2 * QEMU Guest Agent win32-specific command implementations for SSH keys.
12 * See the COPYING file in the top-level directory.
17 #include <qga-qapi-types.h>
19 #include "commands-common-ssh.h"
20 #include "commands-windows-ssh.h"
21 #include "guest-agent-core.h"
28 #include "qga-qapi-commands.h"
35 #define LOCAL_SYSTEM_SID "S-1-5-18"
36 #define ADMIN_SID "S-1-5-32-544"
44 g_free(info->sshDirectory); in free_userInfo()
45 g_free(info->authorizedKeyFile); in free_userInfo()
46 LocalFree(info->SSID); in free_userInfo()
47 g_free(info->username); in free_userInfo()
58 * errp -> error structure to set when an error occurs
62 static char *get_admin_ssh_folder(Error **errp) in get_admin_ssh_folder()
79 programDataPath = g_utf16_to_utf8(pgDataW, -1, NULL, NULL, &gerr); in get_admin_ssh_folder()
83 "Failed converting ProgramData folder path to UTF-16 %s", in get_admin_ssh_folder()
84 gerr->message); in get_admin_ssh_folder()
88 /* Build the path to the file. */ in get_admin_ssh_folder()
94 * Gets the path to the SSH folder for the specified user. If the user is an
95 * admin it returns the ssh folder located at %PROGRAMDATA%/ssh. If the user is
99 * username -> Username to get the SSH folder for
100 * isAdmin -> Whether the user is an admin or not
101 * errp -> Error structure to set any errors that occur.
104 static char *get_ssh_folder(const char *username, const bool isAdmin, in get_ssh_folder()
114 /* If not an Admin the SSH key is in the user directory. */ in get_ssh_folder()
115 /* Get the user profile directory on the machine. */ in get_ssh_folder()
128 * Creates an entry for the user so they can access the ssh folder in their
132 * userInfo -> Information about the current user
133 * pACL -> Pointer to an ACL structure
134 * errp -> Error structure to set any errors that occur
135 * returns -> 1 on success, 0 otherwise
137 static bool create_acl_user(PWindowsUserInfo userInfo, PACL *pACL, Error **errp) in create_acl_user()
145 bool converted = ConvertStringSidToSid(userInfo->SSID, &userPSID); in create_acl_user()
147 error_setg_win32(errp, GetLastError(), "failed to retrieve user %s SID", in create_acl_user()
148 userInfo->username); in create_acl_user()
152 /* Set the permissions for the user. */ in create_acl_user()
175 "failed to set ACL entries for user %s %lu", in create_acl_user()
176 userInfo->username, setResult); in create_acl_user()
193 * pACL -> Pointer to an ACL structure
194 * errp -> Error structure to set any errors that occur
197 static bool create_acl_base(PACL *pACL, Error **errp) in create_acl_base()
205 /* Create an entry for the system user. */ in create_acl_base()
213 /* set permissions for system user */ in create_acl_base()
221 /* Create an entry for the admin user. */ in create_acl_base()
253 "failed to set base ACL entries for system user and " in create_acl_base()
279 * access the folders. For normal user accounts only the specified user,
283 * userInfo -> pointer to structure that contains information about the user
284 * PACL -> pointer to an access control structure that will be set upon
286 * errp -> error structure that will be set upon error.
289 static bool create_acl(PWindowsUserInfo userInfo, PACL *pACL, Error **errp) in create_acl()
300 * If the user is not an admin give the user creating the key permission to in create_acl()
303 if (!userInfo->isAdmin) { in create_acl()
314 * Creates the SSH directory for the user and sets appropriate permissions.
315 * In general the directory will be %PROGRAMDATA%/ssh if the user is an admin.
319 * userInfo -> Contains information about the user
320 * errp -> Structure that will contain errors if the function fails.
323 static bool create_ssh_directory(WindowsUserInfo *userInfo, Error **errp) in create_ssh_directory()
328 /* Gets the appropriate ACL for the user */ in create_ssh_directory()
355 BOOL created = CreateDirectory(userInfo->sshDirectory, &sAttr); in create_ssh_directory()
358 userInfo->sshDirectory); in create_ssh_directory()
373 * parameters: userInfo -> Information about the user
374 * errp -> error structure that will contain errors upon failure
377 static bool set_file_permissions(PWindowsUserInfo userInfo, Error **errp) in set_file_permissions()
387 /* Get the PSID structure for the user based off the string SID. */ in set_file_permissions()
388 bool converted = ConvertStringSidToSid(userInfo->SSID, &userPSID); in set_file_permissions()
390 error_setg_win32(errp, GetLastError(), "failed to retrieve user %s SID", in set_file_permissions()
391 userInfo->username); in set_file_permissions()
400 if (SetNamedSecurityInfo(userInfo->authorizedKeyFile, SE_FILE_OBJECT, in set_file_permissions()
405 userInfo->authorizedKeyFile); in set_file_permissions()
423 * userInfo: Information about the user we are writing the authkeys file to.
428 static bool write_authkeys(WindowsUserInfo *userInfo, GStrv authkeys, in write_authkeys()
436 if (!g_file_set_contents(userInfo->authorizedKeyFile, contents, -1, &err)) { in write_authkeys()
438 userInfo->authorizedKeyFile, err->message); in write_authkeys()
450 * Retrieves information about a Windows user by their username
453 * userInfo -> Double pointer to a WindowsUserInfo structure. Upon success, it
454 * will be allocated with information about the user and needs to be freed.
455 * username -> Name of the user to lookup.
456 * errp -> Contains any errors that occur.
459 static bool get_user_info(PWindowsUserInfo *userInfo, const char *username, in get_user_info()
472 wideUserName = g_utf8_to_utf16(username, -1, NULL, NULL, &gerr); in get_user_info()
487 /* Give a friendlier error message if the user was not found. */ in get_user_info()
489 error_setg(errp, "User %s was not found", username); in get_user_info()
494 "Received unexpected error when asking for user info: Error " in get_user_info()
501 uData->username = g_strdup(username); in get_user_info()
502 uData->isAdmin = uBuf->usri4_priv == USER_PRIV_ADMIN; in get_user_info()
503 psid = uBuf->usri4_user_sid; in get_user_info()
514 "failed to get SID string for user %s", username); in get_user_info()
519 uData->SSID = sidStr; in get_user_info()
521 /* Get the SSH folder for the user. */ in get_user_info()
522 char *sshFolder = get_ssh_folder(username, uData->isAdmin, errp); in get_user_info()
529 uData->isAdmin ? AUTHORIZED_KEY_FILE_ADMIN : AUTHORIZED_KEY_FILE; in get_user_info()
532 uData->sshDirectory = sshFolder; in get_user_info()
533 uData->authorizedKeyFile = authorizedKeyPath; in get_user_info()
547 * Gets the list of authorized keys for a user.
550 * username -> Username to retrieve the keys for.
551 * errp -> Error structure that will display any errors through QMP.
552 * returns: List of keys associated with the user.
562 /* Gets user information */ in qmp_guest_ssh_get_authorized_keys()
567 /* Reads authkeys for the user */ in qmp_guest_ssh_get_authorized_keys()
568 authKeys = read_authkeys(userInfo->authorizedKeyFile, errp); in qmp_guest_ssh_get_authorized_keys()
581 QAPI_LIST_PREPEND(ret->keys, g_strdup(authKeys[i])); in qmp_guest_ssh_get_authorized_keys()
593 * Adds an ssh key for a user.
596 * username -> User to add the SSH key to
597 * strList -> Array of keys to add to the list
598 * has_reset -> Whether the keys have been reset
599 * reset -> Boolean to reset the keys (If this is set the existing list will be
600 * cleared) and the other key reset. errp -> Pointer to an error structure that
616 /* Gets user information */ in qmp_guest_ssh_add_authorized_keys()
625 authkeys = read_authkeys(userInfo->authorizedKeyFile, NULL); in qmp_guest_ssh_add_authorized_keys()
628 /* Check that the SSH key directory exists for the user. */ in qmp_guest_ssh_add_authorized_keys()
629 if (!g_file_test(userInfo->sshDirectory, G_FILE_TEST_IS_DIR)) { in qmp_guest_ssh_add_authorized_keys()
644 for (k = keys; k != NULL; k = k->next) { in qmp_guest_ssh_add_authorized_keys()
646 if (g_strv_contains((const gchar *const *)authkeys, k->value)) { in qmp_guest_ssh_add_authorized_keys()
650 authkeys[nauthkeys++] = g_strdup(k->value); in qmp_guest_ssh_add_authorized_keys()
658 * Removes an SSH key for a user
661 * username -> Username to remove the key from
662 * strList -> List of strings to remove
663 * errp -> Contains any errors that occur.
675 /* Validates the keys passed in by the user */ in qmp_guest_ssh_remove_authorized_keys()
680 /* Gets user information */ in qmp_guest_ssh_remove_authorized_keys()
685 /* Reads the authkeys for the user */ in qmp_guest_ssh_remove_authorized_keys()
686 authkeys = read_authkeys(userInfo->authorizedKeyFile, errp); in qmp_guest_ssh_remove_authorized_keys()
696 /* Filters out keys that are equal to ones the user specified. */ in qmp_guest_ssh_remove_authorized_keys()
697 for (k = keys; k != NULL; k = k->next) { in qmp_guest_ssh_remove_authorized_keys()
698 if (g_str_equal(k->value, *a)) { in qmp_guest_ssh_remove_authorized_keys()