diff options
| author | Damien Miller <djm@mindrot.org> | 2017-07-28 14:50:59 +1000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2017-07-28 15:04:00 +1000 |
| commit | 94bc1e7ffba3cbdea8c7dcdab8376bf29283128f (patch) | |
| tree | 8d401b50805c125226e2c9aeb073ced1946c76b1 | |
| parent | c78e6eec78c88acf8d51db90ae05a3e39458603d (diff) | |
Expose list of completed auth methods to PAM
bz#2408; ok dtucker@
| -rw-r--r-- | auth-pam.c | 26 | ||||
| -rw-r--r-- | session.c | 26 |
2 files changed, 46 insertions, 6 deletions
diff --git a/auth-pam.c b/auth-pam.c index 9574d9ac7..de29c04c9 100644 --- a/auth-pam.c +++ b/auth-pam.c | |||
| @@ -926,6 +926,27 @@ finish_pam(void) | |||
| 926 | sshpam_cleanup(); | 926 | sshpam_cleanup(); |
| 927 | } | 927 | } |
| 928 | 928 | ||
| 929 | static void | ||
| 930 | expose_authinfo(const char *caller) | ||
| 931 | { | ||
| 932 | char *auth_info; | ||
| 933 | |||
| 934 | /* | ||
| 935 | * Expose authentication information to PAM. | ||
| 936 | * The enviornment variable is versioned. Please increment the | ||
| 937 | * version suffix if the format of session_info changes. | ||
| 938 | */ | ||
| 939 | if (sshpam_authctxt->session_info == NULL) | ||
| 940 | auth_info = xstrdup(""); | ||
| 941 | else if ((auth_info = sshbuf_dup_string( | ||
| 942 | sshpam_authctxt->session_info)) == NULL) | ||
| 943 | fatal("%s: sshbuf_dup_string failed", __func__); | ||
| 944 | |||
| 945 | debug2("%s: auth information in SSH_AUTH_INFO_0", caller); | ||
| 946 | do_pam_putenv("SSH_AUTH_INFO_0", auth_info); | ||
| 947 | free(auth_info); | ||
| 948 | } | ||
| 949 | |||
| 929 | u_int | 950 | u_int |
| 930 | do_pam_account(void) | 951 | do_pam_account(void) |
| 931 | { | 952 | { |
| @@ -933,6 +954,8 @@ do_pam_account(void) | |||
| 933 | if (sshpam_account_status != -1) | 954 | if (sshpam_account_status != -1) |
| 934 | return (sshpam_account_status); | 955 | return (sshpam_account_status); |
| 935 | 956 | ||
| 957 | expose_authinfo(__func__); | ||
| 958 | |||
| 936 | sshpam_err = pam_acct_mgmt(sshpam_handle, 0); | 959 | sshpam_err = pam_acct_mgmt(sshpam_handle, 0); |
| 937 | debug3("PAM: %s pam_acct_mgmt = %d (%s)", __func__, sshpam_err, | 960 | debug3("PAM: %s pam_acct_mgmt = %d (%s)", __func__, sshpam_err, |
| 938 | pam_strerror(sshpam_handle, sshpam_err)); | 961 | pam_strerror(sshpam_handle, sshpam_err)); |
| @@ -1057,6 +1080,9 @@ void | |||
| 1057 | do_pam_session(void) | 1080 | do_pam_session(void) |
| 1058 | { | 1081 | { |
| 1059 | debug3("PAM: opening session"); | 1082 | debug3("PAM: opening session"); |
| 1083 | |||
| 1084 | expose_authinfo(__func__); | ||
| 1085 | |||
| 1060 | sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, | 1086 | sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, |
| 1061 | (const void *)&store_conv); | 1087 | (const void *)&store_conv); |
| 1062 | if (sshpam_err != PAM_SUCCESS) | 1088 | if (sshpam_err != PAM_SUCCESS) |
| @@ -984,8 +984,9 @@ read_etc_default_login(char ***env, u_int *envsize, uid_t uid) | |||
| 984 | } | 984 | } |
| 985 | #endif /* HAVE_ETC_DEFAULT_LOGIN */ | 985 | #endif /* HAVE_ETC_DEFAULT_LOGIN */ |
| 986 | 986 | ||
| 987 | void | 987 | static void |
| 988 | copy_environment(char **source, char ***env, u_int *envsize) | 988 | copy_environment_blacklist(char **source, char ***env, u_int *envsize, |
| 989 | const char *blacklist) | ||
| 989 | { | 990 | { |
| 990 | char *var_name, *var_val; | 991 | char *var_name, *var_val; |
| 991 | int i; | 992 | int i; |
| @@ -1001,13 +1002,22 @@ copy_environment(char **source, char ***env, u_int *envsize) | |||
| 1001 | } | 1002 | } |
| 1002 | *var_val++ = '\0'; | 1003 | *var_val++ = '\0'; |
| 1003 | 1004 | ||
| 1004 | debug3("Copy environment: %s=%s", var_name, var_val); | 1005 | if (blacklist == NULL || |
| 1005 | child_set_env(env, envsize, var_name, var_val); | 1006 | match_pattern_list(var_name, blacklist, 0) != 1) { |
| 1007 | debug3("Copy environment: %s=%s", var_name, var_val); | ||
| 1008 | child_set_env(env, envsize, var_name, var_val); | ||
| 1009 | } | ||
| 1006 | 1010 | ||
| 1007 | free(var_name); | 1011 | free(var_name); |
| 1008 | } | 1012 | } |
| 1009 | } | 1013 | } |
| 1010 | 1014 | ||
| 1015 | void | ||
| 1016 | copy_environment(char **source, char ***env, u_int *envsize) | ||
| 1017 | { | ||
| 1018 | copy_environment_blacklist(source, env, envsize, NULL); | ||
| 1019 | } | ||
| 1020 | |||
| 1011 | static char ** | 1021 | static char ** |
| 1012 | do_setup_env(Session *s, const char *shell) | 1022 | do_setup_env(Session *s, const char *shell) |
| 1013 | { | 1023 | { |
| @@ -1169,12 +1179,16 @@ do_setup_env(Session *s, const char *shell) | |||
| 1169 | if (options.use_pam) { | 1179 | if (options.use_pam) { |
| 1170 | char **p; | 1180 | char **p; |
| 1171 | 1181 | ||
| 1182 | /* | ||
| 1183 | * Don't allow SSH_AUTH_INFO variables posted to PAM to leak | ||
| 1184 | * back into the environment. | ||
| 1185 | */ | ||
| 1172 | p = fetch_pam_child_environment(); | 1186 | p = fetch_pam_child_environment(); |
| 1173 | copy_environment(p, &env, &envsize); | 1187 | copy_environment_blacklist(p, &env, &envsize, "SSH_AUTH_INFO*"); |
| 1174 | free_pam_environment(p); | 1188 | free_pam_environment(p); |
| 1175 | 1189 | ||
| 1176 | p = fetch_pam_environment(); | 1190 | p = fetch_pam_environment(); |
| 1177 | copy_environment(p, &env, &envsize); | 1191 | copy_environment_blacklist(p, &env, &envsize, "SSH_AUTH_INFO*"); |
| 1178 | free_pam_environment(p); | 1192 | free_pam_environment(p); |
| 1179 | } | 1193 | } |
| 1180 | #endif /* USE_PAM */ | 1194 | #endif /* USE_PAM */ |