tyler.durden/openssh-portable
1
0
Fork 0
mirror of https://github.com/PowerShell/openssh-portable.git synced 2025-07-29 16:54:51 +02:00
Code Issues Packages Projects Releases Wiki Activity

- (dtucker) [auth-pam.c] Convert chauthtok_conv into a generic tty_conv,

Browse Source 
and use it for do_pam_session.  Fixes problems like pam_motd not displaying
   anything.  ok djm@
This commit is contained in:
Darren Tucker 2003-11-18 12:42:07 +11:00
parent 6aef38f5ac
commit 18df00cc77
2 changed files with 30 additions and 33 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
ChangeLog
View File

@ -1,6 +1,9 @@
20031117 20031118
- (djm) Fix early exit for root auth success when UsePAM=yes and - (djm) Fix early exit for root auth success when UsePAM=yes and
PermitRootLogin=no PermitRootLogin=no
- (dtucker) [auth-pam.c] Convert chauthtok_conv into a generic tty_conv,
and use it for do_pam_session. Fixes problems like pam_motd not displaying
anything. ok djm@
20031117 20031117
- (djm) OpenBSD CVS Sync - (djm) OpenBSD CVS Sync
@ -1476,4 +1479,4 @@
- Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo.
Report from murple@murple.net, diagnosis from dtucker@zip.com.au Report from murple@murple.net, diagnosis from dtucker@zip.com.au
$Id: ChangeLog,v 1.3113 2003/11/17 23:45:20 djm Exp $ $Id: ChangeLog,v 1.3114 2003/11/18 01:42:07 dtucker Exp $

56
auth-pam.c
View File

@ -31,7 +31,7 @@
/* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */ /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */
#include "includes.h" #include "includes.h"
RCSID("$Id: auth-pam.c,v 1.80 2003/11/17 10:41:42 djm Exp $"); RCSID("$Id: auth-pam.c,v 1.81 2003/11/18 01:42:08 dtucker Exp $");
#ifdef USE_PAM #ifdef USE_PAM
#include <security/pam_appl.h> #include <security/pam_appl.h>
@ -52,6 +52,7 @@ RCSID("$Id: auth-pam.c,v 1.80 2003/11/17 10:41:42 djm Exp $");
#include "auth-options.h" #include "auth-options.h"
extern ServerOptions options; extern ServerOptions options;
extern Buffer loginmsg;
#define __unused #define __unused
@ -497,13 +498,9 @@ sshpam_query(void *ctx, char **name, char **info,
case PAM_AUTH_ERR: case PAM_AUTH_ERR:
if (**prompts != NULL) { if (**prompts != NULL) {
/* drain any accumulated messages */ /* drain any accumulated messages */
#if 0 /* XXX - not compatible with privsep */ debug("PAM: %s", **prompts);
packet_start(SSH2_MSG_USERAUTH_BANNER); buffer_append(&loginmsg, **prompts,
packet_put_cstring(**prompts); strlen(**prompts));
packet_put_cstring("");
packet_send();
packet_write_wait();
#endif
xfree(**prompts); xfree(**prompts);
**prompts = NULL; **prompts = NULL;
} }
@ -630,21 +627,6 @@ do_pam_account(void)
return (1); return (1);
} }
void
do_pam_session(void)
{
sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
(const void *)&null_conv);
if (sshpam_err != PAM_SUCCESS)
fatal("PAM: failed to set PAM_CONV: %s",
pam_strerror(sshpam_handle, sshpam_err));
sshpam_err = pam_open_session(sshpam_handle, 0);
if (sshpam_err != PAM_SUCCESS)
fatal("PAM: pam_open_session(): %s",
pam_strerror(sshpam_handle, sshpam_err));
sshpam_session_open = 1;
}
void void
do_pam_set_tty(const char *tty) do_pam_set_tty(const char *tty)
{ {
@ -691,7 +673,7 @@ is_pam_password_change_required(void)
} }
static int static int
pam_chauthtok_conv(int n, const struct pam_message **msg, pam_tty_conv(int n, const struct pam_message **msg,
struct pam_response **resp, void *data) struct pam_response **resp, void *data)
{ {
char input[PAM_MAX_MSG_SIZE]; char input[PAM_MAX_MSG_SIZE];
@ -700,7 +682,7 @@ pam_chauthtok_conv(int n, const struct pam_message **msg,
*resp = NULL; *resp = NULL;
if (n <= 0 || n > PAM_MAX_NUM_MSG) if (n <= 0 || n > PAM_MAX_NUM_MSG || !isatty(STDIN_FILENO))
return (PAM_CONV_ERR); return (PAM_CONV_ERR);
if ((reply = malloc(n * sizeof(*reply))) == NULL) if ((reply = malloc(n * sizeof(*reply))) == NULL)
@ -742,6 +724,8 @@ pam_chauthtok_conv(int n, const struct pam_message **msg,
return (PAM_CONV_ERR); return (PAM_CONV_ERR);
} }
static struct pam_conv tty_conv = { pam_tty_conv, NULL };
/* /*
* XXX this should be done in the authentication phase, but ssh1 doesn't * XXX this should be done in the authentication phase, but ssh1 doesn't
* support that * support that
@ -749,15 +733,10 @@ pam_chauthtok_conv(int n, const struct pam_message **msg,
void void
do_pam_chauthtok(void) do_pam_chauthtok(void)
{ {
struct pam_conv pam_conv;
pam_conv.conv = pam_chauthtok_conv;
pam_conv.appdata_ptr = NULL;
if (use_privsep) if (use_privsep)
fatal("Password expired (unable to change with privsep)"); fatal("Password expired (unable to change with privsep)");
sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
(const void *)&pam_conv); (const void *)&tty_conv);
if (sshpam_err != PAM_SUCCESS) if (sshpam_err != PAM_SUCCESS)
fatal("PAM: failed to set PAM_CONV: %s", fatal("PAM: failed to set PAM_CONV: %s",
pam_strerror(sshpam_handle, sshpam_err)); pam_strerror(sshpam_handle, sshpam_err));
@ -768,6 +747,21 @@ do_pam_chauthtok(void)
pam_strerror(sshpam_handle, sshpam_err)); pam_strerror(sshpam_handle, sshpam_err));
} }
void
do_pam_session(void)
{
sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
(const void *)&tty_conv);
if (sshpam_err != PAM_SUCCESS)
fatal("PAM: failed to set PAM_CONV: %s",
pam_strerror(sshpam_handle, sshpam_err));
sshpam_err = pam_open_session(sshpam_handle, 0);
if (sshpam_err != PAM_SUCCESS)
fatal("PAM: pam_open_session(): %s",
pam_strerror(sshpam_handle, sshpam_err));
sshpam_session_open = 1;
}
/* /*
* Set a PAM environment string. We need to do this so that the session * Set a PAM environment string. We need to do this so that the session
* modules can handle things like Kerberos/GSI credentials that appear * modules can handle things like Kerberos/GSI credentials that appear