+++ /dev/null
-diff -up openssh-5.8p1/auth2-pubkey.c.akc openssh-5.8p1/auth2-pubkey.c
---- openssh-5.8p1/auth2-pubkey.c.akc 2011-02-10 13:21:27.000000000 +0100
-+++ openssh-5.8p1/auth2-pubkey.c 2011-02-10 13:21:28.000000000 +0100
-@@ -27,6 +27,7 @@
-
- #include <sys/types.h>
- #include <sys/stat.h>
-+#include <sys/wait.h>
-
- #include <fcntl.h>
- #include <pwd.h>
-@@ -268,27 +269,15 @@ match_principals_file(char *file, struct
-
- /* return 1 if user allows given key */
- static int
--user_key_allowed2(struct passwd *pw, Key *key, char *file)
-+user_search_key_in_file(FILE *f, char *file, Key* key, struct passwd *pw)
- {
- char line[SSH_MAX_PUBKEY_BYTES];
- const char *reason;
- int found_key = 0;
-- FILE *f;
- u_long linenum = 0;
- Key *found;
- char *fp;
-
-- /* Temporarily use the user's uid. */
-- temporarily_use_uid(pw);
--
-- debug("trying public key file %s", file);
-- f = auth_openkeyfile(file, pw, options.strict_modes);
--
-- if (!f) {
-- restore_uid();
-- return 0;
-- }
--
- found_key = 0;
- found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);
-
-@@ -381,8 +370,6 @@ user_key_allowed2(struct passwd *pw, Key
- break;
- }
- }
-- restore_uid();
-- fclose(f);
- key_free(found);
- if (!found_key)
- debug2("key not found");
-@@ -444,13 +431,191 @@ user_cert_trusted_ca(struct passwd *pw,
- return ret;
- }
-
--/* check whether given key is in .ssh/authorized_keys* */
-+/* return 1 if user allows given key */
-+static int
-+user_key_allowed2(struct passwd *pw, Key *key, char *file)
-+{
-+ FILE *f;
-+ int found_key = 0;
-+
-+ /* Temporarily use the user's uid. */
-+ temporarily_use_uid(pw);
-+
-+ debug("trying public key file %s", file);
-+ f = auth_openkeyfile(file, pw, options.strict_modes);
-+
-+ if (f) {
-+ found_key = user_search_key_in_file (f, file, key, pw);
-+ fclose(f);
-+ }
-+
-+ restore_uid();
-+ return found_key;
-+}
-+
-+#ifdef WITH_AUTHORIZED_KEYS_COMMAND
-+
-+#define WHITESPACE " \t\r\n"
-+
-+/* return 1 if user allows given key */
-+static int
-+user_key_via_command_allowed2(struct passwd *pw, Key *key)
-+{
-+ FILE *f;
-+ int found_key = 0;
-+ char *progname = NULL;
-+ char *cp;
-+ struct passwd *runas_pw;
-+ struct stat st;
-+ int childdescriptors[2], i;
-+ pid_t pstat, pid, child;
-+
-+ if (options.authorized_keys_command == NULL || options.authorized_keys_command[0] != '/')
-+ return -1;
-+
-+ /* get the run as identity from config */
-+ runas_pw = (options.authorized_keys_command_runas == NULL)? pw
-+ : getpwnam (options.authorized_keys_command_runas);
-+ if (!runas_pw) {
-+ error("%s: getpwnam(\"%s\"): %s", __func__,
-+ options.authorized_keys_command_runas, strerror(errno));
-+ return 0;
-+ }
-+
-+ /* Temporarily use the specified uid. */
-+ if (runas_pw->pw_uid != 0)
-+ temporarily_use_uid(runas_pw);
-+
-+ progname = xstrdup(options.authorized_keys_command);
-+
-+ debug3("%s: checking program '%s'", __func__, progname);
-+
-+ if (stat (progname, &st) < 0) {
-+ error("%s: stat(\"%s\"): %s", __func__,
-+ progname, strerror(errno));
-+ goto go_away;
-+ }
-+
-+ if (st.st_uid != 0 || (st.st_mode & 022) != 0) {
-+ error("bad ownership or modes for AuthorizedKeysCommand \"%s\"",
-+ progname);
-+ goto go_away;
-+ }
-+
-+ if (!S_ISREG(st.st_mode)) {
-+ error("AuthorizedKeysCommand \"%s\" is not a regular file",
-+ progname);
-+ goto go_away;
-+ }
-+
-+ /*
-+ * Descend the path, checking that each component is a
-+ * root-owned directory with strict permissions.
-+ */
-+ do {
-+ if ((cp = strrchr(progname, '/')) == NULL)
-+ break;
-+ else
-+ *cp = '\0';
-+
-+ debug3("%s: checking component '%s'", __func__, (*progname == '\0' ? "/" : progname));
-+
-+ if (stat((*progname == '\0' ? "/" : progname), &st) != 0) {
-+ error("%s: stat(\"%s\"): %s", __func__,
-+ progname, strerror(errno));
-+ goto go_away;
-+ }
-+ if (st.st_uid != 0 || (st.st_mode & 022) != 0) {
-+ error("bad ownership or modes for AuthorizedKeysCommand path component \"%s\"",
-+ progname);
-+ goto go_away;
-+ }
-+ if (!S_ISDIR(st.st_mode)) {
-+ error("AuthorizedKeysCommand path component \"%s\" is not a directory",
-+ progname);
-+ goto go_away;
-+ }
-+ } while (1);
-+
-+ /* open the pipe and read the keys */
-+ if (pipe(childdescriptors)) {
-+ error("failed to pipe(2) for AuthorizedKeysCommand: %s",
-+ strerror(errno));
-+ goto go_away;
-+ }
-+
-+ child = fork();
-+ if (child == -1) {
-+ error("failed to fork(2) for AuthorizedKeysCommand: %s",
-+ strerror(errno));
-+ goto go_away;
-+ } else if (child == 0) {
-+ /* we're in the child process here -- we should never return from this block. */
-+ /* permanently drop privs in child process */
-+ if (runas_pw->pw_uid != 0) {
-+ restore_uid();
-+ permanently_set_uid(runas_pw);
-+ }
-+
-+ close(childdescriptors[0]);
-+ /* put the write end of the pipe on stdout (FD 1) */
-+ if (dup2(childdescriptors[1], 1) == -1) {
-+ error("failed to dup2(2) from AuthorizedKeysCommand: %s",
-+ strerror(errno));
-+ _exit(127);
-+ }
-+
-+ debug3("about to execl() AuthorizedKeysCommand: \"%s\" \"%s\"", options.authorized_keys_command, pw->pw_name);
-+ /* see session.c:child_close_fds() */
-+ for (i = 3; i < 64; ++i) {
-+ close(i);
-+ }
-+
-+ execl(options.authorized_keys_command, options.authorized_keys_command, pw->pw_name, NULL);
-+
-+ /* if we got here, it didn't work */
-+ error("failed to execl AuthorizedKeysCommand: %s", strerror(errno)); /* this won't work because we closed the fds above */
-+ _exit(127);
-+ }
-+
-+ close(childdescriptors[1]);
-+ f = fdopen(childdescriptors[0], "r");
-+ if (!f) {
-+ error("%s: could not buffer FDs from AuthorizedKeysCommand (\"%s\", \"r\"): %s", __func__,
-+ options.authorized_keys_command, strerror (errno));
-+ goto go_away;
-+ }
-+
-+ found_key = user_search_key_in_file (f, options.authorized_keys_command, key, pw);
-+ fclose (f);
-+ do {
-+ pid = waitpid(child, &pstat, 0);
-+ } while (pid == -1 && errno == EINTR);
-+
-+ /* what about the return value from the child process? */
-+go_away:
-+ if (progname)
-+ free (progname);
-+
-+ if (runas_pw->pw_uid != 0)
-+ restore_uid();
-+ return found_key;
-+}
-+#endif
-+
-+/* check whether given key is in <AuthorizedKeysCommand or .ssh/authorized_keys* */
- int
- user_key_allowed(struct passwd *pw, Key *key)
- {
- int success;
- char *file;
-
-+#ifdef WITH_AUTHORIZED_KEYS_COMMAND
-+ success = user_key_via_command_allowed2(pw, key);
-+ if (success > 0)
-+ return success;
-+#endif
-+
- if (auth_key_is_revoked(key))
- return 0;
- if (key_is_cert(key) && auth_key_is_revoked(key->cert->signature_key))
-diff -up openssh-5.8p1/configure.ac.akc openssh-5.8p1/configure.ac
---- openssh-5.8p1/configure.ac.akc 2011-02-10 13:21:28.000000000 +0100
-+++ openssh-5.8p1/configure.ac 2011-02-10 13:21:28.000000000 +0100
-@@ -1422,6 +1422,18 @@ AC_ARG_WITH(audit,
- esac ]
- )
-
-+# Check whether user wants AuthorizedKeysCommand support
-+AKC_MSG="no"
-+AC_ARG_WITH(authorized-keys-command,
-+ [ --with-authorized-keys-command Enable AuthorizedKeysCommand support],
-+ [
-+ if test "x$withval" != "xno" ; then
-+ AC_DEFINE([WITH_AUTHORIZED_KEYS_COMMAND], 1, [Enable AuthorizedKeysCommand support])
-+ AKC_MSG="yes"
-+ fi
-+ ]
-+)
-+
- dnl Checks for library functions. Please keep in alphabetical order
- AC_CHECK_FUNCS( \
- arc4random \
-@@ -4325,6 +4337,7 @@ echo " SELinux support
- echo " Smartcard support: $SCARD_MSG"
- echo " S/KEY support: $SKEY_MSG"
- echo " TCP Wrappers support: $TCPW_MSG"
-+echo " AuthorizedKeysCommand support: $AKC_MSG"
- echo " MD5 password support: $MD5_MSG"
- echo " libedit support: $LIBEDIT_MSG"
- echo " Solaris process contract support: $SPC_MSG"
-diff -up openssh-5.8p1/servconf.c.akc openssh-5.8p1/servconf.c
---- openssh-5.8p1/servconf.c.akc 2011-02-10 13:21:28.000000000 +0100
-+++ openssh-5.8p1/servconf.c 2011-02-10 13:28:21.000000000 +0100
-@@ -134,6 +134,8 @@ initialize_server_options(ServerOptions
- options->num_permitted_opens = -1;
- options->adm_forced_command = NULL;
- options->chroot_directory = NULL;
-+ options->authorized_keys_command = NULL;
-+ options->authorized_keys_command_runas = NULL;
- options->zero_knowledge_password_authentication = -1;
- options->revoked_keys_file = NULL;
- options->trusted_user_ca_keys = NULL;
-@@ -331,6 +333,7 @@ typedef enum {
- sZeroKnowledgePasswordAuthentication, sHostCertificate,
- sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
- sKexAlgorithms, sIPQoS,
-+ sAuthorizedKeysCommand, sAuthorizedKeysCommandRunAs,
- sDeprecated, sUnsupported
- } ServerOpCodes;
-
-@@ -456,6 +459,13 @@ static struct {
- { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
- { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
- { "ipqos", sIPQoS, SSHCFG_ALL },
-+#ifdef WITH_AUTHORIZED_KEYS_COMMAND
-+ { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
-+ { "authorizedkeyscommandrunas", sAuthorizedKeysCommandRunAs, SSHCFG_ALL },
-+#else
-+ { "authorizedkeyscommand", sUnsupported, SSHCFG_ALL },
-+ { "authorizedkeyscommandrunas", sUnsupported, SSHCFG_ALL },
-+#endif
- { NULL, sBadOption, 0 }
- };
-
-@@ -1406,6 +1416,20 @@ process_server_config_line(ServerOptions
- }
- break;
-
-+ case sAuthorizedKeysCommand:
-+ len = strspn(cp, WHITESPACE);
-+ if (*activep && options->authorized_keys_command == NULL)
-+ options->authorized_keys_command = xstrdup(cp + len);
-+ return 0;
-+
-+ case sAuthorizedKeysCommandRunAs:
-+ charptr = &options->authorized_keys_command_runas;
-+
-+ arg = strdelim(&cp);
-+ if (*activep && *charptr == NULL)
-+ *charptr = xstrdup(arg);
-+ break;
-+
- case sDeprecated:
- logit("%s line %d: Deprecated option %s",
- filename, linenum, arg);
-@@ -1499,6 +1523,8 @@ copy_set_server_options(ServerOptions *d
- M_CP_INTOPT(gss_authentication);
- M_CP_INTOPT(rsa_authentication);
- M_CP_INTOPT(pubkey_authentication);
-+ M_CP_STROPT(authorized_keys_command);
-+ M_CP_STROPT(authorized_keys_command_runas);
- M_CP_INTOPT(kerberos_authentication);
- M_CP_INTOPT(hostbased_authentication);
- M_CP_INTOPT(hostbased_uses_name_from_packet_only);
-@@ -1753,6 +1779,8 @@ dump_config(ServerOptions *o)
- dump_cfg_string(sRevokedKeys, o->revoked_keys_file);
- dump_cfg_string(sAuthorizedPrincipalsFile,
- o->authorized_principals_file);
-+ dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command);
-+ dump_cfg_string(sAuthorizedKeysCommandRunAs, o->authorized_keys_command_runas);
-
- /* string arguments requiring a lookup */
- dump_cfg_string(sLogLevel, log_level_name(o->log_level));
-diff -up openssh-5.8p1/servconf.h.akc openssh-5.8p1/servconf.h
---- openssh-5.8p1/servconf.h.akc 2011-02-10 13:21:28.000000000 +0100
-+++ openssh-5.8p1/servconf.h 2011-02-10 13:21:28.000000000 +0100
-@@ -161,6 +161,8 @@ typedef struct {
- char *revoked_keys_file;
- char *trusted_user_ca_keys;
- char *authorized_principals_file;
-+ char *authorized_keys_command;
-+ char *authorized_keys_command_runas;
- } ServerOptions;
-
- void initialize_server_options(ServerOptions *);
-diff -up openssh-5.8p1/sshd_config.0.akc openssh-5.8p1/sshd_config.0
---- openssh-5.8p1/sshd_config.0.akc 2011-02-10 13:21:28.000000000 +0100
-+++ openssh-5.8p1/sshd_config.0 2011-02-10 13:21:28.000000000 +0100
-@@ -71,6 +71,23 @@ DESCRIPTION
-
- See PATTERNS in ssh_config(5) for more information on patterns.
-
-+ AuthorizedKeysCommand
-+
-+ Specifies a program to be used for lookup of the user's
-+ public keys. The program will be invoked with its first
-+ argument the name of the user being authorized, and should produce
-+ on standard output AuthorizedKeys lines (see AUTHORIZED_KEYS
-+ in sshd(8)). By default (or when set to the empty string) there is no
-+ AuthorizedKeysCommand run. If the AuthorizedKeysCommand does not successfully
-+ authorize the user, authorization falls through to the
-+ AuthorizedKeysFile. Note that this option has an effect
-+ only with PubkeyAuthentication turned on.
-+
-+ AuthorizedKeysCommandRunAs
-+ Specifies the user under whose account the AuthorizedKeysCommand is run.
-+ Empty string (the default value) means the user being authorized
-+ is used.
-+
- AuthorizedKeysFile
- Specifies the file that contains the public keys that can be used
- for user authentication. The format is described in the
-@@ -398,7 +415,8 @@ DESCRIPTION
-
- Only a subset of keywords may be used on the lines following a
- Match keyword. Available keywords are AllowAgentForwarding,
-- AllowTcpForwarding, AuthorizedKeysFile, AuthorizedPrincipalsFile,
-+ AllowTcpForwarding, AuthorizedKeysFile, AuthorizedKeysCommand,
-+ AuthorizedKeysCommandRunAs, AuthorizedPrincipalsFile,
- Banner, ChrootDirectory, ForceCommand, GatewayPorts,
- GSSAPIAuthentication, HostbasedAuthentication,
- HostbasedUsesNameFromPacketOnly, KbdInteractiveAuthentication,
-diff -up openssh-5.8p1/sshd_config.5.akc openssh-5.8p1/sshd_config.5
---- openssh-5.8p1/sshd_config.5.akc 2011-02-10 13:21:28.000000000 +0100
-+++ openssh-5.8p1/sshd_config.5 2011-02-10 13:21:28.000000000 +0100
-@@ -703,6 +703,8 @@ Available keywords are
- .Cm AllowAgentForwarding ,
- .Cm AllowTcpForwarding ,
- .Cm AuthorizedKeysFile ,
-+.Cm AuthorizedKeysCommand ,
-+.Cm AuthorizedKeysCommandRunAs ,
- .Cm AuthorizedPrincipalsFile ,
- .Cm Banner ,
- .Cm ChrootDirectory ,
-@@ -715,6 +717,7 @@ Available keywords are
- .Cm KerberosAuthentication ,
- .Cm MaxAuthTries ,
- .Cm MaxSessions ,
-+.Cm PubkeyAuthentication ,
- .Cm PasswordAuthentication ,
- .Cm PermitEmptyPasswords ,
- .Cm PermitOpen ,
-@@ -917,6 +920,20 @@ Specifies a list of revoked public keys.
- Keys listed in this file will be refused for public key authentication.
- Note that if this file is not readable, then public key authentication will
- be refused for all users.
-+.It Cm AuthorizedKeysCommand
-+Specifies a program to be used for lookup of the user's
-+public keys. The program will be invoked with its first
-+argument the name of the user being authorized, and should produce
-+on standard output AuthorizedKeys lines (see AUTHORIZED_KEYS
-+in sshd(8)). By default (or when set to the empty string) there is no
-+AuthorizedKeysCommand run. If the AuthorizedKeysCommand does not successfully
-+authorize the user, authorization falls through to the
-+AuthorizedKeysFile. Note that this option has an effect
-+only with PubkeyAuthentication turned on.
-+.It Cm AuthorizedKeysCommandRunAs
-+Specifies the user under whose account the AuthorizedKeysCommand is run. Empty
-+string (the default value) means the user being authorized is used.
-+.Dq
- .It Cm RhostsRSAAuthentication
- Specifies whether rhosts or /etc/hosts.equiv authentication together
- with successful RSA host authentication is allowed.
-diff -up openssh-5.8p1/sshd_config.akc openssh-5.8p1/sshd_config
---- openssh-5.8p1/sshd_config.akc 2011-02-10 13:21:28.000000000 +0100
-+++ openssh-5.8p1/sshd_config 2011-02-10 13:21:28.000000000 +0100
-@@ -46,6 +46,8 @@ SyslogFacility AUTHPRIV
- #RSAAuthentication yes
- #PubkeyAuthentication yes
- #AuthorizedKeysFile .ssh/authorized_keys
-+#AuthorizedKeysCommand none
-+#AuthorizedKeysCommandRunAs nobody
-
- # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
- #RhostsRSAAuthentication no