diff --git a/CREDITS b/CREDITS
index 1774e2760..4bcb1ae68 100644
--- a/CREDITS
+++ b/CREDITS
@@ -13,6 +13,7 @@ Ben Lindstrom - NeXT support Ben Taylor - Solaris debugging and fixes Bratislav ILICH - Configure fix Chip Salzenberg - Assorted patches +Chris Adams - OSF SIA support Chris Saia - SuSE packaging Chris, the Young One - Password auth fixes Christos Zoulas - Autoconf fixes
diff --git a/ChangeLog b/ChangeLog
index 6398238b3..ea4667ad2 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -4,7 +4,9 @@ - (djm) Patch from Michael Stone to add support for Irix 6.x array sessions, project id's, and system audit trail id. - (djm) Added 'distprep' make target to simplify packaging - + - (djm) Added patch from Chris Adams to add OSF SIA + support. Enable using "USE_SIA=1 ./configure [options]" + 20000627 - (djm) Fixes to login code - not setting li->uid, cleanups - (djm) Formatting
diff --git a/acconfig.h b/acconfig.h
index 0a042587f..6f375212c 100644
--- a/acconfig.h
+++ b/acconfig.h
@@ -148,6 +148,9 @@ /* Define if you want have trusted HPUX */ #undef HAVE_HPUX_TRUSTED_SYSTEM_PW +/* Define if you have Digital Unix Security Integration Architecture */ +#undef HAVE_OSF_SIA + /* Define if you have getpwanam(3) [SunOS 4.x] */ #undef HAVE_GETPWANAM
diff --git a/auth-passwd.c b/auth-passwd.c
index d722122c7..93756e9e6 100644
--- a/auth-passwd.c
+++ b/auth-passwd.c
@@ -9,10 +9,10 @@ #include "includes.h" -#ifndef USE_PAM - RCSID("$OpenBSD: auth-passwd.c,v 1.16 2000/06/20 01:39:38 markus Exp $"); +#if !defined(USE_PAM) && !defined(HAVE_OSF_SIA) + #include "packet.h" #include "ssh.h" #include "servconf.h"
@@ -139,4 +139,4 @@ auth_password(struct passwd * pw, const char *password) /* Authentication is accepted if the encrypted passwords are identical. */ return (strcmp(encrypted_password, pw_password) == 0); } -#endif /* !USE_PAM */ +#endif /* !USE_PAM && !HAVE_OSF_SIA */
diff --git a/auth1.c b/auth1.c
index 3e7efcb2a..0d440e521 100644
--- a/auth1.c
+++ b/auth1.c
@@ -18,6 +18,11 @@ RCSID("$OpenBSD: auth1.c,v 1.2 2000/04/29 18:11:52 markus Exp $"); #include "auth.h" #include "session.h" +#ifdef HAVE_OSF_SIA +# include +# include +#endif + /* import */ extern ServerOptions options; extern char *forced_command;
@@ -141,6 +146,10 @@ do_authloop(struct passwd * pw) unsigned int ulen; int type = 0; void (*authlog) (const char *fmt,...) = verbose; +#ifdef HAVE_OSF_SIA + extern int saved_argc; + extern char **saved_argv; +#endif /* HAVE_OSF_SIA */ /* Indicate that authentication is needed. */ packet_start(SSH_SMSG_FAILURE);
@@ -299,7 +308,15 @@ do_authloop(struct passwd * pw) #ifdef USE_PAM /* Do PAM auth with password */ authenticated = auth_pam_password(pw, password); -#else /* USE_PAM */ +#elif defined(HAVE_OSF_SIA) + /* Do SIA auth with password */ + host = get_canonical_hostname(); + if (sia_validate_user(NULL, saved_argc, saved_argv, + get_canonical_hostname(), pw->pw_name, NULL, 0, + NULL, password) == SIASUCCESS) { + authenticated = 1; + } +#else /* !USE_PAM && !HAVE_OSF_SIA */ /* Try authentication with the password. */ authenticated = auth_password(pw, password); #endif /* USE_PAM */
diff --git a/auth2.c b/auth2.c
index a3d4ab60e..f20953a86 100644
--- a/auth2.c
+++ b/auth2.c
@@ -56,6 +56,11 @@ RCSID("$OpenBSD: auth2.c,v 1.11 2000/06/19 00:50:11 markus Exp $"); #include "uidswap.h" #include "auth-options.h" +#ifdef HAVE_OSF_SIA +# include +# include +#endif + /* import */ extern ServerOptions options; extern unsigned char *session_id2;
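Review bot: The `HAVE_OSF_SIA` branch in do_authloop (auth1.c, third hunk) passes the client's password straight to `sia_validate_user()` instead of `auth_password()`, so any sshd-side policy that function applies before comparing hashes is skipped on SIA builds. Its body is not in this diff; presumably that policy covers the empty-password and root-login options. The same substitution is made in auth2.c for ssh2_auth_password and for ssh2_auth_none, which submits `""`, so an account with an empty SIA password would be accepted by the "none" method. I would put the SIA call behind one helper that first applies those option checks, for example `if (*password == '\0' && !options.permit_empty_passwd) return 0;`, and call it from all three places. Separately, `host = get_canonical_hostname();` assigns a variable whose declaration is not visible in the hunk and the call is then repeated in the argument list; pass `host` or drop the assignment.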
@@ -244,10 +249,20 @@ input_userauth_request(int type, int plen) int ssh2_auth_none(struct passwd *pw) { +#ifdef HAVE_OSF_SIA + extern int saved_argc; + extern char **saved_argv; +#endif + packet_done(); + #ifdef USE_PAM return auth_pam_password(pw, ""); -#else /* USE_PAM */ +#elif defined(HAVE_OSF_SIA) + return(sia_validate_user(NULL, saved_argc, saved_argv, + get_canonical_hostname(), pw->pw_name, NULL, 0, NULL, + "") == SIASUCCESS); +#else /* !HAVE_OSF_SIA && !USE_PAM */ return auth_password(pw, ""); #endif /* USE_PAM */ }
@@ -258,6 +273,10 @@ ssh2_auth_password(struct passwd *pw) int authenticated = 0; int change; unsigned int len; +#ifdef HAVE_OSF_SIA + extern int saved_argc; + extern char **saved_argv; +#endif change = packet_get_char(); if (change) log("password change not supported");
@@ -266,7 +285,11 @@ ssh2_auth_password(struct passwd *pw) if (options.password_authentication && #ifdef USE_PAM auth_pam_password(pw, password) == 1) -#else /* USE_PAM */ +#elif defined(HAVE_OSF_SIA) + sia_validate_user(NULL, saved_argc, saved_argv, + get_canonical_hostname(), pw->pw_name, NULL, 0, + NULL, password) == SIASUCCESS) +#else /* !USE_PAM && !HAVE_OSF_SIA */ auth_password(pw, password) == 1) #endif /* USE_PAM */ authenticated = 1;
diff --git a/bsd-snprintf.c b/bsd-snprintf.c
index 69534ecf1..c31fc38d6 100644
--- a/bsd-snprintf.c
+++ b/bsd-snprintf.c
@@ -126,7 +126,7 @@ vsnprintf(str, n, fmt, ap) char *str; size_t n; char *fmt; - va_list *ap; + va_list ap; { struct sigaction osa, nsa; char *p;
diff --git a/bsd-snprintf.h b/bsd-snprintf.h
index 8f244604c..6be2047e1 100644
--- a/bsd-snprintf.h
+++ b/bsd-snprintf.h
@@ -10,7 +10,7 @@ int snprintf(char *str, size_t n, char const *fmt, ...); #endif /* !HAVE_SNPRINTF */ #ifndef HAVE_VSNPRINTF -int vsnprintf(char *str, size_t n, char *fmt, va_list *ap); +int vsnprintf(char *str, size_t n, char *fmt, va_list ap); #endif /* !HAVE_SNPRINTF */
diff --git a/configure.in b/configure.in
index c1bcb3424..4dd08c71a 100644
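Review bot: `saved_argc` and `saved_argv` are redeclared with block-scope `extern` inside ssh2_auth_none and ssh2_auth_password (and again in do_authloop and do_child), so nothing checks these copies against the definitions in sshd.c. Declaring them once in a header that sshd.c also includes, as `extern int saved_argc;` and `extern char **saved_argv;`, lets the compiler catch a type mismatch and removes four `#ifdef` blocks from function bodies. Both are passed into the authentication library, so a silently mismatched declaration is worth ruling out.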
--- a/configure.in
+++ b/configure.in
@@ -150,6 +150,20 @@ case "$host" in LIBS="$LIBS -lgen -lsocket" no_dev_ptmx=1 ;; +*-dec-osf*) +# This is untested + if test ! -z "USE_SIA" ; then + AC_MSG_CHECKING(for Digital Unix Security Integration Architecture) + if test -f /etc/sia/matrix.conf; then + AC_MSG_RESULT(yes) + AC_DEFINE(HAVE_OSF_SIA) + AC_DEFINE(DISABLE_LOGIN) + LIBS="$LIBS -lsecurity -ldb -lm -laud" + else + AC_MSG_RESULT(no) + fi + fi + ;; esac # Allow user to specify flags
diff --git a/session.c b/session.c
index 1e22f477f..ca4a994e3 100644
--- a/session.c
+++ b/session.c
@@ -32,6 +32,11 @@ RCSID("$OpenBSD: session.c,v 1.20 2000/06/18 04:42:54 markus Exp $"); #include #endif /* WITH_IRIX_PROJECT */ +#ifdef HAVE_OSF_SIA +# include +# include +#endif + /* types */ #define TTYSZ 64
@@ -823,14 +828,32 @@ do_child(const char *command, struct passwd * pw, const char *term, } #endif /* USE_PAM */ +#ifndef HAVE_OSF_SIA /* Set login name in the kernel. */ if (setlogin(pw->pw_name) < 0) error("setlogin failed: %s", strerror(errno)); +#endif /* Set uid, gid, and groups. */ /* Login(1) does this as well, and it needs uid 0 for the "-h" switch, so we let login(1) to this for us. */ if (!options.use_login) { +#ifdef HAVE_OSF_SIA + extern char **saved_argv; + extern int saved_argc; + char *host = get_canonical_hostname (); + + if (sia_become_user(NULL, saved_argc, saved_argv, host, + pw->pw_name, ttyname, 0, NULL, NULL, SIA_BEU_SETLUID) != + SIASUCCESS) { + perror("sia_become_user"); + exit(1); + } + if (setreuid(geteuid(), geteuid()) < 0) { + perror("setreuid"); + exit(1); + } +#else /* HAVE_OSF_SIA */ if (getuid() == 0 || geteuid() == 0) { if (setgid(pw->pw_gid) < 0) { perror("setgid");
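Review bot: `test ! -z "USE_SIA"` in the new `*-dec-osf*` case tests the literal string rather than the variable, so the condition is always true. SIA, together with `DISABLE_LOGIN` and the extra libraries, is therefore switched on for every matching host that has /etc/sia/matrix.conf, whether or not the builder asked for it. The ChangeLog entry describes this as opt-in via `USE_SIA=1`, so the line should read `if test ! -z "$USE_SIA" ; then`. The block is marked untested and replaces the password-checking backend, so it should not be enabled by default unnoticed.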
@@ -867,6 +890,7 @@ do_child(const char *command, struct passwd * pw, const char *term, } if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) fatal("Failed to set uids to %d.", (int) pw->pw_uid); +#endif /* HAVE_OSF_SIA */ } /* * Get the shell from the password data. An empty shell field is
diff --git a/sshd.c b/sshd.c
index 32a6fac7f..a4749fbe4 100644
--- a/sshd.c
+++ b/sshd.c
@@ -88,6 +88,7 @@ char *av0; /* Saved arguments to main(). */ char **saved_argv; +int saved_argc; /* * The sockets that the server is listening; this is used in the SIGHUP
@@ -422,6 +423,7 @@ main(int ac, char **av) int listen_sock, maxfd; /* Save argv[0]. */ + saved_argc = ac; saved_argv = av; if (strchr(av[0], '/')) av0 = strrchr(av[0], '/') + 1;
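Review bot: The `#endif /* HAVE_OSF_SIA */` added in session.c sits after the `getuid() != pw->pw_uid || geteuid() != pw->pw_uid` check, so on SIA builds that final verification is compiled out. The SIA branch in the previous hunk relies only on the return codes of `sia_become_user()` and `setreuid(geteuid(), geteuid())`, and nothing there compares the resulting ids with `pw->pw_uid`. If the effective uid were left unchanged, the child would continue with whatever privileges it had. Moving the `#endif` up one statement, directly above `if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)`, keeps the `fatal()` check for both builds. do_child starts and ends outside the hunk.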