Index: auth2.c
--- auth2.c.orig 2021-03-02 11:31:47.000000000 +0100
+++ auth2.c 2021-03-03 08:25:17.978876000 +0100
@@ -58,6 +58,9 @@
 #endif
 #include "monitor_wrap.h"
 #include "digest.h"
+#ifdef USE_ALIAS
+#include "match.h"
+#endif
 /* import */
 extern ServerOptions options;
@@ -264,6 +267,10 @@
 char *user = NULL, *service = NULL, *method = NULL, *style = NULL;
 int r, authenticated = 0;
 double tstart = monotime_double();
+#ifdef USE_ALIAS
+ int i, n;
+ char *cp;
+#endif
 if (authctxt == NULL)
 fatal("input_userauth_request: no authctxt");
@@ -278,6 +285,25 @@
 if ((style = strchr(user, ':')) != NULL)
 *style++ = 0;
+#ifdef USE_ALIAS
+ for (i = 0; i < options.num_alias; i++) {
+ if (match_pattern_list(user, options.alias[i].alias, strlen(options.alias[i].alias), 0) == 1) {
+ if (style != NULL) {
+ n = strlen(options.alias[i].user) + 1 + strlen(style) + 1;
+ cp = xmalloc(n);
+ snprintf(cp, n, "%s:%s", options.alias[i].user, style);
+ style = strchr(cp, ':');
+ *style++ = '\0';
+ }
+ else
+ cp = xstrdup(options.alias[i].user);
+ free(user);
+ user = cp;
+ break;
+ }
+ }
+#endif
+
 if (authctxt->attempt++ == 0) {
 /* setup auth context */
 authctxt->pw = PRIVSEP(getpwnamallow(ssh, user));
Index: servconf.c
--- servconf.c.orig 2021-03-02 11:31:47.000000000 +0100
+++ servconf.c 2021-03-03 08:25:17.979352000 +0100
@@ -196,6 +196,9 @@
 options->fingerprint_hash = -1;
 options->disable_forwarding = -1;
 options->expose_userauth_info = -1;
+#ifdef USE_ALIAS
+ options->num_alias = 0;
+#endif
 }
 /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
@@ -520,6 +523,9 @@
 sStreamLocalBindMask, sStreamLocalBindUnlink, sAllowStreamLocalForwarding,
 sFingerprintHash, sDisableForwarding, sExposeAuthInfo, sRDomain,
 sPubkeyAuthOptions, sSecurityKeyProvider,
+#ifdef USE_ALIAS
+ sAlias,
+#endif
 sDeprecated, sIgnore, sUnsupported
 } ServerOpCodes;
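Review bot: The alias remap in the `for` loop frees the client-supplied user name and replaces it without any log line, so the `getpwnamallow()` lookup and everything after it see only the mapped account and the name the peer actually presented is lost to the audit trail; add `verbose("user alias %s mapped to %s", user, options.alias[i].user);` before `free(user)`. `style = strchr(cp, ':')` searches the freshly formatted buffer for the first colon, which is the wrong one if the configured target user itself contains ':'; `style = cp + strlen(options.alias[i].user) + 1;` is exact and needs no search. `n` is declared `int` but holds a sum of `strlen()` results; `size_t n` matches what `xmalloc` and `snprintf` take. The four-argument `match_pattern_list(..., strlen(...), 0)` call follows the older OpenSSH signature, so check `match.h` in the tree this targets, as later releases take three arguments. `input_userauth_request` begins and ends outside the hunk.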
@@ -678,6 +684,9 @@
 { "rdomain", sRDomain, SSHCFG_ALL },
 { "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL },
 { "securitykeyprovider", sSecurityKeyProvider, SSHCFG_GLOBAL },
+#ifdef USE_ALIAS
+ { "alias", sAlias },
+#endif
 { NULL, sBadOption, 0 }
 };
@@ -2395,6 +2404,26 @@
 *charptr = xstrdup(arg);
 break;
+#ifdef USE_ALIAS
+ case sAlias:
+ if (options->num_alias >= MAX_ALIAS) {
+ fatal("%s line %d: too many user alias defined.",
+ filename, linenum);
+ }
+ arg = strdelim(&cp);
+ if (arg == NULL || arg[0] == '\0')
+ fatal("%s line %d: missing user name alias(es).",
+ filename, linenum);
+ options->alias[options->num_alias].alias = xstrdup(arg);
+ arg = strdelim(&cp);
+ if (arg == NULL || arg[0] == '\0')
+ fatal("%s line %d: missing user name to map alias '%s' to.",
+ filename, linenum, options->alias[options->num_alias].alias);
+ options->alias[options->num_alias].user = xstrdup(arg);
+ options->num_alias++;
+ break;
+#endif
+
 case sDeprecated:
 case sIgnore:
 case sUnsupported:
Index: servconf.h
--- servconf.h.orig 2021-03-02 11:31:47.000000000 +0100
+++ servconf.h 2021-03-03 08:25:17.979556000 +0100
@@ -229,6 +229,14 @@
 int expose_userauth_info;
 u_int64_t timing_secret;
 char *sk_provider;
+#ifdef USE_ALIAS
+#define MAX_ALIAS 256
+ u_int num_alias;
+ struct {
+ char *alias; /* the alias list to match */
+ char *user; /* the username to map to */
+ } alias[MAX_ALIAS];
+#endif
 } ServerOptions;
 /* Information about the incoming connection as used by Match */
Index: sshd_config.5
--- sshd_config.5.orig 2021-03-02 11:31:47.000000000 +0100
+++ sshd_config.5 2021-03-03 08:25:17.979860000 +0100
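Review bot: The `{ "alias", sAlias },` row omits the flags field every neighbouring row carries, so it is zero-initialized with neither `SSHCFG_GLOBAL` nor `SSHCFG_MATCH` set, and whether the keyword is then accepted in the main section or rejected depends on how the flag checks treat 0; spell the intent out, presumably `{ "alias", sAlias, SSHCFG_GLOBAL },`. `SSHCFG_GLOBAL` is the value consistent with the rest of the patch, since the `sAlias` parser in the next hunk never consults `*activep` and no hunk touches the code that copies options into Match blocks.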
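Review bot: The `sAlias` case stores the mapping target without validating it, and because the auth2.c hunk later splits the remapped name at the first ':', a target containing ':' would be silently truncated to a different account name; reject it at parse time with `if (strchr(arg, ':') != NULL) fatal("%s line %d: invalid user name '%s'.", filename, linenum, arg);` before the second `xstrdup`. The loop in auth2.c stops at the first matching entry, so a later `Alias` line can never override an earlier one that also matches; a comment above `options->num_alias++` such as `/* first matching Alias wins; see input_userauth_request() */` would save the next reader a trip to auth2.c. Nothing in the patch teaches the config dump (`sshd -T`) about the new option, so the effective mappings cannot be inspected that way, which deserves either a follow-up or a note here. The enclosing `switch` starts and ends outside the hunk.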
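Review bot: `num_alias` is declared `u_int` here while the auth2.c hunk iterates it with `int i`, so `i < options.num_alias` is a signed/unsigned comparison; declare the index `u_int i` there or make this field `int` like its neighbours, but pick one. The fixed `alias[MAX_ALIAS]` table of 256 pointer pairs is embedded in every `ServerOptions` instance, unlike the other list options that keep a dynamically sized pointer array plus a count; if the fixed size is deliberate, say so above the struct, e.g. `/* fixed-size table; the parser fatal()s past MAX_ALIAS entries */`. Placing `#define MAX_ALIAS 256` inside the struct body is legal but unusual; hoisting it above the `typedef` keeps the limit where readers look for it. The enclosing `ServerOptions` typedef begins outside the hunk.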
@@ -106,6 +106,15 @@
 Note that disabling agent forwarding does not improve security unless
 users are also denied shell access, as they can always install their
 own forwarders.
+.It Cm Alias
+Specifies an optional mapping of a list of user name aliases onto
+real user names. The first argument is a comma separated list of
+user name aliases (optionally prefixed with '!' for negation) to
+match. The characters `*' and `?' can be used as wildcards in the
+alias patterns. The second argument is the real user name onto
+which the aliases are mapped. This allows the use of appealing
+virtual login names (like `anonymous') instead of their physical
+counterparts (like `anoncvs').
 .It Cm AllowGroups
 This keyword can be followed by a list of group name patterns,
 separated by spaces.