Hello community,

here is the log from the commit of package google-guest-oslogin for 
openSUSE:Factory checked in at 2021-10-23 00:51:37
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/google-guest-oslogin (Old)
 and      /work/SRC/openSUSE:Factory/.google-guest-oslogin.new.1890 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "google-guest-oslogin"

Sat Oct 23 00:51:37 2021 rev:11 rq:926956 version:20211013.00

Changes:
--------
--- 
/work/SRC/openSUSE:Factory/google-guest-oslogin/google-guest-oslogin.changes    
    2021-08-05 20:48:42.083891749 +0200
+++ 
/work/SRC/openSUSE:Factory/.google-guest-oslogin.new.1890/google-guest-oslogin.changes
      2021-10-23 00:52:21.157157814 +0200
@@ -1,0 +2,20 @@
+Fri Oct 22 11:20:01 UTC 2021 - John Paul Adrian Glaubitz 
<[email protected]>
+
+- Update to version 20211013.00
+  * remove deprecated binary (#79)
+- from version 20211001.00
+  * no message if no groups (#78)
+- from version 20210907.00
+  * use sigaction for signals (#76)
+- from version 20210906.00
+  * include cstdlib for exit (#75)
+  * catch SIGPIPE in authorized_keys (#73)
+- from version 20210805.00
+  * fix double free in ParseJsonToKey (#70)
+- from version 20210804.00
+  * fix packaging for authorized_keys_sk (#68)
+  * add authorized_keys_sk (#66)
+- Add google_authorized_keys_sk to %files section
+- Remove google_oslogin_control from %files section
+
+-------------------------------------------------------------------

Old:
----
  google-guest-oslogin-20210728.00.tar.gz

New:
----
  google-guest-oslogin-20211013.00.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ google-guest-oslogin.spec ++++++
--- /var/tmp/diff_new_pack.B0bxEs/_old  2021-10-23 00:52:21.633158025 +0200
+++ /var/tmp/diff_new_pack.B0bxEs/_new  2021-10-23 00:52:21.633158025 +0200
@@ -17,7 +17,7 @@
 
 
 Name:           google-guest-oslogin
-Version:        20210728.00
+Version:        20211013.00
 Release:        0
 Summary:        Google Cloud Guest OS Login
 License:        Apache-2.0
@@ -77,8 +77,8 @@
 %defattr(0644,root,root,0755)
 %doc README.md
 %license LICENSE
-%attr(0755,root,root) %{_bindir}/google_oslogin_control
 %attr(0755,root,root) %{_bindir}/google_authorized_keys
+%attr(0755,root,root) %{_bindir}/google_authorized_keys_sk
 %attr(0755,root,root) %{_bindir}/google_oslogin_nss_cache
 %{_mandir}/man8/*
 %{_libdir}/libnss*
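Review bot: Any %post/%preun scriptlet in this spec that still invokes google_oslogin_control (the scriptlets are outside this hunk) would now fail at install or removal time, since the binary is dropped from %files here and is deleted from the tarball in the same update; please confirm none remain. The deleted script was what edited sshd_config, nsswitch.conf and the PAM stacks, and the changelog entry only says `remove deprecated binary (#79)`, so a changelog line naming where that activation now happens (presumably the guest agent — it is not visible in this diff) would help administrators who called the script from provisioning.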

++++++ google-guest-oslogin-20210728.00.tar.gz -> 
google-guest-oslogin-20211013.00.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/guest-oslogin-20210728.00/README.md 
new/guest-oslogin-20211013.00/README.md
--- old/guest-oslogin-20210728.00/README.md     2021-07-24 00:28:39.000000000 
+0200
+++ new/guest-oslogin-20211013.00/README.md     2021-10-13 02:28:59.000000000 
+0200
@@ -33,8 +33,6 @@
 
 In addition to the main components, there are also the following utilities:
 
-*   **google_oslogin_control** is a shell script for activating/deactivating 
the
-    OS Login components.
 *   **google_oslogin_nss_cache** is a utility for updating the local user and
     group cache.
 *   **selinux** contains SELinux policy definition files and a compiled policy
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/guest-oslogin-20210728.00/google_oslogin_control 
new/guest-oslogin-20211013.00/google_oslogin_control
--- old/guest-oslogin-20210728.00/google_oslogin_control        2021-07-24 
00:28:39.000000000 +0200
+++ new/guest-oslogin-20211013.00/google_oslogin_control        1970-01-01 
01:00:00.000000000 +0100
@@ -1,463 +0,0 @@
-#!/bin/sh
-# Copyright 2017 Google Inc. All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-is_freebsd() {
-  [ "$(uname)" = "FreeBSD" ]
-  return $?
-}
-
-nss_config="/etc/nsswitch.conf"
-pam_sshd_config="/etc/pam.d/sshd"
-pam_su_config="/etc/pam.d/su"
-sshd_config="/etc/ssh/sshd_config"
-group_config="/etc/security/group.conf"
-sudoers_dir="/var/google-sudoers.d"
-users_dir="/var/google-users.d"
-added_comment="# Added by Google Compute Engine OS Login."
-sshd_block="#### Google OS Login control. Do not edit this section. ####"
-sshd_end_block="#### End Google OS Login control section. ####"
-sudoers_file="/etc/sudoers.d/google-oslogin"
-if is_freebsd; then
-  sudoers_file="/usr/local/etc/sudoers.d/google-oslogin"
-fi
-
-# Update nsswitch.conf to include OS Login NSS module for passwd.
-modify_nsswitch_conf() {
-  local nss_config="${1:-${nss_config}}"
-
-  if ! grep -q '^passwd:.*oslogin' "$nss_config"; then
-    $sed -i"" '/^passwd:/ s/$/ cache_oslogin oslogin/' "$nss_config"
-    $sed -i"" '/^group:/ s/$/ cache_oslogin oslogin/' "$nss_config"
-  fi
-
-  if is_freebsd && grep -q '^passwd:.*compat' "$nss_config"; then
-    $sed -i"" '/^passwd:/ s/compat/files/' "$nss_config"
-  fi
-}
-
-restore_nsswitch_conf() {
-  local nss_config="${1:-${nss_config}}"
-
-  $sed -i"" '/^passwd:/ s/ cache_oslogin oslogin//' "$nss_config"
-  $sed -i"" '/^group:/ s/ cache_oslogin oslogin//' "$nss_config"
-  if is_freebsd; then
-    $sed -i"" '/^passwd:/ s/files/compat/' "$nss_config"
-  fi
-}
-
-modify_sshd_conf() (
-  set -e
-
-  local sshd_config="${1:-${sshd_config}}"
-
-  local sshd_auth_keys_command="AuthorizedKeysCommand 
/usr/bin/google_authorized_keys"
-  local sshd_auth_keys_command_user="AuthorizedKeysCommandUser root"
-  local sshd_auth_methods="AuthenticationMethods 
publickey,keyboard-interactive"
-  local sshd_challenge="ChallengeResponseAuthentication yes"
-
-  # Update google_authorized_keys path in FreeBSD.
-  if is_freebsd; then
-    sshd_auth_keys_command="AuthorizedKeysCommand 
/usr/local/bin/google_authorized_keys"
-  fi
-
-  # Update directives for EL 6.
-  if grep -qs "release 6" /etc/redhat-release; then
-    sshd_auth_keys_command_user="AuthorizedKeysCommandRunAs root"
-    sshd_auth_methods="RequiredAuthentications2 publickey,keyboard-interactive"
-  fi
-
-  add_or_update_sshd() {
-    local entry="$1"
-    local sshd_config="$2"
-    local directive="$(echo "$entry" | cut -d' ' -f1)"
-    local value="$(echo "$entry" | cut -d' ' -f2-)"
-
-    # Check if directive is present.
-    if grep -Eq "^\s*${directive}" "$sshd_config"; then
-      # Check if value is incorrect.
-      if ! grep -Eq "^\s*${directive}(\s|=)+${value}" "$sshd_config"; then
-        # Comment out the line (because sshd_config is first-directive-found)
-        # and add to end section.
-        $sed -i"" -E "/^\s*${directive}/ s/^/${added_comment}\n#/" 
"$sshd_config"
-        $sed -i"" "/$sshd_end_block/ i${entry}" "$sshd_config"
-      fi
-    else
-      $sed -i"" "/$sshd_end_block/ i${entry}" "$sshd_config"
-    fi
-  }
-
-  # Setup Google config block.
-  if ! grep -q "$sshd_block" "$sshd_config"; then
-    # Remove old-style additions.
-    $sed -i"" "/${added_comment}/,+1d" "$sshd_config"
-    printf "\n\n${sshd_block}\n${sshd_end_block}" >> "$sshd_config"
-  fi
-
-  for entry in "$sshd_auth_keys_command" "$sshd_auth_keys_command_user"; do
-    add_or_update_sshd "$entry" "$sshd_config"
-  done
-
-  if [ -n "$two_factor" ]; then
-    for entry in "$sshd_auth_methods" "$sshd_challenge"; do
-      add_or_update_sshd "$entry" "$sshd_config"
-    done
-  fi
-)
-
-restore_sshd_conf() {
-  local sshd_config="${1:-${sshd_config}}"
-
-  if ! grep -q "$sshd_block" "$sshd_config"; then
-    # Remove old-style additions.
-    $sed -i"" "/${added_comment}/,+1d" "$sshd_config"
-  else
-    # Uncomment commented-out fields and remove Google config block.
-    $sed -i"" "/${added_comment}/{n;s/^#//}" "$sshd_config"
-    $sed -i"" "/${added_comment}/d" "$sshd_config"
-    $sed -i"" "/${sshd_block}/,/${sshd_end_block}/d" "$sshd_config"
-  fi
-}
-
-# Inserts pam modules to relevant pam stacks if missing.
-modify_pam_config() (
-  # TODO: idempotency of this function would be better assured if it wiped out
-  # and applied desired changes each time rather than detecting deltas.
-
-  set -e
-
-  local pam_sshd_config="${1:-${pam_sshd_config}}"
-  local pam_su_config="${1:-${pam_su_config}}"
-
-  local pam_auth_oslogin="auth       [success=done perm_denied=die 
default=ignore] pam_oslogin_login.so"
-  local pam_auth_group="auth       [default=ignore] pam_group.so"
-  local pam_account_oslogin="account    [success=ok default=ignore] 
pam_oslogin_admin.so"
-  local pam_account_admin="account    [success=ok ignore=ignore default=die] 
pam_oslogin_login.so"
-  local pam_session_homedir="session    [success=ok default=ignore] 
pam_mkhomedir.so"
-  local pam_account_su="account    [success=bad ignore=ignore] 
pam_oslogin_login.so"
-
-  # In FreeBSD, the used flags are not supported, replacing them with the
-  # previous ones (requisite and optional). This is not an exact feature parity
-  # with Linux.
-  if is_freebsd; then
-    pam_auth_oslogin="auth       optional pam_oslogin_login.so"
-    pam_auth_group="auth       optional pam_group.so"
-    pam_account_oslogin="account    optional pam_oslogin_admin.so"
-    pam_account_admin="account    requisite pam_oslogin_login.so"
-    pam_session_homedir="session    optional pam_mkhomedir.so"
-  fi
-
-  local added_config=""
-  local added_su_config=""
-
-  # For COS this file is solely includes, so simply prepend the new config,
-  # making each entry the top of its stack.
-  if [ -e /etc/os-release ] && grep -q "ID=cos" /etc/os-release; then
-    added_config="${added_comment}\n"
-    for cfg in "$pam_account_admin" "$pam_account_oslogin" \
-        "$pam_session_homedir" "$pam_auth_group"; do
-      grep -qE "^${cfg%% *}.*${cfg##* }" ${pam_sshd_config} || 
added_config="${added_config}${cfg}\n"
-    done
-
-    if [ -n "$two_factor" ]; then
-      grep -q "$pam_auth_oslogin" "$pam_sshd_config" || 
added_config="${added_config}${pam_auth_oslogin}\n"
-    fi
-
-    $sed -i"" "1i ${added_config}\n\n" "$pam_sshd_config"
-
-    added_su_config="${added_comment}\n${pam_account_su}"
-    $sed -i"" "1i ${added_su_config}" "$pam_su_config"
-
-    return 0
-  fi
-
-  # Find the distro-specific insertion point for auth and su.
-  if [ -e /etc/debian_version ]; then
-    # Get location of common-auth and check if preceding line is a comment.
-    insert=$($sed -rn "/^@include\s+common-auth/=" "$pam_sshd_config")
-    $sed -n "$((insert-1))p" "$pam_sshd_config" | grep -q '^#' && 
insert=$((insert-1))
-    su_insert=$($sed -rn "/^@include\s+common-account/=" "$pam_su_config")
-  elif [ -e /etc/redhat-release ]; then
-    # Get location of password-auth.
-    insert=$($sed -rn "/^auth\s+(substack|include)\s+password-auth/=" \
-      "$pam_sshd_config")
-    # Get location of system-auth.
-    su_insert=$($sed -rn "/^account\s+include\s+system-auth/=" 
"$pam_su_config")
-  elif [ -e /etc/os-release ] && grep -q 'ID="sles"' /etc/os-release; then
-    # Get location of common-auth.
-    insert=$($sed -rn "/^auth\s+include\s+common-auth/=" "$pam_sshd_config")
-    # Get location of common-account.
-    su_insert=$($sed -rn "/^account\s+include\s+common-account/=" 
"$pam_su_config")
-  elif [ -e /etc/arch-release ]; then
-    # Get location of system-remote-login.
-    insert=$($sed -rn "/^auth\s+include\s+system-remote-login/=" 
"$pam_sshd_config")
-    # TODO: find su_insert point for arch linux.
-  elif is_freebsd; then
-    # Get location of the first auth occurrence
-    insert=$($sed -rn '/^auth/=' "$pam_sshd_config" | head -1)
-  fi
-
-  added_config="$added_comment"
-  if ! grep -qE '^auth.*pam_group' "$pam_sshd_config"; then
-    added_config="${added_config}\n${pam_auth_group}"
-  fi
-
-  # This auth entry for OS Login+two factor MUST be added last, as it will
-  # short-circuit processing of the auth stack via [success=ok]. auth stack
-  # entries after this one will not be processed.
-  if [ -n "$two_factor" ] && ! grep -qE '^auth.*oslogin' "$pam_sshd_config"; 
then
-    added_config="${added_config}\n${pam_auth_oslogin}"
-  fi
-
-  # Insert auth modules at top of `sshd:auth` stack.
-  if [ -n "$insert" ] && [ "$added_config" != "$added_comment" ]; then
-    $sed -i"" "${insert}i ${added_config}" "$pam_sshd_config"
-  fi
-
-  # Insert su blocker at top of `su:account` stack.
-  if [ -n "$su_insert" ] && ! grep -qE "$pam_account_su" "$pam_su_config"; then
-    added_su_config="${added_comment}\n${pam_account_su}"
-    $sed -i"" "${su_insert}i ${added_su_config}" "$pam_su_config"
-  fi
-
-  # Append account modules at end of `sshd:account` stack.
-  if ! grep -qE '^account.*oslogin' "$pam_sshd_config"; then
-    
added_config="\\\n${added_comment}\n${pam_account_admin}\n${pam_account_oslogin}"
-    account_end=$($sed -n '/^account/=' "$pam_sshd_config" | tail -1)
-    $sed -i"" "${account_end}a ${added_config}" "$pam_sshd_config"
-  fi
-
-  # Append mkhomedir module at end of `sshd:session` stack.
-  if ! grep -qE '^session.*mkhomedir' "$pam_sshd_config"; then
-    added_config="\\\n${added_comment}\n${pam_session_homedir}"
-    session_end=$($sed -n '/^session/=' "$pam_sshd_config" | tail -1)
-    $sed -i"" "${session_end}a ${added_config}" "$pam_sshd_config"
-  fi
-)
-
-restore_pam_config() {
-  local pam_sshd_config="${1:-${pam_sshd_config}}"
-  local pam_su_config="${1:-${pam_su_config}}"
-
-  $sed -i"" "/${added_comment}/d" "$pam_sshd_config"
-  $sed -i"" "/pam_oslogin/d" "$pam_sshd_config"
-  $sed -i"" "/^session.*mkhomedir/d" "$pam_sshd_config"
-  $sed -i"" "/^auth.*pam_group/d" "$pam_sshd_config"
-
-  $sed -i"" "/${added_comment}/d" "$pam_su_config"
-  $sed -i"" "/pam_oslogin/d" "$pam_su_config"
-}
-
-modify_group_conf() {
-  # In FreeBSD there is no pam_group config file similar to
-  # /etc/security/group.conf.
-  if is_freebsd; then
-    return
-  fi
-
-  local group_config="${1:-${group_config}}"
-  local group_conf_entry="sshd;*;*;Al0000-2400;video"
-
-  if ! grep -Fq "$group_conf_entry" "$group_config"; then
-    $sed -i"" "\$a ${added_comment}\n${group_conf_entry}" "$group_config"
-  fi
-}
-
-restore_group_conf() {
-  # In FreeBSD there is no pam_group config file similar to
-  # /etc/security/group.conf.
-  if is_freebsd; then
-    return
-  fi
-
-  local group_config="${1:-${group_config}}"
-
-  $sed -i"" "/${added_comment}/{n;d}" "$group_config"
-  $sed -i"" "/${added_comment}/d" "$group_config"
-}
-
-restart_service() {
-  local service="$1"
-
-  # The other options will be wrappers to systemctl on
-  # systemd-enabled systems, so stop if found.
-  if readlink -f /sbin/init|grep -q systemd; then
-    if systemctl is-active --quiet "$service"; then
-      systemctl restart "$service"
-      return $?
-    else
-      return 0
-    fi
-  fi
-
-  # Use the service helper if it exists.
-  if command -v service > /dev/null; then
-    if ! service "$service" status 2>&1 | grep -Eq "unrecognized|does not 
exist"; then
-      service "$service" restart
-      return $?
-    else
-      return 0
-    fi
-  fi
-
-  # Fallback to trying sysvinit script of the same name.
-  if command -v /etc/init.d/"$service" > /dev/null; then
-    if /etc/init.d/"$service" status > /dev/null 2>&1; then
-      /etc/init.d/"$service" restart
-      return $?
-    else
-      return 0
-    fi
-  fi
-
-  # We didn't find any way to restart this service.
-  return 1
-}
-
-# Restart sshd unless --norestartsshd flag is set.
-restart_sshd() {
-  if [ -n "$no_restart_sshd" ]; then
-    return 0
-  fi
-  echo "Restarting SSHD"
-  for svc in "ssh" "sshd"; do
-    restart_service "$svc"
-  done
-}
-
-restart_svcs() {
-  echo "Restarting optional services."
-  for svc in "nscd" "unscd" "systemd-logind" "cron" "crond"; do
-    restart_service "$svc"
-  done
-}
-
-setup_google_dirs() {
-  for dir in "$sudoers_dir" "$users_dir"; do
-    [ -d "$dir" ] && continue
-    mkdir -p "$dir"
-    chmod 750 "$dir"
-    if fixfiles=$(command -v fixfiles); then
-      $fixfiles restore "$dir"
-    fi
-  done
-  echo "#includedir ${sudoers_dir}" > "$sudoers_file"
-  chmod 0440 "$sudoers_file"
-}
-
-remove_google_dirs() {
-  for dir in "$sudoers_dir" "$users_dir"; do
-    rm -rf "$dir"
-  done
-  rm -f "$sudoers_file"
-}
-
-activate() {
-  for func in modify_sshd_conf modify_nsswitch_conf \
-              modify_pam_config setup_google_dirs restart_svcs restart_sshd \
-              modify_group_conf; do
-    $func
-    [ $? -eq 0 ] || return 1
-  done
-}
-
-deactivate() {
-  for func in remove_google_dirs restore_nsswitch_conf \
-              restore_sshd_conf restore_pam_config restart_svcs restart_sshd \
-              restore_group_conf; do
-    $func
-  done
-}
-
-# get_status checks each file for appropriate updates and exits on first
-# failure. Checks for two factor config changes only if requested.
-get_status() (
-  set -e
-
-  grep -Eq '^account.*oslogin' "$pam_sshd_config"
-  grep -Eq 'google_authorized_keys' "$sshd_config"
-  grep -Eq 'passwd:.*oslogin' "$nss_config"
-  if [ -n "$two_factor" ]; then
-    grep -Eq '^auth.*oslogin' "$pam_sshd_config"
-    grep -Eq 
'^(AuthenticationMethods|RequiredAuthentications2).*publickey,keyboard-interactive'
 "$sshd_config"
-  fi
-)
-
-usage() {
-  echo "Usage: $(basename "$0") {activate|deactivate|status} [--norestartsshd] 
[--twofactor]"
-  echo "This script will activate or deactivate the features for"
-  echo "Google Compute Engine OS Login and (optionally) two-factor 
authentication."
-  echo "This script must be run as root."
-  exit 1
-}
-
-
-# Main
-if [ $(id -u) -ne 0 ] || [ $# -lt 1 ]; then
-  usage
-fi
-
-sed="sed"
-is_freebsd && sed="gsed"
-
-while [ $# -gt 0 ]; do
-  case "$1" in
-    --norestartsshd)
-      no_restart_sshd="true"
-      shift
-      ;;
-    --twofactor)
-      two_factor="true"
-      shift
-      ;;
-    activate)
-      action="activate"
-      shift
-      ;;
-    deactivate)
-      action="deactivate"
-      shift
-      ;;
-    status)
-      action="status"
-      shift
-      ;;
-    *)
-      shift
-      ;;
-  esac
-done
-
-case "$action" in
-  activate)
-    echo "Activating Google Compute Engine OS Login."
-    activate
-    if [ $? -ne 0 ]; then
-      echo "Failed to apply changes, rolling back"
-      deactivate
-      exit 1
-    fi
-    ;;
-  deactivate)
-    echo "Deactivating Google Compute Engine OS Login."
-    deactivate
-    ;;
-  status)
-    get_status
-    exit $?
-    ;;
-  *)
-    usage
-    ;;
-esac
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/guest-oslogin-20210728.00/packaging/google-compute-engine-oslogin.spec 
new/guest-oslogin-20211013.00/packaging/google-compute-engine-oslogin.spec
--- old/guest-oslogin-20210728.00/packaging/google-compute-engine-oslogin.spec  
2021-07-24 00:28:39.000000000 +0200
+++ new/guest-oslogin-20211013.00/packaging/google-compute-engine-oslogin.spec  
2021-10-13 02:28:59.000000000 +0200
@@ -73,7 +73,7 @@
 /%{_lib}/security/pam_oslogin_admin.so
 /%{_lib}/security/pam_oslogin_login.so
 /usr/bin/google_authorized_keys
-/usr/bin/google_oslogin_control
+/usr/bin/google_authorized_keys_sk
 /usr/bin/google_oslogin_nss_cache
 /usr/share/selinux/packages/oslogin.pp
 %{_mandir}/man8/nss-oslogin.8.gz
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/guest-oslogin-20210728.00/src/Makefile 
new/guest-oslogin-20211013.00/src/Makefile
--- old/guest-oslogin-20210728.00/src/Makefile  2021-07-24 00:28:39.000000000 
+0200
+++ new/guest-oslogin-20211013.00/src/Makefile  2021-10-13 02:28:59.000000000 
+0200
@@ -30,7 +30,7 @@
 PAM_LOGIN                = pam_oslogin_login.so
 PAM_ADMIN                = pam_oslogin_admin.so
 
-BINARIES = google_oslogin_nss_cache google_authorized_keys
+BINARIES = google_oslogin_nss_cache google_authorized_keys 
google_authorized_keys_sk
 
 all : $(NSS_OSLOGIN) $(NSS_CACHE_OSLOGIN) $(PAM_LOGIN) $(PAM_ADMIN) $(BINARIES)
 
@@ -63,6 +63,9 @@
 google_authorized_keys : authorized_keys/authorized_keys.o oslogin_utils.o
        $(CXX) $(CXXFLAGS) $(CPPFLAGS) $^ -o $@ $(LDLIBS)
 
+google_authorized_keys_sk : authorized_keys/authorized_keys_sk.o 
oslogin_utils.o
+       $(CXX) $(CXXFLAGS) $(CPPFLAGS) $^ -o $@ $(LDLIBS)
+
 google_oslogin_nss_cache: cache_refresh/cache_refresh.o oslogin_utils.o
        $(CXX) $(CXXFLAGS) $(CPPFLAGS) $^ -o $@ $(LDLIBS)
 
@@ -78,8 +81,8 @@
        ln -sf $(NSS_CACHE_OSLOGIN)   
$(DESTDIR)$(LIBDIR)/$(NSS_CACHE_OSLOGIN_SONAME)
        # PAM modules
        install -m 0644 -t $(DESTDIR)$(PAMDIR) $(PAM_ADMIN) $(PAM_LOGIN)
-       # Control file
-       install -m 0755 -t $(DESTDIR)$(BINDIR) $(BINARIES) 
$(TOPDIR)/google_oslogin_control
+       # Binaries
+       install -m 0755 -t $(DESTDIR)$(BINDIR) $(BINARIES)
        # Manpages
        install -m 0644 -t $(DESTDIR)$(MANDIR)/man8 $(TOPDIR)/man/nss-oslogin.8 
$(TOPDIR)/man/nss-cache-oslogin.8
        gzip -9 $(DESTDIR)$(MANDIR)/man8/nss-oslogin.8
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/guest-oslogin-20210728.00/src/authorized_keys/authorized_keys.cc 
new/guest-oslogin-20211013.00/src/authorized_keys/authorized_keys.cc
--- old/guest-oslogin-20210728.00/src/authorized_keys/authorized_keys.cc        
2021-07-24 00:28:39.000000000 +0200
+++ new/guest-oslogin-20211013.00/src/authorized_keys/authorized_keys.cc        
2021-10-13 02:28:59.000000000 +0200
@@ -12,10 +12,13 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
+#include <cstdlib>
 #include <iostream>
 #include <sstream>
 #include <string>
 
+#include <signal.h>
+
 #include <oslogin_utils.h>
 
 using std::cout;
@@ -24,17 +27,31 @@
 
 using oslogin_utils::HttpGet;
 using oslogin_utils::ParseJsonToSuccess;
-using oslogin_utils::ParseJsonToKey;
 using oslogin_utils::ParseJsonToEmail;
 using oslogin_utils::ParseJsonToSshKeys;
 using oslogin_utils::UrlEncode;
 using oslogin_utils::kMetadataServerUrl;
 
+void sigpipe_handler(int signo) {
+  // exit 0 so SSHD can use what we've already written out.
+  _Exit(0);
+}
+
 int main(int argc, char* argv[]) {
   if (argc != 2) {
     cout << "usage: authorized_keys [username]" << endl;
     return 1;
   }
+
+  struct sigaction newact;
+  newact.sa_handler = sigpipe_handler;
+  sigemptyset(&newact.sa_mask);
+  newact.sa_flags = 0;
+  if (sigaction(SIGPIPE, &newact, NULL) == -1) {
+    cout << "Unable to add SIGPIPE handler, exiting" << endl;
+    return 1;
+  }
+
   std::stringstream url;
   url << kMetadataServerUrl << "users?username=" << UrlEncode(argv[1]);
   string user_response;
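Review bot: The failure message on the sigaction() error path, `cout << "Unable to add SIGPIPE handler, exiting" << endl;`, is written to stdout, which is the channel sshd reads as authorized_keys content from an AuthorizedKeysCommand; diagnostics belong on stderr, i.e. `std::cerr << "Unable to add SIGPIPE handler, exiting" << endl;` (the pre-existing usage line above it has the same problem). As far as I recall OpenSSH discards the command's output on a non-zero exit status, so this is hygiene rather than a key-injection risk, but it keeps the text out of any key-parsing path. `newact` is a stack struct with only three members assigned; `struct sigaction` has further members on common libcs (glibc's sa_restorer), so zeroing it first with `memset(&newact, 0, sizeof(newact));` is the usual idiom. main() continues past the end of this hunk.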
@@ -44,6 +61,7 @@
     if (http_code == 404) {
       // Return 0 if the user is not an oslogin user. If we returned a failure
       // code, we would populate auth.log with useless error messages.
+      // This exits successfully but prints no keys.
       return 0;
     }
     return 1;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/guest-oslogin-20210728.00/src/authorized_keys/authorized_keys_sk.cc 
new/guest-oslogin-20211013.00/src/authorized_keys/authorized_keys_sk.cc
--- old/guest-oslogin-20210728.00/src/authorized_keys/authorized_keys_sk.cc     
1970-01-01 01:00:00.000000000 +0100
+++ new/guest-oslogin-20211013.00/src/authorized_keys/authorized_keys_sk.cc     
2021-10-13 02:28:59.000000000 +0200
@@ -0,0 +1,105 @@
+// Copyright 2021 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include <cstdlib>
+#include <iostream>
+#include <sstream>
+#include <string>
+
+#include <signal.h>
+#include <string.h>
+
+#include <oslogin_utils.h>
+
+using std::cout;
+using std::endl;
+using std::string;
+
+using oslogin_utils::HttpGet;
+using oslogin_utils::ParseJsonToSuccess;
+using oslogin_utils::ParseJsonToEmail;
+using oslogin_utils::ParseJsonToSshKeys;
+using oslogin_utils::ParseJsonToSshKeysSk;
+using oslogin_utils::UrlEncode;
+using oslogin_utils::kMetadataServerUrl;
+
+void sigpipe_handler(int signo) {
+  // exit 0 so SSHD can use what we've already written out.
+  _Exit(0);
+}
+
+int main(int argc, char* argv[]) {
+  if (argc != 2) {
+    cout << "usage: authorized_keys_sk [username]" << endl;
+    return 1;
+  }
+
+  struct sigaction newact;
+  newact.sa_handler = sigpipe_handler;
+  sigemptyset(&newact.sa_mask);
+  newact.sa_flags = 0;
+  if (sigaction(SIGPIPE, &newact, NULL) == -1) {
+    cout << "Unable to add SIGPIPE handler, exiting" << endl;
+    return 1;
+  }
+
+  bool is_sa = (strncmp(argv[1], "sa_", 3) == 0);
+  std::stringstream url;
+  url << kMetadataServerUrl << "users?username=" << UrlEncode(argv[1])
+      << "&view=securityKey";
+  string user_response;
+  long http_code = 0;
+  if (!HttpGet(url.str(), &user_response, &http_code) ||
+      user_response.empty() || http_code != 200) {
+    if (http_code == 404) {
+      // Return 0 if the user is not an oslogin user. If we returned a failure
+      // code, we would populate auth.log with useless error messages.
+      return 0;
+    }
+    return 1;
+  }
+  string email;
+  if (!ParseJsonToEmail(user_response, &email) || email.empty()) {
+    return 1;
+  }
+  // Redundantly verify that this user has permission to log in to this VM.
+  // Normally the PAM module determines this, but in the off chance a transient
+  // error causes the PAM module to permit a user without login permissions,
+  // perform the same check here. If this fails, we can guarantee that we won't
+  // accidentally allow a user to log in without permissions.
+  url.str("");
+  url << kMetadataServerUrl << "authorize?email=" << UrlEncode(email)
+      << "&policy=login";
+  string auth_response;
+  if (!HttpGet(url.str(), &auth_response, &http_code) || http_code != 200 ||
+      auth_response.empty()) {
+    return 1;
+  }
+  if (!ParseJsonToSuccess(auth_response)) {
+    return 1;
+  }
+  // At this point, we've verified the user can log in. Grab the ssh keys from
+  // the user response.
+  std::vector<string> ssh_keys;
+  if (is_sa) {
+    // Service accounts should continue to function when SK is enabled.
+    ssh_keys = ParseJsonToSshKeys(user_response);
+  } else {
+    ssh_keys = ParseJsonToSshKeysSk(user_response);
+  }
+  for (size_t i = 0; i < ssh_keys.size(); i++) {
+    cout << ssh_keys[i] << endl;
+  }
+  return 0;
+}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/guest-oslogin-20210728.00/src/include/oslogin_utils.h 
new/guest-oslogin-20211013.00/src/include/oslogin_utils.h
--- old/guest-oslogin-20210728.00/src/include/oslogin_utils.h   2021-07-24 
00:28:39.000000000 +0200
+++ new/guest-oslogin-20211013.00/src/include/oslogin_utils.h   2021-10-13 
02:28:59.000000000 +0200
@@ -121,7 +121,7 @@
   // response is expected to be a JSON array of passwd or group entries. 
Returns
   // true on success.
   bool LoadJsonUsersToCache(string response);
-  bool LoadJsonGroupsToCache(string response);
+  bool LoadJsonGroupsToCache(string response, int* errnop);
 
   // Helper method for get(pw|gr)ent nss methods. Each call will iterate 
through the
   // OsLogin database and return the next entry.  Internally, the cache will
@@ -247,6 +247,7 @@
 // ssh_keys. A key is considered valid if it's expiration date is greater than
 // current unix time.
 std::vector<string> ParseJsonToSshKeys(const string& json);
+std::vector<string> ParseJsonToSshKeysSk(const string& json);
 
 // Parses a JSON object and returns the value associated with a given key.
 bool ParseJsonToKey(const string& json, const string& key, string* response);
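Review bot: ParseJsonToSshKeysSk is declared directly under the ParseJsonToSshKeys comment, which says a key is only returned if its expiration date is in the future, but the implementation added in this diff returns every publicKey under securityKeys with no expiration check, so the shared comment now misdescribes the new function. I would give it its own comment: `// Parses the securityKeys array of the first login profile in json and returns` / `// each entry's publicKey. Unlike ParseJsonToSshKeys, no expiration check is applied.`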
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/guest-oslogin-20210728.00/src/oslogin_utils.cc 
new/guest-oslogin-20211013.00/src/oslogin_utils.cc
--- old/guest-oslogin-20210728.00/src/oslogin_utils.cc  2021-07-24 
00:28:39.000000000 +0200
+++ new/guest-oslogin-20211013.00/src/oslogin_utils.cc  2021-10-13 
02:28:59.000000000 +0200
@@ -177,8 +177,9 @@
   return ret;
 }
 
-bool NssCache::LoadJsonGroupsToCache(string response) {
+bool NssCache::LoadJsonGroupsToCache(string response, int* errnop) {
   Reset();
+  *errnop = ENOENT;
 
   json_object* root = NULL;
   root = json_tokener_parse(response.c_str());
@@ -198,12 +199,14 @@
     goto cleanup;
   }
   // A page_token of 0 for groups is different than for users. This is the last
-  // page, but it WILL contain groups.
+  // page, but it WILL contain groups if there are any.
   if (page_token_ == "0") {
     on_last_page_ = true;
     page_token_ = "";
   }
   if (!json_object_object_get_ex(root, "posixGroups", &groups)) {
+    // Valid JSON but no groups, set ENOMSG as a 'no groups' code.
+    *errnop = ENOMSG;
     goto cleanup;
   }
   if (json_object_get_type(groups) != json_type_array) {
@@ -218,6 +221,7 @@
     entry_cache_.push_back(json_object_to_json_string_ext(group, 
JSON_C_TO_STRING_PLAIN));
   }
   ret = true;
+  *errnop = 0;
 
 cleanup:
   json_object_put(root);
@@ -285,11 +289,15 @@
       *errnop = ENOMSG;
       return false;
     }
-    // General failure to load the cache occurred.
-    if (!status || http_code != 200 || response.empty() || 
!LoadJsonGroupsToCache(response)) {
+    // Failed to make the request or empty response.
+    if (!status || http_code != 200 || response.empty()) {
       *errnop = ENOENT;
       return false;
     }
+    // General failure to load the cache occurred.
+    if (!LoadJsonGroupsToCache(response, errnop)) {
+      return false;
+    }
   }
 
   if (!HasNextEntry() || !GetNextGroup(buf, result, errnop)) {
@@ -542,7 +550,7 @@
   result->gr_gid = gr_gid;
   if (!buf->AppendString("", &result->gr_passwd, errnop))
     goto cleanup;
-  if (!buf->AppendString((char*)json_object_get_string(name), &result->gr_name,
+  if (!buf->AppendString(json_object_get_string(name), &result->gr_name,
                          errnop))
     goto cleanup;
 
@@ -599,7 +607,7 @@
         if (val_type != json_type_string) {
           continue;
         }
-        key_to_add = (char*)json_object_get_string(val);
+        key_to_add = json_object_get_string(val);
       }
       if (string_key == "expirationTimeUsec") {
         if (val_type == json_type_int || val_type == json_type_string) {
@@ -624,6 +632,62 @@
   return result;
 }
 
+std::vector<string> ParseJsonToSshKeysSk(const string& json) {
+  std::vector<string> result;
+  json_object* security_keys = NULL;
+
+  json_object* root = NULL;
+  root = json_tokener_parse(json.c_str());
+  if (root == NULL) {
+    return result;
+  }
+
+  // Locate the securityKeys array.
+  json_object* login_profiles = NULL;
+  if (!json_object_object_get_ex(root, "loginProfiles", &login_profiles)) {
+    goto cleanup;
+  }
+  if (json_object_get_type(login_profiles) != json_type_array) {
+    goto cleanup;
+  }
+
+  login_profiles = json_object_array_get_idx(login_profiles, 0);
+
+  if (!json_object_object_get_ex(login_profiles, "securityKeys", 
&security_keys)) {
+    goto cleanup;
+  }
+  if (json_object_get_type(security_keys) != json_type_array) {
+    goto cleanup;
+  }
+
+  {
+    size_t number_of_keys = 0;
+    size_t idx;
+    json_object* security_key = NULL;
+    json_object* public_key = NULL;
+    string key_to_add = "";
+
+    number_of_keys = json_object_array_length(security_keys);
+    for (idx = 0; idx < number_of_keys; idx++) {
+      security_key = json_object_array_get_idx(security_keys, idx);
+      if (json_object_get_type(security_key) != json_type_object) {
+        goto cleanup;
+      }
+      if (!json_object_object_get_ex(security_key, "publicKey", &public_key)) {
+        goto cleanup;
+      }
+
+      key_to_add = json_object_get_string(public_key);
+      result.push_back(key_to_add);
+      key_to_add.clear();
+    }
+  }
+
+cleanup:
+  json_object_put(root);
+  return result;
+}
+
 bool ParseJsonToPasswd(const string& json, struct passwd* result, 
BufferManager*
                        buf, int* errnop) {
   *errnop = EINVAL;
@@ -699,7 +763,7 @@
       if (val_type != json_type_string) {
         goto cleanup;
       }
-      if (!buf->AppendString((char*)json_object_get_string(val),
+      if (!buf->AppendString(json_object_get_string(val),
                              &result->pw_name, errnop)) {
         goto cleanup;
       }
@@ -707,7 +771,7 @@
       if (val_type != json_type_string) {
         goto cleanup;
       }
-      if (!buf->AppendString((char*)json_object_get_string(val),
+      if (!buf->AppendString(json_object_get_string(val),
                              &result->pw_dir, errnop)) {
         goto cleanup;
       }
@@ -715,7 +779,7 @@
       if (val_type != json_type_string) {
         goto cleanup;
       }
-      if (!buf->AppendString((char*)json_object_get_string(val),
+      if (!buf->AppendString(json_object_get_string(val),
                              &result->pw_shell, errnop)) {
         goto cleanup;
       }
@@ -815,12 +879,10 @@
 
 
   if (!json_object_object_get_ex(root, key.c_str(), &json_response)) {
-    json_object_put(root);
     goto cleanup;
   }
 
   if (!(c_response = json_object_get_string(json_response))) {
-    json_object_put(root);
     goto cleanup;
   }
 
