author | Damien Miller <djm@mindrot.org> | 2003-08-25 13:08:49 +1000 |
committer | Damien Miller <djm@mindrot.org> | 2003-08-25 13:08:49 +1000 |
commit | 1f499fd3688d034daf787859044ede73767b6141 (patch) | |
tree | 0fec594fff3ac5fb6cc4faab19924e047db10207 /monitor.c | |
parent | e41bba584737f028579961ddf6669b6a768e47e7 (diff) |
- (djm) Bug #564: Perform PAM account checks for all authentications when
UsePAM=yes; ok dtucker
Diffstat (limited to 'monitor.c')
-rw-r--r-- | monitor.c | 34 |
1 files changed, 34 insertions, 0 deletions
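--- a/monitor.c
+++ b/monitor.c
@@ -118,6 +118,7 @@ int mm_answer_sessid(int, Buffer *);
 
 #ifdef USE_PAM
 int mm_answer_pam_start(int, Buffer *);
+int mm_answer_pam_account(int, Buffer *);
 int mm_answer_pam_init_ctx(int, Buffer *);
 int mm_answer_pam_query(int, Buffer *);
 int mm_answer_pam_respond(int, Buffer *);
@@ -165,6 +166,7 @@ struct mon_table mon_dispatch_proto20[] = {
 {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
 #ifdef USE_PAM
 {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start},
+{MONITOR_REQ_PAM_ACCOUNT, 0, mm_answer_pam_account},
 {MONITOR_REQ_PAM_INIT_CTX, MON_ISAUTH, mm_answer_pam_init_ctx},
 {MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query},
 {MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
@@ -214,6 +216,7 @@ struct mon_table mon_dispatch_proto15[] = {
 #endif
 #ifdef USE_PAM
 {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start},
+{MONITOR_REQ_PAM_ACCOUNT, 0, mm_answer_pam_account},
 {MONITOR_REQ_PAM_INIT_CTX, MON_ISAUTH, mm_answer_pam_init_ctx},
 {MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query},
 {MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
@@ -295,6 +298,18 @@ monitor_child_preauth(struct monitor *pmonitor)
 if (authctxt->pw->pw_uid == 0 &&
 !auth_root_allowed(auth_method))
 authenticated = 0;
+#ifdef USE_PAM
+/* PAM needs to perform account checks after auth */
+if (options.use_pam) {
+Buffer m;
+
+buffer_init(&m);
+mm_request_receive_expect(pmonitor->m_sendfd,
+MONITOR_REQ_PAM_ACCOUNT, &m);
+authenticated = mm_answer_pam_account(pmonitor->m_sendfd, &m);
+buffer_free(&m);
+}
+#endif
 }
 
 if (ent->flags & MON_AUTHDECIDE) {
@@ -771,9 +786,28 @@ mm_answer_pam_start(int socket, Buffer *m)
 
 xfree(user);
 
+monitor_permit(mon_dispatch, MONITOR_REQ_PAM_ACCOUNT, 1);
+
 return (0);
 }
 
+int
+mm_answer_pam_account(int socket, Buffer *m)
+{
+u_int ret;
+
+if (!options.use_pam)
+fatal("UsePAM not set, but ended up in %s anyway", __func__);
+
+ret = do_pam_account();
+
+buffer_put_int(m, ret);
+
+mm_request_send(socket, MONITOR_ANS_PAM_ACCOUNT, m);
+
+return (ret);
+}
+
 static void *sshpam_ctxt, *sshpam_authok;
 extern KbdintDevice sshpam_device;
 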
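Review bot: At new line 309 in monitor_child_preauth the PAM account result replaces `authenticated` outright, so the `authenticated = 0` that the auth_root_allowed() check sets at line 300 is clobbered whenever do_pam_account() succeeds, turning a refused root login back into a success; guard the block with `if (options.use_pam && authenticated) {` so the account check can only narrow a decision that was already positive. The receive at lines 307–308 is mm_request_receive_expect(), which fatal()s unless the child sends MONITOR_REQ_PAM_ACCOUNT at exactly this point, so the child side must apply the same condition — that code is not in this diff, so I can only flag it. monitor_child_preauth starts and ends outside the hunk, and whether this block already sits inside an `if (authenticated)` is not visible here; even if it does, the guard is still needed because line 300 can clear the flag before the PAM call. A short contract comment on mm_answer_pam_account, e.g. `/* Returns nonzero only if PAM account management passed; the caller uses this as the final auth decision. */`, would make the override visible to the next reader.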