author | Damien Miller <djm@mindrot.org> | 2018-12-07 15:41:16 +1100 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2018-12-14 13:23:48 +1100 |
commit | 8a22ffaa13391cfe5b40316d938fe0fb931e9296 (patch) | |
tree | 4d8caa21acbf05e580e393d2f031bcd3bce873e1 | |
parent | a784fa8c7a7b084d63bae82ccfea902131bb45c5 (diff) |
expose $SSH_CONNECTION in the PAM environment
This makes the connection 4-tuple available to PAM modules that
wish to use it in decision-making. bz#2741
-rw-r--r-- | auth-pam.c | 10 | ||||
-rw-r--r-- | session.c | 11 |
2 files changed, 17 insertions, 4 deletions
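--- a/auth-pam.c
+++ b/auth-pam.c
@@ -673,6 +673,7 @@ sshpam_init(Authctxt *authctxt)
 {
 const char *pam_rhost, *pam_user, *user = authctxt->user;
 const char **ptr_pam_user = &pam_user;
+char *laddr, *conninfo;
 struct ssh *ssh = active_state; /* XXX */
 
 if (sshpam_handle != NULL) {
@@ -702,6 +703,15 @@ sshpam_init(Authctxt *authctxt)
 sshpam_handle = NULL;
 return (-1);
 }
+
+laddr = get_local_ipaddr(packet_get_connection_in());
+xasprintf(&conninfo, "SSH_CONNECTION=%.50s %d %.50s %d",
+ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
+laddr, ssh_local_port(ssh));
+pam_putenv(sshpam_handle, conninfo);
+free(laddr);
+free(conninfo);
+
 #ifdef PAM_TTY_KLUDGE
 /*
 * Some silly PAM modules (e.g. pam_time) require a TTY to operate.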
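Review bot: The return value of `pam_putenv()` on new line 711 is discarded, so if the library cannot store the variable (for example a PAM_BUF_ERR), modules that are meant to use SSH_CONNECTION for decision-making silently run without it and nothing is logged. The rest of sshpam_init() records PAM failures in `sshpam_err` and reports them, so this call should follow suit: `sshpam_err = pam_putenv(sshpam_handle, conninfo);` followed by `if (sshpam_err != PAM_SUCCESS) error("PAM: pam_putenv failed: %s", pam_strerror(sshpam_handle, sshpam_err));` before the two `free()` calls. A short comment above the `xasprintf` would also help the next reader, e.g. `/* Export the connection 4-tuple to PAM modules; %.50s caps each address so the variable stays bounded. */`. sshpam_init() continues past the end of this hunk.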
@@ -1162,15 +1162,18 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell) | |||
1162 | char **p; | 1162 | char **p; |
1163 | 1163 | ||
1164 | /* | 1164 | /* |
1165 | * Don't allow SSH_AUTH_INFO variables posted to PAM to leak | 1165 | * Don't allow PAM-internal env vars to leak |
1166 | * back into the environment. | 1166 | * back into the session environment. |
1167 | */ | 1167 | */ |
1168 | #define PAM_ENV_BLACKLIST "SSH_AUTH_INFO*,SSH_CONNECTION*" | ||
1168 | p = fetch_pam_child_environment(); | 1169 | p = fetch_pam_child_environment(); |
1169 | copy_environment_blacklist(p, &env, &envsize, "SSH_AUTH_INFO*"); | 1170 | copy_environment_blacklist(p, &env, &envsize, |
1171 | PAM_ENV_BLACKLIST); | ||
1170 | free_pam_environment(p); | 1172 | free_pam_environment(p); |
1171 | 1173 | ||
1172 | p = fetch_pam_environment(); | 1174 | p = fetch_pam_environment(); |
1173 | copy_environment_blacklist(p, &env, &envsize, "SSH_AUTH_INFO*"); | 1175 | copy_environment_blacklist(p, &env, &envsize, |
1176 | PAM_ENV_BLACKLIST); | ||
1174 | free_pam_environment(p); | 1177 | free_pam_environment(p); |
1175 | } | 1178 | } |
1176 | #endif /* USE_PAM */ | 1179 | #endif /* USE_PAM */ |
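Review bot: `PAM_ENV_BLACKLIST` is defined on new line 1168 inside the body of do_setup_env() and never undefined, so the macro leaks to the remainder of the translation unit; either move it to file scope with the other macros or add `#undef PAM_ENV_BLACKLIST` after the second `copy_environment_blacklist()` call. The rewritten comment on lines 1165-1166 also drops the reason these names are filtered, which matters here because the value exported to PAM in sshpam_init() must not be allowed to override the SSH_CONNECTION that sshd sets for the session itself; I'd extend it with `* SSH_AUTH_INFO* is for PAM module use only; SSH_CONNECTION* is set by sshd and must not be overridden by the copy given to PAM in sshpam_init().`. do_setup_env() starts before this hunk.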