auth2-pam.c

   1 #include "includes.h"
   2 RCSID("$Id$");
   3
   4 #ifdef USE_PAM
   5 #include <security/pam_appl.h>
   6
   7 #include "ssh.h"
   8 #include "ssh2.h"
   9 #include "auth.h"
  10 #include "auth-pam.h"
  11 #include "packet.h"
  12 #include "xmalloc.h"
  13 #include "dispatch.h"
  14 #include "log.h"
  15
  16 static int do_pam_conversation_kbd_int(int num_msg,
  17     const struct pam_message **msg, struct pam_response **resp,
  18     void *appdata_ptr);
  19 void input_userauth_info_response_pam(int type, int plen, void *ctxt);
  20
  21 struct {
  22         int finished, num_received, num_expected;
  23         int *prompts;
  24         struct pam_response *responses;
  25 } context_pam2 = {0, 0, 0, NULL};
  26
  27 static struct pam_conv conv2 = {
  28         do_pam_conversation_kbd_int,
  29         NULL,
  30 };
  31
  32 int
  33 auth2_pam(Authctxt *authctxt)
  34 {
  35         int retval = -1;
  36
  37         if (authctxt->user == NULL)
  38                 fatal("auth2_pam: internal error: no user");
  39
  40         conv2.appdata_ptr = authctxt;
  41         pam_set_conv(&conv2);
  42
  43         dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE,
  44             &input_userauth_info_response_pam);
  45         retval = (do_pam_authenticate(0) == PAM_SUCCESS);
  46         dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE, NULL);
  47
  48         return retval;
  49 }
  50
  51 static int
  52 do_pam_conversation_kbd_int(int num_msg, const struct pam_message **msg,
  53     struct pam_response **resp, void *appdata_ptr)
  54 {
  55         int i, j, done;
  56         char *text;
  57
  58         context_pam2.finished = 0;
  59         context_pam2.num_received = 0;
  60         context_pam2.num_expected = 0;
  61         context_pam2.prompts = xmalloc(sizeof(int) * num_msg);
  62         context_pam2.responses = xmalloc(sizeof(struct pam_response) * num_msg);
  63         memset(context_pam2.responses, 0, sizeof(struct pam_response) * num_msg);
  64
  65         text = NULL;
  66         for (i = 0, context_pam2.num_expected = 0; i < num_msg; i++) {
  67                 int style = PAM_MSG_MEMBER(msg, i, msg_style);
  68                 switch (style) {
  69                 case PAM_PROMPT_ECHO_ON:
  70                 case PAM_PROMPT_ECHO_OFF:
  71                         context_pam2.num_expected++;
  72                         break;
  73                 case PAM_TEXT_INFO:
  74                 case PAM_ERROR_MSG:
  75                 default:
  76                         /* Capture all these messages to be sent at once */
  77                         message_cat(&text, PAM_MSG_MEMBER(msg, i, msg));
  78                         break;
  79                 }
  80         }
  81
  82         if (context_pam2.num_expected == 0)
  83                 return PAM_SUCCESS;
  84
  85         packet_start(SSH2_MSG_USERAUTH_INFO_REQUEST);
  86         packet_put_cstring(""); /* Name */
  87         packet_put_cstring(""); /* Instructions */
  88         packet_put_cstring(""); /* Language */
  89         packet_put_int(context_pam2.num_expected);
  90
  91         for (i = 0, j = 0; i < num_msg; i++) {
  92                 int style = PAM_MSG_MEMBER(msg, i, msg_style);
  93
  94                 /* Skip messages which don't need a reply */
  95                 if (style != PAM_PROMPT_ECHO_ON && style != PAM_PROMPT_ECHO_OFF)
  96                         continue;
  97
  98                 context_pam2.prompts[j++] = i;
  99                 if (text) {
 100                         message_cat(&text, PAM_MSG_MEMBER(msg, i, msg));
 101                         packet_put_cstring(text);
 102                         text = NULL;
 103                 } else
 104                         packet_put_cstring(PAM_MSG_MEMBER(msg, i, msg));
 105                 packet_put_char(style == PAM_PROMPT_ECHO_ON);
 106         }
 107         packet_send();
 108         packet_write_wait();
 109
 110         /* Grabbing control of execution and spinning until we get what
 111          * we want is probably rude, but it seems to work properly, and
 112          * the client *should* be in lock-step with us, so the loop should
 113          * only be traversed once. */
 114         while(context_pam2.finished == 0) {
 115                 done = 1;
 116                 dispatch_run(DISPATCH_BLOCK, &done, appdata_ptr);
 117                 if(context_pam2.finished == 0)
 118                         debug("extra packet during conversation");
 119         }
 120
 121         if(context_pam2.num_received == context_pam2.num_expected) {
 122                 *resp = context_pam2.responses;
 123                 return PAM_SUCCESS;
 124         } else
 125                 return PAM_CONV_ERR;
 126 }
 127
 128 void
 129 input_userauth_info_response_pam(int type, int plen, void *ctxt)
 130 {
 131         Authctxt *authctxt = ctxt;
 132         unsigned int nresp = 0, rlen = 0, i = 0;
 133         char *resp;
 134
 135         if (authctxt == NULL)
 136                 fatal("input_userauth_info_response_pam: no authentication context");
 137
 138         if (authctxt->attempt++ >= AUTH_FAIL_MAX)
 139                 packet_disconnect("too many failed userauth_requests");
 140
 141         nresp = packet_get_int();       /* Number of responses. */
 142         debug("got %d responses", nresp);
 143
 144         for (i = 0; i < nresp; i++) {
 145                 int j = context_pam2.prompts[i];
 146
 147                 resp = packet_get_string(&rlen);
 148                 context_pam2.responses[j].resp_retcode = PAM_SUCCESS;
 149                 context_pam2.responses[j].resp = xstrdup(resp);
 150                 xfree(resp);
 151                 context_pam2.num_received++;
 152         }
 153
 154         context_pam2.finished = 1;
 155
 156         packet_done();
 157 }
 158
 159 #endif