diff options
| -rw-r--r-- | ChangeLog | 3 | ||||
| -rw-r--r-- | auth-pam.c | 3 | ||||
| -rw-r--r-- | auth1.c | 5 | ||||
| -rw-r--r-- | auth2.c | 8 | ||||
| -rw-r--r-- | monitor.c | 34 | ||||
| -rw-r--r-- | monitor.h | 1 | ||||
| -rw-r--r-- | monitor_wrap.c | 17 | ||||
| -rw-r--r-- | monitor_wrap.h | 4 |
8 files changed, 62 insertions, 13 deletions
| @@ -1,6 +1,7 @@ | |||
| 1 | 20020423 | 1 | 20020423 |
| 2 | - (djm) Bug #222: Fix tests for getaddrinfo on OSF/1. Spotted by | 2 | - (djm) Bug #222: Fix tests for getaddrinfo on OSF/1. Spotted by |
| 3 | Robert Urban <urban@spielwiese.de> | 3 | Robert Urban <urban@spielwiese.de> |
| 4 | - (djm) Make privsep work with PAM (still experimental) | ||
| 4 | 5 | ||
| 5 | 20020421 | 6 | 20020421 |
| 6 | - (tim) [entropy.c.] Portability fix for SCO Unix 3.2v4.x (SCO OSR 3.0). | 7 | - (tim) [entropy.c.] Portability fix for SCO Unix 3.2v4.x (SCO OSR 3.0). |
| @@ -8267,4 +8268,4 @@ | |||
| 8267 | - Wrote replacements for strlcpy and mkdtemp | 8268 | - Wrote replacements for strlcpy and mkdtemp |
| 8268 | - Released 1.0pre1 | 8269 | - Released 1.0pre1 |
| 8269 | 8270 | ||
| 8270 | $Id: ChangeLog,v 1.2062 2002/04/23 10:22:59 djm Exp $ | 8271 | $Id: ChangeLog,v 1.2063 2002/04/23 10:28:48 djm Exp $ |
diff --git a/auth-pam.c b/auth-pam.c index daa83c72a..222b358cc 100644 --- a/auth-pam.c +++ b/auth-pam.c | |||
| @@ -36,7 +36,7 @@ | |||
| 36 | 36 | ||
| 37 | extern char *__progname; | 37 | extern char *__progname; |
| 38 | 38 | ||
| 39 | RCSID("$Id: auth-pam.c,v 1.43 2002/04/04 19:02:28 stevesk Exp $"); | 39 | RCSID("$Id: auth-pam.c,v 1.44 2002/04/23 10:28:49 djm Exp $"); |
| 40 | 40 | ||
| 41 | #define NEW_AUTHTOK_MSG \ | 41 | #define NEW_AUTHTOK_MSG \ |
| 42 | "Warning: Your password has expired, please change it now" | 42 | "Warning: Your password has expired, please change it now" |
| @@ -249,6 +249,7 @@ int do_pam_account(char *username, char *remote_user) | |||
| 249 | } | 249 | } |
| 250 | 250 | ||
| 251 | pam_retval = pam_acct_mgmt(__pamh, 0); | 251 | pam_retval = pam_acct_mgmt(__pamh, 0); |
| 252 | debug2("pam_acct_mgmt() = %d", pam_retval); | ||
| 252 | switch (pam_retval) { | 253 | switch (pam_retval) { |
| 253 | case PAM_SUCCESS: | 254 | case PAM_SUCCESS: |
| 254 | /* This is what we want */ | 255 | /* This is what we want */ |
| @@ -306,7 +306,8 @@ do_authloop(Authctxt *authctxt) | |||
| 306 | authenticated = 0; | 306 | authenticated = 0; |
| 307 | #endif | 307 | #endif |
| 308 | #ifdef USE_PAM | 308 | #ifdef USE_PAM |
| 309 | if (authenticated && !do_pam_account(pw->pw_name, client_user)) | 309 | if (!use_privsep && authenticated && |
| 310 | !do_pam_account(pw->pw_name, client_user)) | ||
| 310 | authenticated = 0; | 311 | authenticated = 0; |
| 311 | #endif | 312 | #endif |
| 312 | 313 | ||
| @@ -381,7 +382,7 @@ do_authentication(void) | |||
| 381 | use_privsep ? " [net]" : ""); | 382 | use_privsep ? " [net]" : ""); |
| 382 | 383 | ||
| 383 | #ifdef USE_PAM | 384 | #ifdef USE_PAM |
| 384 | start_pam(authctxt->pw == NULL ? "NOUSER" : user); | 385 | PRIVSEP(start_pam(authctxt->pw == NULL ? "NOUSER" : user)); |
| 385 | #endif | 386 | #endif |
| 386 | 387 | ||
| 387 | /* | 388 | /* |
| @@ -189,12 +189,12 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) | |||
| 189 | authctxt->valid = 1; | 189 | authctxt->valid = 1; |
| 190 | debug2("input_userauth_request: setting up authctxt for %s", user); | 190 | debug2("input_userauth_request: setting up authctxt for %s", user); |
| 191 | #ifdef USE_PAM | 191 | #ifdef USE_PAM |
| 192 | start_pam(authctxt->pw->pw_name); | 192 | PRIVSEP(start_pam(authctxt->pw->pw_name)); |
| 193 | #endif | 193 | #endif |
| 194 | } else { | 194 | } else { |
| 195 | log("input_userauth_request: illegal user %s", user); | 195 | log("input_userauth_request: illegal user %s", user); |
| 196 | #ifdef USE_PAM | 196 | #ifdef USE_PAM |
| 197 | start_pam("NOUSER"); | 197 | PRIVSEP(start_pam("NOUSER")); |
| 198 | #endif | 198 | #endif |
| 199 | } | 199 | } |
| 200 | setproctitle("%s%s", authctxt->pw ? user : "unknown", | 200 | setproctitle("%s%s", authctxt->pw ? user : "unknown", |
| @@ -242,8 +242,8 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method) | |||
| 242 | authenticated = 0; | 242 | authenticated = 0; |
| 243 | 243 | ||
| 244 | #ifdef USE_PAM | 244 | #ifdef USE_PAM |
| 245 | if (authenticated && authctxt->user && !do_pam_account(authctxt->user, | 245 | if (!use_privsep && authenticated && authctxt->user && |
| 246 | NULL)) | 246 | !do_pam_account(authctxt->user, NULL)) |
| 247 | authenticated = 0; | 247 | authenticated = 0; |
| 248 | #endif /* USE_PAM */ | 248 | #endif /* USE_PAM */ |
| 249 | 249 | ||
| @@ -113,6 +113,10 @@ int mm_answer_rsa_response(int, Buffer *); | |||
| 113 | int mm_answer_sesskey(int, Buffer *); | 113 | int mm_answer_sesskey(int, Buffer *); |
| 114 | int mm_answer_sessid(int, Buffer *); | 114 | int mm_answer_sessid(int, Buffer *); |
| 115 | 115 | ||
| 116 | #ifdef USE_PAM | ||
| 117 | int mm_answer_pam_start(int, Buffer *); | ||
| 118 | #endif | ||
| 119 | |||
| 116 | static Authctxt *authctxt; | 120 | static Authctxt *authctxt; |
| 117 | static BIGNUM *ssh1_challenge = NULL; /* used for ssh1 rsa auth */ | 121 | static BIGNUM *ssh1_challenge = NULL; /* used for ssh1 rsa auth */ |
| 118 | 122 | ||
| @@ -143,8 +147,9 @@ struct mon_table mon_dispatch_proto20[] = { | |||
| 143 | {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, | 147 | {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, |
| 144 | {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, | 148 | {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, |
| 145 | {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, | 149 | {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, |
| 146 | #if !defined(USE_PAM) | ||
| 147 | {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, | 150 | {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, |
| 151 | #ifdef USE_PAM | ||
| 152 | {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start}, | ||
| 148 | #endif | 153 | #endif |
| 149 | #ifdef BSD_AUTH | 154 | #ifdef BSD_AUTH |
| 150 | {MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery}, | 155 | {MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery}, |
| @@ -172,9 +177,7 @@ struct mon_table mon_dispatch_proto15[] = { | |||
| 172 | {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, | 177 | {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, |
| 173 | {MONITOR_REQ_SESSKEY, MON_ONCE, mm_answer_sesskey}, | 178 | {MONITOR_REQ_SESSKEY, MON_ONCE, mm_answer_sesskey}, |
| 174 | {MONITOR_REQ_SESSID, MON_ONCE, mm_answer_sessid}, | 179 | {MONITOR_REQ_SESSID, MON_ONCE, mm_answer_sessid}, |
| 175 | #if !defined(USE_PAM) | ||
| 176 | {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, | 180 | {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, |
| 177 | #endif | ||
| 178 | {MONITOR_REQ_RSAKEYALLOWED, MON_ISAUTH, mm_answer_rsa_keyallowed}, | 181 | {MONITOR_REQ_RSAKEYALLOWED, MON_ISAUTH, mm_answer_rsa_keyallowed}, |
| 179 | {MONITOR_REQ_KEYALLOWED, MON_ISAUTH, mm_answer_keyallowed}, | 182 | {MONITOR_REQ_KEYALLOWED, MON_ISAUTH, mm_answer_keyallowed}, |
| 180 | {MONITOR_REQ_RSACHALLENGE, MON_ONCE, mm_answer_rsa_challenge}, | 183 | {MONITOR_REQ_RSACHALLENGE, MON_ONCE, mm_answer_rsa_challenge}, |
| @@ -260,6 +263,10 @@ monitor_child_preauth(struct monitor *monitor) | |||
| 260 | if (authctxt->pw->pw_uid == 0 && | 263 | if (authctxt->pw->pw_uid == 0 && |
| 261 | !auth_root_allowed(auth_method)) | 264 | !auth_root_allowed(auth_method)) |
| 262 | authenticated = 0; | 265 | authenticated = 0; |
| 266 | #ifdef USE_PAM | ||
| 267 | if (!do_pam_account(authctxt->pw->pw_name, NULL)) | ||
| 268 | authenticated = 0; | ||
| 269 | #endif | ||
| 263 | } | 270 | } |
| 264 | 271 | ||
| 265 | if (ent->flags & MON_AUTHDECIDE) { | 272 | if (ent->flags & MON_AUTHDECIDE) { |
| @@ -457,6 +464,9 @@ mm_answer_sign(int socket, Buffer *m) | |||
| 457 | /* Turn on permissions for getpwnam */ | 464 | /* Turn on permissions for getpwnam */ |
| 458 | monitor_permit(mon_dispatch, MONITOR_REQ_PWNAM, 1); | 465 | monitor_permit(mon_dispatch, MONITOR_REQ_PWNAM, 1); |
| 459 | 466 | ||
| 467 | #ifdef USE_PAM | ||
| 468 | monitor_permit(mon_dispatch, MONITOR_REQ_PAM_START, 1); | ||
| 469 | #endif | ||
| 460 | return (0); | 470 | return (0); |
| 461 | } | 471 | } |
| 462 | 472 | ||
| @@ -537,7 +547,6 @@ mm_answer_authserv(int socket, Buffer *m) | |||
| 537 | return (0); | 547 | return (0); |
| 538 | } | 548 | } |
| 539 | 549 | ||
| 540 | #if !defined(USE_PAM) | ||
| 541 | int | 550 | int |
| 542 | mm_answer_authpassword(int socket, Buffer *m) | 551 | mm_answer_authpassword(int socket, Buffer *m) |
| 543 | { | 552 | { |
| @@ -566,7 +575,6 @@ mm_answer_authpassword(int socket, Buffer *m) | |||
| 566 | /* Causes monitor loop to terminate if authenticated */ | 575 | /* Causes monitor loop to terminate if authenticated */ |
| 567 | return (authenticated); | 576 | return (authenticated); |
| 568 | } | 577 | } |
| 569 | #endif | ||
| 570 | 578 | ||
| 571 | #ifdef BSD_AUTH | 579 | #ifdef BSD_AUTH |
| 572 | int | 580 | int |
| @@ -673,6 +681,22 @@ mm_answer_skeyrespond(int socket, Buffer *m) | |||
| 673 | } | 681 | } |
| 674 | #endif | 682 | #endif |
| 675 | 683 | ||
| 684 | #ifdef USE_PAM | ||
| 685 | int | ||
| 686 | mm_answer_pam_start(int socket, Buffer *m) | ||
| 687 | { | ||
| 688 | char *user; | ||
| 689 | |||
| 690 | user = buffer_get_string(m, NULL); | ||
| 691 | |||
| 692 | start_pam(user); | ||
| 693 | |||
| 694 | xfree(user); | ||
| 695 | |||
| 696 | return (0); | ||
| 697 | } | ||
| 698 | #endif | ||
| 699 | |||
| 676 | static void | 700 | static void |
| 677 | mm_append_debug(Buffer *m) | 701 | mm_append_debug(Buffer *m) |
| 678 | { | 702 | { |
| @@ -48,6 +48,7 @@ enum monitor_reqtype { | |||
| 48 | MONITOR_REQ_RSAKEYALLOWED, MONITOR_ANS_RSAKEYALLOWED, | 48 | MONITOR_REQ_RSAKEYALLOWED, MONITOR_ANS_RSAKEYALLOWED, |
| 49 | MONITOR_REQ_RSACHALLENGE, MONITOR_ANS_RSACHALLENGE, | 49 | MONITOR_REQ_RSACHALLENGE, MONITOR_ANS_RSACHALLENGE, |
| 50 | MONITOR_REQ_RSARESPONSE, MONITOR_ANS_RSARESPONSE, | 50 | MONITOR_REQ_RSARESPONSE, MONITOR_ANS_RSARESPONSE, |
| 51 | MONITOR_REQ_PAM_START, | ||
| 51 | MONITOR_REQ_TERM, | 52 | MONITOR_REQ_TERM, |
| 52 | }; | 53 | }; |
| 53 | 54 | ||
diff --git a/monitor_wrap.c b/monitor_wrap.c index 53bf59b5b..0fe5bc10d 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c | |||
| @@ -623,6 +623,23 @@ mm_session_pty_cleanup2(void *session) | |||
| 623 | s->ttyfd = -1; | 623 | s->ttyfd = -1; |
| 624 | } | 624 | } |
| 625 | 625 | ||
| 626 | #ifdef USE_PAM | ||
| 627 | void | ||
| 628 | mm_start_pam(char *user) | ||
| 629 | { | ||
| 630 | Buffer m; | ||
| 631 | |||
| 632 | debug3("%s entering", __FUNCTION__); | ||
| 633 | |||
| 634 | buffer_init(&m); | ||
| 635 | buffer_put_cstring(&m, user); | ||
| 636 | |||
| 637 | mm_request_send(monitor->m_recvfd, MONITOR_REQ_PAM_START, &m); | ||
| 638 | |||
| 639 | buffer_free(&m); | ||
| 640 | } | ||
| 641 | #endif /* USE_PAM */ | ||
| 642 | |||
| 626 | /* Request process termination */ | 643 | /* Request process termination */ |
| 627 | 644 | ||
| 628 | void | 645 | void |
diff --git a/monitor_wrap.h b/monitor_wrap.h index fe434d1e1..975ba0549 100644 --- a/monitor_wrap.h +++ b/monitor_wrap.h | |||
| @@ -54,6 +54,10 @@ int mm_auth_rsa_key_allowed(struct passwd *, BIGNUM *, Key **); | |||
| 54 | int mm_auth_rsa_verify_response(Key *, BIGNUM *, u_char *); | 54 | int mm_auth_rsa_verify_response(Key *, BIGNUM *, u_char *); |
| 55 | BIGNUM *mm_auth_rsa_generate_challenge(Key *); | 55 | BIGNUM *mm_auth_rsa_generate_challenge(Key *); |
| 56 | 56 | ||
| 57 | #ifdef USE_PAM | ||
| 58 | void mm_start_pam(char *); | ||
| 59 | #endif | ||
| 60 | |||
| 57 | void mm_terminate(void); | 61 | void mm_terminate(void); |
| 58 | int mm_pty_allocate(int *, int *, char *, int); | 62 | int mm_pty_allocate(int *, int *, char *, int); |
| 59 | void mm_session_pty_cleanup2(void *); | 63 | void mm_session_pty_cleanup2(void *); |