Commit Graph

169 Commits

Author SHA1 Message Date
Damien Miller 3f0786bbe7 remove PAM dependencies on old packet API
Requires some caching of values, because the PAM code isn't
always called with packet context.
2019-01-20 10:22:18 +11:00
Damien Miller 8a22ffaa13 expose $SSH_CONNECTION in the PAM environment
This makes the connection 4-tuple available to PAM modules that
wish to use it in decision-making. bz#2741
2018-12-14 13:23:48 +11:00
Damien Miller 48f54b9d12 adapt -portable to OpenSSL 1.1x API
Polyfill missing API with replacement functions extracted from LibreSSL
2018-09-13 12:13:50 +10:00
Darren Tucker 3f420a692b Remove key.h from portable files too.
Commit 5467fbcb removed key.h so stop including it in portable files
too.  Fixes builds on lots of platforms.
2018-07-12 14:57:46 +10:00
Damien Miller 120a1ec74e Adapt portable to legacy buffer API removal 2018-07-10 19:39:52 +10:00
Damien Miller e8f474554e Expose SSH_AUTH_INFO_0 to PAM auth modules
bz#2408, patch from Radoslaw Ejsmont; ok dtucker@
2018-04-06 14:11:44 +10:00
Darren Tucker 13ef4cf53f Update PAM password change to new opts API. 2018-03-03 16:21:20 +11:00
djm@openbsd.org 7c85685760 upstream: switch over to the new authorized_keys options API and
remove the legacy one.

Includes a fairly big refactor of auth2-pubkey.c to retain less state
between key file lines.

feedback and ok markus@

OpenBSD-Commit-ID: dece6cae0f47751b9892080eb13d6625599573df
2018-03-03 14:37:16 +11:00
Damien Miller 94bc1e7ffb Expose list of completed auth methods to PAM
bz#2408; ok dtucker@
2017-07-28 15:04:00 +10:00
Darren Tucker 608ec1f62f Remove SSHv1 code path.
Server-side support for Protocol 1 has been removed so remove !compat20
PAM code path.
2017-03-29 09:50:54 +11:00
Darren Tucker bee0167be2 Check for NULL from malloc.
Part of bz#2687, from jjelen at redhat.com.
2017-03-10 13:40:18 +11:00
Darren Tucker e0259a82dd Remove do_pam_set_tty which is dead code.
The callers of do_pam_set_tty were removed in 2008, so this is now dead
code.  bz#2604, pointed out by jjelen at redhat.com.
2016-10-15 04:34:46 +11:00
Damien Miller 8bd81e1596 add --with-pam-service to specify PAM service name
Saves messing around with CFLAGS to do it.
2016-08-16 13:37:26 +10:00
Damien Miller 10358abd08 retry waitpid on EINTR failure
patch from Jakub Jelen on bz#2581; ok dtucker@
2016-07-22 14:07:08 +10:00
Darren Tucker 01558b7b07 Handle PAM_MAXTRIES from modules.
bz#2249: handle the case where PAM returns PAM_MAXTRIES by ceasing to offer
password and keyboard-interative authentication methods.  Should prevent
"sshd ignoring max retries" warnings in the log.  ok djm@

It probably won't trigger with keyboard-interactive in the default
configuration because the retry counter is stored in module-private
storage which goes away with the sshd PAM process (see bz#688).  On the
other hand, those cases probably won't log a warning either.
2016-07-18 09:33:25 +10:00
Darren Tucker 283b97ff33 Mitigate timing of disallowed users PAM logins.
When sshd decides to not allow a login (eg PermitRootLogin=no) and
it's using PAM, it sends a fake password to PAM so that the timing for
the failure is not noticeably different whether or not the password
is correct.  This behaviour can be detected by sending a very long
password string which is slower to hash than the fake password.

Mitigate by constructing an invalid password that is the same length
as the one from the client and thus takes the same time to hash.
Diff from djm@
2016-07-15 13:49:44 +10:00
Darren Tucker 009891afc8 Remove duplicate code from PAM. ok djm@ 2016-06-17 14:34:09 +10:00
Darren Tucker 39c0cecaa1 Fix comment about sshpam_const and AIX.
From mschwager via github.
2016-05-20 10:01:58 +10:00
Damien Miller 3ed9218c33 unbreak PAM after canohost refactor 2016-03-08 14:01:29 -08:00
Damien Miller 5ef4b0fdcc avoid FreeBSD RCS Id in comment
Change old $FreeBSD version string in comment so it doesn't
become an RCS ident downstream; requested by des AT des.no
2016-02-05 10:45:23 +11:00
Darren Tucker d1680d36e1 xrealloc -> xreallocarray in portable code too. 2015-04-30 09:18:11 +10:00
Darren Tucker 53f8e784dc - (dtucker) [auth-pam.c] bz#2163: check return value from pam_get_item().
Patch from Loganaden Velvindron.
2013-12-19 11:31:44 +11:00
Darren Tucker f60845fde2 - (dtucker) [M auth-chall.c auth-krb5.c auth-pam.c cipher-aes.c cipher-ctr.c
groupaccess.c loginrec.c monitor.c monitor_wrap.c session.c sshd.c
   sshlogin.c uidswap.c openbsd-compat/bsd-cygwin_util.c
   openbsd-compat/getrrsetbyname-ldns.c openbsd-compat/port-aix.c
   openbsd-compat/port-linux.c] Replace portable-specific instances of xfree
   with the equivalent calls to free.
2013-06-02 08:07:31 +10:00
Darren Tucker 622d5c561b - (dtucker) [auth-pam.c] Bug #1534: move the deletion of PAM credentials on
logout to after the session close.  Patch from Anicka Bernathova, ok djm.
2009-07-12 22:07:21 +10:00
Darren Tucker 52358d6df3 - (dtucker) [auth-pam.c monitor.c session.c sshd.c] Bug #926: Move
pam_open_session and pam_close_session into the privsep monitor, which
   will ensure that pam_session_close is called as root.  Patch from Tomas
   Mraz.
2008-03-11 22:58:25 +11:00
Darren Tucker 57d4ca9681 - (dtucker) [auth-pam.c] Use sigdie here too. ok djm@ 2007-08-10 14:32:34 +10:00
Darren Tucker 2216471510 - (dtucker) [auth-pam.c] Return empty string if fgets fails in
sshpam_tty_conv.  Patch from ldv at altlinux.org.
2007-05-20 15:26:07 +10:00
Darren Tucker 29171e9f5c - (dtucker) [auth-pam.c] malloc+memset -> calloc. Patch from
ldv at altlinux.org.
2007-05-20 15:20:08 +10:00
Darren Tucker 54e1b2291c - (dtucker) [auth-pam.c] Propogate TZ environment variable to PAM auth
process so that any logging it does is with the right timezone.  From
   Scott Strickler, ok djm@.
2006-09-17 11:57:46 +10:00
Damien Miller ded319cca2 - (djm) [audit-bsm.c audit.c auth-bsdauth.c auth-chall.c auth-pam.c]
[auth-rsa.c auth-shadow.c auth-sia.c auth1.c auth2-chall.c]
   [auth2-gss.c auth2-kbdint.c auth2-none.c authfd.c authfile.c]
   [cipher-3des1.c cipher-aes.c cipher-bf1.c cipher-ctr.c clientloop.c]
   [dh.c dns.c entropy.c gss-serv-krb5.c gss-serv.c hostfile.c kex.c]
   [kexdhc.c kexdhs.c kexgexc.c kexgexs.c key.c loginrec.c mac.c]
   [md5crypt.c monitor.c monitor_wrap.c readconf.c rsa.c]
   [scard-opensc.c scard.c session.c ssh-add.c ssh-agent.c ssh-dss.c]
   [ssh-keygen.c ssh-keysign.c ssh-rsa.c ssh.c sshconnect.c]
   [sshconnect1.c sshconnect2.c sshd.c rc4.diff]
   [openbsd-compat/bsd-cray.c openbsd-compat/port-aix.c]
   [openbsd-compat/port-linux.c openbsd-compat/port-solaris.c]
   [openbsd-compat/port-uw.c]
   Lots of headers for SCO OSR6, mainly adding stdarg.h for log.h;
   compile problems reported by rac AT tenzing.org
2006-09-01 15:38:36 +10:00
Damien Miller 75bb664458 - (djm) [auth-pam.c auth-shadow.c auth2-none.c cleanup.c sshd.c]
[openbsd-compat/port-tun.c openbsd-compat/port-tun.h] Sprinkle more
   includes for Linux in
2006-08-05 14:07:20 +10:00
Damien Miller 4cbfe8ebeb - (djm) [auth-pam.c auth.c bufaux.h entropy.c openbsd-compat/port-tun.c]
remove last traces of bufaux.h - it was merged into buffer.h in the big
   includes.h commit
2006-08-05 12:49:30 +10:00
Damien Miller 2ab323e0bd - (djm) [auth-pam.c defines.h] Move PAM related bits to auth-pam.c 2006-08-05 12:43:32 +10:00
Damien Miller b8fe89c4d9 - (djm) [acss.c auth-krb5.c auth-options.c auth-pam.c auth-shadow.c]
[canohost.c channels.c cipher-acss.c defines.h dns.c gss-genr.c]
   [gss-serv-krb5.c gss-serv.c log.h loginrec.c logintest.c readconf.c]
   [servconf.c ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh-rand-helper.c]
   [ssh.c sshconnect.c sshd.c openbsd-compat/bindresvport.c]
   [openbsd-compat/bsd-arc4random.c openbsd-compat/bsd-misc.c]
   [openbsd-compat/getrrsetbyname.c openbsd-compat/glob.c]
   [openbsd-compat/mktemp.c openbsd-compat/port-linux.c]
   [openbsd-compat/port-tun.c openbsd-compat/readpassphrase.c]
   [openbsd-compat/setproctitle.c openbsd-compat/xmmap.c]
   make the portable tree compile again - sprinkle unistd.h and string.h
   back in. Don't redefine __unused, as it turned out to be used in
   headers on Linux, and replace its use in auth-pam.c with ARGSUSED
2006-07-24 14:51:00 +10:00
Darren Tucker 341dae59c8 - (dtucker) [auth-krb5.c auth-pam.c] Still more errno.h 2006-07-13 08:45:14 +10:00
Darren Tucker 2c77b7f1c1 - (dtucker) [auth-pam.c] Bug #1188: pass result of do_pam_account back and
do not allow kbdint again after the PAM account check fails.  ok djm@
2006-05-15 17:22:33 +10:00
Darren Tucker d8093e49bf - (dtucker) [auth-pam.c groupaccess.c monitor.c monitor_wrap.c scard-opensc.c
session.c ssh-rand-helper.c sshd.c openbsd-compat/bsd-cygwin_util.c
   openbsd-compat/setproctitle.c] Convert malloc(foo*bar) -> calloc(foo,bar)
   in Portable-only code; since calloc zeros, remove now-redundant memsets.
   Also add a couple of sanity checks.  With & ok djm@
2006-05-04 16:24:34 +10:00
Damien Miller 36812092ec - djm@cvs.openbsd.org 2006/03/25 01:13:23
[buffer.c channels.c deattack.c misc.c scp.c session.c sftp-client.c]
     [sftp-server.c ssh-agent.c ssh-rsa.c xmalloc.c xmalloc.h auth-pam.c]
     [uidswap.c]
     change OpenSSH's xrealloc() function from being xrealloc(p, new_size)
     to xrealloc(p, new_nmemb, new_itemsize).

     realloc is particularly prone to integer overflows because it is
     almost always allocating "n * size" bytes, so this is a far safer
     API; ok deraadt@
2006-03-26 14:22:47 +11:00
Damien Miller b0fb6872ed - deraadt@cvs.openbsd.org 2006/03/19 18:51:18
[atomicio.c auth-bsdauth.c auth-chall.c auth-krb5.c auth-options.c]
     [auth-pam.c auth-passwd.c auth-rh-rsa.c auth-rhosts.c auth-rsa.c]
     [auth-shadow.c auth-skey.c auth.c auth1.c auth2-chall.c]
     [auth2-hostbased.c auth2-kbdint.c auth2-none.c auth2-passwd.c]
     [auth2-pubkey.c auth2.c authfd.c authfile.c bufaux.c buffer.c]
     [canohost.c channels.c cipher-3des1.c cipher-acss.c cipher-aes.c]
     [cipher-bf1.c cipher-ctr.c cipher.c cleanup.c clientloop.c compat.c]
     [compress.c deattack.c dh.c dispatch.c dns.c entropy.c fatal.c]
     [groupaccess.c hostfile.c includes.h kex.c kexdh.c kexdhc.c]
     [kexdhs.c kexgex.c kexgexc.c kexgexs.c key.c log.c loginrec.c]
     [loginrec.h logintest.c mac.c match.c md-sha256.c md5crypt.c misc.c]
     [monitor.c monitor_fdpass.c monitor_mm.c monitor_wrap.c msg.c]
     [nchan.c packet.c progressmeter.c readconf.c readpass.c rsa.c]
     [scard.c scp.c servconf.c serverloop.c session.c sftp-client.c]
     [sftp-common.c sftp-glob.c sftp-server.c sftp.c ssh-add.c]
     [ssh-agent.c ssh-dss.c ssh-keygen.c ssh-keyscan.c ssh-keysign.c]
     [ssh-rand-helper.c ssh-rsa.c ssh.c sshconnect.c sshconnect1.c]
     [sshconnect2.c sshd.c sshlogin.c sshpty.c sshtty.c ttymodes.c]
     [uidswap.c uuencode.c xmalloc.c openbsd-compat/bsd-arc4random.c]
     [openbsd-compat/bsd-closefrom.c openbsd-compat/bsd-cygwin_util.c]
     [openbsd-compat/bsd-getpeereid.c openbsd-compat/bsd-misc.c]
     [openbsd-compat/bsd-nextstep.c openbsd-compat/bsd-snprintf.c]
     [openbsd-compat/bsd-waitpid.c openbsd-compat/fake-rfc2553.c]
     RCSID() can die
2006-03-26 00:03:21 +11:00
Damien Miller 66f9eb65ff - (djm) [auth-pam.c] Fix memleak in error path, from Coverity via
elad AT NetBSD.org
2006-03-18 23:04:49 +11:00
Damien Miller 6645e7a70d - (djm) [auth-pam.c clientloop.c includes.h monitor.c session.c]
[sftp-client.c ssh-keysign.c ssh.c sshconnect.c sshconnect2.c]
   [sshd.c openbsd-compat/bsd-misc.c openbsd-compat/bsd-openpty.c]
   [openbsd-compat/glob.c openbsd-compat/mktemp.c]
   [openbsd-compat/readpassphrase.c] Lots of include fixes for
   OpenSolaris
2006-03-15 14:42:54 +11:00
Darren Tucker 1d4ebbf143 Correct format in debug message 2006-01-29 16:46:13 +11:00
Darren Tucker 7b1e695846 - (dtucker) [auth-pam.c] Bug #1028: send final non-query messages from
PAM via keyboard-interactive.  Patch tested by the folks at Vintela.
2005-09-28 22:33:27 +10:00
Damien Miller 37294fb630 - (djm) [auth-pam.c sftp.c] spaces vs. tabs at start of line 2005-07-17 17:18:49 +10:00
Damien Miller 94cf4c8448 - (djm) [acss.c auth-pam.c auth-shadow.c auth-skey.c auth1.c canohost.c]
[cipher-acss.c loginrec.c ssh-rand-helper.c sshd.c] Fix whitespace at EOL
   in portable too ("perl -p -i -e 's/\s+$/\n/' *.[ch]")
2005-07-17 17:04:47 +10:00
Darren Tucker 4f1adad4f6 - (dtucker) [auth-pam.c] Ensure that only one side of the authentication
socketpair stays open on in both the monitor and PAM process.  Patch from
   Joerg Sonnenberger.
2005-07-16 11:33:06 +10:00
Darren Tucker f08bdb5a7e - (dtucker) [auth-pam.c] Bug #1033: Fix warnings building with PAM on Linux:
warning: dereferencing type-punned pointer will break strict-aliasing rules
  warning: passing arg 3 of `pam_get_item' from incompatible pointer type
  The type-punned pointer fix is based on a patch from SuSE's rpm.  ok djm@
2005-05-26 19:59:48 +10:00
Darren Tucker 328118aa79 - (dtucker) [auth-pam.c] Since people don't seem to be getting the message
that USE_POSIX_THREADS is unsupported, not recommended and generally a bad
   idea, it is now known as UNSUPPORTED_POSIX_THREADS_HACK.  Attempting to use
   USE_POSIX_THREADS will now generate an error so we don't silently change
   behaviour.  ok djm@
2005-05-25 16:18:09 +10:00
Darren Tucker d5bfa8f9d8 Oops, did not intend to commit this yet 2005-01-20 13:29:51 +11:00
Darren Tucker d231186fd0 - djm@cvs.openbsd.org 2004/12/22 02:13:19
[cipher-ctr.c cipher.c]
     remove fallback AES support for old OpenSSL, as OpenBSD has had it for
     many years now; ok deraadt@
     (Id sync only: Portable will continue to support older OpenSSLs)
2005-01-20 13:27:56 +11:00