- (djm) Make privsep work with PAM (still experimental)

ChangeLog

@@ -1,6 +1,7 @@
 20020423
  - (djm) Bug #222: Fix tests for getaddrinfo on OSF/1. Spotted by
    Robert Urban <urban@spielwiese.de>
+ - (djm) Make privsep work with PAM (still experimental)
 
 20020421
  - (tim) [entropy.c.] Portability fix for SCO Unix 3.2v4.x (SCO OSR 3.0).
@@ -8267,4 +8268,4 @@
  - Wrote replacements for strlcpy and mkdtemp
  - Released 1.0pre1
 
-$Id: ChangeLog,v 1.2062 2002/04/23 10:22:59 djm Exp $
+$Id: ChangeLog,v 1.2063 2002/04/23 10:28:48 djm Exp $

auth-pam.c

@@ -36,7 +36,7 @@
 
 extern char *__progname;
 
-RCSID("$Id: auth-pam.c,v 1.43 2002/04/04 19:02:28 stevesk Exp $");
+RCSID("$Id: auth-pam.c,v 1.44 2002/04/23 10:28:49 djm Exp $");
 
 #define NEW_AUTHTOK_MSG \
 	"Warning: Your password has expired, please change it now"
@@ -249,6 +249,7 @@ int do_pam_account(char *username, char *remote_user)
 	}
 
 	pam_retval = pam_acct_mgmt(__pamh, 0);
+	debug2("pam_acct_mgmt() = %d", pam_retval);
 	switch (pam_retval) {
 		case PAM_SUCCESS:
 			/* This is what we want */

auth1.c

@@ -306,7 +306,8 @@ do_authloop(Authctxt *authctxt)
 			authenticated = 0;
 #endif
 #ifdef USE_PAM
-		if (authenticated && !do_pam_account(pw->pw_name, client_user))
+		if (!use_privsep && authenticated && 
+		    !do_pam_account(pw->pw_name, client_user))
 			authenticated = 0;
 #endif
 
@@ -381,7 +382,7 @@ do_authentication(void)
 	    use_privsep ? " [net]" : "");
 
 #ifdef USE_PAM
-	start_pam(authctxt->pw == NULL ? "NOUSER" : user);
+	PRIVSEP(start_pam(authctxt->pw == NULL ? "NOUSER" : user));
 #endif
 
 	/*

auth2.c

@@ -189,12 +189,12 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
 			authctxt->valid = 1;
 			debug2("input_userauth_request: setting up authctxt for %s", user);
 #ifdef USE_PAM
-			start_pam(authctxt->pw->pw_name);
+			PRIVSEP(start_pam(authctxt->pw->pw_name));
 #endif
 		} else {
 			log("input_userauth_request: illegal user %s", user);
 #ifdef USE_PAM
-			start_pam("NOUSER");
+			PRIVSEP(start_pam("NOUSER"));
 #endif
 		}
 		setproctitle("%s%s", authctxt->pw ? user : "unknown",
@@ -242,8 +242,8 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
 		authenticated = 0;
 
 #ifdef USE_PAM
-	if (authenticated && authctxt->user && !do_pam_account(authctxt->user,
-	    NULL))
+	if (!use_privsep && authenticated && authctxt->user && 
+	    !do_pam_account(authctxt->user, NULL))
 		authenticated = 0;
 #endif /* USE_PAM */
 

monitor.c

@@ -113,6 +113,10 @@ int mm_answer_rsa_response(int, Buffer *);
 int mm_answer_sesskey(int, Buffer *);
 int mm_answer_sessid(int, Buffer *);
 
+#ifdef USE_PAM
+int mm_answer_pam_start(int, Buffer *);
+#endif
+
 static Authctxt *authctxt;
 static BIGNUM *ssh1_challenge = NULL;	/* used for ssh1 rsa auth */
 
@@ -143,8 +147,9 @@ struct mon_table mon_dispatch_proto20[] = {
     {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
     {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
     {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
-#if !defined(USE_PAM)
     {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
+#ifdef USE_PAM
+    {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start},
 #endif
 #ifdef BSD_AUTH
     {MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
@@ -172,9 +177,7 @@ struct mon_table mon_dispatch_proto15[] = {
     {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
     {MONITOR_REQ_SESSKEY, MON_ONCE, mm_answer_sesskey},
     {MONITOR_REQ_SESSID, MON_ONCE, mm_answer_sessid},
-#if !defined(USE_PAM)
     {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
-#endif
     {MONITOR_REQ_RSAKEYALLOWED, MON_ISAUTH, mm_answer_rsa_keyallowed},
     {MONITOR_REQ_KEYALLOWED, MON_ISAUTH, mm_answer_keyallowed},
     {MONITOR_REQ_RSACHALLENGE, MON_ONCE, mm_answer_rsa_challenge},
@@ -260,6 +263,10 @@ monitor_child_preauth(struct monitor *monitor)
 			if (authctxt->pw->pw_uid == 0 &&
 			    !auth_root_allowed(auth_method))
 				authenticated = 0;
+#ifdef USE_PAM
+			if (!do_pam_account(authctxt->pw->pw_name, NULL))
+				authenticated = 0;
+#endif
 		}
 
 		if (ent->flags & MON_AUTHDECIDE) {
@@ -457,6 +464,9 @@ mm_answer_sign(int socket, Buffer *m)
 	/* Turn on permissions for getpwnam */
 	monitor_permit(mon_dispatch, MONITOR_REQ_PWNAM, 1);
 
+#ifdef USE_PAM
+	monitor_permit(mon_dispatch, MONITOR_REQ_PAM_START, 1);
+#endif
 	return (0);
 }
 
@@ -537,7 +547,6 @@ mm_answer_authserv(int socket, Buffer *m)
 	return (0);
 }
 
-#if !defined(USE_PAM)
 int
 mm_answer_authpassword(int socket, Buffer *m)
 {
@@ -566,7 +575,6 @@ mm_answer_authpassword(int socket, Buffer *m)
 	/* Causes monitor loop to terminate if authenticated */
 	return (authenticated);
 }
-#endif
 
 #ifdef BSD_AUTH
 int
@@ -673,6 +681,22 @@ mm_answer_skeyrespond(int socket, Buffer *m)
 }
 #endif
 
+#ifdef USE_PAM
+int
+mm_answer_pam_start(int socket, Buffer *m)
+{
+	char *user;
+	
+	user = buffer_get_string(m, NULL);
+
+	start_pam(user);
+
+	xfree(user);
+
+	return (0);
+}
+#endif
+
 static void
 mm_append_debug(Buffer *m)
 {

monitor.h

@@ -48,6 +48,7 @@ enum monitor_reqtype {
 	MONITOR_REQ_RSAKEYALLOWED, MONITOR_ANS_RSAKEYALLOWED,
 	MONITOR_REQ_RSACHALLENGE, MONITOR_ANS_RSACHALLENGE,
 	MONITOR_REQ_RSARESPONSE, MONITOR_ANS_RSARESPONSE,
+	MONITOR_REQ_PAM_START,
 	MONITOR_REQ_TERM,
 };
 

monitor_wrap.c

@@ -623,6 +623,23 @@ mm_session_pty_cleanup2(void *session)
 	s->ttyfd = -1;
 }
 
+#ifdef USE_PAM
+void
+mm_start_pam(char *user)
+{
+	Buffer m;
+
+	debug3("%s entering", __FUNCTION__);
+
+	buffer_init(&m);
+	buffer_put_cstring(&m, user);
+
+	mm_request_send(monitor->m_recvfd, MONITOR_REQ_PAM_START, &m);
+
+	buffer_free(&m);
+}
+#endif /* USE_PAM */
+
 /* Request process termination */
 
 void

monitor_wrap.h

@@ -54,6 +54,10 @@ int mm_auth_rsa_key_allowed(struct passwd *, BIGNUM *, Key **);
 int mm_auth_rsa_verify_response(Key *, BIGNUM *, u_char *);
 BIGNUM *mm_auth_rsa_generate_challenge(Key *);
 
+#ifdef USE_PAM
+void mm_start_pam(char *);
+#endif
+
 void mm_terminate(void);
 int mm_pty_allocate(int *, int *, char *, int);
 void mm_session_pty_cleanup2(void *);