From 3a66e4f120de1025ebbc811b01619267329562e1 Mon Sep 17 00:00:00 2001
From: Michael Santos
Date: Thu, 7 Sep 2017 10:05:13 -0400
Subject: [PATCH] Add PAM_RUSER format specifier

Add a new "%r" format specifier to represent the PAM remote user:

auth sufficient pam_ssh_agent_auth.so file=/etc/keys/%r

This change allows programs, like su, that set RUSER to the origin user and USER to the destination user, to name the key according to the user calling the program:

# auser -> root
/etc/keys/%r # equivalent to /etc/keys/auser
/etc/keys/%u # equivalent to /etc/keys/root
---
 pam_ssh_agent_auth.c | 2 +-
 pam_ssh_agent_auth.pod | 6 ++++++
 pam_user_authorized_keys.c | 4 ++--
 pam_user_authorized_keys.h | 2 +-
 4 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/pam_ssh_agent_auth.c b/pam_ssh_agent_auth.c
index bd3bf01..bce040c 100644
--- a/pam_ssh_agent_auth.c
+++ b/pam_ssh_agent_auth.c
@@ -175,7 +175,7 @@ pam_sm_authenticate(pam_handle_t * pamh, int flags, int argc, const char **argv)
 /*
 * user is the name of the target-user, and so must be used for validating the authorized_keys file
 */
- parse_authorized_key_file(user, authorized_keys_file_input);
+ parse_authorized_key_file(user, ruser, authorized_keys_file_input);
 } else {
 pamsshagentauth_verbose("Using default file=/etc/security/authorized_keys");
 authorized_keys_file = pamsshagentauth_xstrdup("/etc/security/authorized_keys");
diff --git a/pam_ssh_agent_auth.pod b/pam_ssh_agent_auth.pod
index c64d647..374ecff 100644
--- a/pam_ssh_agent_auth.pod
+++ b/pam_ssh_agent_auth.pod
@@ -79,6 +79,12 @@ Automatically enables allow_user_owned_authorized_keys_file
 
 =item %u -- Username
 
+=item %r -- Remote Username
+
+Allows programs like su that set RUSER to the origin user and USER to the destination user, to name the key according to the user calling the program.
+
+The key file must belong to root or the target user. It must not be writable by the RUSER.
+
 =item %f -- FQDN
 
 =back
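Review bot: `ruser` is handed to parse_authorized_key_file here and becomes the "%r" replacement in pamsshagentauth_percent_expand (second pam_user_authorized_keys.c hunk, line 152) without any check that it is non-NULL or a plain account name, and this hunk does not show where ruser was obtained. PAM_RUSER is optional, so pam_get_item can leave it NULL for services that never set it; if pamsshagentauth_percent_expand behaves like OpenSSH's percent_expand, a NULL replacement is fatal, which would take down the calling process instead of failing the authentication. The value is also chosen by the calling application, so a name containing '/' or '..' would make file=/etc/keys/%r resolve outside the intended directory before the ownership checks run; the new pod text says the file must not be writable by the RUSER, but neither code hunk adds an enforcement of that. I would validate before expanding, e.g. `if (ruser == NULL || strchr(ruser, '/') != NULL || getpwnam(ruser) == NULL)` and fall through to the default authorized_keys path with a pamsshagentauth_verbose message. pam_sm_authenticate's body starts and ends outside this hunk.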
diff --git a/pam_user_authorized_keys.c b/pam_user_authorized_keys.c
index abe7a15..e269b93 100644
--- a/pam_user_authorized_keys.c
+++ b/pam_user_authorized_keys.c
@@ -91,7 +91,7 @@ extern uint8_t allow_user_owned_authorized_keys_file;
 uid_t authorized_keys_file_allowed_owner_uid;
 
 void
-parse_authorized_key_file(const char *user,
+parse_authorized_key_file(const char *user, const char *ruser,
 const char *authorized_keys_file_input)
 {
 char fqdn[HOST_NAME_MAX] = "";
@@ -152,7 +152,7 @@ parse_authorized_key_file(const char *user,
 authorized_keys_file =
 pamsshagentauth_percent_expand(auth_keys_file_buf, "h",
 getpwnam(user)->pw_dir, "H", hostname,
- "f", fqdn, "u", user, NULL);
+ "f", fqdn, "u", user, "r", ruser, NULL);
 }
 
 int
diff --git a/pam_user_authorized_keys.h b/pam_user_authorized_keys.h
index a871bf0..8f4c4a2 100644
--- a/pam_user_authorized_keys.h
+++ b/pam_user_authorized_keys.h
@@ -33,6 +33,6 @@
 #include "identity.h"
 
 int pam_user_key_allowed(const char *, Key *);
-void parse_authorized_key_file(const char *, const char *);
+void parse_authorized_key_file(const char *, const char *, const char *);
 
 #endif
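Review bot: The new `ruser` parameter of parse_authorized_key_file is undocumented, and the context lines before the signature (`uid_t authorized_keys_file_allowed_owner_uid;`, a blank, `void`) show no header comment that would describe it. Since `user` and `ruser` are both `const char *` and only `user` is later resolved through getpwnam in the second hunk, a reader cannot tell whether ruser may be NULL or must already be a validated account name. Add a comment above the definition along the lines of `/* user: target account; ruser: PAM_RUSER as supplied by the calling application, used only for the "%r" expansion -- state here whether NULL is permitted */`. The function body continues past the end of this hunk.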
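Review bot: The prototype in pam_user_authorized_keys.h now has three consecutive unnamed `const char *` parameters, so the header no longer tells a caller which position is the target user, the remote user and the file pattern, and the call in pam_ssh_agent_auth.c (user, ruser, authorized_keys_file_input) would still compile with two of them swapped. Naming the parameters keeps the declaration self-describing: `void parse_authorized_key_file(const char *user, const char *ruser, const char *authorized_keys_file_input);`.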