From 69687f4b65373e09269db8c18f18b4ac7225a382 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Sat, 11 Sep 2004 22:17:26 +1000 Subject: - (dtucker) [auth-pam.c auth-pam.h session.c] Bug #890: Send output from failing PAM session modules to user then exit, similar to the way /etc/nologin is handled. ok djm@ --- auth-pam.c | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) (limited to 'auth-pam.c') diff --git a/auth-pam.c b/auth-pam.c index b93241f48..27b9bab23 100644 --- a/auth-pam.c +++ b/auth-pam.c @@ -47,7 +47,7 @@ /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */ #include "includes.h" -RCSID("$Id: auth-pam.c,v 1.114 2004/08/16 13:12:06 dtucker Exp $"); +RCSID("$Id: auth-pam.c,v 1.115 2004/09/11 12:17:26 dtucker Exp $"); #ifdef USE_PAM #if defined(HAVE_SECURITY_PAM_APPL_H) @@ -949,10 +949,21 @@ do_pam_session(void) fatal("PAM: failed to set PAM_CONV: %s", pam_strerror(sshpam_handle, sshpam_err)); sshpam_err = pam_open_session(sshpam_handle, 0); - if (sshpam_err != PAM_SUCCESS) - fatal("PAM: pam_open_session(): %s", + if (sshpam_err == PAM_SUCCESS) + sshpam_session_open = 1; + else { + sshpam_session_open = 0; + disable_forwarding(); + error("PAM: pam_open_session(): %s", pam_strerror(sshpam_handle, sshpam_err)); - sshpam_session_open = 1; + } + +} + +int +is_pam_session_open(void) +{ + return sshpam_session_open; } /* -- cgit v1.2.3 From 0a7e3c6c899b7e25efd36cfb9ffb0a8fb36ca67a Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Sat, 11 Sep 2004 22:28:01 +1000 Subject: - (dtucker) [auth-pam.c] Relocate sshpam_store_conv(), no code change. --- ChangeLog | 3 +- auth-pam.c | 92 +++++++++++++++++++++++++++++++------------------------------- 2 files changed, 48 insertions(+), 47 deletions(-) (limited to 'auth-pam.c') diff --git a/ChangeLog b/ChangeLog index 2fed3fb38..9a14a06ea 100644 --- a/ChangeLog +++ b/ChangeLog @@ -3,6 +3,7 @@ - (dtucker) [auth-pam.c auth-pam.h session.c] Bug #890: Send output from failing PAM session modules to user then exit, similar to the way /etc/nologin is handled. ok djm@ + - (dtucker) [auth-pam.c] Relocate sshpam_store_conv(), no code change. 20040830 - (dtucker) [session.c openbsd-compat/bsd-cygwin_util.{c,h}] Bug #915: only @@ -1722,4 +1723,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.3541 2004/09/11 12:17:26 dtucker Exp $ +$Id: ChangeLog,v 1.3542 2004/09/11 12:28:01 dtucker Exp $ diff --git a/auth-pam.c b/auth-pam.c index 27b9bab23..4ad86de9e 100644 --- a/auth-pam.c +++ b/auth-pam.c @@ -47,7 +47,7 @@ /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */ #include "includes.h" -RCSID("$Id: auth-pam.c,v 1.115 2004/09/11 12:17:26 dtucker Exp $"); +RCSID("$Id: auth-pam.c,v 1.116 2004/09/11 12:28:02 dtucker Exp $"); #ifdef USE_PAM #if defined(HAVE_SECURITY_PAM_APPL_H) @@ -490,6 +490,51 @@ sshpam_null_conv(int n, struct pam_message **msg, static struct pam_conv null_conv = { sshpam_null_conv, NULL }; +static int +sshpam_store_conv(int n, struct pam_message **msg, + struct pam_response **resp, void *data) +{ + struct pam_response *reply; + int i; + size_t len; + + debug3("PAM: %s called with %d messages", __func__, n); + *resp = NULL; + + if (n <= 0 || n > PAM_MAX_NUM_MSG) + return (PAM_CONV_ERR); + + if ((reply = malloc(n * sizeof(*reply))) == NULL) + return (PAM_CONV_ERR); + memset(reply, 0, n * sizeof(*reply)); + + for (i = 0; i < n; ++i) { + switch (PAM_MSG_MEMBER(msg, i, msg_style)) { + case PAM_ERROR_MSG: + case PAM_TEXT_INFO: + len = strlen(PAM_MSG_MEMBER(msg, i, msg)); + buffer_append(&loginmsg, PAM_MSG_MEMBER(msg, i, msg), len); + buffer_append(&loginmsg, "\n", 1 ); + reply[i].resp_retcode = PAM_SUCCESS; + break; + default: + goto fail; + } + } + *resp = reply; + return (PAM_SUCCESS); + + fail: + for(i = 0; i < n; i++) { + if (reply[i].resp != NULL) + xfree(reply[i].resp); + } + xfree(reply); + return (PAM_CONV_ERR); +} + +static struct pam_conv store_conv = { sshpam_store_conv, NULL }; + void sshpam_cleanup(void) { @@ -894,51 +939,6 @@ do_pam_chauthtok(void) pam_strerror(sshpam_handle, sshpam_err)); } -static int -sshpam_store_conv(int n, struct pam_message **msg, - struct pam_response **resp, void *data) -{ - struct pam_response *reply; - int i; - size_t len; - - debug3("PAM: %s called with %d messages", __func__, n); - *resp = NULL; - - if (n <= 0 || n > PAM_MAX_NUM_MSG) - return (PAM_CONV_ERR); - - if ((reply = malloc(n * sizeof(*reply))) == NULL) - return (PAM_CONV_ERR); - memset(reply, 0, n * sizeof(*reply)); - - for (i = 0; i < n; ++i) { - switch (PAM_MSG_MEMBER(msg, i, msg_style)) { - case PAM_ERROR_MSG: - case PAM_TEXT_INFO: - len = strlen(PAM_MSG_MEMBER(msg, i, msg)); - buffer_append(&loginmsg, PAM_MSG_MEMBER(msg, i, msg), len); - buffer_append(&loginmsg, "\n", 1 ); - reply[i].resp_retcode = PAM_SUCCESS; - break; - default: - goto fail; - } - } - *resp = reply; - return (PAM_SUCCESS); - - fail: - for(i = 0; i < n; i++) { - if (reply[i].resp != NULL) - xfree(reply[i].resp); - } - xfree(reply); - return (PAM_CONV_ERR); -} - -static struct pam_conv store_conv = { sshpam_store_conv, NULL }; - void do_pam_session(void) { -- cgit v1.2.3 From 77fc29eeb382974ae063227c249ee3b98646e38a Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Sat, 11 Sep 2004 23:07:03 +1000 Subject: - (dtucker) [auth-pam.c auth.h auth2-none.c auth2.c monitor.c monitor_wrap.c] Bug #892: Send messages from failing PAM account modules to the client via SSH2_MSG_USERAUTH_BANNER messages. Note that this will not happen with SSH2 kbdint authentication, which need to be dealt with separately. ok djm@ --- ChangeLog | 6 +++++- auth-pam.c | 10 ++++++---- auth.h | 1 + auth2-none.c | 19 ++++++++++++++----- auth2.c | 15 +++++++++++++-- monitor.c | 3 +++ monitor_wrap.c | 5 +++++ 7 files changed, 47 insertions(+), 12 deletions(-) (limited to 'auth-pam.c') diff --git a/ChangeLog b/ChangeLog index 85366cbb1..0c0d2c6fc 100644 --- a/ChangeLog +++ b/ChangeLog @@ -6,6 +6,10 @@ - (dtucker) [auth-pam.c] Relocate sshpam_store_conv(), no code change. - (djm) [auth2-kbdint.c auth2-none.c auth2-passwd.c auth2-pubkey.c] Make cygwin code more consistent with that which surrounds it + - (dtucker) [auth-pam.c auth.h auth2-none.c auth2.c monitor.c monitor_wrap.c] + Bug #892: Send messages from failing PAM account modules to the client via + SSH2_MSG_USERAUTH_BANNER messages. Note that this will not happen with + SSH2 kbdint authentication, which need to be dealt with separately. ok djm@ 20040830 - (dtucker) [session.c openbsd-compat/bsd-cygwin_util.{c,h}] Bug #915: only @@ -1725,4 +1729,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.3543 2004/09/11 12:42:09 djm Exp $ +$Id: ChangeLog,v 1.3544 2004/09/11 13:07:03 dtucker Exp $ diff --git a/auth-pam.c b/auth-pam.c index 4ad86de9e..0a6817d63 100644 --- a/auth-pam.c +++ b/auth-pam.c @@ -47,7 +47,7 @@ /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */ #include "includes.h" -RCSID("$Id: auth-pam.c,v 1.116 2004/09/11 12:28:02 dtucker Exp $"); +RCSID("$Id: auth-pam.c,v 1.117 2004/09/11 13:07:03 dtucker Exp $"); #ifdef USE_PAM #if defined(HAVE_SECURITY_PAM_APPL_H) @@ -572,7 +572,7 @@ sshpam_init(Authctxt *authctxt) } debug("PAM: initializing for \"%s\"", user); sshpam_err = - pam_start(SSHD_PAM_SERVICE, user, &null_conv, &sshpam_handle); + pam_start(SSHD_PAM_SERVICE, user, &store_conv, &sshpam_handle); sshpam_authctxt = authctxt; if (sshpam_err != PAM_SUCCESS) { @@ -804,11 +804,13 @@ finish_pam(void) u_int do_pam_account(void) { + debug("%s: called", __func__); if (sshpam_account_status != -1) return (sshpam_account_status); sshpam_err = pam_acct_mgmt(sshpam_handle, 0); - debug3("PAM: %s pam_acct_mgmt = %d", __func__, sshpam_err); + debug3("PAM: %s pam_acct_mgmt = %d (%s)", __func__, sshpam_err, + pam_strerror(sshpam_handle, sshpam_err)); if (sshpam_err != PAM_SUCCESS && sshpam_err != PAM_NEW_AUTHTOK_REQD) { sshpam_account_status = 0; @@ -838,7 +840,7 @@ void do_pam_setcred(int init) { sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, - (const void *)&null_conv); + (const void *)&store_conv); if (sshpam_err != PAM_SUCCESS) fatal("PAM: failed to set PAM_CONV: %s", pam_strerror(sshpam_handle, sshpam_err)); diff --git a/auth.h b/auth.h index 2f094403d..760337bea 100644 --- a/auth.h +++ b/auth.h @@ -137,6 +137,7 @@ void do_authentication2(Authctxt *); void auth_log(Authctxt *, int, char *, char *); void userauth_finish(Authctxt *, int, char *); +void userauth_send_banner(const char *); int auth_root_allowed(char *); char *auth2_read_banner(void); diff --git a/auth2-none.c b/auth2-none.c index 787458dad..1c30a3203 100644 --- a/auth2-none.c +++ b/auth2-none.c @@ -74,6 +74,19 @@ auth2_read_banner(void) return (banner); } +void +userauth_send_banner(const char *msg) +{ + if (datafellows & SSH_BUG_BANNER) + return; + + packet_start(SSH2_MSG_USERAUTH_BANNER); + packet_put_cstring(msg); + packet_put_cstring(""); /* language, unused */ + packet_send(); + debug("%s: sent", __func__); +} + static void userauth_banner(void) { @@ -84,12 +97,8 @@ userauth_banner(void) if ((banner = PRIVSEP(auth2_read_banner())) == NULL) goto done; + userauth_send_banner(banner); - packet_start(SSH2_MSG_USERAUTH_BANNER); - packet_put_cstring(banner); - packet_put_cstring(""); /* language, unused */ - packet_send(); - debug("userauth_banner: sent"); done: if (banner) xfree(banner); diff --git a/auth2.c b/auth2.c index b98309576..57e6db46b 100644 --- a/auth2.c +++ b/auth2.c @@ -35,6 +35,7 @@ RCSID("$OpenBSD: auth2.c,v 1.107 2004/07/28 09:40:29 markus Exp $"); #include "dispatch.h" #include "pathnames.h" #include "monitor_wrap.h" +#include "buffer.h" #ifdef GSSAPI #include "ssh-gss.h" @@ -44,6 +45,7 @@ RCSID("$OpenBSD: auth2.c,v 1.107 2004/07/28 09:40:29 markus Exp $"); extern ServerOptions options; extern u_char *session_id2; extern u_int session_id2_len; +extern Buffer loginmsg; /* methods */ @@ -216,8 +218,17 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method) authenticated = 0; #ifdef USE_PAM - if (options.use_pam && authenticated && !PRIVSEP(do_pam_account())) - authenticated = 0; + if (options.use_pam && authenticated) { + if (!PRIVSEP(do_pam_account())) { + authenticated = 0; + /* if PAM returned a message, send it to the user */ + if (buffer_len(&loginmsg) > 0) { + buffer_append(&loginmsg, "\0", 1); + userauth_send_banner(buffer_ptr(&loginmsg)); + buffer_clear(&loginmsg); + } + } + } #endif #ifdef _UNICOS diff --git a/monitor.c b/monitor.c index b7463400e..00d4a785f 100644 --- a/monitor.c +++ b/monitor.c @@ -810,6 +810,9 @@ mm_answer_pam_account(int sock, Buffer *m) ret = do_pam_account(); buffer_put_int(m, ret); + buffer_append(&loginmsg, "\0", 1); + buffer_put_cstring(m, buffer_ptr(&loginmsg)); + buffer_clear(&loginmsg); mm_request_send(sock, MONITOR_ANS_PAM_ACCOUNT, m); diff --git a/monitor_wrap.c b/monitor_wrap.c index 0d7a0e3bd..23857639b 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c @@ -72,6 +72,7 @@ extern struct monitor *pmonitor; extern Buffer input, output; extern Buffer loginmsg; extern ServerOptions options; +extern Buffer loginmsg; int mm_is_monitor(void) @@ -716,6 +717,7 @@ mm_do_pam_account(void) { Buffer m; u_int ret; + char *msg; debug3("%s entering", __func__); if (!options.use_pam) @@ -727,6 +729,9 @@ mm_do_pam_account(void) mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_ACCOUNT, &m); ret = buffer_get_int(&m); + msg = buffer_get_string(&m, NULL); + buffer_append(&loginmsg, msg, strlen(msg)); + xfree(msg); buffer_free(&m); -- cgit v1.2.3 From daffc6a1152ccebdd6eb70a029e28cc5949110d7 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sat, 16 Oct 2004 18:52:44 +1000 Subject: - (djm) [auth-pam.c] snprintf->strl*, fix server message length calculations --- ChangeLog | 5 ++++- auth-pam.c | 17 +++++++++++------ 2 files changed, 15 insertions(+), 7 deletions(-) (limited to 'auth-pam.c') diff --git a/ChangeLog b/ChangeLog index 6baa4bc66..47deee9c7 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,6 @@ +20041016 + - (djm) [auth-pam.c] snprintf->strl*, fix server message length calculations + 20041006 - (dtucker) [README.privsep] Bug #939: update info about HP-UX Trusted Mode and other PAM platforms. @@ -1763,4 +1766,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.3558 2004/10/06 13:15:44 dtucker Exp $ +$Id: ChangeLog,v 1.3559 2004/10/16 08:52:44 djm Exp $ diff --git a/auth-pam.c b/auth-pam.c index 0a6817d63..a1b26cc59 100644 --- a/auth-pam.c +++ b/auth-pam.c @@ -47,7 +47,7 @@ /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */ #include "includes.h" -RCSID("$Id: auth-pam.c,v 1.117 2004/09/11 13:07:03 dtucker Exp $"); +RCSID("$Id: auth-pam.c,v 1.118 2004/10/16 08:52:44 djm Exp $"); #ifdef USE_PAM #if defined(HAVE_SECURITY_PAM_APPL_H) @@ -654,7 +654,7 @@ sshpam_query(void *ctx, char **name, char **info, size_t plen; u_char type; char *msg; - size_t len; + size_t len, mlen; debug3("PAM: %s entering", __func__); buffer_init(&buffer); @@ -667,22 +667,27 @@ sshpam_query(void *ctx, char **name, char **info, while (ssh_msg_recv(ctxt->pam_psock, &buffer) == 0) { type = buffer_get_char(&buffer); msg = buffer_get_string(&buffer, NULL); + mlen = strlen(msg); switch (type) { case PAM_PROMPT_ECHO_ON: case PAM_PROMPT_ECHO_OFF: *num = 1; - len = plen + strlen(msg) + 1; + len = plen + mlen + 1; **prompts = xrealloc(**prompts, len); - plen += snprintf(**prompts + plen, len, "%s", msg); + strlcpy(**prompts + plen, msg, len - plen); + plen += mlen; **echo_on = (type == PAM_PROMPT_ECHO_ON); xfree(msg); return (0); case PAM_ERROR_MSG: case PAM_TEXT_INFO: /* accumulate messages */ - len = plen + strlen(msg) + 2; + len = plen + mlen + 2; **prompts = xrealloc(**prompts, len); - plen += snprintf(**prompts + plen, len, "%s\n", msg); + strlcpy(**prompts + plen, msg, len - plen); + plen += mlen; + strlcat(**prompts + plen, "\n", len - plen); + plen++; xfree(msg); break; case PAM_SUCCESS: -- cgit v1.2.3 From 36a3d60347f23528695e550317d5ba6d63e6b0f4 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Thu, 20 Jan 2005 12:43:38 +1100 Subject: - (dtucker) [auth-pam.c] Bug #971: Prevent leaking information about user existence via keyboard-interactive/pam, in conjunction with previous auth2-chall.c change; with Colin Watson and djm. --- ChangeLog | 5 ++++- auth-pam.c | 17 ++++++++++++++--- 2 files changed, 18 insertions(+), 4 deletions(-) (limited to 'auth-pam.c') diff --git a/ChangeLog b/ChangeLog index cef110384..19101efd6 100644 --- a/ChangeLog +++ b/ChangeLog @@ -30,6 +30,9 @@ behaviour for bsdauth is maintained by checking authctxt->valid in the bsdauth driver. Note that any third-party kbdint drivers will now need to be able to handle responses for invalid logins. ok markus@ + - (dtucker) [auth-pam.c] Bug #971: Prevent leaking information about user + existence via keyboard-interactive/pam, in conjunction with previous + auth2-chall.c change; with Colin Watson and djm. 20050118 - (dtucker) [INSTALL Makefile.in configure.ac survey.sh.in] Implement @@ -2002,4 +2005,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.3616 2005/01/20 00:05:34 dtucker Exp $ +$Id: ChangeLog,v 1.3617 2005/01/20 01:43:38 dtucker Exp $ diff --git a/auth-pam.c b/auth-pam.c index a1b26cc59..996964fcd 100644 --- a/auth-pam.c +++ b/auth-pam.c @@ -47,7 +47,7 @@ /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */ #include "includes.h" -RCSID("$Id: auth-pam.c,v 1.118 2004/10/16 08:52:44 djm Exp $"); +RCSID("$Id: auth-pam.c,v 1.119 2005/01/20 01:43:39 dtucker Exp $"); #ifdef USE_PAM #if defined(HAVE_SECURITY_PAM_APPL_H) @@ -186,6 +186,7 @@ static int sshpam_account_status = -1; static char **sshpam_env = NULL; static Authctxt *sshpam_authctxt = NULL; static const char *sshpam_password = NULL; +static char badpw[] = "\b\n\r\177INCORRECT"; /* Some PAM implementations don't implement this */ #ifndef HAVE_PAM_GETENVLIST @@ -701,6 +702,12 @@ sshpam_query(void *ctx, char **name, char **info, **prompts = NULL; } if (type == PAM_SUCCESS) { + if (!sshpam_authctxt->valid || + (sshpam_authctxt->pw->pw_uid == 0 && + options.permit_root_login != PERMIT_YES)) + fatal("Internal error: PAM auth " + "succeeded when it should have " + "failed"); import_environments(&buffer); *num = 0; **echo_on = 0; @@ -746,7 +753,12 @@ sshpam_respond(void *ctx, u_int num, char **resp) return (-1); } buffer_init(&buffer); - buffer_put_cstring(&buffer, *resp); + if (sshpam_authctxt->valid && + (sshpam_authctxt->pw->pw_uid != 0 || + options.permit_root_login == PERMIT_YES)) + buffer_put_cstring(&buffer, *resp); + else + buffer_put_cstring(&buffer, badpw); if (ssh_msg_send(ctxt->pam_psock, PAM_AUTHTOK, &buffer) == -1) { buffer_free(&buffer); return (-1); @@ -1093,7 +1105,6 @@ sshpam_auth_passwd(Authctxt *authctxt, const char *password) { int flags = (options.permit_empty_passwd == 0 ? PAM_DISALLOW_NULL_AUTHTOK : 0); - static char badpw[] = "\b\n\r\177INCORRECT"; if (!options.use_pam || sshpam_handle == NULL) fatal("PAM: %s called when PAM disabled or failed to " -- cgit v1.2.3 From d231186fd0acb8fee480faf61c4e9e4cc6186faf Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Thu, 20 Jan 2005 13:27:56 +1100 Subject: - djm@cvs.openbsd.org 2004/12/22 02:13:19 [cipher-ctr.c cipher.c] remove fallback AES support for old OpenSSL, as OpenBSD has had it for many years now; ok deraadt@ (Id sync only: Portable will continue to support older OpenSSLs) --- ChangeLog | 7 ++++++- auth-pam.c | 26 ++++++++++++++++---------- cipher-ctr.c | 2 +- cipher.c | 2 +- 4 files changed, 24 insertions(+), 13 deletions(-) (limited to 'auth-pam.c') diff --git a/ChangeLog b/ChangeLog index 19101efd6..9eab2b462 100644 --- a/ChangeLog +++ b/ChangeLog @@ -30,6 +30,11 @@ behaviour for bsdauth is maintained by checking authctxt->valid in the bsdauth driver. Note that any third-party kbdint drivers will now need to be able to handle responses for invalid logins. ok markus@ + - djm@cvs.openbsd.org 2004/12/22 02:13:19 + [cipher-ctr.c cipher.c] + remove fallback AES support for old OpenSSL, as OpenBSD has had it for + many years now; ok deraadt@ + (Id sync only: Portable will continue to support older OpenSSLs) - (dtucker) [auth-pam.c] Bug #971: Prevent leaking information about user existence via keyboard-interactive/pam, in conjunction with previous auth2-chall.c change; with Colin Watson and djm. @@ -2005,4 +2010,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.3617 2005/01/20 01:43:38 dtucker Exp $ +$Id: ChangeLog,v 1.3618 2005/01/20 02:27:56 dtucker Exp $ diff --git a/auth-pam.c b/auth-pam.c index 996964fcd..5bffe338f 100644 --- a/auth-pam.c +++ b/auth-pam.c @@ -47,7 +47,7 @@ /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */ #include "includes.h" -RCSID("$Id: auth-pam.c,v 1.119 2005/01/20 01:43:39 dtucker Exp $"); +RCSID("$Id: auth-pam.c,v 1.120 2005/01/20 02:27:56 dtucker Exp $"); #ifdef USE_PAM #if defined(HAVE_SECURITY_PAM_APPL_H) @@ -245,6 +245,17 @@ sshpam_password_change_required(int reqd) } } +/* Check ssh internal flags in addition to PAM */ + +static int +sshpam_login_allowed(Authctxt *ctxt) +{ + if (ctxt->valid && (ctxt->pw->pw_uid != 0 || + options.permit_root_login == PERMIT_YES)) + return 1; + return 0; +} + /* Import regular and PAM environment from subprocess */ static void import_environments(Buffer *b) @@ -702,9 +713,7 @@ sshpam_query(void *ctx, char **name, char **info, **prompts = NULL; } if (type == PAM_SUCCESS) { - if (!sshpam_authctxt->valid || - (sshpam_authctxt->pw->pw_uid == 0 && - options.permit_root_login != PERMIT_YES)) + if (!sshpam_login_allowed(sshpam_authctxt)) fatal("Internal error: PAM auth " "succeeded when it should have " "failed"); @@ -753,9 +762,7 @@ sshpam_respond(void *ctx, u_int num, char **resp) return (-1); } buffer_init(&buffer); - if (sshpam_authctxt->valid && - (sshpam_authctxt->pw->pw_uid != 0 || - options.permit_root_login == PERMIT_YES)) + if (sshpam_login_allowed(sshpam_authctxt)) buffer_put_cstring(&buffer, *resp); else buffer_put_cstring(&buffer, badpw); @@ -1118,8 +1125,7 @@ sshpam_auth_passwd(Authctxt *authctxt, const char *password) * by PermitRootLogin, use an invalid password to prevent leaking * information via timing (eg if the PAM config has a delay on fail). */ - if (!authctxt->valid || (authctxt->pw->pw_uid == 0 && - options.permit_root_login != PERMIT_YES)) + if (!sshpam_login_allowed(authctxt)) sshpam_password = badpw; sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, @@ -1130,7 +1136,7 @@ sshpam_auth_passwd(Authctxt *authctxt, const char *password) sshpam_err = pam_authenticate(sshpam_handle, flags); sshpam_password = NULL; - if (sshpam_err == PAM_SUCCESS && authctxt->valid) { + if (sshpam_err == PAM_SUCCESS && sshpam_login_allowed(authctxt)) { debug("PAM: password authentication accepted for %.100s", authctxt->user); return 1; diff --git a/cipher-ctr.c b/cipher-ctr.c index 395dabedd..43f1ede57 100644 --- a/cipher-ctr.c +++ b/cipher-ctr.c @@ -14,7 +14,7 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ #include "includes.h" -RCSID("$OpenBSD: cipher-ctr.c,v 1.4 2004/02/06 23:41:13 dtucker Exp $"); +RCSID("$OpenBSD: cipher-ctr.c,v 1.5 2004/12/22 02:13:19 djm Exp $"); #include diff --git a/cipher.c b/cipher.c index 075a4c5fc..64be0571f 100644 --- a/cipher.c +++ b/cipher.c @@ -35,7 +35,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: cipher.c,v 1.71 2004/07/28 09:40:29 markus Exp $"); +RCSID("$OpenBSD: cipher.c,v 1.72 2004/12/22 02:13:19 djm Exp $"); #include "xmalloc.h" #include "log.h" -- cgit v1.2.3 From d5bfa8f9d84b1abada09333994c8c889551a61fb Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Thu, 20 Jan 2005 13:29:51 +1100 Subject: Oops, did not intend to commit this yet --- auth-pam.c | 26 ++++++++++---------------- 1 file changed, 10 insertions(+), 16 deletions(-) (limited to 'auth-pam.c') diff --git a/auth-pam.c b/auth-pam.c index 5bffe338f..6ce8c429b 100644 --- a/auth-pam.c +++ b/auth-pam.c @@ -47,7 +47,7 @@ /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */ #include "includes.h" -RCSID("$Id: auth-pam.c,v 1.120 2005/01/20 02:27:56 dtucker Exp $"); +RCSID("$Id: auth-pam.c,v 1.121 2005/01/20 02:29:51 dtucker Exp $"); #ifdef USE_PAM #if defined(HAVE_SECURITY_PAM_APPL_H) @@ -245,17 +245,6 @@ sshpam_password_change_required(int reqd) } } -/* Check ssh internal flags in addition to PAM */ - -static int -sshpam_login_allowed(Authctxt *ctxt) -{ - if (ctxt->valid && (ctxt->pw->pw_uid != 0 || - options.permit_root_login == PERMIT_YES)) - return 1; - return 0; -} - /* Import regular and PAM environment from subprocess */ static void import_environments(Buffer *b) @@ -713,7 +702,9 @@ sshpam_query(void *ctx, char **name, char **info, **prompts = NULL; } if (type == PAM_SUCCESS) { - if (!sshpam_login_allowed(sshpam_authctxt)) + if (!sshpam_authctxt->valid || + (sshpam_authctxt->pw->pw_uid == 0 && + options.permit_root_login != PERMIT_YES)) fatal("Internal error: PAM auth " "succeeded when it should have " "failed"); @@ -762,7 +753,9 @@ sshpam_respond(void *ctx, u_int num, char **resp) return (-1); } buffer_init(&buffer); - if (sshpam_login_allowed(sshpam_authctxt)) + if (sshpam_authctxt->valid && + (sshpam_authctxt->pw->pw_uid != 0 || + options.permit_root_login == PERMIT_YES)) buffer_put_cstring(&buffer, *resp); else buffer_put_cstring(&buffer, badpw); @@ -1125,7 +1118,8 @@ sshpam_auth_passwd(Authctxt *authctxt, const char *password) * by PermitRootLogin, use an invalid password to prevent leaking * information via timing (eg if the PAM config has a delay on fail). */ - if (!sshpam_login_allowed(authctxt)) + if (!authctxt->valid || (authctxt->pw->pw_uid == 0 && + options.permit_root_login != PERMIT_YES)) sshpam_password = badpw; sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, @@ -1136,7 +1130,7 @@ sshpam_auth_passwd(Authctxt *authctxt, const char *password) sshpam_err = pam_authenticate(sshpam_handle, flags); sshpam_password = NULL; - if (sshpam_err == PAM_SUCCESS && sshpam_login_allowed(authctxt)) { + if (sshpam_err == PAM_SUCCESS && authctxt->valid) { debug("PAM: password authentication accepted for %.100s", authctxt->user); return 1; -- cgit v1.2.3