- Import of patch from Ben Taylor <bent@clark.net>:

- Improved PAM support - "uninstall" rule for Makefile - utmpx support - Should fix PAM problems on Solaris
author: Damien Miller <djm@mindrot.org> 1999-12-09 10:16:54 +1100
committer: Damien Miller <djm@mindrot.org> 1999-12-09 10:16:54 +1100
commit: bf1c9b2012fadab02392126bece5d21e9ddffda6 (patch)
tree: 371e5f27669fa28773e2b2bb008a81a03715cf2e /sshd.c
parent: fce1648681a20b99f569d4bfd9335bc4a956b119 (diff)
1 files changed, 29 insertions, 20 deletions
diff --git a/sshd.c b/sshd.c
index 0c15e2837..2ff8f45b4 100644
--- a/sshd.c
+++ b/sshd.c
@@ -11,7 +11,7 @@
 */
 #include "includes.h"
-RCSID("$Id: sshd.c,v 1.35 1999/12/07 04:38:32 damien Exp $");
+RCSID("$Id: sshd.c,v 1.36 1999/12/08 23:16:55 damien Exp $");
 #include "xmalloc.h"
 #include "rsa.h"
@@ -138,7 +138,8 @@ void do_child(const char *command, struct passwd * pw, const char *term,
 #ifdef HAVE_LIBPAM
 static int pamconv(int num_msg, const struct pam_message **msg,
          struct pam_response **resp, void *appdata_ptr);
-void do_pam_account_and_session(char *username, char *remote_user);
+void do_pam_account(char *username, char *remote_user);
+void do_pam_session(char *username, char *ttyname);
 void pam_cleanup_proc(void *context);
 static struct pam_conv conv = {
@@ -228,7 +229,7 @@ void pam_cleanup_proc(void *context)
        }
 }
-void do_pam_account_and_session(char *username, char *remote_user)
+void do_pam_account(char *username, char *remote_user)
 {
        int pam_retval;
@@ -254,12 +255,22 @@ void do_pam_account_and_session(char *username, char *remote_user)
                log("PAM rejected by account configuration: %.200s", PAM_STRERROR((pam_handle_t *)pamh, pam_retval));
                do_fake_authloop(username);
        }
+}
-        pam_retval = pam_open_session((pam_handle_t *)pamh, 0);
+void do_pam_session(char *username, char *ttyname)
-        if (pam_retval != PAM_SUCCESS) {
+{
-                log("PAM session setup failed: %.200s", PAM_STRERROR((pam_handle_t *)pamh, pam_retval));
+        int pam_retval;
-                do_fake_authloop(username);
+        if (ttyname != NULL) {
+                debug("PAM setting tty to \"%.200s\"", ttyname);
+                pam_retval = pam_set_item((pam_handle_t *)pamh, PAM_TTY, ttyname);
+                if (pam_retval != PAM_SUCCESS)
+                        fatal("PAM set tty failed: %.200s", PAM_STRERROR((pam_handle_t *)pamh, pam_retval));
        }
+        pam_retval = pam_open_session((pam_handle_t *)pamh, 0);
+        if (pam_retval != PAM_SUCCESS)
+                fatal("PAM session setup failed: %.200s", PAM_STRERROR((pam_handle_t *)pamh, pam_retval));
 }
 #endif /* HAVE_LIBPAM */
@@ -1476,12 +1487,16 @@ do_authloop(struct passwd * pw)
                        pam_retval = pam_authenticate((pam_handle_t *)pamh, 0);
                        if (pam_retval == PAM_SUCCESS) {
                                log("PAM Password authentication accepted for user \"%.100s\"", pw->pw_name);
+                                memset(password, 0, strlen(password));
+                                xfree(password);
                                authenticated = 1;
                                break;
                        }
                        log("PAM Password authentication for \"%.100s\" failed: %s", 
                                pw->pw_name, PAM_STRERROR((pam_handle_t *)pamh, pam_retval));
+                        memset(password, 0, strlen(password));
+                        xfree(password);
                        break;
 #else /* HAVE_LIBPAM */
                        /* Try authentication with the password. */
@@ -1561,30 +1576,18 @@ do_authloop(struct passwd * pw)
                        packet_disconnect(AUTH_FAIL_MSG, pw->pw_name);
 #else /* HAVE_LIBPAM */
                if (authenticated) {
-                        do_pam_account_and_session(pw->pw_name, client_user);
+                        do_pam_account(pw->pw_name, client_user);
-                        /* Clean up */
                        if (client_user != NULL)
                                xfree(client_user);
-                        if (password != NULL) {
-                                memset(password, 0, strlen(password));
-                                xfree(password);
-                        }
-                        
                        return;
                }
                if (attempt > AUTH_FAIL_MAX) {
-                        /* Clean up */
                        if (client_user != NULL)
                                xfree(client_user);
-                        if (password != NULL) {
-                                memset(password, 0, strlen(password));
-                                xfree(password);
-                        }
-                        
                        packet_disconnect(AUTH_FAIL_MSG, pw->pw_name);
                }
 #endif /* HAVE_LIBPAM */
@@ -1785,6 +1788,12 @@ do_authenticated(struct passwd * pw)
                        /* Indicate that we now have a pty. */
                        have_pty = 1;
+#ifdef HAVE_LIBPAM
+                        /* do the pam_open_session since we have the pty */
+                        do_pam_session(pw->pw_name,ttyname);
+#endif /* HAVE_LIBPAM */
                        break;
                case SSH_CMSG_X11_REQUEST_FORWARDING:
author	Damien Miller <djm@mindrot.org>	1999-12-09 10:16:54 +1100
committer	Damien Miller <djm@mindrot.org>	1999-12-09 10:16:54 +1100
commit	bf1c9b2012fadab02392126bece5d21e9ddffda6 (patch)
tree	371e5f27669fa28773e2b2bb008a81a03715cf2e /sshd.c
parent	fce1648681a20b99f569d4bfd9335bc4a956b119 (diff)

diff --git a/sshd.c b/sshd.c index 0c15e2837..2ff8f45b4 100644 --- a/sshd.c +++ b/sshd.c
@@ -11,7 +11,7 @@
11	*/	11	*/
12		12
13	#include "includes.h"	13	#include "includes.h"
14	RCSID("$Id: sshd.c,v 1.35 1999/12/07 04:38:32 damien Exp $");	14	RCSID("$Id: sshd.c,v 1.36 1999/12/08 23:16:55 damien Exp $");
15		15
16	#include "xmalloc.h"	16	#include "xmalloc.h"
17	#include "rsa.h"	17	#include "rsa.h"
@@ -138,7 +138,8 @@ void do_child(const char command, struct passwd pw, const char *term,
138	#ifdef HAVE_LIBPAM	138	#ifdef HAVE_LIBPAM
139	static int pamconv(int num_msg, const struct pam_message **msg,	139	static int pamconv(int num_msg, const struct pam_message **msg,
140	struct pam_response *resp, void appdata_ptr);	140	struct pam_response *resp, void appdata_ptr);
141	void do_pam_account_and_session(char username, char remote_user);	141	void do_pam_account(char username, char remote_user);
		142	void do_pam_session(char username, char ttyname);
142	void pam_cleanup_proc(void *context);	143	void pam_cleanup_proc(void *context);
143		144
144	static struct pam_conv conv = {	145	static struct pam_conv conv = {
@@ -228,7 +229,7 @@ void pam_cleanup_proc(void *context)
228	}	229	}
229	}	230	}
230		231
231	void do_pam_account_and_session(char username, char remote_user)	232	void do_pam_account(char username, char remote_user)
232	{	233	{
233	int pam_retval;	234	int pam_retval;
234		235
@@ -254,12 +255,22 @@ void do_pam_account_and_session(char username, char remote_user)
254	log("PAM rejected by account configuration: %.200s", PAM_STRERROR((pam_handle_t *)pamh, pam_retval));	255	log("PAM rejected by account configuration: %.200s", PAM_STRERROR((pam_handle_t *)pamh, pam_retval));
255	do_fake_authloop(username);	256	do_fake_authloop(username);
256	}	257	}
		258	}
257		259
258	pam_retval = pam_open_session((pam_handle_t *)pamh, 0);	260	void do_pam_session(char username, char ttyname)
259	if (pam_retval != PAM_SUCCESS) {	261	{
260	log("PAM session setup failed: %.200s", PAM_STRERROR((pam_handle_t *)pamh, pam_retval));	262	int pam_retval;
261	do_fake_authloop(username);	263
		264	if (ttyname != NULL) {
		265	debug("PAM setting tty to \"%.200s\"", ttyname);
		266	pam_retval = pam_set_item((pam_handle_t *)pamh, PAM_TTY, ttyname);
		267	if (pam_retval != PAM_SUCCESS)
		268	fatal("PAM set tty failed: %.200s", PAM_STRERROR((pam_handle_t *)pamh, pam_retval));
262	}	269	}
		270
		271	pam_retval = pam_open_session((pam_handle_t *)pamh, 0);
		272	if (pam_retval != PAM_SUCCESS)
		273	fatal("PAM session setup failed: %.200s", PAM_STRERROR((pam_handle_t *)pamh, pam_retval));
263	}	274	}
264	#endif /* HAVE_LIBPAM */	275	#endif /* HAVE_LIBPAM */
265		276
@@ -1476,12 +1487,16 @@ do_authloop(struct passwd * pw)
1476	pam_retval = pam_authenticate((pam_handle_t *)pamh, 0);	1487	pam_retval = pam_authenticate((pam_handle_t *)pamh, 0);
1477	if (pam_retval == PAM_SUCCESS) {	1488	if (pam_retval == PAM_SUCCESS) {
1478	log("PAM Password authentication accepted for user \"%.100s\"", pw->pw_name);	1489	log("PAM Password authentication accepted for user \"%.100s\"", pw->pw_name);
		1490	memset(password, 0, strlen(password));
		1491	xfree(password);
1479	authenticated = 1;	1492	authenticated = 1;
1480	break;	1493	break;
1481	}	1494	}
1482		1495
1483	log("PAM Password authentication for \"%.100s\" failed: %s",	1496	log("PAM Password authentication for \"%.100s\" failed: %s",
1484	pw->pw_name, PAM_STRERROR((pam_handle_t *)pamh, pam_retval));	1497	pw->pw_name, PAM_STRERROR((pam_handle_t *)pamh, pam_retval));
		1498	memset(password, 0, strlen(password));
		1499	xfree(password);
1485	break;	1500	break;
1486	#else /* HAVE_LIBPAM */	1501	#else /* HAVE_LIBPAM */
1487	/* Try authentication with the password. */	1502	/* Try authentication with the password. */
@@ -1561,30 +1576,18 @@ do_authloop(struct passwd * pw)
1561	packet_disconnect(AUTH_FAIL_MSG, pw->pw_name);	1576	packet_disconnect(AUTH_FAIL_MSG, pw->pw_name);
1562	#else /* HAVE_LIBPAM */	1577	#else /* HAVE_LIBPAM */
1563	if (authenticated) {	1578	if (authenticated) {
1564	do_pam_account_and_session(pw->pw_name, client_user);	1579	do_pam_account(pw->pw_name, client_user);
1565		1580
1566	/* Clean up */
1567	if (client_user != NULL)	1581	if (client_user != NULL)
1568	xfree(client_user);	1582	xfree(client_user);
1569		1583
1570	if (password != NULL) {
1571	memset(password, 0, strlen(password));
1572	xfree(password);
1573	}
1574
1575	return;	1584	return;
1576	}	1585	}
1577		1586
1578	if (attempt > AUTH_FAIL_MAX) {	1587	if (attempt > AUTH_FAIL_MAX) {
1579	/* Clean up */
1580	if (client_user != NULL)	1588	if (client_user != NULL)
1581	xfree(client_user);	1589	xfree(client_user);
1582		1590
1583	if (password != NULL) {
1584	memset(password, 0, strlen(password));
1585	xfree(password);
1586	}
1587
1588	packet_disconnect(AUTH_FAIL_MSG, pw->pw_name);	1591	packet_disconnect(AUTH_FAIL_MSG, pw->pw_name);
1589	}	1592	}
1590	#endif /* HAVE_LIBPAM */	1593	#endif /* HAVE_LIBPAM */
@@ -1785,6 +1788,12 @@ do_authenticated(struct passwd * pw)
1785		1788
1786	/* Indicate that we now have a pty. */	1789	/* Indicate that we now have a pty. */
1787	have_pty = 1;	1790	have_pty = 1;
		1791
		1792	#ifdef HAVE_LIBPAM
		1793	/* do the pam_open_session since we have the pty */
		1794	do_pam_session(pw->pw_name,ttyname);
		1795	#endif /* HAVE_LIBPAM */
		1796
1788	break;	1797	break;
1789		1798
1790	case SSH_CMSG_X11_REQUEST_FORWARDING:	1799	case SSH_CMSG_X11_REQUEST_FORWARDING: