- (djm) Bug #564: Perform PAM account checks for all authentications when

UsePAM=yes; ok dtucker
author: Damien Miller <djm@mindrot.org> 2003-08-25 13:08:49 +1000
committer: Damien Miller <djm@mindrot.org> 2003-08-25 13:08:49 +1000
commit: 1f499fd3688d034daf787859044ede73767b6141 (patch)
tree: 0fec594fff3ac5fb6cc4faab19924e047db10207 /monitor.c
parent: e41bba584737f028579961ddf6669b6a768e47e7 (diff)
1 files changed, 34 insertions, 0 deletions
diff --git a/monitor.c b/monitor.c
index 95fd0cf64..80b1a8fba 100644
--- a/monitor.c
+++ b/monitor.c
@@ -118,6 +118,7 @@ int mm_answer_sessid(int, Buffer *);
 #ifdef USE_PAM
 int mm_answer_pam_start(int, Buffer *);
+int mm_answer_pam_account(int, Buffer *);
 int mm_answer_pam_init_ctx(int, Buffer *);
 int mm_answer_pam_query(int, Buffer *);
 int mm_answer_pam_respond(int, Buffer *);
@@ -165,6 +166,7 @@ struct mon_table mon_dispatch_proto20[] = {
    {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
 #ifdef USE_PAM
    {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start},
+    {MONITOR_REQ_PAM_ACCOUNT, 0, mm_answer_pam_account},
    {MONITOR_REQ_PAM_INIT_CTX, MON_ISAUTH, mm_answer_pam_init_ctx},
    {MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query},
    {MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
@@ -214,6 +216,7 @@ struct mon_table mon_dispatch_proto15[] = {
 #endif
 #ifdef USE_PAM
    {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start},
+    {MONITOR_REQ_PAM_ACCOUNT, 0, mm_answer_pam_account},
    {MONITOR_REQ_PAM_INIT_CTX, MON_ISAUTH, mm_answer_pam_init_ctx},
    {MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query},
    {MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
@@ -295,6 +298,18 @@ monitor_child_preauth(struct monitor *pmonitor)
                        if (authctxt->pw->pw_uid == 0 &&
                            !auth_root_allowed(auth_method))
                                authenticated = 0;
+#ifdef USE_PAM
+                        /* PAM needs to perform account checks after auth */
+                        if (options.use_pam) {
+                                Buffer m;
+                                buffer_init(&m);
+                                mm_request_receive_expect(pmonitor->m_sendfd, 
+                                    MONITOR_REQ_PAM_ACCOUNT, &m);
+                                authenticated = mm_answer_pam_account(pmonitor->m_sendfd, &m);
+                                buffer_free(&m);
+                        }
+#endif
                }
                if (ent->flags & MON_AUTHDECIDE) {
@@ -771,9 +786,28 @@ mm_answer_pam_start(int socket, Buffer *m)
        xfree(user);
+        monitor_permit(mon_dispatch, MONITOR_REQ_PAM_ACCOUNT, 1);
        return (0);
 }
+int
+mm_answer_pam_account(int socket, Buffer *m)
+{
+        u_int ret;
+        
+        if (!options.use_pam)
+                fatal("UsePAM not set, but ended up in %s anyway", __func__);
+        ret = do_pam_account();
+        buffer_put_int(m, ret);
+        mm_request_send(socket, MONITOR_ANS_PAM_ACCOUNT, m);
+        return (ret);
+}
 static void *sshpam_ctxt, *sshpam_authok;
 extern KbdintDevice sshpam_device;
author	Damien Miller <djm@mindrot.org>	2003-08-25 13:08:49 +1000
committer	Damien Miller <djm@mindrot.org>	2003-08-25 13:08:49 +1000
commit	1f499fd3688d034daf787859044ede73767b6141 (patch)
tree	0fec594fff3ac5fb6cc4faab19924e047db10207 /monitor.c
parent	e41bba584737f028579961ddf6669b6a768e47e7 (diff)

diff --git a/monitor.c b/monitor.c index 95fd0cf64..80b1a8fba 100644 --- a/monitor.c +++ b/monitor.c
@@ -118,6 +118,7 @@ int mm_answer_sessid(int, Buffer *);
118		118
119	#ifdef USE_PAM	119	#ifdef USE_PAM
120	int mm_answer_pam_start(int, Buffer *);	120	int mm_answer_pam_start(int, Buffer *);
		121	int mm_answer_pam_account(int, Buffer *);
121	int mm_answer_pam_init_ctx(int, Buffer *);	122	int mm_answer_pam_init_ctx(int, Buffer *);
122	int mm_answer_pam_query(int, Buffer *);	123	int mm_answer_pam_query(int, Buffer *);
123	int mm_answer_pam_respond(int, Buffer *);	124	int mm_answer_pam_respond(int, Buffer *);
@@ -165,6 +166,7 @@ struct mon_table mon_dispatch_proto20[] = {
165	{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},	166	{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
166	#ifdef USE_PAM	167	#ifdef USE_PAM
167	{MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start},	168	{MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start},
		169	{MONITOR_REQ_PAM_ACCOUNT, 0, mm_answer_pam_account},
168	{MONITOR_REQ_PAM_INIT_CTX, MON_ISAUTH, mm_answer_pam_init_ctx},	170	{MONITOR_REQ_PAM_INIT_CTX, MON_ISAUTH, mm_answer_pam_init_ctx},
169	{MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query},	171	{MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query},
170	{MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},	172	{MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
@@ -214,6 +216,7 @@ struct mon_table mon_dispatch_proto15[] = {
214	#endif	216	#endif
215	#ifdef USE_PAM	217	#ifdef USE_PAM
216	{MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start},	218	{MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start},
		219	{MONITOR_REQ_PAM_ACCOUNT, 0, mm_answer_pam_account},
217	{MONITOR_REQ_PAM_INIT_CTX, MON_ISAUTH, mm_answer_pam_init_ctx},	220	{MONITOR_REQ_PAM_INIT_CTX, MON_ISAUTH, mm_answer_pam_init_ctx},
218	{MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query},	221	{MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query},
219	{MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},	222	{MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
@@ -295,6 +298,18 @@ monitor_child_preauth(struct monitor *pmonitor)
295	if (authctxt->pw->pw_uid == 0 &&	298	if (authctxt->pw->pw_uid == 0 &&
296	!auth_root_allowed(auth_method))	299	!auth_root_allowed(auth_method))
297	authenticated = 0;	300	authenticated = 0;
		301	#ifdef USE_PAM
		302	/* PAM needs to perform account checks after auth */
		303	if (options.use_pam) {
		304	Buffer m;
		305
		306	buffer_init(&m);
		307	mm_request_receive_expect(pmonitor->m_sendfd,
		308	MONITOR_REQ_PAM_ACCOUNT, &m);
		309	authenticated = mm_answer_pam_account(pmonitor->m_sendfd, &m);
		310	buffer_free(&m);
		311	}
		312	#endif
298	}	313	}
299		314
300	if (ent->flags & MON_AUTHDECIDE) {	315	if (ent->flags & MON_AUTHDECIDE) {
@@ -771,9 +786,28 @@ mm_answer_pam_start(int socket, Buffer *m)
771		786
772	xfree(user);	787	xfree(user);
773		788
		789	monitor_permit(mon_dispatch, MONITOR_REQ_PAM_ACCOUNT, 1);
		790
774	return (0);	791	return (0);
775	}	792	}
776		793
		794	int
		795	mm_answer_pam_account(int socket, Buffer *m)
		796	{
		797	u_int ret;
		798
		799	if (!options.use_pam)
		800	fatal("UsePAM not set, but ended up in %s anyway", __func__);
		801
		802	ret = do_pam_account();
		803
		804	buffer_put_int(m, ret);
		805
		806	mm_request_send(socket, MONITOR_ANS_PAM_ACCOUNT, m);
		807
		808	return (ret);
		809	}
		810
777	static void sshpam_ctxt, sshpam_authok;	811	static void sshpam_ctxt, sshpam_authok;
778	extern KbdintDevice sshpam_device;	812	extern KbdintDevice sshpam_device;
779		813