author | Damien Miller <djm@mindrot.org> | 1999-10-29 11:49:20 +1000 |
committer | Damien Miller <djm@mindrot.org> | 1999-10-29 11:49:20 +1000 |
commit | 07a826d85456d2194fb0030cde8e2b7cbb7d061b (patch) | |
tree | 990c7467ab356e94d503b568c017830f180f11ea | |
parent | 070f7a1fd0efbb7bba1f096d58b0ad6938935afd (diff) |
- Make distclean now removes the configure script
- Improved PAM logging
- Added some debug() calls for PAM
-rw-r--r-- | ChangeLog | 3 | ||||
-rw-r--r-- | Makefile.in | 2 | ||||
-rw-r--r-- | sshd.c | 89 |
3 files changed, 63 insertions, 31 deletions
@@ -3,6 +3,9 @@ | |||
3 | - Incorporated latest changes from OpenBSD's CVS | 3 | - Incorporated latest changes from OpenBSD's CVS |
4 | - Integrated Makefile patch from Niels Kristian Bech Jensen <nkbj@image.dk> | 4 | - Integrated Makefile patch from Niels Kristian Bech Jensen <nkbj@image.dk> |
5 | - Integrated PAM env patch from Nalin Dahyabhai <nalin.dahyabhai@pobox.com> | 5 | - Integrated PAM env patch from Nalin Dahyabhai <nalin.dahyabhai@pobox.com> |
6 | - Make distclean now removed configure script | ||
7 | - Improved PAM logging | ||
8 | - Added some debug() calls for PAM | ||
6 | 9 | ||
7 | 19991028 | 10 | 19991028 |
8 | - Further PAM enhancements. | 11 | - Further PAM enhancements. |
diff --git a/Makefile.in b/Makefile.in index 436bc2ea1..d1aec1330 100644 --- a/Makefile.in +++ b/Makefile.in | |||
@@ -76,7 +76,7 @@ install: | |||
76 | install -m644 -c sshd.8 $(mandir)/man8/sshd.8 | 76 | install -m644 -c sshd.8 $(mandir)/man8/sshd.8 |
77 | 77 | ||
78 | distclean: clean | 78 | distclean: clean |
79 | rm -f Makefile config.h *~ | 79 | rm -f Makefile config.h core configure *~ |
80 | rm -rf bin | 80 | rm -rf bin |
81 | 81 | ||
82 | mrproper: distclean | 82 | mrproper: distclean |
@@ -18,7 +18,7 @@ agent connections. | |||
18 | */ | 18 | */ |
19 | 19 | ||
20 | #include "includes.h" | 20 | #include "includes.h" |
21 | RCSID("$Id: sshd.c,v 1.7 1999/10/29 00:21:15 damien Exp $"); | 21 | RCSID("$Id: sshd.c,v 1.8 1999/10/29 01:49:20 damien Exp $"); |
22 | 22 | ||
23 | #include "xmalloc.h" | 23 | #include "xmalloc.h" |
24 | #include "rsa.h" | 24 | #include "rsa.h" |
@@ -188,40 +188,63 @@ static int pamconv(int num_msg, const struct pam_message **msg, | |||
188 | 188 | ||
189 | void pam_cleanup_proc(void *context) | 189 | void pam_cleanup_proc(void *context) |
190 | { | 190 | { |
191 | int retval; | 191 | int pam_retval; |
192 | 192 | ||
193 | if (pamh != NULL) | 193 | if (pamh != NULL) |
194 | { | 194 | { |
195 | retval = pam_close_session((pam_handle_t *)pamh, 0); | 195 | pam_retval = pam_close_session((pam_handle_t *)pamh, 0); |
196 | 196 | if (pam_retval != PAM_SUCCESS) | |
197 | if (pam_end((pam_handle_t *)pamh, retval) != PAM_SUCCESS) | 197 | { |
198 | log("Cannot release PAM authentication."); | 198 | log("Cannot close PAM session: %.200s", |
199 | pam_strerror((pam_handle_t *)pamh, pam_retval)); | ||
200 | } | ||
201 | |||
202 | pam_retval = pam_end((pam_handle_t *)pamh, pam_retval); | ||
203 | if (pam_retval != PAM_SUCCESS) | ||
204 | { | ||
205 | log("Cannot release PAM authentication: %.200s", | ||
206 | pam_strerror((pam_handle_t *)pamh, pam_retval)); | ||
207 | } | ||
199 | } | 208 | } |
200 | } | 209 | } |
201 | 210 | ||
202 | void do_pam_account_and_session(const char *username, const char *password, const char *remote_user, const char *remote_host) | 211 | void do_pam_account_and_session(const char *username, const char *password, const char *remote_user, const char *remote_host) |
203 | { | 212 | { |
204 | if (remote_host && (PAM_SUCCESS != pam_set_item((pam_handle_t *)pamh, PAM_RHOST, remote_host))) | 213 | int pam_retval; |
214 | |||
215 | if (remote_host != NULL) | ||
205 | { | 216 | { |
206 | log("PAM setup failed."); | 217 | debug("PAM setting rhost to \"%.200s\"", remote_host); |
207 | eat_packets_and_disconnect(username); | 218 | pam_retval = pam_set_item((pam_handle_t *)pamh, PAM_RHOST, remote_host); |
219 | if (pam_retval != PAM_SUCCESS) | ||
220 | { | ||
221 | log("PAM set rhost failed: %.200s", pam_strerror((pam_handle_t *)pamh, pam_retval)); | ||
222 | eat_packets_and_disconnect(username); | ||
223 | } | ||
208 | } | 224 | } |
209 | 225 | ||
210 | if (remote_user && (PAM_SUCCESS != pam_set_item((pam_handle_t *)pamh, PAM_RUSER, remote_user))) | 226 | if (remote_user != NULL) |
211 | { | 227 | { |
212 | log("PAM setup failed."); | 228 | debug("PAM setting ruser to \"%.200s\"", remote_user); |
213 | eat_packets_and_disconnect(username); | 229 | pam_retval = pam_set_item((pam_handle_t *)pamh, PAM_RUSER, remote_user); |
230 | if (pam_retval != PAM_SUCCESS) | ||
231 | { | ||
232 | log("PAM set ruser failed: %.200s", pam_strerror((pam_handle_t *)pamh, pam_retval)); | ||
233 | eat_packets_and_disconnect(username); | ||
234 | } | ||
214 | } | 235 | } |
215 | 236 | ||
216 | if (PAM_SUCCESS != pam_acct_mgmt((pam_handle_t *)pamh, 0)) | 237 | pam_retval = pam_acct_mgmt((pam_handle_t *)pamh, 0); |
238 | if (pam_retval != PAM_SUCCESS) | ||
217 | { | 239 | { |
218 | log("PAM rejected by account configuration."); | 240 | log("PAM rejected by account configuration: %.200s", pam_strerror((pam_handle_t *)pamh, pam_retval)); |
219 | eat_packets_and_disconnect(username); | 241 | eat_packets_and_disconnect(username); |
220 | } | 242 | } |
221 | 243 | ||
222 | if (PAM_SUCCESS != pam_open_session((pam_handle_t *)pamh, 0)) | 244 | pam_retval = pam_open_session((pam_handle_t *)pamh, 0); |
245 | if (pam_retval != PAM_SUCCESS) | ||
223 | { | 246 | { |
224 | log("PAM session setup failed."); | 247 | log("PAM session setup failed: %.200s", pam_strerror((pam_handle_t *)pamh, pam_retval)); |
225 | eat_packets_and_disconnect(username); | 248 | eat_packets_and_disconnect(username); |
226 | } | 249 | } |
227 | } | 250 | } |
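Review bot: pam_cleanup_proc still leaves pamh pointing at the handle after pam_end has released it (new lines 202-207), so a second run of the cleanup, or a run after main's own pam_close_session/pam_end, would hand an already-released handle back to PAM; add `pamh = NULL;` after the pam_end block so the `pamh != NULL` guard actually prevents that. Whether main unregisters the cleanup before its own pam_end is not visible in this commit, so treat this as a defensive change rather than a confirmed double release. The failure message on new lines 205-206 also passes the just-ended handle to pam_strerror; implementations that ignore the handle argument will cope, but the handle is not valid PAM input after pam_end, so logging only the numeric pam_retval there would be safer. Separately, the visible body of do_pam_account_and_session (which is the whole function) never uses its password parameter, so the cleartext password is being passed one call further than it needs to be; a short comment saying why it is kept, or removing it from the signature when callers allow, would be worth doing.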
@@ -815,8 +838,10 @@ main(int ac, char **av) | |||
815 | 838 | ||
816 | if (pamh != NULL) | 839 | if (pamh != NULL) |
817 | { | 840 | { |
841 | debug("Closing PAM session."); | ||
818 | retval = pam_close_session((pam_handle_t *)pamh, 0); | 842 | retval = pam_close_session((pam_handle_t *)pamh, 0); |
819 | 843 | ||
844 | debug("Terminating PAM library."); | ||
820 | if (pam_end((pam_handle_t *)pamh, retval) != PAM_SUCCESS) | 845 | if (pam_end((pam_handle_t *)pamh, retval) != PAM_SUCCESS) |
821 | log("Cannot release PAM authentication."); | 846 | log("Cannot release PAM authentication."); |
822 | 847 | ||
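Review bot: The shutdown path in main still logs a pam_end failure without pam_strerror and never reports a pam_close_session failure (new lines 842-846), while pam_cleanup_proc in this same commit does both, so the two shutdown paths now diverge; mirror the cleanup's handling here, e.g. `if (retval != PAM_SUCCESS) log("Cannot close PAM session: %.200s", pam_strerror((pam_handle_t *)pamh, retval));` before the pam_end call and add pam_strerror to the existing release message. Since this block duplicates pam_cleanup_proc's logic, the lower-maintenance fix is to call that helper here, provided the fatal cleanup is unregistered or pamh is cleared afterwards so pam_end cannot run a second time; neither is visible in this hunk. main starts and ends outside the hunk.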
@@ -1111,7 +1136,10 @@ do_authentication(char *user, int privileged_port) | |||
1111 | char *client_user = NULL; | 1136 | char *client_user = NULL; |
1112 | unsigned int client_host_key_bits; | 1137 | unsigned int client_host_key_bits; |
1113 | BIGNUM *client_host_key_e, *client_host_key_n; | 1138 | BIGNUM *client_host_key_e, *client_host_key_n; |
1114 | 1139 | #ifdef HAVE_LIBPAM | |
1140 | int pam_retval; | ||
1141 | #endif /* HAVE_LIBPAM */ | ||
1142 | |||
1115 | #ifdef AFS | 1143 | #ifdef AFS |
1116 | /* If machine has AFS, set process authentication group. */ | 1144 | /* If machine has AFS, set process authentication group. */ |
1117 | if (k_hasafs()) { | 1145 | if (k_hasafs()) { |
@@ -1136,15 +1164,14 @@ do_authentication(char *user, int privileged_port) | |||
1136 | pw = &pwcopy; | 1164 | pw = &pwcopy; |
1137 | 1165 | ||
1138 | #ifdef HAVE_LIBPAM | 1166 | #ifdef HAVE_LIBPAM |
1139 | if (PAM_SUCCESS != pam_start("sshd", pw->pw_name, &conv, (pam_handle_t**)&pamh)) | 1167 | debug("Starting up PAM with username \"%.200s\"", pw->pw_name); |
1168 | pam_retval = pam_start("sshd", pw->pw_name, &conv, (pam_handle_t**)&pamh); | ||
1169 | if (pam_retval != PAM_SUCCESS) | ||
1140 | { | 1170 | { |
1141 | packet_start(SSH_SMSG_FAILURE); | 1171 | log("PAM initialisation failed: %.200s", pam_strerror((pam_handle_t *)pamh, pam_retval)); |
1142 | packet_send(); | 1172 | eat_packets_and_disconnect(user); |
1143 | packet_write_wait(); | ||
1144 | packet_disconnect("PAM initialisation failed."); | ||
1145 | } | 1173 | } |
1146 | 1174 | fatal_add_cleanup(&pam_cleanup_proc, NULL); | |
1147 | fatal_add_cleanup(&pam_cleanup_proc, NULL); | ||
1148 | #endif | 1175 | #endif |
1149 | 1176 | ||
1150 | /* If we are not running as root, the user must have the same uid as the | 1177 | /* If we are not running as root, the user must have the same uid as the |
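Review bot: On a failed pam_start the new error path on new line 1171 passes pamh to pam_strerror, but no handle has been established when pam_start fails, so whatever pamh holds there depends on what the library wrote into it (if anything); prefer `pam_strerror(NULL, pam_retval)` where the PAM implementation accepts a NULL handle, or log only the numeric code, and make sure pamh stays NULL on that path so the later `if (pamh != NULL)` checks do not act on a bogus pointer. The switch from packet_disconnect to eat_packets_and_disconnect(user) also introduces an ordering dependency: fatal_add_cleanup on new line 1174 is only safe to reach if eat_packets_and_disconnect never returns, otherwise the cleanup gets registered against an uninitialised handle; a comment such as `/* eat_packets_and_disconnect() does not return */` above the call would make that contract explicit. do_authentication starts and ends outside this hunk.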
@@ -1405,15 +1432,17 @@ do_authentication(char *user, int privileged_port) | |||
1405 | 1432 | ||
1406 | #ifdef HAVE_LIBPAM | 1433 | #ifdef HAVE_LIBPAM |
1407 | pampasswd = password; | 1434 | pampasswd = password; |
1408 | 1435 | ||
1409 | if (PAM_SUCCESS == pam_authenticate((pam_handle_t *)pamh, 0)) | 1436 | pam_retval = pam_authenticate((pam_handle_t *)pamh, 0); |
1437 | if (pam_retval == PAM_SUCCESS) | ||
1410 | { | 1438 | { |
1411 | log("PAM Password authentication accepted for %.100s.", user); | 1439 | log("PAM Password authentication accepted for \"%.100s\"", user); |
1412 | authenticated = 1; | 1440 | authenticated = 1; |
1413 | break; | 1441 | break; |
1414 | } else | 1442 | } else |
1415 | { | 1443 | { |
1416 | log("PAM Password authentication for %.100s failed.", user); | 1444 | log("PAM Password authentication for \"%.100s\" failed: %s", |
1445 | user, pam_strerror((pam_handle_t *)pamh, pam_retval)); | ||
1417 | break; | 1446 | break; |
1418 | } | 1447 | } |
1419 | #else /* HAVE_LIBPAM */ | 1448 | #else /* HAVE_LIBPAM */ |
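Review bot: The failure log on new lines 1444-1445 formats the pam_strerror result with an unbounded `%s`, unlike the `%.200s` used for every other pam_strerror message in this commit; change the format to `log("PAM Password authentication for \"%.100s\" failed: %.200s",` for consistency and to bound the line handed to the logger. The cleartext password is also exposed to the conversation function through the pampasswd global on new line 1434 and the pointer is never cleared after pam_authenticate returns within this hunk; adding `pampasswd = NULL;` after the call, before either `break`, keeps the global from dangling once password is released, unless that is already done where password is freed, which is outside this view. The switch or loop that these `break` statements leave starts outside the hunk.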