From 23fe57c51caeacf58c24cc4efc8d701db3cb0fdc Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Tue, 2 Jul 2002 17:08:23 +1000 Subject: - (djm) Use PAM_MSG_MEMBER for PAM_TEXT_INFO messages, use xmalloc & friends consistently. Spotted by Solar Designer --- auth-pam.c | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) (limited to 'auth-pam.c') diff --git a/auth-pam.c b/auth-pam.c index 490990dec..6bf10d2f9 100644 --- a/auth-pam.c +++ b/auth-pam.c @@ -36,7 +36,7 @@ extern char *__progname; -RCSID("$Id: auth-pam.c,v 1.46 2002/05/08 02:27:56 djm Exp $"); +RCSID("$Id: auth-pam.c,v 1.47 2002/07/02 07:08:24 djm Exp $"); #define NEW_AUTHTOK_MSG \ "Warning: Your password has expired, please change it now" @@ -100,9 +100,7 @@ static int do_pam_conversation(int num_msg, const struct pam_message **msg, char buf[1024]; /* PAM will free this later */ - reply = malloc(num_msg * sizeof(*reply)); - if (reply == NULL) - return PAM_CONV_ERR; + reply = xmalloc(num_msg * sizeof(*reply)); for (count = 0; count < num_msg; count++) { if (pamstate == INITIAL_LOGIN) { @@ -112,11 +110,11 @@ static int do_pam_conversation(int num_msg, const struct pam_message **msg, */ switch(PAM_MSG_MEMBER(msg, count, msg_style)) { case PAM_PROMPT_ECHO_ON: - free(reply); + xfree(reply); return PAM_CONV_ERR; case PAM_PROMPT_ECHO_OFF: if (__pampasswd == NULL) { - free(reply); + xfree(reply); return PAM_CONV_ERR; } reply[count].resp = xstrdup(__pampasswd); @@ -124,7 +122,7 @@ static int do_pam_conversation(int num_msg, const struct pam_message **msg, break; case PAM_ERROR_MSG: case PAM_TEXT_INFO: - if ((*msg)[count].msg != NULL) { + if (PAM_MSG_MEMBER(msg, count, msg) != NULL) { message_cat(&__pam_msg, PAM_MSG_MEMBER(msg, count, msg)); } @@ -132,7 +130,7 @@ static int do_pam_conversation(int num_msg, const struct pam_message **msg, reply[count].resp_retcode = PAM_SUCCESS; break; default: - free(reply); + xfree(reply); return PAM_CONV_ERR; } } else { 
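Review bot: `num_msg` reaches `xmalloc(num_msg * sizeof(*reply))` at the top of do_pam_conversation without any range check, so a zero, negative or very large count supplied by a PAM module is not rejected before the size is computed. A guard ahead of the call, `if (num_msg <= 0 || (size_t)num_msg > SIZE_MAX / sizeof(*reply)) return PAM_CONV_ERR;`, keeps that case a conversation error. The switch to xmalloc also changes out-of-memory handling from returning PAM_CONV_ERR to whatever xmalloc does on failure (presumably fatal(); its definition is not on this page), which deserves a line in the comment above the call. The function body starts and ends outside the hunk.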
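Review bot: The error returns in this switch release only the `reply` array, so any `reply[i].resp` filled by `xstrdup(__pampasswd)` in an earlier iteration is leaked, and that string is a copy of the user's password left in heap memory. Each of these paths should scrub and free the entries already stored before calling `xfree(reply)`, which also means zeroing the array right after allocation so unfilled slots are NULL. The same applies to the `default:` returns in the hunks at -132,7 and -161,7. Plain `memset` before a free can be elided by an optimiser, so use the project's own zeroing helper if it has one (none is visible here). The enclosing function starts and ends outside the hunk.

```c
	int i;
	/* … unchanged: reply = xmalloc(num_msg * sizeof(*reply)) … */
	memset(reply, 0, num_msg * sizeof(*reply));
	/* … unchanged: loop header and switch … */
		case PAM_PROMPT_ECHO_ON:
			/* scrub and release answers stored by earlier iterations */
			for (i = 0; i < count; i++) {
				if (reply[i].resp != NULL) {
					memset(reply[i].resp, 0, strlen(reply[i].resp));
					xfree(reply[i].resp);
				}
			}
			xfree(reply);
			return PAM_CONV_ERR;
	/* … unchanged: remaining cases; the other error returns need the same cleanup … */
```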
@@ -161,7 +159,7 @@ static int do_pam_conversation(int num_msg, const struct pam_message **msg, reply[count].resp_retcode = PAM_SUCCESS; break; default: - free(reply); + xfree(reply); return PAM_CONV_ERR; } } -- cgit v1.2.3 From 6cdecd0892b9b9a7a8e3e3917272d04727eb82fa Mon Sep 17 00:00:00 2001 From: Kevin Steves Date: Sun, 21 Jul 2002 17:26:54 +0000 Subject: - (stevesk) [auth-pam.c] merge cosmetic changes from solar's openssh-3.4p1-owl-password-changing.diff --- ChangeLog | 6 +++++- auth-pam.c | 8 ++++---- 2 files changed, 9 insertions(+), 5 deletions(-) (limited to 'auth-pam.c') diff --git a/ChangeLog b/ChangeLog index 940edc8d3..702b6b6db 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +20020721 + - (stevesk) [auth-pam.c] merge cosmetic changes from solar's + openssh-3.4p1-owl-password-changing.diff + 20020720 - (stevesk) [ssh-keygen.c] bug #231: always init/seed_rng(). @@ -1397,4 +1401,4 @@ - (stevesk) entropy.c: typo in debug message - (djm) ssh-keygen -i needs seeded RNG; report from markus@ -$Id: ChangeLog,v 1.2380 2002/07/20 19:05:40 stevesk Exp $ +$Id: ChangeLog,v 1.2381 2002/07/21 17:26:54 stevesk Exp $ diff --git a/auth-pam.c b/auth-pam.c index 6bf10d2f9..f31641c28 100644 --- a/auth-pam.c +++ b/auth-pam.c @@ -36,10 +36,10 @@ extern char *__progname; -RCSID("$Id: auth-pam.c,v 1.47 2002/07/02 07:08:24 djm Exp $"); +RCSID("$Id: auth-pam.c,v 1.48 2002/07/21 17:26:54 stevesk Exp $"); #define NEW_AUTHTOK_MSG \ - "Warning: Your password has expired, please change it now" + "Warning: Your password has expired, please change it now." static int do_pam_conversation(int num_msg, const struct pam_message **msg, struct pam_response **resp, void *appdata_ptr); 
@@ -55,7 +55,7 @@ static const char *__pampasswd = NULL; /* states for do_pam_conversation() */ enum { INITIAL_LOGIN, OTHER } pamstate = INITIAL_LOGIN; -/* remember whether pam_acct_mgmt() returned PAM_NEWAUTHTOK_REQD */ +/* remember whether pam_acct_mgmt() returned PAM_NEW_AUTHTOK_REQD */ static int password_change_required = 0; /* remember whether the last pam_authenticate() succeeded or not */ static int was_authenticated = 0; @@ -326,7 +326,7 @@ int is_pam_password_change_required(void) * Have user change authentication token if pam_acct_mgmt() indicated * it was expired. This needs to be called after an interactive * session is established and the user's pty is connected to - * stdin/stout/stderr. + * stdin/stdout/stderr. */ void do_pam_chauthtok(void) { -- cgit v1.2.3 From 63007d42ee68157abc5a31a5003dae4448b03f7b Mon Sep 17 00:00:00 2001 From: Kevin Steves Date: Sun, 21 Jul 2002 17:57:01 +0000 Subject: - (stevesk) [auth-pam.c] merge rest of solar's PAM patch; PAM_NEW_AUTHTOK_REQD remains in #if 0 for now. --- ChangeLog | 4 +++- auth-pam.c | 26 ++++++++++++++++++++++++-- 2 files changed, 27 insertions(+), 3 deletions(-) (limited to 'auth-pam.c') diff --git a/ChangeLog b/ChangeLog index 702b6b6db..440aa914f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,8 @@ 20020721 - (stevesk) [auth-pam.c] merge cosmetic changes from solar's openssh-3.4p1-owl-password-changing.diff + - (stevesk) [auth-pam.c] merge rest of solar's PAM patch; + PAM_NEW_AUTHTOK_REQD remains in #if 0 for now. 20020720 - (stevesk) [ssh-keygen.c] bug #231: always init/seed_rng(). @@ -1401,4 +1403,4 @@ - (stevesk) entropy.c: typo in debug message - (djm) ssh-keygen -i needs seeded RNG; report from markus@ -$Id: ChangeLog,v 1.2381 2002/07/21 17:26:54 stevesk Exp $ +$Id: ChangeLog,v 1.2382 2002/07/21 17:57:01 stevesk Exp $ diff --git a/auth-pam.c b/auth-pam.c index f31641c28..22807f1a9 100644 --- a/auth-pam.c +++ b/auth-pam.c 
@@ -29,6 +29,7 @@ #include "xmalloc.h" #include "log.h" #include "auth.h" +#include "auth-options.h" #include "auth-pam.h" #include "servconf.h" #include "canohost.h" @@ -36,10 +37,14 @@ extern char *__progname; -RCSID("$Id: auth-pam.c,v 1.48 2002/07/21 17:26:54 stevesk Exp $"); +extern int use_privsep; + +RCSID("$Id: auth-pam.c,v 1.49 2002/07/21 17:57:01 stevesk Exp $"); #define NEW_AUTHTOK_MSG \ "Warning: Your password has expired, please change it now." +#define NEW_AUTHTOK_MSG_PRIVSEP \ + "Your password has expired, the session cannot proceed." static int do_pam_conversation(int num_msg, const struct pam_message **msg, struct pam_response **resp, void *appdata_ptr); @@ -254,9 +259,14 @@ int do_pam_account(char *username, char *remote_user) break; #if 0 case PAM_NEW_AUTHTOK_REQD: - message_cat(&__pam_msg, NEW_AUTHTOK_MSG); + message_cat(&__pam_msg, use_privsep ? + NEW_AUTHTOK_MSG_PRIVSEP : NEW_AUTHTOK_MSG); /* flag that password change is necessary */ password_change_required = 1; + /* disallow other functionality for now */ + no_port_forwarding_flag |= 2; + no_agent_forwarding_flag |= 2; + no_x11_forwarding_flag |= 2; break; #endif default: @@ -335,11 +345,23 @@ void do_pam_chauthtok(void) do_pam_set_conv(&conv); if (password_change_required) { + if (use_privsep) + fatal("Password changing is currently unsupported" + " with privilege separation"); pamstate = OTHER; pam_retval = pam_chauthtok(__pamh, PAM_CHANGE_EXPIRED_AUTHTOK); if (pam_retval != PAM_SUCCESS) fatal("PAM pam_chauthtok failed[%d]: %.200s", pam_retval, PAM_STRERROR(__pamh, pam_retval)); +#if 0 + /* XXX: This would need to be done in the parent process, + * but there's currently no way to pass such request. */ + no_port_forwarding_flag &= ~2; + no_agent_forwarding_flag &= ~2; + no_x11_forwarding_flag &= ~2; + if (!no_port_forwarding_flag && options.allow_tcp_forwarding) + channel_permit_all_opens(); +#endif } } -- cgit v1.2.3 From 3429a1bf6063f2c8c3ed2429da6455f1b2c1ccc7 Mon Sep 17 00:00:00 2001 
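Review bot: The literal `2` OR-ed into `no_port_forwarding_flag`, `no_agent_forwarding_flag` and `no_x11_forwarding_flag` in the `PAM_NEW_AUTHTOK_REQD` case turns what the names suggest are boolean flags into bitmasks without saying so, and the same literal is masked off again in the do_pam_chauthtok hunk at -335,11. Give the bit a name (for example `#define PAM_PASSWORD_EXPIRED_BIT 2`, name only a suggestion) with a comment that it marks restrictions imposed while a password change is pending. Any code outside this diff that assigns these flags instead of OR-ing into them would silently drop the bit and lift the restriction, so that should be checked before the `#if 0` is removed. do_pam_account continues outside the hunk.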
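Review bot: As far as this diff shows, the new `fatal()` in do_pam_chauthtok is the only point where an expired password stops a connection under `use_privsep`, and the function's header comment says it is called only after an interactive session and pty exist. The forwarding restrictions that would cover a connection that never reaches this call are set in the do_pam_account hunk and are still under `#if 0`, so the two pieces have to be enabled together; a comment next to the `fatal()` should say so, e.g. `/* non-interactive use is restricted via the no_*_forwarding_flag bits set in do_pam_account() */`. The disabled re-enable block also calls `channel_permit_all_opens()`, whose header is not among the includes visible in this diff.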
From: Kevin Steves Date: Sun, 21 Jul 2002 22:49:47 +0000 Subject: - (stevesk) [auth-pam.c] cast to avoid initialization type mismatch warning on pam_conv struct conversation function. --- ChangeLog | 4 +++- auth-pam.c | 4 ++-- 2 files changed, 5 insertions(+), 3 deletions(-) (limited to 'auth-pam.c') diff --git a/ChangeLog b/ChangeLog index 440aa914f..2847b0bd0 100644 --- a/ChangeLog +++ b/ChangeLog @@ -3,6 +3,8 @@ openssh-3.4p1-owl-password-changing.diff - (stevesk) [auth-pam.c] merge rest of solar's PAM patch; PAM_NEW_AUTHTOK_REQD remains in #if 0 for now. + - (stevesk) [auth-pam.c] cast to avoid initialization type mismatch + warning on pam_conv struct conversation function. 20020720 - (stevesk) [ssh-keygen.c] bug #231: always init/seed_rng(). @@ -1403,4 +1405,4 @@ - (stevesk) entropy.c: typo in debug message - (djm) ssh-keygen -i needs seeded RNG; report from markus@ -$Id: ChangeLog,v 1.2382 2002/07/21 17:57:01 stevesk Exp $ +$Id: ChangeLog,v 1.2383 2002/07/21 22:49:47 stevesk Exp $ diff --git a/auth-pam.c b/auth-pam.c index 22807f1a9..48d5afa0f 100644 --- a/auth-pam.c +++ b/auth-pam.c @@ -39,7 +39,7 @@ extern char *__progname; extern int use_privsep; -RCSID("$Id: auth-pam.c,v 1.49 2002/07/21 17:57:01 stevesk Exp $"); +RCSID("$Id: auth-pam.c,v 1.50 2002/07/21 22:49:47 stevesk Exp $"); #define NEW_AUTHTOK_MSG \ "Warning: Your password has expired, please change it now." @@ -51,7 +51,7 @@ static int do_pam_conversation(int num_msg, const struct pam_message **msg, /* module-local variables */ static struct pam_conv conv = { - do_pam_conversation, + (int (*)())do_pam_conversation, NULL }; static char *__pam_msg = NULL; -- cgit v1.2.3 From 287077eaf2db7115a08f0fa9bd811ddda6119209 Mon Sep 17 00:00:00 2001 
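Review bot: The cast `(int (*)())do_pam_conversation` in the `conv` initializer silences the mismatch warning by converting to an unprototyped function pointer, which also removes the compiler's check that the callback matches what the platform's `struct pam_conv` expects. If the mismatch comes from a platform that declares the `msg` parameter without `const` (an assumption; the warning text is not on the page), a later real signature error would go unnoticed, and calling through an incompatible pointer type is undefined behaviour in C. At minimum add a comment on the cast such as `/* cast: <platform> declares the conv callback without const on msg */` with the placeholder filled in; a configure-selected qualifier in the do_pam_conversation prototype would keep the type check instead.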
From: Kevin Steves Date: Sun, 21 Jul 2002 23:59:39 +0000 Subject: - (stevesk) [auth-pam.[ch] ssh.h] move SSHD_PAM_SERVICE to auth-pam.h --- ChangeLog | 3 ++- auth-pam.c | 3 +-- auth-pam.h | 6 +++++- ssh.h | 4 ---- 4 files changed, 8 insertions(+), 8 deletions(-) (limited to 'auth-pam.c') diff --git a/ChangeLog b/ChangeLog index ae78d0a96..cfe70b218 100644 --- a/ChangeLog +++ b/ChangeLog @@ -7,6 +7,7 @@ warning on pam_conv struct conversation function. - (stevesk) [auth-pam.h] license - (stevesk) [auth-pam.h] unneeded include + - (stevesk) [auth-pam.[ch] ssh.h] move SSHD_PAM_SERVICE to auth-pam.h 20020720 - (stevesk) [ssh-keygen.c] bug #231: always init/seed_rng(). @@ -1407,4 +1408,4 @@ - (stevesk) entropy.c: typo in debug message - (djm) ssh-keygen -i needs seeded RNG; report from markus@ -$Id: ChangeLog,v 1.2385 2002/07/21 23:20:07 stevesk Exp $ +$Id: ChangeLog,v 1.2386 2002/07/21 23:59:40 stevesk Exp $ diff --git a/auth-pam.c b/auth-pam.c index 48d5afa0f..79af58a0b 100644 --- a/auth-pam.c +++ b/auth-pam.c @@ -25,7 +25,6 @@ #include "includes.h" #ifdef USE_PAM -#include "ssh.h" #include "xmalloc.h" #include "log.h" #include "auth.h" @@ -39,7 +38,7 @@ extern char *__progname; extern int use_privsep; -RCSID("$Id: auth-pam.c,v 1.50 2002/07/21 22:49:47 stevesk Exp $"); +RCSID("$Id: auth-pam.c,v 1.51 2002/07/21 23:59:39 stevesk Exp $"); #define NEW_AUTHTOK_MSG \ "Warning: Your password has expired, please change it now." diff --git a/auth-pam.h b/auth-pam.h index 8cb7389e1..215e75282 100644 --- a/auth-pam.h +++ b/auth-pam.h @@ -1,4 +1,4 @@ -/* $Id: auth-pam.h,v 1.14 2002/07/21 23:20:07 stevesk Exp $ */ +/* $Id: auth-pam.h,v 1.15 2002/07/21 23:59:39 stevesk Exp $ */ /* * Copyright (c) 2000 Damien Miller. All rights reserved. 
@@ -27,6 +27,10 @@ #include "includes.h" #ifdef USE_PAM +#if !defined(SSHD_PAM_SERVICE) +# define SSHD_PAM_SERVICE __progname +#endif + void start_pam(const char *user); void finish_pam(void); int auth_pam_password(Authctxt *authctxt, const char *password); diff --git a/ssh.h b/ssh.h index 07eee78b6..0a6ad1317 100644 --- a/ssh.h +++ b/ssh.h @@ -60,10 +60,6 @@ */ #define SSH_SERVICE_NAME "ssh" -#if defined(USE_PAM) && !defined(SSHD_PAM_SERVICE) -# define SSHD_PAM_SERVICE __progname -#endif - /* * Name of the environment variable containing the process ID of the * authentication agent. -- cgit v1.2.3 From 38b050a0f526d1b7982deb9d19f59c95f7b91b22 Mon Sep 17 00:00:00 2001 From: Kevin Steves Date: Tue, 23 Jul 2002 00:44:07 +0000 Subject: - (stevesk) [auth-pam.[ch] session.c] pam_getenvlist() must be freed by the caller; add free_pam_environment() and use it. --- ChangeLog | 4 +++- auth-pam.c | 12 +++++++++++- auth-pam.h | 3 ++- session.c | 13 +++++++++++-- 4 files changed, 27 insertions(+), 5 deletions(-) (limited to 'auth-pam.c') diff --git a/ChangeLog b/ChangeLog index 0bfeeddeb..b444df906 100644 --- a/ChangeLog +++ b/ChangeLog @@ -6,6 +6,8 @@ - (bal) [configure.ac] Missing ;; from cray patch. - (bal) [monitor_mm.c openbsd-compat/xmmap.h] Move xmmap() defines into it's own header. + - (stevesk) [auth-pam.[ch] session.c] pam_getenvlist() must be + freed by the caller; add free_pam_environment() and use it. 20020721 - (stevesk) [auth-pam.c] merge cosmetic changes from solar's @@ -1417,4 +1419,4 @@ - (stevesk) entropy.c: typo in debug message - (djm) ssh-keygen -i needs seeded RNG; report from markus@ -$Id: ChangeLog,v 1.2391 2002/07/23 00:03:33 mouring Exp $ +$Id: ChangeLog,v 1.2392 2002/07/23 00:44:07 stevesk Exp $ diff --git a/auth-pam.c b/auth-pam.c index 79af58a0b..8e1498296 100644 --- a/auth-pam.c +++ b/auth-pam.c 
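Review bot: auth-pam.h now expands `SSHD_PAM_SERVICE` to `__progname` but does not declare that symbol, so the macro only works in files that carry their own `extern char *__progname;`, as auth-pam.c does. Either add that extern declaration beside the `#define` or state the requirement in a comment there. A second comment should record that the default PAM service name is taken from `__progname` (presumably the program's invocation name), so the PAM stack applied depends on how the daemon binary is named unless `SSHD_PAM_SERVICE` is defined at build time.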
@@ -38,7 +38,7 @@ extern char *__progname; extern int use_privsep; -RCSID("$Id: auth-pam.c,v 1.51 2002/07/21 23:59:39 stevesk Exp $"); +RCSID("$Id: auth-pam.c,v 1.52 2002/07/23 00:44:07 stevesk Exp $"); #define NEW_AUTHTOK_MSG \ "Warning: Your password has expired, please change it now." @@ -421,6 +421,16 @@ char **fetch_pam_environment(void) #endif /* HAVE_PAM_GETENVLIST */ } +void free_pam_environment(char **env) +{ + int i; + + if (env != NULL) { + for (i = 0; env[i] != NULL; i++) + xfree(env[i]); + } +} + /* Print any messages that have been generated during authentication */ /* or account checking to stderr */ void print_pam_messages(void) diff --git a/auth-pam.h b/auth-pam.h index 215e75282..7881b6b80 100644 --- a/auth-pam.h +++ b/auth-pam.h @@ -1,4 +1,4 @@ -/* $Id: auth-pam.h,v 1.15 2002/07/21 23:59:39 stevesk Exp $ */ +/* $Id: auth-pam.h,v 1.16 2002/07/23 00:44:07 stevesk Exp $ */ /* * Copyright (c) 2000 Damien Miller. All rights reserved. @@ -35,6 +35,7 @@ void start_pam(const char *user); void finish_pam(void); int auth_pam_password(Authctxt *authctxt, const char *password); char **fetch_pam_environment(void); +void free_pam_environment(char **env); int do_pam_authenticate(int flags); int do_pam_account(char *username, char *remote_user); void do_pam_session(char *username, const char *ttyname); diff --git a/session.c b/session.c index 5fb1ace00..3c759e472 100644 --- a/session.c +++ b/session.c @@ -1042,8 +1042,17 @@ do_setup_env(Session *s, const char *shell) s->authctxt->krb5_ticket_file); #endif #ifdef USE_PAM - /* Pull in any environment variables that may have been set by PAM. */ - copy_environment(fetch_pam_environment(), &env, &envsize); + /* + * Pull in any environment variables that may have + * been set by PAM. + */ + { + char **p; + + p = fetch_pam_environment(); + copy_environment(p, &env, &envsize); + free_pam_environment(p); + } #endif /* USE_PAM */ if (auth_sock_name != NULL) -- cgit v1.2.3 
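Review bot: free_pam_environment() releases each string in `env` but never the array itself, so the vector obtained in do_setup_env still leaks on every call. Add `xfree(env);` after the loop, inside the `if (env != NULL)` block. The commit message says the pam_getenvlist() result must be freed by the caller, and that covers the pointer array as well as its entries. The call in session.c is safe only if copy_environment() duplicates the strings it is given, which is not visible on this page and is worth a one-line comment at the call site.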
From 6fa740ba84f811cfcb12fcd94dffdd4c28cdf29e Mon Sep 17 00:00:00 2001 From: Kevin Steves Date: Tue, 23 Jul 2002 00:51:53 +0000 Subject: - (stevesk) [auth-pam.c] typo in comment --- ChangeLog | 3 ++- auth-pam.c | 4 ++-- 2 files changed, 4 insertions(+), 3 deletions(-) (limited to 'auth-pam.c') diff --git a/ChangeLog b/ChangeLog index b444df906..fee08680a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -8,6 +8,7 @@ into it's own header. - (stevesk) [auth-pam.[ch] session.c] pam_getenvlist() must be freed by the caller; add free_pam_environment() and use it. + - (stevesk) [auth-pam.c] typo in comment 20020721 - (stevesk) [auth-pam.c] merge cosmetic changes from solar's @@ -1419,4 +1420,4 @@ - (stevesk) entropy.c: typo in debug message - (djm) ssh-keygen -i needs seeded RNG; report from markus@ -$Id: ChangeLog,v 1.2392 2002/07/23 00:44:07 stevesk Exp $ +$Id: ChangeLog,v 1.2393 2002/07/23 00:51:53 stevesk Exp $ diff --git a/auth-pam.c b/auth-pam.c index 8e1498296..39c2ac6a3 100644 --- a/auth-pam.c +++ b/auth-pam.c @@ -38,7 +38,7 @@ extern char *__progname; extern int use_privsep; -RCSID("$Id: auth-pam.c,v 1.52 2002/07/23 00:44:07 stevesk Exp $"); +RCSID("$Id: auth-pam.c,v 1.53 2002/07/23 00:51:53 stevesk Exp $"); #define NEW_AUTHTOK_MSG \ "Warning: Your password has expired, please change it now." @@ -411,7 +411,7 @@ void start_pam(const char *user) fatal_add_cleanup(&do_pam_cleanup_proc, NULL); } -/* Return list of PAM enviornment strings */ +/* Return list of PAM environment strings */ char **fetch_pam_environment(void) { #ifdef HAVE_PAM_GETENVLIST -- cgit v1.2.3 From 6a998ebfa96c93994e9d98cd07f228de95d71a67 Mon Sep 17 00:00:00 2001 From: Kevin Steves Date: Sun, 28 Jul 2002 20:24:07 +0000 Subject: - (stevesk) [auth-pam.c] should use PAM_MSG_MEMBER(); from solar --- ChangeLog | 5 ++++- auth-pam.c | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) (limited to 'auth-pam.c') diff --git a/ChangeLog b/ChangeLog index f787ee406..0cc6459df 100644 --- a/ChangeLog 
+++ b/ChangeLog @@ -1,3 +1,6 @@ +20020728 + - (stevesk) [auth-pam.c] should use PAM_MSG_MEMBER(); from solar + 20020725 - (djm) Remove some cruft from INSTALL - (djm) Latest config.guess and config.sub from ftp://ftp.gnu.org/gnu/config/ @@ -1456,4 +1459,4 @@ - (stevesk) entropy.c: typo in debug message - (djm) ssh-keygen -i needs seeded RNG; report from markus@ -$Id: ChangeLog,v 1.2405 2002/07/25 04:40:22 djm Exp $ +$Id: ChangeLog,v 1.2406 2002/07/28 20:24:07 stevesk Exp $ diff --git a/auth-pam.c b/auth-pam.c index 39c2ac6a3..99b03f45b 100644 --- a/auth-pam.c +++ b/auth-pam.c @@ -38,7 +38,7 @@ extern char *__progname; extern int use_privsep; -RCSID("$Id: auth-pam.c,v 1.53 2002/07/23 00:51:53 stevesk Exp $"); +RCSID("$Id: auth-pam.c,v 1.54 2002/07/28 20:24:08 stevesk Exp $"); #define NEW_AUTHTOK_MSG \ "Warning: Your password has expired, please change it now." @@ -156,7 +156,7 @@ static int do_pam_conversation(int num_msg, const struct pam_message **msg, break; case PAM_ERROR_MSG: case PAM_TEXT_INFO: - if ((*msg)[count].msg != NULL) + if (PAM_MSG_MEMBER(msg, count, msg) != NULL) fprintf(stderr, "%s\n", PAM_MSG_MEMBER(msg, count, msg)); reply[count].resp = xstrdup(""); -- cgit v1.2.3