- enhanced openssh-chroot.patch with UseChroot configuration option

[packages/openssh.git] / ldappubkey-ossh3.6-v2.patch

diff -ru openssh-3.6.1p1/auth2-pubkey.c openssh-3.6.1p1-ldappubkey/auth2-pubkey.c
--- openssh-3.6.1p1/auth2-pubkey.c      Thu Jun  6 22:27:56 2002
+++ openssh-3.6.1p1-ldappubkey/auth2-pubkey.c   Thu Apr 17 11:53:03 2003
@@ -174,12 +174,46 @@
        struct stat st;
        Key *found;
        char *fp;
+#ifdef WITH_LDAP_PUBKEY
+       lh host;
+#endif
 
        if (pw == NULL)
                return 0;
 
        /* Temporarily use the user's uid. */
        temporarily_use_uid(pw);
+#ifdef WITH_LDAP_PUBKEY
+       found_key = 0;
+       /* allocate a new key type */
+       found = key_new(key->type);
+
+       /* first check if the options is enabled, then try.. */
+       debug("trying LDAP first uid=%s",pw->pw_name);
+       
+       /* lets add it */
+       host.url = options.myldap_opt.ldap_server;
+       host.binddn = options.myldap_opt.binddn;
+       host.bindpw = options.myldap_opt.bindpw;
+       host.mgroup = options.myldap_opt.mgroup;
+
+       if(options.myldap_opt.pubkey_from_ldap
+               &&(key_ldap_read(found,pw->pw_name,&host) != 1)) {
+           debug2("LDAP pubkey failed!!!");
+           debug2("URL: %s !!",options.myldap_opt.ldap_server);
+       }
+
+       if (key_equal(found,key)) {
+           found_key = 1;
+           debug("matching key found on LDAP, line %lu",linenum);
+           fp = key_fingerprint(found,SSH_FP_MD5, SSH_FP_HEX);
+           verbose("Found matching %s key: %s",key_type(found),fp);
+           xfree(fp);
+           restore_uid();
+           key_free(found);
+           return found_key;
+       }
+#endif
 
        debug("trying public key file %s", file);
 
@@ -189,6 +223,7 @@
                restore_uid();
                return 0;
        }
+
        /* Open the file containing the authorized keys. */
        f = fopen(file, "r");
        if (!f) {
@@ -196,6 +231,7 @@
                restore_uid();
                return 0;
        }
+
        if (options.strict_modes &&
            secure_filename(f, file, pw, line, sizeof(line)) != 0) {
                fclose(f);
@@ -204,8 +240,11 @@
                return 0;
        }
 
+       /*
        found_key = 0;
        found = key_new(key->type);
+       old place of found_key = 0;
+       */
 
        while (fgets(line, sizeof(line), f)) {
                char *cp, *options = NULL;
diff -ru openssh-3.6.1p1/key.c openssh-3.6.1p1-ldappubkey/key.c
--- openssh-3.6.1p1/key.c       Mon Feb 24 02:01:41 2003
+++ openssh-3.6.1p1-ldappubkey/key.c    Thu Apr 17 11:48:00 2003
@@ -36,6 +36,25 @@
 
 #include <openssl/evp.h>
 
+#ifdef WITH_LDAP_PUBKEY
+#include <ldap.h>
+#include <lber.h>
+
+#define PORT LDAP_PORT
+#define LINEMAX 1024
+/*
+ * defined in core.schema, this is a temporary objectclass which can be
+ * used since i m waiting for pkix schema and pubKey attribute (binary as well
+ * so minor changes for this patch), there will be an update about this ;)
+ * the following defs were for test purposes only
+ * i'm still keeping objectclass=strongAuthenticationuser because of the purpose
+ * this patch, and wrongly using cn for each user to store group includes
+ * refere to the README for a better understanding of this.
+ */
+#define OBJCLASS "objectclass=strongAuthenticationUser"
+#define BASE_REQ "ou=users,dc=foobar,dc=net"
+#endif
+
 #include "xmalloc.h"
 #include "key.h"
 #include "rsa.h"
@@ -372,6 +391,217 @@
        OPENSSL_free(buf);
        return 1;
 }
+
+#ifdef WITH_LDAP_PUBKEY
+/* returns 1 ok, -1 error */
+int
+/* key_ldap_read(Key *ret, char *uid, char *url, char *binddn, char *bindpw) */
+key_ldap_read(Key *ret, char *uid, lh *host)
+{
+    Key *k;
+    LDAP *ld;
+    LDAPMessage *res,*e;
+    LDAPURLDesc *urlstruct;
+    char *a,*urlssl,objbuf[LINEMAX];
+    struct berval **vals;
+    BerElement *ptr;
+    int version, rc, j, i, success = -1, ssl_size = 0;
+
+    /* version to 3 */
+    version = LDAP_VERSION3;
+
+    /* url based ldap://hostport/dn[?attrs[?scope[?filter[?exts]]]] */
+    rc = ldap_is_ldap_url(host->url);
+    if (rc < 0) {
+       error("key_ldap_read: ldap_is_ldap_url() -> ldap is not an url");
+
+       success = -1;
+       return success;
+    }
+    
+    rc = ldap_url_parse(host->url,&urlstruct);
+    if (rc) {
+       error("key_ldap_read: ldap_url_parse() -> ldap couldn't be parsed");
+
+       success = -1;
+       return success;
+    }
+
+    ssl_size = strlen(urlstruct->lud_scheme)+strlen(urlstruct->lud_host)+10;
+
+    urlssl = (char *) malloc( ssl_size * sizeof(char) );
+    if (!urlssl) {
+       error("key_ldap_read: malloc()");
+
+       /* free what has been allocated */
+       ldap_free_urldesc(urlstruct);
+
+       success = -1;
+       return success;
+    }
+    memset(urlssl,0,ssl_size);
+    snprintf(urlssl,ssl_size,"%s://%s:%d",urlstruct->lud_scheme,urlstruct->lud_host,urlstruct->lud_port);
+
+    /* open ldap connection */
+    ld = ldap_init(urlstruct->lud_host,urlstruct->lud_port);
+    if(!ld) {
+       error("key_ldap_read: ldap_init()");
+
+       /* free what has been allocated */
+       free(urlssl);
+       ldap_free_urldesc(urlstruct);
+
+       success = -1;
+       return success;
+    }
+
+    /* setting V3 proto otherwise TLS impossible */
+    if (ldap_set_option(ld,LDAP_OPT_PROTOCOL_VERSION,&version) != LDAP_OPT_SUCCESS) {
+       error("key_ldap_read: ldap couldn't set version for TLS/SSL");
+
+       /* free what has been allocated */
+       free(urlssl);
+       ldap_free_urldesc(urlstruct);
+
+       success = -1;
+       return success;
+    }
+    /* HERE CHOOSE SSL/TLS use the scheme and look for the magic 's' ;) */
+    if (urlstruct->lud_scheme[strlen(urlstruct->lud_scheme)-1] == 's') {
+       if (ldap_initialize(&ld, urlssl) != LDAP_SUCCESS) {
+           error("key_ldap_read: ldap_initialize()");
+
+           /* free what has been allocated */
+           free(urlssl);
+           ldap_free_urldesc(urlstruct);
+
+           success = -1;
+           return success;
+       }
+    } else {
+       if ( (ldap_start_tls_s( ld, NULL, NULL ) != LDAP_SUCCESS)) {
+           ldap_perror( ld, "key_ldap_read: (TLS) ldap_start_tls" );
+           /* recover to normal connection */
+           ld = ldap_init(urlstruct->lud_host,urlstruct->lud_port);
+           if(!ld) {
+               error("key_ldap_read: ldap_init()");
+               
+               /* free what has been allocated */
+               free(urlssl);
+               ldap_free_urldesc(urlstruct);
+
+               success = -1;
+               return success;
+           }
+           /*  use_ssl=1; */
+       }
+    }
+
+    /* anonymous bind pubkey can be retrieved by anybody */
+    if (ldap_simple_bind_s(ld,host->binddn,host->bindpw) != LDAP_SUCCESS) {
+       error("key_ldap_read: ldap_simple_bind_s()");
+       
+       /* free what has been allocated */
+       free(urlssl);
+       ldap_free_urldesc(urlstruct);
+
+       success = -1;
+       return success;
+    }
+    
+    /* start ldap search */
+    if (!uid)
+       return success;
+
+    /* 
+     *
+     * The user need to have posixAccount & strongAuthenticationuser attributes 
+     * to accept the challenge.
+     * posixAccount & strongAuthenticationuser + uid is member of configured group.
+     * ldap user entries MUST respect our standard description.
+     * objectclass still hardcoded, hope to change this soon .
+     *
+     */
+    if (host->mgroup)
+       snprintf(objbuf,LINEMAX,"(&(objectclass=posixAccount)(objectclass=strongAuthenticationUser)(&(cn=*%s*)(uid=%s)))",host->mgroup,uid);
+    else
+       snprintf(objbuf,LINEMAX,"(&(objectclass=posixAccount)(objectclass=strongAuthenticationUser)(uid=%s))",uid);
+
+    /* New filter group inclusive depend on the configuration */
+    /* (&(objectclass=posixAccount)(objectclass=strongAuthenticationUser)(&(cn=*groupname*)(uid=eau))) */
+
+    ldap_search_s(ld,urlstruct->lud_dn,LDAP_SCOPE_SUBTREE,objbuf,NULL,0,&res);
+    i = ldap_count_entries(ld,res);
+
+    for(e=ldap_first_entry(ld,res); e != NULL; e=ldap_next_entry(ld,e)) {
+       ldap_get_dn(ld,e);
+       for(a=ldap_first_attribute(ld,e,&ptr);a!=NULL;a=ldap_next_attribute(ld,e,ptr))
+           {
+               if(strncmp(a,"userCertificate",15) == 0) {
+                   vals=ldap_get_values_len(ld,e,a);
+                   for(j = 0; vals[j] != NULL; j++) {
+                       /* value is here :) vals[j] */
+                       k = key_from_blob((unsigned char *)vals[j]->bv_val,(int)vals[j]->bv_len);
+
+                       if (!k) {
+                           error("key_read: key_from_blob LDAP failed");
+
+                           ldap_value_free_len(vals);
+                           ldap_free_urldesc(urlstruct);
+                           free(urlssl);
+
+                           return (-1);
+                       }
+
+                       /* i dont have type ?!?!?! */
+                       if (k->type != KEY_DSA) {
+                           error("key_read: type mismatch: encoding error");
+
+                           ldap_value_free_len(vals);
+                           ldap_free_urldesc(urlstruct);
+                           free(urlssl);
+                           key_free(k);
+
+                           return (-1);
+                       }
+
+                       if (ret->type == KEY_RSA) {
+                           error("LDAP doesnt handle RSA keys yet");
+
+                           /* freeing everything */
+                           ldap_value_free_len(vals);
+                           ldap_free_urldesc(urlstruct);
+                           free(urlssl);
+                           key_free(k);
+
+                           return (-1);
+                       } else {
+                           if (ret->dsa != NULL)
+                               DSA_free(ret->dsa);
+                           ret->dsa = k->dsa;
+                           k->dsa = NULL;
+                           DSA_print_fp(stderr,ret->dsa,8);
+
+                           /* freeing everything */
+                           ldap_value_free_len(vals);
+                           ldap_free_urldesc(urlstruct);
+                           free(urlssl);
+                           key_free(k);
+
+                           success = 1;
+                           return success;
+                       }
+                   }
+                   ldap_value_free_len(vals);
+                   key_free(k);
+               }
+           }
+    }
+    ldap_free_urldesc(urlstruct);
+    free(urlssl);
+    return success;
+}
+#endif
 
 /* returns 1 ok, -1 error */
 int
diff -ru openssh-3.6.1p1/key.h openssh-3.6.1p1-ldappubkey/key.h
--- openssh-3.6.1p1/key.h       Mon Feb 24 02:01:41 2003
+++ openssh-3.6.1p1-ldappubkey/key.h    Thu Apr 17 11:48:05 2003
@@ -64,6 +64,18 @@
 char   *key_type(Key *);
 int     key_write(Key *, FILE *);
 int     key_read(Key *, char **);
+#ifdef WITH_LDAP_PUBKEY
+/* next step is to handle fallback on ldap servers */
+typedef struct ldaphost {
+    char *url;            /* LDAP infos in URL format */
+    char *binddn;         /* bind DN */
+    char *bindpw;         /* obvious :> */
+    char *mgroup;         /* server group name */
+    struct ldaphost *next;
+} lh;
+
+int     key_ldap_read(Key *, char *, lh *);
+#endif
 u_int   key_size(Key *);
 
 Key    *key_generate(int, u_int);
diff -ru openssh-3.6.1p1/servconf.c openssh-3.6.1p1-ldappubkey/servconf.c
--- openssh-3.6.1p1/servconf.c  Mon Feb 24 02:04:34 2003
+++ openssh-3.6.1p1-ldappubkey/servconf.c       Thu Apr 17 12:04:42 2003
@@ -123,6 +123,13 @@
        options->client_alive_count_max = -1;
        options->authorized_keys_file = NULL;
        options->authorized_keys_file2 = NULL;
+#ifdef WITH_LDAP_PUBKEY
+       options->myldap_opt.pubkey_from_ldap = -1;
+       options->myldap_opt.ldap_server = NULL;
+       options->myldap_opt.binddn = NULL;
+       options->myldap_opt.bindpw = NULL;
+       options->myldap_opt.mgroup = NULL;
+#endif
 
        /* Needs to be accessable in many places */
        use_privsep = -1;
@@ -255,6 +262,18 @@
        }
        if (options->authorized_keys_file == NULL)
                options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
+#ifdef WITH_LDAP_PUBKEY
+       if (options->myldap_opt.pubkey_from_ldap == -1)
+           options->myldap_opt.pubkey_from_ldap = 0;
+       if (options->myldap_opt.ldap_server == NULL)
+           options->myldap_opt.ldap_server = _DEFAULT_LDAP_PUBKEY_SERVER;
+       if (options->myldap_opt.binddn == NULL)
+           options->myldap_opt.binddn = _DEFAULT_BINDDN;
+       if (options->myldap_opt.bindpw == NULL)
+           options->myldap_opt.bindpw = _DEFAULT_BINDPW;
+       if (options->myldap_opt.mgroup == NULL)
+           options->myldap_opt.mgroup = _DEFAULT_MGROUP;
+#endif
 
        /* Turn privilege separation on by default */
        if (use_privsep == -1)
@@ -303,6 +322,9 @@
        sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
        sUsePrivilegeSeparation,
        sDeprecated, sUnsupported
+#ifdef WITH_LDAP_PUBKEY
+           ,sPubkey_from_ldap, sLdap_server, sBinddn, sBindpw, sMgroup
+#endif
 } ServerOpCodes;
 
 /* Textual representation of the tokens. */
@@ -379,6 +401,13 @@
        { "clientalivecountmax", sClientAliveCountMax },
        { "authorizedkeysfile", sAuthorizedKeysFile },
        { "authorizedkeysfile2", sAuthorizedKeysFile2 },
+#ifdef WITH_LDAP_PUBKEY
+       { "pubkeyfromldap", sPubkey_from_ldap },
+       { "ldapserver", sLdap_server },
+       { "binddn", sBinddn },
+       { "bindpw", sBindpw },
+       { "mygroup", sMgroup },
+#endif
        { "useprivilegeseparation", sUsePrivilegeSeparation},
        { NULL, sBadOption }
 };
@@ -915,6 +944,54 @@
                while (arg)
                    arg = strdelim(&cp);
                break;
+#ifdef WITH_LDAP_PUBKEY
+       case sPubkey_from_ldap:
+               intptr = &options->myldap_opt.pubkey_from_ldap;
+               goto parse_flag;
+       case sLdap_server:
+               /* arg = strdelim(&cp); */
+               p = line;
+               while(*p++);
+               arg = p;
+               if (!arg || *arg == '\0')
+                   fatal("%s line %d: missing ldap server",filename,linenum);
+               arg[strlen(arg)-1] = '\0';
+               options->myldap_opt.ldap_server=xstrdup(arg);
+               memset(arg,0,strlen(arg));
+               break;
+       case sBinddn:
+               /* arg = strdelim(&cp); */
+               p = line;
+               while(*p++);
+               arg = p;
+               if (!arg || *arg == '\0')
+                   fatal("%s line %d: missing binddn",filename,linenum);
+               arg[strlen(arg)-1] = '\0';
+               options->myldap_opt.binddn = xstrdup(arg);
+               memset(arg,0,strlen(arg));
+               break;
+       case sBindpw:
+               /* arg = strdelim(&cp); */
+               p = line;
+               while(*p++);
+               arg = p;
+               if (!arg || *arg == '\0')
+                   fatal("%s line %d: missing bindpw",filename,linenum);
+               arg[strlen(arg)-1] = '\0';
+               options->myldap_opt.bindpw=xstrdup(arg);
+               memset(arg,0,strlen(arg));
+               break;
+       case sMgroup:
+               p = line;
+               while (*p++);
+               arg = p;
+               if (!arg || *arg == '\0')
+                   fatal("%s line %d: missing groupname",filename, linenum);
+               arg[strlen(arg) - 1] = '\0';
+               options->myldap_opt.mgroup = xstrdup(arg);
+               memset(arg,0,strlen(arg));
+               break;
+#endif
 
        default:
                fatal("%s line %d: Missing handler for opcode %s (%d)",
diff -ru openssh-3.6.1p1/servconf.h openssh-3.6.1p1-ldappubkey/servconf.h
--- openssh-3.6.1p1/servconf.h  Thu Aug  1 03:28:39 2002
+++ openssh-3.6.1p1-ldappubkey/servconf.h       Thu Apr 17 11:57:48 2003
@@ -32,6 +32,22 @@
 #define        PERMIT_NO_PASSWD        2
 #define        PERMIT_YES              3
 
+#ifdef WITH_LDAP_PUBKEY
+#define _DEFAULT_LDAP_PUBKEY_SERVER "localhost"
+#define _DEFAULT_BASEDN "ou=People,dc=company,dc=net"
+#define _DEFAULT_BINDDN NULL
+#define _DEFAULT_BINDPW NULL
+#define _DEFAULT_MGROUP NULL
+
+typedef struct {
+    int pubkey_from_ldap;
+    char *ldap_server;    /* ldap URL format where pubkeys are */
+    char *binddn;         /* ldap base dn where users resides */
+    char *bindpw;         /* ldap bind passwd */
+    char *mgroup;         /* ldap server group name, NULL if deactivated */
+} ldap_opt;
+#endif
+
 
 typedef struct {
        u_int num_ports;
@@ -132,6 +148,9 @@
        char   *authorized_keys_file;   /* File containing public keys */
        char   *authorized_keys_file2;
        int     use_pam;                /* Enable auth via PAM */
+#ifdef WITH_LDAP_PUBKEY
+       ldap_opt myldap_opt;
+#endif
 }       ServerOptions;
 
 void    initialize_server_options(ServerOptions *);
diff -ru openssh-3.6.1p1/sshd_config openssh-3.6.1p1-ldappubkey/sshd_config
--- openssh-3.6.1p1/sshd_config Fri Sep 27 05:21:58 2002
+++ openssh-3.6.1p1-ldappubkey/sshd_config      Thu Apr 17 12:21:43 2003
@@ -89,5 +89,13 @@
 #Banner /some/path
 #VerifyReverseMapping no
 
+# here is the new patched ldap related tokens
+# entries in your LDAP must be posixAccount & strongAuthenticationUser
+pubkeyfromldap yes
+ldapserver ldap://localhost/ou=users,dc=cuckoos,dc=net
+binddn cn=Manager,dc=cuckoos,dc=net 
+bindpw secret
+mygroup unixmail
+
 # override default of no subsystems
 Subsystem      sftp    /usr/libexec/sftp-server