From 82cf0ceea899d4c7a47bdec79eea6dc2a8576bc7 Mon Sep 17 00:00:00 2001
From: Damien Miller <djm@mindrot.org>
Date: Wed, 20 Dec 2000 13:34:48 +1100
Subject: [PATCH]  - (djm) Workaround PAM inconsistencies between Solaris
 derived PAM code    and Linux-PAM. Based on report and fix from Andrew Morgan
    <morgan@transmeta.com>

---
 CREDITS      |  1 +
 ChangeLog    |  5 +++++
 acconfig.h   |  4 ++++
 auth-pam.c   | 12 ++++++------
 auth2-pam.c  | 18 +++++++++---------
 configure.in | 10 ++++++++++
 defines.h    |  6 ++++++
 7 files changed, 41 insertions(+), 15 deletions(-)

diff --git a/CREDITS b/CREDITS
index b8c54824a..797b1895a 100644
--- a/CREDITS
+++ b/CREDITS
@@ -8,6 +8,7 @@ Alexandre Oliva <oliva@lsd.ic.unicamp.br> - AIX fixes
 Andre Lucas <andre.lucas@dial.pipex.com> - new login code, many fixes
 Andreas Steinmetz <ast@domdv.de> - Shadow password expiry support
 Andrew McGill <andrewm@datrix.co.za> - SCO fixes
+Andrew Morgan <morgan@transmeta.com> - PAM bugfixes
 Andrew Stribblehill <a.d.stribblehill@durham.ac.uk> - Bugfixes
 Andy Sloane <andy@guildsoftware.com> - bugfixes
 Aran Cox <acox@cv.telegroup.com> - SCO bugfixes
diff --git a/ChangeLog b/ChangeLog
index 38bd2b3f4..a99195e5d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+20001220
+ - (djm) Workaround PAM inconsistencies between Solaris derived PAM code 
+   and Linux-PAM. Based on report and fix from Andrew Morgan
+   <morgan@transmeta.com>
+
 20001218
  - (stevesk) rsa.c: entropy.h not needed.
  - (bal) split CFLAGS into CFLAGS and CPPFLAGS in configure.in and Makefile.
diff --git a/acconfig.h b/acconfig.h
index bfbacba42..21832fe2d 100644
--- a/acconfig.h
+++ b/acconfig.h
@@ -218,6 +218,10 @@
 /* to pam_strerror */
 #undef HAVE_OLD_PAM
 
+/* Define if you are using Solaris-derived PAM which passes pam_messages  */
+/* to the conversation function with an extra level of indirection */
+#undef PAM_SUN_CODEBASE
+ 
 /* Set this to your mail directory if you don't have maillock.h */
 #undef MAIL_DIRECTORY
 
diff --git a/auth-pam.c b/auth-pam.c
index 1e077602e..07847cb9d 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -29,7 +29,7 @@
 #include "xmalloc.h"
 #include "servconf.h"
 
-RCSID("$Id: auth-pam.c,v 1.19 2000/12/03 00:51:51 djm Exp $");
+RCSID("$Id: auth-pam.c,v 1.20 2000/12/20 02:34:49 djm Exp $");
 
 #define NEW_AUTHTOK_MSG \
 	"Warning: Your password has expired, please change it now"
@@ -97,13 +97,13 @@ static int pamconv(int num_msg, const struct pam_message **msg,
 		return PAM_CONV_ERR; 
 
 	for (count = 0; count < num_msg; count++) {
-		switch ((*msg)[count].msg_style) {
+		switch(PAM_MSG_MEMBER(msg, count, msg_style)) {
 			case PAM_PROMPT_ECHO_ON:
 				if (pamstate == INITIAL_LOGIN) {
 					free(reply);
 					return PAM_CONV_ERR;
 				} else {
-					fputs((*msg)[count].msg, stderr);
+					fputs(PAM_MSG_MEMBER(msg, count, msg), stderr);
 					fgets(buf, sizeof(buf), stdin);
 					reply[count].resp = xstrdup(buf);
 					reply[count].resp_retcode = PAM_SUCCESS;
@@ -118,7 +118,7 @@ static int pamconv(int num_msg, const struct pam_message **msg,
 					reply[count].resp = xstrdup(pampasswd);
 				} else {
 					reply[count].resp = 
-						xstrdup(read_passphrase((*msg)[count].msg, 1));
+						xstrdup(read_passphrase(PAM_MSG_MEMBER(msg, count, msg), 1));
 				}
 				reply[count].resp_retcode = PAM_SUCCESS;
 				break;
@@ -126,9 +126,9 @@ static int pamconv(int num_msg, const struct pam_message **msg,
 			case PAM_TEXT_INFO:
 				if ((*msg)[count].msg != NULL) {
 					if (pamstate == INITIAL_LOGIN)
-						pam_msg_cat((*msg)[count].msg);
+						pam_msg_cat(PAM_MSG_MEMBER(msg, count, msg));
 					else {
-						fputs((*msg)[count].msg, stderr);
+						fputs(PAM_MSG_MEMBER(msg, count, msg), stderr);
 						fputs("\n", stderr);
 					}
 				}
diff --git a/auth2-pam.c b/auth2-pam.c
index 8ffbc244c..30e02101e 100644
--- a/auth2-pam.c
+++ b/auth2-pam.c
@@ -1,5 +1,5 @@
 #include "includes.h"
-RCSID("$Id: auth2-pam.c,v 1.1 2000/12/03 00:51:51 djm Exp $");
+RCSID("$Id: auth2-pam.c,v 1.2 2000/12/20 02:34:49 djm Exp $");
 
 #ifdef USE_PAM
 #include "ssh.h"
@@ -70,8 +70,8 @@ do_conversation2(int num_msg, const struct pam_message **msg,
 	packet_put_cstring("");				/* Instructions */
 	packet_put_cstring("");				/* Language */
 	for (i = 0, j = 0; i < num_msg; i++) {
-		if(((*msg)[i].msg_style == PAM_PROMPT_ECHO_ON) ||
-		   ((*msg)[i].msg_style == PAM_PROMPT_ECHO_OFF) ||
+		if((PAM_MSG_MEMBER(msg, i, msg_style) == PAM_PROMPT_ECHO_ON) ||
+		   (PAM_MSG_MEMBER(msg, i, msg_style) == PAM_PROMPT_ECHO_OFF) ||
 		   (i == num_msg - 1)) {
 			j++;
 		}
@@ -79,7 +79,7 @@ do_conversation2(int num_msg, const struct pam_message **msg,
 	packet_put_int(j);				/* Number of prompts. */
 	context_pam2.num_expected = j;
 	for (i = 0, j = 0; i < num_msg; i++) {
-		switch((*msg)[i].msg_style) {
+		switch(PAM_MSG_MEMBER(msg, i, msg_style)) {
 			case PAM_PROMPT_ECHO_ON:
 				echo = 1;
 				break;
@@ -91,18 +91,18 @@ do_conversation2(int num_msg, const struct pam_message **msg,
 				break;
 		}
 		if(text) {
-			tmp = xmalloc(strlen(text) + strlen((*msg)[i].msg) + 2);
+			tmp = xmalloc(strlen(text) + strlen(PAM_MSG_MEMBER(msg, i, msg)) + 2);
 			strcpy(tmp, text);
 			strcat(tmp, "\n");
-			strcat(tmp, (*msg)[i].msg);
+			strcat(tmp, PAM_MSG_MEMBER(msg, i, msg));
 			xfree(text);
 			text = tmp;
 			tmp = NULL;
 		} else {
-			text = xstrdup((*msg)[i].msg);
+			text = xstrdup(PAM_MSG_MEMBER(msg, i, msg));
 		}
-		if(((*msg)[i].msg_style == PAM_PROMPT_ECHO_ON) ||
-		   ((*msg)[i].msg_style == PAM_PROMPT_ECHO_OFF) ||
+		if((PAM_MSG_MEMBER(msg, i, msg_style) == PAM_PROMPT_ECHO_ON) ||
+		   (PAM_MSG_MEMBER(msg, i, msg_style) == PAM_PROMPT_ECHO_OFF) ||
 		   (i == num_msg - 1)) {
 			debug("sending prompt ssh-%d(pam-%d) = \"%s\"",
 			      j, i, text);
diff --git a/configure.in b/configure.in
index 9f3b10c43..4601cd38b 100644
--- a/configure.in
+++ b/configure.in
@@ -88,6 +88,7 @@ case "$host" in
 *-*-hpux11*)
 	CPPFLAGS="$CPPFLAGS -D_HPUX_SOURCE"
 	IPADDR_IN_DISPLAY=yes
+	AC_DEFINE(PAM_SUN_CODEBASE)
 	AC_DEFINE(USE_PIPES)
 	AC_DEFINE(DISABLE_SHADOW)
 	AC_DEFINE(DISABLE_UTMP)
@@ -149,6 +150,7 @@ mips-sony-bsd|mips-sony-newsos4)
 	CPPFLAGS="$CPPFLAGS -I/usr/local/include"
 	LDFLAGS="$LDFLAGS -L/usr/local/lib -R/usr/local/lib -L/usr/ucblib -R/usr/ucblib"
 	need_dash_r=1
+	AC_DEFINE(PAM_SUN_CODEBASE)
 	# hardwire lastlog location (can't detect it on some versions)
 	conf_lastlog_location="/var/adm/lastlog"
 	AC_MSG_CHECKING(for obsolete utmp and wtmp in solaris2.x)
@@ -164,6 +166,7 @@ mips-sony-bsd|mips-sony-newsos4)
 *-*-sunos4*)
 	CPPFLAGS="$CPPFLAGS -DSUNOS4"
 	AC_CHECK_FUNCS(getpwanam)
+	AC_DEFINE(PAM_SUN_CODEBASE)
 	conf_utmp_location=/etc/utmp
 	conf_wtmp_location=/var/adm/wtmp
 	conf_lastlog_location=/var/adm/lastlog
@@ -1614,6 +1617,13 @@ echo "         Libraries: ${LIBS}"
 
 echo ""
 
+if test "x$PAM_MSG" = "xyes" ; then
+	echo "PAM is enabled. You may need to install a PAM control file for sshd,"
+	echo "otherwise password authentication may fail. Example PAM control files"
+	echo "can be found in the contrib/ subdirectory"
+	echo ""
+fi
+
 if test ! -z "$BUILTIN_RNG" ; then
 	echo "WARNING: you are using the builtin random number collection service."
 	echo "Please read WARNING.RNG and request that your OS vendor includes"
diff --git a/defines.h b/defines.h
index 642b00797..4c3941cad 100644
--- a/defines.h
+++ b/defines.h
@@ -340,6 +340,12 @@ struct winsize {
 # define PAM_STRERROR(a,b) pam_strerror((a),(b))
 #endif
 
+#ifdef PAM_SUN_CODEBASE
+# define PAM_MSG_MEMBER(msg, n, member) ((*(msg))[(n)].member)
+#else
+# define PAM_MSG_MEMBER(msg, n, member) ((msg)[(n)]->member)
+#endif
+
 #if defined(BROKEN_GETADDRINFO) && defined(HAVE_GETADDRINFO)
 # undef HAVE_GETADDRINFO
 #endif /* defined(BROKEN_GETADDRINFO) && defined(HAVE_GETADDRINFO) */