author | Damien Miller <djm@mindrot.org> | 2003-09-02 23:18:52 +1000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2003-09-02 23:18:52 +1000 |
commit | 341c6e687c2e2d3629f19d4b43fccc2dc8d7f9d3 (patch) | |
tree | a54163ac7548e84d257e611333f8e3cf628a7b9d | |
parent | f4b6f10deda4413528ddb5ffbb69c5da84ae58b9 (diff) |
- (djm) Bug #423: reorder setting of PAM_TTY and calling of PAM session
management (now done in do_setusercontext). Largely from
michael_steffens AT hp.com
-rw-r--r-- | ChangeLog | 5 | ||||
-rw-r--r-- | auth-pam.c | 19 | ||||
-rw-r--r-- | auth-pam.h | 5 | ||||
-rw-r--r-- | session.c | 7 |
4 files changed, 23 insertions, 13 deletions
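--- a/ChangeLog
+++ b/ChangeLog
@@ -49,6 +49,9 @@
 fix leak
 - (djm) Don't initialise pam_conv structures inline. Avoids HP/UX compiler
 error. Part of Bug #423, patch from michael_steffens AT hp.com
+- (djm) Bug #423: reorder setting of PAM_TTY and calling of PAM session
+management (now done in do_setusercontext). Largely from
+michael_steffens AT hp.com
 
 20030829
 - (bal) openbsd-compat/ clean up. Considate headers, add in Id on our
@@ -964,4 +967,4 @@
 - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo.
 Report from murple@murple.net, diagnosis from dtucker@zip.com.au
 
-$Id: ChangeLog,v 1.2935 2003/09/02 13:12:06 djm Exp $
+$Id: ChangeLog,v 1.2936 2003/09/02 13:18:52 djm Exp $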
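--- a/auth-pam.c
+++ b/auth-pam.c
@@ -31,7 +31,7 @@
 
 /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */
 #include "includes.h"
-RCSID("$Id: auth-pam.c,v 1.69 2003/09/02 13:12:06 djm Exp $");
+RCSID("$Id: auth-pam.c,v 1.70 2003/09/02 13:18:53 djm Exp $");
 
 #ifdef USE_PAM
 #include <security/pam_appl.h>
@@ -534,13 +534,23 @@ do_pam_account(void)
 }
 
 void
-do_pam_session(const char *user, const char *tty)
+do_pam_session(void)
 {
 sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
 (const void *)&null_conv);
 if (sshpam_err != PAM_SUCCESS)
 fatal("PAM: failed to set PAM_CONV: %s",
 pam_strerror(sshpam_handle, sshpam_err));
+sshpam_err = pam_open_session(sshpam_handle, 0);
+if (sshpam_err != PAM_SUCCESS)
+fatal("PAM: pam_open_session(): %s",
+pam_strerror(sshpam_handle, sshpam_err));
+sshpam_session_open = 1;
+}
+
+void
+do_pam_set_tty(const char *tty)
+{
 if (tty != NULL) {
 debug("PAM: setting PAM_TTY to \"%s\"", tty);
 sshpam_err = pam_set_item(sshpam_handle, PAM_TTY, tty);
@@ -548,11 +558,6 @@ do_pam_session(const char *user, const char *tty)
 fatal("PAM: failed to set PAM_TTY: %s",
 pam_strerror(sshpam_handle, sshpam_err));
 }
-sshpam_err = pam_open_session(sshpam_handle, 0);
-if (sshpam_err != PAM_SUCCESS)
-fatal("PAM: pam_open_session(): %s",
-pam_strerror(sshpam_handle, sshpam_err));
-sshpam_session_open = 1;
 }
 
 void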
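Review bot: The split into do_pam_session() (new lines 537-549) and do_pam_set_tty() (new lines 551-561) creates an ordering contract that neither function documents or checks: PAM_TTY has to be set before pam_open_session() for session modules that read it, and only the call order in session.c now enforces that. A header comment above do_pam_session() would make the contract explicit, e.g. `/* Open the PAM session. Call after do_pam_account() and, on pty sessions, after do_pam_set_tty(); sets sshpam_session_open, presumably for finish_pam() to close it. */`, with a matching one-liner on do_pam_set_tty() saying it must precede do_pam_session(). Also worth confirming where the new caller runs: if do_setusercontext() executes in the forked child (not visible in this hunk), the pam_open_session() call and the `sshpam_session_open = 1` it sets at new line 548 happen in the child's address space, and a parent-side finish_pam() would never see the session as open.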
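--- a/auth-pam.h
+++ b/auth-pam.h
@@ -1,4 +1,4 @@
-/* $Id: auth-pam.h,v 1.20 2003/08/26 01:58:16 dtucker Exp $ */
+/* $Id: auth-pam.h,v 1.21 2003/09/02 13:18:53 djm Exp $ */
 
 /*
  * Copyright (c) 2000 Damien Miller. All rights reserved.
@@ -34,7 +34,8 @@
 void start_pam(const char *);
 void finish_pam(void);
 u_int do_pam_account(void);
-void do_pam_session(const char *, const char *);
+void do_pam_session(void);
+void do_pam_set_tty(const char *);
 void do_pam_setcred(int );
 int is_pam_password_change_required(void);
 void do_pam_chauthtok(void);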
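Review bot: The new `do_pam_set_tty` prototype at new line 38 gives callers no hint that it has to run before do_pam_session() for the tty to be visible to PAM session modules, and the header's prototypes carry no comments at all. A trailing comment on the two declarations would capture it without changing the file's unnamed-parameter style, e.g. `void do_pam_set_tty(const char *);	/* call before do_pam_session() */`. The dependency is only enforced by call order in session.c, so the header is the one place a future caller will look.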
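--- a/session.c
+++ b/session.c
@@ -396,7 +396,6 @@ do_exec_no_pty(Session *s, const char *command)
 
 #if defined(USE_PAM)
 if (options.use_pam) {
-do_pam_session(s->pw->pw_name, NULL);
 do_pam_setcred(1);
 if (is_pam_password_change_required())
 packet_disconnect("Password change required but no "
@@ -525,7 +524,7 @@ do_exec_pty(Session *s, const char *command)
 
 #if defined(USE_PAM)
 if (options.use_pam) {
-do_pam_session(s->pw->pw_name, s->tty);
+do_pam_set_tty(s->tty);
 do_pam_setcred(1);
 }
 #endif
@@ -1205,8 +1204,10 @@ do_setusercontext(struct passwd *pw)
 * These will have been wiped by the above initgroups() call.
 * Reestablish them here.
 */
-if (options.use_pam)
+if (options.use_pam) {
+do_pam_session();
 do_pam_setcred(0);
+}
 # endif /* USE_PAM */
 # if defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY)
 irix_setusercontext(pw);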
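Review bot: The comment at new lines 1204-1206 ("These will have been wiped by the above initgroups() call. Reestablish them here.") explains do_pam_setcred(0), but the new do_pam_session() call at new line 1208 now sits under it and is not a re-establishment of anything, so the comment no longer says why the session is opened at this point. It should cover both, e.g. `/* Open the PAM session, then re-establish the PAM credentials that the initgroups() call above wiped. */`. If do_setusercontext() runs in the forked child (its beginning and end are outside this hunk), pam_open_session() and the sshpam_session_open flag it sets now live only in the child, so it is worth confirming which process performs the matching pam_close_session() and whether it still sees the flag. Note also that in do_exec_no_pty (new lines 397-401) the setcred(1) and password-change check now run before any PAM session is open, which the commit message does not discuss.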