- (djm) Added patch from Chris Adams <cmadams@hiwaay.net> to add OSF SIA

support. Enable using "USE_SIA=1 ./configure [options]"

CREDITS

@@ -13,6 +13,7 @@ Ben Lindstrom <mouring@pconline.com> - NeXT support
 Ben Taylor <bent@clark.net> - Solaris debugging and fixes
 Bratislav ILICH <bilic@zepter.ru> - Configure fix
 Chip Salzenberg <chip@valinux.com> - Assorted patches
+Chris Adams <cmadams@hiwaay.net> - OSF SIA support
 Chris Saia <csaia@wtower.com> - SuSE packaging
 Chris, the Young One <cky@pobox.com> - Password auth fixes
 Christos Zoulas <christos@zoulas.com> - Autoconf fixes

ChangeLog

@@ -4,7 +4,9 @@
  - (djm) Patch from Michael Stone <mstone@cs.loyola.edu> to add support for
    Irix 6.x array sessions, project id's, and system audit trail id.
  - (djm) Added 'distprep' make target to simplify packaging
-
+ - (djm) Added patch from Chris Adams <cmadams@hiwaay.net> to add OSF SIA 
+   support. Enable using "USE_SIA=1 ./configure [options]"
+   
 20000627
  - (djm) Fixes to login code - not setting li->uid, cleanups
  - (djm) Formatting

acconfig.h

@@ -148,6 +148,9 @@
 /* Define if you want have trusted HPUX */
 #undef HAVE_HPUX_TRUSTED_SYSTEM_PW
 
+/* Define if you have Digital Unix Security Integration Architecture */
+#undef HAVE_OSF_SIA
+
 /* Define if you have getpwanam(3) [SunOS 4.x] */
 #undef HAVE_GETPWANAM
 

auth-passwd.c

@@ -9,10 +9,10 @@
 
 #include "includes.h"
 
-#ifndef USE_PAM
-
 RCSID("$OpenBSD: auth-passwd.c,v 1.16 2000/06/20 01:39:38 markus Exp $");
 
+#if !defined(USE_PAM) && !defined(HAVE_OSF_SIA)
+
 #include "packet.h"
 #include "ssh.h"
 #include "servconf.h"
@@ -139,4 +139,4 @@ auth_password(struct passwd * pw, const char *password)
 	/* Authentication is accepted if the encrypted passwords are identical. */
 	return (strcmp(encrypted_password, pw_password) == 0);
 }
-#endif /* !USE_PAM */
+#endif /* !USE_PAM && !HAVE_OSF_SIA */

auth1.c

@@ -18,6 +18,11 @@ RCSID("$OpenBSD: auth1.c,v 1.2 2000/04/29 18:11:52 markus Exp $");
 #include "auth.h"
 #include "session.h"
 
+#ifdef HAVE_OSF_SIA
+# include <sia.h>
+# include <siad.h>
+#endif
+
 /* import */
 extern ServerOptions options;
 extern char *forced_command;
@@ -141,6 +146,10 @@ do_authloop(struct passwd * pw)
 	unsigned int ulen;
 	int type = 0;
 	void (*authlog) (const char *fmt,...) = verbose;
+#ifdef HAVE_OSF_SIA
+	extern int saved_argc;
+	extern char **saved_argv;
+#endif /* HAVE_OSF_SIA */
 
 	/* Indicate that authentication is needed. */
 	packet_start(SSH_SMSG_FAILURE);
@@ -299,7 +308,15 @@ do_authloop(struct passwd * pw)
 #ifdef USE_PAM
 			/* Do PAM auth with password */
 			authenticated = auth_pam_password(pw, password);
-#else /* USE_PAM */
+#elif defined(HAVE_OSF_SIA)
+			/* Do SIA auth with password */
+			host = get_canonical_hostname();
+			if (sia_validate_user(NULL, saved_argc, saved_argv, 
+				get_canonical_hostname(), pw->pw_name, NULL, 0, 
+				NULL, password) == SIASUCCESS) {
+				authenticated = 1;
+			}
+#else /* !USE_PAM && !HAVE_OSF_SIA */
 			/* Try authentication with the password. */
 			authenticated = auth_password(pw, password);
 #endif /* USE_PAM */

auth2.c

@@ -56,6 +56,11 @@ RCSID("$OpenBSD: auth2.c,v 1.11 2000/06/19 00:50:11 markus Exp $");
 #include "uidswap.h"
 #include "auth-options.h"
 
+#ifdef HAVE_OSF_SIA
+# include <sia.h>
+# include <siad.h>
+#endif
+
 /* import */
 extern ServerOptions options;
 extern unsigned char *session_id2;
@@ -244,10 +249,20 @@ input_userauth_request(int type, int plen)
 int
 ssh2_auth_none(struct passwd *pw)
 {
+#ifdef HAVE_OSF_SIA
+	extern int saved_argc;
+	extern char **saved_argv;
+#endif
+
 	packet_done();
+
 #ifdef USE_PAM
 	return auth_pam_password(pw, "");
-#else /* USE_PAM */
+#elif defined(HAVE_OSF_SIA)
+	return(sia_validate_user(NULL, saved_argc, saved_argv, 
+		get_canonical_hostname(), pw->pw_name, NULL, 0, NULL, 
+		"") == SIASUCCESS);
+#else /* !HAVE_OSF_SIA && !USE_PAM */
 	return auth_password(pw, "");
 #endif /* USE_PAM */
 }
@@ -258,6 +273,10 @@ ssh2_auth_password(struct passwd *pw)
 	int authenticated = 0;
 	int change;
 	unsigned int len;
+#ifdef HAVE_OSF_SIA
+	extern int saved_argc;
+	extern char **saved_argv;
+#endif
 	change = packet_get_char();
 	if (change)
 		log("password change not supported");
@@ -266,7 +285,11 @@ ssh2_auth_password(struct passwd *pw)
 	if (options.password_authentication &&
 #ifdef USE_PAM
 	    auth_pam_password(pw, password) == 1)
-#else /* USE_PAM */
+#elif defined(HAVE_OSF_SIA)
+	    sia_validate_user(NULL, saved_argc, saved_argv, 
+		 	get_canonical_hostname(), pw->pw_name, NULL, 0, 
+			NULL, password) == SIASUCCESS)
+#else /* !USE_PAM && !HAVE_OSF_SIA */
 	    auth_password(pw, password) == 1)
 #endif /* USE_PAM */
 		authenticated = 1;

bsd-snprintf.c

@@ -126,7 +126,7 @@ vsnprintf(str, n, fmt, ap)
 	char *str;
 	size_t n;
 	char *fmt;
-	va_list *ap;
+	va_list ap;
 {
 	struct sigaction osa, nsa;
 	char *p;

bsd-snprintf.h

@@ -10,7 +10,7 @@ int snprintf(char *str, size_t n, char const *fmt, ...);
 #endif /* !HAVE_SNPRINTF */
 
 #ifndef HAVE_VSNPRINTF
-int vsnprintf(char *str, size_t n, char *fmt, va_list *ap);
+int vsnprintf(char *str, size_t n, char *fmt, va_list ap);
 #endif /* !HAVE_SNPRINTF */
 
 

configure.in

@@ -150,6 +150,20 @@ case "$host" in
 	LIBS="$LIBS -lgen -lsocket"
 	no_dev_ptmx=1
 	;;
+*-dec-osf*)
+# This is untested
+	if test ! -z "USE_SIA" ; then
+		AC_MSG_CHECKING(for Digital Unix Security Integration Architecture)
+		if test -f /etc/sia/matrix.conf; then
+			AC_MSG_RESULT(yes)
+			AC_DEFINE(HAVE_OSF_SIA)
+			AC_DEFINE(DISABLE_LOGIN)
+			LIBS="$LIBS -lsecurity -ldb -lm -laud"
+		else
+			AC_MSG_RESULT(no)
+		fi
+	fi
+	;;
 esac
 
 # Allow user to specify flags

session.c

@@ -32,6 +32,11 @@ RCSID("$OpenBSD: session.c,v 1.20 2000/06/18 04:42:54 markus Exp $");
 #include <proj.h>
 #endif /* WITH_IRIX_PROJECT */
 
+#ifdef HAVE_OSF_SIA
+# include <sia.h>
+# include <siad.h>
+#endif
+
 /* types */
 
 #define TTYSZ 64
@@ -823,14 +828,32 @@ do_child(const char *command, struct passwd * pw, const char *term,
 	}
 #endif /* USE_PAM */
 
+#ifndef HAVE_OSF_SIA
 	/* Set login name in the kernel. */
 	if (setlogin(pw->pw_name) < 0)
 		error("setlogin failed: %s", strerror(errno));
+#endif
 
 	/* Set uid, gid, and groups. */
 	/* Login(1) does this as well, and it needs uid 0 for the "-h"
 	   switch, so we let login(1) to this for us. */
 	if (!options.use_login) {
+#ifdef HAVE_OSF_SIA
+		extern char **saved_argv;
+		extern int saved_argc;
+		char *host = get_canonical_hostname ();
+
+		if (sia_become_user(NULL, saved_argc, saved_argv, host,
+		    pw->pw_name, ttyname, 0, NULL, NULL, SIA_BEU_SETLUID) !=
+		    SIASUCCESS) {
+			perror("sia_become_user");
+			exit(1);
+		}
+		if (setreuid(geteuid(), geteuid()) < 0) {
+			perror("setreuid");
+			exit(1);
+		}
+#else /* HAVE_OSF_SIA */
 		if (getuid() == 0 || geteuid() == 0) {
 			if (setgid(pw->pw_gid) < 0) {
 				perror("setgid");
@@ -867,6 +890,7 @@ do_child(const char *command, struct passwd * pw, const char *term,
 		}
 		if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
 			fatal("Failed to set uids to %d.", (int) pw->pw_uid);
+#endif /* HAVE_OSF_SIA */
 	}
 	/*
 	 * Get the shell from the password data.  An empty shell field is

sshd.c

@@ -88,6 +88,7 @@ char *av0;
 
 /* Saved arguments to main(). */
 char **saved_argv;
+int saved_argc;
 
 /*
  * The sockets that the server is listening; this is used in the SIGHUP
@@ -422,6 +423,7 @@ main(int ac, char **av)
 	int listen_sock, maxfd;
 
 	/* Save argv[0]. */
+	saved_argc = ac;
 	saved_argv = av;
 	if (strchr(av[0], '/'))
 		av0 = strrchr(av[0], '/') + 1;