authorColin Watson <cjwatson@debian.org>2019-06-05 06:41:44 +0100
committerColin Watson <cjwatson@debian.org>2019-06-05 06:41:44 +0100
commit102062f825fb26a74295a1c089c00c4c4c76b68a (patch)
tree3db66bc8c8483cce66516dff36f6ef56065143d9 /auth-pam.c
parent3d246f10429fc9a37b98eabef94fe8dc7c61002b (diff)
parentfd0fa130ecf06d7d092932adcd5d77f1549bfc8d (diff)
Import openssh_8.0p1.orig.tar.gz
Diffstat (limited to 'auth-pam.c')
-rw-r--r--auth-pam.c60
1 files changed, 43 insertions, 17 deletions
diff --git a/auth-pam.c b/auth-pam.c
index 1dec53e92..bde0a8f56 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -248,6 +248,9 @@ static int sshpam_maxtries_reached = 0;
248static char **sshpam_env = NULL; 248static char **sshpam_env = NULL;
249static Authctxt *sshpam_authctxt = NULL; 249static Authctxt *sshpam_authctxt = NULL;
250static const char *sshpam_password = NULL; 250static const char *sshpam_password = NULL;
251static char *sshpam_rhost = NULL;
252static char *sshpam_laddr = NULL;
253static char *sshpam_conninfo = NULL;
251 254
252/* Some PAM implementations don't implement this */ 255/* Some PAM implementations don't implement this */
253#ifndef HAVE_PAM_GETENVLIST 256#ifndef HAVE_PAM_GETENVLIST
@@ -669,13 +672,17 @@ sshpam_cleanup(void)
669} 672}
670 673
671static int 674static int
672sshpam_init(Authctxt *authctxt) 675sshpam_init(struct ssh *ssh, Authctxt *authctxt)
673{ 676{
674 const char *pam_rhost, *pam_user, *user = authctxt->user; 677 const char *pam_user, *user = authctxt->user;
675 const char **ptr_pam_user = &pam_user; 678 const char **ptr_pam_user = &pam_user;
676 struct ssh *ssh = active_state; /* XXX */
677 679
678 if (sshpam_handle != NULL) { 680 if (sshpam_handle == NULL) {
681 if (ssh == NULL) {
682 fatal("%s: called initially with no "
683 "packet context", __func__);
684 }
685 } if (sshpam_handle != NULL) {
679 /* We already have a PAM context; check if the user matches */ 686 /* We already have a PAM context; check if the user matches */
680 sshpam_err = pam_get_item(sshpam_handle, 687 sshpam_err = pam_get_item(sshpam_handle,
681 PAM_USER, (sshpam_const void **)ptr_pam_user); 688 PAM_USER, (sshpam_const void **)ptr_pam_user);
@@ -694,14 +701,33 @@ sshpam_init(Authctxt *authctxt)
694 sshpam_handle = NULL; 701 sshpam_handle = NULL;
695 return (-1); 702 return (-1);
696 } 703 }
697 pam_rhost = auth_get_canonical_hostname(ssh, options.use_dns); 704
698 debug("PAM: setting PAM_RHOST to \"%s\"", pam_rhost); 705 if (ssh != NULL && sshpam_rhost == NULL) {
699 sshpam_err = pam_set_item(sshpam_handle, PAM_RHOST, pam_rhost); 706 /*
700 if (sshpam_err != PAM_SUCCESS) { 707 * We need to cache these as we don't have packet context
701 pam_end(sshpam_handle, sshpam_err); 708 * during the kbdint flow.
702 sshpam_handle = NULL; 709 */
703 return (-1); 710 sshpam_rhost = xstrdup(auth_get_canonical_hostname(ssh,
711 options.use_dns));
712 sshpam_laddr = get_local_ipaddr(
713 ssh_packet_get_connection_in(ssh));
714 xasprintf(&sshpam_conninfo, "SSH_CONNECTION=%.50s %d %.50s %d",
715 ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
716 sshpam_laddr, ssh_local_port(ssh));
704 } 717 }
718 if (sshpam_rhost != NULL) {
719 debug("PAM: setting PAM_RHOST to \"%s\"", sshpam_rhost);
720 sshpam_err = pam_set_item(sshpam_handle, PAM_RHOST,
721 sshpam_rhost);
722 if (sshpam_err != PAM_SUCCESS) {
723 pam_end(sshpam_handle, sshpam_err);
724 sshpam_handle = NULL;
725 return (-1);
726 }
727 /* Put SSH_CONNECTION in the PAM environment too */
728 pam_putenv(sshpam_handle, sshpam_conninfo);
729 }
730
705#ifdef PAM_TTY_KLUDGE 731#ifdef PAM_TTY_KLUDGE
706 /* 732 /*
707 * Some silly PAM modules (e.g. pam_time) require a TTY to operate. 733 * Some silly PAM modules (e.g. pam_time) require a TTY to operate.
@@ -755,7 +781,7 @@ sshpam_init_ctx(Authctxt *authctxt)
755 return NULL; 781 return NULL;
756 782
757 /* Initialize PAM */ 783 /* Initialize PAM */
758 if (sshpam_init(authctxt) == -1) { 784 if (sshpam_init(NULL, authctxt) == -1) {
759 error("PAM: initialization failed"); 785 error("PAM: initialization failed");
760 return (NULL); 786 return (NULL);
761 } 787 }
@@ -787,7 +813,6 @@ static int
787sshpam_query(void *ctx, char **name, char **info, 813sshpam_query(void *ctx, char **name, char **info,
788 u_int *num, char ***prompts, u_int **echo_on) 814 u_int *num, char ***prompts, u_int **echo_on)
789{ 815{
790 struct ssh *ssh = active_state; /* XXX */
791 struct sshbuf *buffer; 816 struct sshbuf *buffer;
792 struct pam_ctxt *ctxt = ctx; 817 struct pam_ctxt *ctxt = ctx;
793 size_t plen; 818 size_t plen;
@@ -877,8 +902,7 @@ sshpam_query(void *ctx, char **name, char **info,
877 } 902 }
878 error("PAM: %s for %s%.100s from %.100s", msg, 903 error("PAM: %s for %s%.100s from %.100s", msg,
879 sshpam_authctxt->valid ? "" : "illegal user ", 904 sshpam_authctxt->valid ? "" : "illegal user ",
880 sshpam_authctxt->user, 905 sshpam_authctxt->user, sshpam_rhost);
881 auth_get_canonical_hostname(ssh, options.use_dns));
882 /* FALLTHROUGH */ 906 /* FALLTHROUGH */
883 default: 907 default:
884 *num = 0; 908 *num = 0;
@@ -995,12 +1019,14 @@ KbdintDevice mm_sshpam_device = {
995 * This replaces auth-pam.c 1019 * This replaces auth-pam.c
996 */ 1020 */
997void 1021void
998start_pam(Authctxt *authctxt) 1022start_pam(struct ssh *ssh)
999{ 1023{
1024 Authctxt *authctxt = (Authctxt *)ssh->authctxt;
1025
1000 if (!options.use_pam) 1026 if (!options.use_pam)
1001 fatal("PAM: initialisation requested when UsePAM=no"); 1027 fatal("PAM: initialisation requested when UsePAM=no");
1002 1028
1003 if (sshpam_init(authctxt) == -1) 1029 if (sshpam_init(ssh, authctxt) == -1)
1004 fatal("PAM: initialisation failed"); 1030 fatal("PAM: initialisation failed");
1005} 1031}
1006 1032
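Review bot: The return value of pam_putenv() at new line 728 of sshpam_init() is discarded, while the pam_set_item() call a few lines above it is checked and tears the context down on failure; if the library cannot store SSH_CONNECTION, modules that key on it run without it and nothing is logged. A minimal fix keeps the existing error-variable convention: `sshpam_err = pam_putenv(sshpam_handle, sshpam_conninfo);` followed by `if (sshpam_err != PAM_SUCCESS) debug("PAM: pam_putenv failed: %s", pam_strerror(sshpam_handle, sshpam_err));`. On style, the block at new lines 680–685 ends in `} if (sshpam_handle != NULL) {`, which reads like a dropped `else`; because the first branch either calls fatal() or leaves sshpam_handle NULL, `} else {` expresses the same control flow without the second test. The three newly cached strings sshpam_rhost, sshpam_laddr and sshpam_conninfo are allocated once here and are presumably released in sshpam_cleanup(), which is outside this view; worth confirming so a re-initialization cannot leak or reuse a stale host string. sshpam_init()'s body continues past the end of the hunk.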