-rw-r--r--ChangeLog3
-rw-r--r--Makefile.in2
-rw-r--r--sshd.c89
3 files changed, 63 insertions, 31 deletions
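diff --git a/ChangeLog b/ChangeLog
index d53e33ae8..8a954adcb 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -3,6 +3,9 @@
  - Incorporated latest changes from OpenBSD's CVS
  - Integrated Makefile patch from Niels Kristian Bech Jensen <nkbj@image.dk>
  - Integrated PAM env patch from Nalin Dahyabhai <nalin.dahyabhai@pobox.com>
+ - Make distclean now removed configure script
+ - Improved PAM logging
+ - Added some debug() calls for PAM
 
 19991028
  - Further PAM enhancements.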
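diff --git a/Makefile.in b/Makefile.in
index 436bc2ea1..d1aec1330 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -76,7 +76,7 @@ install:
  install -m644 -c sshd.8 $(mandir)/man8/sshd.8
 
 distclean: clean
- rm -f Makefile config.h *~
+ rm -f Makefile config.h core configure *~
  rm -rf bin
 
 mrproper: distclean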
diff --git a/sshd.c b/sshd.c
index 39dd3675b..028c495f7 100644
--- a/sshd.c
+++ b/sshd.c
@@ -18,7 +18,7 @@ agent connections.
18*/ 18*/
19 19
20#include "includes.h" 20#include "includes.h"
21RCSID("$Id: sshd.c,v 1.7 1999/10/29 00:21:15 damien Exp $"); 21RCSID("$Id: sshd.c,v 1.8 1999/10/29 01:49:20 damien Exp $");
22 22
23#include "xmalloc.h" 23#include "xmalloc.h"
24#include "rsa.h" 24#include "rsa.h"
@@ -188,40 +188,63 @@ static int pamconv(int num_msg, const struct pam_message **msg,
188 188
189void pam_cleanup_proc(void *context) 189void pam_cleanup_proc(void *context)
190{ 190{
191 int retval; 191 int pam_retval;
192 192
193 if (pamh != NULL) 193 if (pamh != NULL)
194 { 194 {
195 retval = pam_close_session((pam_handle_t *)pamh, 0); 195 pam_retval = pam_close_session((pam_handle_t *)pamh, 0);
196 196 if (pam_retval != PAM_SUCCESS)
197 if (pam_end((pam_handle_t *)pamh, retval) != PAM_SUCCESS) 197 {
198 log("Cannot release PAM authentication."); 198 log("Cannot close PAM session: %.200s",
199 pam_strerror((pam_handle_t *)pamh, pam_retval));
200 }
201
202 pam_retval = pam_end((pam_handle_t *)pamh, pam_retval);
203 if (pam_retval != PAM_SUCCESS)
204 {
205 log("Cannot release PAM authentication: %.200s",
206 pam_strerror((pam_handle_t *)pamh, pam_retval));
207 }
199 } 208 }
200} 209}
201 210
202void do_pam_account_and_session(const char *username, const char *password, const char *remote_user, const char *remote_host) 211void do_pam_account_and_session(const char *username, const char *password, const char *remote_user, const char *remote_host)
203{ 212{
204 if (remote_host && (PAM_SUCCESS != pam_set_item((pam_handle_t *)pamh, PAM_RHOST, remote_host))) 213 int pam_retval;
214
215 if (remote_host != NULL)
205 { 216 {
206 log("PAM setup failed."); 217 debug("PAM setting rhost to \"%.200s\"", remote_host);
207 eat_packets_and_disconnect(username); 218 pam_retval = pam_set_item((pam_handle_t *)pamh, PAM_RHOST, remote_host);
219 if (pam_retval != PAM_SUCCESS)
220 {
221 log("PAM set rhost failed: %.200s", pam_strerror((pam_handle_t *)pamh, pam_retval));
222 eat_packets_and_disconnect(username);
223 }
208 } 224 }
209 225
210 if (remote_user && (PAM_SUCCESS != pam_set_item((pam_handle_t *)pamh, PAM_RUSER, remote_user))) 226 if (remote_user != NULL)
211 { 227 {
212 log("PAM setup failed."); 228 debug("PAM setting ruser to \"%.200s\"", remote_user);
213 eat_packets_and_disconnect(username); 229 pam_retval = pam_set_item((pam_handle_t *)pamh, PAM_RUSER, remote_user);
230 if (pam_retval != PAM_SUCCESS)
231 {
232 log("PAM set ruser failed: %.200s", pam_strerror((pam_handle_t *)pamh, pam_retval));
233 eat_packets_and_disconnect(username);
234 }
214 } 235 }
215 236
216 if (PAM_SUCCESS != pam_acct_mgmt((pam_handle_t *)pamh, 0)) 237 pam_retval = pam_acct_mgmt((pam_handle_t *)pamh, 0);
238 if (pam_retval != PAM_SUCCESS)
217 { 239 {
218 log("PAM rejected by account configuration."); 240 log("PAM rejected by account configuration: %.200s", pam_strerror((pam_handle_t *)pamh, pam_retval));
219 eat_packets_and_disconnect(username); 241 eat_packets_and_disconnect(username);
220 } 242 }
221 243
222 if (PAM_SUCCESS != pam_open_session((pam_handle_t *)pamh, 0)) 244 pam_retval = pam_open_session((pam_handle_t *)pamh, 0);
245 if (pam_retval != PAM_SUCCESS)
223 { 246 {
224 log("PAM session setup failed."); 247 log("PAM session setup failed: %.200s", pam_strerror((pam_handle_t *)pamh, pam_retval));
225 eat_packets_and_disconnect(username); 248 eat_packets_and_disconnect(username);
226 } 249 }
227} 250}
@@ -815,8 +838,10 @@ main(int ac, char **av)
815 838
816 if (pamh != NULL) 839 if (pamh != NULL)
817 { 840 {
841 debug("Closing PAM session.");
818 retval = pam_close_session((pam_handle_t *)pamh, 0); 842 retval = pam_close_session((pam_handle_t *)pamh, 0);
819 843
844 debug("Terminating PAM library.");
820 if (pam_end((pam_handle_t *)pamh, retval) != PAM_SUCCESS) 845 if (pam_end((pam_handle_t *)pamh, retval) != PAM_SUCCESS)
821 log("Cannot release PAM authentication."); 846 log("Cannot release PAM authentication.");
822 847
@@ -1111,7 +1136,10 @@ do_authentication(char *user, int privileged_port)
1111 char *client_user = NULL; 1136 char *client_user = NULL;
1112 unsigned int client_host_key_bits; 1137 unsigned int client_host_key_bits;
1113 BIGNUM *client_host_key_e, *client_host_key_n; 1138 BIGNUM *client_host_key_e, *client_host_key_n;
1114 1139#ifdef HAVE_LIBPAM
1140 int pam_retval;
1141#endif /* HAVE_LIBPAM */
1142
1115#ifdef AFS 1143#ifdef AFS
1116 /* If machine has AFS, set process authentication group. */ 1144 /* If machine has AFS, set process authentication group. */
1117 if (k_hasafs()) { 1145 if (k_hasafs()) {
@@ -1136,15 +1164,14 @@ do_authentication(char *user, int privileged_port)
1136 pw = &pwcopy; 1164 pw = &pwcopy;
1137 1165
1138#ifdef HAVE_LIBPAM 1166#ifdef HAVE_LIBPAM
1139 if (PAM_SUCCESS != pam_start("sshd", pw->pw_name, &conv, (pam_handle_t**)&pamh)) 1167 debug("Starting up PAM with username \"%.200s\"", pw->pw_name);
1168 pam_retval = pam_start("sshd", pw->pw_name, &conv, (pam_handle_t**)&pamh);
1169 if (pam_retval != PAM_SUCCESS)
1140 { 1170 {
1141 packet_start(SSH_SMSG_FAILURE); 1171 log("PAM initialisation failed: %.200s", pam_strerror((pam_handle_t *)pamh, pam_retval));
1142 packet_send(); 1172 eat_packets_and_disconnect(user);
1143 packet_write_wait();
1144 packet_disconnect("PAM initialisation failed.");
1145 } 1173 }
1146 1174 fatal_add_cleanup(&pam_cleanup_proc, NULL);
1147 fatal_add_cleanup(&pam_cleanup_proc, NULL);
1148#endif 1175#endif
1149 1176
1150 /* If we are not running as root, the user must have the same uid as the 1177 /* If we are not running as root, the user must have the same uid as the
@@ -1405,15 +1432,17 @@ do_authentication(char *user, int privileged_port)
1405 1432
1406#ifdef HAVE_LIBPAM 1433#ifdef HAVE_LIBPAM
1407 pampasswd = password; 1434 pampasswd = password;
1408 1435
1409 if (PAM_SUCCESS == pam_authenticate((pam_handle_t *)pamh, 0)) 1436 pam_retval = pam_authenticate((pam_handle_t *)pamh, 0);
1437 if (pam_retval == PAM_SUCCESS)
1410 { 1438 {
1411 log("PAM Password authentication accepted for %.100s.", user); 1439 log("PAM Password authentication accepted for \"%.100s\"", user);
1412 authenticated = 1; 1440 authenticated = 1;
1413 break; 1441 break;
1414 } else 1442 } else
1415 { 1443 {
1416 log("PAM Password authentication for %.100s failed.", user); 1444 log("PAM Password authentication for \"%.100s\" failed: %s",
1445 user, pam_strerror((pam_handle_t *)pamh, pam_retval));
1417 break; 1446 break;
1418 } 1447 }
1419#else /* HAVE_LIBPAM */ 1448#else /* HAVE_LIBPAM */