summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJan Cholasta <jcholast@redhat.com>2013-04-26 09:53:47 +0200
committerJakub Hrozek <jhrozek@redhat.com>2013-05-07 14:23:51 +0200
commit728b10c81204929be5669c1e67bd086e09c47c00 (patch)
tree65ca341e759ee75126e24d21d2dea3d53ea71f36
parentf54b271376b23cb968eafb9ffd5100c6dadad2a7 (diff)
downloadsssd-728b10c81204929be5669c1e67bd086e09c47c00.tar.gz
sssd-728b10c81204929be5669c1e67bd086e09c47c00.tar.bz2
sssd-728b10c81204929be5669c1e67bd086e09c47c00.zip
SSH: Fix parsing of names from client requests
Try to parse names in the form user@domain first, as that's what sss_ssh_* send in requests when the --domain option is used. Do not parse host names using domain-specific regular expression.
-rw-r--r--src/responder/ssh/sshsrv.c8
-rw-r--r--src/responder/ssh/sshsrv_cmd.c23
-rw-r--r--src/responder/ssh/sshsrv_private.h2
3 files changed, 30 insertions, 3 deletions
diff --git a/src/responder/ssh/sshsrv.c b/src/responder/ssh/sshsrv.c
index 8a66f223..410e631a 100644
--- a/src/responder/ssh/sshsrv.c
+++ b/src/responder/ssh/sshsrv.c
@@ -118,6 +118,14 @@ int ssh_process_init(TALLOC_CTX *mem_ctx,
ssh_ctx->rctx = rctx;
ssh_ctx->rctx->pvt_ctx = ssh_ctx;
+ ret = sss_names_init_from_args(ssh_ctx,
+ "(?P<name>[^@]+)@?(?P<domain>[^@]*$)",
+ "%1$s@%2$s", &ssh_ctx->snctx);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE, ("fatal error initializing regex data\n"));
+ goto fail;
+ }
+
/* Enable automatic reconnection to the Data Provider */
ret = confdb_get_int(ssh_ctx->rctx->cdb,
CONFDB_SSH_CONF_ENTRY,
diff --git a/src/responder/ssh/sshsrv_cmd.c b/src/responder/ssh/sshsrv_cmd.c
index 671160ea..374abe6c 100644
--- a/src/responder/ssh/sshsrv_cmd.c
+++ b/src/responder/ssh/sshsrv_cmd.c
@@ -55,6 +55,7 @@ sss_ssh_cmd_get_user_pubkeys(struct cli_ctx *cctx)
return ENOMEM;
}
cmd_ctx->cctx = cctx;
+ cmd_ctx->is_user = true;
ret = ssh_cmd_parse_request(cmd_ctx);
if (ret != EOK) {
@@ -101,6 +102,7 @@ sss_ssh_cmd_get_host_pubkeys(struct cli_ctx *cctx)
return ENOMEM;
}
cmd_ctx->cctx = cctx;
+ cmd_ctx->is_user = false;
ret = ssh_cmd_parse_request(cmd_ctx);
if (ret != EOK) {
@@ -673,6 +675,8 @@ static errno_t
ssh_cmd_parse_request(struct ssh_cmd_ctx *cmd_ctx)
{
struct cli_ctx *cctx = cmd_ctx->cctx;
+ struct ssh_ctx *ssh_ctx = talloc_get_type(cctx->rctx->pvt_ctx,
+ struct ssh_ctx);
errno_t ret;
uint8_t *body;
size_t body_len;
@@ -705,14 +709,27 @@ ssh_cmd_parse_request(struct ssh_cmd_ctx *cmd_ctx)
}
c += name_len;
- ret = sss_parse_name_for_domains(cmd_ctx, cctx->rctx->domains,
- cctx->rctx->default_domain,name,
- &cmd_ctx->domname, &cmd_ctx->name);
+ ret = sss_parse_name(cmd_ctx, ssh_ctx->snctx, name,
+ &cmd_ctx->domname, &cmd_ctx->name);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, ("Invalid name received [%s]\n", name));
return ENOENT;
}
+ if (cmd_ctx->is_user && cmd_ctx->domname == NULL) {
+ name = cmd_ctx->name;
+
+ ret = sss_parse_name_for_domains(cmd_ctx, cctx->rctx->domains,
+ cctx->rctx->default_domain, name,
+ &cmd_ctx->domname,
+ &cmd_ctx->name);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ ("Invalid name received [%s]\n", name));
+ return ENOENT;
+ }
+ }
+
if (flags & 1) {
SAFEALIGN_COPY_UINT32_CHECK(&alias_len, body+c, body_len, &c);
if (alias_len == 0 || alias_len > body_len - c) {
diff --git a/src/responder/ssh/sshsrv_private.h b/src/responder/ssh/sshsrv_private.h
index 296bd94a..ebb30ce7 100644
--- a/src/responder/ssh/sshsrv_private.h
+++ b/src/responder/ssh/sshsrv_private.h
@@ -28,6 +28,7 @@
struct ssh_ctx {
struct resp_ctx *rctx;
+ struct sss_names_ctx *snctx;
bool hash_known_hosts;
int known_hosts_timeout;
@@ -38,6 +39,7 @@ struct ssh_cmd_ctx {
char *name;
char *alias;
char *domname;
+ bool is_user;
struct sss_domain_info *domain;
bool check_next;