author | Darren Tucker <dtucker@zip.com.au> | 2004-08-16 23:12:05 +1000 |
---|---|---|
committer | Darren Tucker <dtucker@zip.com.au> | 2004-08-16 23:12:05 +1000 |
commit | 21dd0897d53b5850c3fe1dff43494db3024e3d97 (patch) | |
tree | 726cc8d8f72b2a22209bc13a730018db055985e9 | |
parent | 0cbc3c65094079b5908b3357d69e6cf7b1d94a80 (diff) |
- (dtucker) [acconfig.h auth-pam.c configure.ac] Set real uid to non-root
to convince Solaris PAM to honour password complexity rules. ok djm@
-rw-r--r-- | ChangeLog | 6 | ||||
-rw-r--r-- | acconfig.h | 5 | ||||
-rw-r--r-- | auth-pam.c | 27 | ||||
-rw-r--r-- | configure.ac | 3 |
4 files changed, 37 insertions, 4 deletions
@@ -1,3 +1,7 @@ | |||
1 | 20040816 | ||
2 | - (dtucker) [acconfig.h auth-pam.c configure.ac] Set real uid to non-root | ||
3 | to convince Solaris PAM to honour password complexity rules. ok djm@ | ||
4 | |||
1 | 20040815 | 5 | 20040815 |
2 | - (dtucker) [Makefile.in ssh-keysign.c ssh.c] Use permanently_set_uid() since | 6 | - (dtucker) [Makefile.in ssh-keysign.c ssh.c] Use permanently_set_uid() since |
3 | it does the right thing on all platforms. ok djm@ | 7 | it does the right thing on all platforms. ok djm@ |
@@ -1641,4 +1645,4 @@ | |||
1641 | - (djm) Trim deprecated options from INSTALL. Mention UsePAM | 1645 | - (djm) Trim deprecated options from INSTALL. Mention UsePAM |
1642 | - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu | 1646 | - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu |
1643 | 1647 | ||
1644 | $Id: ChangeLog,v 1.3512 2004/08/15 11:01:37 dtucker Exp $ | 1648 | $Id: ChangeLog,v 1.3513 2004/08/16 13:12:05 dtucker Exp $ |
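--- a/acconfig.h
+++ b/acconfig.h
@@ -1,4 +1,4 @@
-/* $Id: acconfig.h,v 1.179 2004/08/15 08:40:59 djm Exp $ */
+/* $Id: acconfig.h,v 1.180 2004/08/16 13:12:06 dtucker Exp $ */
 
 /*
 * Copyright (c) 1999-2003 Damien Miller. All rights reserved.
@@ -104,6 +104,9 @@
 /* Work around problematic Linux PAM modules handling of PAM_TTY */
 #undef PAM_TTY_KLUDGE
 
+/* Define if pam_chauthtok wants real uid set to the unpriv'ed user */
+#undef SSHPAM_CHAUTHTOK_NEEDS_RUID
+
 /* Use PIPES instead of a socketpair() */
 #undef USE_PIPES
 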
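--- a/auth-pam.c
+++ b/auth-pam.c
@@ -47,7 +47,7 @@
 
 /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */
 #include "includes.h"
-RCSID("$Id: auth-pam.c,v 1.113 2004/07/21 10:54:47 djm Exp $");
+RCSID("$Id: auth-pam.c,v 1.114 2004/08/16 13:12:06 dtucker Exp $");
 
 #ifdef USE_PAM
 #if defined(HAVE_SECURITY_PAM_APPL_H)
@@ -201,6 +201,31 @@ pam_getenvlist(pam_handle_t *pamh)
 }
 #endif
 
+/*
+* Some platforms, notably Solaris, do not enforce password complexity
+* rules during pam_chauthtok() if the real uid of the calling process
+* is 0, on the assumption that it's being called by "passwd" run by root.
+* This wraps pam_chauthtok and sets/restore the real uid so PAM will do
+* the right thing.
+*/
+#ifdef SSHPAM_CHAUTHTOK_NEEDS_RUID
+static int
+sshpam_chauthtok_ruid(pam_handle_t *pamh, int flags)
+{
+int result;
+
+if (sshpam_authctxt == NULL)
+fatal("PAM: sshpam_authctxt not initialized");
+if (setreuid(sshpam_authctxt->pw->pw_uid, -1) == -1)
+fatal("%s: setreuid failed: %s", __func__, strerror(errno));
+result = pam_chauthtok(pamh, flags);
+if (setreuid(0, -1) == -1)
+fatal("%s: setreuid failed: %s", __func__, strerror(errno));
+return result;
+}
+# define pam_chauthtok(a,b) (sshpam_chauthtok_ruid((a), (b)))
+#endif
+
 void
 sshpam_password_change_required(int reqd)
 {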
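Review bot: The restore after pam_chauthtok() at line 222 hardcodes uid 0 instead of the real uid that was in effect before the swap; saving it first with `uid_t saved_ruid = getuid();` and restoring with `if (setreuid(saved_ruid, -1) == -1)` keeps the wrapper correct should it ever run with a non-root real uid, while the existing fatal() on a failed restore remains the right fail-closed choice. The `# define pam_chauthtok(a,b)` at line 226 is only safe because it follows the function body, so the call on line 221 still binds to the library symbol; a comment there, `/* defined after the wrapper so the call inside it reaches the real pam_chauthtok() */`, would stop a future reorder from turning the wrapper into unbounded recursion. sshpam_authctxt->pw is dereferenced at line 219 without a NULL check; whether pw can be NULL on this path is not visible in the hunk, so confirm it or add a guard that reports it through fatal() like the line above.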
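--- a/configure.ac
+++ b/configure.ac
@@ -1,4 +1,4 @@
-# $Id: configure.ac,v 1.225 2004/08/15 08:40:59 djm Exp $
+# $Id: configure.ac,v 1.226 2004/08/16 13:12:06 dtucker Exp $
 #
 # Copyright (c) 1999-2004 Damien Miller
 #
@@ -298,6 +298,7 @@ mips-sony-bsd|mips-sony-newsos4)
 AC_DEFINE(LOGIN_NEEDS_UTMPX)
 AC_DEFINE(LOGIN_NEEDS_TERM)
 AC_DEFINE(PAM_TTY_KLUDGE)
+AC_DEFINE(SSHPAM_CHAUTHTOK_NEEDS_RUID)
 AC_DEFINE(LOCKED_PASSWD_STRING, "*LK*")
 # Pushing STREAMS modules will cause sshd to acquire a controlling tty.
 AC_DEFINE(SSHD_ACQUIRES_CTTY)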