summaryrefslogtreecommitdiff
path: root/src/responder/ssh
diff options
context:
space:
mode:
authorJan Cholasta <jcholast@redhat.com>2013-04-26 10:45:42 +0200
committerJakub Hrozek <jhrozek@redhat.com>2013-05-07 14:23:51 +0200
commit28e55560008f21a532b103b3f612c6fca2a54d76 (patch)
treea32c61fc482cfbe873c2682cc5e7fce8a7868f2e /src/responder/ssh
parent728b10c81204929be5669c1e67bd086e09c47c00 (diff)
downloadsssd-28e55560008f21a532b103b3f612c6fca2a54d76.tar.gz
sssd-28e55560008f21a532b103b3f612c6fca2a54d76.tar.bz2
sssd-28e55560008f21a532b103b3f612c6fca2a54d76.zip
SSH: Use separate field for domain name in client requests
Instead of appending @domain to names when the --domain option of sss_ssh_* is used, put domain name in a separate field in client requests.
Diffstat (limited to 'src/responder/ssh')
-rw-r--r--src/responder/ssh/sshsrv_cmd.c91
1 files changed, 64 insertions, 27 deletions
diff --git a/src/responder/ssh/sshsrv_cmd.c b/src/responder/ssh/sshsrv_cmd.c
index 374abe6c..d2f889fa 100644
--- a/src/responder/ssh/sshsrv_cmd.c
+++ b/src/responder/ssh/sshsrv_cmd.c
@@ -685,12 +685,14 @@ ssh_cmd_parse_request(struct ssh_cmd_ctx *cmd_ctx)
uint32_t name_len;
char *name;
uint32_t alias_len;
- char *alias;
+ char *alias = NULL;
+ uint32_t domain_len;
+ char *domain = cctx->rctx->default_domain;
sss_packet_get_body(cctx->creq->in, &body, &body_len);
SAFEALIGN_COPY_UINT32_CHECK(&flags, body+c, body_len, &c);
- if (flags > 1) {
+ if (flags & ~(uint32_t)SSS_SSH_REQ_MASK) {
DEBUG(SSSDBG_CRIT_FAILURE, ("Invalid flags received [0x%x]\n", flags));
return EINVAL;
}
@@ -709,28 +711,7 @@ ssh_cmd_parse_request(struct ssh_cmd_ctx *cmd_ctx)
}
c += name_len;
- ret = sss_parse_name(cmd_ctx, ssh_ctx->snctx, name,
- &cmd_ctx->domname, &cmd_ctx->name);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, ("Invalid name received [%s]\n", name));
- return ENOENT;
- }
-
- if (cmd_ctx->is_user && cmd_ctx->domname == NULL) {
- name = cmd_ctx->name;
-
- ret = sss_parse_name_for_domains(cmd_ctx, cctx->rctx->domains,
- cctx->rctx->default_domain, name,
- &cmd_ctx->domname,
- &cmd_ctx->name);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE,
- ("Invalid name received [%s]\n", name));
- return ENOENT;
- }
- }
-
- if (flags & 1) {
+ if (flags & SSS_SSH_REQ_ALIAS) {
SAFEALIGN_COPY_UINT32_CHECK(&alias_len, body+c, body_len, &c);
if (alias_len == 0 || alias_len > body_len - c) {
DEBUG(SSSDBG_CRIT_FAILURE, ("Invalid alias length\n"));
@@ -744,11 +725,67 @@ ssh_cmd_parse_request(struct ssh_cmd_ctx *cmd_ctx)
return EINVAL;
}
c += alias_len;
+ }
- if (strcmp(cmd_ctx->name, alias) != 0) {
- cmd_ctx->alias = talloc_strdup(cmd_ctx, alias);
- if (!cmd_ctx->alias) return ENOMEM;
+ if (flags & SSS_SSH_REQ_DOMAIN) {
+ SAFEALIGN_COPY_UINT32_CHECK(&domain_len, body+c, body_len, &c);
+ if (domain_len > 0) {
+ if (domain_len > body_len - c) {
+ DEBUG(SSSDBG_CRIT_FAILURE, ("Invalid domain length\n"));
+ return EINVAL;
+ }
+
+ domain = (char *)(body+c);
+ if (!sss_utf8_check((const uint8_t *)domain, domain_len-1) ||
+ domain[domain_len-1] != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ ("Domain is not valid UTF-8 string\n"));
+ return EINVAL;
+ }
+ c += domain_len;
}
+
+ DEBUG(SSSDBG_TRACE_FUNC,
+ ("Requested domain [%s]\n", domain ? domain : "<ALL>"));
+ } else {
+ DEBUG(SSSDBG_TRACE_FUNC, ("Splitting domain from name [%s]\n", name));
+
+ ret = sss_parse_name(cmd_ctx, ssh_ctx->snctx, name,
+ &cmd_ctx->domname, &cmd_ctx->name);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, ("Invalid name received [%s]\n", name));
+ return ENOENT;
+ }
+
+ name = cmd_ctx->name;
+ }
+
+ if (cmd_ctx->is_user && cmd_ctx->domname == NULL) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ ("Parsing name [%s][%s]\n", name, domain ? domain : "<ALL>"));
+
+ ret = sss_parse_name_for_domains(cmd_ctx, cctx->rctx->domains,
+ domain, name,
+ &cmd_ctx->domname,
+ &cmd_ctx->name);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ ("Invalid name received [%s]\n", name));
+ return ENOENT;
+ }
+ } else if (cmd_ctx->name == NULL && cmd_ctx->domname == NULL) {
+ cmd_ctx->name = talloc_strdup(cmd_ctx, name);
+ if (!cmd_ctx->name) return ENOMEM;
+
+ if (domain != NULL) {
+ cmd_ctx->domname = talloc_strdup(cmd_ctx, domain);
+ if (!cmd_ctx->domname) return ENOMEM;
+ }
+ }
+
+ if (alias != NULL && strcmp(cmd_ctx->name, alias) != 0) {
+ cmd_ctx->alias = talloc_strdup(cmd_ctx, alias);
+ if (!cmd_ctx->alias) return ENOMEM;
}
return EOK;