author | Jan Cholasta <jcholast@redhat.com> | 2013-04-26 09:53:47 +0200 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2013-05-07 14:23:51 +0200 |
commit | 728b10c81204929be5669c1e67bd086e09c47c00 (patch) | |
tree | 65ca341e759ee75126e24d21d2dea3d53ea71f36 | |
parent | f54b271376b23cb968eafb9ffd5100c6dadad2a7 (diff) | |
SSH: Fix parsing of names from client requests
Try to parse names in the form user@domain first, as that's what sss_ssh_*
send in requests when the --domain option is used. Do not parse host names
using the domain-specific regular expression.
-rw-r--r-- | src/responder/ssh/sshsrv.c | 8 | ||||
-rw-r--r-- | src/responder/ssh/sshsrv_cmd.c | 23 | ||||
-rw-r--r-- | src/responder/ssh/sshsrv_private.h | 2 |
3 files changed, 30 insertions, 3 deletions
diff --git a/src/responder/ssh/sshsrv.c b/src/responder/ssh/sshsrv.c
index 8a66f223..410e631a 100644
--- a/src/responder/ssh/sshsrv.c
+++ b/src/responder/ssh/sshsrv.c
@@ -118,6 +118,14 @@ int ssh_process_init(TALLOC_CTX *mem_ctx,
     ssh_ctx->rctx = rctx;
     ssh_ctx->rctx->pvt_ctx = ssh_ctx;
 
+    ret = sss_names_init_from_args(ssh_ctx,
+                                   "(?P<name>[^@]+)@?(?P<domain>[^@]*$)",
+                                   "%1$s@%2$s", &ssh_ctx->snctx);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_FATAL_FAILURE, ("fatal error initializing regex data\n"));
+        goto fail;
+    }
+
     /* Enable automatic reconnection to the Data Provider */
     ret = confdb_get_int(ssh_ctx->rctx->cdb,
                          CONFDB_SSH_CONF_ENTRY,
diff --git a/src/responder/ssh/sshsrv_cmd.c b/src/responder/ssh/sshsrv_cmd.c
index 671160ea..374abe6c 100644
--- a/src/responder/ssh/sshsrv_cmd.c
+++ b/src/responder/ssh/sshsrv_cmd.c
@@ -55,6 +55,7 @@ sss_ssh_cmd_get_user_pubkeys(struct cli_ctx *cctx)
         return ENOMEM;
     }
     cmd_ctx->cctx = cctx;
+    cmd_ctx->is_user = true;
 
     ret = ssh_cmd_parse_request(cmd_ctx);
     if (ret != EOK) {
@@ -101,6 +102,7 @@ sss_ssh_cmd_get_host_pubkeys(struct cli_ctx *cctx)
         return ENOMEM;
     }
     cmd_ctx->cctx = cctx;
+    cmd_ctx->is_user = false;
 
     ret = ssh_cmd_parse_request(cmd_ctx);
     if (ret != EOK) {
@@ -673,6 +675,8 @@ static errno_t
 ssh_cmd_parse_request(struct ssh_cmd_ctx *cmd_ctx)
 {
     struct cli_ctx *cctx = cmd_ctx->cctx;
+    struct ssh_ctx *ssh_ctx = talloc_get_type(cctx->rctx->pvt_ctx,
+                                              struct ssh_ctx);
     errno_t ret;
     uint8_t *body;
     size_t body_len;
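Review bot: The name regex handed to sss_names_init_from_args in ssh_process_init, `(?P<name>[^@]+)@?(?P<domain>[^@]*$)`, anchors only the end of the subject, so if the library compiles and runs it unanchored a request name with a leading `@` (for example `@example.com`) matches from offset 1 and is parsed as name `example.com` with an empty domain instead of being rejected. Consider `^(?P<name>[^@]+)@?(?P<domain>[^@]*$)` so the whole request name has to match, or note in a comment that start anchoring is provided by the library. The message `fatal error initializing regex data` does not say which regex failed; mentioning the SSH request-name regex would help when several sss_names_init_* calls can fail at startup. ssh_process_init begins and ends outside the hunk, so the `fail` label and its cleanup are not visible here.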
@@ -705,14 +709,27 @@ ssh_cmd_parse_request(struct ssh_cmd_ctx *cmd_ctx)
     }
     c += name_len;
 
-    ret = sss_parse_name_for_domains(cmd_ctx, cctx->rctx->domains,
-                                     cctx->rctx->default_domain,name,
-                                     &cmd_ctx->domname, &cmd_ctx->name);
+    ret = sss_parse_name(cmd_ctx, ssh_ctx->snctx, name,
+                         &cmd_ctx->domname, &cmd_ctx->name);
     if (ret != EOK) {
         DEBUG(SSSDBG_OP_FAILURE, ("Invalid name received [%s]\n", name));
         return ENOENT;
     }
 
+    if (cmd_ctx->is_user && cmd_ctx->domname == NULL) {
+        name = cmd_ctx->name;
+
+        ret = sss_parse_name_for_domains(cmd_ctx, cctx->rctx->domains,
+                                         cctx->rctx->default_domain, name,
+                                         &cmd_ctx->domname,
+                                         &cmd_ctx->name);
+        if (ret != EOK) {
+            DEBUG(SSSDBG_OP_FAILURE,
+                  ("Invalid name received [%s]\n", name));
+            return ENOENT;
+        }
+    }
+
     if (flags & 1) {
         SAFEALIGN_COPY_UINT32_CHECK(&alias_len, body+c, body_len, &c);
         if (alias_len == 0 || alias_len > body_len - c) {
diff --git a/src/responder/ssh/sshsrv_private.h b/src/responder/ssh/sshsrv_private.h
index 296bd94a..ebb30ce7 100644
--- a/src/responder/ssh/sshsrv_private.h
+++ b/src/responder/ssh/sshsrv_private.h
@@ -28,6 +28,7 @@ struct ssh_ctx {
     struct resp_ctx *rctx;
+    struct sss_names_ctx *snctx;
 
     bool hash_known_hosts;
     int known_hosts_timeout;
@@ -38,6 +39,7 @@ struct ssh_cmd_ctx {
     char *name;
     char *alias;
     char *domname;
+    bool is_user;
 
     struct sss_domain_info *domain;
     bool check_next; |
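Review bot: In ssh_cmd_parse_request the domain captured by sss_parse_name from a `user@domain` request is stored in cmd_ctx->domname without being matched against the configured domains in this hunk, whereas the replaced sss_parse_name_for_domains call resolved the name against cctx->rctx->domains; the code that consumes cmd_ctx->domname is outside the hunk, so if it does not reject unknown domains a client-chosen string reaches the domain lookup. A comment above the new `if (cmd_ctx->is_user && cmd_ctx->domname == NULL)` block would make that contract explicit, e.g. `/* A domname set by sss_parse_name comes straight from the request and still has to be matched against the configured domains. */`. The fallback parse logs the same `Invalid name received [%s]` text as the first parse; a distinct message such as `("Invalid name received [%s], no matching domain\n", name)` would show which step rejected the request. The enclosing function starts and ends outside the hunk.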
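Review bot: The new `is_user` member of struct ssh_cmd_ctx and the new `snctx` member of struct ssh_ctx carry no comment, and `is_user` alone does not convey that it decides whether ssh_cmd_parse_request falls back to domain-aware parsing. Suggest `bool is_user; /* true for a user key request, false for a host key request */` and `struct sss_names_ctx *snctx; /* parser for the user@domain form of request names */`.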