- (djm) Make privsep work with PAM (still experimental)
authordjm <djm>
Tue, 23 Apr 2002 10:28:48 +0000 (10:28 +0000)
committerdjm <djm>
Tue, 23 Apr 2002 10:28:48 +0000 (10:28 +0000)
ChangeLog
auth-pam.c
auth1.c
auth2.c
monitor.c
monitor.h
monitor_wrap.c
monitor_wrap.h

index f0165b93c112538ced00e0c9782896928e7460e6..4d85273f401b86017c41acfe3ab9c0453a087bfb 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,7 @@
 20020423
  - (djm) Bug #222: Fix tests for getaddrinfo on OSF/1. Spotted by
    Robert Urban <urban@spielwiese.de>
+ - (djm) Make privsep work with PAM (still experimental)
 
 20020421
  - (tim) [entropy.c.] Portability fix for SCO Unix 3.2v4.x (SCO OSR 3.0).
index 0740fcef22139953bfacbc36dcd10845c7b7e155..9459637b4b1c8c45c0c065708d9885f6516e1d61 100644 (file)
@@ -249,6 +249,7 @@ int do_pam_account(char *username, char *remote_user)
        }
 
        pam_retval = pam_acct_mgmt(__pamh, 0);
+       debug2("pam_acct_mgmt() = %d", pam_retval);
        switch (pam_retval) {
                case PAM_SUCCESS:
                        /* This is what we want */
diff --git a/auth1.c b/auth1.c
index c2a8936aebca76656c3590d454e0ffa7959f75b7..1f6fcb29b9a921f134c257d6a0005b0be44c2274 100644 (file)
--- a/auth1.c
+++ b/auth1.c
@@ -306,7 +306,8 @@ do_authloop(Authctxt *authctxt)
                        authenticated = 0;
 #endif
 #ifdef USE_PAM
-               if (authenticated && !do_pam_account(pw->pw_name, client_user))
+               if (!use_privsep && authenticated && 
+                   !do_pam_account(pw->pw_name, client_user))
                        authenticated = 0;
 #endif
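Review bot: The new `!use_privsep` guard moves the account check into the monitor, but the monitor-side call added in monitor_child_preauth() passes NULL where this path passed `client_user`, so whatever do_pam_account() does with its remote_user argument (its body is not visible here) no longer happens for SSH1 rhosts-rsa when privsep is on. Either ship the client user name to the monitor or record the difference; at minimum a comment here makes the hand-off findable: `/* under privsep the monitor runs do_pam_account() in monitor_child_preauth() */`. The added `authenticated &&` line also carries trailing whitespace. do_authloop() continues outside the hunk.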
 
@@ -381,7 +382,7 @@ do_authentication(void)
            use_privsep ? " [net]" : "");
 
 #ifdef USE_PAM
-       start_pam(authctxt->pw == NULL ? "NOUSER" : user);
+       PRIVSEP(start_pam(authctxt->pw == NULL ? "NOUSER" : user));
 #endif
 
        /*
diff --git a/auth2.c b/auth2.c
index eadaa7135a0ec86620487a91333a05a0080f9000..4c18d232d9c5ffe7e1138364392cc4ebe3014769 100644 (file)
--- a/auth2.c
+++ b/auth2.c
@@ -189,12 +189,12 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
                        authctxt->valid = 1;
                        debug2("input_userauth_request: setting up authctxt for %s", user);
 #ifdef USE_PAM
-                       start_pam(authctxt->pw->pw_name);
+                       PRIVSEP(start_pam(authctxt->pw->pw_name));
 #endif
                } else {
                        log("input_userauth_request: illegal user %s", user);
 #ifdef USE_PAM
-                       start_pam("NOUSER");
+                       PRIVSEP(start_pam("NOUSER"));
 #endif
                }
                setproctitle("%s%s", authctxt->pw ? user : "unknown",
@@ -242,8 +242,8 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
                authenticated = 0;
 
 #ifdef USE_PAM
-       if (authenticated && authctxt->user && !do_pam_account(authctxt->user,
-           NULL))
+       if (!use_privsep && authenticated && authctxt->user && 
+           !do_pam_account(authctxt->user, NULL))
                authenticated = 0;
 #endif /* USE_PAM */
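Review bot: Nothing at this site says where the PAM account check went when `use_privsep` is set, and a reader of this file alone will conclude it is skipped entirely; suggest `/* privsep: do_pam_account() is run by the monitor in monitor_child_preauth() */` above the `if`. The `authctxt->user &&` line keeps a trailing space. userauth_finish() continues outside the hunk.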
 
index b66dc2a16da8eebaffae62d3af8da4ff2e46c689..01adabe38381f8cc2432d994acda0ad018ef5e0d 100644 (file)
--- a/monitor.c
+++ b/monitor.c
@@ -113,6 +113,10 @@ int mm_answer_rsa_response(int, Buffer *);
 int mm_answer_sesskey(int, Buffer *);
 int mm_answer_sessid(int, Buffer *);
 
+#ifdef USE_PAM
+int mm_answer_pam_start(int, Buffer *);
+#endif
+
 static Authctxt *authctxt;
 static BIGNUM *ssh1_challenge = NULL;  /* used for ssh1 rsa auth */
 
@@ -143,8 +147,9 @@ struct mon_table mon_dispatch_proto20[] = {
     {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
     {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
     {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
-#if !defined(USE_PAM)
     {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
+#ifdef USE_PAM
+    {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start},
 #endif
 #ifdef BSD_AUTH
     {MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
@@ -172,9 +177,7 @@ struct mon_table mon_dispatch_proto15[] = {
     {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
     {MONITOR_REQ_SESSKEY, MON_ONCE, mm_answer_sesskey},
     {MONITOR_REQ_SESSID, MON_ONCE, mm_answer_sessid},
-#if !defined(USE_PAM)
     {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
-#endif
     {MONITOR_REQ_RSAKEYALLOWED, MON_ISAUTH, mm_answer_rsa_keyallowed},
     {MONITOR_REQ_KEYALLOWED, MON_ISAUTH, mm_answer_keyallowed},
     {MONITOR_REQ_RSACHALLENGE, MON_ONCE, mm_answer_rsa_challenge},
@@ -260,6 +263,10 @@ monitor_child_preauth(struct monitor *monitor)
                        if (authctxt->pw->pw_uid == 0 &&
                            !auth_root_allowed(auth_method))
                                authenticated = 0;
+#ifdef USE_PAM
+                       if (!do_pam_account(authctxt->pw->pw_name, NULL))
+                               authenticated = 0;
+#endif
                }
 
                if (ent->flags & MON_AUTHDECIDE) {
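Review bot: The added do_pam_account() call assumes the monitor's PAM handle was started by an earlier MONITOR_REQ_PAM_START, but that request is merely permitted (MON_ONCE), not required, so a child that never sends it reaches pam_acct_mgmt() on whatever state start_pam() left unset; how do_pam_account() behaves on an unstarted handle is not visible here. A monitor-side flag set in mm_answer_pam_start() and checked here, e.g. `if (!pam_started || !do_pam_account(authctxt->pw->pw_name, NULL))`, would make the dependency explicit and fail closed. Note also that `remote_user` is NULL here whereas the SSH1 path it replaces passed `client_user`. monitor_child_preauth() continues outside the hunk.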
@@ -457,6 +464,9 @@ mm_answer_sign(int socket, Buffer *m)
        /* Turn on permissions for getpwnam */
        monitor_permit(mon_dispatch, MONITOR_REQ_PWNAM, 1);
 
+#ifdef USE_PAM
+       monitor_permit(mon_dispatch, MONITOR_REQ_PAM_START, 1);
+#endif
        return (0);
 }
 
@@ -537,7 +547,6 @@ mm_answer_authserv(int socket, Buffer *m)
        return (0);
 }
 
-#if !defined(USE_PAM)
 int
 mm_answer_authpassword(int socket, Buffer *m)
 {
@@ -566,7 +575,6 @@ mm_answer_authpassword(int socket, Buffer *m)
        /* Causes monitor loop to terminate if authenticated */
        return (authenticated);
 }
-#endif
 
 #ifdef BSD_AUTH
 int
@@ -673,6 +681,22 @@ mm_answer_skeyrespond(int socket, Buffer *m)
 }
 #endif
 
+#ifdef USE_PAM
+int
+mm_answer_pam_start(int socket, Buffer *m)
+{
+       char *user;
+       
+       user = buffer_get_string(m, NULL);
+
+       start_pam(user);
+
+       xfree(user);
+
+       return (0);
+}
+#endif
+
 static void
 mm_append_debug(Buffer *m)
 {
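Review bot: mm_answer_pam_start() starts PAM for whatever user name the unprivileged child puts on the wire, although the monitor already knows the authenticating user from MONITOR_REQ_PWNAM (the file-scope `authctxt` at the top of this file). A compromised child can therefore send a different account name than the one monitor_child_preauth() later passes to do_pam_account(), and since pam_acct_mgmt() operates on the handle rather than on that argument (presumably; auth-pam.c is only partly visible), the account restrictions checked would be those of the wrong user. Drop the string from the request and use the monitor's own view: `start_pam(authctxt->pw != NULL ? authctxt->pw->pw_name : "NOUSER");`, and move the `monitor_permit()` for PAM_START from mm_answer_sign() to after mm_answer_pwnamallow() has filled `authctxt->pw`, so the request cannot arrive before the name is known.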
index 681b5188b608092706a20cca471e2e3478b4e36a..56ec9d9158d02700f60fae9d73dbb58af944b9e1 100644 (file)
--- a/monitor.h
+++ b/monitor.h
@@ -48,6 +48,7 @@ enum monitor_reqtype {
        MONITOR_REQ_RSAKEYALLOWED, MONITOR_ANS_RSAKEYALLOWED,
        MONITOR_REQ_RSACHALLENGE, MONITOR_ANS_RSACHALLENGE,
        MONITOR_REQ_RSARESPONSE, MONITOR_ANS_RSARESPONSE,
+       MONITOR_REQ_PAM_START,
        MONITOR_REQ_TERM,
 };
 
index 53bf59b5b257d82f95fa0de6f2a2a177a455e936..0fe5bc10d8790f8bdc9281585a5baf41df9cf367 100644 (file)
@@ -623,6 +623,23 @@ mm_session_pty_cleanup2(void *session)
        s->ttyfd = -1;
 }
 
+#ifdef USE_PAM
+void
+mm_start_pam(char *user)
+{
+       Buffer m;
+
+       debug3("%s entering", __FUNCTION__);
+
+       buffer_init(&m);
+       buffer_put_cstring(&m, user);
+
+       mm_request_send(monitor->m_recvfd, MONITOR_REQ_PAM_START, &m);
+
+       buffer_free(&m);
+}
+#endif /* USE_PAM */
+
 /* Request process termination */
 
 void
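Review bot: mm_start_pam() sends MONITOR_REQ_PAM_START and returns without waiting for an answer, so a failure in the monitor's start_pam() surfaces only on the child's next round-trip, and there is no MONITOR_ANS_PAM_START in monitor.h to wait on; the other wrappers in this file appear to pair each request with a reply (not visible in this hunk). If fire-and-forget is intended, say so: `/* no reply expected: the monitor handles requests in order, so PAM is started before any later request */`. Otherwise add an answer type and a `mm_request_receive_expect(monitor->m_recvfd, MONITOR_ANS_PAM_START, &m);` before `buffer_free`, with the monitor replying from mm_answer_pam_start().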
index fe434d1e182c6bc2b988953b1ec74b0c2baf5971..975ba05499061a492dc0c3821521917eecfde35a 100644 (file)
@@ -54,6 +54,10 @@ int mm_auth_rsa_key_allowed(struct passwd *, BIGNUM *, Key **);
 int mm_auth_rsa_verify_response(Key *, BIGNUM *, u_char *);
 BIGNUM *mm_auth_rsa_generate_challenge(Key *);
 
+#ifdef USE_PAM
+void mm_start_pam(char *);
+#endif
+
 void mm_terminate(void);
 int mm_pty_allocate(int *, int *, char *, int);
 void mm_session_pty_cleanup2(void *);