- (djm) Split out and improve OSF SIA auth code. Patch from Chris Adams

   <cmadams@hiwaay.net> with a little modification and KNF.

7 files changed, 116 insertions, 53 deletions

diff --git a/ChangeLog b/ChangeLog
index 115d7aebc..6d07d0105 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -6,6 +6,8 @@
    from Nalin Dahyabhai <nalin@redhat.com>
  - (bal) Missing function prototype in bsd-snprintf.c patch by
    Mark Miller <markm@swoon.net>
+ - (djm) Split out and improve OSF SIA auth code. Patch from Chris Adams
+   <cmadams@hiwaay.net> with a little modification and KNF.
 
 20010213
  - (djm) Only test -S potential EGD sockets if they exist and are readable.
@@ -3922,4 +3924,4 @@
  - Wrote replacements for strlcpy and mkdtemp
  - Released 1.0pre1
 
-$Id: ChangeLog,v 1.757 2001/02/13 14:05:59 mouring Exp $
+$Id: ChangeLog,v 1.758 2001/02/13 14:25:23 djm Exp $
diff --git a/Makefile.in b/Makefile.in
index f64e25504..f9c48d29a 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -1,4 +1,4 @@
-# $Id: Makefile.in,v 1.150 2001/02/09 13:40:03 djm Exp $
+# $Id: Makefile.in,v 1.151 2001/02/13 14:25:23 djm Exp $
 
 prefix=@prefix@
 exec_prefix=@exec_prefix@
@@ -48,7 +48,7 @@ LIBSSH_OBJS=atomicio.o authfd.o authfile.o bufaux.o buffer.o canohost.o channels
 
 SSHOBJS= ssh.o sshconnect.o sshconnect1.o sshconnect2.o log-client.o readconf.o clientloop.o
 
-SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth-chall.o auth2-chall.o auth-rhosts.o auth-options.o auth-krb4.o auth-pam.o auth2-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o dh.o pty.o log-server.o login.o loginrec.o servconf.o serverloop.o md5crypt.o session.o groupaccess.o
+SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth-chall.o auth2-chall.o auth-rhosts.o auth-options.o auth-krb4.o auth-pam.o auth2-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o auth-sia.o dh.o pty.o log-server.o login.o loginrec.o servconf.o serverloop.o md5crypt.o session.o groupaccess.o
 
 TROFFMAN        = scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1
 CATMAN          = scp.0 ssh-add.0 ssh-agent.0 ssh-keygen.0 ssh-keyscan.0 ssh.0 sshd.0 sftp-server.0 sftp.0
diff --git a/auth-sia.c b/auth-sia.c
new file mode 100644
index 000000000..6fece555d
--- /dev/null
+++ b/auth-sia.c
@@ -0,0 +1,96 @@
+#include "includes.h"
+
+#ifdef HAVE_OSF_SIA
+#include "ssh.h"
+#include "auth-sia.h"
+#include "log.h"
+#include "servconf.h"
+#include "canohost.h"
+
+#include <sia.h>
+#include <siad.h>
+#include <pwd.h>
+#include <signal.h>
+#include <setjmp.h>
+#include <sys/resource.h>
+#include <unistd.h>
+#include <string.h>
+
+extern ServerOptions options;
+extern int saved_argc;
+extern char **saved_argv;
+
+extern int errno;
+
+int
+auth_sia_password(char *user, char *pass)
+{
+        int ret;
+        SIAENTITY *ent = NULL;
+        const char *host;
+
+        host = get_canonical_hostname(options.reverse_mapping_check);
+
+        if (!user || !pass)
+                return(0);
+
+        if (sia_ses_init(&ent, saved_argc, saved_argv, host, user, NULL, 0,
+            NULL) != SIASUCCESS)
+                return(0);
+
+        if ((ret = sia_ses_authent(NULL, pass, ent)) != SIASUCCESS) {
+                error("couldn't authenticate %s from %s", user, host);
+                if (ret & SIASTOP)
+                        sia_ses_release(&ent);
+                return(0);
+        }
+
+        sia_ses_release(&ent);
+
+        return(1);
+}
+
+void
+session_setup_sia(char *user, char *tty)
+{
+        int ret;
+        struct passwd *pw;
+        SIAENTITY *ent = NULL;
+        const char *host;
+
+        host = get_canonical_hostname (options.reverse_mapping_check);
+
+        if (sia_ses_init(&ent, saved_argc, saved_argv, host, user, tty, 0,
+            NULL) != SIASUCCESS)
+                fatal("sia_ses_init failed");
+
+        if ((pw = getpwnam(user)) == NULL) {
+                sia_ses_release(&ent);
+                fatal("getpwnam(%s) failed: %s", user, strerror(errno));
+        }
+        if (sia_make_entity_pwd(pw, ent) != SIASUCCESS) {
+                sia_ses_release(&ent);
+                fatal("sia_make_entity_pwd failed");
+        }
+
+        ent->authtype = SIA_A_NONE;
+        if (sia_ses_estab(sia_collect_trm, ent) != SIASUCCESS)
+                fatal("couldn't establish session for %s from %s", user,
+                    host);
+
+        if (setpriority(PRIO_PROCESS, 0, 0) == -1) {
+                sia_ses_release(&ent);
+                fatal("setpriority failed: %s", strerror (errno));
+        }
+
+        if (sia_ses_launch(sia_collect_trm, ent) != SIASUCCESS)
+                fatal("couldn't launch session for %s from %s", user, host);
+        
+        sia_ses_release(&ent);
+
+        if (setreuid(geteuid(), geteuid()) < 0)
+                fatal("setreuid failed: %s", strerror (errno));
+}
+
+#endif /* HAVE_OSF_SIA */
+
diff --git a/auth-sia.h b/auth-sia.h
new file mode 100644
index 000000000..eaa933322
--- /dev/null
+++ b/auth-sia.h
@@ -0,0 +1,8 @@
+#include "includes.h"
+
+#ifdef HAVE_OSF_SIA
+
+int     auth_sia_password(char *user, char *pass);
+void    session_setup_sia(char *user, char *tty);
+
+#endif /* HAVE_OSF_SIA */
diff --git a/auth1.c b/auth1.c
index a7693df59..31034262b 100644
--- a/auth1.c
+++ b/auth1.c
@@ -12,11 +12,6 @@
 #include "includes.h"
 RCSID("$OpenBSD: auth1.c,v 1.15 2001/02/07 22:35:45 markus Exp $");
 
-#ifdef HAVE_OSF_SIA
-# include <sia.h>
-# include <siad.h>
-#endif
-
 #include "xmalloc.h"
 #include "rsa.h"
 #include "ssh1.h"
@@ -36,10 +31,6 @@ extern char *forced_command;
 #ifdef WITH_AIXAUTHENTICATE
 extern char *aixloginmsg;
 #endif /* WITH_AIXAUTHENTICATE */
-#ifdef HAVE_OSF_SIA
-extern int saved_argc;
-extern char **saved_argv;
-#endif /* HAVE_OSF_SIA */
 
 /*
  * convert ssh auth msg type into description
@@ -98,6 +89,8 @@ do_authloop(Authctxt *authctxt)
 #endif
 #ifdef USE_PAM
             auth_pam_password(pw, "")) {
+#elif defined(HAVE_OSF_SIA)
+            0) {
 #else
             auth_password(pw, "")) {
 #endif
@@ -265,11 +258,8 @@ do_authloop(Authctxt *authctxt)
                         authenticated = auth_pam_password(pw, password);
 #elif defined(HAVE_OSF_SIA)
                         /* Do SIA auth with password */
-                        if (sia_validate_user(NULL, saved_argc, saved_argv,
-                            get_canonical_hostname(options.reverse_mapping_check),
-                            authctxt->user?authctxt->user:"NOUSER", NULL, 
-                            0, NULL, password) == SIASUCCESS)
-                                authenticated = 1;
+                        authenticated = auth_sia_password(authctxt->user, 
+                            password);
 #else /* !USE_PAM && !HAVE_OSF_SIA */
                         /* Try authentication with the password. */
                         authenticated = auth_password(pw, password);
diff --git a/auth2.c b/auth2.c
index c887283a3..b74920578 100644
--- a/auth2.c
+++ b/auth2.c
@@ -25,11 +25,6 @@
 #include "includes.h"
 RCSID("$OpenBSD: auth2.c,v 1.40 2001/02/10 12:52:02 markus Exp $");
 
-#ifdef HAVE_OSF_SIA
-# include <sia.h>
-# include <siad.h>
-#endif
-
 #include <openssl/evp.h>
 
 #include "ssh2.h"
@@ -61,10 +56,6 @@ extern int session_id2_len;
 #ifdef WITH_AIXAUTHENTICATE
 extern char *aixloginmsg;
 #endif
-#ifdef HAVE_OSF_SIA
-extern int saved_argc;
-extern char **saved_argv;
-#endif
 
 static Authctxt *x_authctxt = NULL;
 static int one = 1;
@@ -346,10 +337,7 @@ userauth_none(Authctxt *authctxt)
 #ifdef USE_PAM
         return auth_pam_password(authctxt->pw, "");
 #elif defined(HAVE_OSF_SIA)
-        return (sia_validate_user(NULL, saved_argc, saved_argv,
-            get_canonical_hostname(options.reverse_mapping_check),
-            authctxt->user?authctxt->user:"NOUSER", NULL, 0,
-            NULL, "") == SIASUCCESS);
+        return 0;
 #else /* !HAVE_OSF_SIA && !USE_PAM */
         return auth_password(authctxt->pw, "");
 #endif /* USE_PAM */
@@ -374,10 +362,7 @@ userauth_passwd(Authctxt *authctxt)
 #ifdef USE_PAM
             auth_pam_password(authctxt->pw, password) == 1)
 #elif defined(HAVE_OSF_SIA)
-            sia_validate_user(NULL, saved_argc, saved_argv,
-            get_canonical_hostname(options.reverse_mapping_check),
-            authctxt->user?authctxt->user:"NOUSER", NULL, 0, NULL,
-            password) == SIASUCCESS)
+            auth_sia_password(authctxt->user, password) == 1)
 #else /* !USE_PAM && !HAVE_OSF_SIA */
             auth_password(authctxt->pw, password) == 1)
 #endif /* USE_PAM */
diff --git a/session.c b/session.c
index 7319df3d1..a9b4d87a3 100644
--- a/session.c
+++ b/session.c
@@ -72,11 +72,6 @@ RCSID("$OpenBSD: session.c,v 1.55 2001/02/08 19:30:52 itojun Exp $");
 #include <usersec.h>
 #endif
 
-#ifdef HAVE_OSF_SIA
-# include <sia.h>
-# include <siad.h>
-#endif
-
 #ifdef HAVE_CYGWIN
 #include <windows.h>
 #include <sys/cygwin.h>
@@ -1051,21 +1046,8 @@ do_child(const char *command, struct passwd * pw, const char *term,
            switch, so we let login(1) to this for us. */
         if (!options.use_login) {
 #ifdef HAVE_OSF_SIA
-                extern char **saved_argv;
-                extern int saved_argc;
-                char *host = get_canonical_hostname(options.reverse_mapping_check);
-
-                if (sia_become_user(NULL, saved_argc, saved_argv, host,
-                    pw->pw_name, ttyname, 0, NULL, NULL, SIA_BEU_SETLUID) !=
-                    SIASUCCESS) {
-                        perror("sia_become_user");
-                        exit(1);
-                }
-                if (setreuid(geteuid(), geteuid()) < 0) {
-                        perror("setreuid");
-                        exit(1);
-                }
 #else /* HAVE_OSF_SIA */
+                session_setup_sia(pw->pw_name, ttyname);
 #ifdef HAVE_CYGWIN
                 if (is_winnt) {
 #else