Commit Graph

32 Commits

Author SHA1 Message Date
djm@openbsd.org 7c85685760 upstream: switch over to the new authorized_keys options API and
remove the legacy one.

Includes a fairly big refactor of auth2-pubkey.c to retain less state
between key file lines.

feedback and ok markus@

OpenBSD-Commit-ID: dece6cae0f47751b9892080eb13d6625599573df
2018-03-03 14:37:16 +11:00
Darren Tucker e0259a82dd Remove do_pam_set_tty which is dead code.
The callers of do_pam_set_tty were removed in 2008, so this is now dead
code.  bz#2604, pointed out by jjelen at redhat.com.
2016-10-15 04:34:46 +11:00
Darren Tucker 1e8013a17f Remove obsolete CVS $Id from source files.
Since -portable switched to git the CVS $Id tags are no longer being
updated and are becoming increasingly misleading.  Remove them.
2016-08-17 14:08:42 +10:00
Damien Miller 8bd81e1596 add --with-pam-service to specify PAM service name
Saves messing around with CFLAGS to do it.
2016-08-16 13:37:26 +10:00
Darren Tucker 01558b7b07 Handle PAM_MAXTRIES from modules.
bz#2249: handle the case where PAM returns PAM_MAXTRIES by ceasing to offer
password and keyboard-interative authentication methods.  Should prevent
"sshd ignoring max retries" warnings in the log.  ok djm@

It probably won't trigger with keyboard-interactive in the default
configuration because the retry counter is stored in module-private
storage which goes away with the sshd PAM process (see bz#688).  On the
other hand, those cases probably won't log a warning either.
2016-07-18 09:33:25 +10:00
Darren Tucker 69687f4b65 - (dtucker) [auth-pam.c auth-pam.h session.c] Bug #890: Send output from
failing PAM session modules to user then exit, similar to the way
   /etc/nologin is handled.  ok djm@
2004-09-11 22:17:26 +10:00
Darren Tucker 450a158d7e - (dtucker) [auth-pam.c auth-pam.h auth-passwd.c]: Bug #874: Re-add PAM
support for PasswordAuthentication=yes.  ok djm@
2004-05-30 20:43:59 +10:00
Darren Tucker dbf7a74ee5 - (dtucker) [auth-pam.c auth-pam.h auth1.c auth2.c monitor.c monitor_wrap.c
monitor_wrap.h] Bug #808: Ensure force_pwchange is correctly initialized
   even if keyboard-interactive is not used by the client.  Prevents segfaults
   in some cases where the user's password is expired (note this is not
   considered a security exposure).  ok djm@
2004-03-08 23:04:06 +11:00
Darren Tucker 1921ed9f96 - (dtucker) [auth-pam.c auth-pam.h session.c] Bug #14: Use do_pwchange to
change expired PAM passwords for SSHv1 connections without privsep.
   pam_chauthtok is still used when privsep is disabled.  ok djm@
2004-02-10 13:23:28 +11:00
Damien Miller c756e9b56e - (djm) Export environment variables from authentication subprocess to
parent. Part of Bug #717
2003-11-17 21:41:42 +11:00
Darren Tucker 8846a07639 - (dtucker) [auth-pam.c auth-pam.h session.c] Make PAM use the new static
cleanup functions.  With & ok djm@
2003-10-07 11:30:15 +10:00
Damien Miller 341c6e687c - (djm) Bug #423: reorder setting of PAM_TTY and calling of PAM session
management (now done in do_setusercontext). Largely from
   michael_steffens AT hp.com
2003-09-02 23:18:52 +10:00
Darren Tucker 49aaf4ad52 - (dtucker) [Makefile.in acconfig.h auth-krb5.c auth-pam.c auth-pam.h
configure.ac defines.h gss-serv-krb5.c session.c ssh-gss.h sshconnect1.c
   sshconnect2.c] Add Portable GSSAPI support, patch by Simon Wilkinson.
2003-08-26 11:58:16 +10:00
Damien Miller 1f499fd368 - (djm) Bug #564: Perform PAM account checks for all authentications when
UsePAM=yes; ok dtucker
2003-08-25 13:08:49 +10:00
Damien Miller eb0e969a4f - (djm) Sync auth-pam.h with what we actually implement 2003-05-19 11:28:44 +10:00
Damien Miller 4f9f42a9bb - (djm) Merge FreeBSD PAM code: replaces PAM password auth kludge with
proper challenge-response module
2003-05-10 19:28:02 +10:00
Kevin Steves 38b050a0f5 - (stevesk) [auth-pam.[ch] session.c] pam_getenvlist() must be
freed by the caller; add free_pam_environment() and use it.
2002-07-23 00:44:07 +00:00
Kevin Steves 287077eaf2 - (stevesk) [auth-pam.[ch] ssh.h] move SSHD_PAM_SERVICE to auth-pam.h 2002-07-21 23:59:39 +00:00
Kevin Steves 21e04eb2be - (stevesk) [auth-pam.h] unneeded include 2002-07-21 23:20:07 +00:00
Kevin Steves 7ba4970498 - (stevesk) [auth-pam.h] license 2002-07-21 23:16:00 +00:00
Kevin Steves e683e76439 - (stevesk) [auth-pam.c auth-pam.h auth-passwd.c auth-sia.c auth-sia.h
auth1.c auth2.c] PAM, OSF_SIA password auth cleanup; from djm.
2002-04-04 19:02:28 +00:00
Damien Miller f9e9300947 - (djm) Reestablish PAM credentials (which can be supplemental group
memberships) after initgroups() blows them away. Report and suggested
   fix from Nalin Dahyabhai <nalin@redhat.com>
2001-03-27 16:12:24 +10:00
Damien Miller 646aa60b41 - (djm) Clean up PAM namespace. Suggested by Darren Moffat
<Darren.Moffat@eng.sun.com>
2001-02-15 11:51:32 +11:00
Damien Miller e9cf357a99 - (djm) Add CVS Id's to files that we have missed 2001-02-09 12:55:35 +11:00
Damien Miller 63dc3e90e5 - (djm) Much KNF on PAM code
- (djm) Revise auth-pam.c conversation function to be a little more readable.
 - (djm) Revise kbd-int PAM conversation function to fold all text messages
   to before first prompt. Fixes hangs if last pam_message did not require
   a reply.
 - (djm) Fix password changing when using PAM kbd-int authentication
2001-02-07 12:58:33 +11:00
Damien Miller 22e22bf9ba - (djm) Merge patch from Tim Waugh (via Nalin Dahyabhai <nalin@redhat.com>)
to fix NULL pointer deref and fake authloop breakage in PAM code.
2001-01-19 15:46:38 +11:00
Damien Miller b84815880e - (djm) Added patch from Nalin Dahyabhai <nalin@redhat.com> to enable
PAM authentication using KbdInteractive.
 - (djm) Added another TODO
2000-12-03 11:51:51 +11:00
Kevin Steves 6beac8c5a0 function prototype and definition consistency cleanup. 2000-10-14 15:08:49 +00:00
Kevin Steves 092f2effc5 - (stevesk) ~/.hushlogin shouldn't cause required password change to
be bypassed.
2000-10-14 13:36:13 +00:00
Damien Miller 9d5705a4b3 - (djm) Add Steve VanDevender's <stevev@darkwing.uoregon.edu> PAM
password change patch.
 - (djm) Bring licenses on my stuff in line with OpenBSD's
2000-09-16 16:09:27 +11:00
Damien Miller 3e955e78fa Add const to suppress compiler warning 2000-01-27 10:55:38 +11:00
Damien Miller e72b7af17e - Removed most of the pam code into its own file auth-pam.[ch]. This
cleaned up sshd.c up significantly.
 - Several other cleanups
1999-12-30 15:08:44 +11:00