- djm@cvs.openbsd.org 2012/11/04 10:38:43
     [auth2-pubkey.c sshd.c sshd_config.5]
     Remove default of AuthorizedCommandUser. Administrators are now expected
     to explicitly specify a user. feedback and ok markus@
diff --git a/ChangeLog b/ChangeLog
index f1d0580..120c132 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -3,6 +3,10 @@
    - jmc@cvs.openbsd.org 2012/10/31 08:04:50
      [sshd_config.5]
      tweak previous;
+   - djm@cvs.openbsd.org 2012/11/04 10:38:43
+     [auth2-pubkey.c sshd.c sshd_config.5]
+     Remove default of AuthorizedCommandUser. Administrators are now expected
+     to explicitly specify a user. feedback and ok markus@
 
 20121030
  - (djm) OpenBSD CVS Sync
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index ec8f75d..6a62170 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-pubkey.c,v 1.31 2012/10/30 21:29:54 djm Exp $ */
+/* $OpenBSD: auth2-pubkey.c,v 1.32 2012/11/04 10:38:43 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -462,24 +462,28 @@
 	struct stat st;
 	int status, devnull, p[2], i;
 	pid_t pid;
-	char errmsg[512];
+	char *username, errmsg[512];
 
 	if (options.authorized_keys_command == NULL ||
 	    options.authorized_keys_command[0] != '/')
 		return 0;
 
-	/* If no user specified to run commands the default to target user */
-	if (options.authorized_keys_command_user == NULL)
-		pw = user_pw;
-	else {
-		pw = getpwnam(options.authorized_keys_command_user);
-		if (pw == NULL) {
-			error("AuthorizedKeyCommandUser \"%s\" not found: %s",
-			    options.authorized_keys_command, strerror(errno));
-			return 0;
-		}
+	if (options.authorized_keys_command_user == NULL) {
+		error("No user for AuthorizedKeysCommand specified, skipping");
+		return 0;
 	}
 
+	username = percent_expand(options.authorized_keys_command_user,
+	    "u", user_pw->pw_name, (char *)NULL);
+	pw = getpwnam(username);
+	if (pw == NULL) {
+		error("AuthorizedKeyCommandUser \"%s\" not found: %s",
+		    options.authorized_keys_command, strerror(errno));
+		free(username);
+		return 0;
+	}
+	free(username);
+
 	temporarily_use_uid(pw);
 
 	if (stat(options.authorized_keys_command, &st) < 0) {
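Review bot: The error message on the failed lookup reports the wrong value: it says `AuthorizedKeyCommandUser "%s" not found` but passes `options.authorized_keys_command` (the command path) instead of the name that was actually looked up, and the new code now has that name in `username`, so the call should be `error("AuthorizedKeysCommandUser \"%s\" not found: %s", username, strerror(errno));` placed before the `free(username)`. Two smaller points on the same lines: the keyword is spelt "AuthorizedKeysCommandUser" in the `fatal()` added to sshd.c in this commit, so the log text here should match, and getpwnam() is not required to set errno on a plain miss, so the strerror() part may print a stale value unless `errno = 0;` is set before the lookup (or the strerror() is dropped). The enclosing function starts before this hunk.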
@@ -517,6 +521,7 @@
 		for (i = 0; i < NSIG; i++)
 			signal(i, SIG_DFL);
 
+		closefrom(STDERR_FILENO + 1);
 		/* Don't use permanently_set_uid() here to avoid fatal() */
 		if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) != 0) {
 			error("setresgid %u: %s", (u_int)pw->pw_gid,
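Review bot: Moving `closefrom(STDERR_FILENO + 1);` up to this point appears to close the pipe end the child still needs: the hunk at @@ -541 shows the dup2 error path immediately followed by the old position of the call, so on the new side `dup2(p[1], STDOUT_FILENO)` runs after closefrom(), and if `p[]` is the pipe the parent created before the fork (which the surrounding structure suggests but the hunks do not show) `p[1]` is a descriptor above 2 that is already closed, the dup2 fails with EBADF and the child takes the `_exit(1)` path. The observable effect would be that the command's output never reaches the parent and key lookup via AuthorizedKeysCommand fails on every connection, a fail-closed outcome but a hard one to diagnose from the logs. The call should remain after the dup2 block, i.e. keep the line removed in the @@ -541 hunk and drop the one added here; alternatively perform the dup2 calls before closefrom(). The child branch and the dup2 call itself lie outside both hunks.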
@@ -541,7 +546,6 @@
 			error("%s: dup2: %s", __func__, strerror(errno));
 			_exit(1);
 		}
-		closefrom(STDERR_FILENO + 1);
 
 		execl(options.authorized_keys_command,
 		    options.authorized_keys_command, pw->pw_name, NULL);
diff --git a/sshd.c b/sshd.c
index eff0290..4ad1a4b 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshd.c,v 1.394 2012/10/30 21:29:55 djm Exp $ */
+/* $OpenBSD: sshd.c,v 1.395 2012/11/04 10:38:43 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1559,6 +1559,13 @@
 	if (options.challenge_response_authentication)
 		options.kbd_interactive_authentication = 1;
 
+	/* Check that options are sensible */
+	if (options.authorized_keys_command_user == NULL &&
+	    (options.authorized_keys_command != NULL &&
+	    strcasecmp(options.authorized_keys_command, "none") != 0))
+		fatal("AuthorizedKeysCommand set without "
+		    "AuthorizedKeysCommandUser");
+
 	/* set default channel AF */
 	channel_set_af(options.address_family);
 
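Review bot: The new guard only checks the global value at startup, so if AuthorizedKeysCommand may also be set inside a Match block (not visible in this diff) a block that sets it without a matching AuthorizedKeysCommandUser passes this check and only surfaces per-connection as the `"No user for AuthorizedKeysCommand specified, skipping"` error in auth2-pubkey.c; that is fail-closed but worth stating in the comment so the two checks are understood together. The comment `/* Check that options are sensible */` is generic for one specific rule; `/* AuthorizedKeysCommand has no default run-as user; refuse to start without one */` says what is enforced. Style: a multi-line `if` condition guarding a multi-line `fatal()` reads more safely with braces around the body. A further fail-closed option, when the configured user contains no `%` tokens, would be to resolve it with getpwnam() here so a mistyped name is reported at startup rather than at the first public-key login.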
diff --git a/sshd_config.5 b/sshd_config.5
index 3cc901a..0fb0b83 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.147 2012/10/31 08:04:50 jmc Exp $
-.Dd $Mdocdate: October 31 2012 $
+.\" $OpenBSD: sshd_config.5,v 1.148 2012/11/04 10:38:43 djm Exp $
+.Dd $Mdocdate: November 4 2012 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -166,7 +166,6 @@
 By default, no AuthorizedKeysCommand is run.
 .It Cm AuthorizedKeysCommandUser
 Specifies the user under whose account the AuthorizedKeysCommand is run.
-The default is the user being authenticated.
 It is recommended to use a dedicated user that has no other role on the host
 than running authorized keys commands.
 .It Cm AuthorizedKeysFile