diff options
-rw-r--r-- | auth-pam.c | 68 | ||||
-rw-r--r-- | auth-pam.h | 2 | ||||
-rw-r--r-- | auth2.c | 2 | ||||
-rw-r--r-- | monitor.c | 2 | ||||
-rw-r--r-- | monitor_wrap.c | 2 | ||||
-rw-r--r-- | monitor_wrap.h | 2 |
6 files changed, 47 insertions, 31 deletions
diff --git a/auth-pam.c b/auth-pam.c index d67324e1f..bde0a8f56 100644 --- a/auth-pam.c +++ b/auth-pam.c | |||
@@ -248,6 +248,9 @@ static int sshpam_maxtries_reached = 0; | |||
248 | static char **sshpam_env = NULL; | 248 | static char **sshpam_env = NULL; |
249 | static Authctxt *sshpam_authctxt = NULL; | 249 | static Authctxt *sshpam_authctxt = NULL; |
250 | static const char *sshpam_password = NULL; | 250 | static const char *sshpam_password = NULL; |
251 | static char *sshpam_rhost = NULL; | ||
252 | static char *sshpam_laddr = NULL; | ||
253 | static char *sshpam_conninfo = NULL; | ||
251 | 254 | ||
252 | /* Some PAM implementations don't implement this */ | 255 | /* Some PAM implementations don't implement this */ |
253 | #ifndef HAVE_PAM_GETENVLIST | 256 | #ifndef HAVE_PAM_GETENVLIST |
@@ -669,14 +672,17 @@ sshpam_cleanup(void) | |||
669 | } | 672 | } |
670 | 673 | ||
671 | static int | 674 | static int |
672 | sshpam_init(Authctxt *authctxt) | 675 | sshpam_init(struct ssh *ssh, Authctxt *authctxt) |
673 | { | 676 | { |
674 | const char *pam_rhost, *pam_user, *user = authctxt->user; | 677 | const char *pam_user, *user = authctxt->user; |
675 | const char **ptr_pam_user = &pam_user; | 678 | const char **ptr_pam_user = &pam_user; |
676 | char *laddr, *conninfo; | ||
677 | struct ssh *ssh = active_state; /* XXX */ | ||
678 | 679 | ||
679 | if (sshpam_handle != NULL) { | 680 | if (sshpam_handle == NULL) { |
681 | if (ssh == NULL) { | ||
682 | fatal("%s: called initially with no " | ||
683 | "packet context", __func__); | ||
684 | } | ||
685 | } if (sshpam_handle != NULL) { | ||
680 | /* We already have a PAM context; check if the user matches */ | 686 | /* We already have a PAM context; check if the user matches */ |
681 | sshpam_err = pam_get_item(sshpam_handle, | 687 | sshpam_err = pam_get_item(sshpam_handle, |
682 | PAM_USER, (sshpam_const void **)ptr_pam_user); | 688 | PAM_USER, (sshpam_const void **)ptr_pam_user); |
@@ -695,22 +701,32 @@ sshpam_init(Authctxt *authctxt) | |||
695 | sshpam_handle = NULL; | 701 | sshpam_handle = NULL; |
696 | return (-1); | 702 | return (-1); |
697 | } | 703 | } |
698 | pam_rhost = auth_get_canonical_hostname(ssh, options.use_dns); | ||
699 | debug("PAM: setting PAM_RHOST to \"%s\"", pam_rhost); | ||
700 | sshpam_err = pam_set_item(sshpam_handle, PAM_RHOST, pam_rhost); | ||
701 | if (sshpam_err != PAM_SUCCESS) { | ||
702 | pam_end(sshpam_handle, sshpam_err); | ||
703 | sshpam_handle = NULL; | ||
704 | return (-1); | ||
705 | } | ||
706 | 704 | ||
707 | laddr = get_local_ipaddr(packet_get_connection_in()); | 705 | if (ssh != NULL && sshpam_rhost == NULL) { |
708 | xasprintf(&conninfo, "SSH_CONNECTION=%.50s %d %.50s %d", | 706 | /* |
709 | ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), | 707 | * We need to cache these as we don't have packet context |
710 | laddr, ssh_local_port(ssh)); | 708 | * during the kbdint flow. |
711 | pam_putenv(sshpam_handle, conninfo); | 709 | */ |
712 | free(laddr); | 710 | sshpam_rhost = xstrdup(auth_get_canonical_hostname(ssh, |
713 | free(conninfo); | 711 | options.use_dns)); |
712 | sshpam_laddr = get_local_ipaddr( | ||
713 | ssh_packet_get_connection_in(ssh)); | ||
714 | xasprintf(&sshpam_conninfo, "SSH_CONNECTION=%.50s %d %.50s %d", | ||
715 | ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), | ||
716 | sshpam_laddr, ssh_local_port(ssh)); | ||
717 | } | ||
718 | if (sshpam_rhost != NULL) { | ||
719 | debug("PAM: setting PAM_RHOST to \"%s\"", sshpam_rhost); | ||
720 | sshpam_err = pam_set_item(sshpam_handle, PAM_RHOST, | ||
721 | sshpam_rhost); | ||
722 | if (sshpam_err != PAM_SUCCESS) { | ||
723 | pam_end(sshpam_handle, sshpam_err); | ||
724 | sshpam_handle = NULL; | ||
725 | return (-1); | ||
726 | } | ||
727 | /* Put SSH_CONNECTION in the PAM environment too */ | ||
728 | pam_putenv(sshpam_handle, sshpam_conninfo); | ||
729 | } | ||
714 | 730 | ||
715 | #ifdef PAM_TTY_KLUDGE | 731 | #ifdef PAM_TTY_KLUDGE |
716 | /* | 732 | /* |
@@ -765,7 +781,7 @@ sshpam_init_ctx(Authctxt *authctxt) | |||
765 | return NULL; | 781 | return NULL; |
766 | 782 | ||
767 | /* Initialize PAM */ | 783 | /* Initialize PAM */ |
768 | if (sshpam_init(authctxt) == -1) { | 784 | if (sshpam_init(NULL, authctxt) == -1) { |
769 | error("PAM: initialization failed"); | 785 | error("PAM: initialization failed"); |
770 | return (NULL); | 786 | return (NULL); |
771 | } | 787 | } |
@@ -797,7 +813,6 @@ static int | |||
797 | sshpam_query(void *ctx, char **name, char **info, | 813 | sshpam_query(void *ctx, char **name, char **info, |
798 | u_int *num, char ***prompts, u_int **echo_on) | 814 | u_int *num, char ***prompts, u_int **echo_on) |
799 | { | 815 | { |
800 | struct ssh *ssh = active_state; /* XXX */ | ||
801 | struct sshbuf *buffer; | 816 | struct sshbuf *buffer; |
802 | struct pam_ctxt *ctxt = ctx; | 817 | struct pam_ctxt *ctxt = ctx; |
803 | size_t plen; | 818 | size_t plen; |
@@ -887,8 +902,7 @@ sshpam_query(void *ctx, char **name, char **info, | |||
887 | } | 902 | } |
888 | error("PAM: %s for %s%.100s from %.100s", msg, | 903 | error("PAM: %s for %s%.100s from %.100s", msg, |
889 | sshpam_authctxt->valid ? "" : "illegal user ", | 904 | sshpam_authctxt->valid ? "" : "illegal user ", |
890 | sshpam_authctxt->user, | 905 | sshpam_authctxt->user, sshpam_rhost); |
891 | auth_get_canonical_hostname(ssh, options.use_dns)); | ||
892 | /* FALLTHROUGH */ | 906 | /* FALLTHROUGH */ |
893 | default: | 907 | default: |
894 | *num = 0; | 908 | *num = 0; |
@@ -1005,12 +1019,14 @@ KbdintDevice mm_sshpam_device = { | |||
1005 | * This replaces auth-pam.c | 1019 | * This replaces auth-pam.c |
1006 | */ | 1020 | */ |
1007 | void | 1021 | void |
1008 | start_pam(Authctxt *authctxt) | 1022 | start_pam(struct ssh *ssh) |
1009 | { | 1023 | { |
1024 | Authctxt *authctxt = (Authctxt *)ssh->authctxt; | ||
1025 | |||
1010 | if (!options.use_pam) | 1026 | if (!options.use_pam) |
1011 | fatal("PAM: initialisation requested when UsePAM=no"); | 1027 | fatal("PAM: initialisation requested when UsePAM=no"); |
1012 | 1028 | ||
1013 | if (sshpam_init(authctxt) == -1) | 1029 | if (sshpam_init(ssh, authctxt) == -1) |
1014 | fatal("PAM: initialisation failed"); | 1030 | fatal("PAM: initialisation failed"); |
1015 | } | 1031 | } |
1016 | 1032 | ||
diff --git a/auth-pam.h b/auth-pam.h index 419860745..9fcea270f 100644 --- a/auth-pam.h +++ b/auth-pam.h | |||
@@ -27,7 +27,7 @@ | |||
27 | 27 | ||
28 | struct ssh; | 28 | struct ssh; |
29 | 29 | ||
30 | void start_pam(Authctxt *); | 30 | void start_pam(struct ssh *); |
31 | void finish_pam(void); | 31 | void finish_pam(void); |
32 | u_int do_pam_account(void); | 32 | u_int do_pam_account(void); |
33 | void do_pam_session(struct ssh *); | 33 | void do_pam_session(struct ssh *); |
@@ -299,7 +299,7 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh) | |||
299 | } | 299 | } |
300 | #ifdef USE_PAM | 300 | #ifdef USE_PAM |
301 | if (options.use_pam) | 301 | if (options.use_pam) |
302 | PRIVSEP(start_pam(authctxt)); | 302 | PRIVSEP(start_pam(ssh)); |
303 | #endif | 303 | #endif |
304 | ssh_packet_set_log_preamble(ssh, "%suser %s", | 304 | ssh_packet_set_log_preamble(ssh, "%suser %s", |
305 | authctxt->valid ? "authenticating " : "invalid ", user); | 305 | authctxt->valid ? "authenticating " : "invalid ", user); |
@@ -991,7 +991,7 @@ mm_answer_pam_start(struct ssh *ssh, int sock, struct sshbuf *m) | |||
991 | if (!options.use_pam) | 991 | if (!options.use_pam) |
992 | fatal("UsePAM not set, but ended up in %s anyway", __func__); | 992 | fatal("UsePAM not set, but ended up in %s anyway", __func__); |
993 | 993 | ||
994 | start_pam(authctxt); | 994 | start_pam(ssh); |
995 | 995 | ||
996 | monitor_permit(mon_dispatch, MONITOR_REQ_PAM_ACCOUNT, 1); | 996 | monitor_permit(mon_dispatch, MONITOR_REQ_PAM_ACCOUNT, 1); |
997 | if (options.kbd_interactive_authentication) | 997 | if (options.kbd_interactive_authentication) |
diff --git a/monitor_wrap.c b/monitor_wrap.c index 5a0964b69..f52b9c88c 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c | |||
@@ -626,7 +626,7 @@ mm_session_pty_cleanup2(Session *s) | |||
626 | 626 | ||
627 | #ifdef USE_PAM | 627 | #ifdef USE_PAM |
628 | void | 628 | void |
629 | mm_start_pam(Authctxt *authctxt) | 629 | mm_start_pam(struct ssh *ssh) |
630 | { | 630 | { |
631 | struct sshbuf *m; | 631 | struct sshbuf *m; |
632 | 632 | ||
diff --git a/monitor_wrap.h b/monitor_wrap.h index 2b7052202..c7e0c91dd 100644 --- a/monitor_wrap.h +++ b/monitor_wrap.h | |||
@@ -66,7 +66,7 @@ OM_uint32 mm_ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t); | |||
66 | #endif | 66 | #endif |
67 | 67 | ||
68 | #ifdef USE_PAM | 68 | #ifdef USE_PAM |
69 | void mm_start_pam(struct Authctxt *); | 69 | void mm_start_pam(struct ssh *ssh); |
70 | u_int mm_do_pam_account(void); | 70 | u_int mm_do_pam_account(void); |
71 | void *mm_sshpam_init_ctx(struct Authctxt *); | 71 | void *mm_sshpam_init_ctx(struct Authctxt *); |
72 | int mm_sshpam_query(void *, char **, char **, u_int *, char ***, u_int **); | 72 | int mm_sshpam_query(void *, char **, char **, u_int *, char ***, u_int **); |