- (djm) Added patch from Chris Adams <cmadams@hiwaay.net> to add OSF SIA

   support. Enable using "USE_SIA=1 ./configure [options]"

11 files changed, 95 insertions, 9 deletions

diff --git a/CREDITS b/CREDITS
index 1774e2760..4bcb1ae68 100644
--- a/CREDITS
+++ b/CREDITS
@@ -13,6 +13,7 @@ Ben Lindstrom <mouring@pconline.com> - NeXT support
 Ben Taylor <bent@clark.net> - Solaris debugging and fixes
 Bratislav ILICH <bilic@zepter.ru> - Configure fix
 Chip Salzenberg <chip@valinux.com> - Assorted patches
+Chris Adams <cmadams@hiwaay.net> - OSF SIA support
 Chris Saia <csaia@wtower.com> - SuSE packaging
 Chris, the Young One <cky@pobox.com> - Password auth fixes
 Christos Zoulas <christos@zoulas.com> - Autoconf fixes
diff --git a/ChangeLog b/ChangeLog
index 6398238b3..ea4667ad2 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -4,7 +4,9 @@
  - (djm) Patch from Michael Stone <mstone@cs.loyola.edu> to add support for
    Irix 6.x array sessions, project id's, and system audit trail id.
  - (djm) Added 'distprep' make target to simplify packaging
-
+ - (djm) Added patch from Chris Adams <cmadams@hiwaay.net> to add OSF SIA 
+   support. Enable using "USE_SIA=1 ./configure [options]"
+   
 20000627
  - (djm) Fixes to login code - not setting li->uid, cleanups
  - (djm) Formatting
diff --git a/acconfig.h b/acconfig.h
index 0a042587f..6f375212c 100644
--- a/acconfig.h
+++ b/acconfig.h
@@ -148,6 +148,9 @@
 /* Define if you want have trusted HPUX */
 #undef HAVE_HPUX_TRUSTED_SYSTEM_PW
 
+/* Define if you have Digital Unix Security Integration Architecture */
+#undef HAVE_OSF_SIA
+
 /* Define if you have getpwanam(3) [SunOS 4.x] */
 #undef HAVE_GETPWANAM
 
diff --git a/auth-passwd.c b/auth-passwd.c
index d722122c7..93756e9e6 100644
--- a/auth-passwd.c
+++ b/auth-passwd.c
@@ -9,10 +9,10 @@
 
 #include "includes.h"
 
-#ifndef USE_PAM
-
 RCSID("$OpenBSD: auth-passwd.c,v 1.16 2000/06/20 01:39:38 markus Exp $");
 
+#if !defined(USE_PAM) && !defined(HAVE_OSF_SIA)
+
 #include "packet.h"
 #include "ssh.h"
 #include "servconf.h"
@@ -139,4 +139,4 @@ auth_password(struct passwd * pw, const char *password)
         /* Authentication is accepted if the encrypted passwords are identical. */
         return (strcmp(encrypted_password, pw_password) == 0);
 }
-#endif /* !USE_PAM */
+#endif /* !USE_PAM && !HAVE_OSF_SIA */
diff --git a/auth1.c b/auth1.c
index 3e7efcb2a..0d440e521 100644
--- a/auth1.c
+++ b/auth1.c
@@ -18,6 +18,11 @@ RCSID("$OpenBSD: auth1.c,v 1.2 2000/04/29 18:11:52 markus Exp $");
 #include "auth.h"
 #include "session.h"
 
+#ifdef HAVE_OSF_SIA
+# include <sia.h>
+# include <siad.h>
+#endif
+
 /* import */
 extern ServerOptions options;
 extern char *forced_command;
@@ -141,6 +146,10 @@ do_authloop(struct passwd * pw)
         unsigned int ulen;
         int type = 0;
         void (*authlog) (const char *fmt,...) = verbose;
+#ifdef HAVE_OSF_SIA
+        extern int saved_argc;
+        extern char **saved_argv;
+#endif /* HAVE_OSF_SIA */
 
         /* Indicate that authentication is needed. */
         packet_start(SSH_SMSG_FAILURE);
@@ -299,7 +308,15 @@ do_authloop(struct passwd * pw)
 #ifdef USE_PAM
                         /* Do PAM auth with password */
                         authenticated = auth_pam_password(pw, password);
-#else /* USE_PAM */
+#elif defined(HAVE_OSF_SIA)
+                        /* Do SIA auth with password */
+                        host = get_canonical_hostname();
+                        if (sia_validate_user(NULL, saved_argc, saved_argv, 
+                                get_canonical_hostname(), pw->pw_name, NULL, 0, 
+                                NULL, password) == SIASUCCESS) {
+                                authenticated = 1;
+                        }
+#else /* !USE_PAM && !HAVE_OSF_SIA */
                         /* Try authentication with the password. */
                         authenticated = auth_password(pw, password);
 #endif /* USE_PAM */
diff --git a/auth2.c b/auth2.c
index a3d4ab60e..f20953a86 100644
--- a/auth2.c
+++ b/auth2.c
@@ -56,6 +56,11 @@ RCSID("$OpenBSD: auth2.c,v 1.11 2000/06/19 00:50:11 markus Exp $");
 #include "uidswap.h"
 #include "auth-options.h"
 
+#ifdef HAVE_OSF_SIA
+# include <sia.h>
+# include <siad.h>
+#endif
+
 /* import */
 extern ServerOptions options;
 extern unsigned char *session_id2;
@@ -244,10 +249,20 @@ input_userauth_request(int type, int plen)
 int
 ssh2_auth_none(struct passwd *pw)
 {
+#ifdef HAVE_OSF_SIA
+        extern int saved_argc;
+        extern char **saved_argv;
+#endif
+
         packet_done();
+
 #ifdef USE_PAM
         return auth_pam_password(pw, "");
-#else /* USE_PAM */
+#elif defined(HAVE_OSF_SIA)
+        return(sia_validate_user(NULL, saved_argc, saved_argv, 
+                get_canonical_hostname(), pw->pw_name, NULL, 0, NULL, 
+                "") == SIASUCCESS);
+#else /* !HAVE_OSF_SIA && !USE_PAM */
         return auth_password(pw, "");
 #endif /* USE_PAM */
 }
@@ -258,6 +273,10 @@ ssh2_auth_password(struct passwd *pw)
         int authenticated = 0;
         int change;
         unsigned int len;
+#ifdef HAVE_OSF_SIA
+        extern int saved_argc;
+        extern char **saved_argv;
+#endif
         change = packet_get_char();
         if (change)
                 log("password change not supported");
@@ -266,7 +285,11 @@ ssh2_auth_password(struct passwd *pw)
         if (options.password_authentication &&
 #ifdef USE_PAM
             auth_pam_password(pw, password) == 1)
-#else /* USE_PAM */
+#elif defined(HAVE_OSF_SIA)
+            sia_validate_user(NULL, saved_argc, saved_argv, 
+                        get_canonical_hostname(), pw->pw_name, NULL, 0, 
+                        NULL, password) == SIASUCCESS)
+#else /* !USE_PAM && !HAVE_OSF_SIA */
             auth_password(pw, password) == 1)
 #endif /* USE_PAM */
                 authenticated = 1;
diff --git a/bsd-snprintf.c b/bsd-snprintf.c
index 69534ecf1..c31fc38d6 100644
--- a/bsd-snprintf.c
+++ b/bsd-snprintf.c
@@ -126,7 +126,7 @@ vsnprintf(str, n, fmt, ap)
         char *str;
         size_t n;
         char *fmt;
-        va_list *ap;
+        va_list ap;
 {
         struct sigaction osa, nsa;
         char *p;
diff --git a/bsd-snprintf.h b/bsd-snprintf.h
index 8f244604c..6be2047e1 100644
--- a/bsd-snprintf.h
+++ b/bsd-snprintf.h
@@ -10,7 +10,7 @@ int snprintf(char *str, size_t n, char const *fmt, ...);
 #endif /* !HAVE_SNPRINTF */
 
 #ifndef HAVE_VSNPRINTF
-int vsnprintf(char *str, size_t n, char *fmt, va_list *ap);
+int vsnprintf(char *str, size_t n, char *fmt, va_list ap);
 #endif /* !HAVE_SNPRINTF */
 
 
diff --git a/configure.in b/configure.in
index c1bcb3424..4dd08c71a 100644
--- a/configure.in
+++ b/configure.in
@@ -150,6 +150,20 @@ case "$host" in
         LIBS="$LIBS -lgen -lsocket"
         no_dev_ptmx=1
         ;;
+*-dec-osf*)
+# This is untested
+        if test ! -z "USE_SIA" ; then
+                AC_MSG_CHECKING(for Digital Unix Security Integration Architecture)
+                if test -f /etc/sia/matrix.conf; then
+                        AC_MSG_RESULT(yes)
+                        AC_DEFINE(HAVE_OSF_SIA)
+                        AC_DEFINE(DISABLE_LOGIN)
+                        LIBS="$LIBS -lsecurity -ldb -lm -laud"
+                else
+                        AC_MSG_RESULT(no)
+                fi
+        fi
+        ;;
 esac
 
 # Allow user to specify flags
diff --git a/session.c b/session.c
index 1e22f477f..ca4a994e3 100644
--- a/session.c
+++ b/session.c
@@ -32,6 +32,11 @@ RCSID("$OpenBSD: session.c,v 1.20 2000/06/18 04:42:54 markus Exp $");
 #include <proj.h>
 #endif /* WITH_IRIX_PROJECT */
 
+#ifdef HAVE_OSF_SIA
+# include <sia.h>
+# include <siad.h>
+#endif
+
 /* types */
 
 #define TTYSZ 64
@@ -823,14 +828,32 @@ do_child(const char *command, struct passwd * pw, const char *term,
         }
 #endif /* USE_PAM */
 
+#ifndef HAVE_OSF_SIA
         /* Set login name in the kernel. */
         if (setlogin(pw->pw_name) < 0)
                 error("setlogin failed: %s", strerror(errno));
+#endif
 
         /* Set uid, gid, and groups. */
         /* Login(1) does this as well, and it needs uid 0 for the "-h"
            switch, so we let login(1) to this for us. */
         if (!options.use_login) {
+#ifdef HAVE_OSF_SIA
+                extern char **saved_argv;
+                extern int saved_argc;
+                char *host = get_canonical_hostname ();
+
+                if (sia_become_user(NULL, saved_argc, saved_argv, host,
+                    pw->pw_name, ttyname, 0, NULL, NULL, SIA_BEU_SETLUID) !=
+                    SIASUCCESS) {
+                        perror("sia_become_user");
+                        exit(1);
+                }
+                if (setreuid(geteuid(), geteuid()) < 0) {
+                        perror("setreuid");
+                        exit(1);
+                }
+#else /* HAVE_OSF_SIA */
                 if (getuid() == 0 || geteuid() == 0) {
                         if (setgid(pw->pw_gid) < 0) {
                                 perror("setgid");
@@ -867,6 +890,7 @@ do_child(const char *command, struct passwd * pw, const char *term,
                 }
                 if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
                         fatal("Failed to set uids to %d.", (int) pw->pw_uid);
+#endif /* HAVE_OSF_SIA */
         }
         /*
          * Get the shell from the password data.  An empty shell field is
diff --git a/sshd.c b/sshd.c
index 32a6fac7f..a4749fbe4 100644
--- a/sshd.c
+++ b/sshd.c
@@ -88,6 +88,7 @@ char *av0;
 
 /* Saved arguments to main(). */
 char **saved_argv;
+int saved_argc;
 
 /*
  * The sockets that the server is listening; this is used in the SIGHUP
@@ -422,6 +423,7 @@ main(int ac, char **av)
         int listen_sock, maxfd;
 
         /* Save argv[0]. */
+        saved_argc = ac;
         saved_argv = av;
         if (strchr(av[0], '/'))
                 av0 = strrchr(av[0], '/') + 1;