-rw-r--r-- | ChangeLog | 11 | ||||
-rw-r--r-- | acconfig.h | 62 | ||||
-rw-r--r-- | auth-passwd.c | 47 | ||||
-rw-r--r-- | bsd-login.c | 46 | ||||
-rw-r--r-- | bsd-login.h | 21 | ||||
-rw-r--r-- | configure.in | 47 | ||||
-rw-r--r-- | includes.h | 1 | ||||
-rw-r--r-- | login.c | 40 | ||||
-rw-r--r-- | packages/redhat/openssh.spec | 2 | ||||
-rw-r--r-- | packages/redhat/sshd.pam | 2 | ||||
-rw-r--r-- | packages/suse/openssh.spec | 2 | ||||
-rw-r--r-- | sshd.c | 43 | ||||
-rw-r--r-- | sshd.pam.generic | 2 |
13 files changed, 197 insertions, 129 deletions
@@ -1,3 +1,14 @@ | |||
1 | 19991225 | ||
2 | - More fixes from Andre Lucas <andre.lucas@dial.pipex.com> | ||
3 | - Cleanup of auth-passwd.c for shadow and MD5 passwords | ||
4 | - Cleanup and bugfix of PAM authentication code | ||
5 | |||
6 | 19991223 | ||
7 | - Merged later HPUX patch from Andre Lucas | ||
8 | <andre.lucas@dial.pipex.com> | ||
9 | - Above patch included better utmpx support from Ben Taylor | ||
10 | <bent@clark.net>: | ||
11 | |||
1 | 19991222 | 12 | 19991222 |
2 | - Fix undefined fd_set type in ssh.h from Povl H. Pedersen | 13 | - Fix undefined fd_set type in ssh.h from Povl H. Pedersen |
3 | <pope@netguide.dk> | 14 | <pope@netguide.dk> |
diff --git a/acconfig.h b/acconfig.h index b02abbafe..1e706ff58 100644 --- a/acconfig.h +++ b/acconfig.h | |||
@@ -30,6 +30,9 @@ | |||
30 | /* Define is utmpx.h has a ut_host field */ | 30 | /* Define is utmpx.h has a ut_host field */ |
31 | #undef HAVE_HOST_IN_UTMPX | 31 | #undef HAVE_HOST_IN_UTMPX |
32 | 32 | ||
33 | /* Define is utmpx.h has a syslen field */ | ||
34 | #undef HAVE_SYSLEN_IN_UTMPX | ||
35 | |||
33 | /* Define if you want to use utmpx */ | 36 | /* Define if you want to use utmpx */ |
34 | #undef USE_UTMPX | 37 | #undef USE_UTMPX |
35 | 38 | ||
@@ -63,6 +66,9 @@ | |||
63 | /* Define if xauth is found in your path */ | 66 | /* Define if xauth is found in your path */ |
64 | #undef XAUTH_PATH | 67 | #undef XAUTH_PATH |
65 | 68 | ||
69 | /* Define if rsh is found in your path */ | ||
70 | #undef RSH_PATH | ||
71 | |||
66 | /* Define if you want to allow MD5 passwords */ | 72 | /* Define if you want to allow MD5 passwords */ |
67 | #undef HAVE_MD5_PASSWORDS | 73 | #undef HAVE_MD5_PASSWORDS |
68 | 74 | ||
@@ -76,6 +82,9 @@ | |||
76 | /* to pam_strerror */ | 82 | /* to pam_strerror */ |
77 | #undef HAVE_OLD_PAM | 83 | #undef HAVE_OLD_PAM |
78 | 84 | ||
85 | /* Set this to your mail directory if you don't have maillock.h */ | ||
86 | #undef MAIL_DIRECTORY | ||
87 | |||
79 | /* Data types */ | 88 | /* Data types */ |
80 | #undef HAVE_QUAD_T | 89 | #undef HAVE_QUAD_T |
81 | #undef HAVE_INTXX_T | 90 | #undef HAVE_INTXX_T |
@@ -197,36 +206,19 @@ enum | |||
197 | # endif | 206 | # endif |
198 | #endif | 207 | #endif |
199 | 208 | ||
200 | /* Use utmpx if supported */ | ||
201 | #if defined(HAVE_UTMPX_H) && defined(USE_UTMPX) | ||
202 | # define UTMP_STR utmpx | ||
203 | #else | ||
204 | # ifdef HAVE_UTMP_H | ||
205 | # define UTMP_STR utmp | ||
206 | # endif | ||
207 | #endif | ||
208 | |||
209 | #ifndef _PATH_UTMP | 209 | #ifndef _PATH_UTMP |
210 | # if defined(UTMPX_FILE) && defined(USE_UTMPX) | 210 | # ifdef UTMP_FILE |
211 | # define _PATH_UTMP UTMPX_FILE | 211 | # define _PATH_UTMP UTMP_FILE |
212 | # else | 212 | # else |
213 | # ifdef UTMP_FILE | 213 | # define _PATH_UTMP "/var/adm/utmp" |
214 | # define _PATH_UTMP UTMP_FILE | ||
215 | # else | ||
216 | # define _PATH_UTMP "/var/adm/utmp" | ||
217 | # endif | ||
218 | # endif | 214 | # endif |
219 | #endif | 215 | #endif |
220 | 216 | ||
221 | #ifndef _PATH_WTMP | 217 | #ifndef _PATH_WTMP |
222 | # if defined(WTMPX_FILE) && defined(USE_UTMPX) | 218 | # ifdef WTMP_FILE |
223 | # define _PATH_WTMP WTMPX_FILE | 219 | # define _PATH_WTMP WTMP_FILE |
224 | # else | 220 | # else |
225 | # ifdef WTMP_FILE | 221 | # define _PATH_WTMP "/var/adm/wtmp" |
226 | # define _PATH_WTMP WTMP_FILE | ||
227 | # else | ||
228 | # define _PATH_WTMP "/var/adm/wtmp" | ||
229 | # endif | ||
230 | # endif | 222 | # endif |
231 | #endif | 223 | #endif |
232 | 224 | ||
@@ -242,16 +234,14 @@ enum | |||
242 | # define _PATH_DEVNULL "/dev/null" | 234 | # define _PATH_DEVNULL "/dev/null" |
243 | #endif | 235 | #endif |
244 | 236 | ||
245 | #ifndef _PATH_MAILDIR | 237 | #ifndef MAILDIR |
246 | # ifdef MAILDIR | 238 | # define MAILDIR MAIL_DIRECTORY |
247 | # define _PATH_MAILDIR MAILDIR | ||
248 | # else | ||
249 | # ifdef MAIL_DIRECTORY | ||
250 | # define _PATH_MAILDIR MAIL_DIRECTORY | ||
251 | # endif | ||
252 | # endif | ||
253 | #endif | 239 | #endif |
254 | 240 | ||
241 | #if !defined(_PATH_MAILDIR) && defined(MAILDIR) | ||
242 | # define _PATH_MAILDIR MAILDIR | ||
243 | #endif /* !defined(_PATH_MAILDIR) && defined(MAILDIR) */ | ||
244 | |||
255 | #ifndef MAX | 245 | #ifndef MAX |
256 | # define MAX(a,b) (((a)>(b))?(a):(b)) | 246 | # define MAX(a,b) (((a)>(b))?(a):(b)) |
257 | # define MIN(a,b) (((a)<(b))?(a):(b)) | 247 | # define MIN(a,b) (((a)<(b))?(a):(b)) |
@@ -287,3 +277,13 @@ enum | |||
287 | #if !defined(HAVE_SETEUID) && defined(HAVE_SETREUID) | 277 | #if !defined(HAVE_SETEUID) && defined(HAVE_SETREUID) |
288 | # define seteuid(a) setreuid(-1,a) | 278 | # define seteuid(a) setreuid(-1,a) |
289 | #endif /* !defined(HAVE_SETEUID) && defined(HAVE_SETREUID) */ | 279 | #endif /* !defined(HAVE_SETEUID) && defined(HAVE_SETREUID) */ |
280 | |||
281 | #ifndef HAVE_INNETGR | ||
282 | # define innetgr(a,b,c,d) (0) | ||
283 | #endif /* HAVE_INNETGR */ | ||
284 | |||
285 | #ifndef _PATH_RSH | ||
286 | # ifdef RSH_PATH | ||
287 | # define _PATH_RSH RSH_PATH | ||
288 | # endif /* RSH_PATH */ | ||
289 | #endif /* _PATH_RSH */ | ||
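Review bot: The rewritten mail block at new lines 237-243 defines `MAILDIR` as `MAIL_DIRECTORY` whenever MAILDIR is not already set, and then `_PATH_MAILDIR` as `MAILDIR` unconditionally, so on a host without maillock.h where configure has left `MAIL_DIRECTORY` as the `#undef` at line 86, `_PATH_MAILDIR` expands to the bare identifier `MAIL_DIRECTORY` and any use of it will fail to compile; the old code only defined `_PATH_MAILDIR` when one of the two was really defined. Guard the fallback: `#if !defined(MAILDIR) && defined(MAIL_DIRECTORY)` / `# define MAILDIR MAIL_DIRECTORY` / `#endif`. The new `innetgr` stub at line 282 fails closed (every netgroup test, presumably from the rhosts code, is a non-match), which is the right default but should say so: `/* No netgroup support: every netgroup membership test fails (fail closed) */`. Note also that `_PATH_RSH` will become the literal string "no" when configure is run with --without-rsh, since configure.in passes $withval through unchanged.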
diff --git a/auth-passwd.c b/auth-passwd.c index fc0809e16..058dde82b 100644 --- a/auth-passwd.c +++ b/auth-passwd.c | |||
@@ -9,9 +9,9 @@ | |||
9 | 9 | ||
10 | #include "includes.h" | 10 | #include "includes.h" |
11 | 11 | ||
12 | #ifndef HAVE_PAM | 12 | #ifndef HAVE_LIBPAM |
13 | 13 | ||
14 | RCSID("$Id: auth-passwd.c,v 1.10 1999/12/21 10:03:09 damien Exp $"); | 14 | RCSID("$Id: auth-passwd.c,v 1.11 1999/12/24 23:11:29 damien Exp $"); |
15 | 15 | ||
16 | #include "packet.h" | 16 | #include "packet.h" |
17 | #include "ssh.h" | 17 | #include "ssh.h" |
@@ -35,6 +35,8 @@ auth_password(struct passwd * pw, const char *password) | |||
35 | { | 35 | { |
36 | extern ServerOptions options; | 36 | extern ServerOptions options; |
37 | char *encrypted_password; | 37 | char *encrypted_password; |
38 | char *pw_password; | ||
39 | char *salt; | ||
38 | #ifdef HAVE_SHADOW_H | 40 | #ifdef HAVE_SHADOW_H |
39 | struct spwd *spw; | 41 | struct spwd *spw; |
40 | #endif | 42 | #endif |
@@ -68,48 +70,35 @@ auth_password(struct passwd * pw, const char *password) | |||
68 | if (strcmp(password, "") == 0 && strcmp(pw->pw_passwd, "") == 0) | 70 | if (strcmp(password, "") == 0 && strcmp(pw->pw_passwd, "") == 0) |
69 | return 1; | 71 | return 1; |
70 | 72 | ||
73 | pw_password = pw->pw_passwd; | ||
74 | |||
71 | #if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) | 75 | #if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) |
72 | spw = getspnam(pw->pw_name); | 76 | spw = getspnam(pw->pw_name); |
73 | if (spw == NULL) | 77 | if (spw == NULL) |
74 | return(0); | 78 | return(0); |
75 | 79 | ||
76 | if ((spw->sp_namp == NULL) || (strcmp(pw->pw_name, spw->sp_namp) != 0)) | ||
77 | fatal("Shadow lookup returned garbage."); | ||
78 | |||
79 | /* Check for users with no password. */ | 80 | /* Check for users with no password. */ |
80 | if (strcmp(password, "") == 0 && strcmp(spw->sp_pwdp, "") == 0) | 81 | if (strcmp(password, "") == 0 && strcmp(spw->sp_pwdp, "") == 0) |
81 | return 1; | 82 | return 1; |
82 | 83 | ||
83 | if (strlen(spw->sp_pwdp) < 3) | 84 | pw_password = spw->sp_pwdp; |
84 | return(0); | 85 | #endif /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */ |
85 | 86 | ||
86 | /* Encrypt the candidate password using the proper salt. */ | 87 | if (pw_password[0] != '\0') |
87 | #ifdef HAVE_MD5_PASSWORDS | 88 | salt = pw_password; |
88 | if (is_md5_salt(spw->sp_pwdp)) | ||
89 | encrypted_password = md5_crypt(password, spw->sp_pwdp); | ||
90 | else | 89 | else |
91 | encrypted_password = crypt(password, spw->sp_pwdp); | 90 | salt = "xx"; |
92 | #else /* HAVE_MD5_PASSWORDS */ | ||
93 | encrypted_password = crypt(password, spw->sp_pwdp); | ||
94 | #endif /* HAVE_MD5_PASSWORDS */ | ||
95 | /* Authentication is accepted if the encrypted passwords are identical. */ | ||
96 | return (strcmp(encrypted_password, spw->sp_pwdp) == 0); | ||
97 | #else /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */ | ||
98 | |||
99 | if (strlen(pw->pw_passwd) < 3) | ||
100 | return(0); | ||
101 | 91 | ||
102 | #ifdef HAVE_MD5_PASSWORDS | 92 | #ifdef HAVE_MD5_PASSWORDS |
103 | if (is_md5_salt(pw->pw_passwd)) | 93 | if (is_md5_salt(salt)) |
104 | encrypted_password = md5_crypt(password, pw->pw_passwd); | 94 | encrypted_password = md5_crypt(password, salt); |
105 | else | 95 | else |
106 | encrypted_password = crypt(password, pw->pw_passwd); | 96 | encrypted_password = crypt(password, salt); |
107 | #else /* HAVE_MD5_PASSWORDS */ | 97 | #else /* HAVE_MD5_PASSWORDS */ |
108 | encrypted_password = crypt(password, pw->pw_passwd); | 98 | encrypted_password = crypt(password, salt); |
109 | #endif /* HAVE_MD5_PASSWORDS */ | 99 | #endif /* HAVE_MD5_PASSWORDS */ |
110 | 100 | ||
111 | /* Authentication is accepted if the encrypted passwords are identical. */ | 101 | /* Authentication is accepted if the encrypted passwords are identical. */ |
112 | return (strcmp(encrypted_password, pw->pw_passwd) == 0); | 102 | return (strcmp(encrypted_password, pw_password) == 0); |
113 | #endif /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */ | ||
114 | } | 103 | } |
115 | #endif /* !HAVE_PAM */ | 104 | #endif /* !HAVE_LIBPAM */ |
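Review bot: The value returned by crypt()/md5_crypt() is handed straight to strcmp at new line 102 with no NULL check, and the commit also removes the old `strlen(...) < 3` guards that used to reject short or locked entries (`*`, `!`, `x`) before crypt() was ever called; on libcs whose crypt(3) returns NULL for a malformed salt that is a NULL dereference in the authentication path. Add `if (encrypted_password == NULL) return 0;` immediately before the comparison. The `salt = "xx"` fallback at line 90 deserves a one-line comment saying it exists only so an empty field still yields a non-matching hash rather than a crash, since a reader may otherwise take it for a default password. The middle of auth_password (old lines 43-69) falls between the two hunks and is not shown.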
diff --git a/bsd-login.c b/bsd-login.c index c0f4c1ab0..d81e46914 100644 --- a/bsd-login.c +++ b/bsd-login.c | |||
@@ -54,53 +54,63 @@ static char *rcsid = "$OpenBSD: login.c,v 1.5 1998/07/13 02:11:12 millert Exp $" | |||
54 | #include <stdio.h> | 54 | #include <stdio.h> |
55 | #include <string.h> | 55 | #include <string.h> |
56 | 56 | ||
57 | #if defined(HAVE_UTMPX_H) && defined(USE_UTMPX) | ||
58 | void | ||
59 | login(utp,utx) | ||
60 | struct utmp *utp; | ||
61 | struct utmpx *utx; | ||
62 | #else /* defined(HAVE_UTMPX_H) && defined(USE_UTMPX) */ | ||
57 | void | 63 | void |
58 | login(utp) | 64 | login(utp) |
59 | struct UTMP_STR *utp; | 65 | struct utmp *utp; |
66 | #endif /* defined(HAVE_UTMPX_H) && defined(USE_UTMPX) */ | ||
60 | { | 67 | { |
61 | struct UTMP_STR old_ut; | 68 | struct utmp old_ut; |
69 | #if defined(HAVE_UTMPX_H) && defined(USE_UTMPX) | ||
70 | struct utmpx *old_utx; | ||
71 | #endif /* defined(HAVE_UTMPX_H) && defined(USE_UTMPX) */ | ||
62 | register int fd; | 72 | register int fd; |
63 | int tty; | 73 | int tty; |
64 | 74 | ||
65 | #ifndef UT_LINESIZE | 75 | #ifndef UT_LINESIZE |
66 | # define UT_LINESIZE (sizeof(old_ut.ut_line)) | 76 | # define UT_LINESIZE (sizeof(old_ut.ut_line)) |
67 | # if defined(HAVE_UTMPX_H) && defined(USE_UTMPX) | 77 | # define UT_NAMESIZE (sizeof(old_ut.ut_name)) |
68 | # define UT_NAMESIZE (sizeof(old_ut.ut_user)) | ||
69 | # else | ||
70 | # define UT_NAMESIZE (sizeof(old_ut.ut_name)) | ||
71 | # endif | ||
72 | # ifdef HAVE_HOST_IN_UTMP | 78 | # ifdef HAVE_HOST_IN_UTMP |
73 | # define UT_HOSTSIZE (sizeof(old_ut.ut_host)) | 79 | # define UT_HOSTSIZE (sizeof(old_ut.ut_host)) |
74 | # endif | 80 | # endif |
75 | # if defined(HAVE_HOST_IN_UTMPX) && defined(USE_UTMPX) | ||
76 | # define UT_HOSTSIZE (sizeof(old_ut.ut_host)) | ||
77 | # endif | ||
78 | #endif | 81 | #endif |
79 | 82 | ||
80 | tty = ttyslot(); | 83 | tty = ttyslot(); |
81 | if (tty > 0 && (fd = open(_PATH_UTMP, O_RDWR|O_CREAT, 0644)) >= 0) { | 84 | if (tty > 0 && (fd = open(_PATH_UTMP, O_RDWR|O_CREAT, 0644)) >= 0) { |
82 | #if defined(HAVE_HOST_IN_UTMP) || defined(HAVE_HOST_IN_UTMPX) | 85 | #if defined(HAVE_HOST_IN_UTMP) |
83 | (void)lseek(fd, (off_t)(tty * sizeof(struct UTMP_STR)), SEEK_SET); | 86 | (void)lseek(fd, (off_t)(tty * sizeof(struct utmp)), SEEK_SET); |
84 | /* | 87 | /* |
85 | * Prevent luser from zero'ing out ut_host. | 88 | * Prevent luser from zero'ing out ut_host. |
86 | * If the new ut_line is empty but the old one is not | 89 | * If the new ut_line is empty but the old one is not |
87 | * and ut_line and ut_name match, preserve the old ut_line. | 90 | * and ut_line and ut_name match, preserve the old ut_line. |
88 | */ | 91 | */ |
89 | if (read(fd, &old_ut, sizeof(struct UTMP_STR)) == | 92 | if (read(fd, &old_ut, sizeof(struct utmp)) == |
90 | sizeof(struct UTMP_STR) && utp->ut_host[0] == '\0' && | 93 | sizeof(struct utmp) && utp->ut_host[0] == '\0' && |
91 | old_ut.ut_host[0] != '\0' && | 94 | old_ut.ut_host[0] != '\0' && |
92 | strncmp(old_ut.ut_line, utp->ut_line, UT_LINESIZE) == 0 && | 95 | strncmp(old_ut.ut_line, utp->ut_line, UT_LINESIZE) == 0 && |
93 | strncmp(old_ut.ut_name, utp->ut_name, UT_NAMESIZE) == 0) | 96 | strncmp(old_ut.ut_name, utp->ut_name, UT_NAMESIZE) == 0) |
94 | (void)memcpy(utp->ut_host, old_ut.ut_host, UT_HOSTSIZE); | 97 | (void)memcpy(utp->ut_host, old_ut.ut_host, UT_HOSTSIZE); |
95 | #endif /* defined(HAVE_HOST_IN_UTMP) || defined(HAVE_HOST_IN_UTMPX) */ | 98 | #endif /* defined(HAVE_HOST_IN_UTMP) */ |
96 | (void)lseek(fd, (off_t)(tty * sizeof(struct UTMP_STR)), SEEK_SET); | 99 | (void)lseek(fd, (off_t)(tty * sizeof(struct utmp)), SEEK_SET); |
97 | (void)write(fd, utp, sizeof(struct UTMP_STR)); | 100 | (void)write(fd, utp, sizeof(struct utmp)); |
98 | (void)close(fd); | 101 | (void)close(fd); |
99 | } | 102 | } |
100 | if ((fd = open(_PATH_WTMP, O_WRONLY|O_APPEND, 0)) >= 0) { | 103 | if ((fd = open(_PATH_WTMP, O_WRONLY|O_APPEND, 0)) >= 0) { |
101 | (void)write(fd, utp, sizeof(struct UTMP_STR)); | 104 | (void)write(fd, utp, sizeof(struct utmp)); |
102 | (void)close(fd); | 105 | (void)close(fd); |
103 | } | 106 | } |
107 | #if defined(HAVE_UTMPX_H) && defined(USE_UTMPX) | ||
108 | old_utx = pututxline(utx); | ||
109 | # ifdef HAVE_UPDWTMPX | ||
110 | updwtmpx(_PATH_WTMPX, utx); | ||
111 | # endif /* HAVE_UPDWTMPX */ | ||
112 | endutxent(); | ||
113 | #endif /* defined(HAVE_UTMPX_H) && defined(USE_UTMPX) */ | ||
104 | } | 114 | } |
105 | 115 | ||
106 | #endif /* HAVE_LOGIN */ | 116 | #endif /* HAVE_LOGIN */ |
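Review bot: `old_utx` at new line 108 receives the result of pututxline and is never read, and the return is never checked, so a failed utmpx update passes silently; either drop the variable and write `(void)pututxline(utx);` or test for NULL and report it, and call `setutxent();` first so the search starts from the beginning of the file. The HAVE_UPDWTMPX branch at line 110 uses `_PATH_WTMPX`, which nothing in this commit defines (acconfig.h now provides only `_PATH_UTMP`/`_PATH_WTMP`, and the old WTMPX_FILE fallback was removed), so unless the platform's utmpx.h supplies it that branch will not compile. The ut_host-preservation check at lines 88-97 still protects only the struct utmp record; the utmpx record is written as supplied, so an entry with an empty ut_host overwrites whatever was there, and that asymmetry should at least be noted in the comment.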
diff --git a/bsd-login.h b/bsd-login.h index 8891ae342..f26f47084 100644 --- a/bsd-login.h +++ b/bsd-login.h | |||
@@ -1,13 +1,22 @@ | |||
1 | #ifndef _BSD_LOGIN_H | 1 | #ifndef _BSD_LOGIN_H |
2 | #define _BSD_LOGIN_H | 2 | # define _BSD_LOGIN_H |
3 | 3 | ||
4 | #include "config.h" | 4 | # include "config.h" |
5 | #ifndef HAVE_LOGIN | 5 | # ifndef HAVE_LOGIN |
6 | 6 | ||
7 | #include <utmp.h> | 7 | # include <utmp.h> |
8 | 8 | ||
9 | void login(struct UTMP_STR *utp); | 9 | # if defined(HAVE_UTMPX_H) && defined(USE_UTMPX) |
10 | # include <utmpx.h> | ||
10 | 11 | ||
11 | #endif /* !HAVE_LOGIN */ | 12 | void login(struct utmp *utp, struct utmpx *utx); |
13 | |||
14 | # else /* defined(HAVE_UTMPX_H) && defined(USE_UTMPX) */ | ||
15 | |||
16 | void login(struct utmp *utp); | ||
17 | |||
18 | # endif /* defined(HAVE_UTMPX_H) && defined(USE_UTMPX) */ | ||
19 | |||
20 | # endif /* !HAVE_LOGIN */ | ||
12 | 21 | ||
13 | #endif /* _BSD_LOGIN_H */ | 22 | #endif /* _BSD_LOGIN_H */ |
diff --git a/configure.in b/configure.in index b5ffee79e..7bb96270a 100644 --- a/configure.in +++ b/configure.in | |||
@@ -9,10 +9,25 @@ AC_PROG_CPP | |||
9 | AC_PROG_RANLIB | 9 | AC_PROG_RANLIB |
10 | AC_PROG_INSTALL | 10 | AC_PROG_INSTALL |
11 | AC_CHECK_PROG(AR, ar, ar) | 11 | AC_CHECK_PROG(AR, ar, ar) |
12 | |||
13 | dnl Check for the path to xauth | ||
14 | AC_PATH_PROG(xauth_path, xauth) | 12 | AC_PATH_PROG(xauth_path, xauth) |
15 | AC_DEFINE_UNQUOTED(XAUTH_PATH, "$xauth_path") | 13 | |
14 | dnl Use ip address instead of hostname in $DISPLAY | ||
15 | AC_ARG_WITH(rsh, | ||
16 | [ --with-rsh=PATH Specify path to remote shell program ], | ||
17 | [ | ||
18 | AC_DEFINE_UNQUOTED(RSH_PATH, "$withval") | ||
19 | ], | ||
20 | [ | ||
21 | AC_PATH_PROG(rsh_path, rsh) | ||
22 | ] | ||
23 | ) | ||
24 | |||
25 | if test ! -z "$xauth_path" ; then | ||
26 | AC_DEFINE_UNQUOTED(XAUTH_PATH, "$xauth_path") | ||
27 | fi | ||
28 | if test ! -z "$rsh_path" ; then | ||
29 | AC_DEFINE_UNQUOTED(RSH_PATH, "$rsh_path") | ||
30 | fi | ||
16 | 31 | ||
17 | dnl Checks for compiler characteristics | 32 | dnl Checks for compiler characteristics |
18 | if test "$GCC" = "yes"; then CFLAGS="$CFLAGS -Wall"; fi | 33 | if test "$GCC" = "yes"; then CFLAGS="$CFLAGS -Wall"; fi |
@@ -27,6 +42,7 @@ case "$host" in | |||
27 | fi | 42 | fi |
28 | CFLAGS="$CFLAGS -D_HPUX_SOURCE" | 43 | CFLAGS="$CFLAGS -D_HPUX_SOURCE" |
29 | AC_DEFINE(IPADDR_IN_DISPLAY) | 44 | AC_DEFINE(IPADDR_IN_DISPLAY) |
45 | AC_DEFINE(USE_UTMPX) | ||
30 | AC_MSG_CHECKING(for HPUX trusted system password database) | 46 | AC_MSG_CHECKING(for HPUX trusted system password database) |
31 | if test -f /tcb/files/auth/system/default; then | 47 | if test -f /tcb/files/auth/system/default; then |
32 | AC_MSG_RESULT(yes) | 48 | AC_MSG_RESULT(yes) |
@@ -80,15 +96,22 @@ AC_CHECK_LIB(util, login, AC_DEFINE(HAVE_LIBUTIL_LOGIN) LIBS="$LIBS -lutil") | |||
80 | AC_CHECK_LIB(nsl, yp_match, , ) | 96 | AC_CHECK_LIB(nsl, yp_match, , ) |
81 | AC_CHECK_LIB(socket, main, , ) | 97 | AC_CHECK_LIB(socket, main, , ) |
82 | 98 | ||
83 | dnl libdl is needed by PAM on Redhat systems | 99 | dnl Use ip address instead of hostname in $DISPLAY |
84 | AC_CHECK_LIB(dl, dlopen, , ) | 100 | AC_ARG_WITH(pam, |
85 | AC_CHECK_LIB(pam, pam_authenticate, , ) | 101 | [ --without-pam Disable PAM support ], |
102 | [ | ||
103 | if test "x$withval" != "xno" ; then | ||
104 | AC_CHECK_LIB(dl, dlopen, , ) | ||
105 | AC_CHECK_LIB(pam, pam_authenticate, , ) | ||
106 | fi | ||
107 | ] | ||
108 | ) | ||
86 | 109 | ||
87 | dnl Checks for header files. | 110 | dnl Checks for header files. |
88 | AC_CHECK_HEADERS(endian.h lastlog.h login.h maillock.h netgroup.h paths.h poll.h pty.h shadow_h util.h utmp.h utmpx.h sys/bsdtty.h sys/poll.h sys/select.h sys/stropts.h sys/time.h) | 111 | AC_CHECK_HEADERS(endian.h lastlog.h login.h maillock.h netgroup.h paths.h poll.h pty.h shadow.h util.h utmp.h utmpx.h sys/bsdtty.h sys/poll.h sys/select.h sys/stropts.h sys/time.h sys/ttcompat.h) |
89 | 112 | ||
90 | dnl Checks for library functions. | 113 | dnl Checks for library functions. |
91 | AC_CHECK_FUNCS(arc4random mkdtemp openpty _getpty setenv seteuid setlogin setproctitle setreuid snprintf strlcat strlcpy vsnprintf) | 114 | AC_CHECK_FUNCS(arc4random updwtmpx mkdtemp openpty _getpty innetgr setenv seteuid setlogin setproctitle setreuid snprintf strlcat strlcpy vsnprintf) |
92 | 115 | ||
93 | AC_CHECK_FUNC(login, | 116 | AC_CHECK_FUNC(login, |
94 | [AC_DEFINE(HAVE_LOGIN)], | 117 | [AC_DEFINE(HAVE_LOGIN)], |
@@ -220,19 +243,21 @@ if test -z "$RANDOM_POOL" -a -z "$EGD_POOL"; then | |||
220 | AC_MSG_ERROR([No random device found, and no EGD random pool specified]) | 243 | AC_MSG_ERROR([No random device found, and no EGD random pool specified]) |
221 | fi | 244 | fi |
222 | 245 | ||
223 | dnl Check for ut_host field in utmp | ||
224 | AC_MSG_CHECKING([whether utmp.h has ut_host field]) | 246 | AC_MSG_CHECKING([whether utmp.h has ut_host field]) |
225 | AC_EGREP_HEADER(ut_host, utmp.h, | 247 | AC_EGREP_HEADER(ut_host, utmp.h, |
226 | [AC_DEFINE(HAVE_HOST_IN_UTMP) AC_MSG_RESULT(yes); ], | 248 | [AC_DEFINE(HAVE_HOST_IN_UTMP) AC_MSG_RESULT(yes); ], |
227 | [AC_MSG_RESULT(no)] | 249 | [AC_MSG_RESULT(no)] |
228 | ) | 250 | ) |
229 | |||
230 | dnl Check for ut_host field in utmpx | ||
231 | AC_MSG_CHECKING([whether utmpx.h has ut_host field]) | 251 | AC_MSG_CHECKING([whether utmpx.h has ut_host field]) |
232 | AC_EGREP_HEADER(ut_host, utmpx.h, | 252 | AC_EGREP_HEADER(ut_host, utmpx.h, |
233 | [AC_DEFINE(HAVE_HOST_IN_UTMPX) AC_MSG_RESULT(yes); ], | 253 | [AC_DEFINE(HAVE_HOST_IN_UTMPX) AC_MSG_RESULT(yes); ], |
234 | [AC_MSG_RESULT(no)] | 254 | [AC_MSG_RESULT(no)] |
235 | ) | 255 | ) |
256 | AC_MSG_CHECKING([whether utmpx.h has syslen field]) | ||
257 | AC_EGREP_HEADER(syslen, utmpx.h, | ||
258 | [AC_DEFINE(HAVE_SYSLEN_IN_UTMPX) AC_MSG_RESULT(yes); ], | ||
259 | [AC_MSG_RESULT(no)] | ||
260 | ) | ||
236 | 261 | ||
237 | dnl Look for lastlog location | 262 | dnl Look for lastlog location |
238 | AC_ARG_WITH(lastlog, | 263 | AC_ARG_WITH(lastlog, |
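Review bot: The `AC_ARG_WITH(pam, ...)` at new lines 100-108 supplies only an action-if-given, so the libdl/libpam checks run solely when `--with-pam` or `--without-pam` is passed explicitly; a plain `./configure` never looks for PAM, which contradicts the help text presenting PAM as on by default and leaves HAVE_LIBPAM (and with it the new do_pam_auth path and the shipped sshd.pam files) unused unless that is intended. Record the choice with an action-if-not-given and test it afterwards, as below. The two `dnl Use ip address instead of hostname in $DISPLAY` comments at lines 14 and 99 were copied from the IPADDR_IN_DISPLAY block and describe neither rsh nor PAM; replace them with `dnl Optional path to rsh` and `dnl PAM support (enabled unless --without-pam)`. The rsh option also defines RSH_PATH as the literal "no" on --without-rsh; guard it with `if test "x$withval" != "xno"`.
```m4
dnl PAM support (enabled unless --without-pam is given)
AC_ARG_WITH(pam,
	[  --without-pam           Disable PAM support ],
	[ with_pam="$withval" ],
	[ with_pam="yes" ]
)
if test "x$with_pam" != "xno" ; then
	dnl libdl is needed by PAM on Redhat systems
	AC_CHECK_LIB(dl, dlopen, , )
	AC_CHECK_LIB(pam, pam_authenticate, , )
fi
```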
diff --git a/includes.h b/includes.h index 308e674c0..0538bfbc3 100644 --- a/includes.h +++ b/includes.h | |||
@@ -81,6 +81,7 @@ static /**/const char *const rcsid[] = { (char *)rcsid, "\100(#)" msg } | |||
81 | #include "bsd-mktemp.h" | 81 | #include "bsd-mktemp.h" |
82 | #include "bsd-snprintf.h" | 82 | #include "bsd-snprintf.h" |
83 | #include "bsd-daemon.h" | 83 | #include "bsd-daemon.h" |
84 | #include "bsd-login.h" | ||
84 | 85 | ||
85 | /* Define this to be the path of the xauth program. */ | 86 | /* Define this to be the path of the xauth program. */ |
86 | #ifndef XAUTH_PATH | 87 | #ifndef XAUTH_PATH |
@@ -18,7 +18,7 @@ | |||
18 | */ | 18 | */ |
19 | 19 | ||
20 | #include "includes.h" | 20 | #include "includes.h" |
21 | RCSID("$Id: login.c,v 1.10 1999/12/22 05:09:48 damien Exp $"); | 21 | RCSID("$Id: login.c,v 1.11 1999/12/24 23:11:29 damien Exp $"); |
22 | 22 | ||
23 | #if defined(HAVE_UTMPX_H) && defined(USE_UTMPX) | 23 | #if defined(HAVE_UTMPX_H) && defined(USE_UTMPX) |
24 | # include <utmpx.h> | 24 | # include <utmpx.h> |
@@ -133,28 +133,44 @@ record_login(int pid, const char *ttyname, const char *user, uid_t uid, | |||
133 | struct lastlog ll; | 133 | struct lastlog ll; |
134 | char *lastlog; | 134 | char *lastlog; |
135 | #endif /* defined(_PATH_LASTLOG) && !defined(DISABLE_LASTLOG) */ | 135 | #endif /* defined(_PATH_LASTLOG) && !defined(DISABLE_LASTLOG) */ |
136 | struct UTMP_STR u; | 136 | struct utmp u; |
137 | const char *utmp, *wtmp; | 137 | #if defined(HAVE_UTMPX_H) && defined(USE_UTMPX) |
138 | struct utmpx utx; | ||
139 | #endif | ||
138 | 140 | ||
139 | /* Construct an utmp/wtmp entry. */ | 141 | /* Construct an utmp/wtmp entry. */ |
140 | memset(&u, 0, sizeof(u)); | 142 | memset(&u, 0, sizeof(u)); |
141 | strncpy(u.ut_line, ttyname + 5, sizeof(u.ut_line)); | 143 | strncpy(u.ut_line, ttyname + 5, sizeof(u.ut_line)); |
142 | #if defined(HAVE_UTMPX_H) && defined(USE_UTMPX) | 144 | u.ut_pid = (pid_t)pid; |
143 | u.ut_tv.tv_sec = time(NULL); | ||
144 | strncpy(u.ut_user, user, sizeof(u.ut_name)); | ||
145 | #else | ||
146 | u.ut_time = time(NULL); | 145 | u.ut_time = time(NULL); |
147 | strncpy(u.ut_name, user, sizeof(u.ut_name)); | 146 | strncpy(u.ut_name, user, sizeof(u.ut_name)); |
148 | #endif | 147 | u.ut_type = (uid == -1)?DEAD_PROCESS:USER_PROCESS; |
149 | #if defined(HAVE_HOST_IN_UTMP) || defined(HAVE_HOST_IN_UTMPX) | 148 | #if defined(HAVE_HOST_IN_UTMP) |
150 | strncpy(u.ut_host, host, sizeof(u.ut_host)); | 149 | strncpy(u.ut_host, host, sizeof(u.ut_host)); |
151 | #endif | 150 | #endif |
152 | 151 | ||
153 | /* Figure out the file names. */ | 152 | #if defined(HAVE_UTMPX_H) && defined(USE_UTMPX) |
154 | utmp = _PATH_UTMP; | 153 | memset(&utx, 0, sizeof(utx)); |
155 | wtmp = _PATH_WTMP; | 154 | strncpy(utx.ut_user, user, sizeof(utx.ut_name)); |
155 | strncpy(utx.ut_line, ttyname + 5, sizeof(utx.ut_line)); | ||
156 | utx.ut_pid = (pid_t)pid; | ||
157 | utx.ut_tv.tv_sec = time(NULL); | ||
158 | u.ut_type = (uid == -1)?DEAD_PROCESS:USER_PROCESS; | ||
159 | #ifdef HAVE_HOST_IN_UTMPX | ||
160 | #ifdef HAVE_SYSLEN_IN_UTMPX | ||
161 | utx.ut_syslen = strlen(host); | ||
162 | strncpy(utx.ut_host, host, utx.ut_syslen ); | ||
163 | #else | ||
164 | strncpy(utx.ut_host, host, sizeof(utx.ut_host)); | ||
165 | #endif /* HAVE_SYSLEN_IN_UTMPX */ | ||
166 | #endif | ||
167 | #endif /* defined(HAVE_UTMPX_H) && defined(USE_UTMPX) */ | ||
156 | 168 | ||
169 | #if defined(HAVE_UTMPX_H) && defined(USE_UTMPX) && !defined(HAVE_LOGIN) | ||
170 | login(&u, &utx); | ||
171 | #else /* defined(HAVE_UTMPX_H) && defined(USE_UTMPX) */ | ||
157 | login(&u); | 172 | login(&u); |
173 | #endif /* defined(HAVE_UTMPX_H) && defined(USE_UTMPX) */ | ||
158 | 174 | ||
159 | #if defined(_PATH_LASTLOG) && !defined(DISABLE_LASTLOG) | 175 | #if defined(_PATH_LASTLOG) && !defined(DISABLE_LASTLOG) |
160 | lastlog = _PATH_LASTLOG; | 176 | lastlog = _PATH_LASTLOG; |
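Review bot: Line 158 in the new utmpx block assigns `u.ut_type` a second time instead of `utx.ut_type`, so the record handed to pututxline keeps the zero type left by the memset and the DEAD_PROCESS/USER_PROCESS distinction is lost on every utmpx platform. Lines 161-162 are worse: `strncpy(utx.ut_host, host, utx.ut_syslen)` uses `strlen(host)` as the copy length, so a remote host string longer than `sizeof(utx.ut_host)` overruns the fixed-size field in a root process; if `host` can originate from reverse DNS (its source is outside this hunk) that length is attacker-influenced, so bound the copy by the field size and derive ut_syslen from the bounded length (confirm whether the platform counts the terminating NUL in ut_syslen). Line 154 also sizes the copy into `ut_user` with `sizeof(utx.ut_name)`, which only works where ut_name is an alias for ut_user. record_login begins and ends outside this hunk.
```c
#if defined(HAVE_UTMPX_H) && defined(USE_UTMPX)
	memset(&utx, 0, sizeof(utx));
	strncpy(utx.ut_user, user, sizeof(utx.ut_user));
	strncpy(utx.ut_line, ttyname + 5, sizeof(utx.ut_line));
	utx.ut_pid = (pid_t)pid;
	utx.ut_tv.tv_sec = time(NULL);
	utx.ut_type = (uid == -1)?DEAD_PROCESS:USER_PROCESS;
#ifdef HAVE_HOST_IN_UTMPX
	/* ut_host is fixed-size: never use strlen(host) as the copy length */
	strncpy(utx.ut_host, host, sizeof(utx.ut_host));
#ifdef HAVE_SYSLEN_IN_UTMPX
	utx.ut_syslen = MIN(strlen(host), sizeof(utx.ut_host));
#endif /* HAVE_SYSLEN_IN_UTMPX */
#endif /* HAVE_HOST_IN_UTMPX */
#endif /* defined(HAVE_UTMPX_H) && defined(USE_UTMPX) */
```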
diff --git a/packages/redhat/openssh.spec b/packages/redhat/openssh.spec index d036f5c37..a3e51bb81 100644 --- a/packages/redhat/openssh.spec +++ b/packages/redhat/openssh.spec | |||
@@ -1,6 +1,6 @@ | |||
1 | Summary: OpenSSH free Secure Shell (SSH) implementation | 1 | Summary: OpenSSH free Secure Shell (SSH) implementation |
2 | Name: openssh | 2 | Name: openssh |
3 | Version: 1.2.1pre19 | 3 | Version: 1.2.1pre20 |
4 | Release: 1 | 4 | Release: 1 |
5 | Packager: Damien Miller <djm@ibs.com.au> | 5 | Packager: Damien Miller <djm@ibs.com.au> |
6 | Source0: openssh-%{version}.tar.gz | 6 | Source0: openssh-%{version}.tar.gz |
diff --git a/packages/redhat/sshd.pam b/packages/redhat/sshd.pam index f466f9ba3..f01055022 100644 --- a/packages/redhat/sshd.pam +++ b/packages/redhat/sshd.pam | |||
@@ -1,5 +1,5 @@ | |||
1 | #%PAM-1.0 | 1 | #%PAM-1.0 |
2 | auth required /lib/security/pam_pwdb.so shadow | 2 | auth required /lib/security/pam_pwdb.so shadow nowait |
3 | auth required /lib/security/pam_nologin.so | 3 | auth required /lib/security/pam_nologin.so |
4 | account required /lib/security/pam_pwdb.so | 4 | account required /lib/security/pam_pwdb.so |
5 | password required /lib/security/pam_cracklib.so | 5 | password required /lib/security/pam_cracklib.so |
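Review bot: `nowait` on line 2 switches off pam_pwdb's delay after a failed password, which is the module's throttle against online guessing, and nothing in the file records why that is wanted. Add a comment above it stating the reason, for example `# nowait: no sleep after a bad password; failed attempts are handled by sshd itself` — but only if that is really the intent; if it was added because sshd now probes PAM with an empty password on every login (do_authentication in sshd.c), say that instead. Without the rationale the next packager will reasonably remove the option.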
diff --git a/packages/suse/openssh.spec b/packages/suse/openssh.spec index 4632763c6..c649ef235 100644 --- a/packages/suse/openssh.spec +++ b/packages/suse/openssh.spec | |||
@@ -1,6 +1,6 @@ | |||
1 | Summary: OpenSSH, a free Secure Shell (SSH) implementation | 1 | Summary: OpenSSH, a free Secure Shell (SSH) implementation |
2 | Name: openssh | 2 | Name: openssh |
3 | Version: 1.2.1pre19 | 3 | Version: 1.2.1pre20 |
4 | Release: 1 | 4 | Release: 1 |
5 | Source0: openssh-%{version}.tar.gz | 5 | Source0: openssh-%{version}.tar.gz |
6 | Copyright: BSD | 6 | Copyright: BSD |
@@ -11,7 +11,7 @@ | |||
11 | */ | 11 | */ |
12 | 12 | ||
13 | #include "includes.h" | 13 | #include "includes.h" |
14 | RCSID("$Id: sshd.c,v 1.39 1999/12/14 04:43:03 damien Exp $"); | 14 | RCSID("$Id: sshd.c,v 1.40 1999/12/24 23:11:29 damien Exp $"); |
15 | 15 | ||
16 | #ifdef HAVE_POLL_H | 16 | #ifdef HAVE_POLL_H |
17 | # include <poll.h> | 17 | # include <poll.h> |
@@ -146,6 +146,7 @@ void do_child(const char *command, struct passwd * pw, const char *term, | |||
146 | #ifdef HAVE_LIBPAM | 146 | #ifdef HAVE_LIBPAM |
147 | static int pamconv(int num_msg, const struct pam_message **msg, | 147 | static int pamconv(int num_msg, const struct pam_message **msg, |
148 | struct pam_response **resp, void *appdata_ptr); | 148 | struct pam_response **resp, void *appdata_ptr); |
149 | int do_pam_auth(const char *user, const char *password); | ||
149 | void do_pam_account(char *username, char *remote_user); | 150 | void do_pam_account(char *username, char *remote_user); |
150 | void do_pam_session(char *username, char *ttyname); | 151 | void do_pam_session(char *username, char *ttyname); |
151 | void pam_cleanup_proc(void *context); | 152 | void pam_cleanup_proc(void *context); |
@@ -237,6 +238,23 @@ void pam_cleanup_proc(void *context) | |||
237 | } | 238 | } |
238 | } | 239 | } |
239 | 240 | ||
241 | int do_pam_auth(const char *user, const char *password) | ||
242 | { | ||
243 | int pam_retval; | ||
244 | |||
245 | pampasswd = password; | ||
246 | |||
247 | pam_retval = pam_authenticate((pam_handle_t *)pamh, 0); | ||
248 | if (pam_retval == PAM_SUCCESS) { | ||
249 | log("PAM Password authentication accepted for user \"%.100s\"", user); | ||
250 | return 1; | ||
251 | } else { | ||
252 | log("PAM Password authentication for \"%.100s\" failed: %s", | ||
253 | user, PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); | ||
254 | return 0; | ||
255 | } | ||
256 | } | ||
257 | |||
240 | void do_pam_account(char *username, char *remote_user) | 258 | void do_pam_account(char *username, char *remote_user) |
241 | { | 259 | { |
242 | int pam_retval; | 260 | int pam_retval; |
@@ -1292,7 +1310,11 @@ do_authentication(char *user) | |||
1292 | #ifdef KRB4 | 1310 | #ifdef KRB4 |
1293 | (!options.kerberos_authentication || options.kerberos_or_local_passwd) && | 1311 | (!options.kerberos_authentication || options.kerberos_or_local_passwd) && |
1294 | #endif /* KRB4 */ | 1312 | #endif /* KRB4 */ |
1313 | #ifdef HAVE_LIBPAM | ||
1314 | do_pam_auth(pw->pw_name, "")) { | ||
1315 | #else /* HAVE_LIBPAM */ | ||
1295 | auth_password(pw, "")) { | 1316 | auth_password(pw, "")) { |
1317 | #endif /* HAVE_LIBPAM */ | ||
1296 | /* Authentication with empty password succeeded. */ | 1318 | /* Authentication with empty password succeeded. */ |
1297 | log("Login for user %s from %.100s, accepted without authentication.", | 1319 | log("Login for user %s from %.100s, accepted without authentication.", |
1298 | pw->pw_name, get_remote_ipaddr()); | 1320 | pw->pw_name, get_remote_ipaddr()); |
@@ -1503,29 +1525,14 @@ do_authloop(struct passwd * pw) | |||
1503 | 1525 | ||
1504 | #ifdef HAVE_LIBPAM | 1526 | #ifdef HAVE_LIBPAM |
1505 | /* Do PAM auth with password */ | 1527 | /* Do PAM auth with password */ |
1506 | pampasswd = password; | 1528 | authenticated = do_pam_auth(pw->pw_name, password); |
1507 | pam_retval = pam_authenticate((pam_handle_t *)pamh, 0); | ||
1508 | if (pam_retval == PAM_SUCCESS) { | ||
1509 | log("PAM Password authentication accepted for user \"%.100s\"", pw->pw_name); | ||
1510 | memset(password, 0, strlen(password)); | ||
1511 | xfree(password); | ||
1512 | authenticated = 1; | ||
1513 | break; | ||
1514 | } | ||
1515 | |||
1516 | log("PAM Password authentication for \"%.100s\" failed: %s", | ||
1517 | pw->pw_name, PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); | ||
1518 | memset(password, 0, strlen(password)); | ||
1519 | xfree(password); | ||
1520 | break; | ||
1521 | #else /* HAVE_LIBPAM */ | 1529 | #else /* HAVE_LIBPAM */ |
1522 | /* Try authentication with the password. */ | 1530 | /* Try authentication with the password. */ |
1523 | authenticated = auth_password(pw, password); | 1531 | authenticated = auth_password(pw, password); |
1524 | 1532 | #endif /* HAVE_LIBPAM */ | |
1525 | memset(password, 0, strlen(password)); | 1533 | memset(password, 0, strlen(password)); |
1526 | xfree(password); | 1534 | xfree(password); |
1527 | break; | 1535 | break; |
1528 | #endif /* HAVE_LIBPAM */ | ||
1529 | 1536 | ||
1530 | #ifdef SKEY | 1537 | #ifdef SKEY |
1531 | case SSH_CMSG_AUTH_TIS: | 1538 | case SSH_CMSG_AUTH_TIS: |
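Review bot: do_pam_auth leaves the file-scope `pampasswd` pointing at the caller's buffer after pam_authenticate returns (line 245), and do_authloop then zeroes and xfree()s that buffer at lines 1533-1534, so any later PAM conversation that asks for a password — presumably routed through pamconv by pam_acct_mgmt or pam_open_session, or a retried pam_authenticate — reads freed memory. Reset it before returning: `pam_retval = pam_authenticate((pam_handle_t *)pamh, 0);` followed by `pampasswd = NULL;`. Separately, the new `do_pam_auth(pw->pw_name, "")` probe at line 1314 runs for every login, so the "PAM Password authentication ... failed" message at line 252 will now appear once per session even when no password was offered, and will also count as a failure for any PAM module that tallies them; the empty-password check should use a quieter path or pass a flag that suppresses the log. do_authentication and do_authloop both begin and end outside these hunks.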
diff --git a/sshd.pam.generic b/sshd.pam.generic index 4ec2a2a00..8c4f32daf 100644 --- a/sshd.pam.generic +++ b/sshd.pam.generic | |||
@@ -1,5 +1,5 @@ | |||
1 | #%PAM-1.0 | 1 | #%PAM-1.0 |
2 | auth required /lib/security/pam_unix.so shadow | 2 | auth required /lib/security/pam_unix.so shadow nowait |
3 | auth required /lib/security/pam_nologin.so | 3 | auth required /lib/security/pam_nologin.so |
4 | account required /lib/security/pam_unix.so | 4 | account required /lib/security/pam_unix.so |
5 | password required /lib/security/pam_cracklib.so | 5 | password required /lib/security/pam_cracklib.so |
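Review bot: `nowait` on line 2 removes pam_unix's post-failure delay without any comment explaining why, so the file no longer documents its own brute-force posture; add `# nowait: no sleep after a failed password (see sshd PAM changes, 1.2.1pre20)` above it, adjusted to the real reason. Also verify that the pam_unix shipped on the target systems recognises `nowait`; if it does not, the option will most likely be ignored with at most a syslog warning, leaving this file behaving differently from the RedHat one without anyone noticing.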