Diffstat (limited to 'src/responder')
-rw-r--r--src/responder/ssh/sshsrv.c9
-rw-r--r--src/responder/ssh/sshsrv_cmd.c54
-rw-r--r--src/responder/ssh/sshsrv_private.h1
3 files changed, 53 insertions, 11 deletions
diff --git a/src/responder/ssh/sshsrv.c b/src/responder/ssh/sshsrv.c
index 9439b9d89..d4e202d87 100644
--- a/src/responder/ssh/sshsrv.c
+++ b/src/responder/ssh/sshsrv.c
@@ -163,6 +163,15 @@ int ssh_process_init(TALLOC_CTX *mem_ctx,
goto fail;
}
+ ret = confdb_get_string(ssh_ctx->rctx->cdb, ssh_ctx,
+ CONFDB_SSH_CONF_ENTRY, CONFDB_SSH_CA_DB,
+ CONFDB_DEFAULT_SSH_CA_DB, &ssh_ctx->ca_db);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Error reading CA DB from confdb (%d) [%s]\n",
+ ret, strerror(ret));
+ goto fail;
+ }
+
ret = schedule_get_domains_task(rctx, rctx->ev, rctx, NULL);
if (ret != EOK) {
DEBUG(SSSDBG_FATAL_FAILURE, "schedule_get_domains_tasks failed.\n");
diff --git a/src/responder/ssh/sshsrv_cmd.c b/src/responder/ssh/sshsrv_cmd.c
index 483358791..f630e5f03 100644
--- a/src/responder/ssh/sshsrv_cmd.c
+++ b/src/responder/ssh/sshsrv_cmd.c
@@ -27,6 +27,7 @@
#include "util/util.h"
#include "util/crypto/sss_crypto.h"
#include "util/sss_ssh.h"
+#include "util/cert.h"
#include "db/sysdb.h"
#include "db/sysdb_ssh.h"
#include "providers/data_provider.h"
@@ -219,7 +220,8 @@ static errno_t
ssh_user_pubkeys_search_next(struct ssh_cmd_ctx *cmd_ctx)
{
errno_t ret;
- const char *attrs[] = { SYSDB_NAME, SYSDB_SSH_PUBKEY, NULL };
+ const char *attrs[] = { SYSDB_NAME, SYSDB_SSH_PUBKEY, SYSDB_USER_CERT,
+ NULL };
struct ldb_result *res;
DEBUG(SSSDBG_TRACE_FUNC,
@@ -794,6 +796,8 @@ ssh_cmd_parse_request(struct ssh_cmd_ctx *cmd_ctx)
static errno_t decode_and_add_base64_data(struct ssh_cmd_ctx *cmd_ctx,
struct ldb_message_element *el,
+ bool cert_data,
+ struct ssh_ctx *ssh_ctx,
size_t fqname_len,
const char *fqname,
size_t *c)
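Review bot: The two new parameters `cert_data` and `ssh_ctx` are undocumented, and the function has no header comment saying what they select. From the body later in this patch, `cert_data` switches the element's values from base64-decoded public keys to certificates converted via `cert_to_ssh_key()`, and `ssh_ctx` is only read for `ssh_ctx->ca_db`. I would add above the definition: `/* Append the values of 'el' to the reply packet. With cert_data == false each value is a base64 public key; with cert_data == true each value is a user certificate converted with cert_to_ssh_key() using ssh_ctx->ca_db. */`. The function body continues past the end of this hunk.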
@@ -819,12 +823,22 @@ static errno_t decode_and_add_base64_data(struct ssh_cmd_ctx *cmd_ctx,
}
for (d = 0; d < el->num_values; d++) {
- key = sss_base64_decode(tmp_ctx, (const char *) el->values[d].data,
- &key_len);
- if (key == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, "sss_base64_decode failed.\n");
- ret = ENOMEM;
- goto done;
+ if (cert_data) {
+ ret = cert_to_ssh_key(tmp_ctx, ssh_ctx->ca_db,
+ el->values[d].data, el->values[d].length,
+ &key, &key_len);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "cert_to_ssh_key failed.\n");
+ return ret;
+ }
+ } else {
+ key = sss_base64_decode(tmp_ctx, (const char *) el->values[d].data,
+ &key_len);
+ if (key == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "sss_base64_decode failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
}
ret = sss_packet_grow(cctx->creq->out,
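Review bot: The new certificate branch exits with `return ret;` on failure while the sibling base64 branch uses `goto done;`, so the two paths do not run the same cleanup. The `done:` label is outside this hunk, but given that `tmp_ctx` is passed to both decoders it presumably frees that talloc context, and the early return would skip it on every failed conversion. Change the error exit at the `cert_to_ssh_key` check to `goto done;` so it matches the existing path. Note also that the certificate bytes come straight from the user's directory entry, so `cert_to_ssh_key()` is parsing externally supplied data here; any failure from it is fatal for the whole reply (see the count handling in the next file section of this patch). The enclosing function starts and ends outside the hunk.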
@@ -862,10 +876,13 @@ ssh_cmd_build_reply(struct ssh_cmd_ctx *cmd_ctx)
struct ldb_message_element *el = NULL;
struct ldb_message_element *el_override = NULL;
struct ldb_message_element *el_orig = NULL;
+ struct ldb_message_element *el_user_cert = NULL;
uint32_t count = 0;
const char *name;
char *fqname;
uint32_t fqname_len;
+ struct ssh_ctx *ssh_ctx = talloc_get_type(cctx->rctx->pvt_ctx,
+ struct ssh_ctx);
ret = sss_packet_new(cctx->creq, 0,
sss_packet_get_cmd(cctx->creq->in),
@@ -893,6 +910,12 @@ ssh_cmd_build_reply(struct ssh_cmd_ctx *cmd_ctx)
}
}
+ el_user_cert = ldb_msg_find_element(cmd_ctx->result, SYSDB_USER_CERT);
+ if (el_user_cert) {
+ /* TODO check if cert is valid */
+ count += el_user_cert->num_values;
+ }
+
ret = sss_packet_grow(cctx->creq->out, 2*sizeof(uint32_t));
if (ret != EOK) {
return ret;
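Review bot: `count` is increased by `el_user_cert->num_values` before any certificate has been converted, and the conversion path added to `decode_and_add_base64_data()` returns an error rather than skipping a value it cannot handle, so a single malformed or unverifiable certificate in the user entry makes the whole request fail and hides the user's ordinary public keys as well. If that is the intended policy it should be stated next to the `/* TODO check if cert is valid */` comment; if invalid certificates are meant to be skipped (which the TODO suggests), the key count written to the packet has to be derived from the number of successfully converted values instead, which requires restructuring beyond this hunk. I would at least replace the TODO with `/* NOTE: every value counted here must convert successfully in decode_and_add_base64_data(), otherwise the reply is aborted */`. The enclosing function continues outside the hunk.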
@@ -922,20 +945,29 @@ ssh_cmd_build_reply(struct ssh_cmd_ctx *cmd_ctx)
fqname_len = strlen(fqname)+1;
- ret = decode_and_add_base64_data(cmd_ctx, el, fqname_len, fqname, &c);
+ ret = decode_and_add_base64_data(cmd_ctx, el, false, ssh_ctx,
+ fqname_len, fqname, &c);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "decode_and_add_base64_data failed.\n");
+ return ret;
+ }
+
+ ret = decode_and_add_base64_data(cmd_ctx, el_orig, false, ssh_ctx,
+ fqname_len, fqname, &c);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "decode_and_add_base64_data failed.\n");
return ret;
}
- ret = decode_and_add_base64_data(cmd_ctx, el_orig, fqname_len, fqname, &c);
+ ret = decode_and_add_base64_data(cmd_ctx, el_override, false, ssh_ctx,
+ fqname_len, fqname, &c);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "decode_and_add_base64_data failed.\n");
return ret;
}
- ret = decode_and_add_base64_data(cmd_ctx, el_override, fqname_len, fqname,
- &c);
+ ret = decode_and_add_base64_data(cmd_ctx, el_user_cert, true, ssh_ctx,
+ fqname_len, fqname, &c);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "decode_and_add_base64_data failed.\n");
return ret;
diff --git a/src/responder/ssh/sshsrv_private.h b/src/responder/ssh/sshsrv_private.h
index ebb30ce7c..beb8e18db 100644
--- a/src/responder/ssh/sshsrv_private.h
+++ b/src/responder/ssh/sshsrv_private.h
@@ -32,6 +32,7 @@ struct ssh_ctx {
bool hash_known_hosts;
int known_hosts_timeout;
+ char *ca_db;
};
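Review bot: The new `ca_db` member is added without a comment, and nothing in the header says where it comes from or who owns it. From the rest of this patch it is filled from the confdb `CONFDB_SSH_CA_DB` setting during `ssh_process_init()` (allocated on the `ssh_ctx` talloc context) and handed to `cert_to_ssh_key()` when converting user certificates; its exact meaning there is not visible in this diff. I would add on the line above it: `/* CA DB from CONFDB_SSH_CA_DB; passed to cert_to_ssh_key() for user certificates, talloc-owned by ssh_ctx */`.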
struct ssh_cmd_ctx {