|
0 |
-- openssh-4.3p1/Makefile.in |
0 |
++ openssh-4.3p1/Makefile.in |
Lines 43-48
|
43 |
CFLAGS=@CFLAGS@ |
43 |
CFLAGS=@CFLAGS@ |
44 |
CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ |
44 |
CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ |
45 |
LIBS=@LIBS@ |
45 |
LIBS=@LIBS@ |
|
|
46 |
LIBSELINUX=@LIBSELINUX@ |
46 |
LIBEDIT=@LIBEDIT@ |
47 |
LIBEDIT=@LIBEDIT@ |
47 |
LIBPAM=@LIBPAM@ |
48 |
LIBPAM=@LIBPAM@ |
48 |
LIBWRAP=@LIBWRAP@ |
49 |
LIBWRAP=@LIBWRAP@ |
Lines 77-83
|
77 |
sshconnect.o sshconnect1.o sshconnect2.o |
78 |
sshconnect.o sshconnect1.o sshconnect2.o |
78 |
|
79 |
|
79 |
SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ |
80 |
SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ |
80 |
sshpty.o sshlogin.o servconf.o serverloop.o \ |
81 |
sshpty.o sshlogin.o servconf.o serverloop.o selinux.o \ |
81 |
auth.o auth1.o auth2.o auth-options.o session.o \ |
82 |
auth.o auth1.o auth2.o auth-options.o session.o \ |
82 |
auth-chall.o auth2-chall.o groupaccess.o \ |
83 |
auth-chall.o auth2-chall.o groupaccess.o \ |
83 |
auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \ |
84 |
auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \ |
Lines 136-142
|
136 |
$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) |
137 |
$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) |
137 |
|
138 |
|
138 |
sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS) |
139 |
sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS) |
139 |
$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBS) |
140 |
$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBSELINUX) $(LIBS) |
140 |
|
141 |
|
141 |
scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o |
142 |
scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o |
142 |
$(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) |
143 |
$(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) |
143 |
-- openssh-4.3p1/auth.h |
144 |
++ openssh-4.3p1/auth.h |
Lines 58-63
|
58 |
char *service; |
58 |
char *service; |
59 |
struct passwd *pw; /* set if 'valid' */ |
59 |
struct passwd *pw; /* set if 'valid' */ |
60 |
char *style; |
60 |
char *style; |
|
|
61 |
char *role; |
61 |
void *kbdintctxt; |
62 |
void *kbdintctxt; |
62 |
#ifdef BSD_AUTH |
63 |
#ifdef BSD_AUTH |
63 |
auth_session_t *as; |
64 |
auth_session_t *as; |
64 |
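Review bot: `char *role;` is added to `Authctxt` without a comment, while its neighbour `pw` says when it is set; write `char *role; /* SELinux role requested by the client, or NULL */`. On the paths visible in this patch the string is heap-allocated (`xstrdup` in auth2.c, `buffer_get_string` in monitor.c), and whatever frees the auth context will need to free it too; no such free is visible here.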
-- openssh-4.3p1/auth1.c |
65 |
++ openssh-4.3p1/auth1.c |
Lines 370-376
|
370 |
do_authentication(Authctxt *authctxt) |
370 |
do_authentication(Authctxt *authctxt) |
371 |
{ |
371 |
{ |
372 |
u_int ulen; |
372 |
u_int ulen; |
373 |
char *user, *style = NULL; |
373 |
char *user, *style = NULL, *role=NULL; |
374 |
|
374 |
|
375 |
/* Get the name of the user that we wish to log in as. */ |
375 |
/* Get the name of the user that we wish to log in as. */ |
376 |
packet_read_expect(SSH_CMSG_USER); |
376 |
packet_read_expect(SSH_CMSG_USER); |
Lines 379-389
|
379 |
user = packet_get_string(&ulen); |
379 |
user = packet_get_string(&ulen); |
380 |
packet_check_eom(); |
380 |
packet_check_eom(); |
381 |
|
381 |
|
|
|
382 |
// if ((role = strchr(user, '/')) != NULL) |
383 |
// *role++ = '\0'; |
384 |
|
382 |
if ((style = strchr(user, ':')) != NULL) |
385 |
if ((style = strchr(user, ':')) != NULL) |
383 |
*style++ = '\0'; |
386 |
*style++ = '\0'; |
|
|
387 |
else |
388 |
if (role && (style = strchr(role, ':')) != NULL) |
389 |
*style++ = '\0'; |
390 |
|
384 |
|
391 |
|
385 |
authctxt->user = user; |
392 |
authctxt->user = user; |
386 |
authctxt->style = style; |
393 |
authctxt->style = style; |
|
|
394 |
authctxt->role = role; |
387 |
|
395 |
|
388 |
/* Verify that the user is a valid user. */ |
396 |
/* Verify that the user is a valid user. */ |
389 |
if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL) |
397 |
if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL) |
390 |
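Review bot: The `'/'` split that would assign `role` is commented out with `//` (new lines 382-383), so `role` stays NULL and the new `else if (role && (style = strchr(role, ':')) != NULL)` branch can never execute; either delete the two commented lines and that branch, leaving `authctxt->role = role;` as an explicit NULL with the comment `/* protocol 1 does not support role selection */`, or restore the split. Commented-out code and `//` comments are both out of keeping with the surrounding OpenSSH source, which uses `/* */` everywhere else on this page. `do_authentication` begins in the previous hunk and continues past this one.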
-- openssh-4.3p1/auth2.c |
398 |
++ openssh-4.3p1/auth2.c |
Lines 134-140
|
134 |
{ |
134 |
{ |
135 |
Authctxt *authctxt = ctxt; |
135 |
Authctxt *authctxt = ctxt; |
136 |
Authmethod *m = NULL; |
136 |
Authmethod *m = NULL; |
137 |
char *user, *service, *method, *style = NULL; |
137 |
char *user, *service, *method, *style = NULL, *role = NULL; |
138 |
int authenticated = 0; |
138 |
int authenticated = 0; |
139 |
|
139 |
|
140 |
if (authctxt == NULL) |
140 |
if (authctxt == NULL) |
Lines 171-178
|
171 |
use_privsep ? " [net]" : ""); |
174 |
use_privsep ? " [net]" : ""); |
172 |
authctxt->service = xstrdup(service); |
175 |
authctxt->service = xstrdup(service); |
173 |
authctxt->style = style ? xstrdup(style) : NULL; |
176 |
authctxt->style = style ? xstrdup(style) : NULL; |
174 |
if (use_privsep) |
177 |
authctxt->role = role ? xstrdup(role) : NULL; |
|
|
178 |
if (use_privsep) { |
175 |
mm_inform_authserv(service, style); |
179 |
mm_inform_authserv(service, style); |
|
|
180 |
mm_inform_authrole(role); |
181 |
} |
176 |
} else if (strcmp(user, authctxt->user) != 0 || |
182 |
} else if (strcmp(user, authctxt->user) != 0 || |
177 |
strcmp(service, authctxt->service) != 0) { |
183 |
strcmp(service, authctxt->service) != 0) { |
178 |
packet_disconnect("Change of username or service not allowed: " |
184 |
packet_disconnect("Change of username or service not allowed: " |
179 |
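Review bot: The string handed to `mm_inform_authrole(role)` originates in the client-controlled username, but the code that splits it off is not on this page (the three-line offset between the two hunks suggests it sits between them), so the trust boundary should be stated at the call: `/* role is client-chosen; the monitor and libselinux must check it against policy */`. The call is placed after `mm_inform_authserv`, which the `MON_ONCE` dispatch entries in monitor.c presumably rely on; a one-line comment saying the order matters would save the next reader a trip. The enclosing function starts and ends outside both hunks.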
-- openssh-4.3p1/configure.ac |
185 |
++ openssh-4.3p1/configure.ac |
Lines 2945-2950
|
2945 |
[#include <arpa/nameser.h>]) |
2945 |
[#include <arpa/nameser.h>]) |
2946 |
]) |
2946 |
]) |
2947 |
|
2947 |
|
|
|
2948 |
# Check whether user wants SELinux support |
2949 |
SELINUX_MSG="no" |
2950 |
LIBSELINUX="" |
2951 |
AC_ARG_WITH(selinux, |
2952 |
[ --with-selinux Enable SELinux support], |
2953 |
[ if test "x$withval" != "xno" ; then |
2954 |
AC_DEFINE(WITH_SELINUX,1,[Define if you want SELinux support.]) |
2955 |
SELINUX_MSG="yes" |
2956 |
AC_CHECK_HEADERS(selinux.h) |
2957 |
LIBSELINUX="-lselinux" |
2958 |
fi |
2959 |
]) |
2960 |
AC_SUBST(LIBSELINUX) |
2961 |
|
2948 |
# Check whether user wants Kerberos 5 support |
2962 |
# Check whether user wants Kerberos 5 support |
2949 |
KRB5_MSG="no" |
2963 |
KRB5_MSG="no" |
2950 |
AC_ARG_WITH(kerberos5, |
2964 |
AC_ARG_WITH(kerberos5, |
Lines 3763-3768
|
3763 |
echo " Manpage format: $MANTYPE" |
3777 |
echo " Manpage format: $MANTYPE" |
3764 |
echo " PAM support: $PAM_MSG" |
3778 |
echo " PAM support: $PAM_MSG" |
3765 |
echo " KerberosV support: $KRB5_MSG" |
3779 |
echo " KerberosV support: $KRB5_MSG" |
|
|
3780 |
echo " SELinux support: $SELINUX_MSG" |
3766 |
echo " Smartcard support: $SCARD_MSG" |
3781 |
echo " Smartcard support: $SCARD_MSG" |
3767 |
echo " S/KEY support: $SKEY_MSG" |
3782 |
echo " S/KEY support: $SKEY_MSG" |
3768 |
echo " TCP Wrappers support: $TCPW_MSG" |
3783 |
echo " TCP Wrappers support: $TCPW_MSG" |
3769 |
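Review bot: `AC_CHECK_HEADERS(selinux.h)` tests for a header named `selinux.h`, whereas selinux.c includes `<selinux/selinux.h>`, and its result is ignored anyway because `LIBSELINUX="-lselinux"` is set unconditionally, so a host without libselinux fails at link time instead of at configure time. Replace the two lines with `AC_CHECK_HEADERS([selinux/selinux.h], [], [AC_MSG_ERROR([SELinux headers not found])])` and `AC_CHECK_LIB([selinux], [setexeccon], [LIBSELINUX="-lselinux"], [AC_MSG_ERROR([libselinux not found])])`, which also means `WITH_SELINUX` is only defined when the build can actually succeed. The summary `echo` in the second hunk is fine as is.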
-- openssh-4.3p1/monitor.c |
3784 |
++ openssh-4.3p1/monitor.c |
Lines 115-120
|
115 |
int mm_answer_authpassword(int, Buffer *); |
115 |
int mm_answer_authpassword(int, Buffer *); |
116 |
int mm_answer_bsdauthquery(int, Buffer *); |
116 |
int mm_answer_bsdauthquery(int, Buffer *); |
117 |
int mm_answer_bsdauthrespond(int, Buffer *); |
117 |
int mm_answer_bsdauthrespond(int, Buffer *); |
|
|
118 |
int mm_answer_authrole(int, Buffer *); |
118 |
int mm_answer_skeyquery(int, Buffer *); |
119 |
int mm_answer_skeyquery(int, Buffer *); |
119 |
int mm_answer_skeyrespond(int, Buffer *); |
120 |
int mm_answer_skeyrespond(int, Buffer *); |
120 |
int mm_answer_keyallowed(int, Buffer *); |
121 |
int mm_answer_keyallowed(int, Buffer *); |
Lines 181-186
|
181 |
{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, |
182 |
{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, |
182 |
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, |
183 |
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, |
183 |
{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, |
184 |
{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, |
|
|
185 |
{MONITOR_REQ_AUTHROLE, MON_ONCE, mm_answer_authrole}, |
184 |
{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, |
186 |
{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, |
185 |
{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, |
187 |
{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, |
186 |
#ifdef USE_PAM |
188 |
#ifdef USE_PAM |
Lines 623-628
|
623 |
else { |
625 |
else { |
624 |
/* Allow service/style information on the auth context */ |
626 |
/* Allow service/style information on the auth context */ |
625 |
monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); |
627 |
monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); |
|
|
628 |
monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1); |
626 |
monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); |
629 |
monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); |
627 |
} |
630 |
} |
628 |
|
631 |
|
Lines 671-676
|
671 |
} |
674 |
} |
672 |
|
675 |
|
673 |
int |
676 |
int |
|
|
677 |
mm_answer_authrole(int sock, Buffer *m) |
678 |
{ |
679 |
monitor_permit_authentications(1); |
680 |
|
681 |
authctxt->role = buffer_get_string(m, NULL); |
682 |
debug3("%s: role=%s", |
683 |
__func__, authctxt->role); |
684 |
|
685 |
if (strlen(authctxt->role) == 0) { |
686 |
xfree(authctxt->role); |
687 |
authctxt->role = NULL; |
688 |
} |
689 |
|
690 |
return (0); |
691 |
} |
692 |
|
693 |
int |
674 |
mm_answer_authpassword(int sock, Buffer *m) |
694 |
mm_answer_authpassword(int sock, Buffer *m) |
675 |
{ |
695 |
{ |
676 |
static int call_count; |
696 |
static int call_count; |
677 |
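Review bot: `mm_answer_authrole` copies a string that the unprivileged child took from the client-supplied username straight into the privileged monitor's `authctxt->role` without any check of its content, and nothing on this page validates it before selinux.c passes it to `get_default_context_with_rolelevel()`; that is defensible only if libselinux is relied on to reject roles the seuser may not take, so say so above the `buffer_get_string` call: `/* client-chosen, untrusted; libselinux must reject roles not permitted for this user */`. The `MON_ONCE` flag on the `MONITOR_REQ_AUTHROLE` dispatch entry keeps a second request from overwriting (and leaking) the first string, so the absence of a free before the assignment is not a bug as written, though a comment noting that dependency would help. `monitor_permit_authentications(1)` appears to repeat what `mm_answer_authserv` already does, but that function's body is outside this page.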
-- openssh-4.3p1/monitor.h |
697 |
++ openssh-4.3p1/monitor.h |
Lines 30-36
|
30 |
|
30 |
|
31 |
enum monitor_reqtype { |
31 |
enum monitor_reqtype { |
32 |
MONITOR_REQ_MODULI, MONITOR_ANS_MODULI, |
32 |
MONITOR_REQ_MODULI, MONITOR_ANS_MODULI, |
33 |
MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV, |
33 |
MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV,MONITOR_REQ_AUTHROLE, |
34 |
MONITOR_REQ_SIGN, MONITOR_ANS_SIGN, |
34 |
MONITOR_REQ_SIGN, MONITOR_ANS_SIGN, |
35 |
MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM, |
35 |
MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM, |
36 |
MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER, |
36 |
MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER, |
37 |
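Review bot: `MONITOR_REQ_AUTHSERV,MONITOR_REQ_AUTHROLE,` lacks the space after the comma that every other entry in this enum has; write `MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV, MONITOR_REQ_AUTHROLE,`. Inserting a value in the middle of the enum renumbers every later request type, which is presumably harmless because both privsep processes come from the same binary, but the other entries are paired as REQ/ANS and a lone REQ without an ANS is worth a short comment.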
-- openssh-4.3p1/monitor_wrap.c |
37 |
++ openssh-4.3p1/monitor_wrap.c |
Lines 271-276
|
271 |
buffer_free(&m); |
271 |
buffer_free(&m); |
272 |
} |
272 |
} |
273 |
|
273 |
|
|
|
274 |
/* Inform the privileged process about role */ |
275 |
|
276 |
void |
277 |
mm_inform_authrole(char *role) |
278 |
{ |
279 |
Buffer m; |
280 |
|
281 |
debug3("%s entering", __func__); |
282 |
|
283 |
buffer_init(&m); |
284 |
buffer_put_cstring(&m, role ? role : ""); |
285 |
|
286 |
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, &m); |
287 |
|
288 |
buffer_free(&m); |
289 |
} |
290 |
|
274 |
/* Do the password authentication */ |
291 |
/* Do the password authentication */ |
275 |
int |
292 |
int |
276 |
mm_auth_password(Authctxt *authctxt, char *password) |
293 |
mm_auth_password(Authctxt *authctxt, char *password) |
277 |
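Review bot: `mm_inform_authrole` sends `""` when `role` is NULL and relies on `mm_answer_authrole` in monitor.c turning the empty string back into NULL; that round-trip is not written down on either side, so add above `buffer_put_cstring` the comment `/* no role is sent as ""; mm_answer_authrole() maps it back to NULL */`. The blank line between the header comment and `void` detaches the comment from the function it describes; the neighbouring `mm_auth_password` keeps the two adjacent.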
-- openssh-4.3p1/monitor_wrap.h |
294 |
++ openssh-4.3p1/monitor_wrap.h |
Lines 44-49
|
44 |
DH *mm_choose_dh(int, int, int); |
44 |
DH *mm_choose_dh(int, int, int); |
45 |
int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int); |
45 |
int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int); |
46 |
void mm_inform_authserv(char *, char *); |
46 |
void mm_inform_authserv(char *, char *); |
|
|
47 |
void mm_inform_authrole(char *); |
47 |
struct passwd *mm_getpwnamallow(const char *); |
48 |
struct passwd *mm_getpwnamallow(const char *); |
48 |
char *mm_auth2_read_banner(void); |
49 |
char *mm_auth2_read_banner(void); |
49 |
int mm_auth_password(struct Authctxt *, char *); |
50 |
int mm_auth_password(struct Authctxt *, char *); |
50 |
-- openssh-4.3p1/selinux.c |
51 |
++ openssh-4.3p1/selinux.c |
Line 0
|
0 |
-- openssh-4.3p1/selinux.h |
1 |
#include "includes.h" |
|
|
2 |
#include "auth.h" |
3 |
#include "log.h" |
4 |
|
5 |
#ifdef WITH_SELINUX |
6 |
#include <selinux/selinux.h> |
7 |
#include <selinux/flask.h> |
8 |
#include <selinux/context.h> |
9 |
#include <selinux/get_context_list.h> |
10 |
#include <selinux/get_default_type.h> |
11 |
extern Authctxt *the_authctxt; |
12 |
|
13 |
static const security_context_t selinux_get_user_context(const char *name) { |
14 |
security_context_t user_context=NULL; |
15 |
char *role=NULL; |
16 |
int ret=-1; |
17 |
char *seuser=NULL; |
18 |
char *level=NULL; |
19 |
|
20 |
if (the_authctxt) |
21 |
role=the_authctxt->role; |
22 |
|
23 |
if (getseuserbyname(name, &seuser, &level)==0) { |
24 |
if (role != NULL && role[0]) |
25 |
ret=get_default_context_with_rolelevel(seuser, role, level,NULL,&user_context); |
26 |
else |
27 |
ret=get_default_context_with_level(seuser, level, NULL,&user_context); |
28 |
} |
29 |
|
30 |
if ( ret < 0 ) { |
31 |
if (security_getenforce() > 0) |
32 |
fatal("Failed to get default security context for %s.", name); |
33 |
else |
34 |
error("Failed to get default security context for %s. Continuing in permissive mode", name); |
35 |
} |
36 |
return user_context; |
37 |
} |
38 |
|
39 |
void setup_selinux_pty(const char *name, const char *tty) { |
40 |
if (is_selinux_enabled() > 0) { |
41 |
security_context_t new_tty_context=NULL, user_context=NULL, old_tty_context=NULL; |
42 |
|
43 |
user_context=selinux_get_user_context(name); |
44 |
|
45 |
if (getfilecon(tty, &old_tty_context) < 0) { |
46 |
error("getfilecon(%.100s) failed: %.100s", tty, strerror(errno)); |
47 |
} else { |
48 |
if (security_compute_relabel(user_context,old_tty_context, |
49 |
SECCLASS_CHR_FILE, |
50 |
&new_tty_context) != 0) { |
51 |
error("security_compute_relabel(%.100s) failed: %.100s", tty, |
52 |
strerror(errno)); |
53 |
} else { |
54 |
if (setfilecon (tty, new_tty_context) != 0) |
55 |
error("setfilecon(%.100s, %s) failed: %.100s", |
56 |
tty, new_tty_context, |
57 |
strerror(errno)); |
58 |
freecon(new_tty_context); |
59 |
} |
60 |
freecon(old_tty_context); |
61 |
} |
62 |
if (user_context) { |
63 |
freecon(user_context); |
64 |
} |
65 |
} |
66 |
} |
67 |
|
68 |
void setup_selinux_exec_context(char *name) { |
69 |
|
70 |
if (is_selinux_enabled() > 0) { |
71 |
security_context_t user_context=selinux_get_user_context(name); |
72 |
if (setexeccon(user_context)) { |
73 |
if (security_getenforce() > 0) |
74 |
fatal("Failed to set exec security context %s for %s.", user_context, name); |
75 |
else |
76 |
error("Failed to set exec security context %s for %s. Continuing in permissive mode", user_context, name); |
77 |
} |
78 |
if (user_context) { |
79 |
freecon(user_context); |
80 |
} |
81 |
} |
82 |
} |
83 |
#else |
84 |
inline void setup_selinux_pty(const char *name, const char *tty) {} |
85 |
inline void setup_selinux_exec_context(const char *name) {} |
86 |
#endif /* WITH_SELINUX */ |
|
|
87 |
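Review bot: `selinux_get_user_context` never frees `seuser` and `level`, which `getseuserbyname()` allocates for the caller, so each session leaks two strings per call (once for the pty, once for the exec context); the rewrite below frees them once the context has been computed and drops the `const` on the return type, which qualifies only the returned pointer value and is ignored. The file does not include its own `selinux.h`, which hides that the definition `setup_selinux_exec_context(char *name)` disagrees with the header's `const char *`; add `#include "selinux.h"` after `auth.h` and make the definition take `const char *`. The `#else` stubs are plain `inline` without `static`; under C99 inline semantics no external definition is emitted, which would leave an sshd built without `--with-selinux` with unresolved references, so declare them as ordinary functions, e.g. `void setup_selinux_pty(const char *name, const char *tty) {}`. In permissive mode `selinux_get_user_context` returns NULL after the `error()`, and if `setexeccon(NULL)` then fails the `%s` in `fatal`/`error` receives a null pointer; print `user_context ? user_context : "(none)"` there.
```c
static security_context_t
selinux_get_user_context(const char *name)
{
	security_context_t user_context = NULL;
	char *role = NULL, *seuser = NULL, *level = NULL;
	int ret = -1;

	if (the_authctxt)
		role = the_authctxt->role;

	if (getseuserbyname(name, &seuser, &level) == 0) {
		if (role != NULL && role[0])
			ret = get_default_context_with_rolelevel(seuser, role,
			    level, NULL, &user_context);
		else
			ret = get_default_context_with_level(seuser, level,
			    NULL, &user_context);
		/* getseuserbyname() allocates both strings for the caller */
		free(seuser);
		free(level);
	}
	/* … unchanged: ret < 0 handling (fatal when enforcing, error when permissive) … */
	return user_context;
}
```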
++ openssh-4.3p1/selinux.h |
Line 0
|
0 |
-- openssh-4.3p1/session.c |
1 |
#ifndef __SELINUX_H_ |
|
|
2 |
#define __SELINUX_H_ |
3 |
extern void setup_selinux_pty(const char *name, const char *tty); |
4 |
extern void setup_selinux_exec_context(const char *name); |
5 |
#endif /* __SELINUX_H_ */ |
|
|
6 |
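Review bot: `__SELINUX_H_` begins with two underscores, a name C reserves for the implementation; use `#ifndef SELINUX_H` / `#define SELINUX_H` / `#endif /* SELINUX_H */`. The `extern` on the two prototypes is redundant for functions and the other OpenSSH header on this page, `monitor_wrap.h`, omits it.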
++ openssh-4.3p1/session.c |
Lines 59-64
|
59 |
#include "kex.h" |
59 |
#include "kex.h" |
60 |
#include "monitor_wrap.h" |
60 |
#include "monitor_wrap.h" |
61 |
|
61 |
|
|
|
62 |
#include "selinux.h" |
63 |
|
62 |
#if defined(KRB5) && defined(USE_AFS) |
64 |
#if defined(KRB5) && defined(USE_AFS) |
63 |
#include <kafs.h> |
65 |
#include <kafs.h> |
64 |
#endif |
66 |
#endif |
Lines 1340-1345
|
1340 |
#endif |
1342 |
#endif |
1341 |
if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) |
1343 |
if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) |
1342 |
fatal("Failed to set uids to %u.", (u_int) pw->pw_uid); |
1344 |
fatal("Failed to set uids to %u.", (u_int) pw->pw_uid); |
|
|
1345 |
|
1346 |
setup_selinux_exec_context(pw->pw_name); |
1343 |
} |
1347 |
} |
1344 |
|
1348 |
|
1345 |
static void |
1349 |
static void |
1346 |
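Review bot: The new `setup_selinux_exec_context(pw->pw_name)` call carries no explanation of why it must sit exactly here, after the uid switch has been verified and inside a block whose start is outside the hunk; add `/* label the user's shell/command; must follow the privilege drop and precede exec */`. If that block is a `getuid() == 0` guard (not visible here), an sshd run as a non-root user never sets an exec context, which is presumably intended but deserves a word in the same comment.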
-- openssh-4.3p1/sshpty.c |
1350 |
++ openssh-4.3p1/sshpty.c |
Lines 22-27
|
22 |
#include "log.h" |
22 |
#include "log.h" |
23 |
#include "misc.h" |
23 |
#include "misc.h" |
24 |
|
24 |
|
|
|
25 |
#include "selinux.h" |
26 |
|
25 |
#ifdef HAVE_PTY_H |
27 |
#ifdef HAVE_PTY_H |
26 |
# include <pty.h> |
28 |
# include <pty.h> |
27 |
#endif |
29 |
#endif |
Lines 200-205
|
200 |
fatal("stat(%.100s) failed: %.100s", tty, |
202 |
fatal("stat(%.100s) failed: %.100s", tty, |
201 |
strerror(errno)); |
203 |
strerror(errno)); |
202 |
|
204 |
|
|
|
205 |
setup_selinux_pty(pw->pw_name, tty); |
206 |
|
203 |
if (st.st_uid != pw->pw_uid || st.st_gid != gid) { |
207 |
if (st.st_uid != pw->pw_uid || st.st_gid != gid) { |
204 |
if (chown(tty, pw->pw_uid, gid) < 0) { |
208 |
if (chown(tty, pw->pw_uid, gid) < 0) { |
205 |
if (errno == EROFS && |
209 |
if (errno == EROFS && |