- (djm) Workaround PAM inconsistencies between Solaris derived PAM code

   and Linux-PAM. Based on report and fix from Andrew Morgan
   <morgan@transmeta.com>

7 files changed, 41 insertions, 15 deletions

diff --git a/CREDITS b/CREDITS
index b8c54824a..797b1895a 100644
--- a/CREDITS
+++ b/CREDITS
@@ -8,6 +8,7 @@ Alexandre Oliva <oliva@lsd.ic.unicamp.br> - AIX fixes
 Andre Lucas <andre.lucas@dial.pipex.com> - new login code, many fixes
 Andreas Steinmetz <ast@domdv.de> - Shadow password expiry support
 Andrew McGill <andrewm@datrix.co.za> - SCO fixes
+Andrew Morgan <morgan@transmeta.com> - PAM bugfixes
 Andrew Stribblehill <a.d.stribblehill@durham.ac.uk> - Bugfixes
 Andy Sloane <andy@guildsoftware.com> - bugfixes
 Aran Cox <acox@cv.telegroup.com> - SCO bugfixes
diff --git a/ChangeLog b/ChangeLog
index 38bd2b3f4..a99195e5d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+20001220
+ - (djm) Workaround PAM inconsistencies between Solaris derived PAM code 
+   and Linux-PAM. Based on report and fix from Andrew Morgan
+   <morgan@transmeta.com>
+
 20001218
  - (stevesk) rsa.c: entropy.h not needed.
  - (bal) split CFLAGS into CFLAGS and CPPFLAGS in configure.in and Makefile.
diff --git a/acconfig.h b/acconfig.h
index bfbacba42..21832fe2d 100644
--- a/acconfig.h
+++ b/acconfig.h
@@ -218,6 +218,10 @@
 /* to pam_strerror */
 #undef HAVE_OLD_PAM
 
+/* Define if you are using Solaris-derived PAM which passes pam_messages  */
+/* to the conversation function with an extra level of indirection */
+#undef PAM_SUN_CODEBASE
+ 
 /* Set this to your mail directory if you don't have maillock.h */
 #undef MAIL_DIRECTORY
 
diff --git a/auth-pam.c b/auth-pam.c
index 1e077602e..07847cb9d 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -29,7 +29,7 @@
 #include "xmalloc.h"
 #include "servconf.h"
 
-RCSID("$Id: auth-pam.c,v 1.19 2000/12/03 00:51:51 djm Exp $");
+RCSID("$Id: auth-pam.c,v 1.20 2000/12/20 02:34:49 djm Exp $");
 
 #define NEW_AUTHTOK_MSG \
         "Warning: Your password has expired, please change it now"
@@ -97,13 +97,13 @@ static int pamconv(int num_msg, const struct pam_message **msg,
                 return PAM_CONV_ERR; 
 
         for (count = 0; count < num_msg; count++) {
-                switch ((*msg)[count].msg_style) {
+                switch(PAM_MSG_MEMBER(msg, count, msg_style)) {
                         case PAM_PROMPT_ECHO_ON:
                                 if (pamstate == INITIAL_LOGIN) {
                                         free(reply);
                                         return PAM_CONV_ERR;
                                 } else {
-                                        fputs((*msg)[count].msg, stderr);
+                                        fputs(PAM_MSG_MEMBER(msg, count, msg), stderr);
                                         fgets(buf, sizeof(buf), stdin);
                                         reply[count].resp = xstrdup(buf);
                                         reply[count].resp_retcode = PAM_SUCCESS;
@@ -118,7 +118,7 @@ static int pamconv(int num_msg, const struct pam_message **msg,
                                         reply[count].resp = xstrdup(pampasswd);
                                 } else {
                                         reply[count].resp = 
-                                                xstrdup(read_passphrase((*msg)[count].msg, 1));
+                                                xstrdup(read_passphrase(PAM_MSG_MEMBER(msg, count, msg), 1));
                                 }
                                 reply[count].resp_retcode = PAM_SUCCESS;
                                 break;
@@ -126,9 +126,9 @@ static int pamconv(int num_msg, const struct pam_message **msg,
                         case PAM_TEXT_INFO:
                                 if ((*msg)[count].msg != NULL) {
                                         if (pamstate == INITIAL_LOGIN)
-                                                pam_msg_cat((*msg)[count].msg);
+                                                pam_msg_cat(PAM_MSG_MEMBER(msg, count, msg));
                                         else {
-                                                fputs((*msg)[count].msg, stderr);
+                                                fputs(PAM_MSG_MEMBER(msg, count, msg), stderr);
                                                 fputs("\n", stderr);
                                         }
                                 }
diff --git a/auth2-pam.c b/auth2-pam.c
index 8ffbc244c..30e02101e 100644
--- a/auth2-pam.c
+++ b/auth2-pam.c
@@ -1,5 +1,5 @@
 #include "includes.h"
-RCSID("$Id: auth2-pam.c,v 1.1 2000/12/03 00:51:51 djm Exp $");
+RCSID("$Id: auth2-pam.c,v 1.2 2000/12/20 02:34:49 djm Exp $");
 
 #ifdef USE_PAM
 #include "ssh.h"
@@ -70,8 +70,8 @@ do_conversation2(int num_msg, const struct pam_message **msg,
         packet_put_cstring("");                         /* Instructions */
         packet_put_cstring("");                         /* Language */
         for (i = 0, j = 0; i < num_msg; i++) {
-                if(((*msg)[i].msg_style == PAM_PROMPT_ECHO_ON) ||
-                   ((*msg)[i].msg_style == PAM_PROMPT_ECHO_OFF) ||
+                if((PAM_MSG_MEMBER(msg, i, msg_style) == PAM_PROMPT_ECHO_ON) ||
+                   (PAM_MSG_MEMBER(msg, i, msg_style) == PAM_PROMPT_ECHO_OFF) ||
                    (i == num_msg - 1)) {
                         j++;
                 }
@@ -79,7 +79,7 @@ do_conversation2(int num_msg, const struct pam_message **msg,
         packet_put_int(j);                              /* Number of prompts. */
         context_pam2.num_expected = j;
         for (i = 0, j = 0; i < num_msg; i++) {
-                switch((*msg)[i].msg_style) {
+                switch(PAM_MSG_MEMBER(msg, i, msg_style)) {
                         case PAM_PROMPT_ECHO_ON:
                                 echo = 1;
                                 break;
@@ -91,18 +91,18 @@ do_conversation2(int num_msg, const struct pam_message **msg,
                                 break;
                 }
                 if(text) {
-                        tmp = xmalloc(strlen(text) + strlen((*msg)[i].msg) + 2);
+                        tmp = xmalloc(strlen(text) + strlen(PAM_MSG_MEMBER(msg, i, msg)) + 2);
                         strcpy(tmp, text);
                         strcat(tmp, "\n");
-                        strcat(tmp, (*msg)[i].msg);
+                        strcat(tmp, PAM_MSG_MEMBER(msg, i, msg));
                         xfree(text);
                         text = tmp;
                         tmp = NULL;
                 } else {
-                        text = xstrdup((*msg)[i].msg);
+                        text = xstrdup(PAM_MSG_MEMBER(msg, i, msg));
                 }
-                if(((*msg)[i].msg_style == PAM_PROMPT_ECHO_ON) ||
-                   ((*msg)[i].msg_style == PAM_PROMPT_ECHO_OFF) ||
+                if((PAM_MSG_MEMBER(msg, i, msg_style) == PAM_PROMPT_ECHO_ON) ||
+                   (PAM_MSG_MEMBER(msg, i, msg_style) == PAM_PROMPT_ECHO_OFF) ||
                    (i == num_msg - 1)) {
                         debug("sending prompt ssh-%d(pam-%d) = \"%s\"",
                               j, i, text);
diff --git a/configure.in b/configure.in
index 9f3b10c43..4601cd38b 100644
--- a/configure.in
+++ b/configure.in
@@ -88,6 +88,7 @@ case "$host" in
 *-*-hpux11*)
         CPPFLAGS="$CPPFLAGS -D_HPUX_SOURCE"
         IPADDR_IN_DISPLAY=yes
+        AC_DEFINE(PAM_SUN_CODEBASE)
         AC_DEFINE(USE_PIPES)
         AC_DEFINE(DISABLE_SHADOW)
         AC_DEFINE(DISABLE_UTMP)
@@ -149,6 +150,7 @@ mips-sony-bsd|mips-sony-newsos4)
         CPPFLAGS="$CPPFLAGS -I/usr/local/include"
         LDFLAGS="$LDFLAGS -L/usr/local/lib -R/usr/local/lib -L/usr/ucblib -R/usr/ucblib"
         need_dash_r=1
+        AC_DEFINE(PAM_SUN_CODEBASE)
         # hardwire lastlog location (can't detect it on some versions)
         conf_lastlog_location="/var/adm/lastlog"
         AC_MSG_CHECKING(for obsolete utmp and wtmp in solaris2.x)
@@ -164,6 +166,7 @@ mips-sony-bsd|mips-sony-newsos4)
 *-*-sunos4*)
         CPPFLAGS="$CPPFLAGS -DSUNOS4"
         AC_CHECK_FUNCS(getpwanam)
+        AC_DEFINE(PAM_SUN_CODEBASE)
         conf_utmp_location=/etc/utmp
         conf_wtmp_location=/var/adm/wtmp
         conf_lastlog_location=/var/adm/lastlog
@@ -1614,6 +1617,13 @@ echo "         Libraries: ${LIBS}"
 
 echo ""
 
+if test "x$PAM_MSG" = "xyes" ; then
+        echo "PAM is enabled. You may need to install a PAM control file for sshd,"
+        echo "otherwise password authentication may fail. Example PAM control files"
+        echo "can be found in the contrib/ subdirectory"
+        echo ""
+fi
+
 if test ! -z "$BUILTIN_RNG" ; then
         echo "WARNING: you are using the builtin random number collection service."
         echo "Please read WARNING.RNG and request that your OS vendor includes"
diff --git a/defines.h b/defines.h
index 642b00797..4c3941cad 100644
--- a/defines.h
+++ b/defines.h
@@ -340,6 +340,12 @@ struct winsize {
 # define PAM_STRERROR(a,b) pam_strerror((a),(b))
 #endif
 
+#ifdef PAM_SUN_CODEBASE
+# define PAM_MSG_MEMBER(msg, n, member) ((*(msg))[(n)].member)
+#else
+# define PAM_MSG_MEMBER(msg, n, member) ((msg)[(n)]->member)
+#endif
+
 #if defined(BROKEN_GETADDRINFO) && defined(HAVE_GETADDRINFO)
 # undef HAVE_GETADDRINFO
 #endif /* defined(BROKEN_GETADDRINFO) && defined(HAVE_GETADDRINFO) */