- (djm) Merge FreeBSD PAM code: replaces PAM password auth kludge with

proper challenge-response module
author: Damien Miller <djm@mindrot.org> 2003-05-10 19:28:02 +1000
committer: Damien Miller <djm@mindrot.org> 2003-05-10 19:28:02 +1000
commit: 4f9f42a9bb6a6aa8f6100d873dc6344f2f9994de (patch)
tree: f81c39146e1cfabb4b198f57f60453b2dcaac299 /monitor.c
parent: c437cda328b4733b59a7ed028b72e6b7f58f86e6 (diff)
1 files changed, 109 insertions, 4 deletions
diff --git a/monitor.c b/monitor.c
index 99b4d56ec..46241fbbd 100644
--- a/monitor.c
+++ b/monitor.c
@@ -118,6 +118,10 @@ int mm_answer_sessid(int, Buffer *);
 #ifdef USE_PAM
 int mm_answer_pam_start(int, Buffer *);
+int mm_answer_pam_init_ctx(int, Buffer *);
+int mm_answer_pam_query(int, Buffer *);
+int mm_answer_pam_respond(int, Buffer *);
+int mm_answer_pam_free_ctx(int, Buffer *);
 #endif
 #ifdef KRB4
@@ -163,6 +167,10 @@ struct mon_table mon_dispatch_proto20[] = {
    {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
 #ifdef USE_PAM
    {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start},
+    {MONITOR_REQ_PAM_INIT_CTX, MON_ISAUTH, mm_answer_pam_init_ctx},
+    {MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query},
+    {MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
+    {MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx},
 #endif
 #ifdef BSD_AUTH
    {MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
@@ -205,6 +213,10 @@ struct mon_table mon_dispatch_proto15[] = {
 #endif
 #ifdef USE_PAM
    {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start},
+    {MONITOR_REQ_PAM_INIT_CTX, MON_ISAUTH, mm_answer_pam_init_ctx},
+    {MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query},
+    {MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
+    {MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx},
 #endif
 #ifdef KRB4
    {MONITOR_REQ_KRB4, MON_ONCE|MON_AUTH, mm_answer_krb4},
@@ -285,10 +297,6 @@ monitor_child_preauth(struct monitor *pmonitor)
                        if (authctxt->pw->pw_uid == 0 &&
                            !auth_root_allowed(auth_method))
                                authenticated = 0;
-#ifdef USE_PAM
-                        if (!do_pam_account(authctxt->pw->pw_name, NULL))
-                                authenticated = 0;
-#endif
                }
                if (ent->flags & MON_AUTHDECIDE) {
@@ -747,6 +755,103 @@ mm_answer_pam_start(int socket, Buffer *m)
        return (0);
 }
+static void *sshpam_ctxt, *sshpam_authok;
+extern KbdintDevice sshpam_device;
+int
+mm_answer_pam_init_ctx(int socket, Buffer *m)
+{
+        debug3("%s", __func__);
+        authctxt->user = buffer_get_string(m, NULL);
+        sshpam_ctxt = (sshpam_device.init_ctx)(authctxt);
+        sshpam_authok = NULL;
+        buffer_clear(m);
+        if (sshpam_ctxt != NULL) {
+                monitor_permit(mon_dispatch, MONITOR_REQ_PAM_FREE_CTX, 1);
+                buffer_put_int(m, 1);
+        } else {
+                buffer_put_int(m, 0);
+        }
+        mm_request_send(socket, MONITOR_ANS_PAM_INIT_CTX, m);
+        return (0);
+}
+int
+mm_answer_pam_query(int socket, Buffer *m)
+{
+        char *name, *info, **prompts;
+        u_int num, *echo_on;
+        int i, ret;
+        debug3("%s", __func__);
+        sshpam_authok = NULL;
+        ret = (sshpam_device.query)(sshpam_ctxt, &name, &info, &num, &prompts, &echo_on);
+        if (ret == 0 && num == 0)
+                sshpam_authok = sshpam_ctxt;
+        if (num > 1 || name == NULL || info == NULL)
+                ret = -1;
+        buffer_clear(m);
+        buffer_put_int(m, ret);
+        buffer_put_cstring(m, name);
+        xfree(name);
+        buffer_put_cstring(m, info);
+        xfree(info);
+        buffer_put_int(m, num);
+        for (i = 0; i < num; ++i) {
+                buffer_put_cstring(m, prompts[i]);
+                xfree(prompts[i]);
+                buffer_put_int(m, echo_on[i]);
+        }
+        if (prompts != NULL)
+                xfree(prompts);
+        if (echo_on != NULL)
+                xfree(echo_on);
+        mm_request_send(socket, MONITOR_ANS_PAM_QUERY, m);
+        return (0);
+}
+int
+mm_answer_pam_respond(int socket, Buffer *m)
+{
+        char **resp;
+        u_int num;
+        int i, ret;
+        debug3("%s", __func__);
+        sshpam_authok = NULL;
+        num = buffer_get_int(m);
+        if (num > 0) {
+                resp = xmalloc(num * sizeof(char *));
+                for (i = 0; i < num; ++i)
+                        resp[i] = buffer_get_string(m, NULL);
+                ret = (sshpam_device.respond)(sshpam_ctxt, num, resp);
+                for (i = 0; i < num; ++i)
+                        xfree(resp[i]);
+                xfree(resp);
+        } else {
+                ret = (sshpam_device.respond)(sshpam_ctxt, num, NULL);
+        }
+        buffer_clear(m);
+        buffer_put_int(m, ret);
+        mm_request_send(socket, MONITOR_ANS_PAM_RESPOND, m);
+        auth_method = "keyboard-interactive/pam";
+        if (ret == 0)
+                sshpam_authok = sshpam_ctxt;
+        return (0);
+}
+int
+mm_answer_pam_free_ctx(int socket, Buffer *m)
+{
+        debug3("%s", __func__);
+        (sshpam_device.free_ctx)(sshpam_ctxt);
+        buffer_clear(m);
+        mm_request_send(socket, MONITOR_ANS_PAM_FREE_CTX, m);
+        return (sshpam_authok == sshpam_ctxt);
+}
 #endif
 static void
author	Damien Miller <djm@mindrot.org>	2003-05-10 19:28:02 +1000
committer	Damien Miller <djm@mindrot.org>	2003-05-10 19:28:02 +1000
commit	4f9f42a9bb6a6aa8f6100d873dc6344f2f9994de (patch)
tree	f81c39146e1cfabb4b198f57f60453b2dcaac299 /monitor.c
parent	c437cda328b4733b59a7ed028b72e6b7f58f86e6 (diff)

diff --git a/monitor.c b/monitor.c index 99b4d56ec..46241fbbd 100644 --- a/monitor.c +++ b/monitor.c
@@ -118,6 +118,10 @@ int mm_answer_sessid(int, Buffer *);
118		118
119	#ifdef USE_PAM	119	#ifdef USE_PAM
120	int mm_answer_pam_start(int, Buffer *);	120	int mm_answer_pam_start(int, Buffer *);
		121	int mm_answer_pam_init_ctx(int, Buffer *);
		122	int mm_answer_pam_query(int, Buffer *);
		123	int mm_answer_pam_respond(int, Buffer *);
		124	int mm_answer_pam_free_ctx(int, Buffer *);
121	#endif	125	#endif
122		126
123	#ifdef KRB4	127	#ifdef KRB4
@@ -163,6 +167,10 @@ struct mon_table mon_dispatch_proto20[] = {
163	{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},	167	{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
164	#ifdef USE_PAM	168	#ifdef USE_PAM
165	{MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start},	169	{MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start},
		170	{MONITOR_REQ_PAM_INIT_CTX, MON_ISAUTH, mm_answer_pam_init_ctx},
		171	{MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query},
		172	{MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
		173	{MONITOR_REQ_PAM_FREE_CTX, MON_ONCE\|MON_AUTHDECIDE, mm_answer_pam_free_ctx},
166	#endif	174	#endif
167	#ifdef BSD_AUTH	175	#ifdef BSD_AUTH
168	{MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},	176	{MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
@@ -205,6 +213,10 @@ struct mon_table mon_dispatch_proto15[] = {
205	#endif	213	#endif
206	#ifdef USE_PAM	214	#ifdef USE_PAM
207	{MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start},	215	{MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start},
		216	{MONITOR_REQ_PAM_INIT_CTX, MON_ISAUTH, mm_answer_pam_init_ctx},
		217	{MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query},
		218	{MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
		219	{MONITOR_REQ_PAM_FREE_CTX, MON_ONCE\|MON_AUTHDECIDE, mm_answer_pam_free_ctx},
208	#endif	220	#endif
209	#ifdef KRB4	221	#ifdef KRB4
210	{MONITOR_REQ_KRB4, MON_ONCE\|MON_AUTH, mm_answer_krb4},	222	{MONITOR_REQ_KRB4, MON_ONCE\|MON_AUTH, mm_answer_krb4},
@@ -285,10 +297,6 @@ monitor_child_preauth(struct monitor *pmonitor)
285	if (authctxt->pw->pw_uid == 0 &&	297	if (authctxt->pw->pw_uid == 0 &&
286	!auth_root_allowed(auth_method))	298	!auth_root_allowed(auth_method))
287	authenticated = 0;	299	authenticated = 0;
288	#ifdef USE_PAM
289	if (!do_pam_account(authctxt->pw->pw_name, NULL))
290	authenticated = 0;
291	#endif
292	}	300	}
293		301
294	if (ent->flags & MON_AUTHDECIDE) {	302	if (ent->flags & MON_AUTHDECIDE) {
@@ -747,6 +755,103 @@ mm_answer_pam_start(int socket, Buffer *m)
747		755
748	return (0);	756	return (0);
749	}	757	}
		758
		759	static void sshpam_ctxt, sshpam_authok;
		760	extern KbdintDevice sshpam_device;
		761
		762	int
		763	mm_answer_pam_init_ctx(int socket, Buffer *m)
		764	{
		765
		766	debug3("%s", __func__);
		767	authctxt->user = buffer_get_string(m, NULL);
		768	sshpam_ctxt = (sshpam_device.init_ctx)(authctxt);
		769	sshpam_authok = NULL;
		770	buffer_clear(m);
		771	if (sshpam_ctxt != NULL) {
		772	monitor_permit(mon_dispatch, MONITOR_REQ_PAM_FREE_CTX, 1);
		773	buffer_put_int(m, 1);
		774	} else {
		775	buffer_put_int(m, 0);
		776	}
		777	mm_request_send(socket, MONITOR_ANS_PAM_INIT_CTX, m);
		778	return (0);
		779	}
		780
		781	int
		782	mm_answer_pam_query(int socket, Buffer *m)
		783	{
		784	char name, info, **prompts;
		785	u_int num, *echo_on;
		786	int i, ret;
		787
		788	debug3("%s", __func__);
		789	sshpam_authok = NULL;
		790	ret = (sshpam_device.query)(sshpam_ctxt, &name, &info, &num, &prompts, &echo_on);
		791	if (ret == 0 && num == 0)
		792	sshpam_authok = sshpam_ctxt;
		793	if (num > 1 \|\| name == NULL \|\| info == NULL)
		794	ret = -1;
		795	buffer_clear(m);
		796	buffer_put_int(m, ret);
		797	buffer_put_cstring(m, name);
		798	xfree(name);
		799	buffer_put_cstring(m, info);
		800	xfree(info);
		801	buffer_put_int(m, num);
		802	for (i = 0; i < num; ++i) {
		803	buffer_put_cstring(m, prompts[i]);
		804	xfree(prompts[i]);
		805	buffer_put_int(m, echo_on[i]);
		806	}
		807	if (prompts != NULL)
		808	xfree(prompts);
		809	if (echo_on != NULL)
		810	xfree(echo_on);
		811	mm_request_send(socket, MONITOR_ANS_PAM_QUERY, m);
		812	return (0);
		813	}
		814
		815	int
		816	mm_answer_pam_respond(int socket, Buffer *m)
		817	{
		818	char **resp;
		819	u_int num;
		820	int i, ret;
		821
		822	debug3("%s", __func__);
		823	sshpam_authok = NULL;
		824	num = buffer_get_int(m);
		825	if (num > 0) {
		826	resp = xmalloc(num * sizeof(char *));
		827	for (i = 0; i < num; ++i)
		828	resp[i] = buffer_get_string(m, NULL);
		829	ret = (sshpam_device.respond)(sshpam_ctxt, num, resp);
		830	for (i = 0; i < num; ++i)
		831	xfree(resp[i]);
		832	xfree(resp);
		833	} else {
		834	ret = (sshpam_device.respond)(sshpam_ctxt, num, NULL);
		835	}
		836	buffer_clear(m);
		837	buffer_put_int(m, ret);
		838	mm_request_send(socket, MONITOR_ANS_PAM_RESPOND, m);
		839	auth_method = "keyboard-interactive/pam";
		840	if (ret == 0)
		841	sshpam_authok = sshpam_ctxt;
		842	return (0);
		843	}
		844
		845	int
		846	mm_answer_pam_free_ctx(int socket, Buffer *m)
		847	{
		848
		849	debug3("%s", __func__);
		850	(sshpam_device.free_ctx)(sshpam_ctxt);
		851	buffer_clear(m);
		852	mm_request_send(socket, MONITOR_ANS_PAM_FREE_CTX, m);
		853	return (sshpam_authok == sshpam_ctxt);
		854	}
750	#endif	855	#endif
751		856
752	static void	857	static void