Contribution to 3.8.1pl1
TDSCAF
tdsc.af at infineon.com
Fri May 7 17:37:48 EST 2004
Hi,
the attachment has been removed by some superintelligent virus filter, so I paste the diff below.
Hello,
I added support for netgroups to be used in the AllowUsers and DenyUsers parameters. This has some advantages:
* hostnames or IP addresses need not be written or maintained in the sshd_config file, but can be kept as abstract names, which also simplifies large-scale OpenSSH installations a bit
* sshd_config need not change and sshd need not be restarted when changing the list of allowed / denied users/hosts in the NIS netgroups
Though considered to be dead some time in the future, NIS still serves its purpose in many environments. The netgroups will make their way into LDAP some time in the future, then I'll probably post another patch.
For now I added the functionality mainly in the match.c file, adapted the man-page files and autoconf to figure out automatically if NIS client support is available on the platform. The attached patch can be applied by changing to the source directory of 3.8.1pl1 and running
gunzip < /path/to/openssh-3.8.1p1.patch_af.gz | patch -p 1
Hope this will be included into the official distribution. Everyone is welcome to review the modifications.
Regards,
Albert
--
diff -ru openssh-3.8.1p1/CREDITS openssh-3.8.1p1.paf/CREDITS
--- openssh-3.8.1p1/CREDITS Fri Jan 30 05:00:50 2004
+++ openssh-3.8.1p1.paf/CREDITS Fri May 7 08:02:14 2004
@@ -4,6 +4,7 @@
Theo de Raadt, and Dug Song - Creators of OpenSSH
Alain St-Denis <Alain.St-Denis at ec.gc.ca> - Irix fix
+Albert Fluegel <af at muc.de> - netgroup support, autoconf fix
Alexandre Oliva <oliva at lsd.ic.unicamp.br> - AIX fixes
Andre Lucas <andre at ae-35.com> - new login code, many fixes
Andreas Steinmetz <ast at domdv.de> - Shadow password expiry support
diff -ru openssh-3.8.1p1/config.h.in openssh-3.8.1p1.paf/config.h.in
--- openssh-3.8.1p1/config.h.in Sun Apr 18 14:51:50 2004
+++ openssh-3.8.1p1.paf/config.h.in Thu May 6 17:23:24 2004
@@ -747,6 +747,12 @@
/* Define if you have the <rpc/types.h> header file. */
#undef HAVE_RPC_TYPES_H
+/* Define if you have the <rpcsvc/ypclnt.h> header file. */
+#undef HAVE_RPCSVC_YPCLNT_H
+
+/* Define if you have the <rpcsvc/yp_prot.h> header file. */
+#undef HAVE_RPCSVC_YP_PROT_H
+
/* Define if you have the `rresvport_af' function. */
#undef HAVE_RRESVPORT_AF
@@ -1004,6 +1010,9 @@
/* Define if you have the `waitpid' function. */
#undef HAVE_WAITPID
+
+/* Define if you have the `yp_match' function. */
+#undef HAVE_YP_MATCH
/* Define if you have the `_getlong' function. */
#undef HAVE__GETLONG
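Review bot: config.h.in is generated by autoheader from configure.ac, so this hand edit is overwritten at the next autoreconf; giving the AC_DEFINE in configure.ac a description produces these entries automatically. In the second hunk the added blank line also sits before the new comment instead of after `#undef HAVE_YP_MATCH`, which leaves no separation before the `_getlong` entry; the first hunk has the spacing right.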
diff -ru openssh-3.8.1p1/configure openssh-3.8.1p1.paf/configure
--- openssh-3.8.1p1/configure Sun Apr 18 14:51:57 2004
+++ openssh-3.8.1p1.paf/configure Fri May 7 08:23:21 2004
@@ -4907,7 +4907,8 @@
getopt.h glob.h ia.h lastlog.h limits.h login.h \
login_cap.h maillock.h netdb.h netgroup.h \
netinet/in_systm.h pam/pam_appl.h paths.h pty.h readpassphrase.h \
- rpc/types.h security/pam_appl.h shadow.h stddef.h stdint.h \
+ rpc/types.h rpcsvc/ypclnt.h rpcsvc/yp_prot.h \
+ security/pam_appl.h shadow.h stddef.h stdint.h \
strings.h sys/strtio.h sys/audit.h sys/bitypes.h sys/bsdtty.h \
sys/cdefs.h sys/mman.h sys/prctl.h sys/pstat.h sys/ptms.h \
sys/select.h sys/stat.h sys/stream.h sys/stropts.h \
@@ -5202,6 +5203,13 @@
LIBS="-lsocket $LIBS"
fi
+
+fi
+
+if test "x$ac_cv_func_yp_match" = "xyes" -o "x$ac_cv_lib_nsl_yp_match" = xyes ; then
+ cat >>confdefs.h <<EOF
+#define HAVE_YP_MATCH 1
+EOF
fi
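Review bot: configure is a generated file as well; the hunk mirrors the configure.ac change correctly, but upstream regenerates it, so the patch can drop it and state that autoreconf is needed after applying.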
diff -ru openssh-3.8.1p1/configure.ac openssh-3.8.1p1.paf/configure.ac
--- openssh-3.8.1p1/configure.ac Sat Apr 17 05:03:07 2004
+++ openssh-3.8.1p1.paf/configure.ac Thu May 6 16:55:46 2004
@@ -507,7 +507,8 @@
getopt.h glob.h ia.h lastlog.h limits.h login.h \
login_cap.h maillock.h netdb.h netgroup.h \
netinet/in_systm.h pam/pam_appl.h paths.h pty.h readpassphrase.h \
- rpc/types.h security/pam_appl.h shadow.h stddef.h stdint.h \
+ rpc/types.h rpcsvc/ypclnt.h rpcsvc/yp_prot.h \
+ security/pam_appl.h shadow.h stddef.h stdint.h \
strings.h sys/strtio.h sys/audit.h sys/bitypes.h sys/bsdtty.h \
sys/cdefs.h sys/mman.h sys/prctl.h sys/pstat.h sys/ptms.h \
sys/select.h sys/stat.h sys/stream.h sys/stropts.h \
@@ -517,6 +518,10 @@
# Checks for libraries.
AC_CHECK_FUNC(yp_match, , AC_CHECK_LIB(nsl, yp_match))
AC_CHECK_FUNC(setsockopt, , AC_CHECK_LIB(socket, setsockopt))
+
+if test "x$ac_cv_func_yp_match" = "xyes" -o "x$ac_cv_lib_nsl_yp_match" = xyes ; then
+ AC_DEFINE(HAVE_YP_MATCH)
+fi
dnl SCO OS3 needs this for libwrap
if test "x$with_tcp_wrappers" != "xno" ; then
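Review bot: `AC_DEFINE(HAVE_YP_MATCH)` should be `AC_DEFINE(HAVE_YP_MATCH, 1, [Define if you have the yp_match function])`, which sets the value explicitly and lets autoheader generate the config.h.in entry that this patch edits by hand. The test itself is needed, since AC_CHECK_FUNC with an empty action-if-found defines nothing, and checking both ac_cv_func_yp_match and ac_cv_lib_nsl_yp_match covers the libnsl fallback; just quote both comparisons the same way (`"xyes"` vs `xyes`).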
diff -ru openssh-3.8.1p1/includes.h openssh-3.8.1p1.paf/includes.h
--- openssh-3.8.1p1/includes.h Fri Feb 6 11:29:42 2004
+++ openssh-3.8.1p1.paf/includes.h Thu May 6 16:51:51 2004
@@ -175,6 +175,13 @@
# include <libutil.h> /* Openpty on FreeBSD at least */
#endif
+#ifdef HAVE_RPCSVC_YPCLNT_H
+#include <rpcsvc/ypclnt.h>
+#endif
+#ifdef HAVE_RPCSVC_YP_PROT_H
+#include <rpcsvc/yp_prot.h>
+#endif
+
#if defined(KRB5) && defined(USE_AFS)
# include <krb5.h>
# include <kafs.h>
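Review bot: these two headers are pulled into every compilation unit via includes.h although only match.c uses yp_match; including them in match.c under `#ifdef HAVE_YP_MATCH` keeps the NIS dependency local. The guards should also be tied to HAVE_YP_MATCH, because the headers are only useful when the function is actually usable.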
diff -ru openssh-3.8.1p1/match.c openssh-3.8.1p1.paf/match.c
--- openssh-3.8.1p1/match.c Tue Mar 5 02:42:43 2002
+++ openssh-3.8.1p1.paf/match.c Thu May 6 17:20:22 2004
@@ -198,6 +198,159 @@
return 1;
}
+static char *
+first_nospace(const char * str)
+{
+ while(*str && isspace(*str))
+ str++;
+ return(str);
+}
+
+#ifdef HAVE_YP_MATCH
+
+/*
+ * match entry in netgroup, idx is the number
+ * of the position in the typical netgroup-triples, starting with 0:
+ * (host,user,domain) i.e. if idx == 0, then host is matched,
+ * 1 -> user, 2-> domain
+ */
+int
+match_entry_in_netgroup(const char *entry, char *netgroup, const int idx)
+{
+ static char *ypdomain = NULL;
+
+ char *nismatch;
+ char *netgentry;
+ int nismatchlen, len, submatch, ret;
+ char *cptr, *end_triple, *end_val;
+
+ ret = 0;
+ nismatch = NULL;
+
+ if(strlen(netgroup) < 1)
+ goto cleanup;
+
+ if(!ypdomain)
+ if(yp_get_default_domain(&ypdomain))
+ goto cleanup;
+
+ if(yp_match(ypdomain, "netgroup", netgroup, strlen(netgroup),
+ &nismatch, &nismatchlen))
+ goto cleanup;
+
+ nismatch[nismatchlen] = '\0';
+
+ for(cptr = first_nospace(nismatch); *cptr; cptr = first_nospace(cptr)){
+ if(*cptr == '('){
+ cptr = first_nospace(cptr + 1);
+
+ if(!(end_triple = strchr(cptr, ')')))
+ break;
+
+ end_val = strchr(cptr, ',');
+ if(!end_val || end_val > end_triple){ /* invalid netgroup entry */
+ cptr = end_triple + 1;
+ continue;
+ }
+
+ if(idx > 0){
+ cptr = first_nospace(end_val + 1);
+ end_val = strchr(cptr, ',');
+ if(!end_val || end_val > end_triple){
+ cptr = end_triple + 1;
+ continue;
+ }
+
+ if(idx > 1){
+ cptr = first_nospace(end_val + 1);
+ end_val = end_triple;
+ }
+ }
+
+ len = end_val - cptr;
+ netgentry = xstrdup(cptr);
+ netgentry[len] = '\0';
+ while(isspace(netgentry[len - 1]) && len > 0)
+ len--;
+
+ netgentry[len] = '\0';
+ submatch = 0;
+
+ if(len > 0)
+ submatch = !strcmp(netgentry, entry);
+
+ xfree(netgentry);
+
+ if(submatch){
+ ret = 1;
+ goto cleanup;
+ }
+
+ cptr = end_triple + 1;
+ }
+ else{
+ for(end_triple = cptr;
+ *end_triple && !isspace(*end_triple);
+ end_triple++);
+
+ len = end_triple - cptr;
+ end_val = xstrdup(cptr);
+ end_val[len] = '\0';
+
+ submatch = match_entry_in_netgroup(entry, end_val, idx);
+
+ xfree(end_val);
+ if(submatch){
+ ret = 1;
+ goto cleanup;
+ }
+
+ cptr = end_triple;
+ }
+ }
+
+ cleanup:
+ if(nismatch)
+ free(nismatch);
+
+ return ret;
+}
+
+#endif /* defined(HAVE_YP_MATCH) */
+
+/*
+ * match user in @netgroup
+ */
+int
+match_user_or_netgroup(const char *user, char *pattern)
+{
+ if(pattern[0] != '@')
+ return match_pattern(user, pattern);
+
+#ifdef HAVE_YP_MATCH
+ return match_entry_in_netgroup(user, pattern + 1, 1);
+#else
+ return 0;
+#endif
+}
+
+/*
+ * match host in @netgroup
+ */
+int
+match_host_and_ip_or_netgroup(const char *host, const char * ipaddr, char *pattern)
+{
+ if(pattern[0] != '@')
+ return match_host_and_ip(host, ipaddr, pattern);
+
+#ifdef HAVE_YP_MATCH
+ return match_entry_in_netgroup(host, pattern + 1, 0)
+ || match_entry_in_netgroup(ipaddr, pattern + 1, 0);
+#else
+ return 0;
+#endif
+}
+
/*
* match user, user at host_or_ip, user at host_or_ip_list against pattern
*/
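Review bot: match_entry_in_netgroup recurses into every non-triple token with no depth limit and no list of names already expanded, so a netgroup that contains itself directly or through another group makes sshd recurse until the stack is exhausted; track visited names or cap the depth. Two smaller defects in the same function: the trailing-whitespace loop evaluates `isspace(netgentry[len - 1])` before `len > 0`, so an empty field (for example the `(,user,)` wildcard form) reads netgentry[-1]; write it as `len > 0 && isspace(...)`. And `nismatch[nismatchlen] = '\0'` stores one byte past the length yp_match reported, relying on the library having allocated room for a terminator; copying the value into an xmalloc(nismatchlen + 1) buffer removes that dependency. Semantically, an empty triple field is a wildcard in netgroups, but here it becomes a zero-length string that never matches, and the domain field is never checked; innetgr(3), which libc provides wherever netgroups are supported, implements nesting, wildcards and the domain check and also serves non-NIS netgroup sources, so building on it would replace most of this parser. Minor: `first_nospace` takes a const char * and returns it as char *, discarding the qualifier. More importantly, the `#else` branches that return 0 mean that on a build without yp_match a `DenyUsers @group` entry silently never matches, so the deny is lost instead of reported; rejecting `@` patterns in the config parser when support is not compiled in, or at least logging it, would be safer.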
@@ -208,15 +361,18 @@
char *p, *pat;
int ret;
- if ((p = strchr(pattern,'@')) == NULL)
- return match_pattern(user, pattern);
+ if (strlen(pattern) < 1)
+ return 0;
+
+ if ((p = strchr(pattern + 1, '@')) == NULL)
+ return match_user_or_netgroup(user, pattern);
pat = xstrdup(pattern);
- p = strchr(pat, '@');
+ p = strchr(pat + 1, '@');
*p++ = '\0';
- if ((ret = match_pattern(user, pat)) == 1)
- ret = match_host_and_ip(host, ipaddr, p);
+ if ((ret = match_user_or_netgroup(user, pat)) == 1)
+ ret = match_host_and_ip_or_netgroup(host, ipaddr, p);
xfree(pat);
return ret;
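Review bot: searching for the separator with `strchr(pattern + 1, '@')` makes a bare `@group` a user netgroup and requires `@@` to introduce a host netgroup, but neither the comment above this function (`match user, user@host_or_ip, ...`) nor the documentation hunks state that a pattern consisting only of `@group` restricts users rather than hosts; document both rules. The new `strlen(pattern) < 1` guard is fine, but it is a behaviour change for an empty pattern and deserves a mention in the change description.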
diff -ru openssh-3.8.1p1/sshd_config.0 openssh-3.8.1p1.paf/sshd_config.0
--- openssh-3.8.1p1/sshd_config.0 Sun Apr 18 14:52:00 2004
+++ openssh-3.8.1p1.paf/sshd_config.0 Thu May 6 17:31:35 2004
@@ -37,7 +37,10 @@
merical user ID is not recognized. By default, login is allowed
for all users. If the pattern takes the form USER at HOST then USER
and HOST are separately checked, restricting logins to particular
- users from particular hosts.
+ users from particular hosts. If NIS is available and netgroup
+ querying is built in, either USER and HOST can be the name of a
+ netgroup of users or hosts, respectively, prefixed with a @ . Then
+ @myusers@@myhosts is a valid entry here.
AuthorizedKeysFile
Specifies the file that contains the public keys that can be used
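Review bot: "either USER and HOST can be the name of a netgroup" should read "either USER or HOST (or both)", and the space in "@ ." should go, since the period is sentence punctuation. sshd_config.0 is the preformatted rendering of sshd_config.5, so only the .5 change belongs in the patch; the .0 file is regenerated at release time.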
@@ -112,7 +115,10 @@
is not recognized. By default, login is allowed for all users.
If the pattern takes the form USER at HOST then USER and HOST are
separately checked, restricting logins to particular users from
- particular hosts.
+ particular hosts. If NIS is available and netgroup querying is
+ built in, either USER and HOST can be the name of a netgroup of
+ users or hosts, respectively, prefixed with the character @ .
+ Then e.g. @myusers@@myhosts is a valid entry here.
GatewayPorts
Specifies whether remote hosts are allowed to connect to ports
diff -ru openssh-3.8.1p1/sshd_config.5 openssh-3.8.1p1.paf/sshd_config.5
--- openssh-3.8.1p1/sshd_config.5 Wed Apr 14 05:04:36 2004
+++ openssh-3.8.1p1.paf/sshd_config.5 Thu May 6 17:54:27 2004
@@ -96,7 +96,10 @@
By default, login is allowed for all users.
If the pattern takes the form USER at HOST then USER and HOST
are separately checked, restricting logins to particular
-users from particular hosts.
+users from particular hosts. If NIS is available and netgroup
+querying is built in, either USER and HOST can be the name of a
+netgroup of users or hosts, respectively, prefixed with a @ . Then
+ at myusers@@myhosts is a valid entry here.
.Pp
.It Cm AuthorizedKeysFile
Specifies the file that contains the public keys that can be used
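Review bot: the example line begins with whitespace, which nroff treats as a forced break, so start it at column 0 or set the example in its own paragraph with `.Pp`. The wording should also match the DenyUsers hunk below, which says "prefixed with the character @" and "Then e.g."; pick one form for both, and change "either USER and HOST" to "either USER or HOST".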
@@ -206,7 +209,10 @@
By default, login is allowed for all users.
If the pattern takes the form USER at HOST then USER and HOST
are separately checked, restricting logins to particular
-users from particular hosts.
+users from particular hosts. If NIS is available and netgroup querying is
+built in, either USER and HOST can be the name of a netgroup of
+users or hosts, respectively, prefixed with the character @ .
+Then e.g. @myusers@@myhosts is a valid entry here.
.It Cm GatewayPorts
Specifies whether remote hosts are allowed to connect to ports
forwarded for the client.
--
Albert Fluegel, science + computing ag, IT Services
Ingolstaedter Straße 22, 80807 Muenchen, Germany
phone +49 89 356386 851, fax +49 89 356386 737, www.science-computing.de
at Infineon: tdsc.af at infineon.com, phone +49 89 234 27690