-diff -up openssh-5.8p1/auth2-pubkey.c.akc openssh-5.8p1/auth2-pubkey.c
---- openssh-5.8p1/auth2-pubkey.c.akc 2011-02-10 13:21:27.000000000 +0100
-+++ openssh-5.8p1/auth2-pubkey.c 2011-02-10 13:21:28.000000000 +0100
+diff -up openssh-5.9p1/auth2-pubkey.c.akc openssh-5.9p1/auth2-pubkey.c
+--- openssh-5.9p1/auth2-pubkey.c.akc 2011-09-14 07:24:40.876512251 +0200
++++ openssh-5.9p1/auth2-pubkey.c 2011-09-14 07:24:43.318458515 +0200
@@ -27,6 +27,7 @@
#include <sys/types.h>
#include <fcntl.h>
#include <pwd.h>
-@@ -268,27 +269,15 @@ match_principals_file(char *file, struct
+@@ -276,27 +277,15 @@ match_principals_file(char *file, struct
/* return 1 if user allows given key */
static int
found_key = 0;
found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);
-@@ -381,8 +370,6 @@ user_key_allowed2(struct passwd *pw, Key
+@@ -389,8 +378,6 @@ user_key_allowed2(struct passwd *pw, Key
break;
}
}
key_free(found);
if (!found_key)
debug2("key not found");
-@@ -444,13 +431,191 @@ user_cert_trusted_ca(struct passwd *pw,
+@@ -452,13 +439,191 @@ user_cert_trusted_ca(struct passwd *pw,
return ret;
}
+ pid_t pstat, pid, child;
+
+ if (options.authorized_keys_command == NULL || options.authorized_keys_command[0] != '/')
-+ return -1;
++ return 0;
+
+ /* get the run as identity from config */
+ runas_pw = (options.authorized_keys_command_runas == NULL)? pw
int
user_key_allowed(struct passwd *pw, Key *key)
{
- int success;
+ u_int success, i;
char *file;
+#ifdef WITH_AUTHORIZED_KEYS_COMMAND
if (auth_key_is_revoked(key))
return 0;
if (key_is_cert(key) && auth_key_is_revoked(key->cert->signature_key))
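Review bot: With `success` now declared `u_int` in user_key_allowed (the `+ u_int success, i;` line), any negative value coming back from the AuthorizedKeysCommand helper would be stored as a large nonzero number and read as "key allowed"; the rebase changes the not-configured/non-absolute-path early return from `-1` to `0`, which is consistent, but every other failure path in that helper (its body lies outside the hunk: fork/exec failure, a non-zero exit status, a RunAs account that cannot be resolved) must also return 0 rather than -1, so that deserves a check before this lands. The fallback `runas_pw = (options.authorized_keys_command_runas == NULL)? pw` is a privilege decision and should carry a comment such as `/* no RunAs configured: the command runs as the account whose key is being checked, before that account has authenticated */` so deployers see it. The `#ifdef WITH_AUTHORIZED_KEYS_COMMAND` guard appears immediately before the existing revocation checks with no matching `#endif` in view; it is probably closed in the elided lines, but confirm that `auth_key_is_revoked` is still compiled when the feature is disabled.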
-diff -up openssh-5.8p1/configure.ac.akc openssh-5.8p1/configure.ac
---- openssh-5.8p1/configure.ac.akc 2011-02-10 13:21:28.000000000 +0100
-+++ openssh-5.8p1/configure.ac 2011-02-10 13:21:28.000000000 +0100
-@@ -1422,6 +1422,18 @@ AC_ARG_WITH(audit,
+diff -up openssh-5.9p1/configure.ac.akc openssh-5.9p1/configure.ac
+--- openssh-5.9p1/configure.ac.akc 2011-09-14 07:24:42.863494886 +0200
++++ openssh-5.9p1/configure.ac 2011-09-14 07:24:43.441583848 +0200
+@@ -1421,6 +1421,18 @@ AC_ARG_WITH([audit],
esac ]
)
+)
+
dnl Checks for library functions. Please keep in alphabetical order
- AC_CHECK_FUNCS( \
+ AC_CHECK_FUNCS([ \
arc4random \
-@@ -4325,6 +4337,7 @@ echo " SELinux support
+@@ -4239,6 +4251,7 @@ echo " SELinux support
echo " Smartcard support: $SCARD_MSG"
echo " S/KEY support: $SKEY_MSG"
echo " TCP Wrappers support: $TCPW_MSG"
echo " MD5 password support: $MD5_MSG"
echo " libedit support: $LIBEDIT_MSG"
echo " Solaris process contract support: $SPC_MSG"
-diff -up openssh-5.8p1/servconf.c.akc openssh-5.8p1/servconf.c
---- openssh-5.8p1/servconf.c.akc 2011-02-10 13:21:28.000000000 +0100
-+++ openssh-5.8p1/servconf.c 2011-02-10 13:28:21.000000000 +0100
-@@ -134,6 +134,8 @@ initialize_server_options(ServerOptions
+diff -up openssh-5.9p1/servconf.c.akc openssh-5.9p1/servconf.c
+--- openssh-5.9p1/servconf.c.akc 2011-09-14 07:24:29.402475399 +0200
++++ openssh-5.9p1/servconf.c 2011-09-14 07:56:27.158585590 +0200
+@@ -139,6 +139,8 @@ initialize_server_options(ServerOptions
options->num_permitted_opens = -1;
options->adm_forced_command = NULL;
options->chroot_directory = NULL;
options->zero_knowledge_password_authentication = -1;
options->revoked_keys_file = NULL;
options->trusted_user_ca_keys = NULL;
-@@ -331,6 +333,7 @@ typedef enum {
+@@ -348,6 +350,7 @@ typedef enum {
sZeroKnowledgePasswordAuthentication, sHostCertificate,
sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
sKexAlgorithms, sIPQoS,
sDeprecated, sUnsupported
} ServerOpCodes;
-@@ -456,6 +459,13 @@ static struct {
+@@ -487,6 +490,13 @@ static struct {
{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
{ "ipqos", sIPQoS, SSHCFG_ALL },
{ NULL, sBadOption, 0 }
};
-@@ -1406,6 +1416,20 @@ process_server_config_line(ServerOptions
+@@ -1462,6 +1472,24 @@ process_server_config_line(ServerOptions
}
break;
+ charptr = &options->authorized_keys_command_runas;
+
+ arg = strdelim(&cp);
++ if (!arg || *arg == '\0')
++ fatal("%s line %d: missing account.",
++ filename, linenum);
++
+ if (*activep && *charptr == NULL)
+ *charptr = xstrdup(arg);
+ break;
case sDeprecated:
logit("%s line %d: Deprecated option %s",
filename, linenum, arg);
-@@ -1499,6 +1523,8 @@ copy_set_server_options(ServerOptions *d
- M_CP_INTOPT(gss_authentication);
- M_CP_INTOPT(rsa_authentication);
- M_CP_INTOPT(pubkey_authentication);
+@@ -1573,6 +1601,8 @@ copy_set_server_options(ServerOptions *d
+ M_CP_INTOPT(zero_knowledge_password_authentication);
+ M_CP_INTOPT(second_zero_knowledge_password_authentication);
+ M_CP_INTOPT(two_factor_authentication);
+ M_CP_STROPT(authorized_keys_command);
+ M_CP_STROPT(authorized_keys_command_runas);
- M_CP_INTOPT(kerberos_authentication);
- M_CP_INTOPT(hostbased_authentication);
- M_CP_INTOPT(hostbased_uses_name_from_packet_only);
-@@ -1753,6 +1779,8 @@ dump_config(ServerOptions *o)
+ M_CP_INTOPT(permit_root_login);
+ M_CP_INTOPT(permit_empty_passwd);
+
+@@ -1839,6 +1869,8 @@ dump_config(ServerOptions *o)
dump_cfg_string(sRevokedKeys, o->revoked_keys_file);
dump_cfg_string(sAuthorizedPrincipalsFile,
o->authorized_principals_file);
/* string arguments requiring a lookup */
dump_cfg_string(sLogLevel, log_level_name(o->log_level));
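Review bot: The added `if (!arg || *arg == '\0') fatal("%s line %d: missing account.", filename, linenum);` is the right guard for the RunAs account, but the sibling AuthorizedKeysCommand case, whose `break;` is the first line of this hunk and whose body is outside it, parses with the same `strdelim(&cp)` pattern; if it lacks an equivalent check, a bare `AuthorizedKeysCommand` line would pass a NULL `arg` to `xstrdup`, so it is worth giving both cases the same treatment. The account name is only checked for non-emptiness here and, presumably, resolved at authentication time in auth2-pubkey.c; resolving it once at config load (a `getpwnam` with a `fatal` on failure) would make a typo fail at startup rather than at every login. Since `M_CP_STROPT(authorized_keys_command_runas)` makes the option settable per Match block, the sshd_config.5 text for the option should state that it is applied per block and what happens when a block sets the command but not the account.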
-diff -up openssh-5.8p1/servconf.h.akc openssh-5.8p1/servconf.h
---- openssh-5.8p1/servconf.h.akc 2011-02-10 13:21:28.000000000 +0100
-+++ openssh-5.8p1/servconf.h 2011-02-10 13:21:28.000000000 +0100
-@@ -161,6 +161,8 @@ typedef struct {
+diff -up openssh-5.9p1/servconf.h.akc openssh-5.9p1/servconf.h
+--- openssh-5.9p1/servconf.h.akc 2011-09-14 07:24:29.511480441 +0200
++++ openssh-5.9p1/servconf.h 2011-09-14 07:24:43.678459183 +0200
+@@ -174,6 +174,8 @@ typedef struct {
char *revoked_keys_file;
char *trusted_user_ca_keys;
char *authorized_principals_file;
+ char *authorized_keys_command_runas;
} ServerOptions;
- void initialize_server_options(ServerOptions *);
-diff -up openssh-5.8p1/sshd_config.0.akc openssh-5.8p1/sshd_config.0
---- openssh-5.8p1/sshd_config.0.akc 2011-02-10 13:21:28.000000000 +0100
-+++ openssh-5.8p1/sshd_config.0 2011-02-10 13:21:28.000000000 +0100
+ /*
+diff -up openssh-5.9p1/sshd_config.0.akc openssh-5.9p1/sshd_config.0
+--- openssh-5.9p1/sshd_config.0.akc 2011-09-07 01:16:30.000000000 +0200
++++ openssh-5.9p1/sshd_config.0 2011-09-14 07:24:43.791460201 +0200
@@ -71,6 +71,23 @@ DESCRIPTION
See PATTERNS in ssh_config(5) for more information on patterns.
AuthorizedKeysFile
Specifies the file that contains the public keys that can be used
for user authentication. The format is described in the
-@@ -398,7 +415,8 @@ DESCRIPTION
+@@ -401,7 +418,8 @@ DESCRIPTION
Only a subset of keywords may be used on the lines following a
Match keyword. Available keywords are AllowAgentForwarding,
Banner, ChrootDirectory, ForceCommand, GatewayPorts,
GSSAPIAuthentication, HostbasedAuthentication,
HostbasedUsesNameFromPacketOnly, KbdInteractiveAuthentication,
-diff -up openssh-5.8p1/sshd_config.5.akc openssh-5.8p1/sshd_config.5
---- openssh-5.8p1/sshd_config.5.akc 2011-02-10 13:21:28.000000000 +0100
-+++ openssh-5.8p1/sshd_config.5 2011-02-10 13:21:28.000000000 +0100
-@@ -703,6 +703,8 @@ Available keywords are
+diff -up openssh-5.9p1/sshd_config.5.akc openssh-5.9p1/sshd_config.5
+--- openssh-5.9p1/sshd_config.5.akc 2011-09-14 07:24:29.793520372 +0200
++++ openssh-5.9p1/sshd_config.5 2011-09-14 07:24:43.912583678 +0200
+@@ -706,6 +706,8 @@ Available keywords are
.Cm AllowAgentForwarding ,
.Cm AllowTcpForwarding ,
.Cm AuthorizedKeysFile ,
.Cm AuthorizedPrincipalsFile ,
.Cm Banner ,
.Cm ChrootDirectory ,
-@@ -715,6 +717,7 @@ Available keywords are
+@@ -718,6 +720,7 @@ Available keywords are
.Cm KerberosAuthentication ,
.Cm MaxAuthTries ,
.Cm MaxSessions ,
.Cm PasswordAuthentication ,
.Cm PermitEmptyPasswords ,
.Cm PermitOpen ,
-@@ -917,6 +920,20 @@ Specifies a list of revoked public keys.
+@@ -926,6 +929,20 @@ Specifies a list of revoked public keys.
Keys listed in this file will be refused for public key authentication.
Note that if this file is not readable, then public key authentication will
be refused for all users.
.It Cm RhostsRSAAuthentication
Specifies whether rhosts or /etc/hosts.equiv authentication together
with successful RSA host authentication is allowed.
-diff -up openssh-5.8p1/sshd_config.akc openssh-5.8p1/sshd_config
---- openssh-5.8p1/sshd_config.akc 2011-02-10 13:21:28.000000000 +0100
-+++ openssh-5.8p1/sshd_config 2011-02-10 13:21:28.000000000 +0100
-@@ -46,6 +46,8 @@ SyslogFacility AUTHPRIV
- #RSAAuthentication yes
- #PubkeyAuthentication yes
- #AuthorizedKeysFile .ssh/authorized_keys
+diff -up openssh-5.9p1/sshd_config.akc openssh-5.9p1/sshd_config
+--- openssh-5.9p1/sshd_config.akc 2011-09-14 07:24:29.620461608 +0200
++++ openssh-5.9p1/sshd_config 2011-09-14 07:24:44.034462546 +0200
+@@ -49,6 +49,9 @@
+ # but this is overridden so installations will only check .ssh/authorized_keys
+ AuthorizedKeysFile .ssh/authorized_keys
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandRunAs nobody
-
++
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
+ # similar for protocol version 2