diff --git a/ChangeLog b/ChangeLog
index ff0659708..ca9f92983 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+20040816
+ - (dtucker) [acconfig.h auth-pam.c configure.ac] Set real uid to non-root
+   to convince Solaris PAM to honour password complexity rules. ok djm@
+
 20040815
  - (dtucker) [Makefile.in ssh-keysign.c ssh.c] Use permanently_set_uid()
    since it does the right thing on all platforms. ok djm@
@@ -1641,4 +1645,4 @@
  - (djm) Trim deprecated options from INSTALL. Mention UsePAM
  - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
 
-$Id: ChangeLog,v 1.3512 2004/08/15 11:01:37 dtucker Exp $
+$Id: ChangeLog,v 1.3513 2004/08/16 13:12:05 dtucker Exp $
diff --git a/acconfig.h b/acconfig.h
index bb069630d..014413505 100644
--- a/acconfig.h
+++ b/acconfig.h
@@ -1,4 +1,4 @@
-/* $Id: acconfig.h,v 1.179 2004/08/15 08:40:59 djm Exp $ */
+/* $Id: acconfig.h,v 1.180 2004/08/16 13:12:06 dtucker Exp $ */
 
 /*
  * Copyright (c) 1999-2003 Damien Miller. All rights reserved.
@@ -104,6 +104,9 @@
 /* Work around problematic Linux PAM modules handling of PAM_TTY */
 #undef PAM_TTY_KLUDGE
 
+/* Define if pam_chauthtok wants real uid set to the unpriv'ed user */
+#undef SSHPAM_CHAUTHTOK_NEEDS_RUID
+
 /* Use PIPES instead of a socketpair() */
 #undef USE_PIPES
 
diff --git a/auth-pam.c b/auth-pam.c
index 7d610d0bb..b93241f48 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -47,7 +47,7 @@
 /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */
 
 #include "includes.h"
-RCSID("$Id: auth-pam.c,v 1.113 2004/07/21 10:54:47 djm Exp $");
+RCSID("$Id: auth-pam.c,v 1.114 2004/08/16 13:12:06 dtucker Exp $");
 
 #ifdef USE_PAM
 #if defined(HAVE_SECURITY_PAM_APPL_H)
@@ -201,6 +201,31 @@ pam_getenvlist(pam_handle_t *pamh)
 }
 #endif
 
+/*
+ * Some platforms, notably Solaris, do not enforce password complexity
+ * rules during pam_chauthtok() if the real uid of the calling process
+ * is 0, on the assumption that it's being called by "passwd" run by root.
+ * This wraps pam_chauthtok and sets/restore the real uid so PAM will do
+ * the right thing.
+ */
+#ifdef SSHPAM_CHAUTHTOK_NEEDS_RUID
+static int
+sshpam_chauthtok_ruid(pam_handle_t *pamh, int flags)
+{
+	int result;
+
+	if (sshpam_authctxt == NULL)
+		fatal("PAM: sshpam_authctxt not initialized");
+	if (setreuid(sshpam_authctxt->pw->pw_uid, -1) == -1)
+		fatal("%s: setreuid failed: %s", __func__, strerror(errno));
+	result = pam_chauthtok(pamh, flags);
+	if (setreuid(0, -1) == -1)
+		fatal("%s: setreuid failed: %s", __func__, strerror(errno));
+	return result;
+}
+# define pam_chauthtok(a,b) (sshpam_chauthtok_ruid((a), (b)))
+#endif
+
 void
 sshpam_password_change_required(int reqd)
 {
diff --git a/configure.ac b/configure.ac
index 6954fb47e..36c457728 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,4 +1,4 @@
-# $Id: configure.ac,v 1.225 2004/08/15 08:40:59 djm Exp $
+# $Id: configure.ac,v 1.226 2004/08/16 13:12:06 dtucker Exp $
 #
 # Copyright (c) 1999-2004 Damien Miller
 #
@@ -298,6 +298,7 @@ mips-sony-bsd|mips-sony-newsos4)
 	AC_DEFINE(LOGIN_NEEDS_UTMPX)
 	AC_DEFINE(LOGIN_NEEDS_TERM)
 	AC_DEFINE(PAM_TTY_KLUDGE)
+	AC_DEFINE(SSHPAM_CHAUTHTOK_NEEDS_RUID)
 	AC_DEFINE(LOCKED_PASSWD_STRING, "*LK*")
 	# Pushing STREAMS modules will cause sshd to acquire a controlling tty.
 	AC_DEFINE(SSHD_ACQUIRES_CTTY)
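Review bot: The restore step in sshpam_chauthtok_ruid() hard-codes the real uid it puts back, `if (setreuid(0, -1) == -1)`, instead of the value the process actually had on entry; saving it first with `uid_t saved_ruid = getuid();` and restoring with `if (setreuid(saved_ruid, -1) == -1)` keeps the wrapper a pure save/restore and makes the intent explicit rather than assuming the caller is always ruid 0. The placement of `# define pam_chauthtok(a,b) (sshpam_chauthtok_ruid((a), (b)))` after the function body is load-bearing, since it is what keeps the `pam_chauthtok(pamh, flags)` call inside the wrapper bound to the library function rather than to itself, and that deserves a one-line comment such as `/* Must stay below the wrapper: the call above needs the real pam_chauthtok(). */`. The guard checks `sshpam_authctxt == NULL` but then dereferences `sshpam_authctxt->pw->pw_uid` without checking `pw`; whether `pw` can be NULL on this path cannot be told from the hunk, so if it can, the check should cover it too. The block comment's "sets/restore the real uid" should read "sets/restores the real uid". The function is entirely within the hunk.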