openssh-5.8p1-script-auth.diff

From c065833127e09e96cdcbeeada1003c0740c26e9b Mon Sep 17 00:00:00 2001
From: Kevin J. Lynagh <kevin@dirigibleFlightcraft.com>
Date: Sat, 5 Mar 2011 07:14:15 -0800
Subject: [PATCH 1/2] Manually apply 5.1p1 patch to 5.8p1.

---
 auth.c         |    9 ++++
 auth.h         |    1 +
 auth2-pubkey.c |  122 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 servconf.c     |    7 +++
 servconf.h     |    2 +
 5 files changed, 141 insertions(+), 0 deletions(-)

diff --git a/auth.c b/auth.c
index 33680b9..31617da 100644
--- a/auth.c
+++ b/auth.c
@@ -367,6 +367,15 @@ authorized_keys_file2(struct passwd *pw)
 }
 
 char *
+authorized_keys_script(struct passwd *pw)
+{
+	if (options.authorized_keys_script)
+		return expand_authorized_keys(options.authorized_keys_script, pw);
+	else
+		return NULL;
+}
+
+char *
 authorized_principals_file(struct passwd *pw)
 {
 	if (options.authorized_principals_file == NULL)
diff --git a/auth.h b/auth.h
index 77317ae..4b30284 100644
--- a/auth.h
+++ b/auth.h
@@ -169,6 +169,7 @@ void	abandon_challenge_response(Authctxt *);
 
 char	*authorized_keys_file(struct passwd *);
 char	*authorized_keys_file2(struct passwd *);
+char	*authorized_keys_script(struct passwd *);
 char	*authorized_principals_file(struct passwd *);
 
 FILE	*auth_openkeyfile(const char *, struct passwd *, int);
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index 7d21413..7a1d467 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -377,6 +377,118 @@ user_key_allowed2(struct passwd *pw, Key *key, char *file)
 	return found_key;
 }
 
+
+
+/* check to see if the script specified by file can authorize the key
+ *
+ * the script will have the key written to STDIN, which is identical
+ * to the normal public key format.
+ *
+ * the script must exit with either 0 for success or 1 for failure.
+ * the script can print login options (if any) to STDOUT. No whitepace should be added
+ * to the output.
+ *
+ * Use with caution: the script can hang sshd. It is recommended you code the script
+ * with a timeout set if it cannot determine authenication quickly.
+ */
+static int
+user_key_found_by_script(struct passwd *pw, Key *key, char *file)
+{
+	pid_t pid;
+	char line[SSH_MAX_PUBKEY_BYTES];
+	int pipe_in[2];
+	int pipe_out[2];
+	int exit_code = 1;
+	int success = 0;
+	FILE *f;
+	//mysig_t oldsig;
+
+	pipe(pipe_in);
+	pipe(pipe_out);
+
+	//oldsig = signal(SIGCHLD, SIG_IGN);
+	temporarily_use_uid(pw);
+
+	debug3("user_key_found_by_script: executing %s", file);
+
+	switch ((pid = fork())) {
+	case -1:
+		error("fork(): %s", strerror(errno));
+		restore_uid();
+		return (-1);
+	case 0:
+		/* setup input pipe */
+		close(pipe_in[1]);
+		dup2(pipe_in[0], 0);
+		close(pipe_in[0]);
+
+		/* setup output pipe */
+		close(pipe_out[0]);
+		dup2(pipe_out[1], 1);
+		close(pipe_out[1]);
+
+		execl(file, file, NULL);
+
+		/* exec failed */
+		error("execl(): %s", strerror(errno));
+		_exit(1);
+	default:
+		debug3("user_key_found_by_script: script pid %d", pid);
+
+		close(pipe_in[0]);
+		close(pipe_out[1]);
+
+		f = fdopen(pipe_in[1], "w");
+		key_write(key, f);
+		fclose(f);
+
+		while(waitpid(pid, &exit_code, 0) < 0) {
+			switch(errno) {
+			case EINTR:
+				debug3("user_key_found_by_script: waitpid() EINTR, continuing");
+				continue;
+			default:
+				error("waitpid(): %s", strerror(errno));
+				goto waitpid_error;
+			}
+		}
+		if (WIFEXITED(exit_code) && WEXITSTATUS(exit_code) == 0) {
+			int amt_read = read(pipe_out[0], line, sizeof(line) - 1);
+			line[amt_read] = ' ';
+			line[amt_read + 1] = 0;
+			debug3("user_key_found_by_script: options: %s", line);
+			if (auth_parse_options(pw, line, file, 0) == 1)
+				success = 1;
+		}
+	 waitpid_error:
+		close(pipe_out[0]);
+	}
+
+	restore_uid();
+	//signal(SIGCHLD, oldsig);
+
+	return success;
+}
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
 /* Authenticate a certificate key against TrustedUserCAKeys */
 static int
 user_cert_trusted_ca(struct passwd *pw, Key *key)
@@ -458,6 +570,16 @@ user_key_allowed(struct passwd *pw, Key *key)
 	file = authorized_keys_file2(pw);
 	success = user_key_allowed2(pw, key, file);
 	xfree(file);
+
+	if (success)
+		return success;
+
+	/* try the script to find the key */
+	if ((file = authorized_keys_script(pw))) {
+		success = user_key_found_by_script(pw, key, file);
+		xfree(file);
+	}
+
 	return success;
 }
 
diff --git a/servconf.c b/servconf.c
index e2f20a3..16b8aec 100644
--- a/servconf.c
+++ b/servconf.c
@@ -128,6 +128,7 @@ initialize_server_options(ServerOptions *options)
 	options->client_alive_count_max = -1;
 	options->authorized_keys_file = NULL;
 	options->authorized_keys_file2 = NULL;
+	options->authorized_keys_script = NULL;
 	options->num_accept_env = 0;
 	options->permit_tun = -1;
 	options->num_permitted_opens = -1;
@@ -322,6 +323,7 @@ typedef enum {
 	sBanner, sUseDNS, sHostbasedAuthentication,
 	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
 	sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
+	sAuthorizedKeysScript,
 	sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
 	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
 	sUsePrivilegeSeparation, sAllowAgentForwarding,
@@ -439,6 +441,7 @@ static struct {
 	{ "clientalivecountmax", sClientAliveCountMax, SSHCFG_GLOBAL },
 	{ "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_ALL },
 	{ "authorizedkeysfile2", sAuthorizedKeysFile2, SSHCFG_ALL },
+	{ "authorizedkeysscript", sAuthorizedKeysScript, SSHCFG_ALL },
 	{ "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL},
 	{ "acceptenv", sAcceptEnv, SSHCFG_GLOBAL },
 	{ "permittunnel", sPermitTunnel, SSHCFG_ALL },
@@ -1255,6 +1258,9 @@ process_server_config_line(ServerOptions *options, char *line,
 	case sAuthorizedKeysFile2:
 		charptr = &options->authorized_keys_file2;
 		goto parse_tilde_filename;
+  case sAuthorizedKeysScript:
+		charptr = &options->authorized_keys_script;
+		goto parse_tilde_filename;
 	case sAuthorizedPrincipalsFile:
 		charptr = &options->authorized_principals_file;
  parse_tilde_filename:
@@ -1738,6 +1744,7 @@ dump_config(ServerOptions *o)
 	dump_cfg_string(sBanner, o->banner);
 	dump_cfg_string(sAuthorizedKeysFile, o->authorized_keys_file);
 	dump_cfg_string(sAuthorizedKeysFile2, o->authorized_keys_file2);
+	dump_cfg_string(sAuthorizedKeysScript, o->authorized_keys_script);
 	dump_cfg_string(sForceCommand, o->adm_forced_command);
 	dump_cfg_string(sChrootDirectory, o->chroot_directory);
 	dump_cfg_string(sTrustedUserCAKeys, o->trusted_user_ca_keys);
diff --git a/servconf.h b/servconf.h
index 5a058a4..a891452 100644
--- a/servconf.h
+++ b/servconf.h
@@ -148,6 +148,8 @@ typedef struct {
 	char   *authorized_keys_file;	/* File containing public keys */
 	char   *authorized_keys_file2;
 
+	char   *authorized_keys_script;
+
 	char   *adm_forced_command;
 
 	int	use_pam;		/* Enable auth via PAM */
-- 
1.7.1


From 0e18237aedd4665c89f8f81a4e60f9cb61c3e286 Mon Sep 17 00:00:00 2001
From: Kevin J. Lynagh <kevin@dirigibleFlightcraft.com>
Date: Sat, 5 Mar 2011 07:16:14 -0800
Subject: [PATCH 2/2] Pass two lines to custom script: username, then key.

---
 auth2-pubkey.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index 7a1d467..b7a8ba6 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -439,6 +439,9 @@ user_key_found_by_script(struct passwd *pw, Key *key, char *file)
 		close(pipe_out[1]);
 
 		f = fdopen(pipe_in[1], "w");
+		//print the username, a newline, then the provided public key
+		fprintf(f, pw->pw_name);
+		fprintf(f, "\n");
 		key_write(key, f);
 		fclose(f);
 
-- 
1.7.1