add a sshd_config PamServiceName option

Allows selecting which PAM service name to use when UsePAM is
enabled. Defaults to "sshd" unless overridden at compile time
by defining SSHD_PAM_SERVICE.

bz2102, ok dtucker@
Damien Miller 2024-06-14 14:19:23 +10:00
parent 9f032a4dd1
commit b2c64bc170
4 changed files with 37 additions and 9 deletions


@ -67,10 +67,6 @@
#include <pam/pam_appl.h> #include <pam/pam_appl.h>
#endif #endif
#if !defined(SSHD_PAM_SERVICE)
# define SSHD_PAM_SERVICE "sshd"
#endif
/* OpenGroup RFC86.0 and XSSO specify no "const" on arguments */ /* OpenGroup RFC86.0 and XSSO specify no "const" on arguments */
#ifdef PAM_SUN_CODEBASE #ifdef PAM_SUN_CODEBASE
# define sshpam_const /* Solaris, HP-UX, SunOS */ # define sshpam_const /* Solaris, HP-UX, SunOS */
@ -693,6 +689,8 @@ sshpam_init(struct ssh *ssh, Authctxt *authctxt)
const char **ptr_pam_user = &pam_user; const char **ptr_pam_user = &pam_user;
int r; int r;
if (options.pam_service_name == NULL)
fatal_f("internal error: NULL PAM service name");
#if defined(PAM_SUN_CODEBASE) && defined(PAM_MAX_RESP_SIZE) #if defined(PAM_SUN_CODEBASE) && defined(PAM_MAX_RESP_SIZE)
/* Protect buggy PAM implementations from excessively long usernames */ /* Protect buggy PAM implementations from excessively long usernames */
if (strlen(user) >= PAM_MAX_RESP_SIZE) if (strlen(user) >= PAM_MAX_RESP_SIZE)
@ -714,9 +712,10 @@ sshpam_init(struct ssh *ssh, Authctxt *authctxt)
pam_end(sshpam_handle, sshpam_err); pam_end(sshpam_handle, sshpam_err);
sshpam_handle = NULL; sshpam_handle = NULL;
} }
debug("PAM: initializing for \"%s\"", user); debug("PAM: initializing for \"%s\" with service \"%s\"", user,
sshpam_err = options.pam_service_name);
pam_start(SSHD_PAM_SERVICE, user, &store_conv, &sshpam_handle); sshpam_err = pam_start(options.pam_service_name, user,
&store_conv, &sshpam_handle);
sshpam_authctxt = authctxt; sshpam_authctxt = authctxt;
if (sshpam_err != PAM_SUCCESS) { if (sshpam_err != PAM_SUCCESS) {
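Review bot: The pam_end()/`sshpam_handle = NULL` path at the top of this hunk is the existing-context teardown whose condition starts above the hunk; if that condition compares only the PAM user with `user`, a handle started under one service name is reused unchanged when `options.pam_service_name` later differs, and because the option is registered with SSHCFG_ALL in servconf.c (L82) it looks like a Match block can change it. If that ordering is reachable, the reuse check should also cover the service name, for example by keeping the name last passed to pam_start() in a file-scope `static char *sshpam_service` and ending the context when `strcmp(sshpam_service, options.pam_service_name) != 0`; if it is not reachable, a comment above the check saying that the service name is fixed before the first sshpam_init() call would record that assumption. The added fatal_f() guard on a NULL service name is a reasonable defensive check. sshpam_init's body starts and ends outside the hunk.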


@ -69,6 +69,10 @@
#include "myproposal.h" #include "myproposal.h"
#include "digest.h" #include "digest.h"
#if !defined(SSHD_PAM_SERVICE)
# define SSHD_PAM_SERVICE "sshd"
#endif
static void add_listen_addr(ServerOptions *, const char *, static void add_listen_addr(ServerOptions *, const char *,
const char *, int); const char *, int);
static void add_one_listen_addr(ServerOptions *, const char *, static void add_one_listen_addr(ServerOptions *, const char *,
@ -88,6 +92,7 @@ initialize_server_options(ServerOptions *options)
/* Portable-specific options */ /* Portable-specific options */
options->use_pam = -1; options->use_pam = -1;
options->pam_service_name = NULL;
/* Standard Options */ /* Standard Options */
options->num_ports = 0; options->num_ports = 0;
@ -291,6 +296,8 @@ fill_default_server_options(ServerOptions *options)
/* Portable-specific options */ /* Portable-specific options */
if (options->use_pam == -1) if (options->use_pam == -1)
options->use_pam = 0; options->use_pam = 0;
if (options->pam_service_name == NULL)
options->pam_service_name = xstrdup(SSHD_PAM_SERVICE);
/* Standard Options */ /* Standard Options */
if (options->num_host_key_files == 0) { if (options->num_host_key_files == 0) {
@ -530,7 +537,7 @@ fill_default_server_options(ServerOptions *options)
typedef enum { typedef enum {
sBadOption, /* == unknown option */ sBadOption, /* == unknown option */
/* Portable-specific options */ /* Portable-specific options */
sUsePAM, sUsePAM, sPAMServiceName,
/* Standard Options */ /* Standard Options */
sPort, sHostKeyFile, sLoginGraceTime, sPort, sHostKeyFile, sLoginGraceTime,
sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose, sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
@ -583,8 +590,10 @@ static struct {
/* Portable-specific options */ /* Portable-specific options */
#ifdef USE_PAM #ifdef USE_PAM
{ "usepam", sUsePAM, SSHCFG_GLOBAL }, { "usepam", sUsePAM, SSHCFG_GLOBAL },
{ "pamservicename", sPAMServiceName, SSHCFG_ALL },
#else #else
{ "usepam", sUnsupported, SSHCFG_GLOBAL }, { "usepam", sUnsupported, SSHCFG_GLOBAL },
{ "pamservicename", sUnsupported, SSHCFG_ALL },
#endif #endif
{ "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL }, { "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
/* Standard Options */ /* Standard Options */
@ -1318,6 +1327,16 @@ process_server_config_line_depth(ServerOptions *options, char *line,
case sUsePAM: case sUsePAM:
intptr = &options->use_pam; intptr = &options->use_pam;
goto parse_flag; goto parse_flag;
case sPAMServiceName:
charptr = &options->pam_service_name;
arg = argv_next(&ac, &av);
if (!arg || *arg == '\0') {
fatal("%s line %d: missing argument.",
filename, linenum);
}
if (*activep && *charptr == NULL)
*charptr = xstrdup(arg);
break;
/* Standard Options */ /* Standard Options */
case sBadOption: case sBadOption:
@ -3128,6 +3147,7 @@ dump_config(ServerOptions *o)
/* integer arguments */ /* integer arguments */
#ifdef USE_PAM #ifdef USE_PAM
dump_cfg_fmtint(sUsePAM, o->use_pam); dump_cfg_fmtint(sUsePAM, o->use_pam);
dump_cfg_string(sPAMServiceName, o->pam_service_name);
#endif #endif
dump_cfg_int(sLoginGraceTime, o->login_grace_time); dump_cfg_int(sLoginGraceTime, o->login_grace_time);
dump_cfg_int(sX11DisplayOffset, o->x11_display_offset); dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
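Review bot: `case sPAMServiceName` (L93-102) accepts any non-empty token, and the value is handed straight to pam_start() as the service name, which the PAM library uses to select its per-service configuration; a name containing a path separator is never meaningful there and is most likely a misconfiguration, so rejecting it at parse time would give the administrator an error at the config line instead of a PAM-side failure, e.g. `if (strchr(arg, '/') != NULL) fatal("%s line %d: invalid PAM service name.", filename, linenum);`. The value comes from sshd_config, so this is input validation against operator error rather than against an attacker. The first-set-wins `*charptr == NULL` handling matches the other string options in this function. process_server_config_line_depth's body starts and ends outside the hunk.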


@ -210,6 +210,7 @@ typedef struct {
char *adm_forced_command; char *adm_forced_command;
int use_pam; /* Enable auth via PAM */ int use_pam; /* Enable auth via PAM */
char *pam_service_name;
int permit_tun; int permit_tun;
@ -294,6 +295,7 @@ TAILQ_HEAD(include_list, include_item);
M_CP_STROPT(ca_sign_algorithms); \ M_CP_STROPT(ca_sign_algorithms); \
M_CP_STROPT(routing_domain); \ M_CP_STROPT(routing_domain); \
M_CP_STROPT(permit_user_env_allowlist); \ M_CP_STROPT(permit_user_env_allowlist); \
M_CP_STROPT(pam_service_name); \
M_CP_STRARRAYOPT(authorized_keys_files, num_authkeys_files); \ M_CP_STRARRAYOPT(authorized_keys_files, num_authkeys_files); \
M_CP_STRARRAYOPT(allow_users, num_allow_users); \ M_CP_STRARRAYOPT(allow_users, num_allow_users); \
M_CP_STRARRAYOPT(deny_users, num_deny_users); \ M_CP_STRARRAYOPT(deny_users, num_deny_users); \
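Review bot: The new `char *pam_service_name;` field at L119 is the only one in its neighbourhood without a trailing comment, while `use_pam` beside it documents its purpose; a short note would keep the struct self-describing, e.g. `char *pam_service_name;	/* PAM service name passed to pam_start() */`. The M_CP_STROPT addition at L125 is what makes the value Match-overridable, which may be worth saying in that comment too, since the field otherwise reads as a global-only setting. The struct and macro both continue outside the hunks.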


@ -1368,10 +1368,17 @@ and
key exchange methods. key exchange methods.
The default is The default is
.Pa /etc/moduli . .Pa /etc/moduli .
.It Cm PAMServiceName
Specifies the service name used for Pluggable Authentication Modules (PAM)
authentication, authorisation and session controls when
.Cm UsePAM
is enabled.
The default is
.Cm sshd .
.It Cm PasswordAuthentication .It Cm PasswordAuthentication
Specifies whether password authentication is allowed. Specifies whether password authentication is allowed.
The default is The default is
.Cm yes . .Cm sshd .
.It Cm PermitEmptyPasswords .It Cm PermitEmptyPasswords
When password authentication is allowed, it specifies whether the When password authentication is allowed, it specifies whether the
server allows login to accounts with empty password strings. server allows login to accounts with empty password strings.
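Review bot: The hunk also changes the documented default of PasswordAuthentication from `.Cm yes .` to `.Cm sshd .` at L146, which looks like an accidental edit made while inserting the PAMServiceName entry above it; the file-level diffstat (37 additions, 9 deletions) only adds up if this line is a genuine change rather than a rendering artefact. The line under PasswordAuthentication should be restored to `.Cm yes .`. The new PAMServiceName text could additionally state that the name selects which PAM service configuration is consulted, so that an administrator understands a misspelled name changes which authentication policy applies rather than producing an error in sshd.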