Contribution to 3.8.1pl1

TDSCAF tdsc.af at infineon.com
Fri May 7 17:37:48 EST 2004


Hi,

The attachment has been removed by some superintelligent
virus filter, so I paste the diff below.

Hello,

I added support for netgroups to be used in the
AllowUsers and DenyUsers parameters. This has some
advantages:
* hostnames or IP addresses need not be written or
  maintained in the sshd_config file, but can be kept
  as abstract names, which also simplifies large-scale
  OpenSSH installations a bit
* sshd_config need not change and sshd need not be
  restarted when changing the list of allowed / denied
  users/hosts in the NIS netgroups

Though considered to be dead some time in the future,
NIS still serves its purpose in many environments.
The netgroups will make their way into LDAP some time
in the future, then I'll probably post another patch.
For now I added the functionality mainly in the match.c
file, adapted man-page files and autoconf to figure
out automatically whether NIS client support is available
on the platform. The attached patch can be applied by
changing to the source directory of 3.8.1pl1 and
running
gunzip < /path/to/openssh-3.8.1p1.patch_af.gz | patch -p 1

Hope this will be included into the official distribution.
Everyone is welcome to review the modifications.

Regards,

 Albert

--
diff -ru openssh-3.8.1p1/CREDITS openssh-3.8.1p1.paf/CREDITS
--- openssh-3.8.1p1/CREDITS	Fri Jan 30 05:00:50 2004
+++ openssh-3.8.1p1.paf/CREDITS	Fri May  7 08:02:14 2004
@@ -4,6 +4,7 @@
 Theo de Raadt, and Dug Song - Creators of OpenSSH
 
 Alain St-Denis <Alain.St-Denis at ec.gc.ca> - Irix fix
+Albert Fluegel <af at muc.de> - netgroup support, autoconf fix
 Alexandre Oliva <oliva at lsd.ic.unicamp.br> - AIX fixes
 Andre Lucas <andre at ae-35.com> - new login code, many fixes
 Andreas Steinmetz <ast at domdv.de> - Shadow password expiry support
diff -ru openssh-3.8.1p1/config.h.in openssh-3.8.1p1.paf/config.h.in
--- openssh-3.8.1p1/config.h.in	Sun Apr 18 14:51:50 2004
+++ openssh-3.8.1p1.paf/config.h.in	Thu May  6 17:23:24 2004
@@ -747,6 +747,12 @@
 /* Define if you have the <rpc/types.h> header file. */
 #undef HAVE_RPC_TYPES_H
 
+/* Define if you have the <rpcsvc/ypclnt.h> header file. */
+#undef HAVE_RPCSVC_YPCLNT_H
+
+/* Define if you have the <rpcsvc/yp_prot.h> header file. */
+#undef HAVE_RPCSVC_YP_PROT_H
+
 /* Define if you have the `rresvport_af' function. */
 #undef HAVE_RRESVPORT_AF
 
@@ -1004,6 +1010,9 @@
 
 /* Define if you have the `waitpid' function. */
 #undef HAVE_WAITPID
+
+/* Define if you have the `yp_match' function. */
+#undef HAVE_YP_MATCH
 
 /* Define if you have the `_getlong' function. */
 #undef HAVE__GETLONG
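Review bot: HAVE_YP_MATCH has no template source other than this hand-edited line. The two header macros in the previous hunk would be regenerated by autoheader from the AC_CHECK_HEADERS list, but this one comes from a bare AC_DEFINE(HAVE_YP_MATCH) in configure.ac and is lost on the next autoreconf unless that AC_DEFINE is given a value and a description (or acconfig.h carries the template).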
diff -ru openssh-3.8.1p1/configure openssh-3.8.1p1.paf/configure
--- openssh-3.8.1p1/configure	Sun Apr 18 14:51:57 2004
+++ openssh-3.8.1p1.paf/configure	Fri May  7 08:23:21 2004
@@ -4907,7 +4907,8 @@
 	getopt.h glob.h ia.h lastlog.h limits.h login.h \
 	login_cap.h maillock.h netdb.h netgroup.h \
 	netinet/in_systm.h pam/pam_appl.h paths.h pty.h readpassphrase.h \
-	rpc/types.h security/pam_appl.h shadow.h stddef.h stdint.h \
+	rpc/types.h rpcsvc/ypclnt.h rpcsvc/yp_prot.h \
+	security/pam_appl.h shadow.h stddef.h stdint.h \
 	strings.h sys/strtio.h sys/audit.h sys/bitypes.h sys/bsdtty.h \
 	sys/cdefs.h sys/mman.h sys/prctl.h sys/pstat.h sys/ptms.h \
 	sys/select.h sys/stat.h sys/stream.h sys/stropts.h \
@@ -5202,6 +5203,13 @@
   LIBS="-lsocket $LIBS"
 
 fi
+
+fi
+
+if test "x$ac_cv_func_yp_match" = "xyes" -o "x$ac_cv_lib_nsl_yp_match" = xyes ; then
+  cat >>confdefs.h <<EOF
+#define HAVE_YP_MATCH 1
+EOF
 
 fi
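Review bot: the lone `+fi` inserted before the new `if test ...` block is hard to verify by eye: the original `fi` / `fi` pair closed two nested blocks, and after the patch the trailing context `fi` closes the new test instead, so the blocks balance only because of where the insertion landed. Since configure is generated, regenerating it from the configure.ac hunk (autoreconf) is safer than hand-balancing shell here; also `"xyes"` and `xyes` should be quoted the same way on both sides of the `-o`.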
 
diff -ru openssh-3.8.1p1/configure.ac openssh-3.8.1p1.paf/configure.ac
--- openssh-3.8.1p1/configure.ac	Sat Apr 17 05:03:07 2004
+++ openssh-3.8.1p1.paf/configure.ac	Thu May  6 16:55:46 2004
@@ -507,7 +507,8 @@
 	getopt.h glob.h ia.h lastlog.h limits.h login.h \
 	login_cap.h maillock.h netdb.h netgroup.h \
 	netinet/in_systm.h pam/pam_appl.h paths.h pty.h readpassphrase.h \
-	rpc/types.h security/pam_appl.h shadow.h stddef.h stdint.h \
+	rpc/types.h rpcsvc/ypclnt.h rpcsvc/yp_prot.h \
+	security/pam_appl.h shadow.h stddef.h stdint.h \
 	strings.h sys/strtio.h sys/audit.h sys/bitypes.h sys/bsdtty.h \
 	sys/cdefs.h sys/mman.h sys/prctl.h sys/pstat.h sys/ptms.h \
 	sys/select.h sys/stat.h sys/stream.h sys/stropts.h \
@@ -517,6 +518,10 @@
 # Checks for libraries.
 AC_CHECK_FUNC(yp_match, , AC_CHECK_LIB(nsl, yp_match))
 AC_CHECK_FUNC(setsockopt, , AC_CHECK_LIB(socket, setsockopt))
+
+if test "x$ac_cv_func_yp_match" = "xyes" -o "x$ac_cv_lib_nsl_yp_match" = xyes ; then
+    AC_DEFINE(HAVE_YP_MATCH)
+fi
 
 dnl SCO OS3 needs this for libwrap
 if test "x$with_tcp_wrappers" != "xno" ; then
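Review bot: AC_DEFINE(HAVE_YP_MATCH) with a single argument gives autoheader neither a value nor a description, so config.h.in cannot be regenerated from this file; `AC_DEFINE(HAVE_YP_MATCH, 1, [Define if you have the yp_match function])` fixes that. The condition itself is right: AC_CHECK_FUNC sets ac_cv_func_yp_match when libc provides the function, and the fallback AC_CHECK_LIB(nsl, yp_match) sets ac_cv_lib_nsl_yp_match and adds -lnsl to LIBS.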
diff -ru openssh-3.8.1p1/includes.h openssh-3.8.1p1.paf/includes.h
--- openssh-3.8.1p1/includes.h	Fri Feb  6 11:29:42 2004
+++ openssh-3.8.1p1.paf/includes.h	Thu May  6 16:51:51 2004
@@ -175,6 +175,13 @@
 # include <libutil.h> /* Openpty on FreeBSD at least */
 #endif
 
+#ifdef	HAVE_RPCSVC_YPCLNT_H
+#include <rpcsvc/ypclnt.h>
+#endif
+#ifdef	HAVE_RPCSVC_YP_PROT_H
+#include <rpcsvc/yp_prot.h>
+#endif
+
 #if defined(KRB5) && defined(USE_AFS)
 # include <krb5.h>
 # include <kafs.h>
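Review bot: style nit: the surrounding block writes `# include <...>` with the hash indented inside `#ifdef HAVE_...` and a single space after #ifdef; the new lines use a tab after #ifdef and an unindented #include. Matching the file's convention keeps this hunk from standing out in later merges.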
diff -ru openssh-3.8.1p1/match.c openssh-3.8.1p1.paf/match.c
--- openssh-3.8.1p1/match.c	Tue Mar  5 02:42:43 2002
+++ openssh-3.8.1p1.paf/match.c	Thu May  6 17:20:22 2004
@@ -198,6 +198,159 @@
 	return 1;
 }
 
+static char *
+first_nospace(const char * str)
+{
+	while(*str && isspace(*str))
+		str++;
+	return(str);
+}
+
+#ifdef	HAVE_YP_MATCH
+
+/*
+ * match entry in netgroup, idx is the number
+ *  of the position in the typical netgroup-triples, starting with 0:
+ *   (host,user,domain) i.e. if idx == 0, then host is matched,
+ *      1 -> user, 2-> domain
+ */
+int
+match_entry_in_netgroup(const char *entry, char *netgroup, const int idx)
+{
+	static char *ypdomain = NULL;
+
+	char *nismatch;
+	char *netgentry;
+	int nismatchlen, len, submatch, ret;
+	char *cptr, *end_triple, *end_val;
+
+	ret = 0;
+	nismatch = NULL;
+
+	if(strlen(netgroup) < 1)
+		goto cleanup;
+
+	if(!ypdomain)
+		if(yp_get_default_domain(&ypdomain))
+			goto cleanup;
+
+	if(yp_match(ypdomain, "netgroup", netgroup, strlen(netgroup),
+				&nismatch, &nismatchlen))
+		goto cleanup;
+
+	nismatch[nismatchlen] = '\0';
+
+	for(cptr = first_nospace(nismatch); *cptr; cptr = first_nospace(cptr)){
+		if(*cptr == '('){
+			cptr = first_nospace(cptr + 1);
+
+			if(!(end_triple = strchr(cptr, ')')))
+				break;
+
+			end_val = strchr(cptr, ',');
+			if(!end_val || end_val > end_triple){	/* invalid netgroup entry */
+				cptr = end_triple + 1;
+				continue;
+			}
+
+			if(idx > 0){
+				cptr = first_nospace(end_val + 1);
+				end_val = strchr(cptr, ',');
+				if(!end_val || end_val > end_triple){
+					cptr = end_triple + 1;
+					continue;
+				}
+
+				if(idx > 1){
+					cptr = first_nospace(end_val + 1);
+					end_val = end_triple;
+				}
+			}
+
+			len = end_val - cptr;
+			netgentry = xstrdup(cptr);
+			netgentry[len] = '\0';
+			while(isspace(netgentry[len - 1]) && len > 0)
+				len--;
+
+			netgentry[len] = '\0';
+			submatch = 0;
+
+			if(len > 0)
+				submatch = !strcmp(netgentry, entry);
+
+			xfree(netgentry);
+
+			if(submatch){
+				ret = 1;
+				goto cleanup;
+			}
+
+			cptr = end_triple + 1;
+		}
+		else{
+			for(end_triple = cptr;
+				*end_triple && !isspace(*end_triple);
+					end_triple++);
+
+			len = end_triple - cptr;
+			end_val = xstrdup(cptr);
+			end_val[len] = '\0';
+
+			submatch = match_entry_in_netgroup(entry, end_val, idx);
+
+			xfree(end_val);
+			if(submatch){
+				ret = 1;
+				goto cleanup;
+			}
+
+			cptr = end_triple;
+		}
+	}
+
+	cleanup:
+	if(nismatch)
+		free(nismatch);
+
+	return ret;
+}
+
+#endif	/* defined(HAVE_YP_MATCH) */
+
+/*
+ * match user in @netgroup
+ */
+int
+match_user_or_netgroup(const char *user, char *pattern)
+{
+	if(pattern[0] != '@')
+		return match_pattern(user, pattern);
+
+#ifdef	HAVE_YP_MATCH
+	return match_entry_in_netgroup(user, pattern + 1, 1);
+#else
+	return 0;
+#endif
+}
+
+/*
+ * match host in @netgroup
+ */
+int
+match_host_and_ip_or_netgroup(const char *host, const char * ipaddr, char *pattern)
+{
+	if(pattern[0] != '@')
+		return match_host_and_ip(host, ipaddr, pattern);
+
+#ifdef	HAVE_YP_MATCH
+	return match_entry_in_netgroup(host, pattern + 1, 0)
+		|| match_entry_in_netgroup(ipaddr, pattern + 1, 0);
+#else
+	return 0;
+#endif
+}
+
 /*
  * match user, user at host_or_ip, user at host_or_ip_list against pattern
  */
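Review bot: `while(isspace(netgentry[len - 1]) && len > 0)` tests the character before it checks the length: for an empty field (a triple such as `(,user,)` matched with idx 0 makes `end_val == cptr`, so `len == 0`) it reads `netgentry[-1]` before the guard runs; swap the operands to `len > 0 && isspace(...)`. Three further points on this hunk. `nismatch[nismatchlen] = '\0'` writes one byte past the length yp_match reported and relies on the NIS client library having allocated that byte; copying the value into an `xmalloc(nismatchlen + 1)` buffer removes the dependency on library behaviour. The recursion in the else branch (`match_entry_in_netgroup(entry, end_val, idx)`) has no depth limit, so a nested netgroup that refers back to itself in the NIS map recurses until sshd runs out of stack; a depth counter or a visited list is needed. Every failure path (`strlen(netgroup) < 1`, no default domain, a yp_match error, and the `#else return 0` branches when HAVE_YP_MATCH is undefined) returns 0, i.e. "no match": that is fail-closed for AllowUsers but fail-open for DenyUsers, whose `@netgroup` entries silently stop denying whenever the NIS server is unreachable or sshd was built without NIS. Returning a distinct error value that the caller treats as "deny", and rejecting `@` patterns at config parse time when netgroups are not compiled in, would close that gap. Smaller items: `first_nospace` takes `const char *` but returns `char *`, dropping the qualifier; `isspace()` should be given `(unsigned char)` values; and the `strcmp` on host names is case-sensitive while `match_host_and_ip` is not, so a netgroup entry and the canonical hostname that differ only in case will not match. Finally, innetgr(3) exists on the platforms that have yp_match and resolves netgroups through nsswitch, which would also cover the files and LDAP backends the cover letter mentions; it is worth considering instead of parsing the raw map value here.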
@@ -208,15 +361,18 @@
 	char *p, *pat;
 	int ret;
 
-	if ((p = strchr(pattern,'@')) == NULL)
-		return match_pattern(user, pattern);
+	if (strlen(pattern) < 1)
+		return 0;
+
+	if ((p = strchr(pattern + 1, '@')) == NULL)
+		return match_user_or_netgroup(user, pattern);
 
 	pat = xstrdup(pattern);
-	p = strchr(pat, '@');
+	p = strchr(pat + 1, '@');
 	*p++ = '\0';
 
-	if ((ret = match_pattern(user, pat)) == 1)
-		ret = match_host_and_ip(host, ipaddr, p);
+	if ((ret = match_user_or_netgroup(user, pat)) == 1)
+		ret = match_host_and_ip_or_netgroup(host, ipaddr, p);
 	xfree(pat);
 
 	return ret;
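Review bot: the hunk needs a comment explaining the two `+ 1` offsets: searching from `pattern + 1` (and `pat + 1`) is what lets a leading `@` mark a netgroup instead of acting as the USER/HOST separator, and the new `strlen(pattern) < 1` guard exists because `pattern + 1` would otherwise point past the terminator of an empty pattern. Without that note the next reader sees two asymmetric strchr calls and no reason for them.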
diff -ru openssh-3.8.1p1/sshd_config.0 openssh-3.8.1p1.paf/sshd_config.0
--- openssh-3.8.1p1/sshd_config.0	Sun Apr 18 14:52:00 2004
+++ openssh-3.8.1p1.paf/sshd_config.0	Thu May  6 17:31:35 2004
@@ -37,7 +37,10 @@
              merical user ID is not recognized.  By default, login is allowed
              for all users.  If the pattern takes the form USER at HOST then USER
              and HOST are separately checked, restricting logins to particular
-             users from particular hosts.
+             users from particular hosts. If NIS is available and netgroup
+             querying is built in, either USER and HOST can be the name of a
+             netgroup of users or hosts, respectively, prefixed with a @ . Then
+             @myusers@@myhosts is a valid entry here.
 
      AuthorizedKeysFile
              Specifies the file that contains the public keys that can be used
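Review bot: sshd_config.0 is the preformatted rendering of sshd_config.5 and should be regenerated from the .5 hunk rather than edited by hand, otherwise the two drift at the next release. In the text, "either USER and HOST can be" should read "either USER or HOST, or both, can be", and `a @ .` leaves a stray space before the period.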
@@ -112,7 +115,10 @@
              is not recognized.  By default, login is allowed for all users.
              If the pattern takes the form USER at HOST then USER and HOST are
              separately checked, restricting logins to particular users from
-             particular hosts.
+             particular hosts. If NIS is available and netgroup querying is
+             built in, either USER and HOST can be the name of a netgroup of
+             users or hosts, respectively, prefixed with the character @ .
+             Then e.g. @myusers@@myhosts is a valid entry here.
 
      GatewayPorts
              Specifies whether remote hosts are allowed to connect to ports
diff -ru openssh-3.8.1p1/sshd_config.5 openssh-3.8.1p1.paf/sshd_config.5
--- openssh-3.8.1p1/sshd_config.5	Wed Apr 14 05:04:36 2004
+++ openssh-3.8.1p1.paf/sshd_config.5	Thu May  6 17:54:27 2004
@@ -96,7 +96,10 @@
 By default, login is allowed for all users.
 If the pattern takes the form USER at HOST then USER and HOST
 are separately checked, restricting logins to particular
-users from particular hosts.
+users from particular hosts. If NIS is available and netgroup
+querying is built in, either USER and HOST can be the name of a
+netgroup of users or hosts, respectively, prefixed with a @ . Then
+ at myusers@@myhosts is a valid entry here.
 .Pp
 .It Cm AuthorizedKeysFile
 Specifies the file that contains the public keys that can be used
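Review bot: the added sentence documents the syntax but not the failure behaviour the match.c hunk implements: a netgroup that cannot be looked up (no NIS domain, NIS server unreachable, or sshd built without yp_match) simply never matches, so for DenyUsers such an entry is silently ignored. The manual page should say so, since an administrator reading `@myusers@@myhosts` will assume the deny is enforced. Wording: "either USER and HOST" should be "either USER or HOST, or both", and `prefixed with a @ .` leaves a space before the period.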
@@ -206,7 +209,10 @@
 By default, login is allowed for all users.
 If the pattern takes the form USER at HOST then USER and HOST
 are separately checked, restricting logins to particular
-users from particular hosts.
+users from particular hosts. If NIS is available and netgroup querying is
+built in, either USER and HOST can be the name of a netgroup of
+users or hosts, respectively, prefixed with the character @ .
+Then e.g. @myusers@@myhosts is a valid entry here.
 .It Cm GatewayPorts
 Specifies whether remote hosts are allowed to connect to ports
 forwarded for the client.

-- 
Albert Fluegel                  science + computing ag
IT Services                     Ingolstaedter Straße 22
phone +49 89 356386 851         80807 Muenchen, Germany
fax   +49 89 356386 737         www.science-computing.de
________________________________at Infineon
tdsc.af at infineon.com            phone +49 89 234 27690
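As an added example, not the patch's code and not OpenSSH's: a hardened variant of the netgroup-triple matcher that the match.c hunk implements, run over a constructed in-memory map in place of yp_match(). The group names, entries, the depth limit of 8 and the tri-state result are all constructed for the example; it keeps the patch's rule that an empty field never matches (innetgr(3) would treat it as a wildcard), bounds nested-group recursion so a cyclic map cannot exhaust the stack, and reports lookup failure separately from "no match" so the caller can fail closed for both Allow and Deny lists.

```c
#include <ctype.h>
#include <string.h>
enum { NG_NOMATCH = 0, NG_MATCH = 1, NG_ERROR = -1 };   /* tri-state, unlike the patch's 0/1 */
/* Constructed stand-in for the NIS "netgroup" map; the patch calls yp_match() here. */
static const char *fake_map[][2] = {
    { "admins",   "(,alice,) (,bob,) ops" },
    { "ops",      "(,carol,) admins" },                /* ops -> admins -> ops: a cycle */
    { "dmzhosts", "(bastion.example.org,,) (10.0.0.7 , , )" },
};
static const char *lookup(const char *group) {
    for (int i = 0; i < 3; i++) if (strcmp(fake_map[i][0], group) == 0) return fake_map[i][1];
    return NULL;   /* unknown group; with real NIS this is also "server unreachable" */
}
static const char *skip(const char *s) { while (isspace((unsigned char)*s)) s++; return s; }
/* One triple field (trailing blanks trimmed) must equal entry; an empty field never matches. */
static int field_eq(const char *s, size_t n, const char *entry) {
    while (n > 0 && isspace((unsigned char)s[n - 1])) n--;
    return n > 0 && strlen(entry) == n && memcmp(s, entry, n) == 0;
}
/* idx selects the field of (host,user,domain); depth bounds nested-group recursion. */
int ng_match(const char *entry, const char *group, int idx, int depth) {
    const char *p, *val, *c;
    if (depth > 8 || (val = lookup(group)) == NULL) return NG_ERROR;
    for (p = skip(val); *p; p = skip(p)) {
        if (*p == '(') {
            const char *end = strchr(p, ')'), *f = p + 1;
            if (end == NULL) return NG_ERROR;          /* malformed entry */
            for (int i = 0; f && i < idx; i++)         /* step over idx commas */
                f = (c = memchr(f, ',', end - f)) ? c + 1 : NULL;
            if (f) {
                f = skip(f); c = memchr(f, ',', end - f);
                if (field_eq(f, (c ? c : end) - f, entry)) return NG_MATCH;
            }
            p = end + 1;
        } else {                                       /* bare word: nested netgroup */
            const char *e = p; char name[64]; int r;
            while (*e && !isspace((unsigned char)*e)) e++;
            if ((size_t)(e - p) >= sizeof name) return NG_ERROR;
            memcpy(name, p, e - p); name[e - p] = '\0';
            if ((r = ng_match(entry, name, idx, depth + 1)) != NG_NOMATCH) return r;
            p = e;
        }
    }
    return NG_NOMATCH;
}

/* Caller policy: only a proven match admits, and a deny list that cannot be evaluated also denies. */
int user_permitted(const char *user, const char *allow_group, const char *deny_group) {
    return ng_match(user, deny_group, 1, 0) == NG_NOMATCH && ng_match(user, allow_group, 1, 0) == NG_MATCH;
}
```

With this map, "dave" in "admins" hits the admins/ops cycle and yields NG_ERROR rather than a silent 0, so user_permitted() refuses rather than treating the unevaluable list as "not denied".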



