diff options
| author | Damien Miller <djm@mindrot.org> | 2019-01-20 10:22:18 +1100 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2019-01-20 10:22:18 +1100 |
| commit | 3f0786bbe73609ac96e5a0d91425ee21129f8e04 (patch) | |
| tree | be9ab562ad56a3948fee1f27fc9a13e4700b3661 | |
| parent | 08f66d9f17e12c1140d1f1cf5c4dce67e915d3cc (diff) | |
remove PAM dependencies on old packet API
Requires some caching of values, because the PAM code isn't
always called with packet context.
| -rw-r--r-- | auth-pam.c | 68 | ||||
| -rw-r--r-- | auth-pam.h | 2 | ||||
| -rw-r--r-- | auth2.c | 2 | ||||
| -rw-r--r-- | monitor.c | 2 | ||||
| -rw-r--r-- | monitor_wrap.c | 2 | ||||
| -rw-r--r-- | monitor_wrap.h | 2 |
6 files changed, 47 insertions, 31 deletions
diff --git a/auth-pam.c b/auth-pam.c index d67324e1f..bde0a8f56 100644 --- a/auth-pam.c +++ b/auth-pam.c | |||
| @@ -248,6 +248,9 @@ static int sshpam_maxtries_reached = 0; | |||
| 248 | static char **sshpam_env = NULL; | 248 | static char **sshpam_env = NULL; |
| 249 | static Authctxt *sshpam_authctxt = NULL; | 249 | static Authctxt *sshpam_authctxt = NULL; |
| 250 | static const char *sshpam_password = NULL; | 250 | static const char *sshpam_password = NULL; |
| 251 | static char *sshpam_rhost = NULL; | ||
| 252 | static char *sshpam_laddr = NULL; | ||
| 253 | static char *sshpam_conninfo = NULL; | ||
| 251 | 254 | ||
| 252 | /* Some PAM implementations don't implement this */ | 255 | /* Some PAM implementations don't implement this */ |
| 253 | #ifndef HAVE_PAM_GETENVLIST | 256 | #ifndef HAVE_PAM_GETENVLIST |
| @@ -669,14 +672,17 @@ sshpam_cleanup(void) | |||
| 669 | } | 672 | } |
| 670 | 673 | ||
| 671 | static int | 674 | static int |
| 672 | sshpam_init(Authctxt *authctxt) | 675 | sshpam_init(struct ssh *ssh, Authctxt *authctxt) |
| 673 | { | 676 | { |
| 674 | const char *pam_rhost, *pam_user, *user = authctxt->user; | 677 | const char *pam_user, *user = authctxt->user; |
| 675 | const char **ptr_pam_user = &pam_user; | 678 | const char **ptr_pam_user = &pam_user; |
| 676 | char *laddr, *conninfo; | ||
| 677 | struct ssh *ssh = active_state; /* XXX */ | ||
| 678 | 679 | ||
| 679 | if (sshpam_handle != NULL) { | 680 | if (sshpam_handle == NULL) { |
| 681 | if (ssh == NULL) { | ||
| 682 | fatal("%s: called initially with no " | ||
| 683 | "packet context", __func__); | ||
| 684 | } | ||
| 685 | } if (sshpam_handle != NULL) { | ||
| 680 | /* We already have a PAM context; check if the user matches */ | 686 | /* We already have a PAM context; check if the user matches */ |
| 681 | sshpam_err = pam_get_item(sshpam_handle, | 687 | sshpam_err = pam_get_item(sshpam_handle, |
| 682 | PAM_USER, (sshpam_const void **)ptr_pam_user); | 688 | PAM_USER, (sshpam_const void **)ptr_pam_user); |
| @@ -695,22 +701,32 @@ sshpam_init(Authctxt *authctxt) | |||
| 695 | sshpam_handle = NULL; | 701 | sshpam_handle = NULL; |
| 696 | return (-1); | 702 | return (-1); |
| 697 | } | 703 | } |
| 698 | pam_rhost = auth_get_canonical_hostname(ssh, options.use_dns); | ||
| 699 | debug("PAM: setting PAM_RHOST to \"%s\"", pam_rhost); | ||
| 700 | sshpam_err = pam_set_item(sshpam_handle, PAM_RHOST, pam_rhost); | ||
| 701 | if (sshpam_err != PAM_SUCCESS) { | ||
| 702 | pam_end(sshpam_handle, sshpam_err); | ||
| 703 | sshpam_handle = NULL; | ||
| 704 | return (-1); | ||
| 705 | } | ||
| 706 | 704 | ||
| 707 | laddr = get_local_ipaddr(packet_get_connection_in()); | 705 | if (ssh != NULL && sshpam_rhost == NULL) { |
| 708 | xasprintf(&conninfo, "SSH_CONNECTION=%.50s %d %.50s %d", | 706 | /* |
| 709 | ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), | 707 | * We need to cache these as we don't have packet context |
| 710 | laddr, ssh_local_port(ssh)); | 708 | * during the kbdint flow. |
| 711 | pam_putenv(sshpam_handle, conninfo); | 709 | */ |
| 712 | free(laddr); | 710 | sshpam_rhost = xstrdup(auth_get_canonical_hostname(ssh, |
| 713 | free(conninfo); | 711 | options.use_dns)); |
| 712 | sshpam_laddr = get_local_ipaddr( | ||
| 713 | ssh_packet_get_connection_in(ssh)); | ||
| 714 | xasprintf(&sshpam_conninfo, "SSH_CONNECTION=%.50s %d %.50s %d", | ||
| 715 | ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), | ||
| 716 | sshpam_laddr, ssh_local_port(ssh)); | ||
| 717 | } | ||
| 718 | if (sshpam_rhost != NULL) { | ||
| 719 | debug("PAM: setting PAM_RHOST to \"%s\"", sshpam_rhost); | ||
| 720 | sshpam_err = pam_set_item(sshpam_handle, PAM_RHOST, | ||
| 721 | sshpam_rhost); | ||
| 722 | if (sshpam_err != PAM_SUCCESS) { | ||
| 723 | pam_end(sshpam_handle, sshpam_err); | ||
| 724 | sshpam_handle = NULL; | ||
| 725 | return (-1); | ||
| 726 | } | ||
| 727 | /* Put SSH_CONNECTION in the PAM environment too */ | ||
| 728 | pam_putenv(sshpam_handle, sshpam_conninfo); | ||
| 729 | } | ||
| 714 | 730 | ||
| 715 | #ifdef PAM_TTY_KLUDGE | 731 | #ifdef PAM_TTY_KLUDGE |
| 716 | /* | 732 | /* |
| @@ -765,7 +781,7 @@ sshpam_init_ctx(Authctxt *authctxt) | |||
| 765 | return NULL; | 781 | return NULL; |
| 766 | 782 | ||
| 767 | /* Initialize PAM */ | 783 | /* Initialize PAM */ |
| 768 | if (sshpam_init(authctxt) == -1) { | 784 | if (sshpam_init(NULL, authctxt) == -1) { |
| 769 | error("PAM: initialization failed"); | 785 | error("PAM: initialization failed"); |
| 770 | return (NULL); | 786 | return (NULL); |
| 771 | } | 787 | } |
| @@ -797,7 +813,6 @@ static int | |||
| 797 | sshpam_query(void *ctx, char **name, char **info, | 813 | sshpam_query(void *ctx, char **name, char **info, |
| 798 | u_int *num, char ***prompts, u_int **echo_on) | 814 | u_int *num, char ***prompts, u_int **echo_on) |
| 799 | { | 815 | { |
| 800 | struct ssh *ssh = active_state; /* XXX */ | ||
| 801 | struct sshbuf *buffer; | 816 | struct sshbuf *buffer; |
| 802 | struct pam_ctxt *ctxt = ctx; | 817 | struct pam_ctxt *ctxt = ctx; |
| 803 | size_t plen; | 818 | size_t plen; |
| @@ -887,8 +902,7 @@ sshpam_query(void *ctx, char **name, char **info, | |||
| 887 | } | 902 | } |
| 888 | error("PAM: %s for %s%.100s from %.100s", msg, | 903 | error("PAM: %s for %s%.100s from %.100s", msg, |
| 889 | sshpam_authctxt->valid ? "" : "illegal user ", | 904 | sshpam_authctxt->valid ? "" : "illegal user ", |
| 890 | sshpam_authctxt->user, | 905 | sshpam_authctxt->user, sshpam_rhost); |
| 891 | auth_get_canonical_hostname(ssh, options.use_dns)); | ||
| 892 | /* FALLTHROUGH */ | 906 | /* FALLTHROUGH */ |
| 893 | default: | 907 | default: |
| 894 | *num = 0; | 908 | *num = 0; |
| @@ -1005,12 +1019,14 @@ KbdintDevice mm_sshpam_device = { | |||
| 1005 | * This replaces auth-pam.c | 1019 | * This replaces auth-pam.c |
| 1006 | */ | 1020 | */ |
| 1007 | void | 1021 | void |
| 1008 | start_pam(Authctxt *authctxt) | 1022 | start_pam(struct ssh *ssh) |
| 1009 | { | 1023 | { |
| 1024 | Authctxt *authctxt = (Authctxt *)ssh->authctxt; | ||
| 1025 | |||
| 1010 | if (!options.use_pam) | 1026 | if (!options.use_pam) |
| 1011 | fatal("PAM: initialisation requested when UsePAM=no"); | 1027 | fatal("PAM: initialisation requested when UsePAM=no"); |
| 1012 | 1028 | ||
| 1013 | if (sshpam_init(authctxt) == -1) | 1029 | if (sshpam_init(ssh, authctxt) == -1) |
| 1014 | fatal("PAM: initialisation failed"); | 1030 | fatal("PAM: initialisation failed"); |
| 1015 | } | 1031 | } |
| 1016 | 1032 | ||
diff --git a/auth-pam.h b/auth-pam.h index 419860745..9fcea270f 100644 --- a/auth-pam.h +++ b/auth-pam.h | |||
| @@ -27,7 +27,7 @@ | |||
| 27 | 27 | ||
| 28 | struct ssh; | 28 | struct ssh; |
| 29 | 29 | ||
| 30 | void start_pam(Authctxt *); | 30 | void start_pam(struct ssh *); |
| 31 | void finish_pam(void); | 31 | void finish_pam(void); |
| 32 | u_int do_pam_account(void); | 32 | u_int do_pam_account(void); |
| 33 | void do_pam_session(struct ssh *); | 33 | void do_pam_session(struct ssh *); |
| @@ -299,7 +299,7 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh) | |||
| 299 | } | 299 | } |
| 300 | #ifdef USE_PAM | 300 | #ifdef USE_PAM |
| 301 | if (options.use_pam) | 301 | if (options.use_pam) |
| 302 | PRIVSEP(start_pam(authctxt)); | 302 | PRIVSEP(start_pam(ssh)); |
| 303 | #endif | 303 | #endif |
| 304 | ssh_packet_set_log_preamble(ssh, "%suser %s", | 304 | ssh_packet_set_log_preamble(ssh, "%suser %s", |
| 305 | authctxt->valid ? "authenticating " : "invalid ", user); | 305 | authctxt->valid ? "authenticating " : "invalid ", user); |
| @@ -991,7 +991,7 @@ mm_answer_pam_start(struct ssh *ssh, int sock, struct sshbuf *m) | |||
| 991 | if (!options.use_pam) | 991 | if (!options.use_pam) |
| 992 | fatal("UsePAM not set, but ended up in %s anyway", __func__); | 992 | fatal("UsePAM not set, but ended up in %s anyway", __func__); |
| 993 | 993 | ||
| 994 | start_pam(authctxt); | 994 | start_pam(ssh); |
| 995 | 995 | ||
| 996 | monitor_permit(mon_dispatch, MONITOR_REQ_PAM_ACCOUNT, 1); | 996 | monitor_permit(mon_dispatch, MONITOR_REQ_PAM_ACCOUNT, 1); |
| 997 | if (options.kbd_interactive_authentication) | 997 | if (options.kbd_interactive_authentication) |
diff --git a/monitor_wrap.c b/monitor_wrap.c index 5a0964b69..f52b9c88c 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c | |||
| @@ -626,7 +626,7 @@ mm_session_pty_cleanup2(Session *s) | |||
| 626 | 626 | ||
| 627 | #ifdef USE_PAM | 627 | #ifdef USE_PAM |
| 628 | void | 628 | void |
| 629 | mm_start_pam(Authctxt *authctxt) | 629 | mm_start_pam(struct ssh *ssh) |
| 630 | { | 630 | { |
| 631 | struct sshbuf *m; | 631 | struct sshbuf *m; |
| 632 | 632 | ||
diff --git a/monitor_wrap.h b/monitor_wrap.h index 2b7052202..c7e0c91dd 100644 --- a/monitor_wrap.h +++ b/monitor_wrap.h | |||
| @@ -66,7 +66,7 @@ OM_uint32 mm_ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t); | |||
| 66 | #endif | 66 | #endif |
| 67 | 67 | ||
| 68 | #ifdef USE_PAM | 68 | #ifdef USE_PAM |
| 69 | void mm_start_pam(struct Authctxt *); | 69 | void mm_start_pam(struct ssh *ssh); |
| 70 | u_int mm_do_pam_account(void); | 70 | u_int mm_do_pam_account(void); |
| 71 | void *mm_sshpam_init_ctx(struct Authctxt *); | 71 | void *mm_sshpam_init_ctx(struct Authctxt *); |
| 72 | int mm_sshpam_query(void *, char **, char **, u_int *, char ***, u_int **); | 72 | int mm_sshpam_query(void *, char **, char **, u_int *, char ***, u_int **); |