diff options
| author | Darren Tucker <dtucker@zip.com.au> | 2003-11-18 12:42:07 +1100 |
|---|---|---|
| committer | Darren Tucker <dtucker@zip.com.au> | 2003-11-18 12:42:07 +1100 |
| commit | 18df00cc77b39fe7858cf987eb9a4f7c314af018 (patch) | |
| tree | 3fdde46acc1a57036269472ba4857a9df38ef0c7 | |
| parent | 6aef38f5ac65ad599454159c82530b62d740b9b9 (diff) | |
- (dtucker) [auth-pam.c] Convert chauthtok_conv into a generic tty_conv,
and use it for do_pam_session. Fixes problems like pam_motd not displaying
anything. ok djm@
| -rw-r--r-- | ChangeLog | 7 | ||||
| -rw-r--r-- | auth-pam.c | 56 |
2 files changed, 30 insertions, 33 deletions
| @@ -1,6 +1,9 @@ | |||
| 1 | 20031117 | 1 | 20031118 |
| 2 | - (djm) Fix early exit for root auth success when UsePAM=yes and | 2 | - (djm) Fix early exit for root auth success when UsePAM=yes and |
| 3 | PermitRootLogin=no | 3 | PermitRootLogin=no |
| 4 | - (dtucker) [auth-pam.c] Convert chauthtok_conv into a generic tty_conv, | ||
| 5 | and use it for do_pam_session. Fixes problems like pam_motd not displaying | ||
| 6 | anything. ok djm@ | ||
| 4 | 7 | ||
| 5 | 20031117 | 8 | 20031117 |
| 6 | - (djm) OpenBSD CVS Sync | 9 | - (djm) OpenBSD CVS Sync |
| @@ -1476,4 +1479,4 @@ | |||
| 1476 | - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. | 1479 | - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. |
| 1477 | Report from murple@murple.net, diagnosis from dtucker@zip.com.au | 1480 | Report from murple@murple.net, diagnosis from dtucker@zip.com.au |
| 1478 | 1481 | ||
| 1479 | $Id: ChangeLog,v 1.3113 2003/11/17 23:45:20 djm Exp $ | 1482 | $Id: ChangeLog,v 1.3114 2003/11/18 01:42:07 dtucker Exp $ |
diff --git a/auth-pam.c b/auth-pam.c index 92a3da406..af8d37fab 100644 --- a/auth-pam.c +++ b/auth-pam.c | |||
| @@ -31,7 +31,7 @@ | |||
| 31 | 31 | ||
| 32 | /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */ | 32 | /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */ |
| 33 | #include "includes.h" | 33 | #include "includes.h" |
| 34 | RCSID("$Id: auth-pam.c,v 1.80 2003/11/17 10:41:42 djm Exp $"); | 34 | RCSID("$Id: auth-pam.c,v 1.81 2003/11/18 01:42:08 dtucker Exp $"); |
| 35 | 35 | ||
| 36 | #ifdef USE_PAM | 36 | #ifdef USE_PAM |
| 37 | #include <security/pam_appl.h> | 37 | #include <security/pam_appl.h> |
| @@ -52,6 +52,7 @@ RCSID("$Id: auth-pam.c,v 1.80 2003/11/17 10:41:42 djm Exp $"); | |||
| 52 | #include "auth-options.h" | 52 | #include "auth-options.h" |
| 53 | 53 | ||
| 54 | extern ServerOptions options; | 54 | extern ServerOptions options; |
| 55 | extern Buffer loginmsg; | ||
| 55 | 56 | ||
| 56 | #define __unused | 57 | #define __unused |
| 57 | 58 | ||
| @@ -497,13 +498,9 @@ sshpam_query(void *ctx, char **name, char **info, | |||
| 497 | case PAM_AUTH_ERR: | 498 | case PAM_AUTH_ERR: |
| 498 | if (**prompts != NULL) { | 499 | if (**prompts != NULL) { |
| 499 | /* drain any accumulated messages */ | 500 | /* drain any accumulated messages */ |
| 500 | #if 0 /* XXX - not compatible with privsep */ | 501 | debug("PAM: %s", **prompts); |
| 501 | packet_start(SSH2_MSG_USERAUTH_BANNER); | 502 | buffer_append(&loginmsg, **prompts, |
| 502 | packet_put_cstring(**prompts); | 503 | strlen(**prompts)); |
| 503 | packet_put_cstring(""); | ||
| 504 | packet_send(); | ||
| 505 | packet_write_wait(); | ||
| 506 | #endif | ||
| 507 | xfree(**prompts); | 504 | xfree(**prompts); |
| 508 | **prompts = NULL; | 505 | **prompts = NULL; |
| 509 | } | 506 | } |
| @@ -631,21 +628,6 @@ do_pam_account(void) | |||
| 631 | } | 628 | } |
| 632 | 629 | ||
| 633 | void | 630 | void |
| 634 | do_pam_session(void) | ||
| 635 | { | ||
| 636 | sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, | ||
| 637 | (const void *)&null_conv); | ||
| 638 | if (sshpam_err != PAM_SUCCESS) | ||
| 639 | fatal("PAM: failed to set PAM_CONV: %s", | ||
| 640 | pam_strerror(sshpam_handle, sshpam_err)); | ||
| 641 | sshpam_err = pam_open_session(sshpam_handle, 0); | ||
| 642 | if (sshpam_err != PAM_SUCCESS) | ||
| 643 | fatal("PAM: pam_open_session(): %s", | ||
| 644 | pam_strerror(sshpam_handle, sshpam_err)); | ||
| 645 | sshpam_session_open = 1; | ||
| 646 | } | ||
| 647 | |||
| 648 | void | ||
| 649 | do_pam_set_tty(const char *tty) | 631 | do_pam_set_tty(const char *tty) |
| 650 | { | 632 | { |
| 651 | if (tty != NULL) { | 633 | if (tty != NULL) { |
| @@ -691,7 +673,7 @@ is_pam_password_change_required(void) | |||
| 691 | } | 673 | } |
| 692 | 674 | ||
| 693 | static int | 675 | static int |
| 694 | pam_chauthtok_conv(int n, const struct pam_message **msg, | 676 | pam_tty_conv(int n, const struct pam_message **msg, |
| 695 | struct pam_response **resp, void *data) | 677 | struct pam_response **resp, void *data) |
| 696 | { | 678 | { |
| 697 | char input[PAM_MAX_MSG_SIZE]; | 679 | char input[PAM_MAX_MSG_SIZE]; |
| @@ -700,7 +682,7 @@ pam_chauthtok_conv(int n, const struct pam_message **msg, | |||
| 700 | 682 | ||
| 701 | *resp = NULL; | 683 | *resp = NULL; |
| 702 | 684 | ||
| 703 | if (n <= 0 || n > PAM_MAX_NUM_MSG) | 685 | if (n <= 0 || n > PAM_MAX_NUM_MSG || !isatty(STDIN_FILENO)) |
| 704 | return (PAM_CONV_ERR); | 686 | return (PAM_CONV_ERR); |
| 705 | 687 | ||
| 706 | if ((reply = malloc(n * sizeof(*reply))) == NULL) | 688 | if ((reply = malloc(n * sizeof(*reply))) == NULL) |
| @@ -742,6 +724,8 @@ pam_chauthtok_conv(int n, const struct pam_message **msg, | |||
| 742 | return (PAM_CONV_ERR); | 724 | return (PAM_CONV_ERR); |
| 743 | } | 725 | } |
| 744 | 726 | ||
| 727 | static struct pam_conv tty_conv = { pam_tty_conv, NULL }; | ||
| 728 | |||
| 745 | /* | 729 | /* |
| 746 | * XXX this should be done in the authentication phase, but ssh1 doesn't | 730 | * XXX this should be done in the authentication phase, but ssh1 doesn't |
| 747 | * support that | 731 | * support that |
| @@ -749,15 +733,10 @@ pam_chauthtok_conv(int n, const struct pam_message **msg, | |||
| 749 | void | 733 | void |
| 750 | do_pam_chauthtok(void) | 734 | do_pam_chauthtok(void) |
| 751 | { | 735 | { |
| 752 | struct pam_conv pam_conv; | ||
| 753 | |||
| 754 | pam_conv.conv = pam_chauthtok_conv; | ||
| 755 | pam_conv.appdata_ptr = NULL; | ||
| 756 | |||
| 757 | if (use_privsep) | 736 | if (use_privsep) |
| 758 | fatal("Password expired (unable to change with privsep)"); | 737 | fatal("Password expired (unable to change with privsep)"); |
| 759 | sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, | 738 | sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, |
| 760 | (const void *)&pam_conv); | 739 | (const void *)&tty_conv); |
| 761 | if (sshpam_err != PAM_SUCCESS) | 740 | if (sshpam_err != PAM_SUCCESS) |
| 762 | fatal("PAM: failed to set PAM_CONV: %s", | 741 | fatal("PAM: failed to set PAM_CONV: %s", |
| 763 | pam_strerror(sshpam_handle, sshpam_err)); | 742 | pam_strerror(sshpam_handle, sshpam_err)); |
| @@ -768,6 +747,21 @@ do_pam_chauthtok(void) | |||
| 768 | pam_strerror(sshpam_handle, sshpam_err)); | 747 | pam_strerror(sshpam_handle, sshpam_err)); |
| 769 | } | 748 | } |
| 770 | 749 | ||
| 750 | void | ||
| 751 | do_pam_session(void) | ||
| 752 | { | ||
| 753 | sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, | ||
| 754 | (const void *)&tty_conv); | ||
| 755 | if (sshpam_err != PAM_SUCCESS) | ||
| 756 | fatal("PAM: failed to set PAM_CONV: %s", | ||
| 757 | pam_strerror(sshpam_handle, sshpam_err)); | ||
| 758 | sshpam_err = pam_open_session(sshpam_handle, 0); | ||
| 759 | if (sshpam_err != PAM_SUCCESS) | ||
| 760 | fatal("PAM: pam_open_session(): %s", | ||
| 761 | pam_strerror(sshpam_handle, sshpam_err)); | ||
| 762 | sshpam_session_open = 1; | ||
| 763 | } | ||
| 764 | |||
| 771 | /* | 765 | /* |
| 772 | * Set a PAM environment string. We need to do this so that the session | 766 | * Set a PAM environment string. We need to do this so that the session |
| 773 | * modules can handle things like Kerberos/GSI credentials that appear | 767 | * modules can handle things like Kerberos/GSI credentials that appear |