upstream: make UID available as a %-expansion everywhere that the
username is available currently. In the client this is via %i, in the server %U (since %i was already used in the client in some places for this, but used for something different in the server); bz#2870, ok dtucker@ OpenBSD-Commit-ID: c7e912b0213713316cb55db194b3a6415b3d4b95
parent
d8748b91d1
commit
9c935dd9bf
8
auth.c
8
auth.c
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: auth.c,v 1.128 2018/05/25 07:11:01 djm Exp $ */
|
||||
/* $OpenBSD: auth.c,v 1.129 2018/06/01 03:33:53 djm Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
||||
*
|
||||
|
@ -422,11 +422,13 @@ auth_root_allowed(struct ssh *ssh, const char *method)
|
|||
char *
|
||||
expand_authorized_keys(const char *filename, struct passwd *pw)
|
||||
{
|
||||
char *file, ret[PATH_MAX];
|
||||
char *file, uidstr[32], ret[PATH_MAX];
|
||||
int i;
|
||||
|
||||
snprintf(uidstr, sizeof(uidstr), "%llu",
|
||||
(unsigned long long)pw->pw_uid);
|
||||
file = percent_expand(filename, "h", pw->pw_dir,
|
||||
"u", pw->pw_name, (char *)NULL);
|
||||
"u", pw->pw_name, "U", uidstr, (char *)NULL);
|
||||
|
||||
/*
|
||||
* Ensure that filename starts anchored. If not, be backward
|
||||
|
|
|
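Review bot: The uid formatting added to expand_authorized_keys, `snprintf(uidstr, sizeof(uidstr), "%llu", (unsigned long long)pw->pw_uid);` together with its own `char uidstr[32]` declaration, is hand-copied into auth2-pubkey.c (match_principals_command and user_key_command_allowed2), readconf.c, session.c, sftp-server.c and ssh.c as well. Six copies of the same buffer size, format string and cast invite the kind of slip where one copy names the wrong passwd pointer, and any later change to the format has to be made in every file. A small shared helper next to percent_expand(), e.g. `void format_uid(uid_t uid, char *buf, size_t len)` wrapping the same snprintf, would keep the idiom and the 32-byte sizing (enough for any 64-bit value plus NUL) in one place. expand_authorized_keys continues past the hunk.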
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: auth2-pubkey.c,v 1.77 2018/03/03 03:15:51 djm Exp $ */
|
||||
/* $OpenBSD: auth2-pubkey.c,v 1.78 2018/06/01 03:33:53 djm Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
||||
*
|
||||
|
@ -387,7 +387,7 @@ match_principals_command(struct ssh *ssh, struct passwd *user_pw,
|
|||
pid_t pid;
|
||||
char *tmp, *username = NULL, *command = NULL, **av = NULL;
|
||||
char *ca_fp = NULL, *key_fp = NULL, *catext = NULL, *keytext = NULL;
|
||||
char serial_s[16];
|
||||
char serial_s[16], uidstr[32];
|
||||
void (*osigchld)(int);
|
||||
|
||||
if (authoptsp != NULL)
|
||||
|
@ -447,8 +447,11 @@ match_principals_command(struct ssh *ssh, struct passwd *user_pw,
|
|||
}
|
||||
snprintf(serial_s, sizeof(serial_s), "%llu",
|
||||
(unsigned long long)cert->serial);
|
||||
snprintf(uidstr, sizeof(uidstr), "%llu",
|
||||
(unsigned long long)user_pw->pw_uid);
|
||||
for (i = 1; i < ac; i++) {
|
||||
tmp = percent_expand(av[i],
|
||||
"U", uidstr,
|
||||
"u", user_pw->pw_name,
|
||||
"h", user_pw->pw_dir,
|
||||
"t", sshkey_ssh_name(key),
|
||||
|
@ -852,7 +855,7 @@ user_key_command_allowed2(struct ssh *ssh, struct passwd *user_pw,
|
|||
int i, uid_swapped = 0, ac = 0;
|
||||
pid_t pid;
|
||||
char *username = NULL, *key_fp = NULL, *keytext = NULL;
|
||||
char *tmp, *command = NULL, **av = NULL;
|
||||
char uidstr[32], *tmp, *command = NULL, **av = NULL;
|
||||
void (*osigchld)(int);
|
||||
|
||||
if (authoptsp != NULL)
|
||||
|
@ -902,8 +905,11 @@ user_key_command_allowed2(struct ssh *ssh, struct passwd *user_pw,
|
|||
command);
|
||||
goto out;
|
||||
}
|
||||
snprintf(uidstr, sizeof(uidstr), "%llu",
|
||||
(unsigned long long)user_pw->pw_uid);
|
||||
for (i = 1; i < ac; i++) {
|
||||
tmp = percent_expand(av[i],
|
||||
"U", uidstr,
|
||||
"u", user_pw->pw_name,
|
||||
"h", user_pw->pw_dir,
|
||||
"t", sshkey_ssh_name(key),
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: readconf.c,v 1.287 2018/05/22 00:13:26 djm Exp $ */
|
||||
/* $OpenBSD: readconf.c,v 1.288 2018/06/01 03:33:53 djm Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
|
@ -551,6 +551,7 @@ match_cfg_line(Options *options, char **condition, struct passwd *pw,
|
|||
const char *ruser;
|
||||
int r, port, this_result, result = 1, attributes = 0, negate;
|
||||
char thishost[NI_MAXHOST], shorthost[NI_MAXHOST], portstr[NI_MAXSERV];
|
||||
char uidstr[32];
|
||||
|
||||
/*
|
||||
* Configuration is likely to be incomplete at this point so we
|
||||
|
@ -631,6 +632,8 @@ match_cfg_line(Options *options, char **condition, struct passwd *pw,
|
|||
strlcpy(shorthost, thishost, sizeof(shorthost));
|
||||
shorthost[strcspn(thishost, ".")] = '\0';
|
||||
snprintf(portstr, sizeof(portstr), "%d", port);
|
||||
snprintf(uidstr, sizeof(uidstr), "%llu",
|
||||
(unsigned long long)pw->pw_uid);
|
||||
|
||||
cmd = percent_expand(arg,
|
||||
"L", shorthost,
|
||||
|
@ -641,6 +644,7 @@ match_cfg_line(Options *options, char **condition, struct passwd *pw,
|
|||
"p", portstr,
|
||||
"r", ruser,
|
||||
"u", pw->pw_name,
|
||||
"i", uidstr,
|
||||
(char *)NULL);
|
||||
if (result != 1) {
|
||||
/* skip execution if prior predicate failed */
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: session.c,v 1.294 2018/03/03 03:15:51 djm Exp $ */
|
||||
/* $OpenBSD: session.c,v 1.295 2018/06/01 03:33:53 djm Exp $ */
|
||||
/*
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
* All rights reserved
|
||||
|
@ -1324,7 +1324,7 @@ safely_chroot(const char *path, uid_t uid)
|
|||
void
|
||||
do_setusercontext(struct passwd *pw)
|
||||
{
|
||||
char *chroot_path, *tmp;
|
||||
char uidstr[32], *chroot_path, *tmp;
|
||||
|
||||
platform_setusercontext(pw);
|
||||
|
||||
|
@ -1356,8 +1356,10 @@ do_setusercontext(struct passwd *pw)
|
|||
strcasecmp(options.chroot_directory, "none") != 0) {
|
||||
tmp = tilde_expand_filename(options.chroot_directory,
|
||||
pw->pw_uid);
|
||||
snprintf(uidstr, sizeof(uidstr), "%llu",
|
||||
(unsigned long long)pw->pw_uid);
|
||||
chroot_path = percent_expand(tmp, "h", pw->pw_dir,
|
||||
"u", pw->pw_name, (char *)NULL);
|
||||
"u", pw->pw_name, "U", uidstr, (char *)NULL);
|
||||
safely_chroot(chroot_path, pw->pw_uid);
|
||||
free(tmp);
|
||||
free(chroot_path);
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: sftp-server.c,v 1.111 2017/04/04 00:24:56 djm Exp $ */
|
||||
/* $OpenBSD: sftp-server.c,v 1.112 2018/06/01 03:33:53 djm Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2000-2004 Markus Friedl. All rights reserved.
|
||||
*
|
||||
|
@ -1503,7 +1503,7 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw)
|
|||
int i, r, in, out, max, ch, skipargs = 0, log_stderr = 0;
|
||||
ssize_t len, olen, set_size;
|
||||
SyslogFacility log_facility = SYSLOG_FACILITY_AUTH;
|
||||
char *cp, *homedir = NULL, buf[4*4096];
|
||||
char *cp, *homedir = NULL, uidstr[32], buf[4*4096];
|
||||
long mask;
|
||||
|
||||
extern char *optarg;
|
||||
|
@ -1554,8 +1554,10 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw)
|
|||
break;
|
||||
case 'd':
|
||||
cp = tilde_expand_filename(optarg, user_pw->pw_uid);
|
||||
snprintf(uidstr, sizeof(uidstr), "%llu",
|
||||
(unsigned long long)pw->pw_uid);
|
||||
homedir = percent_expand(cp, "d", user_pw->pw_dir,
|
||||
"u", user_pw->pw_name, (char *)NULL);
|
||||
"u", user_pw->pw_name, "U", uidstr, (char *)NULL);
|
||||
free(cp);
|
||||
break;
|
||||
case 'p':
|
||||
|
|
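Review bot: The new line `(unsigned long long)pw->pw_uid);` in sftp_server_main refers to `pw`, but the function's passwd parameter is `user_pw` (see the signature in the hunk header and the adjacent `tilde_expand_filename(optarg, user_pw->pw_uid)` and `percent_expand(cp, "d", user_pw->pw_dir, ...)` calls). Unless a file-scope `pw` exists elsewhere in sftp-server.c this will not compile, and if one does exist the %U token in the -d directory would expand to a different user's uid than the rest of the expansion uses; the line should read `(unsigned long long)user_pw->pw_uid);`. The enclosing `switch` on the option character starts and ends outside the hunk.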
30
ssh.c
30
ssh.c
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: ssh.c,v 1.478 2018/06/01 03:11:49 djm Exp $ */
|
||||
/* $OpenBSD: ssh.c,v 1.479 2018/06/01 03:33:53 djm Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
|
@ -1278,7 +1278,8 @@ main(int ac, char **av)
|
|||
strlcpy(shorthost, thishost, sizeof(shorthost));
|
||||
shorthost[strcspn(thishost, ".")] = '\0';
|
||||
snprintf(portstr, sizeof(portstr), "%d", options.port);
|
||||
snprintf(uidstr, sizeof(uidstr), "%d", pw->pw_uid);
|
||||
snprintf(uidstr, sizeof(uidstr), "%llu",
|
||||
(unsigned long long)pw->pw_uid);
|
||||
|
||||
if ((md = ssh_digest_start(SSH_DIGEST_SHA1)) == NULL ||
|
||||
ssh_digest_update(md, thishost, strlen(thishost)) < 0 ||
|
||||
|
@ -1303,6 +1304,7 @@ main(int ac, char **av)
|
|||
"L", shorthost,
|
||||
"d", pw->pw_dir,
|
||||
"h", host,
|
||||
"i", uidstr,
|
||||
"l", thishost,
|
||||
"n", host_arg,
|
||||
"p", portstr,
|
||||
|
@ -1323,6 +1325,7 @@ main(int ac, char **av)
|
|||
"C", conn_hash_hex,
|
||||
"L", shorthost,
|
||||
"h", host,
|
||||
"i", uidstr,
|
||||
"l", thishost,
|
||||
"n", host_arg,
|
||||
"p", portstr,
|
||||
|
@ -1501,9 +1504,14 @@ main(int ac, char **av)
|
|||
} else {
|
||||
p = tilde_expand_filename(options.identity_agent,
|
||||
original_real_uid);
|
||||
cp = percent_expand(p, "d", pw->pw_dir,
|
||||
"u", pw->pw_name, "l", thishost, "h", host,
|
||||
"r", options.user, (char *)NULL);
|
||||
cp = percent_expand(p,
|
||||
"d", pw->pw_dir,
|
||||
"h", host,
|
||||
"i", uidstr,
|
||||
"l", thishost,
|
||||
"r", options.user,
|
||||
"u", pw->pw_name,
|
||||
(char *)NULL);
|
||||
setenv(SSH_AUTHSOCKET_ENV_NAME, cp, 1);
|
||||
free(cp);
|
||||
free(p);
|
||||
|
@ -1908,6 +1916,7 @@ ssh_session2(struct ssh *ssh, struct passwd *pw)
|
|||
"L", shorthost,
|
||||
"d", pw->pw_dir,
|
||||
"h", host,
|
||||
"i", uidstr,
|
||||
"l", thishost,
|
||||
"n", host_arg,
|
||||
"p", portstr,
|
||||
|
@ -2106,9 +2115,14 @@ load_public_identity_files(struct passwd *pw)
|
|||
for (i = 0; i < options.num_certificate_files; i++) {
|
||||
cp = tilde_expand_filename(options.certificate_files[i],
|
||||
original_real_uid);
|
||||
filename = percent_expand(cp, "d", pw->pw_dir,
|
||||
"u", pw->pw_name, "l", thishost, "h", host,
|
||||
"r", options.user, (char *)NULL);
|
||||
filename = percent_expand(cp,
|
||||
"d", pw->pw_dir,
|
||||
"h", host,
|
||||
"i", host,
|
||||
"l", thishost,
|
||||
"r", options.user,
|
||||
"u", pw->pw_name,
|
||||
(char *)NULL);
|
||||
free(cp);
|
||||
|
||||
public = key_load_public(filename, NULL);
|
||||
|
|
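Review bot: In load_public_identity_files the rewritten percent_expand() call maps `"i", host,`, so the %i token in a CertificateFile path will expand to the remote hostname rather than the uid, contradicting the other four call sites in this commit (`"i", uidstr,` in main and ssh_session2) and the ssh_config.5 text added alongside. The line should be `"i", uidstr,`, assuming uidstr is the same buffer those functions read; the main() hunk shows it being formatted there and ssh_session2 reads it with no local declaration in view, which suggests file scope, but confirm before relying on it. The man page also lists %i for IdentityFile, yet no hunk touching the identity-file loop is visible here, so that path is worth checking as well. load_public_identity_files continues past the hunk.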
14
ssh_config.5
14
ssh_config.5
|
@ -33,8 +33,8 @@
|
|||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $OpenBSD: ssh_config.5,v 1.273 2018/04/10 00:10:49 djm Exp $
|
||||
.Dd $Mdocdate: April 10 2018 $
|
||||
.\" $OpenBSD: ssh_config.5,v 1.274 2018/06/01 03:33:53 djm Exp $
|
||||
.Dd $Mdocdate: June 1 2018 $
|
||||
.Dt SSH_CONFIG 5
|
||||
.Os
|
||||
.Sh NAME
|
||||
|
@ -1743,10 +1743,10 @@ The local username.
|
|||
.El
|
||||
.Pp
|
||||
.Cm Match exec
|
||||
accepts the tokens %%, %h, %L, %l, %n, %p, %r, and %u.
|
||||
accepts the tokens %%, %h, %i, %L, %l, %n, %p, %r, and %u.
|
||||
.Pp
|
||||
.Cm CertificateFile
|
||||
accepts the tokens %%, %d, %h, %l, %r, and %u.
|
||||
accepts the tokens %%, %d, %h, %i %l, %r, and %u.
|
||||
.Pp
|
||||
.Cm ControlPath
|
||||
accepts the tokens %%, %C, %h, %i, %L, %l, %n, %p, %r, and %u.
|
||||
|
@ -1757,16 +1757,16 @@ accepts the tokens %% and %h.
|
|||
.Cm IdentityAgent
|
||||
and
|
||||
.Cm IdentityFile
|
||||
accept the tokens %%, %d, %h, %l, %r, and %u.
|
||||
accept the tokens %%, %d, %h, %i %l, %r, and %u.
|
||||
.Pp
|
||||
.Cm LocalCommand
|
||||
accepts the tokens %%, %C, %d, %h, %l, %n, %p, %r, %T, and %u.
|
||||
accepts the tokens %%, %C, %d, %h, %i %l, %n, %p, %r, %T, and %u.
|
||||
.Pp
|
||||
.Cm ProxyCommand
|
||||
accepts the tokens %%, %h, %p, and %r.
|
||||
.Pp
|
||||
.Cm RemoteCommand
|
||||
accepts the tokens %%, %C, %d, %h, %l, %n, %p, %r, and %u.
|
||||
accepts the tokens %%, %C, %d, %h, %i, %l, %n, %p, %r, and %u.
|
||||
.Sh FILES
|
||||
.Bl -tag -width Ds
|
||||
.It Pa ~/.ssh/config
|
||||
|
|
|
@ -33,8 +33,8 @@
|
|||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $OpenBSD: sshd_config.5,v 1.266 2018/05/15 05:40:11 jmc Exp $
|
||||
.Dd $Mdocdate: May 15 2018 $
|
||||
.\" $OpenBSD: sshd_config.5,v 1.267 2018/06/01 03:33:53 djm Exp $
|
||||
.Dd $Mdocdate: June 1 2018 $
|
||||
.Dt SSHD_CONFIG 5
|
||||
.Os
|
||||
.Sh NAME
|
||||
|
@ -1689,24 +1689,26 @@ The serial number of the certificate.
|
|||
The type of the CA key.
|
||||
.It %t
|
||||
The key or certificate type.
|
||||
.It %U
|
||||
The numeric user-id id of the target user.
|
||||
.It %u
|
||||
The username.
|
||||
.El
|
||||
.Pp
|
||||
.Cm AuthorizedKeysCommand
|
||||
accepts the tokens %%, %f, %h, %k, %t, and %u.
|
||||
accepts the tokens %%, %f, %h, %k, %t, %U and %u.
|
||||
.Pp
|
||||
.Cm AuthorizedKeysFile
|
||||
accepts the tokens %%, %h, and %u.
|
||||
accepts the tokens %%, %h, %U and %u.
|
||||
.Pp
|
||||
.Cm AuthorizedPrincipalsCommand
|
||||
accepts the tokens %%, %F, %f, %h, %i, %K, %k, %s, %T, %t, and %u.
|
||||
accepts the tokens %%, %F, %f, %h, %i, %K, %k, %s, %T, %t, %U and %u.
|
||||
.Pp
|
||||
.Cm AuthorizedPrincipalsFile
|
||||
accepts the tokens %%, %h, and %u.
|
||||
accepts the tokens %%, %h, and %U %u.
|
||||
.Pp
|
||||
.Cm ChrootDirectory
|
||||
accepts the tokens %%, %h, and %u.
|
||||
accepts the tokens %%, %h, and %U %u.
|
||||
.Pp
|
||||
.Cm RoutingDomain
|
||||
accepts the token %D.
|
||||
|
|