-rw-r--r-- | auth-pam.c | 26 | ||||
-rw-r--r-- | session.c | 26 |
2 files changed, 46 insertions, 6 deletions
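--- a/auth-pam.c
+++ b/auth-pam.c
@@ -926,6 +926,27 @@ finish_pam(void)
 	sshpam_cleanup();
 }
 
+static void
+expose_authinfo(const char *caller)
+{
+	char *auth_info;
+
+	/*
+	 * Expose authentication information to PAM.
+	 * The enviornment variable is versioned. Please increment the
+	 * version suffix if the format of session_info changes.
+	 */
+	if (sshpam_authctxt->session_info == NULL)
+		auth_info = xstrdup("");
+	else if ((auth_info = sshbuf_dup_string(
+	    sshpam_authctxt->session_info)) == NULL)
+		fatal("%s: sshbuf_dup_string failed", __func__);
+
+	debug2("%s: auth information in SSH_AUTH_INFO_0", caller);
+	do_pam_putenv("SSH_AUTH_INFO_0", auth_info);
+	free(auth_info);
+}
+
 u_int
 do_pam_account(void)
 {
@@ -933,6 +954,8 @@ do_pam_account(void)
 	if (sshpam_account_status != -1)
 		return (sshpam_account_status);
 
+	expose_authinfo(__func__);
+
 	sshpam_err = pam_acct_mgmt(sshpam_handle, 0);
 	debug3("PAM: %s pam_acct_mgmt = %d (%s)", __func__, sshpam_err,
 	    pam_strerror(sshpam_handle, sshpam_err));
@@ -1057,6 +1080,9 @@ void
 do_pam_session(void)
 {
 	debug3("PAM: opening session");
+
+	expose_authinfo(__func__);
+
 	sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
 	    (const void *)&store_conv);
 	if (sshpam_err != PAM_SUCCESS)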
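Review bot: The header comment on expose_authinfo (new lines 934–938) misspells "enviornment" and does not say where SSH_AUTH_INFO_0 is consumed or scrubbed, which matters because the versioned-suffix convention only stays safe while the filter on the session.c side keeps matching every suffix; I would add `* Anything copying the PAM environment back into the user's session must filter SSH_AUTH_INFO* (see copy_environment_blacklist in session.c).` to that comment. Note also that when session_info is NULL the variable is still exported, with an empty value (new lines 939–940), so a PAM module cannot tell "no authentication info recorded" from an empty record; if that is deliberate, the comment should state it. The two callers, do_pam_account and do_pam_session, both start or continue outside the hunks shown here.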
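--- a/session.c
+++ b/session.c
@@ -984,8 +984,9 @@ read_etc_default_login(char ***env, u_int *envsize, uid_t uid)
 }
 #endif /* HAVE_ETC_DEFAULT_LOGIN */
 
-void
-copy_environment(char **source, char ***env, u_int *envsize)
+static void
+copy_environment_blacklist(char **source, char ***env, u_int *envsize,
+    const char *blacklist)
 {
 	char *var_name, *var_val;
 	int i;
@@ -1001,13 +1002,22 @@ copy_environment(char **source, char ***env, u_int *envsize)
 		}
 		*var_val++ = '\0';
 
-		debug3("Copy environment: %s=%s", var_name, var_val);
-		child_set_env(env, envsize, var_name, var_val);
+		if (blacklist == NULL ||
+		    match_pattern_list(var_name, blacklist, 0) != 1) {
+			debug3("Copy environment: %s=%s", var_name, var_val);
+			child_set_env(env, envsize, var_name, var_val);
+		}
 
 		free(var_name);
 	}
 }
 
+void
+copy_environment(char **source, char ***env, u_int *envsize)
+{
+	copy_environment_blacklist(source, env, envsize, NULL);
+}
+
 static char **
 do_setup_env(Session *s, const char *shell)
 {
@@ -1169,12 +1179,16 @@ do_setup_env(Session *s, const char *shell)
 	if (options.use_pam) {
 		char **p;
 
+		/*
+		 * Don't allow SSH_AUTH_INFO variables posted to PAM to leak
+		 * back into the environment.
+		 */
 		p = fetch_pam_child_environment();
-		copy_environment(p, &env, &envsize);
+		copy_environment_blacklist(p, &env, &envsize, "SSH_AUTH_INFO*");
 		free_pam_environment(p);
 
 		p = fetch_pam_environment();
-		copy_environment(p, &env, &envsize);
+		copy_environment_blacklist(p, &env, &envsize, "SSH_AUTH_INFO*");
 		free_pam_environment(p);
 	}
 #endif /* USE_PAM */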
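Review bot: The pattern "SSH_AUTH_INFO*" is written out twice, on new lines 1187 and 1191, and has to stay in step with the SSH_AUTH_INFO_0 name that auth-pam.c exports to PAM; one definition next to copy_environment_blacklist, e.g. `#define PAM_ENV_BLACKLIST "SSH_AUTH_INFO*"`, used at both call sites would keep a future suffix or rename from silently reopening the leak. copy_environment_blacklist itself (new lines 987–989) has no header comment; I would add one stating that blacklist is a match_pattern_list() pattern list, that a positive match (return value 1) skips the variable while any other result copies it, and that NULL disables filtering, which is what the new copy_environment wrapper relies on. A filtered variable is currently dropped with no trace in the debug output, so an `else debug3("Environment variable %s filtered", var_name);` after the new if on line 1005 would make the drop visible when diagnosing a PAM setup. The for loop enclosing that if begins before the second hunk.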