summaryrefslogtreecommitdiff
path: root/auth-pam.c
diff options
context:
space:
mode:
Diffstat (limited to 'auth-pam.c')
-rw-r--r--auth-pam.c68
1 files changed, 42 insertions, 26 deletions
diff --git a/auth-pam.c b/auth-pam.c
index d67324e1f..bde0a8f56 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -248,6 +248,9 @@ static int sshpam_maxtries_reached = 0;
248static char **sshpam_env = NULL; 248static char **sshpam_env = NULL;
249static Authctxt *sshpam_authctxt = NULL; 249static Authctxt *sshpam_authctxt = NULL;
250static const char *sshpam_password = NULL; 250static const char *sshpam_password = NULL;
251static char *sshpam_rhost = NULL;
252static char *sshpam_laddr = NULL;
253static char *sshpam_conninfo = NULL;
251 254
252/* Some PAM implementations don't implement this */ 255/* Some PAM implementations don't implement this */
253#ifndef HAVE_PAM_GETENVLIST 256#ifndef HAVE_PAM_GETENVLIST
@@ -669,14 +672,17 @@ sshpam_cleanup(void)
669} 672}
670 673
671static int 674static int
672sshpam_init(Authctxt *authctxt) 675sshpam_init(struct ssh *ssh, Authctxt *authctxt)
673{ 676{
674 const char *pam_rhost, *pam_user, *user = authctxt->user; 677 const char *pam_user, *user = authctxt->user;
675 const char **ptr_pam_user = &pam_user; 678 const char **ptr_pam_user = &pam_user;
676 char *laddr, *conninfo;
677 struct ssh *ssh = active_state; /* XXX */
678 679
679 if (sshpam_handle != NULL) { 680 if (sshpam_handle == NULL) {
681 if (ssh == NULL) {
682 fatal("%s: called initially with no "
683 "packet context", __func__);
684 }
685 } if (sshpam_handle != NULL) {
680 /* We already have a PAM context; check if the user matches */ 686 /* We already have a PAM context; check if the user matches */
681 sshpam_err = pam_get_item(sshpam_handle, 687 sshpam_err = pam_get_item(sshpam_handle,
682 PAM_USER, (sshpam_const void **)ptr_pam_user); 688 PAM_USER, (sshpam_const void **)ptr_pam_user);
@@ -695,22 +701,32 @@ sshpam_init(Authctxt *authctxt)
695 sshpam_handle = NULL; 701 sshpam_handle = NULL;
696 return (-1); 702 return (-1);
697 } 703 }
698 pam_rhost = auth_get_canonical_hostname(ssh, options.use_dns);
699 debug("PAM: setting PAM_RHOST to \"%s\"", pam_rhost);
700 sshpam_err = pam_set_item(sshpam_handle, PAM_RHOST, pam_rhost);
701 if (sshpam_err != PAM_SUCCESS) {
702 pam_end(sshpam_handle, sshpam_err);
703 sshpam_handle = NULL;
704 return (-1);
705 }
706 704
707 laddr = get_local_ipaddr(packet_get_connection_in()); 705 if (ssh != NULL && sshpam_rhost == NULL) {
708 xasprintf(&conninfo, "SSH_CONNECTION=%.50s %d %.50s %d", 706 /*
709 ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), 707 * We need to cache these as we don't have packet context
710 laddr, ssh_local_port(ssh)); 708 * during the kbdint flow.
711 pam_putenv(sshpam_handle, conninfo); 709 */
712 free(laddr); 710 sshpam_rhost = xstrdup(auth_get_canonical_hostname(ssh,
713 free(conninfo); 711 options.use_dns));
712 sshpam_laddr = get_local_ipaddr(
713 ssh_packet_get_connection_in(ssh));
714 xasprintf(&sshpam_conninfo, "SSH_CONNECTION=%.50s %d %.50s %d",
715 ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
716 sshpam_laddr, ssh_local_port(ssh));
717 }
718 if (sshpam_rhost != NULL) {
719 debug("PAM: setting PAM_RHOST to \"%s\"", sshpam_rhost);
720 sshpam_err = pam_set_item(sshpam_handle, PAM_RHOST,
721 sshpam_rhost);
722 if (sshpam_err != PAM_SUCCESS) {
723 pam_end(sshpam_handle, sshpam_err);
724 sshpam_handle = NULL;
725 return (-1);
726 }
727 /* Put SSH_CONNECTION in the PAM environment too */
728 pam_putenv(sshpam_handle, sshpam_conninfo);
729 }
714 730
715#ifdef PAM_TTY_KLUDGE 731#ifdef PAM_TTY_KLUDGE
716 /* 732 /*
@@ -765,7 +781,7 @@ sshpam_init_ctx(Authctxt *authctxt)
765 return NULL; 781 return NULL;
766 782
767 /* Initialize PAM */ 783 /* Initialize PAM */
768 if (sshpam_init(authctxt) == -1) { 784 if (sshpam_init(NULL, authctxt) == -1) {
769 error("PAM: initialization failed"); 785 error("PAM: initialization failed");
770 return (NULL); 786 return (NULL);
771 } 787 }
@@ -797,7 +813,6 @@ static int
797sshpam_query(void *ctx, char **name, char **info, 813sshpam_query(void *ctx, char **name, char **info,
798 u_int *num, char ***prompts, u_int **echo_on) 814 u_int *num, char ***prompts, u_int **echo_on)
799{ 815{
800 struct ssh *ssh = active_state; /* XXX */
801 struct sshbuf *buffer; 816 struct sshbuf *buffer;
802 struct pam_ctxt *ctxt = ctx; 817 struct pam_ctxt *ctxt = ctx;
803 size_t plen; 818 size_t plen;
@@ -887,8 +902,7 @@ sshpam_query(void *ctx, char **name, char **info,
887 } 902 }
888 error("PAM: %s for %s%.100s from %.100s", msg, 903 error("PAM: %s for %s%.100s from %.100s", msg,
889 sshpam_authctxt->valid ? "" : "illegal user ", 904 sshpam_authctxt->valid ? "" : "illegal user ",
890 sshpam_authctxt->user, 905 sshpam_authctxt->user, sshpam_rhost);
891 auth_get_canonical_hostname(ssh, options.use_dns));
892 /* FALLTHROUGH */ 906 /* FALLTHROUGH */
893 default: 907 default:
894 *num = 0; 908 *num = 0;
@@ -1005,12 +1019,14 @@ KbdintDevice mm_sshpam_device = {
1005 * This replaces auth-pam.c 1019 * This replaces auth-pam.c
1006 */ 1020 */
1007void 1021void
1008start_pam(Authctxt *authctxt) 1022start_pam(struct ssh *ssh)
1009{ 1023{
1024 Authctxt *authctxt = (Authctxt *)ssh->authctxt;
1025
1010 if (!options.use_pam) 1026 if (!options.use_pam)
1011 fatal("PAM: initialisation requested when UsePAM=no"); 1027 fatal("PAM: initialisation requested when UsePAM=no");
1012 1028
1013 if (sshpam_init(authctxt) == -1) 1029 if (sshpam_init(ssh, authctxt) == -1)
1014 fatal("PAM: initialisation failed"); 1030 fatal("PAM: initialisation failed");
1015} 1031}
1016 1032