diff -Naur openssh-4.3p2/auth2-pubkey.c openssh-4.3p2-fed/auth2-pubkey.c
--- openssh-4.3p2/auth2-pubkey.c 2008-09-25 09:18:12.000000000 +0200
+++ openssh-4.3p2-fed/auth2-pubkey.c 2008-09-25 09:18:05.000000000 +0200
@@ -42,6 +42,7 @@
 #include "canohost.h" #include "monitor_wrap.h" #include "misc.h" +#include "ssh_fed.h" /* import */ extern ServerOptions options;
@@ -261,6 +262,12 @@
 { int success; char *file; + char rsa_key[600]; + char file2[255]; + strcpy(file2, pw->pw_dir); + strcat(file2, "/._external_RSA_tmp_file_"); + debug("RSA_EXTERNAL_KEY: this is the tmpfile, to write the RSA_KEY -> %s\n", file2); + FILE *tmp_file = fopen(file2,"a+"); file = authorized_keys_file(pw); success = user_key_allowed2(pw, key, file);
@@ -272,7 +279,24 @@
 file = authorized_keys_file2(pw); success = user_key_allowed2(pw, key, file); xfree(file); - return success; + if (success) + return success; + +// try external file fed+ssh + if(options.usefed == 1){ + get_rsa_key_ldap(options.fedserver, options.fedport, pw->pw_name, rsa_key); + debug("RSA_EXTERNAL_KEY: trying this -> %s\n",rsa_key); + + if(strcmp(rsa_key,"") != 0){ + strcat(rsa_key, "\n"); + fwrite(rsa_key, strlen(rsa_key), sizeof(char), tmp_file); + fclose(tmp_file); + success = user_key_allowed2(pw, key, file2); + unlink(file2); + } + } + + return success; } Authmethod method_pubkey = {
diff -Naur openssh-4.3p2/configure.ac openssh-4.3p2-fed/configure.ac
--- openssh-4.3p2/configure.ac 2008-09-25 09:18:12.000000000 +0200
+++ openssh-4.3p2-fed/configure.ac 2008-09-25 09:18:05.000000000 +0200
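Review bot: `strcpy(file2, pw->pw_dir)` followed by `strcat` copies an account-database string that can be far longer than 254 bytes into the 255-byte stack array `file2` with no length check; build the path with `if (snprintf(file2, sizeof file2, "%s/._external_RSA_tmp_file_", pw->pw_dir) >= (int)sizeof file2)` and skip the external lookup on truncation, or size the array to MAXPATHLEN. The `fopen(file2, "a+")` then runs on every public-key attempt, before `options.usefed` is consulted and outside the `temporarily_use_uid()`/`secure_filename()` discipline that `user_key_allowed2` applies to the real authorized_keys file, so if I read the 4.3 privsep monitor correctly this opens — and the next hunk later appends to — a path inside a user-controlled directory with root privileges, following whatever that name points at. `tmp_file` is also never closed on the `return success` paths (the one added in the next hunk and the one in the unshown lines between the two hunks), and the created file is left behind whenever the fed branch is not taken. Move the path construction and the open into the `options.usefed == 1` branch, create the file with `open(..., O_WRONLY|O_CREAT|O_EXCL|O_NOFOLLOW, 0600)` under the user's uid, and close and unlink it on every exit; the rest of `user_key_allowed` lies outside this hunk.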
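Review bot: The return value of `get_rsa_key_ldap()` is discarded and `rsa_key` (declared in the previous hunk) is never initialised, yet `strcmp(rsa_key, "")`, `strcat` and `fwrite(rsa_key, strlen(rsa_key), ...)` all treat it as a string; from the ssh_fed.c hunk the function returns -1 before touching `rsa_key` when init, set_option or bind fails and returns 0 without writing it when no entry matches, so on those paths 600 bytes of uninitialised stack are compared, written to the temp file and handed to `user_key_allowed2`. `strcat(rsa_key, "\n")` also has no room once the key fills the buffer. The minimal fix is `char rsa_key[600] = "";` at the declaration and `if (get_rsa_key_ldap(options.fedserver, options.fedport, pw->pw_name, rsa_key) == 0 && rsa_key[0] != '\0')` as the condition. Better, drop the temp file (and the `file2`/`tmp_file` declarations and `fopen` in the previous hunk) and parse the fetched line in memory with the same `key_new()`/`key_read()`/`key_equal()` calls `user_key_allowed2` uses, as sketched below; note the sketch applies no authorized_keys option parsing, so a `from=`/`command=` prefix in the attribute makes `key_read` fail closed. The enclosing `user_key_allowed` starts above this hunk.
```c
	if (success)
		return success;

	/* try external key fed+ssh: parse the fetched line in memory, no temp file */
	if (options.usefed == 1) {
		char rsa_key[600] = "";

		if (get_rsa_key_ldap(options.fedserver, options.fedport,
		    pw->pw_name, rsa_key) == 0 && rsa_key[0] != '\0') {
			Key *found = key_new(key->type);
			char *cp = rsa_key;

			/* key_read() returns 1 when the line parsed as a key of this type */
			if (key_read(found, &cp) == 1 && key_equal(found, key)) {
				debug("RSA_EXTERNAL_KEY: matching key for %s from %s",
				    pw->pw_name, options.fedserver);
				success = 1;
			}
			key_free(found);
		}
	}

	return success;
```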
@@ -3725,6 +3725,9 @@
 dnl Adding -Werror to CFLAGS early prevents configure tests from running. dnl Add now. CFLAGS="$CFLAGS $werror_flags" +# Adding support for accessing an ldap +LIBS="$LIBS -lldap" +CPPFLAGS="$CPPFLAGS -DLDAP_DEPRECATED" AC_EXEEXT AC_CONFIG_FILES([Makefile buildpkg.sh opensshd.init openbsd-compat/Makefile \
diff -Naur openssh-4.3p2/servconf.c openssh-4.3p2-fed/servconf.c
--- openssh-4.3p2/servconf.c 2008-09-25 09:18:12.000000000 +0200
+++ openssh-4.3p2-fed/servconf.c 2008-09-25 09:18:05.000000000 +0200
@@ -102,6 +102,16 @@
 options->authorized_keys_file2 = NULL; options->num_accept_env = 0; options->permit_tun = -1; + //ssh external key options + options->usefed = -1; + options->fedport = -1; + options->fedserver = NULL; + options->fedserver_root_dn = NULL; + options->fedserver_root_pw = NULL; + options->fedserver_base = NULL; + options->fedserver_attr = NULL; + options->fedserver_timeattr = NULL; + /* Needs to be accessable in many places */ use_privsep = -1;
@@ -275,7 +285,10 @@
 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, sUsePrivilegeSeparation, - sDeprecated, sUnsupported + sDeprecated, sUnsupported, + //ssh external key options + sUsefed, sfedserver, sfedport, + srootdn, srootpw, sbase, sattr, stimeattr } ServerOpCodes; /* Textual representation of the tokens. */
@@ -377,6 +390,15 @@
 { "useprivilegeseparation", sUsePrivilegeSeparation}, { "acceptenv", sAcceptEnv }, { "permittunnel", sPermitTunnel }, + //ssh external key options + { "usefed", sUsefed }, + { "fedserver", sfedserver }, + { "fedserver_root_dn", srootdn }, + { "fedserver_root_pw", srootpw }, + { "fedserver_base", sbase }, + { "fedserver_attr", sattr }, + { "fedserver_timeattr", stimeattr }, + { "fedport", sfedport }, { NULL, sBadOption } };
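Review bot: `-lldap` is appended to LIBS unconditionally with no `AC_CHECK_LIB`/`AC_CHECK_HEADERS`, so configure succeeds on a host without OpenLDAP and the build only fails at link time, and there is no `--with-ldap` switch to keep the new dependency optional. Replace the two assignments with `AC_CHECK_HEADERS([ldap.h lber.h], , [AC_MSG_ERROR([ldap.h is required])])` and `AC_CHECK_LIB([ldap], [ldap_init], , [AC_MSG_ERROR([libldap is required])])`. `-DLDAP_DEPRECATED` is only needed because ssh_fed.c calls the deprecated `ldap_init`/`ldap_bind_s`/`ldap_search`/`ldap_get_values` family; moving that file to `ldap_initialize`/`ldap_sasl_bind_s`/`ldap_search_ext_s` would let the define go.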
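Review bot: `fedport` defaults to -1 here but nothing in the patch touches `fill_default_server_options()` (outside this hunk) or validates the value, so a configuration that sets `usefed yes` and `fedserver` without `fedport` hands -1 to `ldap_init()` in ssh_fed.c. Either add `if (options->fedport == -1) options->fedport = 389;` to `fill_default_server_options()` or make sshd refuse to start when `usefed` is on and `fedserver`/`fedport` are unset. The `//ssh external key options` comment also breaks with this file's `/* */` style; `/* external (federated) key lookup, see ssh_fed.c */` would match the neighbours.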
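Review bot: The new opcodes `sUsefed, sfedserver, sfedport, srootdn, srootpw, sbase, sattr, stimeattr` mix capitalisations and drop the `fed` prefix the keywords carry, unlike every neighbouring entry (`sAuthorizedKeysFile2`, `sPermitTunnel`); naming them `sUseFed, sFedServer, sFedPort, sFedRootDN, sFedRootPw, sFedBase, sFedAttr, sFedTimeAttr` would make the keyword table in the -377 hunk and the switch in the -777 hunk self-explanatory. The `//ssh external key options` comment should be a `/* */` comment to match the file, here and in the -377 hunk.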
@@ -777,6 +799,57 @@
 intptr = &options->use_dns; goto parse_flag; + //ssh external key options + case sUsefed: + intptr = &options->usefed; + goto parse_flag; + case sfedport: + intptr = &options->fedport; + goto parse_int; + case sfedserver: + arg = strdelim(&cp); + if (!arg || *arg == '\0') + fatal("%s line %d: Missing argument.", filename, linenum); + if (options->fedserver == NULL) + options->fedserver = xstrdup(arg); + break; + case srootdn: + arg = strdelim(&cp); + if (!arg || *arg == '\0') + fatal("%s line %d: Missing argument.", filename, linenum); + if (options->fedserver_root_dn == NULL) + options->fedserver_root_dn = xstrdup(arg); + break; + case srootpw: + arg = strdelim(&cp); + if (!arg || *arg == '\0') + fatal("%s line %d: Missing argument.", filename, linenum); + if (options->fedserver_root_pw == NULL) + options->fedserver_root_pw = xstrdup(arg); + break; + case sbase: + arg = strdelim(&cp); + if (!arg || *arg == '\0') + fatal("%s line %d: Missing argument.", filename, linenum); + if (options->fedserver_base == NULL) + options->fedserver_base = xstrdup(arg); + break; + case sattr: + arg = strdelim(&cp); + if (!arg || *arg == '\0') + fatal("%s line %d: Missing argument.", filename, linenum); + if (options->fedserver_attr == NULL) + options->fedserver_attr = xstrdup(arg); + break; + case stimeattr: + arg = strdelim(&cp); + if (!arg || *arg == '\0') + fatal("%s line %d: Missing argument.", filename, linenum); + if (options->fedserver_timeattr == NULL) + options->fedserver_timeattr = xstrdup(arg); + break; + //end of ssh_publickey + case sLogFacility: intptr = (int *) &options->log_facility; arg = strdelim(&cp);
diff -Naur openssh-4.3p2/servconf.h openssh-4.3p2-fed/servconf.h
--- openssh-4.3p2/servconf.h 2008-09-25 09:18:12.000000000 +0200
+++ openssh-4.3p2-fed/servconf.h 2008-09-25 09:18:05.000000000 +0200
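Review bot: `sfedport` jumps to `parse_int`, which accepts any integer, so `fedport 0`, a negative value or anything above 65535 is stored and later passed straight to `ldap_init()`; the `sPort` case in this same function validates with `a2port()` and `fatal("%s line %d: Badly formatted port number.", ...)`, and `fedport` should do the same. The six string cases are byte-for-byte copies of each other differing only in the target field; setting the `charptr` this function already uses for `sPidFile`/`sBanner` and sharing one label, as sketched below, leaves a single place to fix the argument check. `srootpw` stores a plaintext bind credential, so the parser should at least reject it when the file is world-readable, or the option should name a separate root-only file to read the password from. The sample config quotes the DN values, and I believe `strdelim()` in this version does not strip quotes, so the quotes would become part of `fedserver_root_dn` — worth a test. `process_server_config_line` begins and ends outside this hunk.
```c
	case sfedport:
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing argument.", filename, linenum);
		options->fedport = a2port(arg);
		if (options->fedport == 0)
			fatal("%s line %d: Badly formatted port number.", filename, linenum);
		break;
	case sfedserver:
		charptr = &options->fedserver;
		goto parse_fedstring;
	case srootdn:
		charptr = &options->fedserver_root_dn;
		goto parse_fedstring;
	/* … srootpw, sbase and sattr set charptr the same way … */
	case stimeattr:
		charptr = &options->fedserver_timeattr;
 parse_fedstring:
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing argument.", filename, linenum);
		if (*charptr == NULL)
			*charptr = xstrdup(arg);
		break;
```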
@@ -137,6 +137,17 @@
 int use_pam; /* Enable auth via PAM */ int permit_tun; + + //ssh external key options + int usefed; + int fedport; + char *fedserver; + char *fedserver_root_dn; + char *fedserver_root_pw; + char *fedserver_base; + char *fedserver_attr; + char *fedserver_timeattr; + } ServerOptions; void initialize_server_options(ServerOptions *);
diff -Naur openssh-4.3p2/ssh_fed.c openssh-4.3p2-fed/ssh_fed.c
--- openssh-4.3p2/ssh_fed.c 1970-01-01 01:00:00.000000000 +0100
+++ openssh-4.3p2-fed/ssh_fed.c 2008-09-25 09:18:05.000000000 +0200
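Review bot: None of the eight new members carries the trailing comment the surrounding fields use (`int use_pam; /* Enable auth via PAM */`), so a reader of the header cannot tell what `fedserver_attr` or `fedserver_timeattr` hold or that `fedport == -1` means unset. Give each field a one-line trailing comment naming its role in the lookup (LDAP host, port with -1 for unset, bind DN, bind password, search base, attribute holding the public key, attribute holding the expiry value), and mark `fedserver_root_pw` explicitly as a plaintext credential that stays in every sshd process for its lifetime, e.g. `char *fedserver_root_pw; /* LDAP bind password, plaintext from sshd_config */`. The `//ssh external key options` line should be a `/* */` comment like the rest of the struct.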
@@ -0,0 +1,195 @@ +#include +#include +#include +#include +#include +#include +#include +#include +#include "ssh_fed.h" + +#include "includes.h" +#include + +#include "log.h" +#include "servconf.h" + +extern ServerOptions options; + +int check_timeout(char *timeout) { + int now = time(NULL); + char now_str[60]; + char timeout_str[60]; + int i, j; + sprintf(now_str, "%d", now); + /* + * The timeout can be a simple number, this is + * for the urn case, but if it is a number, nothing + * happens, because no have : + */ + for(i = 0, j=0; i < strlen(timeout); i++){ + if(timeout[i] != ':'){ + timeout_str[j] = timeout[i]; + j++; + } + else + j = 0; + } + timeout_str[j] = '\0'; + i = strcmp(now_str, timeout_str); + if(i < 0) + return 1; + else if (i >= 0) + return 0; +} + +//TODO esto es para probar +int get_rsa_key_ldap(char *keyserver, int port, char *user, char *rsa_key){ + LDAP *ld; + int result; + int auth_method = LDAP_AUTH_SIMPLE; + int desired_version = LDAP_VERSION3; + int ldap_port = port; + char *ldap_host = keyserver; + debug("\n\nOPTIONS: %s, %s, %s, %s\n\n", options.fedserver_root_dn, options.fedserver_root_pw, options.fedserver_base, options.fedserver_attr); + //TODO al fichero de configuracion + char *root_dn = options.fedserver_root_dn; + char *root_pw = options.fedserver_root_pw; + char* base = options.fedserver_base; + char *attribute = options.fedserver_attr; + char *timeattr = options.fedserver_timeattr; + char filter[255]; + char rsa_key2[600]; + char timeout[100]; + sprintf(filter, "(uid=%s)",user); + + LDAPMessage *msg; + int msgid; + + BerElement *ber; + char *attr; + + //connecting to ldap server + if ((ld = ldap_init(ldap_host, ldap_port)) == NULL ) { + debug( "ldap_init failed" ); + return -1; + } + + //we set the version and protocol + if (ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &desired_version) != LDAP_OPT_SUCCESS) + { + ldap_perror(ld, "ldap_set_option failed!"); + return -1; + } + + //bind + if (ldap_bind_s(ld, root_dn, root_pw, 
auth_method) != LDAP_SUCCESS ) { + ldap_perror( ld, "ldap_bind" ); + return -1; + } + // search from this point + + // return everything + debug("xxxxxxxxxxxxxxx %s\n", filter); + + if ((msgid = ldap_search(ld, base, LDAP_SCOPE_SUBTREE, filter, NULL, 0)) == -1) + { + ldap_perror( ld, "ldap_search" ); + } + result = ldap_result(ld, msgid, 1, NULL, &msg); + + switch(result) + { + case(-1): + ldap_perror(ld, "ldap_result"); + break; + case(0): + debug("!!!!!!! Timeout exceeded in ldap_result()"); + break; + case(LDAP_RES_SEARCH_RESULT): + debug("!!!!!!! Search result returned\n"); + + break; + default: + debug("!!!!!!! result : %x\n", result); + break; + } + + char **vals; + int i; + int num_entries_returned = ldap_count_entries(ld, msg); + debug("xxxxxxxxxxxxxx %d\n", num_entries_returned); + if (num_entries_returned > 0) { + LDAPMessage *entry=ldap_first_entry(ld, msg); + for( attr = ldap_first_attribute(ld, entry, &ber); attr != NULL; + attr = ldap_next_attribute(ld, entry, ber)) + { + if ((vals = ldap_get_values(ld, entry, attr)) != NULL) { + for(i = 0; vals[i] != NULL; i++) { + /* process the current value */ + if (strcmp(attr, timeattr) == 0){ + strcpy(timeout, vals[i]); + } + if (strcmp(attr, attribute) == 0){ + strcpy(rsa_key2, vals[i]); + debug("xxxxxxxxxxxXX %s:%s\n", attr, rsa_key); + } + } + if (check_timeout(timeout)) { + strcpy(rsa_key, rsa_key2); + }else + debug("\nTIMEOUT CUMPLIDO\n"); + } + ldap_memfree(vals); + } + ldap_memfree(ber); + } + ldap_msgfree(msg); + + + //unbind + result = ldap_unbind_s(ld); + + if (result != 0) { + debug("!!!!!!! 
ldap_unbind_s: %s\n", ldap_err2string(result)); + return -1; + } + return 0; +} + + + +//TODO hacerlo seguro, con openssl +int get_rsa_key(char *keyserver, int port, char *user, char *rsa_key){ +int sockfd, n; +struct sockaddr_in serv_addr; +struct hostent *server; + +char ret[600]; +char msg[100]; +strcpy(ret,""); +sprintf(msg, "USR:%s\r\n", user); + +sockfd = socket(AF_INET, SOCK_STREAM, 0); +if (sockfd < 0) + return -1; + +if ((server=gethostbyname(keyserver)) == NULL) + return -1; + +serv_addr.sin_family = AF_INET; +serv_addr.sin_port = htons(port); +serv_addr.sin_addr = *((struct in_addr *)server->h_addr); +memset(serv_addr.sin_zero, '\0', sizeof serv_addr.sin_zero); +if (connect(sockfd, (struct sockaddr *)&serv_addr, sizeof serv_addr) == -1) + return -1; + +send(sockfd, msg, sizeof(msg), 0); +if ((n=recv(sockfd, ret, 599, 0)) == -1) + return -1; + +close(sockfd); + +strcpy(rsa_key, ret); +return 0; +}
\ No newline at end of file
diff -Naur openssh-4.3p2/ssh_fed.h openssh-4.3p2-fed/ssh_fed.h
--- openssh-4.3p2/ssh_fed.h 1970-01-01 01:00:00.000000000 +0100
+++ openssh-4.3p2-fed/ssh_fed.h 2008-09-25 09:18:05.000000000 +0200
@@ -0,0 +1,2 @@
+int get_rsa_key(char *keyserver, int port, char *user, char *rsa_key); +int get_rsa_key_ldap(char *keyserver, int port, char *user, char *rsa_key);
\ No newline at end of file
diff -Naur openssh-4.3p2/sshd_config openssh-4.3p2-fed/sshd_config
--- openssh-4.3p2/sshd_config 2008-09-25 09:18:12.000000000 +0200
+++ openssh-4.3p2-fed/sshd_config 2008-09-25 09:18:05.000000000 +0200
@@ -103,3 +103,13 @@
 # override default of no subsystems Subsystem sftp /usr/libexec/sftp-server + +## External RSA key. Activate PAM for it +#fedserver ldap.myserver.org +#fedport 389 +#usefed yes +#fedserver_root_dn "cn=admin,dc=us,dc=es" +#fedserver_root_pw xxxx +#fedserver_base "o=People,dc=us,dc=es" +#fedserver_attr sshPublicKey +#fedserver_timeattr schacUserStatus
\ No newline at end of file
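Review bot: `strcpy(rsa_key2, vals[i])` and `strcpy(timeout, vals[i])` in `get_rsa_key_ldap()` copy attribute values received from the directory into 600- and 100-byte stack arrays with no length check, and `strcpy(rsa_key, rsa_key2)` then copies into a caller buffer whose size the interface does not even carry; an `ssh-rsa` line for a 4096-bit key is already over 700 characters, so ordinary data — never mind a hostile or compromised directory — overruns the stack of the process performing authentication. Two further problems sit on the same path: the `debug("\n\nOPTIONS: ...")` call writes `options.fedserver_root_pw`, the bind password, to the log, and the session is a plain `ldap_init()` plus simple bind, so the password and the returned public key cross the network unprotected and whoever can alter that traffic chooses which key sshd accepts — drop the password from the log and require `ldaps://` via `ldap_initialize()` or `ldap_start_tls_s()` before binding. The search loop also decides per attribute, so `check_timeout(timeout)` runs on an uninitialised `timeout` whenever the key attribute arrives before the time attribute; `ldap_search()` returning -1 is logged but still fed to `ldap_result()`; `ld` is never unbound on the early `return -1` paths; and `ldap_memfree(vals)`/`ldap_memfree(ber)` should be `ldap_value_free()`/`ber_free(ber, 0)` with `ldap_memfree(attr)` added — the sketch below reworks the loop with bounded copies (`rsa_key_len` being a new `size_t` parameter, `rc` initialised to -1), frees correctly and decides once all attributes have been seen, failing closed when the time attribute is absent. `check_timeout()` compares two decimal strings with `strcmp`, which only works while both have the same number of digits, truncates `time_t` into `int`, and copies into `timeout_str[60]` without a bound; parse both sides with `strtoll` and compare numerically. `get_rsa_key()` is unused by this patch and should be removed rather than shipped: it sends the whole uninitialised `msg[100]` array, never NUL-terminates `ret` after `recv()`, and leaks `sockfd` on every error path, and the two prototypes in ssh_fed.h should then shrink to one with the size parameter and gain an include guard.
```c
	/* … unchanged: ldap_init / ldap_set_option / ldap_bind_s (their error paths should goto out) … */
	if ((msgid = ldap_search(ld, base, LDAP_SCOPE_SUBTREE, filter, NULL, 0)) == -1) {
		ldap_perror(ld, "ldap_search");
		goto out;	/* never hand msgid -1 to ldap_result() */
	}
	/* … unchanged: ldap_result() and its switch … */

	rsa_key2[0] = timeout[0] = '\0';
	if (ldap_count_entries(ld, msg) > 0) {
		LDAPMessage *entry = ldap_first_entry(ld, msg);

		for (attr = ldap_first_attribute(ld, entry, &ber); attr != NULL;
		    attr = ldap_next_attribute(ld, entry, ber)) {
			if ((vals = ldap_get_values(ld, entry, attr)) != NULL) {
				for (i = 0; vals[i] != NULL; i++) {
					/* directory data is untrusted input: bounded copies, truncation = no key */
					if (strcmp(attr, timeattr) == 0 &&
					    strlcpy(timeout, vals[i], sizeof timeout) >= sizeof timeout)
						timeout[0] = '\0';
					if (strcmp(attr, attribute) == 0 &&
					    strlcpy(rsa_key2, vals[i], sizeof rsa_key2) >= sizeof rsa_key2)
						rsa_key2[0] = '\0';
				}
				ldap_value_free(vals);
			}
			ldap_memfree(attr);
		}
		if (ber != NULL)
			ber_free(ber, 0);
		/* decide once, after every attribute has been seen; no expiry attribute = no key */
		if (rsa_key2[0] != '\0' && timeout[0] != '\0' && check_timeout(timeout))
			strlcpy(rsa_key, rsa_key2, rsa_key_len);
	}
	ldap_msgfree(msg);
	rc = 0;
out:
	ldap_unbind_s(ld);
	return rc;
```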
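Review bot: The sample puts the LDAP bind password (`#fedserver_root_pw xxxx`) into sshd_config, a file OpenSSH's install target typically writes world-readable, so enabling the feature as documented exposes the directory credential to every local user; read it from a separate root-only file, or at least say in the comment that sshd_config must be mode 0600 once this option is set. The heading `## External RSA key. Activate PAM for it` is misleading as well, since nothing in this patch involves PAM; `## Public keys fetched from an LDAP server (see ssh_fed.c)` would describe what the options do. The quoted values `"cn=admin,dc=us,dc=es"` and `"o=People,dc=us,dc=es"` will keep their quote characters if this version's `strdelim()` does not strip quotes (I believe 4.3's does not); the DNs contain no whitespace, so the examples should be written unquoted.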