diff options
Diffstat (limited to 'usr/src/lib/libsmartsshd')
| -rw-r--r-- | usr/src/lib/libsmartsshd/Makefile | 48 | ||||
| -rw-r--r-- | usr/src/lib/libsmartsshd/Makefile.com | 46 | ||||
| -rw-r--r-- | usr/src/lib/libsmartsshd/amd64/Makefile | 32 | ||||
| -rw-r--r-- | usr/src/lib/libsmartsshd/common/llib-lsmartsshd | 32 | ||||
| -rw-r--r-- | usr/src/lib/libsmartsshd/common/mapfile-vers | 48 | ||||
| -rw-r--r-- | usr/src/lib/libsmartsshd/common/sshd-plugin.c | 193 | ||||
| -rw-r--r-- | usr/src/lib/libsmartsshd/i386/Makefile | 31 |
7 files changed, 430 insertions, 0 deletions
diff --git a/usr/src/lib/libsmartsshd/Makefile b/usr/src/lib/libsmartsshd/Makefile new file mode 100644 index 0000000000..50d9545ef1 --- /dev/null +++ b/usr/src/lib/libsmartsshd/Makefile @@ -0,0 +1,48 @@ +# +# CDDL HEADER START +# +# The contents of this file are subject to the terms of the +# Common Development and Distribution License (the "License"). +# You may not use this file except in compliance with the License. +# +# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE +# or http://www.opensolaris.org/os/licensing. +# See the License for the specific language governing permissions +# and limitations under the License. +# +# When distributing Covered Code, include this CDDL HEADER in each +# file and include the License file at usr/src/OPENSOLARIS.LICENSE. +# If applicable, add the following below this CDDL HEADER, with the +# fields enclosed by brackets "[]" replaced with your own identifying +# information: Portions Copyright [yyyy] [name of copyright owner] +# +# CDDL HEADER END +# +# +# Copyright 2011 Joyent, Inc. All rights reserved. +# Use is subject to license terms. +# + +include ../Makefile.lib + +SUBDIRS= $(MACH) +$(BUILD64)SUBDIRS += $(MACH64) + +all := TARGET = all +clean := TARGET = clean +clobber := TARGET = clobber +install := TARGET = install +lint := TARGET = lint + +.KEEP_STATE: + +all clean clobber install lint: $(SUBDIRS) + +$(SUBDIRS): FRC + @cd $@; pwd; $(MAKE) $(TARGET) + +_msg: + +FRC: + +include ../Makefile.targ diff --git a/usr/src/lib/libsmartsshd/Makefile.com b/usr/src/lib/libsmartsshd/Makefile.com new file mode 100644 index 0000000000..dc75c96925 --- /dev/null +++ b/usr/src/lib/libsmartsshd/Makefile.com @@ -0,0 +1,46 @@ +# +# CDDL HEADER START +# +# The contents of this file are subject to the terms of the +# Common Development and Distribution License (the "License"). +# You may not use this file except in compliance with the License. +# +# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE +# or http://www.opensolaris.org/os/licensing. +# See the License for the specific language governing permissions +# and limitations under the License. +# +# When distributing Covered Code, include this CDDL HEADER in each +# file and include the License file at usr/src/OPENSOLARIS.LICENSE. +# If applicable, add the following below this CDDL HEADER, with the +# fields enclosed by brackets "[]" replaced with your own identifying +# information: Portions Copyright [yyyy] [name of copyright owner] +# +# CDDL HEADER END +# +# Copyright 2020 Joyent, Inc. +# + +LIBRARY= libsmartsshd.a +VERS= .1 +OBJECTS= sshd-plugin.o + +include ../../Makefile.lib +include ../../Makefile.rootfs + +SRCDIR = ../common +SRCS = $(OBJECTS:%.o=$(SRCDIR)/%.c) + +CPPFLAGS += -I$(SRCDIR) -D_REENTRANT -D_FILE_OFFSET_BITS=64 +LIBS = $(DYNLIB) $(LINTLIB) +LDLIBS += -lc -lmd + +$(LINTLIB) := SRCS= $(SRCDIR)/$(LINTSRC) + +.KEEP_STATE: + +all: $(LIBS) + +lint: lintcheck + +include ../../Makefile.targ diff --git a/usr/src/lib/libsmartsshd/amd64/Makefile b/usr/src/lib/libsmartsshd/amd64/Makefile new file mode 100644 index 0000000000..31be0ef7e6 --- /dev/null +++ b/usr/src/lib/libsmartsshd/amd64/Makefile @@ -0,0 +1,32 @@ +# +# CDDL HEADER START +# +# The contents of this file are subject to the terms of the +# Common Development and Distribution License, Version 1.0 only +# (the "License"). You may not use this file except in compliance +# with the License. +# +# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE +# or http://www.opensolaris.org/os/licensing. +# See the License for the specific language governing permissions +# and limitations under the License. +# +# When distributing Covered Code, include this CDDL HEADER in each +# file and include the License file at usr/src/OPENSOLARIS.LICENSE. +# If applicable, add the following below this CDDL HEADER, with the +# fields enclosed by brackets "[]" replaced with your own identifying +# information: Portions Copyright [yyyy] [name of copyright owner] +# +# CDDL HEADER END +# +# +# Copyright 2011 Joyent, Inc. All rights reserved. +# Use is subject to license terms. +# +# ident "%Z%%M% %I% %E% SMI" +# + +include ../Makefile.com +include ../../Makefile.lib.64 + +install: all $(ROOTLIBS64) $(ROOTLINKS64) $(ROOTLINT64) diff --git a/usr/src/lib/libsmartsshd/common/llib-lsmartsshd b/usr/src/lib/libsmartsshd/common/llib-lsmartsshd new file mode 100644 index 0000000000..ace7017d41 --- /dev/null +++ b/usr/src/lib/libsmartsshd/common/llib-lsmartsshd @@ -0,0 +1,32 @@ +/* + * CDDL HEADER START + * + * The contents of this file are subject to the terms of the + * Common Development and Distribution License, Version 1.0 only + * (the "License"). You may not use this file except in compliance + * with the License. + * + * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE + * or http://www.opensolaris.org/os/licensing. + * See the License for the specific language governing permissions + * and limitations under the License. + * + * When distributing Covered Code, include this CDDL HEADER in each + * file and include the License file at usr/src/OPENSOLARIS.LICENSE. + * If applicable, add the following below this CDDL HEADER, with the + * fields enclosed by brackets "[]" replaced with your own identifying + * information: Portions Copyright [yyyy] [name of copyright owner] + * + * CDDL HEADER END + */ +/*LINTLIBRARY*/ +/*PROTOLIB1*/ +/* + * + * Copyright 2011 Joyent, Inc. All rights reserved. + * Use is subject to license terms. + * + */ + +#pragma ident "%Z%%M% %I% %E% SMI" + diff --git a/usr/src/lib/libsmartsshd/common/mapfile-vers b/usr/src/lib/libsmartsshd/common/mapfile-vers new file mode 100644 index 0000000000..c3c6fe4946 --- /dev/null +++ b/usr/src/lib/libsmartsshd/common/mapfile-vers @@ -0,0 +1,48 @@ +# +# CDDL HEADER START +# +# The contents of this file are subject to the terms of the +# Common Development and Distribution License (the "License"). +# You may not use this file except in compliance with the License. +# +# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE +# or http://www.opensolaris.org/os/licensing. +# See the License for the specific language governing permissions +# and limitations under the License. +# +# When distributing Covered Code, include this CDDL HEADER in each +# file and include the License file at usr/src/OPENSOLARIS.LICENSE. +# If applicable, add the following below this CDDL HEADER, with the +# fields enclosed by brackets "[]" replaced with your own identifying +# information: Portions Copyright [yyyy] [name of copyright owner] +# +# CDDL HEADER END +# +# Copyright 2016 Joyent, Inc. +# + +# +# MAPFILE HEADER START +# +# WARNING: STOP NOW. DO NOT MODIFY THIS FILE. +# Object versioning must comply with the rules detailed in +# +# usr/src/lib/README.mapfiles +# +# You should not be making modifications here until you've read the most current +# copy of that file. If you need help, contact a gatekeeper for guidance. +# +# MAPFILE HEADER END +# + +$mapfile_version 2 + +SYMBOL_VERSION SUNWprivate_1.1 { + global: + sshd_user_rsa_key_allowed; + sshd_user_dsa_key_allowed; + sshd_user_ecdsa_key_allowed; + sshd_user_key_allowed; + local: + *; +}; diff --git a/usr/src/lib/libsmartsshd/common/sshd-plugin.c b/usr/src/lib/libsmartsshd/common/sshd-plugin.c new file mode 100644 index 0000000000..a6463cea12 --- /dev/null +++ b/usr/src/lib/libsmartsshd/common/sshd-plugin.c @@ -0,0 +1,193 @@ +/* + * CDDL HEADER START + * + * The contents of this file are subject to the terms of the + * Common Development and Distribution License (the "License"). + * You may not use this file except in compliance with the License. + * + * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE + * or http://www.opensolaris.org/os/licensing. + * See the License for the specific language governing permissions + * and limitations under the License. + * + * When distributing Covered Code, include this CDDL HEADER in each + * file and include the License file at usr/src/OPENSOLARIS.LICENSE. + * If applicable, add the following below this CDDL HEADER, with the + * fields enclosed by brackets "[]" replaced with your own identifying + * information: Portions Copyright [yyyy] [name of copyright owner] + * + * CDDL HEADER END + */ + +/* + * Copyright 2016 Joyent, Inc. + */ + +#include <alloca.h> +#include <door.h> +#include <errno.h> +#include <fcntl.h> +#include <pwd.h> +#include <sys/mman.h> +#include <sys/stat.h> +#include <sys/types.h> +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <unistd.h> + +#include <openssl/rsa.h> + +#include <md5.h> + +#ifdef __cplusplus +extern "C" { +#endif + +#define LOG_OOM(SZ) (void) fprintf(stderr, "Cannot alloca %d bytes\n", SZ) + +static const char *DOOR = "/var/tmp/._joyent_sshd_key_is_authorized"; +static const char *REQ_FMT_STR = "%s %d %s"; /* name uid fp */ +static const int RETURN_SZ = 2; + +static const int MAX_ATTEMPTS = 2; +static const int SLEEP_PERIOD = 1; + +static int +sshd_allowed_in_capi(struct passwd *pw, const char *fp) +{ + int allowed = 0; + int fd = -1; + int blen = 0; + int attempts = 0; + char *buf = NULL; + door_arg_t door_args = {0}; + + if (pw == NULL || fp == NULL) + return (0); + + blen = snprintf(NULL, 0, REQ_FMT_STR, pw->pw_name, pw->pw_uid, fp) + 1; + + buf = (char *)alloca(blen); + if (buf == NULL) { + LOG_OOM(blen); + return (0); + } + + (void) snprintf(buf, blen, REQ_FMT_STR, pw->pw_name, pw->pw_uid, fp); + door_args.data_ptr = buf; + door_args.data_size = blen; + + door_args.rsize = RETURN_SZ; + door_args.rbuf = alloca(RETURN_SZ); + if (door_args.rbuf == NULL) { + LOG_OOM(RETURN_SZ); + return (0); + } + (void) memset(door_args.rbuf, 0, RETURN_SZ); + + do { + fd = open(DOOR, O_RDWR); + if (fd < 0) { + if (errno == ENOENT) { + /* + * On systems which are not running SmartLogin, + * such as vanilla SmartOS, the door will be + * completely absent. The sleep/retry loop is + * skipped in this case to keep the login + * process more lively. + */ + perror("smartplugin: door does not exist"); + return (0); + } + perror("smartplugin: open (of door FD) failed"); + } else if (door_call(fd, &door_args) < 0) { + perror("smartplugin: door_call failed"); + } else { + allowed = atoi(door_args.rbuf); + if (door_args.rsize > RETURN_SZ) { + /* + * Given what we know about the SmartLogin + * daemon on the other end of the door, this + * should never occur. An assert might be + * preferable, but that is avoided since the + * error can be handled. + */ + (void) munmap(door_args.rbuf, door_args.rsize); + } + return (allowed); + } + if (++attempts < MAX_ATTEMPTS) { + (void) sleep(SLEEP_PERIOD); + } + } while (attempts < MAX_ATTEMPTS); + + return (0); +} + +static int +tohexstr(uchar_t *bytes, size_t blen, char *hexstr, size_t hexlen) +{ + size_t i, j; + const char hexlist[] = "0123456789abcdef"; + + if (hexlen < 1) + return (-1); + for (i = 0, j = 0; i < blen; i++) { + /* + * We need 3 bytes output per input byte -- the third byte is + * either for a : or the \0 at the end. + */ + if (hexlen < (j + 3)) + return (-1); + hexstr[j++] = hexlist[(bytes[i] >> 4) & 0xf]; + hexstr[j++] = hexlist[bytes[i] & 0xf]; + if (i + 1 < blen) + hexstr[j++] = ':'; + } + hexstr[j] = '\0'; + return (0); +} + +/* ARGSUSED */ +int +sshd_user_key_allowed(struct passwd *pw, const char *type, + const unsigned char *buf, size_t size) +{ + unsigned char md5buf[MD5_DIGEST_LENGTH]; + /* + * Will contain the fingerprint MD5 in colonhex format. Need 3 bytes + * per MD5 byte: two for hex digits, plus one for either ':' or '\0'. + */ + char hex[MD5_DIGEST_LENGTH * 3]; + + md5_calc(md5buf, buf, size); + if (tohexstr(md5buf, sizeof (md5buf), hex, sizeof (hex)) != 0) + return (0); + return (sshd_allowed_in_capi(pw, hex)); +} + +/* ARGSUSED */ +int +sshd_user_rsa_key_allowed(struct passwd *pw, RSA *key, const char *fp) +{ + return (sshd_allowed_in_capi(pw, fp)); +} + +/* ARGSUSED */ +int +sshd_user_dsa_key_allowed(struct passwd *pw, DSA *key, const char *fp) +{ + return (sshd_allowed_in_capi(pw, fp)); +} + +/* ARGSUSED */ +int +sshd_user_ecdsa_key_allowed(struct passwd *pw, DSA *key, const char *fp) +{ + return (sshd_allowed_in_capi(pw, fp)); +} + +#ifdef __cplusplus +} +#endif diff --git a/usr/src/lib/libsmartsshd/i386/Makefile b/usr/src/lib/libsmartsshd/i386/Makefile new file mode 100644 index 0000000000..2bfe8001d9 --- /dev/null +++ b/usr/src/lib/libsmartsshd/i386/Makefile @@ -0,0 +1,31 @@ +# +# CDDL HEADER START +# +# The contents of this file are subject to the terms of the +# Common Development and Distribution License, Version 1.0 only +# (the "License"). You may not use this file except in compliance +# with the License. +# +# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE +# or http://www.opensolaris.org/os/licensing. +# See the License for the specific language governing permissions +# and limitations under the License. +# +# When distributing Covered Code, include this CDDL HEADER in each +# file and include the License file at usr/src/OPENSOLARIS.LICENSE. +# If applicable, add the following below this CDDL HEADER, with the +# fields enclosed by brackets "[]" replaced with your own identifying +# information: Portions Copyright [yyyy] [name of copyright owner] +# +# CDDL HEADER END +# +# +# Copyright 2011 Joyent, Inc. All rights reserved. +# Use is subject to license terms. +# +# ident "%Z%%M% %I% %E% SMI" +# + +include ../Makefile.com + +install: all $(ROOTLIBS) $(ROOTLINKS) $(ROOTLINT) |