I've thrown together a patch idea to combine AllowUsers, AllowGroups,
AllowHosts and authentication types with two new directives,
AuthUser and AuthGroup, which both accept multiple arguments.
I'd like some feedback on the patch; it is included below.
AuthUser patch for ssh-1.2.27 by cruid|gersh.
[EMAIL PROTECTED] http://www.sonn.com/~gersh/ssh
Install:
tar -zxvf ssh-1.2.27.tar.gz && cd ssh-1.2.27
cp ../AuthUser.patch . && patch -p0 < AuthUser.patch
About:
This patch adds two new directives for sshd_config,
AuthUser and AuthGroup. Using these two directives you can
configure ssh wrappers to be more restrictive than before.
Features:
Combines AllowUsers, AllowHosts and authentication type.
More verbose logging.
More verbose client debug messages if (!options.silent_deny)
Examples:
AuthUser cruid gersh:*.sonn.com:rsa
AuthUser cruid:127.0.0.1:password rsa
AuthGroup wheel:*.sonn.com:rsa kerberos
Usage:
Fields are separated by a colon.
Field one is a list of usernames delimited by spaces.
Field two is a list of hostnames delimited by spaces.
Field three is a list of valid authentication methods delimited by spaces.
Fields one and two expand wildcards; field three does not.
AuthUser and AuthGroup cannot be used in conjunction,
just like AllowUsers and AllowGroups; I'm considering fixing this.
Valid authentication modes are:
rhost rhost_rsa rsa tis kerberos and password
Notes:
At this point the specific authentication modules
must still be turned on in sshd_config, e.g.
PasswordAuthentication yes
I am thinking about changing this and would like some feedback.
--- sshd.c Wed Oct 13 13:29:37 1999
+++ sshd.c.new Wed Oct 13 13:28:49 1999
@@ -492,6 +492,8 @@
int deny_severity = LOG_WARNING;
#endif /* LIBWRAP */
+#define WHITESPACE " \t\r\n="
+
#ifdef CRAY
#include <udb.h>
#include <unistd.h>
@@ -2075,7 +2077,210 @@
return 0;
}
}
-
+
+ if (options.num_auth_user > 0)
+ {
+ int type, num, check, one = 0, two = 0;
+ char *ptr1, *ptr2, *ptr3, *temp;
+ const char *hostname = get_canonical_hostname();
+ const char *ipaddr = get_remote_ipaddr();
+
+ for (num = 0; num < options.num_auth_user; num++)
+ {
+ int one = 0, two = 0;
+
+ ptr1 = strsep(&options.auth_user[num], ":");
+ ptr2 = strsep(&options.auth_user[num], ":");
+ ptr3 = strsep(&options.auth_user[num], ":");
+
+ /*
+ * Check if the user for this session is allowed.
+ */
+
+ if (one != 1) {
+ for (check = 0; check != MAX_AUTH_USER; check++) {
+ temp = strsep(&ptr1, WHITESPACE);
+ if (temp != NULL) {
+ if (match_user(user, hostname, ipaddr, temp)) {
+ one = 1;
+ break;
+ }
+ }
+ }
+ }
+
+ /*
+ * Check if the hostname is allowed.
+ */
+
+ if (two != 1) {
+ for (check = 0; check != MAX_AUTH_USER; check++) {
+ temp = strsep(&ptr2, WHITESPACE);
+ if (temp != NULL) {
+ if (match_host(hostname, ipaddr, temp)) {
+ two = 1;
+ break;
+ }
+ }
+ }
+ }
+
+ /*
+ * Set all auth types to zero. This will be set to one later.
+ */
+
+ options.rhosts_authentication = 0;
+ options.rhosts_rsa_authentication = 0;
+ options.rsa_authentication = 0;
+ options.tis_authentication = 0;
+ options.kerberos_authentication = 0;
+ options.password_authentication = 0;
+
+ for (check = 0; check != MAX_AUTH_USER; check++) {
+ temp = strsep(&ptr3, WHITESPACE);
+ if (temp != NULL) {
+
+ if (!strcmp(temp, "rhost"))
+ options.rhosts_authentication = 1;
+
+ if (!strcmp(temp, "rhost_rsa"))
+ options.rhosts_rsa_authentication = 1;
+
+ if (!strcmp(temp, "rsa"))
+ options.rsa_authentication = 1;
+
+ if (!strcmp(temp, "tis"))
+ options.tis_authentication = 1;
+
+ if (!strcmp(temp, "kerberos"))
+ options.kerberos_authentication = 1;
+
+ if (!strcmp(temp, "password"))
+ options.password_authentication = 1;
+ }
+ }
+
+ if ((one == 1) && (two == 1))
+ break;
+ }
+
+ if (num >= options.num_auth_user)
+ {
+ log_msg("Connection for %.100s not allowed from %.100s\n", user,
+get_canonical_hostname());
+
+ if (!options.silent_deny)
+ packet_disconnect("Sorry, %.100s is not allowed to connect from %.100s.",
+user, get_canonical_hostname());
+
+ return 0;
+ }
+ }
+
+ if (options.num_auth_group > 0)
+ {
+ int type, num, check, one = 0, two = 0;
+ char *ptr1, *ptr2, *ptr3, *temp;
+ const char *hostname = get_canonical_hostname();
+ const char *ipaddr = get_remote_ipaddr();
+
+ grp = getgrgid(pwd->pw_gid);
+ if (grp)
+ group = grp->gr_name;
+ else {
+ log_msg("Unknown group id %d\n", pwd->pw_gid);
+ group = "none";
+ }
+
+
+ for (num = 0; num < options.num_auth_group; num++)
+ {
+ int one = 0, two = 0;
+
+ ptr1 = strsep(&options.auth_group[num], ":");
+ ptr2 = strsep(&options.auth_group[num], ":");
+ ptr3 = strsep(&options.auth_group[num], ":");
+
+ /*
+ * Check if the group for this session is allowed.
+ */
+
+ if (one != 1) {
+ for (check = 0; check != MAX_AUTH_GROUP; check++) {
+ temp = strsep(&ptr1, WHITESPACE);
+ if (temp != NULL) {
+ if (match_pattern(group, temp)) {
+ one = 1;
+ break;
+ }
+ }
+ }
+ }
+
+ /*
+ * Check if the hostname is allowed.
+ */
+
+ if (two != 1) {
+ for (check = 0; check != MAX_AUTH_GROUP; check++) {
+ temp = strsep(&ptr2, WHITESPACE);
+ if (temp != NULL) {
+ if (match_host(hostname, ipaddr, temp)) {
+ two = 1;
+ break;
+ }
+ }
+ }
+ }
+
+ /*
+ * Set all auth types to zero. This will be set to one later.
+ */
+
+ options.rhosts_authentication = 0;
+ options.rhosts_rsa_authentication = 0;
+ options.rsa_authentication = 0;
+ options.tis_authentication = 0;
+ options.kerberos_authentication = 0;
+ options.password_authentication = 0;
+
+ for (check = 0; check != MAX_AUTH_GROUP; check++) {
+ temp = strsep(&ptr3, WHITESPACE);
+ if (temp != NULL) {
+
+ if (!strcmp(temp, "rhost"))
+ options.rhosts_authentication = 1;
+
+ if (!strcmp(temp, "rhost_rsa"))
+ options.rhosts_rsa_authentication = 1;
+
+ if (!strcmp(temp, "rsa"))
+ options.rsa_authentication = 1;
+
+ if (!strcmp(temp, "tis"))
+ options.tis_authentication = 1;
+
+ if (!strcmp(temp, "kerberos"))
+ options.kerberos_authentication = 1;
+
+ if (!strcmp(temp, "password"))
+ options.password_authentication = 1;
+ }
+ }
+
+ if ((one == 1) && (two == 1))
+ break;
+ }
+
+ if (grp == NULL || num >= options.num_auth_group)
+ {
+ log_msg("Connection for group %.100s is not allowed from %.100s\n", group,
+get_canonical_hostname());
+
+ if (!options.silent_deny)
+ packet_disconnect("Sorry, members of group %.100s are not allowed to
+connect from %.100s.", group, get_canonical_hostname());
+
+ return 0;
+ }
+ }
+
return 1;
}
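Review bot: In the loops over the third field (the `if (!strcmp(temp, "rhost"))` chain in the AuthUser block and its copy in the AuthGroup block) every recognised token assigns `options.*_authentication = 1` after all six flags were zeroed, so an entry such as `AuthUser bob:*:password` (constructed example) turns password authentication on for that session even when sshd_config says `PasswordAuthentication no`; this contradicts the accompanying note that the modules must still be enabled globally, unless a check outside this hunk intervenes. The sketch below snapshots the globally configured flags before the loop and lets an entry only narrow them; the AuthGroup block needs the same change. The same token loops keep calling strsep for all MAX_AUTH_USER iterations after the field is exhausted and silently ignore a misspelled method name, which leaves the matching user with no method at all. The calls `strsep(&options.auth_user[num], ":")` advance the stored pointer, so the entry is consumed if this code is reached a second time in the same process and the original xstrdup'd buffer can no longer be freed. The inner `int one = 0, two = 0;` shadows the outer pair, `type` is unused, and the enclosing function begins before the hunk.
```c
if (options.num_auth_user > 0)
{
    int num, check;
    char *ptr1, *ptr2, *ptr3, *temp;
    const char *hostname = get_canonical_hostname();
    const char *ipaddr = get_remote_ipaddr();
    /* Methods enabled globally in sshd_config.  An AuthUser entry may
       only narrow this set, never re-enable a method the admin turned off. */
    int cfg_rhosts = options.rhosts_authentication;
    int cfg_rhosts_rsa = options.rhosts_rsa_authentication;
    int cfg_rsa = options.rsa_authentication;
    int cfg_tis = options.tis_authentication;
    int cfg_kerberos = options.kerberos_authentication;
    int cfg_password = options.password_authentication;

    for (num = 0; num < options.num_auth_user; num++)
    {
        /* ... unchanged: split the entry on ':' and match fields one and two ... */

        /* ... unchanged: zero the six options.*_authentication flags ... */

        for (check = 0; check != MAX_AUTH_USER; check++) {
            temp = strsep(&ptr3, WHITESPACE);
            if (temp == NULL)
                break;                     /* field exhausted */
            if (*temp == '\0')
                continue;                  /* adjacent separators yield empty tokens */
            if (!strcmp(temp, "rhost"))
                options.rhosts_authentication = cfg_rhosts;
            else if (!strcmp(temp, "rhost_rsa"))
                options.rhosts_rsa_authentication = cfg_rhosts_rsa;
            else if (!strcmp(temp, "rsa"))
                options.rsa_authentication = cfg_rsa;
            else if (!strcmp(temp, "tis"))
                options.tis_authentication = cfg_tis;
            else if (!strcmp(temp, "kerberos"))
                options.kerberos_authentication = cfg_kerberos;
            else if (!strcmp(temp, "password"))
                options.password_authentication = cfg_password;
            else
                log_msg("Unknown authentication type %.100s in AuthUser entry %d\n",
                        temp, num);
        }

        /* ... unchanged: break once both user and host matched ... */
    }

    /* ... unchanged: deny the connection when no entry matched ... */
}
```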
@@ -2290,7 +2495,9 @@
options.rsa_authentication)))
{
packet_get_all();
- log_msg("Kerberos tgt passing disabled.");
+ log_msg("%.100s may not use Kerberos Authentication from %.100s",
+user, get_canonical_hostname());
+ if (!options.silent_deny)
+ packet_send_debug("Sorry, %.100s may not use Kerberos
+Authentication from %.100s.", user, get_canonical_hostname());
break;
}
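Review bot: `packet_send_debug` in the Kerberos branch, and likewise in the rhosts, rhosts-RSA, RSA, TIS and password branches below, tells the still-unauthenticated client that this particular user may not use that method from this host, gated only by `silent_deny`. Because the same branch is taken whether the method is disabled globally or withheld by an AuthUser/AuthGroup entry, the client-visible text discloses per-user policy to an unauthenticated peer; keep the per-user detail in `log_msg` and send a fixed string to the client, e.g. `packet_send_debug("Sorry, that authentication method is not available.");`. `user` is the login name supplied by the client, so the `%.100s` bound limits length but not content; confirm that log_msg sanitizes control characters before the line reaches syslog. The enclosing switch and loop lie outside the hunk.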
@@ -2357,7 +2564,10 @@
if (!options.rhosts_authentication)
{
packet_get_all();
- log_msg("Rhosts authentication disabled.");
+ log_msg("%.100s may not use Rhost Authentication from %.100s", user,
+get_canonical_hostname());
+ if (!options.silent_deny)
+ packet_send_debug("Sorry, %.100s may not use Rhost
+Authentication from %.100s.", user, get_canonical_hostname());
+
break;
}
@@ -2396,7 +2606,9 @@
if (!options.rhosts_rsa_authentication)
{
packet_get_all();
- log_msg("Rhosts with RSA authentication disabled.");
+ log_msg("%.100s may not use RhostRSA Authentication from %.100s",
+user, get_canonical_hostname());
+ if (!options.silent_deny)
+ packet_send_debug("Sorry, %.100s may not use RhostRSA
+Authentication from %.100s.", user, get_canonical_hostname());
break;
}
@@ -2459,7 +2671,9 @@
if (!options.rsa_authentication)
{
packet_get_all();
- log_msg("RSA authentication disabled.");
+ log_msg("%.100s may not use RSA Authentication from %.100s", user,
+get_canonical_hostname());
+ if (!options.silent_deny)
+ packet_send_debug("Sorry, %.100s may not use RSA Authentication
+from %.100s.", user, get_canonical_hostname());
break;
}
@@ -2490,7 +2704,9 @@
debug("TIS Authentication...");
if (!options.tis_authentication) {
packet_get_all();
- log_msg("Tis authsrv authentication disabled.");
+ log_msg("%.100s may not use TIS Authentication from %.100s", user,
+get_canonical_hostname());
+ if (!options.silent_deny)
+ packet_send_debug("Sorry, %.100s may not use TIS Authentication
+from %.100s.", user, get_canonical_hostname());
break;
} else {
char buf[128];
@@ -2624,7 +2840,9 @@
if (!options.password_authentication)
{
packet_get_all();
- log_msg("Password authentication disabled.");
+ log_msg("%.100s may not use Password Authentication from %.100s", user,
+get_canonical_hostname());
+ if (!options.silent_deny)
+ packet_send_debug("Sorry, %.100s may not use Password
+Authentication from %.100s.", user, get_canonical_hostname());
break;
}
if (cipher_type == SSH_CIPHER_NONE)
--- servconf.c Wed Oct 13 13:30:00 1999
+++ servconf.c.new Wed Oct 13 12:26:36 1999
@@ -250,8 +250,8 @@
sForcedPasswd, sForcedEmptyPasswd, sUmask, sSilentDeny, sIdleTimeout,
sUseLogin, sKerberosAuthentication, sKerberosOrLocalPasswd,
sKerberosTgtPassing, sAllowTcpForwarding, sAllowUsers, sDenyUsers,
- sXauthPath, sCheckMail, sDenyGroups, sAllowGroups, sIgnoreRootRhosts,
- sAllowSHosts, sDenySHosts, sPasswordExpireWarningDays,
+ sXauthPath, sCheckMail, sDenyGroups, sAllowGroups, sAuthUser, sAuthGroup,
+ sIgnoreRootRhosts, sAllowSHosts, sDenySHosts, sPasswordExpireWarningDays,
sAccountExpireWarningDays
#ifdef F_SECURE_COMMERCIAL
@@ -289,6 +289,8 @@
{ "denyusers", sDenyUsers },
{ "allowgroups", sAllowGroups },
{ "denygroups", sDenyGroups },
+ { "authuser", sAuthUser },
+ { "authgroup", sAuthGroup },
#ifdef F_SECURE_COMMERCIAL
@@ -796,6 +798,28 @@
}
options->deny_groups[options->num_deny_groups++] = xstrdup(cp);
}
+ break;
+
+ case sAuthUser:
+ while ((cp = strtok(NULL, "")))
+ {
+ if (options->num_auth_user >= MAX_AUTH_USER) {
+ fprintf(stderr, "%s line %d: too many allow AuthUser lines.\n",
+filename, linenum);
+ exit(1);
+ }
+ options->auth_user[options->num_auth_user++] = xstrdup(cp);
+ }
+ break;
+
+ case sAuthGroup:
+ while ((cp = strtok(NULL, "")))
+ {
+ if (options->num_auth_group >= MAX_AUTH_GROUP) {
+ fprintf(stderr, "%s line %d: too many allow AuthGroup lines.\n",
+filename, linenum);
+ exit(1);
+ }
+ options->auth_group[options->num_auth_group++] = xstrdup(cp);
+ }
break;
case sXauthPath:
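Review bot: The error text `"%s line %d: too many allow AuthUser lines.\n"` in the sAuthUser case carries a stray "allow" copied from the AllowUsers case, and the sAuthGroup message has the same slip. Both cases store the remainder of the line verbatim via `strtok(NULL, "")` with no check that it has three colon-separated fields or that field three names only known methods, so a missing colon or a misspelled method silently yields an entry that matches the user and then disables every method for them at connection time; validating here with the same `fprintf(stderr, ...); exit(1);` pattern the surrounding cases use would surface the mistake at startup. `num_auth_user` and `num_auth_group` are incremented without an explicit initialisation anywhere in this diff; if initialize_server_options does not zero the whole struct, they must be set to 0 there. The enclosing switch starts and ends outside the hunk.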
--- servconf.h Wed Oct 13 13:29:54 1999
+++ servconf.h.new Wed Oct 13 09:13:52 1999
@@ -72,6 +72,8 @@
#define MAX_DENY_USERS 256 /* Max # users on deny list. */
#define MAX_ALLOW_GROUPS 256 /* Max # groups on allow list. */
#define MAX_DENY_GROUPS 256 /* Max # groups on deny list. */
+#define MAX_AUTH_USER 256 /* Max # of auth users on list. */
+#define MAX_AUTH_GROUP 256 /* Max # of auth groups on list */
#ifdef F_SECURE_COMMERCIAL
#define MAX_ALLOW_FORWD_TO 256 /* Max # forwardingto on allow list. */
@@ -139,6 +141,10 @@
char *allow_groups[MAX_ALLOW_GROUPS];
unsigned int num_deny_groups;
char *deny_groups[MAX_DENY_GROUPS];
+ unsigned int num_auth_user;
+ char *auth_user[MAX_AUTH_USER];
+ unsigned int num_auth_group;
+ char *auth_group[MAX_AUTH_GROUP];
char *xauth_path;
~
Logan Gabriel - [Gersh | cruid @ EFnet.irc] - Unix Security Admin
"\xeb\x03\x5f\xeb\x05\xe8\xf8\xff\xff\xff\x31\xd2\xb2\x0a\x31\xc9"
"\xb1\x1a\x01\xf9\x31\xdb\xb3\x01\x31\xc0\xb0\x04\xcd\x80\x31\xc0"
"\xb0\x01\xcd\x80\x44\x4f\x4f\x54\x20\x44\x4f\x4f\x54\x0a\x00";