X-Git-Url: http://andersk.mit.edu/gitweb/openssh.git/blobdiff_plain/0943f13cae67861c0a0ad89a3a6bb452637f691f..9fa42d41556e6b9a31ca61e782f3c937e900e1fa:/auth-pam.c diff --git a/auth-pam.c b/auth-pam.c index 95930a93..e1b8e783 100644 --- a/auth-pam.c +++ b/auth-pam.c @@ -76,7 +76,17 @@ extern Buffer loginmsg; extern int compat20; extern u_int utmp_len; +/* so we don't silently change behaviour */ #ifdef USE_POSIX_THREADS +# error "USE_POSIX_THREADS replaced by UNSUPPORTED_POSIX_THREADS_HACK" +#endif + +/* + * Formerly known as USE_POSIX_THREADS, using this is completely unsupported + * and generally a bad idea. Use at own risk and do not expect support if + * this breaks. + */ +#ifdef UNSUPPORTED_POSIX_THREADS_HACK #include /* * Avoid namespace clash when *not* using pthreads for systems *with* @@ -98,7 +108,7 @@ struct pam_ctxt { static void sshpam_free_ctx(void *); static struct pam_ctxt *cleanup_ctxt; -#ifndef USE_POSIX_THREADS +#ifndef UNSUPPORTED_POSIX_THREADS_HACK /* * Simulate threads with processes. */ @@ -113,11 +123,11 @@ sshpam_sigchld_handler(int sig) if (cleanup_ctxt == NULL) return; /* handler called after PAM cleanup, shouldn't happen */ if (waitpid(cleanup_ctxt->pam_thread, &sshpam_thread_status, WNOHANG) - == -1) { + <= 0) { /* PAM thread has not exitted, privsep slave must have */ kill(cleanup_ctxt->pam_thread, SIGTERM); if (waitpid(cleanup_ctxt->pam_thread, &sshpam_thread_status, 0) - == -1) + <= 0) return; /* could not wait */ } if (WIFSIGNALED(sshpam_thread_status) && @@ -186,6 +196,7 @@ static int sshpam_account_status = -1; static char **sshpam_env = NULL; static Authctxt *sshpam_authctxt = NULL; static const char *sshpam_password = NULL; +static char badpw[] = "\b\n\r\177INCORRECT"; /* Some PAM implementations don't implement this */ #ifndef HAVE_PAM_GETENVLIST @@ -201,6 +212,31 @@ pam_getenvlist(pam_handle_t *pamh) } #endif +/* + * Some platforms, notably Solaris, do not enforce password complexity + * rules during pam_chauthtok() if the real uid of the calling process + * is 0, on the assumption that it's being called by "passwd" run by root. + * This wraps pam_chauthtok and sets/restore the real uid so PAM will do + * the right thing. + */ +#ifdef SSHPAM_CHAUTHTOK_NEEDS_RUID +static int +sshpam_chauthtok_ruid(pam_handle_t *pamh, int flags) +{ + int result; + + if (sshpam_authctxt == NULL) + fatal("PAM: sshpam_authctxt not initialized"); + if (setreuid(sshpam_authctxt->pw->pw_uid, -1) == -1) + fatal("%s: setreuid failed: %s", __func__, strerror(errno)); + result = pam_chauthtok(pamh, flags); + if (setreuid(0, -1) == -1) + fatal("%s: setreuid failed: %s", __func__, strerror(errno)); + return result; +} +# define pam_chauthtok(a,b) (sshpam_chauthtok_ruid((a), (b))) +#endif + void sshpam_password_change_required(int reqd) { @@ -229,7 +265,7 @@ import_environments(Buffer *b) debug3("PAM: %s entering", __func__); -#ifndef USE_POSIX_THREADS +#ifndef UNSUPPORTED_POSIX_THREADS_HACK /* Import variables set by do_pam_account */ sshpam_account_status = buffer_get_int(b); sshpam_password_change_required(buffer_get_int(b)); @@ -356,15 +392,21 @@ sshpam_thread(void *ctxtp) struct pam_ctxt *ctxt = ctxtp; Buffer buffer; struct pam_conv sshpam_conv; -#ifndef USE_POSIX_THREADS + int flags = (options.permit_empty_passwd == 0 ? + PAM_DISALLOW_NULL_AUTHTOK : 0); +#ifndef UNSUPPORTED_POSIX_THREADS_HACK extern char **environ; char **env_from_pam; u_int i; const char *pam_user; pam_get_item(sshpam_handle, PAM_USER, (void **)&pam_user); - setproctitle("%s [pam]", pam_user); environ[0] = NULL; + + if (sshpam_authctxt != NULL) { + setproctitle("%s [pam]", + sshpam_authctxt->valid ? pam_user : "unknown"); + } #endif sshpam_conv.conv = sshpam_thread_conv; @@ -378,7 +420,7 @@ sshpam_thread(void *ctxtp) (const void *)&sshpam_conv); if (sshpam_err != PAM_SUCCESS) goto auth_fail; - sshpam_err = pam_authenticate(sshpam_handle, 0); + sshpam_err = pam_authenticate(sshpam_handle, flags); if (sshpam_err != PAM_SUCCESS) goto auth_fail; @@ -396,7 +438,7 @@ sshpam_thread(void *ctxtp) buffer_put_cstring(&buffer, "OK"); -#ifndef USE_POSIX_THREADS +#ifndef UNSUPPORTED_POSIX_THREADS_HACK /* Export variables set by do_pam_account */ buffer_put_int(&buffer, sshpam_account_status); buffer_put_int(&buffer, sshpam_authctxt->force_pwchange); @@ -415,7 +457,7 @@ sshpam_thread(void *ctxtp) buffer_put_int(&buffer, i); for(i = 0; env_from_pam != NULL && env_from_pam[i] != NULL; i++) buffer_put_cstring(&buffer, env_from_pam[i]); -#endif /* USE_POSIX_THREADS */ +#endif /* UNSUPPORTED_POSIX_THREADS_HACK */ /* XXX - can't do much about an error here */ ssh_msg_send(ctxt->pam_csock, sshpam_err, &buffer); @@ -459,6 +501,51 @@ sshpam_null_conv(int n, struct pam_message **msg, static struct pam_conv null_conv = { sshpam_null_conv, NULL }; +static int +sshpam_store_conv(int n, struct pam_message **msg, + struct pam_response **resp, void *data) +{ + struct pam_response *reply; + int i; + size_t len; + + debug3("PAM: %s called with %d messages", __func__, n); + *resp = NULL; + + if (n <= 0 || n > PAM_MAX_NUM_MSG) + return (PAM_CONV_ERR); + + if ((reply = malloc(n * sizeof(*reply))) == NULL) + return (PAM_CONV_ERR); + memset(reply, 0, n * sizeof(*reply)); + + for (i = 0; i < n; ++i) { + switch (PAM_MSG_MEMBER(msg, i, msg_style)) { + case PAM_ERROR_MSG: + case PAM_TEXT_INFO: + len = strlen(PAM_MSG_MEMBER(msg, i, msg)); + buffer_append(&loginmsg, PAM_MSG_MEMBER(msg, i, msg), len); + buffer_append(&loginmsg, "\n", 1 ); + reply[i].resp_retcode = PAM_SUCCESS; + break; + default: + goto fail; + } + } + *resp = reply; + return (PAM_SUCCESS); + + fail: + for(i = 0; i < n; i++) { + if (reply[i].resp != NULL) + xfree(reply[i].resp); + } + xfree(reply); + return (PAM_CONV_ERR); +} + +static struct pam_conv store_conv = { sshpam_store_conv, NULL }; + void sshpam_cleanup(void) { @@ -496,7 +583,7 @@ sshpam_init(Authctxt *authctxt) } debug("PAM: initializing for \"%s\"", user); sshpam_err = - pam_start(SSHD_PAM_SERVICE, user, &null_conv, &sshpam_handle); + pam_start(SSHD_PAM_SERVICE, user, &store_conv, &sshpam_handle); sshpam_authctxt = authctxt; if (sshpam_err != PAM_SUCCESS) { @@ -578,7 +665,7 @@ sshpam_query(void *ctx, char **name, char **info, size_t plen; u_char type; char *msg; - size_t len; + size_t len, mlen; debug3("PAM: %s entering", __func__); buffer_init(&buffer); @@ -591,22 +678,27 @@ sshpam_query(void *ctx, char **name, char **info, while (ssh_msg_recv(ctxt->pam_psock, &buffer) == 0) { type = buffer_get_char(&buffer); msg = buffer_get_string(&buffer, NULL); + mlen = strlen(msg); switch (type) { case PAM_PROMPT_ECHO_ON: case PAM_PROMPT_ECHO_OFF: *num = 1; - len = plen + strlen(msg) + 1; + len = plen + mlen + 1; **prompts = xrealloc(**prompts, len); - plen += snprintf(**prompts + plen, len, "%s", msg); + strlcpy(**prompts + plen, msg, len - plen); + plen += mlen; **echo_on = (type == PAM_PROMPT_ECHO_ON); xfree(msg); return (0); case PAM_ERROR_MSG: case PAM_TEXT_INFO: /* accumulate messages */ - len = plen + strlen(msg) + 2; + len = plen + mlen + 2; **prompts = xrealloc(**prompts, len); - plen += snprintf(**prompts + plen, len, "%s\n", msg); + strlcpy(**prompts + plen, msg, len - plen); + plen += mlen; + strlcat(**prompts + plen, "\n", len - plen); + plen++; xfree(msg); break; case PAM_SUCCESS: @@ -620,6 +712,12 @@ sshpam_query(void *ctx, char **name, char **info, **prompts = NULL; } if (type == PAM_SUCCESS) { + if (!sshpam_authctxt->valid || + (sshpam_authctxt->pw->pw_uid == 0 && + options.permit_root_login != PERMIT_YES)) + fatal("Internal error: PAM auth " + "succeeded when it should have " + "failed"); import_environments(&buffer); *num = 0; **echo_on = 0; @@ -665,7 +763,12 @@ sshpam_respond(void *ctx, u_int num, char **resp) return (-1); } buffer_init(&buffer); - buffer_put_cstring(&buffer, *resp); + if (sshpam_authctxt->valid && + (sshpam_authctxt->pw->pw_uid != 0 || + options.permit_root_login == PERMIT_YES)) + buffer_put_cstring(&buffer, *resp); + else + buffer_put_cstring(&buffer, badpw); if (ssh_msg_send(ctxt->pam_psock, PAM_AUTHTOK, &buffer) == -1) { buffer_free(&buffer); return (-1); @@ -728,11 +831,13 @@ finish_pam(void) u_int do_pam_account(void) { + debug("%s: called", __func__); if (sshpam_account_status != -1) return (sshpam_account_status); sshpam_err = pam_acct_mgmt(sshpam_handle, 0); - debug3("PAM: %s pam_acct_mgmt = %d", __func__, sshpam_err); + debug3("PAM: %s pam_acct_mgmt = %d (%s)", __func__, sshpam_err, + pam_strerror(sshpam_handle, sshpam_err)); if (sshpam_err != PAM_SUCCESS && sshpam_err != PAM_NEW_AUTHTOK_REQD) { sshpam_account_status = 0; @@ -762,7 +867,7 @@ void do_pam_setcred(int init) { sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, - (const void *)&null_conv); + (const void *)&store_conv); if (sshpam_err != PAM_SUCCESS) fatal("PAM: failed to set PAM_CONV: %s", pam_strerror(sshpam_handle, sshpam_err)); @@ -815,7 +920,8 @@ sshpam_tty_conv(int n, struct pam_message **msg, case PAM_PROMPT_ECHO_ON: fprintf(stderr, "%s\n", PAM_MSG_MEMBER(msg, i, msg)); fgets(input, sizeof input, stdin); - reply[i].resp = xstrdup(input); + if ((reply[i].resp = strdup(input)) == NULL) + goto fail; reply[i].resp_retcode = PAM_SUCCESS; break; case PAM_ERROR_MSG: @@ -862,51 +968,6 @@ do_pam_chauthtok(void) pam_strerror(sshpam_handle, sshpam_err)); } -static int -sshpam_store_conv(int n, struct pam_message **msg, - struct pam_response **resp, void *data) -{ - struct pam_response *reply; - int i; - size_t len; - - debug3("PAM: %s called with %d messages", __func__, n); - *resp = NULL; - - if (n <= 0 || n > PAM_MAX_NUM_MSG) - return (PAM_CONV_ERR); - - if ((reply = malloc(n * sizeof(*reply))) == NULL) - return (PAM_CONV_ERR); - memset(reply, 0, n * sizeof(*reply)); - - for (i = 0; i < n; ++i) { - switch (PAM_MSG_MEMBER(msg, i, msg_style)) { - case PAM_ERROR_MSG: - case PAM_TEXT_INFO: - len = strlen(PAM_MSG_MEMBER(msg, i, msg)); - buffer_append(&loginmsg, PAM_MSG_MEMBER(msg, i, msg), len); - buffer_append(&loginmsg, "\n", 1 ); - reply[i].resp_retcode = PAM_SUCCESS; - break; - default: - goto fail; - } - } - *resp = reply; - return (PAM_SUCCESS); - - fail: - for(i = 0; i < n; i++) { - if (reply[i].resp != NULL) - xfree(reply[i].resp); - } - xfree(reply); - return (PAM_CONV_ERR); -} - -static struct pam_conv store_conv = { sshpam_store_conv, NULL }; - void do_pam_session(void) { @@ -917,10 +978,21 @@ do_pam_session(void) fatal("PAM: failed to set PAM_CONV: %s", pam_strerror(sshpam_handle, sshpam_err)); sshpam_err = pam_open_session(sshpam_handle, 0); - if (sshpam_err != PAM_SUCCESS) - fatal("PAM: pam_open_session(): %s", + if (sshpam_err == PAM_SUCCESS) + sshpam_session_open = 1; + else { + sshpam_session_open = 0; + disable_forwarding(); + error("PAM: pam_open_session(): %s", pam_strerror(sshpam_handle, sshpam_err)); - sshpam_session_open = 1; + } + +} + +int +is_pam_session_open(void) +{ + return sshpam_session_open; } /* @@ -1001,7 +1073,8 @@ sshpam_passwd_conv(int n, struct pam_message **msg, case PAM_PROMPT_ECHO_OFF: if (sshpam_password == NULL) goto fail; - reply[i].resp = xstrdup(sshpam_password); + if ((reply[i].resp = strdup(sshpam_password)) == NULL) + goto fail; reply[i].resp_retcode = PAM_SUCCESS; break; case PAM_ERROR_MSG: @@ -1012,7 +1085,8 @@ sshpam_passwd_conv(int n, struct pam_message **msg, PAM_MSG_MEMBER(msg, i, msg), len); buffer_append(&loginmsg, "\n", 1); } - reply[i].resp = xstrdup(""); + if ((reply[i].resp = strdup("")) == NULL) + goto fail; reply[i].resp_retcode = PAM_SUCCESS; break; default: @@ -1041,7 +1115,6 @@ sshpam_auth_passwd(Authctxt *authctxt, const char *password) { int flags = (options.permit_empty_passwd == 0 ? PAM_DISALLOW_NULL_AUTHTOK : 0); - static char badpw[] = "\b\n\r\177INCORRECT"; if (!options.use_pam || sshpam_handle == NULL) fatal("PAM: %s called when PAM disabled or failed to "