
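--- a/openssh-4.6p1/auth-pam.c
+++ b/openssh-4.6p1/auth-pam.c
@@ -334,6 +334,40 @@
 #endif
 }
 
+static
+int sshpam_handle_user_change(pam_handle_t *sshpam_handle, Authctxt *authctxt)
+{
+	const char *pam_user;
+	const char **ptr_pam_user = &pam_user;
+
+	error("PAM: sshpam_handle_user_change enter");
+
+        if (pam_get_item(sshpam_handle, PAM_USER,
+                (sshpam_const void **)ptr_pam_user) != PAM_SUCCESS)
+                return PAM_AUTH_ERR;
+
+        if (strcmp(authctxt->user, pam_user)) {
+                char *user = strdup(pam_user);
+                struct passwd *pw;
+
+                if (!user)
+                	return PAM_AUTH_ERR;
+		
+                if (!(pw = getpwnamallow(user))) {
+                        free(user);
+                        return PAM_AUTH_ERR;
+		}
+
+                free(authctxt->pw);
+                authctxt->pw = pw;
+                free(authctxt->user);
+                authctxt->user = user;
+		error("PAM: sshpam_handle_user_change user changed to %s", user);
+        }
+	error("PAM: sshpam_handle_user_change exit");
+	return PAM_SUCCESS;
+}
+
 /*
  * Conversation function for authentication thread.
  */
@@ -469,6 +503,20 @@
 	if (sshpam_err != PAM_SUCCESS)
 		goto auth_fail;
 
+	if (options.permit_pam_user_change) {
+		/*
+		 * this should work, but it doesn't. The monitor hands
+		 * us a copy of the authctx and never copies the results
+		 * back to the _real_ authctx.  So the following call
+		 * does all the right stuff to sshpam_authctxt, but no
+		 * one is ever going to see it.
+		 */
+		sshpam_err = sshpam_handle_user_change(sshpam_handle,
+		    sshpam_authctxt);
+		if (sshpam_err != PAM_SUCCESS)
+			goto auth_fail;
+	}
+
 	if (compat20) {
 		if (!do_pam_account()) {
 			sshpam_err = PAM_ACCT_EXPIRED;
@@ -1206,15 +1254,25 @@
 
 	sshpam_err = pam_authenticate(sshpam_handle, flags);
 	sshpam_password = NULL;
-	if (sshpam_err == PAM_SUCCESS && authctxt->valid) {
-		debug("PAM: password authentication accepted for %.100s",
-		    authctxt->user);
-		return 1;
-	} else {
+	if (!(sshpam_err == PAM_SUCCESS && authctxt->valid)) {
 		debug("PAM: password authentication failed for %.100s: %s",
 		    authctxt->valid ? authctxt->user : "an illegal user",
 		    pam_strerror(sshpam_handle, sshpam_err));
 		return 0;
 	}
+
+	if (options.permit_pam_user_change) {
+		sshpam_err = sshpam_handle_user_change(sshpam_handle,
+		    sshpam_authctxt);
+		if (sshpam_err != PAM_SUCCESS) {
+			debug("PAM: failure checking for user change: %s",
+			    pam_strerror(sshpam_handle, sshpam_err));
+			return 0;
+		}
+	}
+
+	debug("PAM: password authentication accepted for %.100s",
+	    authctxt->user);
+	return 1;
 }
 #endif /* USE_PAM */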
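Review bot: sshpam_handle_user_change (first hunk) hands `pam_user` to strcmp() as soon as pam_get_item() reports PAM_SUCCESS, but a successful pam_get_item() can still yield a NULL PAM_USER item and strcmp() on NULL is undefined behaviour; add `if (pam_user == NULL) return PAM_AUTH_ERR;` before the comparison. The enter/exit traces in the same function use error() and so log at error severity on every PAM authentication; drop them to debug() and keep only the "user changed to" line, at a level an administrator will see, since a switch of the authenticated principal is exactly what an audit trail should record. The second hunk (inside sshpam_thread, whose body starts outside the hunk) calls the helper while its own comment says the monitor discards the result; code the author documents as ineffective should be removed or finished rather than left to run getpwnamallow() and free and replace `sshpam_authctxt->pw` in the auth thread. In the third hunk (sshpam_auth_passwd, whose body also starts outside the hunk) the change is applied to the global `sshpam_authctxt` while the `valid` check and the success message use the `authctxt` parameter; if the two are not the same object the caller keeps the pre-change user and pw, so pass `authctxt` to sshpam_handle_user_change there. The helper also mixes eight-space and tab indentation; the surrounding file uses tabs.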
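--- a/openssh-4.6p1/servconf.c
+++ b/openssh-4.6p1/servconf.c
@@ -56,6 +56,7 @@
 
 	/* Portable-specific options */
 	options->use_pam = -1;
+	options->permit_pam_user_change = -1;
 
 	/* Standard Options */
 	options->num_ports = 0;
@@ -130,6 +131,8 @@
 	/* Portable-specific options */
 	if (options->use_pam == -1)
 		options->use_pam = 0;
+	if (options->permit_pam_user_change == -1)
+		options->permit_pam_user_change = 0;
 
 	/* Standard Options */
 	if (options->protocol == SSH_PROTO_UNKNOWN)
@@ -269,7 +272,7 @@
 typedef enum {
 	sBadOption,		/* == unknown option */
 	/* Portable-specific options */
-	sUsePAM,
+	sUsePAM, sPermitPAMUserChange,
 	/* Standard Options */
 	sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
 	sPermitRootLogin, sLogFacility, sLogLevel,
@@ -309,8 +312,10 @@
 	/* Portable-specific options */
 #ifdef USE_PAM
 	{ "usepam", sUsePAM, SSHCFG_GLOBAL },
+	{ "permitpamuserchange", sPermitPAMUserChange, SSHCFG_GLOBAL }
 #else
 	{ "usepam", sUnsupported, SSHCFG_GLOBAL },
+	{ "permitpamuserchange", sUnsupported, SSHCFG_GLOBAL }
 #endif
 	{ "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
 	/* Standard Options */
@@ -662,6 +667,10 @@
 		intptr = &options->use_pam;
 		goto parse_flag;
 
+	case sPermitPAMUserChange:
+		intptr = &options->permit_pam_user_change;
+		goto parse_flag;
+
 	/* Standard Options */
 	case sBadOption:
 		return -1;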
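Review bot: The two new keyword-table rows in the `#ifdef USE_PAM` hunk, `{ "permitpamuserchange", sPermitPAMUserChange, SSHCFG_GLOBAL }` and its `sUnsupported` twin under `#else`, lack the trailing comma, so whichever branch the preprocessor keeps, the initializer is directly followed by `{ "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },` and the table does not compile; end both lines with `},` like the `usepam` rows above them. The enum hunk appends sPermitPAMUserChange on the same line as sUsePAM; one constant per line keeps later diffs to this list readable. The initializer, fill-default and parse-switch hunks mirror how `use_pam` is handled and need no change.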
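--- a/openssh-4.6p1/servconf.h
+++ b/openssh-4.6p1/servconf.h
@@ -137,6 +137,7 @@
 	char   *adm_forced_command;
 
 	int	use_pam;		/* Enable auth via PAM */
+	int	permit_pam_user_change;	/* Allow PAM to change user name */
 
 	int	permit_tun;
 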
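--- a/openssh-4.6p1/sshd_config
+++ b/openssh-4.6p1/sshd_config
@@ -80,6 +80,10 @@
 # and ChallengeResponseAuthentication to 'no'.
 #UsePAM no
 
+# Set to 'yes' to allow the PAM stack to change the user name during
+# calls to authentication
+#PermitPAMUserChange no
+
 #AllowTcpForwarding yes
 #GatewayPorts no
 #X11Forwarding no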
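--- a/openssh-4.6p1/sshd_config.5
+++ b/openssh-4.6p1/sshd_config.5
@@ -820,6 +820,12 @@
 as a non-root user.
 The default is
 .Dq no .
+.It Cm PermitPAMUserChange
+If set to
+.Dq yes
+this will enable PAM authentication to change the name of the user being
+authenticated.  The default is
+.Dq no .
 .It Cm UsePrivilegeSeparation
 Specifies whether
 .Xr sshd 8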
