diff --git a/ChangeLog b/ChangeLog index f1162fac1..0bf1e54aa 100644 --- a/ChangeLog +++ b/ChangeLog @@ -8,6 +8,8 @@ be our 'mysignal' by default. OK djm@ - (dtucker) [acconfig.h auth.c configure.ac sshd.8] Bug #422 again: deny any access to locked accounts. ok djm@ + - (djm) Bug #564: Perform PAM account checks for all authentications when + UsePAM=yes; ok dtucker 20030822 - (djm) s/get_progname/ssh_get_progname/g to avoid conflict with Heimdal @@ -862,4 +864,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.2902 2003/08/25 01:51:19 dtucker Exp $ +$Id: ChangeLog,v 1.2903 2003/08/25 03:08:49 djm Exp $ diff --git a/auth-pam.c b/auth-pam.c index 970ff61cb..c0b6ded12 100644 --- a/auth-pam.c +++ b/auth-pam.c @@ -31,7 +31,7 @@ /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */ #include "includes.h" -RCSID("$Id: auth-pam.c,v 1.66 2003/08/08 03:43:37 dtucker Exp $"); +RCSID("$Id: auth-pam.c,v 1.67 2003/08/25 03:08:49 djm Exp $"); #ifdef USE_PAM #include @@ -49,6 +49,7 @@ RCSID("$Id: auth-pam.c,v 1.66 2003/08/08 03:43:37 dtucker Exp $"); #include "servconf.h" #include "ssh2.h" #include "xmalloc.h" +#include "auth-options.h" extern ServerOptions options; @@ -130,10 +131,8 @@ static void sshpam_free_ctx(void *); * Conversation function for authentication thread. */ static int -sshpam_thread_conv(int n, - const struct pam_message **msg, - struct pam_response **resp, - void *data) +sshpam_thread_conv(int n, const struct pam_message **msg, + struct pam_response **resp, void *data) { Buffer buffer; struct pam_ctxt *ctxt; @@ -216,9 +215,6 @@ sshpam_thread(void *ctxtp) sshpam_err = pam_authenticate(sshpam_handle, 0); if (sshpam_err != PAM_SUCCESS) goto auth_fail; - sshpam_err = pam_acct_mgmt(sshpam_handle, 0); - if (sshpam_err != PAM_SUCCESS && sshpam_err != PAM_NEW_AUTHTOK_REQD) - goto auth_fail; buffer_put_cstring(&buffer, "OK"); ssh_msg_send(ctxt->pam_csock, sshpam_err, &buffer); buffer_free(&buffer); @@ -246,12 +242,9 @@ sshpam_thread_cleanup(void *ctxtp) } static int -sshpam_null_conv(int n, - const struct pam_message **msg, - struct pam_response **resp, - void *data) +sshpam_null_conv(int n, const struct pam_message **msg, + struct pam_response **resp, void *data) { - return (PAM_CONV_ERR); } @@ -303,7 +296,7 @@ sshpam_init(const char *user) debug("PAM: setting PAM_RHOST to \"%s\"", pam_rhost); sshpam_err = pam_set_item(sshpam_handle, PAM_RHOST, pam_rhost); if (sshpam_err != PAM_SUCCESS) { - pam_end(sshpam_handle, sshpam_err); + pam_end(sshpam_handle, sshpam_err); sshpam_handle = NULL; return (-1); } @@ -403,9 +396,6 @@ sshpam_query(void *ctx, char **name, char **info, plen += snprintf(**prompts + plen, len, "%s", msg); xfree(msg); break; - case PAM_NEW_AUTHTOK_REQD: - sshpam_new_authtok_reqd = 1; - /* FALLTHROUGH */ case PAM_SUCCESS: case PAM_AUTH_ERR: if (**prompts != NULL) { @@ -519,10 +509,24 @@ finish_pam(void) sshpam_cleanup(NULL); } -int -do_pam_account(const char *user, const char *ruser) +u_int +do_pam_account(void) { - /* XXX */ + sshpam_err = pam_acct_mgmt(sshpam_handle, 0); + debug3("%s: pam_acct_mgmt = %d", __func__, sshpam_err); + + if (sshpam_err != PAM_SUCCESS && sshpam_err != PAM_NEW_AUTHTOK_REQD) + return (0); + + if (sshpam_err == PAM_NEW_AUTHTOK_REQD) { + sshpam_new_authtok_reqd = 1; + + /* Prevent forwardings until password changed */ + no_port_forwarding_flag |= 2; + no_agent_forwarding_flag |= 2; + no_x11_forwarding_flag |= 2; + } + return (1); } @@ -582,10 +586,8 @@ is_pam_password_change_required(void) } static int -pam_chauthtok_conv(int n, - const struct pam_message **msg, - struct pam_response **resp, - void *data) +pam_chauthtok_conv(int n, const struct pam_message **msg, + struct pam_response **resp, void *data) { char input[PAM_MAX_MSG_SIZE]; int i; @@ -635,7 +637,7 @@ do_pam_chauthtok(void) struct pam_conv pam_conv = { pam_chauthtok_conv, NULL }; if (use_privsep) - fatal("PAM: chauthtok not supprted with privsep"); + fatal("Password expired (unable to change with privsep)"); sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, (const void *)&pam_conv); if (sshpam_err != PAM_SUCCESS) diff --git a/auth-pam.h b/auth-pam.h index fdbd0febd..7f7c16d2e 100644 --- a/auth-pam.h +++ b/auth-pam.h @@ -1,4 +1,4 @@ -/* $Id: auth-pam.h,v 1.18 2003/05/19 01:28:44 djm Exp $ */ +/* $Id: auth-pam.h,v 1.19 2003/08/25 03:08:49 djm Exp $ */ /* * Copyright (c) 2000 Damien Miller. All rights reserved. @@ -33,7 +33,7 @@ void start_pam(const char *); void finish_pam(void); -int do_pam_account(const char *, const char *); +u_int do_pam_account(void); void do_pam_session(const char *, const char *); void do_pam_setcred(int ); int is_pam_password_change_required(void); diff --git a/auth1.c b/auth1.c index 7c0100103..d8b5836ba 100644 --- a/auth1.c +++ b/auth1.c @@ -290,6 +290,12 @@ do_authloop(Authctxt *authctxt) authenticated = 0; #endif +#ifdef USE_PAM + if (options.use_pam && authenticated && + !PRIVSEP(do_pam_account())) + authenticated = 0; +#endif + /* Log before sending the reply */ auth_log(authctxt, authenticated, get_authname(type), info); diff --git a/auth2.c b/auth2.c index 639bf9117..e6ec8ddcd 100644 --- a/auth2.c +++ b/auth2.c @@ -213,6 +213,11 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method) !auth_root_allowed(method)) authenticated = 0; +#ifdef USE_PAM + if (options.use_pam && authenticated && !PRIVSEP(do_pam_account())) + authenticated = 0; +#endif + #ifdef _UNICOS if (authenticated && cray_access_denied(authctxt->user)) { authenticated = 0; diff --git a/monitor.c b/monitor.c index 95fd0cf64..80b1a8fba 100644 --- a/monitor.c +++ b/monitor.c @@ -118,6 +118,7 @@ int mm_answer_sessid(int, Buffer *); #ifdef USE_PAM int mm_answer_pam_start(int, Buffer *); +int mm_answer_pam_account(int, Buffer *); int mm_answer_pam_init_ctx(int, Buffer *); int mm_answer_pam_query(int, Buffer *); int mm_answer_pam_respond(int, Buffer *); @@ -165,6 +166,7 @@ struct mon_table mon_dispatch_proto20[] = { {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, #ifdef USE_PAM {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start}, + {MONITOR_REQ_PAM_ACCOUNT, 0, mm_answer_pam_account}, {MONITOR_REQ_PAM_INIT_CTX, MON_ISAUTH, mm_answer_pam_init_ctx}, {MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query}, {MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond}, @@ -214,6 +216,7 @@ struct mon_table mon_dispatch_proto15[] = { #endif #ifdef USE_PAM {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start}, + {MONITOR_REQ_PAM_ACCOUNT, 0, mm_answer_pam_account}, {MONITOR_REQ_PAM_INIT_CTX, MON_ISAUTH, mm_answer_pam_init_ctx}, {MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query}, {MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond}, @@ -295,6 +298,18 @@ monitor_child_preauth(struct monitor *pmonitor) if (authctxt->pw->pw_uid == 0 && !auth_root_allowed(auth_method)) authenticated = 0; +#ifdef USE_PAM + /* PAM needs to perform account checks after auth */ + if (options.use_pam) { + Buffer m; + + buffer_init(&m); + mm_request_receive_expect(pmonitor->m_sendfd, + MONITOR_REQ_PAM_ACCOUNT, &m); + authenticated = mm_answer_pam_account(pmonitor->m_sendfd, &m); + buffer_free(&m); + } +#endif } if (ent->flags & MON_AUTHDECIDE) { @@ -771,9 +786,28 @@ mm_answer_pam_start(int socket, Buffer *m) xfree(user); + monitor_permit(mon_dispatch, MONITOR_REQ_PAM_ACCOUNT, 1); + return (0); } +int +mm_answer_pam_account(int socket, Buffer *m) +{ + u_int ret; + + if (!options.use_pam) + fatal("UsePAM not set, but ended up in %s anyway", __func__); + + ret = do_pam_account(); + + buffer_put_int(m, ret); + + mm_request_send(socket, MONITOR_ANS_PAM_ACCOUNT, m); + + return (ret); +} + static void *sshpam_ctxt, *sshpam_authok; extern KbdintDevice sshpam_device; diff --git a/monitor.h b/monitor.h index 13b21aa42..eeac78e03 100644 --- a/monitor.h +++ b/monitor.h @@ -51,6 +51,7 @@ enum monitor_reqtype { MONITOR_REQ_RSARESPONSE, MONITOR_ANS_RSARESPONSE, MONITOR_REQ_KRB5, MONITOR_ANS_KRB5, MONITOR_REQ_PAM_START, + MONITOR_REQ_PAM_ACCOUNT, MONITOR_ANS_PAM_ACCOUNT, MONITOR_REQ_PAM_INIT_CTX, MONITOR_ANS_PAM_INIT_CTX, MONITOR_REQ_PAM_QUERY, MONITOR_ANS_PAM_QUERY, MONITOR_REQ_PAM_RESPOND, MONITOR_ANS_PAM_RESPOND, diff --git a/monitor_wrap.c b/monitor_wrap.c index c7ba86ffc..9e7e6b3c3 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c @@ -682,6 +682,30 @@ mm_start_pam(char *user) buffer_free(&m); } +u_int +mm_do_pam_account(void) +{ + Buffer m; + u_int ret; + + debug3("%s entering", __func__); + if (!options.use_pam) + fatal("UsePAM=no, but ended up in %s anyway", __func__); + + buffer_init(&m); + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_ACCOUNT, &m); + + mm_request_receive_expect(pmonitor->m_recvfd, + MONITOR_ANS_PAM_ACCOUNT, &m); + ret = buffer_get_int(&m); + + buffer_free(&m); + + debug3("%s returning %d", __func__, ret); + + return (ret); +} + void * mm_sshpam_init_ctx(Authctxt *authctxt) { diff --git a/monitor_wrap.h b/monitor_wrap.h index e0dd73bd0..ddd42ee28 100644 --- a/monitor_wrap.h +++ b/monitor_wrap.h @@ -57,6 +57,7 @@ BIGNUM *mm_auth_rsa_generate_challenge(Key *); #ifdef USE_PAM void mm_start_pam(char *); +u_int mm_do_pam_account(void); void *mm_sshpam_init_ctx(struct Authctxt *); int mm_sshpam_query(void *, char **, char **, u_int *, char ***, u_int **); int mm_sshpam_respond(void *, u_int, char **); diff --git a/session.c b/session.c index d3ef89a0c..20c4b8a97 100644 --- a/session.c +++ b/session.c @@ -719,6 +719,7 @@ do_login(Session *s, const char *command) if (options.use_pam && is_pam_password_change_required()) { print_pam_messages(); do_pam_chauthtok(); + /* XXX - signal [net] parent to enable forwardings */ } #endif