diff options
| author | Damien Miller <djm@mindrot.org> | 2001-03-27 16:12:24 +1000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2001-03-27 16:12:24 +1000 |
| commit | f9e93009478075ec04f0ee407e8f83ab2558a892 (patch) | |
| tree | 48327e0001087c3d25a13a4a53111519c5b0145c | |
| parent | 771bbac73327304cbac69ca37e33b5771e01fc17 (diff) | |
- (djm) Reestablish PAM credentials (which can be supplemental group
memberships) after initgroups() blows them away. Report and suggested
fix from Nalin Dahyabhai <nalin@redhat.com>
| -rw-r--r-- | ChangeLog | 16 | ||||
| -rw-r--r-- | auth-pam.c | 7 | ||||
| -rw-r--r-- | auth-pam.h | 4 | ||||
| -rw-r--r-- | session.c | 13 |
4 files changed, 25 insertions, 15 deletions
| @@ -1,10 +1,3 @@ | |||
| 1 | 20010328 | ||
| 2 | - OpenBSD CVS Sync | ||
| 3 | - markus@cvs.openbsd.org 2001/03/26 08:07:09 | ||
| 4 | [authfile.c authfile.h ssh-add.c ssh-keygen.c ssh.c sshconnect.c | ||
| 5 | sshconnect.h sshconnect1.c sshconnect2.c sshd.c] | ||
| 6 | simpler key load/save interface, see authfile.h | ||
| 7 | |||
| 8 | 20010327 | 1 | 20010327 |
| 9 | - Attempt sync with sshlogin.c w/ OpenBSD (mainly CVS ID) | 2 | - Attempt sync with sshlogin.c w/ OpenBSD (mainly CVS ID) |
| 10 | - Fix pointer issues in waitpid() and wait() replaces. Patch by Lutz | 3 | - Fix pointer issues in waitpid() and wait() replaces. Patch by Lutz |
| @@ -17,6 +10,13 @@ | |||
| 17 | [servconf.c servconf.h session.c sshd.8 sshd_config] | 10 | [servconf.c servconf.h session.c sshd.8 sshd_config] |
| 18 | PrintLastLog option; from chip@valinux.com with some minor | 11 | PrintLastLog option; from chip@valinux.com with some minor |
| 19 | changes by me. ok markus@ | 12 | changes by me. ok markus@ |
| 13 | - markus@cvs.openbsd.org 2001/03/26 08:07:09 | ||
| 14 | [authfile.c authfile.h ssh-add.c ssh-keygen.c ssh.c sshconnect.c | ||
| 15 | sshconnect.h sshconnect1.c sshconnect2.c sshd.c] | ||
| 16 | simpler key load/save interface, see authfile.h | ||
| 17 | - (djm) Reestablish PAM credentials (which can be supplemental group | ||
| 18 | memberships) after initgroups() blows them away. Report and suggested | ||
| 19 | fix from Nalin Dahyabhai <nalin@redhat.com> | ||
| 20 | 20 | ||
| 21 | 20010324 | 21 | 20010324 |
| 22 | - Fixed permissions ssh-keyscan. Thanks to Christopher Linn <celinn@mtu.edu>. | 22 | - Fixed permissions ssh-keyscan. Thanks to Christopher Linn <celinn@mtu.edu>. |
| @@ -4725,4 +4725,4 @@ | |||
| 4725 | - Wrote replacements for strlcpy and mkdtemp | 4725 | - Wrote replacements for strlcpy and mkdtemp |
| 4726 | - Released 1.0pre1 | 4726 | - Released 1.0pre1 |
| 4727 | 4727 | ||
| 4728 | $Id: ChangeLog,v 1.1020 2001/03/26 13:44:06 mouring Exp $ | 4728 | $Id: ChangeLog,v 1.1021 2001/03/27 06:12:24 djm Exp $ |
diff --git a/auth-pam.c b/auth-pam.c index 2ea29964d..d8eefdfd7 100644 --- a/auth-pam.c +++ b/auth-pam.c | |||
| @@ -33,7 +33,7 @@ | |||
| 33 | #include "canohost.h" | 33 | #include "canohost.h" |
| 34 | #include "readpass.h" | 34 | #include "readpass.h" |
| 35 | 35 | ||
| 36 | RCSID("$Id: auth-pam.c,v 1.33 2001/03/21 02:01:35 djm Exp $"); | 36 | RCSID("$Id: auth-pam.c,v 1.34 2001/03/27 06:12:24 djm Exp $"); |
| 37 | 37 | ||
| 38 | #define NEW_AUTHTOK_MSG \ | 38 | #define NEW_AUTHTOK_MSG \ |
| 39 | "Warning: Your password has expired, please change it now" | 39 | "Warning: Your password has expired, please change it now" |
| @@ -287,14 +287,15 @@ void do_pam_session(char *username, const char *ttyname) | |||
| 287 | } | 287 | } |
| 288 | 288 | ||
| 289 | /* Set PAM credentials */ | 289 | /* Set PAM credentials */ |
| 290 | void do_pam_setcred(void) | 290 | void do_pam_setcred(int init) |
| 291 | { | 291 | { |
| 292 | int pam_retval; | 292 | int pam_retval; |
| 293 | 293 | ||
| 294 | do_pam_set_conv(&conv); | 294 | do_pam_set_conv(&conv); |
| 295 | 295 | ||
| 296 | debug("PAM establishing creds"); | 296 | debug("PAM establishing creds"); |
| 297 | pam_retval = pam_setcred(__pamh, PAM_ESTABLISH_CRED); | 297 | pam_retval = pam_setcred(__pamh, |
| 298 | init ? PAM_ESTABLISH_CRED : PAM_REINITIALIZE_CRED); | ||
| 298 | if (pam_retval != PAM_SUCCESS) { | 299 | if (pam_retval != PAM_SUCCESS) { |
| 299 | if (was_authenticated) | 300 | if (was_authenticated) |
| 300 | fatal("PAM setcred failed[%d]: %.200s", | 301 | fatal("PAM setcred failed[%d]: %.200s", |
diff --git a/auth-pam.h b/auth-pam.h index 1cf85c0f1..c249b5396 100644 --- a/auth-pam.h +++ b/auth-pam.h | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $Id: auth-pam.h,v 1.10 2001/02/15 00:51:32 djm Exp $ */ | 1 | /* $Id: auth-pam.h,v 1.11 2001/03/27 06:12:24 djm Exp $ */ |
| 2 | 2 | ||
| 3 | #include "includes.h" | 3 | #include "includes.h" |
| 4 | #ifdef USE_PAM | 4 | #ifdef USE_PAM |
| @@ -12,7 +12,7 @@ char **fetch_pam_environment(void); | |||
| 12 | int do_pam_authenticate(int flags); | 12 | int do_pam_authenticate(int flags); |
| 13 | int do_pam_account(char *username, char *remote_user); | 13 | int do_pam_account(char *username, char *remote_user); |
| 14 | void do_pam_session(char *username, const char *ttyname); | 14 | void do_pam_session(char *username, const char *ttyname); |
| 15 | void do_pam_setcred(void); | 15 | void do_pam_setcred(int init); |
| 16 | void print_pam_messages(void); | 16 | void print_pam_messages(void); |
| 17 | int is_pam_password_change_required(void); | 17 | int is_pam_password_change_required(void); |
| 18 | void do_pam_chauthtok(void); | 18 | void do_pam_chauthtok(void); |
| @@ -488,7 +488,7 @@ do_exec_no_pty(Session *s, const char *command) | |||
| 488 | session_proctitle(s); | 488 | session_proctitle(s); |
| 489 | 489 | ||
| 490 | #if defined(USE_PAM) | 490 | #if defined(USE_PAM) |
| 491 | do_pam_setcred(); | 491 | do_pam_setcred(1); |
| 492 | #endif /* USE_PAM */ | 492 | #endif /* USE_PAM */ |
| 493 | 493 | ||
| 494 | /* Fork the child. */ | 494 | /* Fork the child. */ |
| @@ -603,7 +603,7 @@ do_exec_pty(Session *s, const char *command) | |||
| 603 | 603 | ||
| 604 | #if defined(USE_PAM) | 604 | #if defined(USE_PAM) |
| 605 | do_pam_session(s->pw->pw_name, s->tty); | 605 | do_pam_session(s->pw->pw_name, s->tty); |
| 606 | do_pam_setcred(); | 606 | do_pam_setcred(1); |
| 607 | #endif | 607 | #endif |
| 608 | 608 | ||
| 609 | /* Fork the child. */ | 609 | /* Fork the child. */ |
| @@ -1100,6 +1100,15 @@ do_child(Session *s, const char *command) | |||
| 1100 | exit(1); | 1100 | exit(1); |
| 1101 | } | 1101 | } |
| 1102 | endgrent(); | 1102 | endgrent(); |
| 1103 | # ifdef USE_PAM | ||
| 1104 | /* | ||
| 1105 | * PAM credentials may take the form of | ||
| 1106 | * supplementary groups. These will have been | ||
| 1107 | * wiped by the above initgroups() call. | ||
| 1108 | * Reestablish them here. | ||
| 1109 | */ | ||
| 1110 | do_pam_setcred(0); | ||
| 1111 | # endif /* USE_PAM */ | ||
| 1103 | # ifdef WITH_IRIX_JOBS | 1112 | # ifdef WITH_IRIX_JOBS |
| 1104 | jid = jlimit_startjob(pw->pw_name, pw->pw_uid, "interactive"); | 1113 | jid = jlimit_startjob(pw->pw_name, pw->pw_uid, "interactive"); |
| 1105 | if (jid == -1) { | 1114 | if (jid == -1) { |