From 7941855f09b067b639d72757ee3b1d5be1925d50 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Tue, 23 Apr 2002 20:28:48 +1000 Subject: - (djm) Make privsep work with PAM (still experimental) --- ChangeLog | 3 ++- auth-pam.c | 3 ++- auth1.c | 5 +++-- auth2.c | 8 ++++---- monitor.c | 34 +++++++++++++++++++++++++++++----- monitor.h | 1 + monitor_wrap.c | 17 +++++++++++++++++ monitor_wrap.h | 4 ++++ 8 files changed, 62 insertions(+), 13 deletions(-) diff --git a/ChangeLog b/ChangeLog index 4fcc65148..c36e89a9a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,7 @@ 20020423 - (djm) Bug #222: Fix tests for getaddrinfo on OSF/1. Spotted by Robert Urban + - (djm) Make privsep work with PAM (still experimental) 20020421 - (tim) [entropy.c.] Portability fix for SCO Unix 3.2v4.x (SCO OSR 3.0). @@ -8267,4 +8268,4 @@ - Wrote replacements for strlcpy and mkdtemp - Released 1.0pre1 -$Id: ChangeLog,v 1.2062 2002/04/23 10:22:59 djm Exp $ +$Id: ChangeLog,v 1.2063 2002/04/23 10:28:48 djm Exp $ diff --git a/auth-pam.c b/auth-pam.c index daa83c72a..222b358cc 100644 --- a/auth-pam.c +++ b/auth-pam.c @@ -36,7 +36,7 @@ extern char *__progname; -RCSID("$Id: auth-pam.c,v 1.43 2002/04/04 19:02:28 stevesk Exp $"); +RCSID("$Id: auth-pam.c,v 1.44 2002/04/23 10:28:49 djm Exp $"); #define NEW_AUTHTOK_MSG \ "Warning: Your password has expired, please change it now" @@ -249,6 +249,7 @@ int do_pam_account(char *username, char *remote_user) } pam_retval = pam_acct_mgmt(__pamh, 0); + debug2("pam_acct_mgmt() = %d", pam_retval); switch (pam_retval) { case PAM_SUCCESS: /* This is what we want */ diff --git a/auth1.c b/auth1.c index c2a8936ae..1f6fcb29b 100644 --- a/auth1.c +++ b/auth1.c @@ -306,7 +306,8 @@ do_authloop(Authctxt *authctxt) authenticated = 0; #endif #ifdef USE_PAM - if (authenticated && !do_pam_account(pw->pw_name, client_user)) + if (!use_privsep && authenticated && + !do_pam_account(pw->pw_name, client_user)) authenticated = 0; #endif 
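Review bot: The `client_user` argument no longer reaches PAM when privsep is on: this hunk skips do_pam_account() for `use_privsep`, and the monitor-side replacement added in monitor.c calls `do_pam_account(authctxt->pw->pw_name, NULL)`, so whatever do_pam_account() does with its `remote_user` parameter is lost for privilege-separated protocol 1 sessions. If that is intended, a one-line comment here would save the next reader a search, e.g. `/* privsep: the account check runs in the monitor, without client_user */`. The enclosing do_authloop() starts and ends outside the hunk.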
@@ -381,7 +382,7 @@ do_authentication(void) use_privsep ? " [net]" : ""); #ifdef USE_PAM - start_pam(authctxt->pw == NULL ? "NOUSER" : user); + PRIVSEP(start_pam(authctxt->pw == NULL ? "NOUSER" : user)); #endif /* diff --git a/auth2.c b/auth2.c index eadaa7135..4c18d232d 100644 --- a/auth2.c +++ b/auth2.c @@ -189,12 +189,12 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) authctxt->valid = 1; debug2("input_userauth_request: setting up authctxt for %s", user); #ifdef USE_PAM - start_pam(authctxt->pw->pw_name); + PRIVSEP(start_pam(authctxt->pw->pw_name)); #endif } else { log("input_userauth_request: illegal user %s", user); #ifdef USE_PAM - start_pam("NOUSER"); + PRIVSEP(start_pam("NOUSER")); #endif } setproctitle("%s%s", authctxt->pw ? user : "unknown", @@ -242,8 +242,8 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method) authenticated = 0; #ifdef USE_PAM - if (authenticated && authctxt->user && !do_pam_account(authctxt->user, - NULL)) + if (!use_privsep && authenticated && authctxt->user && + !do_pam_account(authctxt->user, NULL)) authenticated = 0; #endif /* USE_PAM */ diff --git a/monitor.c b/monitor.c index b66dc2a16..01adabe38 100644 --- a/monitor.c +++ b/monitor.c @@ -113,6 +113,10 @@ int mm_answer_rsa_response(int, Buffer *); int mm_answer_sesskey(int, Buffer *); int mm_answer_sessid(int, Buffer *); +#ifdef USE_PAM +int mm_answer_pam_start(int, Buffer *); +#endif + static Authctxt *authctxt; static BIGNUM *ssh1_challenge = NULL; /* used for ssh1 rsa auth */ @@ -143,8 +147,9 @@ struct mon_table mon_dispatch_proto20[] = { {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, -#if !defined(USE_PAM) {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, +#ifdef USE_PAM + {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start}, #endif #ifdef BSD_AUTH {MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery}, 
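Review bot: The protocol 1 path now sends MONITOR_REQ_PAM_START via `PRIVSEP(start_pam(...))`, but the monitor's mon_dispatch_proto15 table (the monitor.c hunk at -172,9) gains no `{MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start}` entry, and the only monitor_permit() for it is added in mm_answer_sign(), which protocol 1 never reaches. As far as the diff shows, a privsep protocol 1 login with USE_PAM would presumably have its request refused by the monitor instead of starting PAM. Adding the table entry under `#ifdef USE_PAM` in mon_dispatch_proto15 and permitting it wherever the protocol 1 setup permits MONITOR_REQ_PWNAM would make both protocols consistent. do_authentication() continues outside the hunk.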
@@ -172,9 +177,7 @@ struct mon_table mon_dispatch_proto15[] = { {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, {MONITOR_REQ_SESSKEY, MON_ONCE, mm_answer_sesskey}, {MONITOR_REQ_SESSID, MON_ONCE, mm_answer_sessid}, -#if !defined(USE_PAM) {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, -#endif {MONITOR_REQ_RSAKEYALLOWED, MON_ISAUTH, mm_answer_rsa_keyallowed}, {MONITOR_REQ_KEYALLOWED, MON_ISAUTH, mm_answer_keyallowed}, {MONITOR_REQ_RSACHALLENGE, MON_ONCE, mm_answer_rsa_challenge}, @@ -260,6 +263,10 @@ monitor_child_preauth(struct monitor *monitor) if (authctxt->pw->pw_uid == 0 && !auth_root_allowed(auth_method)) authenticated = 0; +#ifdef USE_PAM + if (!do_pam_account(authctxt->pw->pw_name, NULL)) + authenticated = 0; +#endif } if (ent->flags & MON_AUTHDECIDE) { @@ -457,6 +464,9 @@ mm_answer_sign(int socket, Buffer *m) /* Turn on permissions for getpwnam */ monitor_permit(mon_dispatch, MONITOR_REQ_PWNAM, 1); +#ifdef USE_PAM + monitor_permit(mon_dispatch, MONITOR_REQ_PAM_START, 1); +#endif return (0); } @@ -537,7 +547,6 @@ mm_answer_authserv(int socket, Buffer *m) return (0); } -#if !defined(USE_PAM) int mm_answer_authpassword(int socket, Buffer *m) { @@ -566,7 +575,6 @@ mm_answer_authpassword(int socket, Buffer *m) /* Causes monitor loop to terminate if authenticated */ return (authenticated); } -#endif #ifdef BSD_AUTH int @@ -673,6 +681,22 @@ mm_answer_skeyrespond(int socket, Buffer *m) } #endif +#ifdef USE_PAM +int +mm_answer_pam_start(int socket, Buffer *m) +{ + char *user; + + user = buffer_get_string(m, NULL); + + start_pam(user); + + xfree(user); + + return (0); +} +#endif + static void mm_append_debug(Buffer *m) { diff --git a/monitor.h b/monitor.h index 681b5188b..56ec9d915 100644 --- a/monitor.h +++ b/monitor.h 
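Review bot: The new do_pam_account() call in monitor_child_preauth() runs even when the preceding root check has just cleared `authenticated`, so pam_acct_mgmt() is consulted for a login the monitor has already decided to refuse; `if (!do_pam_account(authctxt->pw->pw_name, NULL))` could become `if (authenticated && !do_pam_account(authctxt->pw->pw_name, NULL))` to keep PAM side effects (module logging, the new debug2 in auth-pam.c) to logins that can still succeed. The NULL passed as `remote_user` also differs from the `client_user` the protocol 1 child used to pass; a short comment on why is worth adding if it is deliberate. The block this sits in starts outside the hunk.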
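Review bot: mm_answer_pam_start() hands a string chosen by the unprivileged child straight to start_pam() in the root monitor, although the monitor already obtains the user name itself through the MONITOR_REQ_PWNAM exchange, and because MONITOR_REQ_PAM_START is permitted in mm_answer_sign() at the same point as MONITOR_REQ_PWNAM the child may send it before, or with a different name than, the lookup. Assuming mm_answer_pwnamallow() records the name in the monitor's `authctxt->user` (auth2.c shows that field in use on the child side), the monitor should check the message against its own state rather than trust it, e.g. `if (authctxt->user == NULL || strcmp(user, authctxt->user) != 0) fatal("%s: user mismatch", __FUNCTION__);` before the start_pam() call, or ignore the payload and pass its own copy. Alternatively, move the monitor_permit() for MONITOR_REQ_PAM_START into mm_answer_pwnamallow() so the request is only accepted once the name is known to the monitor.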
@@ -48,6 +48,7 @@ enum monitor_reqtype { MONITOR_REQ_RSAKEYALLOWED, MONITOR_ANS_RSAKEYALLOWED, MONITOR_REQ_RSACHALLENGE, MONITOR_ANS_RSACHALLENGE, MONITOR_REQ_RSARESPONSE, MONITOR_ANS_RSARESPONSE, + MONITOR_REQ_PAM_START, MONITOR_REQ_TERM, }; diff --git a/monitor_wrap.c b/monitor_wrap.c index 53bf59b5b..0fe5bc10d 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c @@ -623,6 +623,23 @@ mm_session_pty_cleanup2(void *session) s->ttyfd = -1; } +#ifdef USE_PAM +void +mm_start_pam(char *user) +{ + Buffer m; + + debug3("%s entering", __FUNCTION__); + + buffer_init(&m); + buffer_put_cstring(&m, user); + + mm_request_send(monitor->m_recvfd, MONITOR_REQ_PAM_START, &m); + + buffer_free(&m); +} +#endif /* USE_PAM */ + /* Request process termination */ void diff --git a/monitor_wrap.h b/monitor_wrap.h index fe434d1e1..975ba0549 100644 --- a/monitor_wrap.h +++ b/monitor_wrap.h @@ -54,6 +54,10 @@ int mm_auth_rsa_key_allowed(struct passwd *, BIGNUM *, Key **); int mm_auth_rsa_verify_response(Key *, BIGNUM *, u_char *); BIGNUM *mm_auth_rsa_generate_challenge(Key *); +#ifdef USE_PAM +void mm_start_pam(char *); +#endif + void mm_terminate(void); int mm_pty_allocate(int *, int *, char *, int); void mm_session_pty_cleanup2(void *); -- cgit v1.2.3
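Review bot: mm_start_pam() sends MONITOR_REQ_PAM_START and returns without reading an answer, and its counterpart mm_answer_pam_start() in monitor.c replies with nothing, so the child has no way to learn whether PAM initialisation failed; that contract should be stated above the function, e.g. `/* Ask the monitor to start_pam() for user. No reply is expected; a failure is only visible as a fatal() in the monitor. */`. Since the declaration in monitor_wrap.h is the public interface, the same sentence belongs on the prototype there. The monitor.h and monitor_wrap.h hunks are declaration-only.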