[Date Prev][Date Next] [Thread Prev][Thread Next]
[Thread Index]
[Date Index]
[Author Index]
[linux-security] Re: sshd and PAM [summary]
- From: Pawel Krawczyk <kravietz ceti com pl>
- To: rafael llinuxsite czacki waw ids edu pl, linux-security redhat com
- Subject: [linux-security] Re: sshd and PAM [summary]
- Date: Thu, 8 Oct 1998 12:16:02 +0200
On Wed, Oct 07, 1998 at 06:39:12PM +0200, Rafael J. Wysocki wrote:
> of the PAM settings. Similarly, if I turn pam_limits.so on and set
> maxlogins (in /etc/security/limits.conf) to, say, 2 for everyone, the
> RSA-authenticated client is allowed to log in as many times as (s)he wants
> (if the same client is password-authenticated, the limit takes effect, of
> course). There are some other useful PAM modules which I suspect may not
> work with this version of (PAMified) sshd. I'll verify this in a few days,
> I hope.
I have modified the original patch moving the call to pam_sm_open_session()
to do_exec_pty() and do_exec_no_pty() and it seems to work (i.e. set limits)
for all types of authentication. Here's the diff against ssh-1.2.26, apply
to clean sources:
--- sshd.c.orig Tue Oct 6 18:15:32 1998
+++ sshd.c Tue Oct 6 18:14:31 1998
@@ -89,6 +89,9 @@
* feature. Added {Allow,Deny}Users feature from Steve Kann
* <stevek SteveK COM>.
*
+ * Revision 1.42a 1997/06/06 18:40:00 jonchen
+ * Added support for PAM
+ *
* Revision 1.42 1997/04/23 00:05:35 kivinen
* Added ifdefs around password expiration and inactivity checks,
* because some systems dont have sp_expire and sp_inact fields.
@@ -525,6 +528,14 @@
char *ticket = "none\0";
#endif /* KERBEROS */
+#ifdef HAVE_PAM
+#include <security/pam_appl.h>
+struct pam_handle_t *pamh=NULL;
+char *pampasswd=NULL;
+int retval;
+int origretval;
+#endif /* HAVE_PAM */
+
/* Server configuration options. */
ServerOptions options;
@@ -620,7 +631,56 @@
void do_child(const char *command, struct passwd *pw, const char *term,
const char *display, const char *auth_proto,
const char *auth_data, const char *ttyname);
+#ifdef HAVE_PAM
+static int pamconv (int num_msg,
+ const struct pam_message **msg,
+ struct pam_response **resp,
+ void *appdata_ptr) {
+ int count = 0, replies = 0;
+ struct pam_response *reply = NULL;
+ int size = sizeof(struct pam_response);
+
+ for (count = 0; count < num_msg; count++) {
+ switch (msg[count]->msg_style) {
+ case PAM_PROMPT_ECHO_ON:
+ case PAM_PROMPT_ECHO_OFF:
+ if (reply)
+ realloc(reply, size);
+ else
+ reply = malloc(size);
+ if (!reply) return PAM_CONV_ERR;
+ size += sizeof(struct pam_response);
+ reply[replies].resp_retcode = PAM_SUCCESS;
+ reply[replies++].resp = xstrdup (pampasswd);
+ /* PAM frees resp */
+ break;
+ case PAM_TEXT_INFO:
+ /* ignore it... */
+ break;
+ case PAM_ERROR_MSG:
+ default:
+ /* Must be an error of some sort... */
+ free (reply);
+ return PAM_CONV_ERR;
+ }
+ }
+ if (reply) *resp = reply;
+ return PAM_SUCCESS;
+}
+
+static struct pam_conv conv = {
+ pamconv,
+ NULL
+};
+
+void pam_cleanup_proc (void *context) {
+ if (retval == PAM_SUCCESS)
+ retval = pam_close_session ((pam_handle_t *)pamh, 0);
+ if (pam_end ((pam_handle_t *)pamh, retval) != PAM_SUCCESS)
+ log_msg ("Cannot release PAM authentication.");
+}
+#endif /* HAVE_PAM */
/* Signal handler for SIGHUP. Sshd execs itself when it receives SIGHUP;
the effect is to reread the configuration file (and to regenerate
@@ -1379,6 +1439,13 @@
/* The connection has been terminated. */
log_msg("Closing connection to %.100s", get_remote_ipaddr());
+#ifdef HAVE_PAM
+ if (retval == PAM_SUCCESS)
+ retval = pam_close_session ((pam_handle_t *)pamh, 0);
+ if (pam_end ((pam_handle_t *)pamh, retval) != PAM_SUCCESS)
+ log_msg ("Cannot release PAM authentication.");
+ fatal_remove_cleanup (&pam_cleanup_proc, NULL);
+#endif /* HAVE_PAM */
packet_close();
exit(0);
}
@@ -2157,7 +2224,13 @@
with any characters that are commonly used to start NIS entries. */
pw = getpwnam(user);
if (!pw || user[0] == '-' || user[0] == '+' || user[0] == '@' ||
- !login_permitted(user, pw))
+ !login_permitted(user, pw)
+#ifdef HAVE_PAM
+ || ((retval=pam_start("ssh", pw->pw_name, &conv, (pam_handle_t **)&pamh)),
+ (fatal_add_cleanup (&pam_cleanup_proc, NULL)),
+ (origretval = retval), (retval != PAM_SUCCESS))
+#endif /* HAVE_PAM */
+ )
do_authentication_fail_loop();
/* Take a copy of the returned structure. */
@@ -2189,6 +2262,7 @@
debug("Attempting authentication for %.100s.", user);
+
#if defined (KERBEROS) && defined (KRB5)
if (!options.kerberos_authentication && options.password_authentication &&
auth_password(user, "", 0))
@@ -3043,6 +3117,10 @@
int inout[2], err[2];
#endif /* USE_PIPES */
+#ifdef HAVE_PAM
+ retval = pam_open_session ((pam_handle_t *)pamh, 0);
+#endif /* HAVE_PAM */
+
#ifdef HAVE_OSF1_C2_SECURITY
{
const char *str;
@@ -3203,6 +3281,10 @@
#if defined (__bsdi__) && _BSDI_VERSION >= 199510
struct timeval tp;
#endif /* __bsdi__ && _BSDI_VERSION >= 199510 */
+
+#ifdef HAVE_PAM
+ retval = pam_open_session ((pam_handle_t *)pamh, 0);
+#endif /* HAVE_PAM */
#ifdef HAVE_OSF1_C2_SECURITY
{
--- auth-passwd.c.orig Tue Oct 6 18:15:46 1998
+++ auth-passwd.c Tue Oct 6 18:14:35 1998
@@ -47,6 +47,9 @@
* Fixed kerberos ticket name handling. Added OSF C2 account
* locking and expiration support.
*
+ * Revision 1.11a 1997/06/06 06:40:00 jonchen
+ * Added support for PAM
+ *
* Revision 1.11 1997/04/17 03:57:05 kivinen
* Kept FILE: prefix in kerberos ticket filename as DCE cache
* code requires it (patch from Doug Engert <DEEngert anl gov>).
@@ -138,6 +141,13 @@
#include <auth.h>
#include <sys/svcinfo.h>
#endif /* HAVE_ULTRIX_SHADOW_PASSWORDS */
+#ifdef HAVE_PAM
+#include <security/pam_appl.h>
+extern pam_handle_t *pamh;
+extern int retval;
+extern char* pampasswd;
+extern int origretval;
+#endif /* HAVE_PAM */
#include "packet.h"
#include "ssh.h"
#include "servconf.h"
@@ -712,6 +722,17 @@
seteuid(UID_ROOT); /* just let it fail if ran by user */
#endif /* SECURE_RPC */
+#ifdef HAVE_PAM
+ {
+ retval = origretval;
+ pampasswd = xstrdup(password);
+ if (retval == PAM_SUCCESS)
+ retval = pam_authenticate ((pam_handle_t *)pamh, 0);
+ if (retval == PAM_SUCCESS)
+ retval = pam_acct_mgmt ((pam_handle_t *)pamh, 0);
+ xfree(pampasswd);
+ }
+#else /* HAVE_PAM */
#ifdef HAVE_OSF1_C2_SECURITY
if (osf1c2_getprpwent(correct_passwd, saved_pw_name,
sizeof(correct_passwd)))
@@ -823,6 +844,7 @@
#endif /* HAVE_ETC_SHADOW */
#endif /* HAVE_SCO_ETC_SHADOW */
#endif /* HAVE_OSF1_C2_SECURITY */
+#endif /* HAVE_PAM */
/* Check for users with no password. */
if (strcmp(password, "") == 0 && strcmp(correct_passwd, "") == 0)
@@ -844,6 +866,14 @@
xfree(saved_pw_name);
xfree(saved_pw_passwd);
+
+#if 0
+ {
+ if (retval == PAM_SUCCESS)
+ retval = pam_open_session ((pam_handle_t *)pamh, 0);
+ return (retval == PAM_SUCCESS);
+ }
+#endif /* HAVE_PAM */
#ifdef HAVE_ULTRIX_SHADOW_PASSWORDS
{
--- acconfig.h.pam Wed Jul 8 18:40:35 1998
+++ acconfig.h Sun Sep 27 18:38:10 1998
@@ -266,6 +266,9 @@
/* Define this if your spwd struct defined shadow.h have sp_inact field */
#undef HAVE_STRUCT_SPWD_INACT
+/* Define this if you use PAM */
+#undef HAVE_PAM
+
/* Define this if you want to enable TCP_NODELAY option */
#undef ENABLE_TCP_NODELAY
--- config.h.in.pam Wed Jul 8 18:41:12 1998
+++ config.h.in Sun Sep 27 18:38:10 1998
@@ -344,6 +344,9 @@
file */
#undef SCP_ALL_STATISTICS_ENABLED
+/* Define this if you use PAM */
+#undef HAVE_PAM
+
/* The number of bytes in a int. */
#undef SIZEOF_INT
--- configure.in.pam Wed Jul 8 18:41:10 1998
+++ configure.in Sun Sep 27 18:38:10 1998
@@ -362,6 +362,11 @@
AC_CHECK_SIZEOF(int,4)
AC_CHECK_SIZEOF(short,2)
+if test -f /usr/include/security/pam_appl.h; then
+ AC_DEFINE(HAVE_PAM)
+ LIBS="$LIBS -lpam -ldl"
+fi
+
if test -z "$no_termios"; then
AC_CHECK_HEADERS(termios.h)
fi
--
Pawel Krawczyk, CETI internet, Krakow. http://www.ceti.com.pl/
[Date Prev][Date Next] [Thread Prev][Thread Next]
[Thread Index]
[Date Index]
[Author Index]