diff options
Diffstat (limited to 'src/responder/ssh/sshsrv_cmd.c')
| -rw-r--r-- | src/responder/ssh/sshsrv_cmd.c | 54 |
1 files changed, 43 insertions, 11 deletions
diff --git a/src/responder/ssh/sshsrv_cmd.c b/src/responder/ssh/sshsrv_cmd.c index 483358791..f630e5f03 100644 --- a/src/responder/ssh/sshsrv_cmd.c +++ b/src/responder/ssh/sshsrv_cmd.c @@ -27,6 +27,7 @@ #include "util/util.h" #include "util/crypto/sss_crypto.h" #include "util/sss_ssh.h" +#include "util/cert.h" #include "db/sysdb.h" #include "db/sysdb_ssh.h" #include "providers/data_provider.h" @@ -219,7 +220,8 @@ static errno_t ssh_user_pubkeys_search_next(struct ssh_cmd_ctx *cmd_ctx) { errno_t ret; - const char *attrs[] = { SYSDB_NAME, SYSDB_SSH_PUBKEY, NULL }; + const char *attrs[] = { SYSDB_NAME, SYSDB_SSH_PUBKEY, SYSDB_USER_CERT, + NULL }; struct ldb_result *res; DEBUG(SSSDBG_TRACE_FUNC, @@ -794,6 +796,8 @@ ssh_cmd_parse_request(struct ssh_cmd_ctx *cmd_ctx) static errno_t decode_and_add_base64_data(struct ssh_cmd_ctx *cmd_ctx, struct ldb_message_element *el, + bool cert_data, + struct ssh_ctx *ssh_ctx, size_t fqname_len, const char *fqname, size_t *c) @@ -819,12 +823,22 @@ static errno_t decode_and_add_base64_data(struct ssh_cmd_ctx *cmd_ctx, } for (d = 0; d < el->num_values; d++) { - key = sss_base64_decode(tmp_ctx, (const char *) el->values[d].data, - &key_len); - if (key == NULL) { - DEBUG(SSSDBG_OP_FAILURE, "sss_base64_decode failed.\n"); - ret = ENOMEM; - goto done; + if (cert_data) { + ret = cert_to_ssh_key(tmp_ctx, ssh_ctx->ca_db, + el->values[d].data, el->values[d].length, + &key, &key_len); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "cert_to_ssh_key failed.\n"); + return ret; + } + } else { + key = sss_base64_decode(tmp_ctx, (const char *) el->values[d].data, + &key_len); + if (key == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "sss_base64_decode failed.\n"); + ret = ENOMEM; + goto done; + } } ret = sss_packet_grow(cctx->creq->out, @@ -862,10 +876,13 @@ ssh_cmd_build_reply(struct ssh_cmd_ctx *cmd_ctx) struct ldb_message_element *el = NULL; struct ldb_message_element *el_override = NULL; struct ldb_message_element *el_orig = NULL; + struct ldb_message_element *el_user_cert = NULL; uint32_t count = 0; const char *name; char *fqname; uint32_t fqname_len; + struct ssh_ctx *ssh_ctx = talloc_get_type(cctx->rctx->pvt_ctx, + struct ssh_ctx); ret = sss_packet_new(cctx->creq, 0, sss_packet_get_cmd(cctx->creq->in), @@ -893,6 +910,12 @@ ssh_cmd_build_reply(struct ssh_cmd_ctx *cmd_ctx) } } + el_user_cert = ldb_msg_find_element(cmd_ctx->result, SYSDB_USER_CERT); + if (el_user_cert) { + /* TODO check if cert is valid */ + count += el_user_cert->num_values; + } + ret = sss_packet_grow(cctx->creq->out, 2*sizeof(uint32_t)); if (ret != EOK) { return ret; @@ -922,20 +945,29 @@ ssh_cmd_build_reply(struct ssh_cmd_ctx *cmd_ctx) fqname_len = strlen(fqname)+1; - ret = decode_and_add_base64_data(cmd_ctx, el, fqname_len, fqname, &c); + ret = decode_and_add_base64_data(cmd_ctx, el, false, ssh_ctx, + fqname_len, fqname, &c); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "decode_and_add_base64_data failed.\n"); + return ret; + } + + ret = decode_and_add_base64_data(cmd_ctx, el_orig, false, ssh_ctx, + fqname_len, fqname, &c); if (ret != EOK) { DEBUG(SSSDBG_OP_FAILURE, "decode_and_add_base64_data failed.\n"); return ret; } - ret = decode_and_add_base64_data(cmd_ctx, el_orig, fqname_len, fqname, &c); + ret = decode_and_add_base64_data(cmd_ctx, el_override, false, ssh_ctx, + fqname_len, fqname, &c); if (ret != EOK) { DEBUG(SSSDBG_OP_FAILURE, "decode_and_add_base64_data failed.\n"); return ret; } - ret = decode_and_add_base64_data(cmd_ctx, el_override, fqname_len, fqname, - &c); + ret = decode_and_add_base64_data(cmd_ctx, el_user_cert, true, ssh_ctx, + fqname_len, fqname, &c); if (ret != EOK) { DEBUG(SSSDBG_OP_FAILURE, "decode_and_add_base64_data failed.\n"); return ret; |