Hi all,
I would like a couple people to look over this patch I have made to SSH.
It creates a new option that allows ssh to lookup RSA authentication keys
in a global file modeled after the shadow password file. The intent is to
allow users to place their RSA ssh key into the ldap directory and then
have that key replicated automatically to all machines and used by ssh.
Checking of the global key file is done after looking at the users
.ssh/authorized_keys file and the global file is keyed to each maintainer.
LDAP entries would look like this:
sshrsaauthkey=1024 35
13188913800864665310056145282172752809896969986210687776638992421269538682667499807562325681722264279958572627924253677904887346542958562754647616248471798299277451202136815142932982865314941795877586991831796183279248323438349823299332680534314763423857547649263063185581654408646481264156574330001283021
[EMAIL PROTECTED]
And I would probably put a PGP mail gateway to set new keys. [ie gpg
--clearsign .ssh/identity.pub | mail [EMAIL PROTECTED]]
The advantage would be that everyone can use their ssh key uniformly on
all the machines. If someone loses their key or needs to revoke it due to
a compromise it can be done quickly and correctly.
If nobody can see why this would be a bad idea I will deploy this system
on db.debian.org and the debian.org machines in the near future. I hope
that when lsh becomes usable a similar patch to it can be made.
Thanks,
Jason
diff -ur ssh-1.2.27/auth-rsa.c ssh-1.2.27+jgg/auth-rsa.c
--- ssh-1.2.27/auth-rsa.c Wed May 12 05:19:24 1999
+++ ssh-1.2.27+jgg/auth-rsa.c Sat Sep 25 14:25:40 1999
@@ -211,7 +211,7 @@
successful. This may exit if there is a serious protocol violation. */
int auth_rsa(struct passwd *pw, MP_INT *client_n, RandomState *state,
- int strict_modes)
+ int strict_modes,int global)
{
char line[8192];
int authenticated;
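Review bot: `int strict_modes,int global` needs a space after the comma to match the rest of the parameter list, and the meaning of the new parameter (0 selects the user's own key file, nonzero the global file) should be stated in the comment block above `auth_rsa`, since every caller now has to pass it and this hunk does not show the call sites being updated.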
@@ -220,61 +220,93 @@
UserFile uf;
unsigned long linenum = 0;
struct stat st;
-
- /* Check permissions owner of user's .ssh directory */
- snprintf(line, sizeof(line), %.500s/%.100s, pw-pw_dir, SSH_USER_DIR);
-
- /* Check permissions owner of user's home directory */
- if (strict_modes !userfile_check_owner_permissions(pw, pw-pw_dir))
-{
- log_msg(Rsa authentication refused for %.100s: bad modes for %.200s,
- pw-pw_name, pw-pw_dir);
- packet_send_debug(Bad file modes for %.200s, pw-pw_dir);
- return 0;
-}
-
- /* Check if user have .ssh directory */
- if (userfile_stat(pw-pw_uid, line, st) 0)
-{
- log_msg(Rsa authentication refused for %.100s: no %.200s directory,
- pw-pw_name, line);
- packet_send_debug(Rsa authentication refused, no %.200s directory,
-line);
- return 0;
-}
-
- if (strict_modes !userfile_check_owner_permissions(pw, line))
-{
- log_msg(Rsa authentication refused for %.100s: bad modes for %.200s,
- pw-pw_name, line);
- packet_send_debug(Bad file modes for %.200s, line);
- return 0;
-}
+ const char *keyfile = 0;
+
+ if (global == 0)
+ {
+ /* Check permissions owner of user's .ssh directory */
+ snprintf(line, sizeof(line), %.500s/%.100s, pw-pw_dir, SSH_USER_DIR);
+
+ /* Check permissions owner of user's home directory */
+ if (strict_modes !userfile_check_owner_permissions(pw, pw-pw_dir))
+ {
+ log_msg(Rsa authentication refused for %.100s: bad modes for %.200s,
+ pw-pw_name, pw-pw_dir);
+ packet_send_debug(Bad file modes for %.200s, pw-pw_dir);
+ return 0;
+ }
+
+ /* Check if user have .ssh directory */
+ if (userfile_stat(pw-pw_uid, line, st) 0)
+ {
+ log_msg(Rsa authentication refused for %.100s: no %.200s directory,
+ pw-pw_name, line);
+ packet_send_debug(Rsa authentication refused, no %.200s directory,
+ line);
+ return 0;
+ }
+
+ if (strict_modes !userfile_check_owner_permissions(pw, line))
+ {
+ log_msg(Rsa authentication refused for %.100s: bad modes for %.200s,
+ pw-pw_name, line);
+ packet_send_debug(Bad file modes for %.200s, line);
+ return 0;
+ }
+
+ /* Check permissions owner of user's authorized keys file */
+ snprintf(line, sizeof(line),
+ %.500s/%.100s, pw-pw_dir, SSH_USER_PERMITTED_KEYS);
+
+ /* Open the file containing the authorized keys. */
+ if (userfile_stat(pw-pw_uid, line, st) 0)
+ return 0;
+
+ if (strict_modes !userfile_check_owner_permissions(pw, line))
+ {
+ log_msg(Rsa authentication refused for %.100s: bad modes for %.200s,
+ pw-pw_name, line);
+ packet_send_debug(Bad file modes for %.200s, line);
+ return 0;
+ }
+
+ uf = userfile_open(pw-pw_uid, line, O_RDONLY, 0);
+ if (uf == NULL)
+ {
+ packet_send_debug(Could not open %.900s for
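Review bot: all of the `strict_modes` ownership and mode checks are now wrapped in `if (global == 0)`, so in the visible part of this hunk the path that reads the global key file gets none of them; since that file becomes a trust root for every account on the host, it should be required to be a regular file owned by root and not group- or world-writable before `userfile_open` is reached, refused with the same `log_msg` / `packet_send_debug` pair the per-user branch uses. The remainder of the branch is the original code moved one indent level deeper, which makes the change hard to review; generating the diff with `-w` or saying in the mail that the block is unchanged would help. `const char *keyfile = 0;` is declared at the top of the function but not used in any visible line, so check that it is actually assigned before the file to open is chosen.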
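Added example, not code from Jason's patch or from ssh-1.2.27: a small Python reference for the global key file the mail describes, showing how the `sshrsaauthkey` value (the SSH1 `bits exponent modulus comment` form) is parsed, how a file "keyed to each maintainer" can be looked up per user, and the ownership and mode check a file that authenticates every account should pass before any key in it is trusted. The record format `username:bits exponent modulus [comment]` and the sample moduli are assumptions, since the mail does not fix a file layout.

```python
# Added example; not part of Jason's patch or of ssh-1.2.27.
# ASSUMED format of the global key file (the mail does not specify one):
#     username:bits exponent modulus [comment]
# where the part after the colon is the SSH1 identity.pub line, i.e. the
# same text the mail stores in the sshrsaauthkey LDAP attribute.
from __future__ import annotations

import os
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class RsaKey:
    bits: int
    exponent: int
    modulus: int
    comment: str


def parse_ssh1_key(text: str) -> RsaKey:
    """Parse 'bits exponent modulus [comment]' and sanity-check it."""
    parts = text.strip().split(None, 3)
    if len(parts) < 3:
        raise ValueError("expected 'bits exponent modulus [comment]'")
    bits, exponent, modulus = (int(p) for p in parts[:3])
    comment = parts[3] if len(parts) == 4 else ""
    # A size mismatch means the line was truncated or altered in transit
    # (a long modulus wrapped by a mail gateway is the typical case).
    if modulus.bit_length() != bits:
        raise ValueError(f"declared {bits} bits, modulus has {modulus.bit_length()}")
    if exponent < 3 or exponent % 2 == 0:
        raise ValueError(f"implausible public exponent {exponent}")
    return RsaKey(bits, exponent, modulus, comment)


def parse_global_keyfile(text: str) -> dict[str, list[RsaKey]]:
    """Map user name -> keys. Blank lines and '#' comments are skipped; a
    malformed record aborts the whole load instead of being silently dropped."""
    keys: dict[str, list[RsaKey]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, rest = line.partition(":")
        if not sep or not user:
            raise ValueError(f"line {lineno}: missing 'user:' field")
        try:
            keys.setdefault(user, []).append(parse_ssh1_key(rest))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
    return keys


def mode_problems(st_mode: int, st_uid: int) -> list[str]:
    """The strict-modes rule sshd applies to ~/.ssh, applied to the global
    file: a regular file, owned by root, not group- or world-writable."""
    problems = []
    if not stat.S_ISREG(st_mode):
        problems.append("not a regular file")
    if st_uid != 0:
        problems.append("not owned by root")
    if st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("group- or world-writable")
    return problems


def load_global_keyfile(path: str) -> dict[str, list[RsaKey]]:
    """Refuse the whole file if its ownership or modes are wrong."""
    st = os.lstat(path)  # lstat: a symlink standing in for the file is itself a problem
    problems = mode_problems(st.st_mode, st.st_uid)
    if problems:
        raise PermissionError(f"{path}: {', '.join(problems)}")
    with open(path, encoding="ascii") as fh:
        return parse_global_keyfile(fh.read())


def key_authorized(keys: dict[str, list[RsaKey]], user: str, client_n: int) -> bool:
    """The lookup auth_rsa() performs: is client_n one of this user's moduli?"""
    return any(k.modulus == client_n for k in keys.get(user, ()))


# Constructed sample records; the moduli are placeholders, not real keys.
SAMPLE_N_JGG = (1 << 1023) | 0x10001
SAMPLE_N_ALICE = (1 << 1023) | 0x2DF9B
SAMPLE_GLOBAL_FILE = f"""\
# constructed sample of the assumed global key file
jgg:1024 35 {SAMPLE_N_JGG} jgg@debian.org
alice:1024 35 {SAMPLE_N_ALICE} alice@example.org
"""


def demo() -> dict[str, bool]:
    keys = parse_global_keyfile(SAMPLE_GLOBAL_FILE)
    return {
        "jgg own key": key_authorized(keys, "jgg", SAMPLE_N_JGG),
        "jgg with alice's key": key_authorized(keys, "jgg", SAMPLE_N_ALICE),
        "unknown user": key_authorized(keys, "bob", SAMPLE_N_JGG),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'refused'}")
```

The bit-length check in `parse_ssh1_key` is the part worth keeping whatever format is chosen: a key that arrives through a mail gateway or an LDAP replication with its modulus wrapped or cut short should fail loudly at load time rather than become a line that never matches anyone.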