1 files changed, 43 insertions, 17 deletions
diff --git a/auth-pam.c b/auth-pam.c
index 1dec53e92..bde0a8f56 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -248,6 +248,9 @@ static int sshpam_maxtries_reached = 0;
 static char **sshpam_env = NULL;
 static Authctxt *sshpam_authctxt = NULL;
 static const char *sshpam_password = NULL;
+static char *sshpam_rhost = NULL;
+static char *sshpam_laddr = NULL;
+static char *sshpam_conninfo = NULL;
 /* Some PAM implementations don't implement this */
 #ifndef HAVE_PAM_GETENVLIST
@@ -669,13 +672,17 @@ sshpam_cleanup(void)
 }
 static int
-sshpam_init(Authctxt *authctxt)
+sshpam_init(struct ssh *ssh, Authctxt *authctxt)
 {
-        const char *pam_rhost, *pam_user, *user = authctxt->user;
+        const char *pam_user, *user = authctxt->user;
        const char **ptr_pam_user = &pam_user;
-        struct ssh *ssh = active_state; /* XXX */
-        if (sshpam_handle != NULL) {
+        if (sshpam_handle == NULL) {
+                if (ssh == NULL) {
+                        fatal("%s: called initially with no "
+                            "packet context", __func__);
+                }
+        } if (sshpam_handle != NULL) {
                /* We already have a PAM context; check if the user matches */
                sshpam_err = pam_get_item(sshpam_handle,
                    PAM_USER, (sshpam_const void **)ptr_pam_user);
@@ -694,14 +701,33 @@ sshpam_init(Authctxt *authctxt)
                sshpam_handle = NULL;
                return (-1);
        }
-        pam_rhost = auth_get_canonical_hostname(ssh, options.use_dns);
-        debug("PAM: setting PAM_RHOST to \"%s\"", pam_rhost);
+        if (ssh != NULL && sshpam_rhost == NULL) {
-        sshpam_err = pam_set_item(sshpam_handle, PAM_RHOST, pam_rhost);
+                /*
-        if (sshpam_err != PAM_SUCCESS) {
+                 * We need to cache these as we don't have packet context
-                pam_end(sshpam_handle, sshpam_err);
+                 * during the kbdint flow.
-                sshpam_handle = NULL;
+                 */
-                return (-1);
+                sshpam_rhost = xstrdup(auth_get_canonical_hostname(ssh,
+                    options.use_dns));
+                sshpam_laddr = get_local_ipaddr(
+                    ssh_packet_get_connection_in(ssh));
+                xasprintf(&sshpam_conninfo, "SSH_CONNECTION=%.50s %d %.50s %d",
+                    ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
+                    sshpam_laddr, ssh_local_port(ssh));
        }
+        if (sshpam_rhost != NULL) {
+                debug("PAM: setting PAM_RHOST to \"%s\"", sshpam_rhost);
+                sshpam_err = pam_set_item(sshpam_handle, PAM_RHOST,
+                    sshpam_rhost);
+                if (sshpam_err != PAM_SUCCESS) {
+                        pam_end(sshpam_handle, sshpam_err);
+                        sshpam_handle = NULL;
+                        return (-1);
+                }
+                /* Put SSH_CONNECTION in the PAM environment too */
+                pam_putenv(sshpam_handle, sshpam_conninfo);
+        }
 #ifdef PAM_TTY_KLUDGE
        /*
         * Some silly PAM modules (e.g. pam_time) require a TTY to operate.
@@ -755,7 +781,7 @@ sshpam_init_ctx(Authctxt *authctxt)
                return NULL;
        /* Initialize PAM */
-        if (sshpam_init(authctxt) == -1) {
+        if (sshpam_init(NULL, authctxt) == -1) {
                error("PAM: initialization failed");
                return (NULL);
        }
@@ -787,7 +813,6 @@ static int
 sshpam_query(void *ctx, char **name, char **info,
    u_int *num, char ***prompts, u_int **echo_on)
 {
-        struct ssh *ssh = active_state; /* XXX */
        struct sshbuf *buffer;
        struct pam_ctxt *ctxt = ctx;
        size_t plen;
@@ -877,8 +902,7 @@ sshpam_query(void *ctx, char **name, char **info,
                        }
                        error("PAM: %s for %s%.100s from %.100s", msg,
                            sshpam_authctxt->valid ? "" : "illegal user ",
-                            sshpam_authctxt->user,
+                            sshpam_authctxt->user, sshpam_rhost);
-                            auth_get_canonical_hostname(ssh, options.use_dns));
                        /* FALLTHROUGH */
                default:
                        *num = 0;
@@ -995,12 +1019,14 @@ KbdintDevice mm_sshpam_device = {
 * This replaces auth-pam.c
 */
 void
-start_pam(Authctxt *authctxt)
+start_pam(struct ssh *ssh)
 {
+        Authctxt *authctxt = (Authctxt *)ssh->authctxt;
        if (!options.use_pam)
                fatal("PAM: initialisation requested when UsePAM=no");
-        if (sshpam_init(authctxt) == -1)
+        if (sshpam_init(ssh, authctxt) == -1)
                fatal("PAM: initialisation failed");
 }

diff --git a/auth-pam.c b/auth-pam.c index 1dec53e92..bde0a8f56 100644 --- a/auth-pam.c +++ b/auth-pam.c
@@ -248,6 +248,9 @@ static int sshpam_maxtries_reached = 0;
248	static char **sshpam_env = NULL;	248	static char **sshpam_env = NULL;
249	static Authctxt *sshpam_authctxt = NULL;	249	static Authctxt *sshpam_authctxt = NULL;
250	static const char *sshpam_password = NULL;	250	static const char *sshpam_password = NULL;
		251	static char *sshpam_rhost = NULL;
		252	static char *sshpam_laddr = NULL;
		253	static char *sshpam_conninfo = NULL;
251		254
252	/* Some PAM implementations don't implement this */	255	/* Some PAM implementations don't implement this */
253	#ifndef HAVE_PAM_GETENVLIST	256	#ifndef HAVE_PAM_GETENVLIST
@@ -669,13 +672,17 @@ sshpam_cleanup(void)
669	}	672	}
670		673
671	static int	674	static int
672	sshpam_init(Authctxt *authctxt)	675	sshpam_init(struct ssh ssh, Authctxt authctxt)
673	{	676	{
674	const char pam_rhost, pam_user, *user = authctxt->user;	677	const char pam_user, user = authctxt->user;
675	const char **ptr_pam_user = &pam_user;	678	const char **ptr_pam_user = &pam_user;
676	struct ssh ssh = active_state; / XXX */
677		679
678	if (sshpam_handle != NULL) {	680	if (sshpam_handle == NULL) {
		681	if (ssh == NULL) {
		682	fatal("%s: called initially with no "
		683	"packet context", __func__);
		684	}
		685	} if (sshpam_handle != NULL) {
679	/* We already have a PAM context; check if the user matches */	686	/* We already have a PAM context; check if the user matches */
680	sshpam_err = pam_get_item(sshpam_handle,	687	sshpam_err = pam_get_item(sshpam_handle,
681	PAM_USER, (sshpam_const void **)ptr_pam_user);	688	PAM_USER, (sshpam_const void **)ptr_pam_user);
@@ -694,14 +701,33 @@ sshpam_init(Authctxt *authctxt)
694	sshpam_handle = NULL;	701	sshpam_handle = NULL;
695	return (-1);	702	return (-1);
696	}	703	}
697	pam_rhost = auth_get_canonical_hostname(ssh, options.use_dns);	704
698	debug("PAM: setting PAM_RHOST to \"%s\"", pam_rhost);	705	if (ssh != NULL && sshpam_rhost == NULL) {
699	sshpam_err = pam_set_item(sshpam_handle, PAM_RHOST, pam_rhost);	706	/*
700	if (sshpam_err != PAM_SUCCESS) {	707	* We need to cache these as we don't have packet context
701	pam_end(sshpam_handle, sshpam_err);	708	* during the kbdint flow.
702	sshpam_handle = NULL;	709	*/
703	return (-1);	710	sshpam_rhost = xstrdup(auth_get_canonical_hostname(ssh,
		711	options.use_dns));
		712	sshpam_laddr = get_local_ipaddr(
		713	ssh_packet_get_connection_in(ssh));
		714	xasprintf(&sshpam_conninfo, "SSH_CONNECTION=%.50s %d %.50s %d",
		715	ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
		716	sshpam_laddr, ssh_local_port(ssh));
704	}	717	}
		718	if (sshpam_rhost != NULL) {
		719	debug("PAM: setting PAM_RHOST to \"%s\"", sshpam_rhost);
		720	sshpam_err = pam_set_item(sshpam_handle, PAM_RHOST,
		721	sshpam_rhost);
		722	if (sshpam_err != PAM_SUCCESS) {
		723	pam_end(sshpam_handle, sshpam_err);
		724	sshpam_handle = NULL;
		725	return (-1);
		726	}
		727	/* Put SSH_CONNECTION in the PAM environment too */
		728	pam_putenv(sshpam_handle, sshpam_conninfo);
		729	}
		730
705	#ifdef PAM_TTY_KLUDGE	731	#ifdef PAM_TTY_KLUDGE
706	/*	732	/*
707	* Some silly PAM modules (e.g. pam_time) require a TTY to operate.	733	* Some silly PAM modules (e.g. pam_time) require a TTY to operate.
@@ -755,7 +781,7 @@ sshpam_init_ctx(Authctxt *authctxt)
755	return NULL;	781	return NULL;
756		782
757	/* Initialize PAM */	783	/* Initialize PAM */
758	if (sshpam_init(authctxt) == -1) {	784	if (sshpam_init(NULL, authctxt) == -1) {
759	error("PAM: initialization failed");	785	error("PAM: initialization failed");
760	return (NULL);	786	return (NULL);
761	}	787	}
@@ -787,7 +813,6 @@ static int
787	sshpam_query(void ctx, char name, char *info,	813	sshpam_query(void ctx, char name, char *info,
788	u_int num, char prompts, u_int echo_on)	814	u_int num, char prompts, u_int echo_on)
789	{	815	{
790	struct ssh ssh = active_state; / XXX */
791	struct sshbuf *buffer;	816	struct sshbuf *buffer;
792	struct pam_ctxt *ctxt = ctx;	817	struct pam_ctxt *ctxt = ctx;
793	size_t plen;	818	size_t plen;
@@ -877,8 +902,7 @@ sshpam_query(void ctx, char name, char *info,
877	}	902	}
878	error("PAM: %s for %s%.100s from %.100s", msg,	903	error("PAM: %s for %s%.100s from %.100s", msg,
879	sshpam_authctxt->valid ? "" : "illegal user ",	904	sshpam_authctxt->valid ? "" : "illegal user ",
880	sshpam_authctxt->user,	905	sshpam_authctxt->user, sshpam_rhost);
881	auth_get_canonical_hostname(ssh, options.use_dns));
882	/* FALLTHROUGH */	906	/* FALLTHROUGH */
883	default:	907	default:
884	*num = 0;	908	*num = 0;
@@ -995,12 +1019,14 @@ KbdintDevice mm_sshpam_device = {
995	* This replaces auth-pam.c	1019	* This replaces auth-pam.c
996	*/	1020	*/
997	void	1021	void
998	start_pam(Authctxt *authctxt)	1022	start_pam(struct ssh *ssh)
999	{	1023	{
		1024	Authctxt authctxt = (Authctxt )ssh->authctxt;
		1025
1000	if (!options.use_pam)	1026	if (!options.use_pam)
1001	fatal("PAM: initialisation requested when UsePAM=no");	1027	fatal("PAM: initialisation requested when UsePAM=no");
1002		1028
1003	if (sshpam_init(authctxt) == -1)	1029	if (sshpam_init(ssh, authctxt) == -1)
1004	fatal("PAM: initialisation failed");	1030	fatal("PAM: initialisation failed");
1005	}	1031	}
1006		1032