diff options
-rw-r--r-- | ChangeLog | 5 | ||||
-rw-r--r-- | auth-pam.c | 7 | ||||
-rw-r--r-- | auth.c | 10 | ||||
-rw-r--r-- | auth1.c | 8 | ||||
-rw-r--r-- | auth2.c | 16 | ||||
-rw-r--r-- | monitor.c | 6 | ||||
-rw-r--r-- | monitor_wrap.c | 4 | ||||
-rw-r--r-- | servconf.c | 18 | ||||
-rw-r--r-- | servconf.h | 2 | ||||
-rw-r--r-- | session.c | 30 | ||||
-rw-r--r-- | sshd.c | 3 | ||||
-rw-r--r-- | sshd_config.5 | 15 |
12 files changed, 70 insertions, 54 deletions
@@ -68,6 +68,9 @@ | |||
68 | implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@ | 68 | implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@ |
69 | server interops with commercial client; ok jakob@ djm@ | 69 | server interops with commercial client; ok jakob@ djm@ |
70 | - (djm) Make portable build with MIT krb5 (some issues remain) | 70 | - (djm) Make portable build with MIT krb5 (some issues remain) |
71 | - (djm) Add new UsePAM configuration directive to allow runtime control | ||
72 | over usage of PAM. This allows non-root use of sshd when built with | ||
73 | --with-pam | ||
71 | 74 | ||
72 | 20030512 | 75 | 20030512 |
73 | - (djm) Redhat spec: Don't install profile.d scripts when not | 76 | - (djm) Redhat spec: Don't install profile.d scripts when not |
@@ -1455,4 +1458,4 @@ | |||
1455 | save auth method before monitor_reset_key_state(); bugzilla bug #284; | 1458 | save auth method before monitor_reset_key_state(); bugzilla bug #284; |
1456 | ok provos@ | 1459 | ok provos@ |
1457 | 1460 | ||
1458 | $Id: ChangeLog,v 1.2693 2003/05/14 04:31:11 djm Exp $ | 1461 | $Id: ChangeLog,v 1.2694 2003/05/14 05:11:48 djm Exp $ |
diff --git a/auth-pam.c b/auth-pam.c index f4718035d..234e8f435 100644 --- a/auth-pam.c +++ b/auth-pam.c | |||
@@ -49,6 +49,8 @@ RCSID("$FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48: | |||
49 | #include "ssh2.h" | 49 | #include "ssh2.h" |
50 | #include "xmalloc.h" | 50 | #include "xmalloc.h" |
51 | 51 | ||
52 | extern ServerOptions options; | ||
53 | |||
52 | #define __unused | 54 | #define __unused |
53 | 55 | ||
54 | #ifdef USE_POSIX_THREADS | 56 | #ifdef USE_POSIX_THREADS |
@@ -276,7 +278,6 @@ sshpam_cleanup(void *arg) | |||
276 | static int | 278 | static int |
277 | sshpam_init(const char *user) | 279 | sshpam_init(const char *user) |
278 | { | 280 | { |
279 | extern ServerOptions options; | ||
280 | extern u_int utmp_len; | 281 | extern u_int utmp_len; |
281 | const char *pam_rhost, *pam_user; | 282 | const char *pam_rhost, *pam_user; |
282 | 283 | ||
@@ -313,6 +314,10 @@ sshpam_init_ctx(Authctxt *authctxt) | |||
313 | struct pam_ctxt *ctxt; | 314 | struct pam_ctxt *ctxt; |
314 | int socks[2]; | 315 | int socks[2]; |
315 | 316 | ||
317 | /* Refuse to start if we don't have PAM enabled */ | ||
318 | if (!options.use_pam) | ||
319 | return NULL; | ||
320 | |||
316 | /* Initialize PAM */ | 321 | /* Initialize PAM */ |
317 | if (sshpam_init(authctxt->user) == -1) { | 322 | if (sshpam_init(authctxt->user) == -1) { |
318 | error("PAM: initialization failed"); | 323 | error("PAM: initialization failed"); |
@@ -78,8 +78,8 @@ allowed_user(struct passwd * pw) | |||
78 | #ifdef WITH_AIXAUTHENTICATE | 78 | #ifdef WITH_AIXAUTHENTICATE |
79 | char *loginmsg; | 79 | char *loginmsg; |
80 | #endif /* WITH_AIXAUTHENTICATE */ | 80 | #endif /* WITH_AIXAUTHENTICATE */ |
81 | #if !defined(USE_PAM) && defined(HAVE_SHADOW_H) && \ | 81 | #if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) && \ |
82 | !defined(DISABLE_SHADOW) && defined(HAS_SHADOW_EXPIRE) | 82 | defined(HAS_SHADOW_EXPIRE) |
83 | struct spwd *spw; | 83 | struct spwd *spw; |
84 | time_t today; | 84 | time_t today; |
85 | #endif | 85 | #endif |
@@ -88,10 +88,10 @@ allowed_user(struct passwd * pw) | |||
88 | if (!pw || !pw->pw_name) | 88 | if (!pw || !pw->pw_name) |
89 | return 0; | 89 | return 0; |
90 | 90 | ||
91 | #if !defined(USE_PAM) && defined(HAVE_SHADOW_H) && \ | 91 | #if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) && \ |
92 | !defined(DISABLE_SHADOW) && defined(HAS_SHADOW_EXPIRE) | 92 | defined(HAS_SHADOW_EXPIRE) |
93 | #define DAY (24L * 60 * 60) /* 1 day in seconds */ | 93 | #define DAY (24L * 60 * 60) /* 1 day in seconds */ |
94 | if ((spw = getspnam(pw->pw_name)) != NULL) { | 94 | if (!options.use_pam && (spw = getspnam(pw->pw_name)) != NULL) { |
95 | today = time(NULL) / DAY; | 95 | today = time(NULL) / DAY; |
96 | debug3("allowed_user: today %d sp_expire %d sp_lstchg %d" | 96 | debug3("allowed_user: today %d sp_expire %d sp_lstchg %d" |
97 | " sp_max %d", (int)today, (int)spw->sp_expire, | 97 | " sp_max %d", (int)today, (int)spw->sp_expire, |
@@ -342,11 +342,6 @@ do_authloop(Authctxt *authctxt) | |||
342 | !auth_root_allowed(get_authname(type))) | 342 | !auth_root_allowed(get_authname(type))) |
343 | authenticated = 0; | 343 | authenticated = 0; |
344 | #endif | 344 | #endif |
345 | #ifdef USE_PAM | ||
346 | if (!use_privsep && authenticated && | ||
347 | !do_pam_account(pw->pw_name, client_user)) | ||
348 | authenticated = 0; | ||
349 | #endif | ||
350 | 345 | ||
351 | /* Log before sending the reply */ | 346 | /* Log before sending the reply */ |
352 | auth_log(authctxt, authenticated, get_authname(type), info); | 347 | auth_log(authctxt, authenticated, get_authname(type), info); |
@@ -413,7 +408,8 @@ do_authentication(void) | |||
413 | use_privsep ? " [net]" : ""); | 408 | use_privsep ? " [net]" : ""); |
414 | 409 | ||
415 | #ifdef USE_PAM | 410 | #ifdef USE_PAM |
416 | PRIVSEP(start_pam(user)); | 411 | if (options.use_pam) |
412 | PRIVSEP(start_pam(user)); | ||
417 | #endif | 413 | #endif |
418 | 414 | ||
419 | /* | 415 | /* |
@@ -91,10 +91,6 @@ do_authentication2(void) | |||
91 | /* challenge-response is implemented via keyboard interactive */ | 91 | /* challenge-response is implemented via keyboard interactive */ |
92 | if (options.challenge_response_authentication) | 92 | if (options.challenge_response_authentication) |
93 | options.kbd_interactive_authentication = 1; | 93 | options.kbd_interactive_authentication = 1; |
94 | if (options.pam_authentication_via_kbd_int) | ||
95 | options.kbd_interactive_authentication = 1; | ||
96 | if (use_privsep) | ||
97 | options.pam_authentication_via_kbd_int = 0; | ||
98 | 94 | ||
99 | dispatch_init(&dispatch_protocol_error); | 95 | dispatch_init(&dispatch_protocol_error); |
100 | dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request); | 96 | dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request); |
@@ -163,12 +159,14 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) | |||
163 | authctxt->valid = 1; | 159 | authctxt->valid = 1; |
164 | debug2("input_userauth_request: setting up authctxt for %s", user); | 160 | debug2("input_userauth_request: setting up authctxt for %s", user); |
165 | #ifdef USE_PAM | 161 | #ifdef USE_PAM |
166 | PRIVSEP(start_pam(authctxt->pw->pw_name)); | 162 | if (options.use_pam) |
163 | PRIVSEP(start_pam(authctxt->pw->pw_name)); | ||
167 | #endif | 164 | #endif |
168 | } else { | 165 | } else { |
169 | logit("input_userauth_request: illegal user %s", user); | 166 | logit("input_userauth_request: illegal user %s", user); |
170 | #ifdef USE_PAM | 167 | #ifdef USE_PAM |
171 | PRIVSEP(start_pam(user)); | 168 | if (options.use_pam) |
169 | PRIVSEP(start_pam(user)); | ||
172 | #endif | 170 | #endif |
173 | } | 171 | } |
174 | setproctitle("%s%s", authctxt->pw ? user : "unknown", | 172 | setproctitle("%s%s", authctxt->pw ? user : "unknown", |
@@ -215,12 +213,6 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method) | |||
215 | !auth_root_allowed(method)) | 213 | !auth_root_allowed(method)) |
216 | authenticated = 0; | 214 | authenticated = 0; |
217 | 215 | ||
218 | #ifdef USE_PAM | ||
219 | if (!use_privsep && authenticated && authctxt->user && | ||
220 | !do_pam_account(authctxt->user, NULL)) | ||
221 | authenticated = 0; | ||
222 | #endif /* USE_PAM */ | ||
223 | |||
224 | #ifdef _UNICOS | 216 | #ifdef _UNICOS |
225 | if (authenticated && cray_access_denied(authctxt->user)) { | 217 | if (authenticated && cray_access_denied(authctxt->user)) { |
226 | authenticated = 0; | 218 | authenticated = 0; |
@@ -567,7 +567,8 @@ mm_answer_pwnamallow(int socket, Buffer *m) | |||
567 | } | 567 | } |
568 | 568 | ||
569 | #ifdef USE_PAM | 569 | #ifdef USE_PAM |
570 | monitor_permit(mon_dispatch, MONITOR_REQ_PAM_START, 1); | 570 | if (options.use_pam) |
571 | monitor_permit(mon_dispatch, MONITOR_REQ_PAM_START, 1); | ||
571 | #endif | 572 | #endif |
572 | 573 | ||
573 | return (0); | 574 | return (0); |
@@ -750,6 +751,9 @@ mm_answer_pam_start(int socket, Buffer *m) | |||
750 | { | 751 | { |
751 | char *user; | 752 | char *user; |
752 | 753 | ||
754 | if (!options.use_pam) | ||
755 | fatal("UsePAM not set, but ended up in %s anyway", __func__); | ||
756 | |||
753 | user = buffer_get_string(m, NULL); | 757 | user = buffer_get_string(m, NULL); |
754 | 758 | ||
755 | start_pam(user); | 759 | start_pam(user); |
diff --git a/monitor_wrap.c b/monitor_wrap.c index a83413a5f..bd3a01a2b 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c | |||
@@ -47,6 +47,7 @@ RCSID("$OpenBSD: monitor_wrap.c,v 1.26 2003/04/07 08:29:57 markus Exp $"); | |||
47 | #include "atomicio.h" | 47 | #include "atomicio.h" |
48 | #include "monitor_fdpass.h" | 48 | #include "monitor_fdpass.h" |
49 | #include "getput.h" | 49 | #include "getput.h" |
50 | #include "servconf.h" | ||
50 | 51 | ||
51 | #include "auth.h" | 52 | #include "auth.h" |
52 | #include "channels.h" | 53 | #include "channels.h" |
@@ -59,6 +60,7 @@ extern z_stream incoming_stream; | |||
59 | extern z_stream outgoing_stream; | 60 | extern z_stream outgoing_stream; |
60 | extern struct monitor *pmonitor; | 61 | extern struct monitor *pmonitor; |
61 | extern Buffer input, output; | 62 | extern Buffer input, output; |
63 | extern ServerOptions options; | ||
62 | 64 | ||
63 | void | 65 | void |
64 | mm_request_send(int socket, enum monitor_reqtype type, Buffer *m) | 66 | mm_request_send(int socket, enum monitor_reqtype type, Buffer *m) |
@@ -669,6 +671,8 @@ mm_start_pam(char *user) | |||
669 | Buffer m; | 671 | Buffer m; |
670 | 672 | ||
671 | debug3("%s entering", __func__); | 673 | debug3("%s entering", __func__); |
674 | if (!options.use_pam) | ||
675 | fatal("UsePAM=no, but ended up in %s anyway", __func__); | ||
672 | 676 | ||
673 | buffer_init(&m); | 677 | buffer_init(&m); |
674 | buffer_put_cstring(&m, user); | 678 | buffer_put_cstring(&m, user); |
diff --git a/servconf.c b/servconf.c index 8e2839085..fbdc4d8fa 100644 --- a/servconf.c +++ b/servconf.c | |||
@@ -59,8 +59,10 @@ initialize_server_options(ServerOptions *options) | |||
59 | { | 59 | { |
60 | memset(options, 0, sizeof(*options)); | 60 | memset(options, 0, sizeof(*options)); |
61 | 61 | ||
62 | #ifdef USE_PAM | ||
62 | /* Portable-specific options */ | 63 | /* Portable-specific options */ |
63 | options->pam_authentication_via_kbd_int = -1; | 64 | options->use_pam = -1; |
65 | #endif | ||
64 | 66 | ||
65 | /* Standard Options */ | 67 | /* Standard Options */ |
66 | options->num_ports = 0; | 68 | options->num_ports = 0; |
@@ -136,8 +138,10 @@ void | |||
136 | fill_default_server_options(ServerOptions *options) | 138 | fill_default_server_options(ServerOptions *options) |
137 | { | 139 | { |
138 | /* Portable-specific options */ | 140 | /* Portable-specific options */ |
139 | if (options->pam_authentication_via_kbd_int == -1) | 141 | #ifdef USE_PAM |
140 | options->pam_authentication_via_kbd_int = 0; | 142 | if (options->use_pam == -1) |
143 | options->use_pam = 1; | ||
144 | #endif | ||
141 | 145 | ||
142 | /* Standard Options */ | 146 | /* Standard Options */ |
143 | if (options->protocol == SSH_PROTO_UNKNOWN) | 147 | if (options->protocol == SSH_PROTO_UNKNOWN) |
@@ -279,7 +283,7 @@ fill_default_server_options(ServerOptions *options) | |||
279 | typedef enum { | 283 | typedef enum { |
280 | sBadOption, /* == unknown option */ | 284 | sBadOption, /* == unknown option */ |
281 | /* Portable-specific options */ | 285 | /* Portable-specific options */ |
282 | sPAMAuthenticationViaKbdInt, | 286 | sUsePAM, |
283 | /* Standard Options */ | 287 | /* Standard Options */ |
284 | sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime, | 288 | sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime, |
285 | sPermitRootLogin, sLogFacility, sLogLevel, | 289 | sPermitRootLogin, sLogFacility, sLogLevel, |
@@ -315,7 +319,7 @@ static struct { | |||
315 | ServerOpCodes opcode; | 319 | ServerOpCodes opcode; |
316 | } keywords[] = { | 320 | } keywords[] = { |
317 | /* Portable-specific options */ | 321 | /* Portable-specific options */ |
318 | { "PAMAuthenticationViaKbdInt", sPAMAuthenticationViaKbdInt }, | 322 | { "UsePAM", sUsePAM }, |
319 | /* Standard Options */ | 323 | /* Standard Options */ |
320 | { "port", sPort }, | 324 | { "port", sPort }, |
321 | { "hostkey", sHostKeyFile }, | 325 | { "hostkey", sHostKeyFile }, |
@@ -462,8 +466,8 @@ process_server_config_line(ServerOptions *options, char *line, | |||
462 | opcode = parse_token(arg, filename, linenum); | 466 | opcode = parse_token(arg, filename, linenum); |
463 | switch (opcode) { | 467 | switch (opcode) { |
464 | /* Portable-specific options */ | 468 | /* Portable-specific options */ |
465 | case sPAMAuthenticationViaKbdInt: | 469 | case sUsePAM: |
466 | intptr = &options->pam_authentication_via_kbd_int; | 470 | intptr = &options->use_pam; |
467 | goto parse_flag; | 471 | goto parse_flag; |
468 | 472 | ||
469 | /* Standard Options */ | 473 | /* Standard Options */ |
diff --git a/servconf.h b/servconf.h index 024987dd6..afa80675e 100644 --- a/servconf.h +++ b/servconf.h | |||
@@ -131,7 +131,7 @@ typedef struct { | |||
131 | 131 | ||
132 | char *authorized_keys_file; /* File containing public keys */ | 132 | char *authorized_keys_file; /* File containing public keys */ |
133 | char *authorized_keys_file2; | 133 | char *authorized_keys_file2; |
134 | int pam_authentication_via_kbd_int; | 134 | int use_pam; /* Enable auth via PAM */ |
135 | } ServerOptions; | 135 | } ServerOptions; |
136 | 136 | ||
137 | void initialize_server_options(ServerOptions *); | 137 | void initialize_server_options(ServerOptions *); |
@@ -456,11 +456,13 @@ do_exec_no_pty(Session *s, const char *command) | |||
456 | session_proctitle(s); | 456 | session_proctitle(s); |
457 | 457 | ||
458 | #if defined(USE_PAM) | 458 | #if defined(USE_PAM) |
459 | do_pam_session(s->pw->pw_name, NULL); | 459 | if (options.use_pam) { |
460 | do_pam_setcred(1); | 460 | do_pam_session(s->pw->pw_name, NULL); |
461 | if (is_pam_password_change_required()) | 461 | do_pam_setcred(1); |
462 | packet_disconnect("Password change required but no " | 462 | if (is_pam_password_change_required()) |
463 | "TTY available"); | 463 | packet_disconnect("Password change required but no " |
464 | "TTY available"); | ||
465 | } | ||
464 | #endif /* USE_PAM */ | 466 | #endif /* USE_PAM */ |
465 | 467 | ||
466 | /* Fork the child. */ | 468 | /* Fork the child. */ |
@@ -583,8 +585,10 @@ do_exec_pty(Session *s, const char *command) | |||
583 | ttyfd = s->ttyfd; | 585 | ttyfd = s->ttyfd; |
584 | 586 | ||
585 | #if defined(USE_PAM) | 587 | #if defined(USE_PAM) |
586 | do_pam_session(s->pw->pw_name, s->tty); | 588 | if (options.use_pam) { |
587 | do_pam_setcred(1); | 589 | do_pam_session(s->pw->pw_name, s->tty); |
590 | do_pam_setcred(1); | ||
591 | } | ||
588 | #endif | 592 | #endif |
589 | 593 | ||
590 | /* Fork the child. */ | 594 | /* Fork the child. */ |
@@ -753,7 +757,7 @@ do_login(Session *s, const char *command) | |||
753 | * If password change is needed, do it now. | 757 | * If password change is needed, do it now. |
754 | * This needs to occur before the ~/.hushlogin check. | 758 | * This needs to occur before the ~/.hushlogin check. |
755 | */ | 759 | */ |
756 | if (is_pam_password_change_required()) { | 760 | if (options.use_pam && is_pam_password_change_required()) { |
757 | print_pam_messages(); | 761 | print_pam_messages(); |
758 | do_pam_chauthtok(); | 762 | do_pam_chauthtok(); |
759 | } | 763 | } |
@@ -763,7 +767,7 @@ do_login(Session *s, const char *command) | |||
763 | return; | 767 | return; |
764 | 768 | ||
765 | #ifdef USE_PAM | 769 | #ifdef USE_PAM |
766 | if (!is_pam_password_change_required()) | 770 | if (options.use_pam && !is_pam_password_change_required()) |
767 | print_pam_messages(); | 771 | print_pam_messages(); |
768 | #endif /* USE_PAM */ | 772 | #endif /* USE_PAM */ |
769 | #ifdef WITH_AIXAUTHENTICATE | 773 | #ifdef WITH_AIXAUTHENTICATE |
@@ -1077,10 +1081,9 @@ do_setup_env(Session *s, const char *shell) | |||
1077 | * Pull in any environment variables that may have | 1081 | * Pull in any environment variables that may have |
1078 | * been set by PAM. | 1082 | * been set by PAM. |
1079 | */ | 1083 | */ |
1080 | { | 1084 | if (options.use_pam) { |
1081 | char **p; | 1085 | char **p = fetch_pam_environment(); |
1082 | 1086 | ||
1083 | p = fetch_pam_environment(); | ||
1084 | copy_environment(p, &env, &envsize); | 1087 | copy_environment(p, &env, &envsize); |
1085 | free_pam_environment(p); | 1088 | free_pam_environment(p); |
1086 | } | 1089 | } |
@@ -1248,7 +1251,8 @@ do_setusercontext(struct passwd *pw) | |||
1248 | * These will have been wiped by the above initgroups() call. | 1251 | * These will have been wiped by the above initgroups() call. |
1249 | * Reestablish them here. | 1252 | * Reestablish them here. |
1250 | */ | 1253 | */ |
1251 | do_pam_setcred(0); | 1254 | if (options.use_pam) |
1255 | do_pam_setcred(0); | ||
1252 | # endif /* USE_PAM */ | 1256 | # endif /* USE_PAM */ |
1253 | # if defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY) | 1257 | # if defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY) |
1254 | irix_setusercontext(pw); | 1258 | irix_setusercontext(pw); |
@@ -1544,7 +1544,8 @@ main(int ac, char **av) | |||
1544 | verbose("Closing connection to %.100s", remote_ip); | 1544 | verbose("Closing connection to %.100s", remote_ip); |
1545 | 1545 | ||
1546 | #ifdef USE_PAM | 1546 | #ifdef USE_PAM |
1547 | finish_pam(); | 1547 | if (options.use_pam) |
1548 | finish_pam(); | ||
1548 | #endif /* USE_PAM */ | 1549 | #endif /* USE_PAM */ |
1549 | 1550 | ||
1550 | packet_close(); | 1551 | packet_close(); |
diff --git a/sshd_config.5 b/sshd_config.5 index 31ef3996d..1278cb61f 100644 --- a/sshd_config.5 +++ b/sshd_config.5 | |||
@@ -422,12 +422,15 @@ The probability increases linearly and all connection attempts | |||
422 | are refused if the number of unauthenticated connections reaches | 422 | are refused if the number of unauthenticated connections reaches |
423 | .Dq full | 423 | .Dq full |
424 | (60). | 424 | (60). |
425 | .It Cm PAMAuthenticationViaKbdInt | 425 | |
426 | Specifies whether PAM challenge response authentication is allowed. This | 426 | .It Cm UsePAM |
427 | allows the use of most PAM challenge response authentication modules, but | 427 | Enables PAM authentication (via challenge-response) and session set up. |
428 | it will allow password authentication regardless of whether | 428 | If you enable this, you should probably disable |
429 | .Cm PasswordAuthentication | 429 | .Cm PasswordAuthentication . |
430 | is enabled. | 430 | If you enable |
431 | .CM UsePAM | ||
432 | then you will not be able to run sshd as a non-root user. | ||
433 | |||
431 | .It Cm PasswordAuthentication | 434 | .It Cm PasswordAuthentication |
432 | Specifies whether password authentication is allowed. | 435 | Specifies whether password authentication is allowed. |
433 | The default is | 436 | The default is |