[PATCH] Add user-dependent IdentityFile to OpenSSH-3.0.2p1
John Bowman
bowman at math.ualberta.ca
Mon Jan 28 06:46:55 EST 2002
Here is a patch to allow private key files to be placed system wide (for
all users) in a secure (non-NFS) mounted location on systems where home
directories are NFS mounted. This is especially important for users who use
blank passphrases rather than ssh-agent (a good example of where this is
necessary is for tunnelling lpd through ssh on systems that run lpd as user
lp).
IdentityFile now accepts the same %u, %h, %% options that
AuthorizedKeysFile accepts (see man sshd). For example, one can specify a
user-dependent IdentityFile in ssh_config:
IdentityFile /ssh/%u/id_rsa
This patch and others are maintained at
http://www.math.ualberta.ca/imaging/snfs/
-- John Bowman
University of Alberta
diff -ur openssh-3.0.2p1/auth.c openssh-3.0.2p1I/auth.c
--- openssh-3.0.2p1/auth.c Sun Nov 11 17:06:07 2001
+++ openssh-3.0.2p1I/auth.c Sun Jan 27 12:05:14 2002
@@ -44,7 +44,6 @@
#include "auth.h"
#include "auth-options.h"
#include "canohost.h"
-#include "buffer.h"
#include "bufaux.h"
#include "uidswap.h"
#include "tildexpand.h"
@@ -239,62 +238,6 @@
return 0;
}
-
-/*
- * Given a template and a passwd structure, build a filename
- * by substituting % tokenised options. Currently, %% becomes '%',
- * %h becomes the home directory and %u the username.
- *
- * This returns a buffer allocated by xmalloc.
- */
-char *
-expand_filename(const char *filename, struct passwd *pw)
-{
- Buffer buffer;
- char *file;
- const char *cp;
-
- /*
- * Build the filename string in the buffer by making the appropriate
- * substitutions to the given file name.
- */
- buffer_init(&buffer);
- for (cp = filename; *cp; cp++) {
- if (cp[0] == '%' && cp[1] == '%') {
- buffer_append(&buffer, "%", 1);
- cp++;
- continue;
- }
- if (cp[0] == '%' && cp[1] == 'h') {
- buffer_append(&buffer, pw->pw_dir, strlen(pw->pw_dir));
- cp++;
- continue;
- }
- if (cp[0] == '%' && cp[1] == 'u') {
- buffer_append(&buffer, pw->pw_name,
- strlen(pw->pw_name));
- cp++;
- continue;
- }
- buffer_append(&buffer, cp, 1);
- }
- buffer_append(&buffer, "\0", 1);
-
- /*
- * Ensure that filename starts anchored. If not, be backward
- * compatible and prepend the '%h/'
- */
- file = xmalloc(MAXPATHLEN);
- cp = buffer_ptr(&buffer);
- if (*cp != '/')
- snprintf(file, MAXPATHLEN, "%s/%s", pw->pw_dir, cp);
- else
- strlcpy(file, cp, MAXPATHLEN);
-
- buffer_free(&buffer);
- return file;
-}
-
char *
authorized_keys_file(struct passwd *pw)
{
diff -ur openssh-3.0.2p1/auth.h openssh-3.0.2p1I/auth.h
--- openssh-3.0.2p1/auth.h Tue Jul 3 22:46:57 2001
+++ openssh-3.0.2p1I/auth.h Sun Jan 27 12:05:14 2002
@@ -138,7 +138,6 @@
struct passwd * auth_get_user(void);
-char *expand_filename(const char *, struct passwd *);
char *authorized_keys_file(struct passwd *);
char *authorized_keys_file2(struct passwd *);
diff -ur openssh-3.0.2p1/ssh.c openssh-3.0.2p1I/ssh.c
--- openssh-3.0.2p1/ssh.c Sun Nov 11 16:52:04 2001
+++ openssh-3.0.2p1I/ssh.c Sun Jan 27 12:05:14 2002
@@ -1212,9 +1212,13 @@
key_free(public);
}
#endif /* SMARTCARD */
+ struct passwd *pw;
+ pw=getpwuid(original_real_uid);
+ if (!pw) fatal("Unknown user id: %d", original_real_uid);
for (; i < options.num_identity_files; i++) {
filename = tilde_expand_filename(options.identity_files[i],
original_real_uid);
+ filename = expand_filename(filename,pw);
public = key_load_public(filename, NULL);
debug("identity file %s type %d", filename,
public ? public->type : -1);
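Review bot: The added `filename = expand_filename(filename,pw);` leaks the string that tilde_expand_filename returned on the line above it: both functions document that they hand back xmalloc'd memory, and the first pointer is overwritten before anything can free it, once per configured identity file. Keep the intermediate and release it, e.g. `char *expanded = tilde_expand_filename(options.identity_files[i], original_real_uid);` followed by `filename = expand_filename(expanded, pw); xfree(expanded);`. The new `struct passwd *pw;` declaration sits after the `#endif` in what looks like the middle of a function body; if statements precede it, that is a mixed declaration the C89 dialect this tree targets rejects, and it belongs at the top of the function. The `%d` in the fatal() message also mismatches uid_t on platforms where it is unsigned; `%u` with a cast to unsigned is the usual form. The enclosing function begins and ends outside this hunk.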
diff -ur openssh-3.0.2p1/tildexpand.c openssh-3.0.2p1I/tildexpand.c
--- openssh-3.0.2p1/tildexpand.c Wed Aug 15 17:19:22 2001
+++ openssh-3.0.2p1I/tildexpand.c Sun Jan 27 12:05:14 2002
@@ -16,6 +16,7 @@
#include "xmalloc.h"
#include "log.h"
#include "tildexpand.h"
+#include "buffer.h"
/*
* Expands tildes in the file name. Returns data allocated by xmalloc.
@@ -47,7 +48,7 @@
if (userlen == 0)
pw = getpwuid(my_uid); /* Own home directory. */
else {
- /* Tilde refers to someone elses home directory. */
+ /* Tilde refers to someone else's home directory. */
if (userlen > sizeof(user) - 1)
fatal("User name after tilde too long.");
memcpy(user, filename, userlen);
@@ -70,3 +71,58 @@
snprintf(expanded, len, "%s%s%s", pw->pw_dir, strcmp(pw->pw_dir, "/") ? "/" : "", cp + 1);
return expanded;
}
+
+/*
+ * Given a template and a passwd structure, build a filename
+ * by substituting % tokenised options. Currently, %% becomes '%',
+ * %h becomes the home directory and %u the username.
+ *
+ * This returns a buffer allocated by xmalloc.
+ */
+char *
+expand_filename(const char *filename, struct passwd *pw)
+{
+ Buffer buffer;
+ char *file;
+ const char *cp;
+
+ /*
+ * Build the filename string in the buffer by making the appropriate
+ * substitutions to the given file name.
+ */
+ buffer_init(&buffer);
+ for (cp = filename; *cp; cp++) {
+ if (cp[0] == '%' && cp[1] == '%') {
+ buffer_append(&buffer, "%", 1);
+ cp++;
+ continue;
+ }
+ if (cp[0] == '%' && cp[1] == 'h') {
+ buffer_append(&buffer, pw->pw_dir, strlen(pw->pw_dir));
+ cp++;
+ continue;
+ }
+ if (cp[0] == '%' && cp[1] == 'u') {
+ buffer_append(&buffer, pw->pw_name,
+ strlen(pw->pw_name));
+ cp++;
+ continue;
+ }
+ buffer_append(&buffer, cp, 1);
+ }
+ buffer_append(&buffer, "\0", 1);
+
+ /*
+ * Ensure that filename starts anchored. If not, be backward
+ * compatible and prepend the '%h/'
+ */
+ file = xmalloc(MAXPATHLEN);
+ cp = buffer_ptr(&buffer);
+ if (*cp != '/')
+ snprintf(file, MAXPATHLEN, "%s/%s", pw->pw_dir, cp);
+ else
+ strlcpy(file, cp, MAXPATHLEN);
+
+ buffer_free(&buffer);
+ return file;
+}
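Review bot: In the moved expand_filename, neither `snprintf(file, MAXPATHLEN, "%s/%s", pw->pw_dir, cp)` nor `strlcpy(file, cp, MAXPATHLEN)` checks its return value, so an expanded path longer than MAXPATHLEN is silently truncated and the caller goes on to open a different path than the one configured. This behaviour is carried over from auth.c rather than introduced here, but the function now serves both the client's IdentityFile and the server's AuthorizedKeysFile, where a plausible-but-wrong path is worse than a hard failure. Both calls return the length that would have been needed, so capturing it and adding `if (len >= MAXPATHLEN) fatal("expand_filename: expanded path too long");` after each call closes the gap. The header comment could also state explicitly that the caller owns the returned buffer and must xfree() it, since that contract is what the new client-side call site has to honour.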
diff -ur openssh-3.0.2p1/tildexpand.h openssh-3.0.2p1I/tildexpand.h
--- openssh-3.0.2p1/tildexpand.h Tue Jul 3 22:46:58 2001
+++ openssh-3.0.2p1I/tildexpand.h Sun Jan 27 12:05:14 2002
@@ -13,3 +13,4 @@
*/
char *tilde_expand_filename(const char *, uid_t);
+char *expand_filename(const char *, struct passwd *);
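Review bot: The new prototype names `struct passwd *` in a header that does not itself declare that type; if a translation unit includes tildexpand.h before <pwd.h>, the struct gets prototype scope, the compiler warns that it is not visible outside the parameter list, and the prototype no longer matches the definition. A one-line forward declaration, `struct passwd;`, placed above the prototype makes the header self-contained regardless of include order. Whether any current includer actually hits this depends on include order outside the hunk.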