author | Damien Miller <djm@mindrot.org> | 2003-05-10 19:28:02 +1000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2003-05-10 19:28:02 +1000 |
commit | 4f9f42a9bb6a6aa8f6100d873dc6344f2f9994de (patch) | |
tree | f81c39146e1cfabb4b198f57f60453b2dcaac299 /monitor.c | |
parent | c437cda328b4733b59a7ed028b72e6b7f58f86e6 (diff) |
- (djm) Merge FreeBSD PAM code: replaces PAM password auth kludge with
proper challenge-response module
Diffstat (limited to 'monitor.c')
-rw-r--r-- | monitor.c | 113 |
1 files changed, 109 insertions, 4 deletions
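--- a/monitor.c
+++ b/monitor.c
@@ -118,6 +118,10 @@ int mm_answer_sessid(int, Buffer *);
 
 #ifdef USE_PAM
 int mm_answer_pam_start(int, Buffer *);
+int mm_answer_pam_init_ctx(int, Buffer *);
+int mm_answer_pam_query(int, Buffer *);
+int mm_answer_pam_respond(int, Buffer *);
+int mm_answer_pam_free_ctx(int, Buffer *);
 #endif
 
 #ifdef KRB4
@@ -163,6 +167,10 @@ struct mon_table mon_dispatch_proto20[] = {
 {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
 #ifdef USE_PAM
 {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start},
+{MONITOR_REQ_PAM_INIT_CTX, MON_ISAUTH, mm_answer_pam_init_ctx},
+{MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query},
+{MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
+{MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx},
 #endif
 #ifdef BSD_AUTH
 {MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
@@ -205,6 +213,10 @@ struct mon_table mon_dispatch_proto15[] = {
 #endif
 #ifdef USE_PAM
 {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start},
+{MONITOR_REQ_PAM_INIT_CTX, MON_ISAUTH, mm_answer_pam_init_ctx},
+{MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query},
+{MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
+{MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx},
 #endif
 #ifdef KRB4
 {MONITOR_REQ_KRB4, MON_ONCE|MON_AUTH, mm_answer_krb4},
@@ -285,10 +297,6 @@ monitor_child_preauth(struct monitor *pmonitor)
 if (authctxt->pw->pw_uid == 0 &&
 !auth_root_allowed(auth_method))
 authenticated = 0;
-#ifdef USE_PAM
-if (!do_pam_account(authctxt->pw->pw_name, NULL))
-authenticated = 0;
-#endif
 }
 
 if (ent->flags & MON_AUTHDECIDE) {
@@ -747,6 +755,103 @@ mm_answer_pam_start(int socket, Buffer *m)
 
 return (0);
 }
+
+static void *sshpam_ctxt, *sshpam_authok;
+extern KbdintDevice sshpam_device;
+
+int
+mm_answer_pam_init_ctx(int socket, Buffer *m)
+{
+
+debug3("%s", __func__);
+authctxt->user = buffer_get_string(m, NULL);
+sshpam_ctxt = (sshpam_device.init_ctx)(authctxt);
+sshpam_authok = NULL;
+buffer_clear(m);
+if (sshpam_ctxt != NULL) {
+monitor_permit(mon_dispatch, MONITOR_REQ_PAM_FREE_CTX, 1);
+buffer_put_int(m, 1);
+} else {
+buffer_put_int(m, 0);
+}
+mm_request_send(socket, MONITOR_ANS_PAM_INIT_CTX, m);
+return (0);
+}
+
+int
+mm_answer_pam_query(int socket, Buffer *m)
+{
+char *name, *info, **prompts;
+u_int num, *echo_on;
+int i, ret;
+
+debug3("%s", __func__);
+sshpam_authok = NULL;
+ret = (sshpam_device.query)(sshpam_ctxt, &name, &info, &num, &prompts, &echo_on);
+if (ret == 0 && num == 0)
+sshpam_authok = sshpam_ctxt;
+if (num > 1 || name == NULL || info == NULL)
+ret = -1;
+buffer_clear(m);
+buffer_put_int(m, ret);
+buffer_put_cstring(m, name);
+xfree(name);
+buffer_put_cstring(m, info);
+xfree(info);
+buffer_put_int(m, num);
+for (i = 0; i < num; ++i) {
+buffer_put_cstring(m, prompts[i]);
+xfree(prompts[i]);
+buffer_put_int(m, echo_on[i]);
+}
+if (prompts != NULL)
+xfree(prompts);
+if (echo_on != NULL)
+xfree(echo_on);
+mm_request_send(socket, MONITOR_ANS_PAM_QUERY, m);
+return (0);
+}
+
+int
+mm_answer_pam_respond(int socket, Buffer *m)
+{
+char **resp;
+u_int num;
+int i, ret;
+
+debug3("%s", __func__);
+sshpam_authok = NULL;
+num = buffer_get_int(m);
+if (num > 0) {
+resp = xmalloc(num * sizeof(char *));
+for (i = 0; i < num; ++i)
+resp[i] = buffer_get_string(m, NULL);
+ret = (sshpam_device.respond)(sshpam_ctxt, num, resp);
+for (i = 0; i < num; ++i)
+xfree(resp[i]);
+xfree(resp);
+} else {
+ret = (sshpam_device.respond)(sshpam_ctxt, num, NULL);
+}
+buffer_clear(m);
+buffer_put_int(m, ret);
+mm_request_send(socket, MONITOR_ANS_PAM_RESPOND, m);
+auth_method = "keyboard-interactive/pam";
+if (ret == 0)
+sshpam_authok = sshpam_ctxt;
+return (0);
+}
+
+int
+mm_answer_pam_free_ctx(int socket, Buffer *m)
+{
+
+debug3("%s", __func__);
+(sshpam_device.free_ctx)(sshpam_ctxt);
+buffer_clear(m);
+mm_request_send(socket, MONITOR_ANS_PAM_FREE_CTX, m);
+return (sshpam_authok == sshpam_ctxt);
+}
 #endif
 
 static void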
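Review bot: In `mm_answer_pam_respond` (new line 826) the response count `num` is read straight from the unprivileged child's message and used unbounded in `xmalloc(num * sizeof(char *))` and in loops whose counter is a signed `int`, so a large count can overflow the size multiplication on 32-bit hosts and the `i < num` comparison is signed/unsigned; since `mm_answer_pam_query` already refuses to report more than one prompt, the response handler should enforce the same bound before allocating, e.g. `if (num > 1) fatal("%s: bogus response count %u", __func__, num);`. Separately, `mm_answer_pam_init_ctx` (new line 767) overwrites `authctxt->user` with a name chosen by the child, while the monitor already holds a validated `authctxt->pw` (used at line 297 of the preceding hunk); the name handed to PAM should come from that record, or at least be compared against it, and the assignment as written also leaks any previous `authctxt->user` string. In `mm_answer_pam_query`, a NULL `name` or `info` sets `ret = -1` but the NULL is still passed to `buffer_put_cstring`, which presumably does not accept it, so the error reply should be sent before those put calls.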