_keys_file_input); 96 97@@ -201,3 +197,3 @@ 98 retval = PAM_SUCCESS; 99- pamsshagentauth_logit("Authenticated (sshd): `%s' as `%s' using %s", ruser, user, authorized_keys_file); 100+ pamsshagentauth_logit("Authenticated (sshd): `%s' as `%s' using %s", ruser, user, authorized_keys_file_input); 101 102@@ -211,11 +208,12 @@ 103 /* 104 * this pw_uid is used to validate the SSH_AUTH_SOCK, and so must be the uid of the ruser invoking the program, not the target-user 105 */ 106- if(pamsshagentauth_find_authorized_keys(user, ruser, servicename)) { /* getpwnam(ruser)->pw_uid)) { */ 107- pamsshagentauth_logit("Authenticated (agent): `%s' as `%s' using %s", ruser, user, authorized_keys_file); 108+ const char *key_file; 109+ if((key_file = pamsshagentauth_find_authorized_keys(user, ruser, servicename))) { /* getpwnam(ruser)->pw_uid)) { */ 110+ pamsshagentauth_logit("Authenticated (agent): `%s' as `%s' using %s", ruser, user, key_file); 111 retval = PAM_SUCCESS; 112 } else { 113- pamsshagentauth_logit("Failed Authentication: `%s' as `%s' using %s", ruser, user, authorized_keys_file); 114+ pamsshagentauth_logit("Failed Authentication: `%s' as `%s' using %s", ruser, user, authorized_keys_file_input); 115 } 116 } else { 117 pamsshagentauth_logit("No %s specified, cannot continue with this form of authentication", (user) ? "ruser" : "user" ); 118@@ -208,7 +206,7 @@ 119 free(__progname); 120 #endif 121 122- free(authorized_keys_file); 123+ free_authorized_key_files(); 124 125 return retval; 126 } 127diff -u pam_ssh_agent_auth-0.10.3-orig/pam_ssh_agent_auth.pod pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.pod 128--- pam_ssh_agent_auth-0.10.3-orig/pam_ssh_agent_auth.pod 2016-11-12 19:24:32.000000000 -0800 129+++ pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.pod 2017-03-02 23:52:28.914857449 -0800 130@@ -31,7 +31,7 @@ 131 132 =item file=<path to authorized_keys> 133 134-Specify the path to the authorized_keys file(s) you would like to use for authentication. Subject to tilde and % EXPANSIONS (below) 135+Specify the path(s) to the authorized_keys file(s) you would like to use for authentication. Subject to tilde and % EXPANSIONS (below). Paths are separated using colons. 136 137 =item allow_user_owned_authorized_keys_file 138 139diff -u pam_ssh_agent_auth-0.10.3-orig/pam_user_authorized_keys.c pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c 140--- pam_ssh_agent_auth-0.10.3-orig/pam_user_authorized_keys.c 2016-11-12 19:24:32.000000000 -0800 141+++ pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c 2017-03-03 00:07:45.201322570 -0800 142@@ -79,8 +79,12 @@ 143 144 #include "identity.h" 145 #include "pam_user_key_allowed2.h" 146+#include "pam_user_authorized_keys.h" 147 148-extern char *authorized_keys_file; 149+#define MAX_AUTHORIZED_KEY_FILES 16 150+ 151+char *authorized_keys_files[MAX_AUTHORIZED_KEY_FILES]; 152+unsigned int nr_authorized_keys_files = 0; 153 154 extern char *authorized_keys_command; 155 156@@ -91,79 +95,88 @@ 157 uid_t authorized_keys_file_allowed_owner_uid; 158 159 void 160-parse_authorized_key_file(const char *user, 161- const char *authorized_keys_file_input) 162+parse_authorized_key_files(const char *user, 163+ const char *authorized_keys_file_input) 164 { 165- char fqdn[HOST_NAME_MAX] = ""; 166+ const char *pos = authorized_keys_file_input; 167 char hostname[HOST_NAME_MAX] = ""; 168- char auth_keys_file_buf[4096] = ""; 169- char *slash_ptr = NULL; 170- char owner_uname[128] = ""; 171- size_t owner_uname_len = 0; 172- 173- /* 174- * temporary copy, so that both tilde expansion and percent expansion both 175- * get to apply to the path 176- */ 177- strncat(auth_keys_file_buf, authorized_keys_file_input, 178- sizeof(auth_keys_file_buf) - 1); 179+ char fqdn[HOST_NAME_MAX] = ""; 180 181- if(allow_user_owned_authorized_keys_file) 182- authorized_keys_file_allowed_owner_uid = getpwnam(user)->pw_uid; 183+#if HAVE_GETHOSTNAME 184+ *hostname = '\0'; 185+ gethostname(fqdn, HOST_NAME_MAX); 186+ strncat(hostname, fqdn, strcspn(fqdn,".")); 187+#endif 188 189- if(*auth_keys_file_buf == '~') { 190- if(*(auth_keys_file_buf + 1) == '/') { 191- authorized_keys_file_allowed_owner_uid = getpwnam(user)->pw_uid; 192+ while (pos) { 193+ const char *colon = strchr(pos, ':'); 194+ char auth_keys_file_buf[4096] = ""; 195+ char *slash_ptr = NULL; 196+ char owner_uname[128] = ""; 197+ size_t owner_uname_len = 0; 198+ 199+ strncat(auth_keys_file_buf, pos, sizeof(auth_keys_file_buf) - 1); 200+ if (colon) { 201+ auth_keys_file_buf[colon - pos] = 0; 202+ pos = colon + 1; 203 } else { 204- slash_ptr = strchr(auth_keys_file_buf, '/'); 205- if(!slash_ptr) 206- pamsshagentauth_fatal 207- ("cannot expand tilde in path without a `/'"); 208- 209- owner_uname_len = slash_ptr - auth_keys_file_buf - 1; 210- if(owner_uname_len > (sizeof(owner_uname) - 1)) 211- pamsshagentauth_fatal("Username too long"); 212- 213- strncat(owner_uname, auth_keys_file_buf + 1, owner_uname_len); 214- if(!authorized_keys_file_allowed_owner_uid) 215- authorized_keys_file_allowed_owner_uid = 216- getpwnam(owner_uname)->pw_uid; 217+ pos = 0; 218+ } 219+ 220+ if(allow_user_owned_authorized_keys_file) 221+ authorized_keys_file_allowed_owner_uid = getpwnam(user)->pw_uid; 222+ 223+ if(*auth_keys_file_buf == '~') { 224+ if(*(auth_keys_file_buf+1) == '/') { 225+ authorized_keys_file_allowed_owner_uid = getpwnam(user)->pw_uid; 226+ } 227+ else { 228+ slash_ptr = strchr(auth_keys_file_buf,'/'); 229+ if(!slash_ptr) 230+ pamsshagentauth_fatal("cannot expand tilde in path without a `/'"); 231+ 232+ owner_uname_len = slash_ptr - auth_keys_file_buf - 1; 233+ if(owner_uname_len > (sizeof(owner_uname) - 1) ) 234+ pamsshagentauth_fatal("Username too long"); 235+ 236+ strncat(owner_uname, auth_keys_file_buf + 1, owner_uname_len); 237+ if(!authorized_keys_file_allowed_owner_uid) 238+ authorized_keys_file_allowed_owner_uid = getpwnam(owner_uname)->pw_uid; 239+ } 240+ char *tmp = pamsshagentauth_tilde_expand_filename(auth_keys_file_buf, authorized_keys_file_allowed_owner_uid); 241+ strncpy(auth_keys_file_buf, tmp, sizeof(auth_keys_file_buf) - 1 ); 242+ pamsshagentauth_xfree(tmp); 243 } 244- authorized_keys_file = 245- pamsshagentauth_tilde_expand_filename(auth_keys_file_buf, 246- authorized_keys_file_allowed_owner_uid); 247- strncpy(auth_keys_file_buf, authorized_keys_file, 248- sizeof(auth_keys_file_buf) - 1); 249- pamsshagentauth_xfree(authorized_keys_file) /* when we 250- percent_expand 251- later, we'd step 252- on this, so free 253- it immediately */ ; 254- } 255 256- if(strstr(auth_keys_file_buf, "%h")) { 257- authorized_keys_file_allowed_owner_uid = getpwnam(user)->pw_uid; 258+ if(strstr(auth_keys_file_buf, "%h")) { 259+ authorized_keys_file_allowed_owner_uid = getpwnam(user)->pw_uid; 260+ } 261+ 262+ if (nr_authorized_keys_files >= MAX_AUTHORIZED_KEY_FILES) 263+ pamsshagentauth_fatal("Too many authorized key files"); 264+ authorized_keys_files[nr_authorized_keys_files++] = 265+ pamsshagentauth_percent_expand(auth_keys_file_buf, "h", getpwnam(user)->pw_dir, "H", hostname, "f", fqdn, "u", user, NULL); 266 } 267-#if HAVE_GETHOSTNAME 268- *hostname = '\0'; 269- gethostname(fqdn, HOST_NAME_MAX); 270- strncat(hostname, fqdn, strcspn(fqdn, ".")); 271-#endif 272- authorized_keys_file = 273- pamsshagentauth_percent_expand(auth_keys_file_buf, "h", 274- getpwnam(user)->pw_dir, "H", hostname, 275- "f", fqdn, "u", user, NULL); 276 } 277 278-int 279+void 280+free_authorized_key_files() 281+{ 282+ unsigned int n; 283+ for (n = 0; n < nr_authorized_keys_files; n++) 284+ free(authorized_keys_files[n]); 285+ nr_authorized_keys_files = 0; 286+} 287+ 288+const char * 289 pam_user_key_allowed(const char *ruser, Key * key) 290 { 291- return 292- pamsshagentauth_user_key_allowed2(getpwuid(authorized_keys_file_allowed_owner_uid), 293- key, authorized_keys_file) 294- || pamsshagentauth_user_key_allowed2(getpwuid(0), key, 295- authorized_keys_file) 296- || pamsshagentauth_user_key_command_allowed2(authorized_keys_command, 297- authorized_keys_command_user, 298- getpwnam(ruser), key); 299+ unsigned int n; 300+ for (n = 0; n < nr_authorized_keys_files; n++) { 301+ if (pamsshagentauth_user_key_allowed2(getpwuid(authorized_keys_file_allowed_owner_uid), key, authorized_keys_files[n]) 302+ || pamsshagentauth_user_key_allowed2(getpwuid(0), key, authorized_keys_files[n]) 303+ || pamsshagentauth_user_key_command_allowed2(authorized_keys_command, authorized_keys_command_user, getpwnam(ruser), key)) 304+ return authorized_keys_files[n]; 305+ } 306+ return 0; 307 } 308diff -u pam_ssh_agent_auth-0.10.3-orig/pam_user_authorized_keys.h pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.h 309--- pam_ssh_agent_auth-0.10.3-orig/pam_user_authorized_keys.h 2016-11-12 19:24:32.000000000 -0800 310+++ pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.h 2017-03-03 00:09:17.256064914 -0800 311@@ -28,11 +28,12 @@ 312 */ 313 314 315-#ifndef _PAM_USER_KEY_ALLOWED_H 316-#define _PAM_USER_KEY_ALLOWED_H 317+#ifndef _PAM_USER_AUTHORIZED_KEYS_H 318+#define _PAM_USER_AUTHORIZED_KEYS_H 319 320 #include "identity.h" 321-int pam_user_key_allowed(const char *, Key *); 322-void parse_authorized_key_file(const char *, const char *); 323+const char * pam_user_key_allowed(const char *, Key *); 324+void parse_authorized_key_files(const char *, const char *); 325+void free_authorized_key_files(); 326 327 #endif 328diff -u pam_ssh_agent_auth-0.10.3-orig/userauth_pubkey_from_id.c pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c 329--- pam_ssh_agent_auth-0.10.3-orig/userauth_pubkey_from_id.c 2016-11-12 19:24:32.000000000 -0800 330+++ pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c 2017-03-03 00:10:33.163545380 -0800 331@@ -52,7 +52,7 @@ 332 extern uint8_t session_id_len; 333 */ 334 335-int 336+const char * 337 userauth_pubkey_from_id(const char *ruser, Identity * id, Buffer * session_id2) 338 { 339 Buffer b = { 0 }; 340@@ -60,11 +60,12 @@ 341 u_char *pkblob = NULL, *sig = NULL; 342 u_int blen = 0, slen = 0; 343 int authenticated = 0; 344+ const char *key_file; 345 346 pkalg = (char *) key_ssh_name(id->key); 347 348 /* first test if this key is even allowed */ 349- if(! pam_user_key_allowed(ruser, id->key)) 350+ if(!(key_file = pam_user_key_allowed(ruser, id->key))) 351 goto user_auth_clean_exit; 352 353 if(pamsshagentauth_key_to_blob(id->key, &pkblob, &blen) == 0) 354@@ -97,5 +98,5 @@ 355 if(pkblob != NULL) 356 pamsshagentauth_xfree(pkblob); 357 CRYPTO_cleanup_all_ex_data(); 358- return authenticated; 359+ return authenticated ? key_file : 0; 360 } 361diff -u pam_ssh_agent_auth-0.10.3-orig/userauth_pubkey_from_id.h pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.h 362--- pam_ssh_agent_auth-0.10.3-orig/userauth_pubkey_from_id.h 2016-11-12 19:24:32.000000000 -0800 363+++ pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.h 2017-03-03 00:10:59.067046872 -0800 364@@ -32,6 +32,6 @@ 365 #define _USERAUTH_PUBKEY_FROM_ID_H 366 367 #include <identity.h> 368-int userauth_pubkey_from_id(const char *, Identity *, Buffer *); 369+const char * userauth_pubkey_from_id(const char *, Identity *, Buffer *); 370 371 #endif