X-Git-Url: http://andersk.mit.edu/gitweb/openssh.git/blobdiff_plain/4352744efeb46442c65a38beb92cb6fae415d55b..HEAD:/auth-pam.c diff --git a/auth-pam.c b/auth-pam.c index cb8754ec..675006e6 100644 --- a/auth-pam.c +++ b/auth-pam.c @@ -54,6 +54,9 @@ #include #include +#include +#include +#include #ifdef USE_PAM #if defined(HAVE_SECURITY_PAM_APPL_H) @@ -69,20 +72,31 @@ # define sshpam_const const /* LinuxPAM, OpenPAM */ #endif +/* Ambiguity in spec: is it an array of pointers or a pointer to an array? */ +#ifdef PAM_SUN_CODEBASE +# define PAM_MSG_MEMBER(msg, n, member) ((*(msg))[(n)].member) +#else +# define PAM_MSG_MEMBER(msg, n, member) ((msg)[(n)]->member) +#endif + +#include "xmalloc.h" +#include "buffer.h" +#include "key.h" +#include "hostfile.h" #include "auth.h" #include "auth-pam.h" -#include "buffer.h" -#include "bufaux.h" #include "canohost.h" #include "log.h" -#include "monitor_wrap.h" #include "msg.h" #include "packet.h" #include "misc.h" #include "servconf.h" #include "ssh2.h" -#include "xmalloc.h" #include "auth-options.h" +#ifdef GSSAPI +#include "ssh-gss.h" +#endif +#include "monitor_wrap.h" extern ServerOptions options; extern Buffer loginmsg; @@ -147,19 +161,21 @@ sshpam_sigchld_handler(int sig) WTERMSIG(sshpam_thread_status) == SIGTERM) return; /* terminated by pthread_cancel */ if (!WIFEXITED(sshpam_thread_status)) - fatal("PAM: authentication thread exited unexpectedly"); + sigdie("PAM: authentication thread exited unexpectedly"); if (WEXITSTATUS(sshpam_thread_status) != 0) - fatal("PAM: authentication thread exited uncleanly"); + sigdie("PAM: authentication thread exited uncleanly"); } +/* ARGSUSED */ static void -pthread_exit(void *value __unused) +pthread_exit(void *value) { _exit(0); } +/* ARGSUSED */ static int -pthread_create(sp_pthread_t *thread, const void *attr __unused, +pthread_create(sp_pthread_t *thread, const void *attr, void *(*thread_start)(void *), void *arg) { pid_t pid; @@ -191,8 +207,9 @@ pthread_cancel(sp_pthread_t thread) return (kill(thread, SIGTERM)); } +/* ARGSUSED */ static int -pthread_join(sp_pthread_t thread, void **value __unused) +pthread_join(sp_pthread_t thread, void **value) { int status; @@ -420,10 +437,16 @@ sshpam_thread(void *ctxtp) u_int i; const char *pam_user; const char **ptr_pam_user = &pam_user; + char *tz = getenv("TZ"); pam_get_item(sshpam_handle, PAM_USER, (sshpam_const void **)ptr_pam_user); + environ[0] = NULL; + if (tz != NULL) + if (setenv("TZ", tz, 1) == -1) + error("PAM: could not set TZ environment: %s", + strerror(errno)); if (sshpam_authctxt != NULL) { setproctitle("%s [pam]", @@ -575,18 +598,20 @@ static struct pam_conv store_conv = { sshpam_store_conv, NULL }; void sshpam_cleanup(void) { - debug("PAM: cleanup"); - if (sshpam_handle == NULL) + if (sshpam_handle == NULL || (use_privsep && !mm_is_monitor())) return; + debug("PAM: cleanup"); pam_set_item(sshpam_handle, PAM_CONV, (const void *)&null_conv); - if (sshpam_cred_established) { - pam_setcred(sshpam_handle, PAM_DELETE_CRED); - sshpam_cred_established = 0; - } if (sshpam_session_open) { + debug("PAM: closing session"); pam_close_session(sshpam_handle, PAM_SILENT); sshpam_session_open = 0; } + if (sshpam_cred_established) { + debug("PAM: deleting credentials"); + pam_setcred(sshpam_handle, PAM_DELETE_CRED); + sshpam_cred_established = 0; + } sshpam_authenticated = 0; pam_end(sshpam_handle, sshpam_err); sshpam_handle = NULL; @@ -663,8 +688,7 @@ sshpam_init_ctx(Authctxt *authctxt) return (NULL); } - ctxt = xmalloc(sizeof *ctxt); - memset(ctxt, 0, sizeof(*ctxt)); + ctxt = xcalloc(1, sizeof *ctxt); /* Start the authentication thread */ if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC, socks) == -1) { @@ -962,7 +986,8 @@ sshpam_tty_conv(int n, sshpam_const struct pam_message **msg, break; case PAM_PROMPT_ECHO_ON: fprintf(stderr, "%s\n", PAM_MSG_MEMBER(msg, i, msg)); - fgets(input, sizeof input, stdin); + if (fgets(input, sizeof input, stdin) == NULL) + input[0] = '\0'; if ((reply[i].resp = strdup(input)) == NULL) goto fail; reply[i].resp_retcode = PAM_SUCCESS; @@ -1107,9 +1132,8 @@ sshpam_passwd_conv(int n, sshpam_const struct pam_message **msg, if (n <= 0 || n > PAM_MAX_NUM_MSG) return (PAM_CONV_ERR); - if ((reply = malloc(n * sizeof(*reply))) == NULL) + if ((reply = calloc(n, sizeof(*reply))) == NULL) return (PAM_CONV_ERR); - memset(reply, 0, n * sizeof(*reply)); for (i = 0; i < n; ++i) { switch (PAM_MSG_MEMBER(msg, i, msg_style)) {