-rw-r--r-- | ChangeLog | 7 | ||||
-rw-r--r-- | auth-pam.c | 56 |
2 files changed, 30 insertions, 33 deletions
@@ -1,6 +1,9 @@ | |||
1 | 20031117 | 1 | 20031118 |
2 | - (djm) Fix early exit for root auth success when UsePAM=yes and | 2 | - (djm) Fix early exit for root auth success when UsePAM=yes and |
3 | PermitRootLogin=no | 3 | PermitRootLogin=no |
4 | - (dtucker) [auth-pam.c] Convert chauthtok_conv into a generic tty_conv, | ||
5 | and use it for do_pam_session. Fixes problems like pam_motd not displaying | ||
6 | anything. ok djm@ | ||
4 | 7 | ||
5 | 20031117 | 8 | 20031117 |
6 | - (djm) OpenBSD CVS Sync | 9 | - (djm) OpenBSD CVS Sync |
@@ -1476,4 +1479,4 @@ | |||
1476 | - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. | 1479 | - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. |
1477 | Report from murple@murple.net, diagnosis from dtucker@zip.com.au | 1480 | Report from murple@murple.net, diagnosis from dtucker@zip.com.au |
1478 | 1481 | ||
1479 | $Id: ChangeLog,v 1.3113 2003/11/17 23:45:20 djm Exp $ | 1482 | $Id: ChangeLog,v 1.3114 2003/11/18 01:42:07 dtucker Exp $ |
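--- a/auth-pam.c
+++ b/auth-pam.c
@@ -31,7 +31,7 @@
 
 /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */
 #include "includes.h"
-RCSID("$Id: auth-pam.c,v 1.80 2003/11/17 10:41:42 djm Exp $");
+RCSID("$Id: auth-pam.c,v 1.81 2003/11/18 01:42:08 dtucker Exp $");
 
 #ifdef USE_PAM
 #include <security/pam_appl.h>
@@ -52,6 +52,7 @@ RCSID("$Id: auth-pam.c,v 1.80 2003/11/17 10:41:42 djm Exp $");
 #include "auth-options.h"
 
 extern ServerOptions options;
+extern Buffer loginmsg;
 
 #define __unused
 
@@ -497,13 +498,9 @@ sshpam_query(void *ctx, char **name, char **info,
 	case PAM_AUTH_ERR:
 		if (**prompts != NULL) {
 			/* drain any accumulated messages */
-#if 0 /* XXX - not compatible with privsep */
-			packet_start(SSH2_MSG_USERAUTH_BANNER);
-			packet_put_cstring(**prompts);
-			packet_put_cstring("");
-			packet_send();
-			packet_write_wait();
-#endif
+			debug("PAM: %s", **prompts);
+			buffer_append(&loginmsg, **prompts,
+			    strlen(**prompts));
 			xfree(**prompts);
 			**prompts = NULL;
 		}
@@ -631,21 +628,6 @@ do_pam_account(void)
 }
 
 void
-do_pam_session(void)
-{
-	sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
-	    (const void *)&null_conv);
-	if (sshpam_err != PAM_SUCCESS)
-		fatal("PAM: failed to set PAM_CONV: %s",
-		    pam_strerror(sshpam_handle, sshpam_err));
-	sshpam_err = pam_open_session(sshpam_handle, 0);
-	if (sshpam_err != PAM_SUCCESS)
-		fatal("PAM: pam_open_session(): %s",
-		    pam_strerror(sshpam_handle, sshpam_err));
-	sshpam_session_open = 1;
-}
-
-void
 do_pam_set_tty(const char *tty)
 {
 	if (tty != NULL) {
@@ -691,7 +673,7 @@ is_pam_password_change_required(void)
 }
 
 static int
-pam_chauthtok_conv(int n, const struct pam_message **msg,
+pam_tty_conv(int n, const struct pam_message **msg,
     struct pam_response **resp, void *data)
 {
 	char input[PAM_MAX_MSG_SIZE];
@@ -700,7 +682,7 @@ pam_chauthtok_conv(int n, const struct pam_message **msg,
 
 	*resp = NULL;
 
-	if (n <= 0 || n > PAM_MAX_NUM_MSG)
+	if (n <= 0 || n > PAM_MAX_NUM_MSG || !isatty(STDIN_FILENO))
 		return (PAM_CONV_ERR);
 
 	if ((reply = malloc(n * sizeof(*reply))) == NULL)
@@ -742,6 +724,8 @@ pam_chauthtok_conv(int n, const struct pam_message **msg,
 	return (PAM_CONV_ERR);
 }
 
+static struct pam_conv tty_conv = { pam_tty_conv, NULL };
+
 /*
  * XXX this should be done in the authentication phase, but ssh1 doesn't
  * support that
@@ -749,15 +733,10 @@ pam_chauthtok_conv(int n, const struct pam_message **msg,
 void
 do_pam_chauthtok(void)
 {
-	struct pam_conv pam_conv;
-
-	pam_conv.conv = pam_chauthtok_conv;
-	pam_conv.appdata_ptr = NULL;
-
 	if (use_privsep)
 		fatal("Password expired (unable to change with privsep)");
 	sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
-	    (const void *)&pam_conv);
+	    (const void *)&tty_conv);
 	if (sshpam_err != PAM_SUCCESS)
 		fatal("PAM: failed to set PAM_CONV: %s",
 		    pam_strerror(sshpam_handle, sshpam_err));
@@ -768,6 +747,21 @@ do_pam_chauthtok(void)
 		    pam_strerror(sshpam_handle, sshpam_err));
 }
 
+void
+do_pam_session(void)
+{
+	sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
+	    (const void *)&tty_conv);
+	if (sshpam_err != PAM_SUCCESS)
+		fatal("PAM: failed to set PAM_CONV: %s",
+		    pam_strerror(sshpam_handle, sshpam_err));
+	sshpam_err = pam_open_session(sshpam_handle, 0);
+	if (sshpam_err != PAM_SUCCESS)
+		fatal("PAM: pam_open_session(): %s",
+		    pam_strerror(sshpam_handle, sshpam_err));
+	sshpam_session_open = 1;
+}
+
 /*
  * Set a PAM environment string. We need to do this so that the session
  * modules can handle things like Kerberos/GSI credentials that appear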
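Review bot: pam_tty_conv now returns PAM_CONV_ERR whenever stdin is not a tty, and the re-added do_pam_session installs it as PAM_CONV right before pam_open_session(), so any session module that calls the conversation function (pam_motd is the motivating case in the ChangeLog) makes pam_open_session() fail and fatal() the login whenever sshd's stdin is not a terminal, such as a non-interactive command; the old null_conv presumably absorbed those messages. The failure mode is a refused login rather than a bypass, but it is a regression the commit does not discuss. A minimal guard is to keep the silent conversation when there is no terminal, `(const void *)(isatty(STDIN_FILENO) ? &tty_conv : &null_conv)` in do_pam_session, if null_conv is still defined; the fuller fix is a conversation function that appends PAM_TEXT_INFO/PAM_ERROR_MSG text to loginmsg, as the sshpam_query hunk now does for PAM_AUTH_ERR, and only refuses messages that require input. The message-handling body of pam_tty_conv lies outside the hunk, so whether it already tolerates info-only messages cannot be confirmed from here.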