From ad200abba6e2ba7e102ec813c05f07f3281236e3 Mon Sep 17 00:00:00 2001 From: djm Date: Tue, 23 Apr 2002 10:28:48 +0000 Subject: [PATCH] - (djm) Make privsep work with PAM (still experimental) --- ChangeLog | 1 + auth-pam.c | 1 + auth1.c | 5 +++-- auth2.c | 8 ++++---- monitor.c | 34 +++++++++++++++++++++++++++++----- monitor.h | 1 + monitor_wrap.c | 17 +++++++++++++++++ monitor_wrap.h | 4 ++++ 8 files changed, 60 insertions(+), 11 deletions(-) diff --git a/ChangeLog b/ChangeLog index f0165b93..4d85273f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,7 @@ 20020423 - (djm) Bug #222: Fix tests for getaddrinfo on OSF/1. Spotted by Robert Urban + - (djm) Make privsep work with PAM (still experimental) 20020421 - (tim) [entropy.c.] Portability fix for SCO Unix 3.2v4.x (SCO OSR 3.0). diff --git a/auth-pam.c b/auth-pam.c index 0740fcef..9459637b 100644 --- a/auth-pam.c +++ b/auth-pam.c @@ -249,6 +249,7 @@ int do_pam_account(char *username, char *remote_user) } pam_retval = pam_acct_mgmt(__pamh, 0); + debug2("pam_acct_mgmt() = %d", pam_retval); switch (pam_retval) { case PAM_SUCCESS: /* This is what we want */ diff --git a/auth1.c b/auth1.c index c2a8936a..1f6fcb29 100644 --- a/auth1.c +++ b/auth1.c @@ -306,7 +306,8 @@ do_authloop(Authctxt *authctxt) authenticated = 0; #endif #ifdef USE_PAM - if (authenticated && !do_pam_account(pw->pw_name, client_user)) + if (!use_privsep && authenticated && + !do_pam_account(pw->pw_name, client_user)) authenticated = 0; #endif @@ -381,7 +382,7 @@ do_authentication(void) use_privsep ? " [net]" : ""); #ifdef USE_PAM - start_pam(authctxt->pw == NULL ? "NOUSER" : user); + PRIVSEP(start_pam(authctxt->pw == NULL ? "NOUSER" : user)); #endif /* diff --git a/auth2.c b/auth2.c index eadaa713..4c18d232 100644 --- a/auth2.c +++ b/auth2.c @@ -189,12 +189,12 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) authctxt->valid = 1; debug2("input_userauth_request: setting up authctxt for %s", user); #ifdef USE_PAM - start_pam(authctxt->pw->pw_name); + PRIVSEP(start_pam(authctxt->pw->pw_name)); #endif } else { log("input_userauth_request: illegal user %s", user); #ifdef USE_PAM - start_pam("NOUSER"); + PRIVSEP(start_pam("NOUSER")); #endif } setproctitle("%s%s", authctxt->pw ? user : "unknown", @@ -242,8 +242,8 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method) authenticated = 0; #ifdef USE_PAM - if (authenticated && authctxt->user && !do_pam_account(authctxt->user, - NULL)) + if (!use_privsep && authenticated && authctxt->user && + !do_pam_account(authctxt->user, NULL)) authenticated = 0; #endif /* USE_PAM */ diff --git a/monitor.c b/monitor.c index b66dc2a1..01adabe3 100644 --- a/monitor.c +++ b/monitor.c @@ -113,6 +113,10 @@ int mm_answer_rsa_response(int, Buffer *); int mm_answer_sesskey(int, Buffer *); int mm_answer_sessid(int, Buffer *); +#ifdef USE_PAM +int mm_answer_pam_start(int, Buffer *); +#endif + static Authctxt *authctxt; static BIGNUM *ssh1_challenge = NULL; /* used for ssh1 rsa auth */ @@ -143,8 +147,9 @@ struct mon_table mon_dispatch_proto20[] = { {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, -#if !defined(USE_PAM) {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, +#ifdef USE_PAM + {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start}, #endif #ifdef BSD_AUTH {MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery}, @@ -172,9 +177,7 @@ struct mon_table mon_dispatch_proto15[] = { {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, {MONITOR_REQ_SESSKEY, MON_ONCE, mm_answer_sesskey}, {MONITOR_REQ_SESSID, MON_ONCE, mm_answer_sessid}, -#if !defined(USE_PAM) {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, -#endif {MONITOR_REQ_RSAKEYALLOWED, MON_ISAUTH, mm_answer_rsa_keyallowed}, {MONITOR_REQ_KEYALLOWED, MON_ISAUTH, mm_answer_keyallowed}, {MONITOR_REQ_RSACHALLENGE, MON_ONCE, mm_answer_rsa_challenge}, @@ -260,6 +263,10 @@ monitor_child_preauth(struct monitor *monitor) if (authctxt->pw->pw_uid == 0 && !auth_root_allowed(auth_method)) authenticated = 0; +#ifdef USE_PAM + if (!do_pam_account(authctxt->pw->pw_name, NULL)) + authenticated = 0; +#endif } if (ent->flags & MON_AUTHDECIDE) { @@ -457,6 +464,9 @@ mm_answer_sign(int socket, Buffer *m) /* Turn on permissions for getpwnam */ monitor_permit(mon_dispatch, MONITOR_REQ_PWNAM, 1); +#ifdef USE_PAM + monitor_permit(mon_dispatch, MONITOR_REQ_PAM_START, 1); +#endif return (0); } @@ -537,7 +547,6 @@ mm_answer_authserv(int socket, Buffer *m) return (0); } -#if !defined(USE_PAM) int mm_answer_authpassword(int socket, Buffer *m) { @@ -566,7 +575,6 @@ mm_answer_authpassword(int socket, Buffer *m) /* Causes monitor loop to terminate if authenticated */ return (authenticated); } -#endif #ifdef BSD_AUTH int @@ -673,6 +681,22 @@ mm_answer_skeyrespond(int socket, Buffer *m) } #endif +#ifdef USE_PAM +int +mm_answer_pam_start(int socket, Buffer *m) +{ + char *user; + + user = buffer_get_string(m, NULL); + + start_pam(user); + + xfree(user); + + return (0); +} +#endif + static void mm_append_debug(Buffer *m) { diff --git a/monitor.h b/monitor.h index 681b5188..56ec9d91 100644 --- a/monitor.h +++ b/monitor.h @@ -48,6 +48,7 @@ enum monitor_reqtype { MONITOR_REQ_RSAKEYALLOWED, MONITOR_ANS_RSAKEYALLOWED, MONITOR_REQ_RSACHALLENGE, MONITOR_ANS_RSACHALLENGE, MONITOR_REQ_RSARESPONSE, MONITOR_ANS_RSARESPONSE, + MONITOR_REQ_PAM_START, MONITOR_REQ_TERM, }; diff --git a/monitor_wrap.c b/monitor_wrap.c index 53bf59b5..0fe5bc10 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c @@ -623,6 +623,23 @@ mm_session_pty_cleanup2(void *session) s->ttyfd = -1; } +#ifdef USE_PAM +void +mm_start_pam(char *user) +{ + Buffer m; + + debug3("%s entering", __FUNCTION__); + + buffer_init(&m); + buffer_put_cstring(&m, user); + + mm_request_send(monitor->m_recvfd, MONITOR_REQ_PAM_START, &m); + + buffer_free(&m); +} +#endif /* USE_PAM */ + /* Request process termination */ void diff --git a/monitor_wrap.h b/monitor_wrap.h index fe434d1e..975ba054 100644 --- a/monitor_wrap.h +++ b/monitor_wrap.h @@ -54,6 +54,10 @@ int mm_auth_rsa_key_allowed(struct passwd *, BIGNUM *, Key **); int mm_auth_rsa_verify_response(Key *, BIGNUM *, u_char *); BIGNUM *mm_auth_rsa_generate_challenge(Key *); +#ifdef USE_PAM +void mm_start_pam(char *); +#endif + void mm_terminate(void); int mm_pty_allocate(int *, int *, char *, int); void mm_session_pty_cleanup2(void *); -- 2.45.2