X-Git-Url: http://andersk.mit.edu/gitweb/gssapi-openssh.git/blobdiff_plain/dfddba3d7e01aaef75b0f84b9f3c53f34e2504c9..b5afdff53b51d529e596da3b4c2aa5ee14cc8b08:/openssh/auth-pam.c diff --git a/openssh/auth-pam.c b/openssh/auth-pam.c index 0b79f3a..90ec372 100644 --- a/openssh/auth-pam.c +++ b/openssh/auth-pam.c @@ -30,7 +30,7 @@ */ /* * Copyright (c) 2003,2004 Damien Miller - * Copyright (c) 2003,2004 Darren Tucker + * Copyright (c) 2003,2004,2006 Darren Tucker * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -47,7 +47,16 @@ /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */ #include "includes.h" -RCSID("$Id$"); + +#include +#include +#include + +#include +#include +#include +#include +#include #ifdef USE_PAM #if defined(HAVE_SECURITY_PAM_APPL_H) @@ -56,27 +65,55 @@ RCSID("$Id$"); #include #endif +/* OpenGroup RFC86.0 and XSSO specify no "const" on arguments */ +#ifdef PAM_SUN_CODEBASE +# define sshpam_const /* Solaris, HP-UX, AIX */ +#else +# define sshpam_const const /* LinuxPAM, OpenPAM */ +#endif + +/* Ambiguity in spec: is it an array of pointers or a pointer to an array? */ +#ifdef PAM_SUN_CODEBASE +# define PAM_MSG_MEMBER(msg, n, member) ((*(msg))[(n)].member) +#else +# define PAM_MSG_MEMBER(msg, n, member) ((msg)[(n)]->member) +#endif + +#include "xmalloc.h" +#include "buffer.h" +#include "key.h" +#include "hostfile.h" #include "auth.h" #include "auth-pam.h" -#include "buffer.h" -#include "bufaux.h" #include "canohost.h" #include "log.h" -#include "monitor_wrap.h" #include "msg.h" #include "packet.h" #include "misc.h" #include "servconf.h" #include "ssh2.h" -#include "xmalloc.h" #include "auth-options.h" +#ifdef GSSAPI +#include "ssh-gss.h" +#endif +#include "monitor_wrap.h" extern ServerOptions options; extern Buffer loginmsg; extern int compat20; extern u_int utmp_len; +/* so we don't silently change behaviour */ #ifdef USE_POSIX_THREADS +# error "USE_POSIX_THREADS replaced by UNSUPPORTED_POSIX_THREADS_HACK" +#endif + +/* + * Formerly known as USE_POSIX_THREADS, using this is completely unsupported + * and generally a bad idea. Use at own risk and do not expect support if + * this breaks. + */ +#ifdef UNSUPPORTED_POSIX_THREADS_HACK #include /* * Avoid namespace clash when *not* using pthreads for systems *with* @@ -98,7 +135,7 @@ struct pam_ctxt { static void sshpam_free_ctx(void *); static struct pam_ctxt *cleanup_ctxt; -#ifndef USE_POSIX_THREADS +#ifndef UNSUPPORTED_POSIX_THREADS_HACK /* * Simulate threads with processes. */ @@ -106,14 +143,14 @@ static struct pam_ctxt *cleanup_ctxt; static int sshpam_thread_status = -1; static mysig_t sshpam_oldsig; -static void +static void sshpam_sigchld_handler(int sig) { signal(SIGCHLD, SIG_DFL); if (cleanup_ctxt == NULL) return; /* handler called after PAM cleanup, shouldn't happen */ if (waitpid(cleanup_ctxt->pam_thread, &sshpam_thread_status, WNOHANG) - <= 0) { + <= 0) { /* PAM thread has not exitted, privsep slave must have */ kill(cleanup_ctxt->pam_thread, SIGTERM); if (waitpid(cleanup_ctxt->pam_thread, &sshpam_thread_status, 0) @@ -124,22 +161,25 @@ sshpam_sigchld_handler(int sig) WTERMSIG(sshpam_thread_status) == SIGTERM) return; /* terminated by pthread_cancel */ if (!WIFEXITED(sshpam_thread_status)) - fatal("PAM: authentication thread exited unexpectedly"); + sigdie("PAM: authentication thread exited unexpectedly"); if (WEXITSTATUS(sshpam_thread_status) != 0) - fatal("PAM: authentication thread exited uncleanly"); + sigdie("PAM: authentication thread exited uncleanly"); } +/* ARGSUSED */ static void -pthread_exit(void *value __unused) +pthread_exit(void *value) { _exit(0); } +/* ARGSUSED */ static int -pthread_create(sp_pthread_t *thread, const void *attr __unused, +pthread_create(sp_pthread_t *thread, const void *attr, void *(*thread_start)(void *), void *arg) { pid_t pid; + struct pam_ctxt *ctx = arg; sshpam_thread_status = -1; switch ((pid = fork())) { @@ -147,10 +187,14 @@ pthread_create(sp_pthread_t *thread, const void *attr __unused, error("fork(): %s", strerror(errno)); return (-1); case 0: + close(ctx->pam_psock); + ctx->pam_psock = -1; thread_start(arg); _exit(1); default: *thread = pid; + close(ctx->pam_csock); + ctx->pam_csock = -1; sshpam_oldsig = signal(SIGCHLD, sshpam_sigchld_handler); return (0); } @@ -163,8 +207,9 @@ pthread_cancel(sp_pthread_t thread) return (kill(thread, SIGTERM)); } +/* ARGSUSED */ static int -pthread_join(sp_pthread_t thread, void **value __unused) +pthread_join(sp_pthread_t thread, void **value) { int status; @@ -227,6 +272,49 @@ sshpam_chauthtok_ruid(pam_handle_t *pamh, int flags) # define pam_chauthtok(a,b) (sshpam_chauthtok_ruid((a), (b))) #endif +struct passwd * +sshpam_getpw(const char *user) +{ + struct passwd *pw; + + if ((pw = getpwnam(user)) != NULL) + return(pw); + + debug("PAM: faking passwd struct for user '%.100s'", user); + if ((pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) + return NULL; + pw->pw_name = xstrdup(user); /* XXX leak */ + pw->pw_shell = "/bin/true"; + pw->pw_gecos = "sshd fake PAM user"; + return (pw); +} + +void +sshpam_check_userchanged(void) +{ + int sshpam_err; + struct passwd *pw; + const char *user; + + debug("sshpam_check_userchanged"); + sshpam_err = pam_get_item(sshpam_handle, PAM_USER, &user); + if (sshpam_err != PAM_SUCCESS) + fatal("PAM: could not get PAM_USER: %s", + pam_strerror(sshpam_handle, sshpam_err)); + if (strcmp(user, sshpam_authctxt->pw->pw_name) != 0) { + debug("PAM: user mapped from '%.100s' to '%.100s'", + sshpam_authctxt->pw->pw_name, user); + if ((pw = getpwnam(user)) == NULL) + fatal("PAM: could not get passwd entry for user " + "'%.100s' provided by PAM_USER", user); + pwfree(sshpam_authctxt->pw); + sshpam_authctxt->pw = pw; + sshpam_authctxt->valid = allowed_user(pw); + debug("PAM: user '%.100s' now %svalid", user, + sshpam_authctxt->valid ? "" : "in"); + } +} + void sshpam_password_change_required(int reqd) { @@ -249,20 +337,32 @@ sshpam_password_change_required(int reqd) static void import_environments(Buffer *b) { - char *env; + char *env, *user; u_int i, num_env; int err; debug3("PAM: %s entering", __func__); -#ifndef USE_POSIX_THREADS +#ifndef UNSUPPORTED_POSIX_THREADS_HACK /* Import variables set by do_pam_account */ sshpam_account_status = buffer_get_int(b); sshpam_password_change_required(buffer_get_int(b)); + if (options.permit_pam_user_change) { + user = buffer_get_string(b, NULL); + debug("PAM: got username '%.100s' from thread", user); + if ((err = pam_set_item(sshpam_handle, PAM_USER, user)) != PAM_SUCCESS) + fatal("PAM: failed to set PAM_USER: %s", + pam_strerror(sshpam_handle, err)); + pwfree(sshpam_authctxt->pw); + sshpam_authctxt->pw = pwcopy(sshpam_getpw(user)); + } /* Import environment from subprocess */ num_env = buffer_get_int(b); - sshpam_env = xmalloc((num_env + 1) * sizeof(*sshpam_env)); + if (num_env > 1024) + fatal("%s: received %u environment variables, expected <= 1024", + __func__, num_env); + sshpam_env = xcalloc(num_env + 1, sizeof(*sshpam_env)); debug3("PAM: num env strings %d", num_env); for(i = 0; i < num_env; i++) sshpam_env[i] = buffer_get_string(b, NULL); @@ -290,7 +390,7 @@ import_environments(Buffer *b) * Conversation function for authentication thread. */ static int -sshpam_thread_conv(int n, struct pam_message **msg, +sshpam_thread_conv(int n, sshpam_const struct pam_message **msg, struct pam_response **resp, void *data) { Buffer buffer; @@ -309,9 +409,8 @@ sshpam_thread_conv(int n, struct pam_message **msg, if (n <= 0 || n > PAM_MAX_NUM_MSG) return (PAM_CONV_ERR); - if ((reply = malloc(n * sizeof(*reply))) == NULL) + if ((reply = calloc(n, sizeof(*reply))) == NULL) return (PAM_CONV_ERR); - memset(reply, 0, n * sizeof(*reply)); buffer_init(&buffer); for (i = 0; i < n; ++i) { @@ -384,14 +483,22 @@ sshpam_thread(void *ctxtp) struct pam_conv sshpam_conv; int flags = (options.permit_empty_passwd == 0 ? PAM_DISALLOW_NULL_AUTHTOK : 0); -#ifndef USE_POSIX_THREADS +#ifndef UNSUPPORTED_POSIX_THREADS_HACK extern char **environ; char **env_from_pam; u_int i; const char *pam_user; + const char **ptr_pam_user = &pam_user; + char *tz = getenv("TZ"); + + pam_get_item(sshpam_handle, PAM_USER, + (sshpam_const void **)ptr_pam_user); - pam_get_item(sshpam_handle, PAM_USER, (void **)&pam_user); environ[0] = NULL; + if (tz != NULL) + if (setenv("TZ", tz, 1) == -1) + error("PAM: could not set TZ environment: %s", + strerror(errno)); if (sshpam_authctxt != NULL) { setproctitle("%s [pam]", @@ -414,9 +521,14 @@ sshpam_thread(void *ctxtp) if (sshpam_err != PAM_SUCCESS) goto auth_fail; + if (options.permit_pam_user_change) { + sshpam_check_userchanged(); + } if (compat20) { - if (!do_pam_account()) + if (!do_pam_account()) { + sshpam_err = PAM_ACCT_EXPIRED; goto auth_fail; + } if (sshpam_authctxt->force_pwchange) { sshpam_err = pam_chauthtok(sshpam_handle, PAM_CHANGE_EXPIRED_AUTHTOK); @@ -428,10 +540,13 @@ sshpam_thread(void *ctxtp) buffer_put_cstring(&buffer, "OK"); -#ifndef USE_POSIX_THREADS +#ifndef UNSUPPORTED_POSIX_THREADS_HACK /* Export variables set by do_pam_account */ buffer_put_int(&buffer, sshpam_account_status); buffer_put_int(&buffer, sshpam_authctxt->force_pwchange); + if (options.permit_pam_user_change) { + buffer_put_cstring(&buffer, sshpam_authctxt->pw->pw_name); + } /* Export any environment strings set in child */ for(i = 0; environ[i] != NULL; i++) @@ -447,7 +562,7 @@ sshpam_thread(void *ctxtp) buffer_put_int(&buffer, i); for(i = 0; env_from_pam != NULL && env_from_pam[i] != NULL; i++) buffer_put_cstring(&buffer, env_from_pam[i]); -#endif /* USE_POSIX_THREADS */ +#endif /* UNSUPPORTED_POSIX_THREADS_HACK */ /* XXX - can't do much about an error here */ ssh_msg_send(ctxt->pam_csock, sshpam_err, &buffer); @@ -458,7 +573,10 @@ sshpam_thread(void *ctxtp) buffer_put_cstring(&buffer, pam_strerror(sshpam_handle, sshpam_err)); /* XXX - can't do much about an error here */ - ssh_msg_send(ctxt->pam_csock, PAM_AUTH_ERR, &buffer); + if (sshpam_err == PAM_ACCT_EXPIRED) + ssh_msg_send(ctxt->pam_csock, PAM_ACCT_EXPIRED, &buffer); + else + ssh_msg_send(ctxt->pam_csock, PAM_AUTH_ERR, &buffer); buffer_free(&buffer); pthread_exit(NULL); @@ -482,7 +600,7 @@ sshpam_thread_cleanup(void) } static int -sshpam_null_conv(int n, struct pam_message **msg, +sshpam_null_conv(int n, sshpam_const struct pam_message **msg, struct pam_response **resp, void *data) { debug3("PAM: %s entering, %d messages", __func__, n); @@ -492,7 +610,7 @@ sshpam_null_conv(int n, struct pam_message **msg, static struct pam_conv null_conv = { sshpam_null_conv, NULL }; static int -sshpam_store_conv(int n, struct pam_message **msg, +sshpam_store_conv(int n, sshpam_const struct pam_message **msg, struct pam_response **resp, void *data) { struct pam_response *reply; @@ -505,9 +623,8 @@ sshpam_store_conv(int n, struct pam_message **msg, if (n <= 0 || n > PAM_MAX_NUM_MSG) return (PAM_CONV_ERR); - if ((reply = malloc(n * sizeof(*reply))) == NULL) + if ((reply = calloc(n, sizeof(*reply))) == NULL) return (PAM_CONV_ERR); - memset(reply, 0, n * sizeof(*reply)); for (i = 0; i < n; ++i) { switch (PAM_MSG_MEMBER(msg, i, msg_style)) { @@ -539,18 +656,20 @@ static struct pam_conv store_conv = { sshpam_store_conv, NULL }; void sshpam_cleanup(void) { - debug("PAM: cleanup"); - if (sshpam_handle == NULL) + if (sshpam_handle == NULL || (use_privsep && !mm_is_monitor())) return; + debug("PAM: cleanup"); pam_set_item(sshpam_handle, PAM_CONV, (const void *)&null_conv); - if (sshpam_cred_established) { - pam_setcred(sshpam_handle, PAM_DELETE_CRED); - sshpam_cred_established = 0; - } if (sshpam_session_open) { + debug("PAM: closing session"); pam_close_session(sshpam_handle, PAM_SILENT); sshpam_session_open = 0; } + if (sshpam_cred_established) { + debug("PAM: deleting credentials"); + pam_setcred(sshpam_handle, PAM_DELETE_CRED); + sshpam_cred_established = 0; + } sshpam_authenticated = 0; pam_end(sshpam_handle, sshpam_err); sshpam_handle = NULL; @@ -561,11 +680,12 @@ sshpam_init(Authctxt *authctxt) { extern char *__progname; const char *pam_rhost, *pam_user, *user = authctxt->user; + const char **ptr_pam_user = &pam_user; if (sshpam_handle != NULL) { /* We already have a PAM context; check if the user matches */ sshpam_err = pam_get_item(sshpam_handle, - PAM_USER, (void **)&pam_user); + PAM_USER, (sshpam_const void **)ptr_pam_user); if (sshpam_err == PAM_SUCCESS && strcmp(user, pam_user) == 0) return (0); pam_end(sshpam_handle, sshpam_err); @@ -613,8 +733,11 @@ sshpam_init_ctx(Authctxt *authctxt) int socks[2]; debug3("PAM: %s entering", __func__); - /* Refuse to start if we don't have PAM enabled */ - if (!options.use_pam) + /* + * Refuse to start if we don't have PAM enabled or do_pam_account + * has previously failed. + */ + if (!options.use_pam || sshpam_account_status == 0) return NULL; /* Initialize PAM */ @@ -623,8 +746,7 @@ sshpam_init_ctx(Authctxt *authctxt) return (NULL); } - ctxt = xmalloc(sizeof *ctxt); - memset(ctxt, 0, sizeof(*ctxt)); + ctxt = xcalloc(1, sizeof *ctxt); /* Start the authentication thread */ if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC, socks) == -1) { @@ -674,7 +796,7 @@ sshpam_query(void *ctx, char **name, char **info, case PAM_PROMPT_ECHO_OFF: *num = 1; len = plen + mlen + 1; - **prompts = xrealloc(**prompts, len); + **prompts = xrealloc(**prompts, 1, len); strlcpy(**prompts + plen, msg, len - plen); plen += mlen; **echo_on = (type == PAM_PROMPT_ECHO_ON); @@ -684,15 +806,29 @@ sshpam_query(void *ctx, char **name, char **info, case PAM_TEXT_INFO: /* accumulate messages */ len = plen + mlen + 2; - **prompts = xrealloc(**prompts, len); + **prompts = xrealloc(**prompts, 1, len); strlcpy(**prompts + plen, msg, len - plen); plen += mlen; strlcat(**prompts + plen, "\n", len - plen); plen++; xfree(msg); break; - case PAM_SUCCESS: + case PAM_ACCT_EXPIRED: + sshpam_account_status = 0; + /* FALLTHROUGH */ case PAM_AUTH_ERR: + debug3("PAM: %s", pam_strerror(sshpam_handle, type)); + if (**prompts != NULL && strlen(**prompts) != 0) { + *info = **prompts; + **prompts = NULL; + *num = 0; + **echo_on = 0; + ctxt->pam_done = -1; + xfree(msg); + return 0; + } + /* FALLTHROUGH */ + case PAM_SUCCESS: if (**prompts != NULL) { /* drain any accumulated messages */ debug("PAM: %s", **prompts); @@ -738,7 +874,7 @@ sshpam_respond(void *ctx, u_int num, char **resp) Buffer buffer; struct pam_ctxt *ctxt = ctx; - debug2("PAM: %s entering, %d responses", __func__, num); + debug2("PAM: %s entering, %u responses", __func__, num); switch (ctxt->pam_done) { case 1: sshpam_authenticated = 1; @@ -755,7 +891,7 @@ sshpam_respond(void *ctx, u_int num, char **resp) buffer_init(&buffer); if (sshpam_authctxt->valid && (sshpam_authctxt->pw->pw_uid != 0 || - options.permit_root_login == PERMIT_YES)) + options.permit_root_login == PERMIT_YES)) buffer_put_cstring(&buffer, *resp); else buffer_put_cstring(&buffer, badpw); @@ -828,7 +964,13 @@ do_pam_account(void) sshpam_err = pam_acct_mgmt(sshpam_handle, 0); debug3("PAM: %s pam_acct_mgmt = %d (%s)", __func__, sshpam_err, pam_strerror(sshpam_handle, sshpam_err)); - + + if (options.permit_pam_user_change) { + sshpam_check_userchanged(); + if (getpwnam(sshpam_authctxt->pw->pw_name) == NULL) + fatal("PAM: completed authentication but PAM account invalid"); + } + if (sshpam_err != PAM_SUCCESS && sshpam_err != PAM_NEW_AUTHTOK_REQD) { sshpam_account_status = 0; return (sshpam_account_status); @@ -881,7 +1023,7 @@ do_pam_setcred(int init) } static int -sshpam_tty_conv(int n, struct pam_message **msg, +sshpam_tty_conv(int n, sshpam_const struct pam_message **msg, struct pam_response **resp, void *data) { char input[PAM_MAX_MSG_SIZE]; @@ -895,9 +1037,8 @@ sshpam_tty_conv(int n, struct pam_message **msg, if (n <= 0 || n > PAM_MAX_NUM_MSG || !isatty(STDIN_FILENO)) return (PAM_CONV_ERR); - if ((reply = malloc(n * sizeof(*reply))) == NULL) + if ((reply = calloc(n, sizeof(*reply))) == NULL) return (PAM_CONV_ERR); - memset(reply, 0, n * sizeof(*reply)); for (i = 0; i < n; ++i) { switch (PAM_MSG_MEMBER(msg, i, msg_style)) { @@ -909,7 +1050,8 @@ sshpam_tty_conv(int n, struct pam_message **msg, break; case PAM_PROMPT_ECHO_ON: fprintf(stderr, "%s\n", PAM_MSG_MEMBER(msg, i, msg)); - fgets(input, sizeof input, stdin); + if (fgets(input, sizeof input, stdin) == NULL) + input[0] = '\0'; if ((reply[i].resp = strdup(input)) == NULL) goto fail; reply[i].resp_retcode = PAM_SUCCESS; @@ -1040,7 +1182,7 @@ free_pam_environment(char **env) * display. */ static int -sshpam_passwd_conv(int n, struct pam_message **msg, +sshpam_passwd_conv(int n, sshpam_const struct pam_message **msg, struct pam_response **resp, void *data) { struct pam_response *reply; @@ -1054,9 +1196,8 @@ sshpam_passwd_conv(int n, struct pam_message **msg, if (n <= 0 || n > PAM_MAX_NUM_MSG) return (PAM_CONV_ERR); - if ((reply = malloc(n * sizeof(*reply))) == NULL) + if ((reply = calloc(n, sizeof(*reply))) == NULL) return (PAM_CONV_ERR); - memset(reply, 0, n * sizeof(*reply)); for (i = 0; i < n; ++i) { switch (PAM_MSG_MEMBER(msg, i, msg_style)) { @@ -1086,7 +1227,7 @@ sshpam_passwd_conv(int n, struct pam_message **msg, *resp = reply; return (PAM_SUCCESS); - fail: + fail: for(i = 0; i < n; i++) { if (reply[i].resp != NULL) xfree(reply[i].resp); @@ -1119,7 +1260,7 @@ sshpam_auth_passwd(Authctxt *authctxt, const char *password) * information via timing (eg if the PAM config has a delay on fail). */ if (!authctxt->valid || (authctxt->pw->pw_uid == 0 && - options.permit_root_login != PERMIT_YES)) + options.permit_root_login != PERMIT_YES)) sshpam_password = badpw; sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, @@ -1129,11 +1270,14 @@ sshpam_auth_passwd(Authctxt *authctxt, const char *password) pam_strerror(sshpam_handle, sshpam_err)); sshpam_err = pam_authenticate(sshpam_handle, flags); + if (options.permit_pam_user_change) { + sshpam_check_userchanged(); + } sshpam_password = NULL; if (sshpam_err == PAM_SUCCESS && authctxt->valid) { debug("PAM: password authentication accepted for %.100s", authctxt->user); - return 1; + return 1; } else { debug("PAM: password authentication failed for %.100s: %s", authctxt->valid ? authctxt->user : "an illegal user",