- (dtucker) [auth-pam.c auth.h auth2-none.c auth2.c monitor.c monitor_wrap.c]

Bug #892: Send messages from failing PAM account modules to the client via
   SSH2_MSG_USERAUTH_BANNER messages.  Note that this will not happen with
   SSH2 kbdint authentication, which needs to be dealt with separately.  ok djm@
Darren Tucker 2004-09-11 23:07:03 +10:00
parent 4765679649
commit 77fc29eeb3
7 changed files with 47 additions and 12 deletions


@ -6,6 +6,10 @@
- (dtucker) [auth-pam.c] Relocate sshpam_store_conv(), no code change. - (dtucker) [auth-pam.c] Relocate sshpam_store_conv(), no code change.
- (djm) [auth2-kbdint.c auth2-none.c auth2-passwd.c auth2-pubkey.c] - (djm) [auth2-kbdint.c auth2-none.c auth2-passwd.c auth2-pubkey.c]
Make cygwin code more consistent with that which surrounds it Make cygwin code more consistent with that which surrounds it
- (dtucker) [auth-pam.c auth.h auth2-none.c auth2.c monitor.c monitor_wrap.c]
Bug #892: Send messages from failing PAM account modules to the client via
SSH2_MSG_USERAUTH_BANNER messages. Note that this will not happen with
SSH2 kbdint authentication, which need to be dealt with separately. ok djm@
20040830 20040830
- (dtucker) [session.c openbsd-compat/bsd-cygwin_util.{c,h}] Bug #915: only - (dtucker) [session.c openbsd-compat/bsd-cygwin_util.{c,h}] Bug #915: only
@ -1725,4 +1729,4 @@
- (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Trim deprecated options from INSTALL. Mention UsePAM
- (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
$Id: ChangeLog,v 1.3543 2004/09/11 12:42:09 djm Exp $ $Id: ChangeLog,v 1.3544 2004/09/11 13:07:03 dtucker Exp $


@ -47,7 +47,7 @@
/* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */ /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */
#include "includes.h" #include "includes.h"
RCSID("$Id: auth-pam.c,v 1.116 2004/09/11 12:28:02 dtucker Exp $"); RCSID("$Id: auth-pam.c,v 1.117 2004/09/11 13:07:03 dtucker Exp $");
#ifdef USE_PAM #ifdef USE_PAM
#if defined(HAVE_SECURITY_PAM_APPL_H) #if defined(HAVE_SECURITY_PAM_APPL_H)
@ -572,7 +572,7 @@ sshpam_init(Authctxt *authctxt)
} }
debug("PAM: initializing for \"%s\"", user); debug("PAM: initializing for \"%s\"", user);
sshpam_err = sshpam_err =
pam_start(SSHD_PAM_SERVICE, user, &null_conv, &sshpam_handle); pam_start(SSHD_PAM_SERVICE, user, &store_conv, &sshpam_handle);
sshpam_authctxt = authctxt; sshpam_authctxt = authctxt;
if (sshpam_err != PAM_SUCCESS) { if (sshpam_err != PAM_SUCCESS) {
@ -804,11 +804,13 @@ finish_pam(void)
u_int u_int
do_pam_account(void) do_pam_account(void)
{ {
debug("%s: called", __func__);
if (sshpam_account_status != -1) if (sshpam_account_status != -1)
return (sshpam_account_status); return (sshpam_account_status);
sshpam_err = pam_acct_mgmt(sshpam_handle, 0); sshpam_err = pam_acct_mgmt(sshpam_handle, 0);
debug3("PAM: %s pam_acct_mgmt = %d", __func__, sshpam_err); debug3("PAM: %s pam_acct_mgmt = %d (%s)", __func__, sshpam_err,
pam_strerror(sshpam_handle, sshpam_err));
if (sshpam_err != PAM_SUCCESS && sshpam_err != PAM_NEW_AUTHTOK_REQD) { if (sshpam_err != PAM_SUCCESS && sshpam_err != PAM_NEW_AUTHTOK_REQD) {
sshpam_account_status = 0; sshpam_account_status = 0;
@ -838,7 +840,7 @@ void
do_pam_setcred(int init) do_pam_setcred(int init)
{ {
sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
(const void *)&null_conv); (const void *)&store_conv);
if (sshpam_err != PAM_SUCCESS) if (sshpam_err != PAM_SUCCESS)
fatal("PAM: failed to set PAM_CONV: %s", fatal("PAM: failed to set PAM_CONV: %s",
pam_strerror(sshpam_handle, sshpam_err)); pam_strerror(sshpam_handle, sshpam_err));
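Review bot: The switch from `null_conv` to `store_conv` at the `pam_start()` call in `sshpam_init()` and again in `do_pam_setcred()` carries no comment, so a reader of `sshpam_init()` cannot tell that module output is now captured rather than discarded; add above the `pam_start()` call `/* store_conv collects PAM module messages into loginmsg so they can be reported to the client (bug #892) */`. Since `store_conv` is now the handle's default conversation, every PAM call made through `sshpam_handle` that does not install its own conversation (pam_acct_mgmt, pam_setcred, and any others) routes through it, so it must reject PAM_PROMPT_* requests rather than fabricate an answer; its body is outside this page, so please confirm. The new `debug("%s: called", __func__)` at the top of `do_pam_account()` is level 1 and fires on every account check, noisier than the surrounding `debug3()` calls; `debug3()` would match.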

1
auth.h

@ -137,6 +137,7 @@ void do_authentication2(Authctxt *);
void auth_log(Authctxt *, int, char *, char *); void auth_log(Authctxt *, int, char *, char *);
void userauth_finish(Authctxt *, int, char *); void userauth_finish(Authctxt *, int, char *);
void userauth_send_banner(const char *);
int auth_root_allowed(char *); int auth_root_allowed(char *);
char *auth2_read_banner(void); char *auth2_read_banner(void);


@ -74,6 +74,19 @@ auth2_read_banner(void)
return (banner); return (banner);
} }
void
userauth_send_banner(const char *msg)
{
if (datafellows & SSH_BUG_BANNER)
return;
packet_start(SSH2_MSG_USERAUTH_BANNER);
packet_put_cstring(msg);
packet_put_cstring(""); /* language, unused */
packet_send();
debug("%s: sent", __func__);
}
static void static void
userauth_banner(void) userauth_banner(void)
{ {
@ -84,12 +97,8 @@ userauth_banner(void)
if ((banner = PRIVSEP(auth2_read_banner())) == NULL) if ((banner = PRIVSEP(auth2_read_banner())) == NULL)
goto done; goto done;
userauth_send_banner(banner);
packet_start(SSH2_MSG_USERAUTH_BANNER);
packet_put_cstring(banner);
packet_put_cstring(""); /* language, unused */
packet_send();
debug("userauth_banner: sent");
done: done:
if (banner) if (banner)
xfree(banner); xfree(banner);
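Review bot: `userauth_send_banner()` is a new exported function with no header comment and no stated contract for `msg`; `packet_put_cstring()` presumably takes a NUL-terminated C string, so a NULL or unterminated `msg` would misbehave, and the caller in auth2.c relies on appending a NUL to `loginmsg` first. Add above the definition `/* Send msg to the client as an SSH2_MSG_USERAUTH_BANNER; msg must be a non-NULL, NUL-terminated string. Skipped for peers flagged SSH_BUG_BANNER. */`. The replacement in `userauth_banner()` also changes the log line from `userauth_banner: sent` to `userauth_send_banner: sent` via `__func__`, which anyone matching the old text in logs should know. `userauth_banner()`'s body starts before the second hunk, so whether its own SSH_BUG_BANNER check was kept or is now redundant with the one in the new function is not visible here.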

13
auth2.c

@ -35,6 +35,7 @@ RCSID("$OpenBSD: auth2.c,v 1.107 2004/07/28 09:40:29 markus Exp $");
#include "dispatch.h" #include "dispatch.h"
#include "pathnames.h" #include "pathnames.h"
#include "monitor_wrap.h" #include "monitor_wrap.h"
#include "buffer.h"
#ifdef GSSAPI #ifdef GSSAPI
#include "ssh-gss.h" #include "ssh-gss.h"
@ -44,6 +45,7 @@ RCSID("$OpenBSD: auth2.c,v 1.107 2004/07/28 09:40:29 markus Exp $");
extern ServerOptions options; extern ServerOptions options;
extern u_char *session_id2; extern u_char *session_id2;
extern u_int session_id2_len; extern u_int session_id2_len;
extern Buffer loginmsg;
/* methods */ /* methods */
@ -216,8 +218,17 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
authenticated = 0; authenticated = 0;
#ifdef USE_PAM #ifdef USE_PAM
if (options.use_pam && authenticated && !PRIVSEP(do_pam_account())) if (options.use_pam && authenticated) {
if (!PRIVSEP(do_pam_account())) {
authenticated = 0; authenticated = 0;
/* if PAM returned a message, send it to the user */
if (buffer_len(&loginmsg) > 0) {
buffer_append(&loginmsg, "\0", 1);
userauth_send_banner(buffer_ptr(&loginmsg));
buffer_clear(&loginmsg);
}
}
}
#endif #endif
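Review bot: The terminate/send/clear sequence on `loginmsg` in `userauth_finish()` (`buffer_append(&loginmsg, "\0", 1)`, `userauth_send_banner(buffer_ptr(&loginmsg))`, `buffer_clear(&loginmsg)`) repeats the pattern in `mm_answer_pam_account()` in monitor.c, and neither site says why the NUL is appended; a one-line comment would help: `/* loginmsg is not NUL-terminated; terminate it before handing it out as a C string */`. Because `buffer_len()`/`buffer_ptr()` read the whole accumulated buffer, anything other than PAM account output already sitting in `loginmsg` at this point would be sent to the client too; that appears to be only PAM output here, but it is worth stating as a precondition. The block runs only when `authenticated` is already set, so the module message reaches a peer that has presented valid credentials rather than an unauthenticated one. The `#ifdef USE_PAM` branch is enclosed by `userauth_finish()`, whose body starts before this hunk.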
#ifdef _UNICOS #ifdef _UNICOS


@ -810,6 +810,9 @@ mm_answer_pam_account(int sock, Buffer *m)
ret = do_pam_account(); ret = do_pam_account();
buffer_put_int(m, ret); buffer_put_int(m, ret);
buffer_append(&loginmsg, "\0", 1);
buffer_put_cstring(m, buffer_ptr(&loginmsg));
buffer_clear(&loginmsg);
mm_request_send(sock, MONITOR_ANS_PAM_ACCOUNT, m); mm_request_send(sock, MONITOR_ANS_PAM_ACCOUNT, m);
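Review bot: `buffer_put_cstring(m, buffer_ptr(&loginmsg))` in `mm_answer_pam_account()` presumably measures the string with `strlen()`, so PAM output containing an embedded NUL would be silently truncated there while the following `buffer_clear()` discards the rest; carrying the explicit length with `buffer_put_string(m, buffer_ptr(&loginmsg), buffer_len(&loginmsg))` would avoid that, though the receiving side in monitor_wrap.c would then need the length-aware read as well. The MONITOR_ANS_PAM_ACCOUNT reply now always carries a string field after the int that `mm_do_pam_account()` must always read; both sides change in this commit, but a comment at the `buffer_put_cstring()` line tying them together would help: `/* must match mm_do_pam_account(): int result followed by PAM account-module output */`. `mm_answer_pam_account()` begins before this hunk.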


@ -72,6 +72,7 @@ extern struct monitor *pmonitor;
extern Buffer input, output; extern Buffer input, output;
extern Buffer loginmsg; extern Buffer loginmsg;
extern ServerOptions options; extern ServerOptions options;
extern Buffer loginmsg;
int int
mm_is_monitor(void) mm_is_monitor(void)
@ -716,6 +717,7 @@ mm_do_pam_account(void)
{ {
Buffer m; Buffer m;
u_int ret; u_int ret;
char *msg;
debug3("%s entering", __func__); debug3("%s entering", __func__);
if (!options.use_pam) if (!options.use_pam)
@ -727,6 +729,9 @@ mm_do_pam_account(void)
mm_request_receive_expect(pmonitor->m_recvfd, mm_request_receive_expect(pmonitor->m_recvfd,
MONITOR_ANS_PAM_ACCOUNT, &m); MONITOR_ANS_PAM_ACCOUNT, &m);
ret = buffer_get_int(&m); ret = buffer_get_int(&m);
msg = buffer_get_string(&m, NULL);
buffer_append(&loginmsg, msg, strlen(msg));
xfree(msg);
buffer_free(&m); buffer_free(&m);