security-and-privacy/gnupg
security-and-privacy/gnupg
1
0
Fork 0
mirror of git://git.gnupg.org/gnupg.git synced 2024-12-22 10:19:57 +01:00
Code Activity

tools:gpg-auth: Enhance it to support use case for login.

Browse Source 
* tools/Makefile.am: gpg-auth is one in libexec_PROGRAMS.
* tools/gpg-auth.c: Support use by root for login user.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
This commit is contained in:
NIIBE Yutaka 2022-09-13 16:41:10 +09:00
parent 87d4338ed1
commit e133bcb1cd
No known key found for this signature in database
GPG Key ID: 640114AF89DE6054
2 changed files with 39 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
tools/Makefile.am
View File

@ -59,12 +59,15 @@ endif
bin_PROGRAMS = gpgconf gpg-connect-agent gpg-card gpg-wks-client bin_PROGRAMS = gpgconf gpg-connect-agent gpg-card gpg-wks-client
if !HAVE_W32_SYSTEM if !HAVE_W32_SYSTEM
bin_PROGRAMS += watchgnupg gpgparsemail ${gpg_wks_server} gpgsplit gpg-auth bin_PROGRAMS += watchgnupg gpgparsemail ${gpg_wks_server} gpgsplit
else else
bin_PROGRAMS += gpgconf-w32 bin_PROGRAMS += gpgconf-w32
endif endif
libexec_PROGRAMS = gpg-check-pattern gpg-pair-tool libexec_PROGRAMS = gpg-check-pattern gpg-pair-tool
if !HAVE_W32_SYSTEM
libexec_PROGRAMS += gpg-auth
endif
noinst_PROGRAMS = clean-sat make-dns-cert noinst_PROGRAMS = clean-sat make-dns-cert

46
tools/gpg-auth.c
View File

@ -46,6 +46,7 @@ struct
int with_colons; int with_colons;
const char *agent_program; const char *agent_program;
int autostart; int autostart;
int use_scd_directly;
/* Options passed to the gpg-agent: */ /* Options passed to the gpg-agent: */
char *lc_ctype; char *lc_ctype;
@ -80,7 +81,7 @@ enum opt_values
oLCctype, oLCctype,
oLCmessages, oLCmessages,
oChUid, oUseSCDDirectly,
oDummy oDummy
}; };
@ -99,6 +100,7 @@ static gpgrt_opt_t opts[] = {
ARGPARSE_s_s (oAgentProgram, "agent-program", "@"), ARGPARSE_s_s (oAgentProgram, "agent-program", "@"),
ARGPARSE_s_s (oLCctype, "lc-ctype", "@"), ARGPARSE_s_s (oLCctype, "lc-ctype", "@"),
ARGPARSE_s_s (oLCmessages, "lc-messages","@"), ARGPARSE_s_s (oLCmessages, "lc-messages","@"),
ARGPARSE_s_n (oUseSCDDirectly, "use-scdaemon-directly", "@"),
ARGPARSE_end () ARGPARSE_end ()
}; };
@ -175,6 +177,8 @@ parse_arguments (gpgrt_argparse_t *pargs, gpgrt_opt_t *popts)
case oLCctype: opt.lc_ctype = pargs->r.ret_str; break; case oLCctype: opt.lc_ctype = pargs->r.ret_str; break;
case oLCmessages: opt.lc_messages = pargs->r.ret_str; break; case oLCmessages: opt.lc_messages = pargs->r.ret_str; break;
case oUseSCDDirectly: opt.use_scd_directly = 1; break;
default: pargs->err = ARGPARSE_PRINT_ERROR; break; default: pargs->err = ARGPARSE_PRINT_ERROR; break;
} }
} }
@ -195,7 +199,8 @@ static gpg_error_t scd_passwd_reset (assuan_context_t ctx, const char *keygrip);
static gpg_error_t ga_scd_connect (assuan_context_t *r_scd_ctx, int use_agent); static gpg_error_t ga_scd_connect (assuan_context_t *r_scd_ctx, int use_agent);
static gpg_error_t ga_scd_get_auth_keys (assuan_context_t ctx, static gpg_error_t ga_scd_get_auth_keys (assuan_context_t ctx,
struct ga_key_list **r_key_list); struct ga_key_list **r_key_list);
static gpg_error_t ga_filter_by_authorized_keys (struct ga_key_list **r_key_list); static gpg_error_t ga_filter_by_authorized_keys (const char *user,
struct ga_key_list **r_key_list);
static void ga_release_auth_keys (struct ga_key_list *key_list); static void ga_release_auth_keys (struct ga_key_list *key_list);
static gpg_error_t scd_pkauth (assuan_context_t ctx, const char *keygrip); static gpg_error_t scd_pkauth (assuan_context_t ctx, const char *keygrip);
static gpg_error_t authenticate (assuan_context_t ctx, struct ga_key_list *key_list); static gpg_error_t authenticate (assuan_context_t ctx, struct ga_key_list *key_list);
@ -209,6 +214,7 @@ main (int argc, char **argv)
gpgrt_argparse_t pargs; gpgrt_argparse_t pargs;
assuan_context_t scd_ctx = NULL; assuan_context_t scd_ctx = NULL;
struct ga_key_list *key_list = NULL; struct ga_key_list *key_list = NULL;
const char *user;
gnupg_reopen_std ("gpg-auth"); gnupg_reopen_std ("gpg-auth");
gpgrt_set_strusage (my_strusage); gpgrt_set_strusage (my_strusage);
@ -237,13 +243,22 @@ main (int argc, char **argv)
if (argc != 0) if (argc != 0)
gpgrt_usage (1); /* Never returns. */ gpgrt_usage (1); /* Never returns. */
err = ga_scd_connect (&scd_ctx, 1); if (opt.use_scd_directly)
{
user = getenv ("PAM_USER");
if (user == NULL)
exit (2);
}
else
user = NULL;
err = ga_scd_connect (&scd_ctx, opt.use_scd_directly);
if (!err) if (!err)
err = ga_scd_get_auth_keys (scd_ctx, &key_list); err = ga_scd_get_auth_keys (scd_ctx, &key_list);
if (!err) if (!err)
err = ga_filter_by_authorized_keys (&key_list); err = ga_filter_by_authorized_keys (user, &key_list);
if (!err) if (!err)
err = authenticate (scd_ctx, key_list); err = authenticate (scd_ctx, key_list);
@ -418,7 +433,7 @@ scd_passwd_reset (assuan_context_t ctx, const char *keygrip)
/* Connect to scdaemon by pipe or socket. Execute initial "SEREIALNO" /* Connect to scdaemon by pipe or socket. Execute initial "SEREIALNO"
command to enable all connected token under scdaemon control. */ command to enable all connected token under scdaemon control. */
static gpg_error_t static gpg_error_t
ga_scd_connect (assuan_context_t *r_scd_ctx, int use_agent) ga_scd_connect (assuan_context_t *r_scd_ctx, int use_scd_directly)
{ {
assuan_context_t assuan_ctx; assuan_context_t assuan_ctx;
gpg_error_t err; gpg_error_t err;
@ -427,7 +442,7 @@ ga_scd_connect (assuan_context_t *r_scd_ctx, int use_agent)
if (err) if (err)
return err; return err;
if (use_agent) if (!use_scd_directly)
/* Use scdaemon under gpg-agent. */ /* Use scdaemon under gpg-agent. */
{ {
char *scd_socket_name = NULL; char *scd_socket_name = NULL;
@ -479,7 +494,7 @@ ga_scd_connect (assuan_context_t *r_scd_ctx, int use_agent)
NULL, NULL, 0); NULL, NULL, 0);
if (err) if (err)
{ {
log_error ("could not spawn scdaemon: %s", gpg_strerror (err)); log_error ("could not spawn scdaemon: %s\n", gpg_strerror (err));
return err; return err;
} }
@ -769,7 +784,7 @@ release_ssh_key_list (struct ssh_key_list *key_list)
} }
static gpg_error_t static gpg_error_t
ssh_authorized_keys (struct ssh_key_list **r_ssh_key_list) ssh_authorized_keys (const char *user, struct ssh_key_list **r_ssh_key_list)
{ {
gpg_error_t err = 0; gpg_error_t err = 0;
char *fname = NULL; char *fname = NULL;
@ -783,7 +798,16 @@ ssh_authorized_keys (struct ssh_key_list **r_ssh_key_list)
struct ssh_key_list *ssh_key_prev = NULL; struct ssh_key_list *ssh_key_prev = NULL;
struct ssh_key_list *ssh_key = NULL; struct ssh_key_list *ssh_key = NULL;
fname = make_absfilename_try ("~", ".ssh", "authorized_keys", NULL); if (user)
{
char tilde_user[256];
snprintf (tilde_user, sizeof tilde_user, "~%s", user);
fname = make_absfilename_try (tilde_user, ".ssh", "authorized_keys", NULL);
}
else
fname = make_absfilename_try ("~", ".ssh", "authorized_keys", NULL);
if (fname == NULL) if (fname == NULL)
return gpg_error (GPG_ERR_INV_NAME); return gpg_error (GPG_ERR_INV_NAME);
@ -843,7 +867,7 @@ ssh_authorized_keys (struct ssh_key_list **r_ssh_key_list)
} }
static gpg_error_t static gpg_error_t
ga_filter_by_authorized_keys (struct ga_key_list **r_key_list) ga_filter_by_authorized_keys (const char *user, struct ga_key_list **r_key_list)
{ {
gpg_error_t err; gpg_error_t err;
struct ga_key_list *cur = *r_key_list; struct ga_key_list *cur = *r_key_list;
@ -851,7 +875,7 @@ ga_filter_by_authorized_keys (struct ga_key_list **r_key_list)
struct ga_key_list *prev = NULL; struct ga_key_list *prev = NULL;
struct ssh_key_list *ssh_key_list = NULL; struct ssh_key_list *ssh_key_list = NULL;
err = ssh_authorized_keys (&ssh_key_list); err = ssh_authorized_keys (user, &ssh_key_list);
if (err) if (err)
return err; return err;