Bugzilla – Attachment 1298 Details for
Bug 1215
sshd requires entry from getpwnam for PAM accounts
[patch]
PermitPAMUserChange: runtime option that checks and handles PAM changing the username
openssh-4.6p1-pam-user-change.patch (text/plain), 5.65 KB, created by
James R. Leu
on 2007-05-30 02:38:44 AEST
Description:
PermitPAMUserChange: runtime option that checks and handles PAM changing the username
Filename:
MIME Type:
Creator:
James R. Leu
Created:
2007-05-30 02:38:44 AEST
Size:
5.65 KB
patch
obsolete
>diff -uNr openssh-4.6p1/auth-pam.c openssh-4.6p1.jleu2/auth-pam.c
>--- openssh-4.6p1/auth-pam.c 2006-09-16 20:57:47.000000000 -0500
>+++ openssh-4.6p1.jleu2/auth-pam.c 2007-05-29 11:12:45.000000000 -0500
>@@ -334,6 +334,40 @@
> #endif
> }
>
>+static
>+int sshpam_handle_user_change(pam_handle_t *sshpam_handle, Authctxt *authctxt)
>+{
>+ const char *pam_user;
>+ const char **ptr_pam_user = &pam_user;
>+
>+ error("PAM: sshpam_handle_user_change enter");
>+
>+ if (pam_get_item(sshpam_handle, PAM_USER,
>+ (sshpam_const void **)ptr_pam_user) != PAM_SUCCESS)
>+ return PAM_AUTH_ERR;
>+
>+ if (strcmp(authctxt->user, pam_user)) {
>+ char *user = strdup(pam_user);
>+ struct passwd *pw;
>+
>+ if (!user)
>+ return PAM_AUTH_ERR;
>+
>+ if (!(pw = getpwnamallow(user))) {
>+ free(user);
>+ return PAM_AUTH_ERR;
>+ }
>+
>+ free(authctxt->pw);
>+ authctxt->pw = pw;
>+ free(authctxt->user);
>+ authctxt->user = user;
>+ error("PAM: sshpam_handle_user_change user changed to %s", user);
>+ }
>+ error("PAM: sshpam_handle_user_change exit");
>+ return PAM_SUCCESS;
>+}
>+
> /*
> * Conversation function for authentication thread.
> */
>@@ -469,6 +503,20 @@
> if (sshpam_err != PAM_SUCCESS)
> goto auth_fail;
>
>+ if (options.permit_pam_user_change) {
>+ /*
>+ * this should work, but it doesn't. The monitor hands
>+ * us a copy of the authctx and never copies the results
>+ * back to the _real_ authctx. So the following call
>+ * does all the right stuff to sshpam_authctxt, but no
>+ * one is ever going to see it.
>+ */
>+ sshpam_err = sshpam_handle_user_change(sshpam_handle,
>+ sshpam_authctxt);
>+ if (sshpam_err != PAM_SUCCESS)
>+ goto auth_fail;
>+ }
>+
> if (compat20) {
> if (!do_pam_account()) {
> sshpam_err = PAM_ACCT_EXPIRED;
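Review bot: In sshpam_handle_user_change the value returned by pam_get_item() is passed straight to strcmp(), but pam_get_item() can report PAM_SUCCESS with a NULL item, and strcmp() on NULL is undefined behaviour in the daemon's privileged code; add `if (pam_user == NULL) return PAM_AUTH_ERR;` before the comparison. The three error() calls are trace messages on the success path, so every PAM login would emit error-level syslog noise and bury real failures; `debug("PAM: sshpam_handle_user_change enter");` (and likewise for the other two) is the level the rest of auth-pam.c uses for this. If getpwnamallow() returns a pwcopy() like the rest of the tree, `free(authctxt->pw);` releases only the struct and leaks its duplicated string members; worth confirming and freeing them explicitly. Finally, `static` on its own line departs from the file's `static int` layout.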
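Review bot: The block added to sshpam_thread is documented by its own comment as having no effect, because the rename is applied to a private copy of the authctxt that the monitor never reads back; code that is known not to work should not be merged behind a runtime option, since operators enabling PermitPAMUserChange will believe the keyboard-interactive path enforces the rename when it does not. Either drop this call until the monitor propagates the changed user and pw, or make the thread fail the authentication (`goto auth_fail`) whenever PAM reports a name different from authctxt->user, so the mismatch can never be silently accepted. sshpam_thread's body begins and ends outside this hunk.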
>@@ -1206,15 +1254,25 @@
>
> sshpam_err = pam_authenticate(sshpam_handle, flags);
> sshpam_password = NULL;
>- if (sshpam_err == PAM_SUCCESS && authctxt->valid) {
>- debug("PAM: password authentication accepted for %.100s",
>- authctxt->user);
>- return 1;
>- } else {
>+ if (!(sshpam_err == PAM_SUCCESS && authctxt->valid)) {
> debug("PAM: password authentication failed for %.100s: %s",
> authctxt->valid ? authctxt->user : "an illegal user",
> pam_strerror(sshpam_handle, sshpam_err));
> return 0;
> }
>+
>+ if (options.permit_pam_user_change) {
>+ sshpam_err = sshpam_handle_user_change(sshpam_handle,
>+ sshpam_authctxt);
>+ if (sshpam_err != PAM_SUCCESS) {
>+ debug("PAM: failure checking for user change: %s",
>+ pam_strerror(sshpam_handle, sshpam_err));
>+ return 0;
>+ }
>+ }
>+
>+ debug("PAM: password authentication accepted for %.100s",
>+ authctxt->user);
>+ return 1;
> }
> #endif /* USE_PAM */
>diff -uNr openssh-4.6p1/servconf.c openssh-4.6p1.jleu2/servconf.c
>--- openssh-4.6p1/servconf.c 2007-03-01 04:31:29.000000000 -0600
>+++ openssh-4.6p1.jleu2/servconf.c 2007-05-29 11:13:45.000000000 -0500
>@@ -56,6 +56,7 @@
>
> /* Portable-specific options */
> options->use_pam = -1;
>+ options->permit_pam_user_change = -1;
>
> /* Standard Options */
> options->num_ports = 0;
>@@ -130,6 +131,8 @@
> /* Portable-specific options */
> if (options->use_pam == -1)
> options->use_pam = 0;
>+ if (options->permit_pam_user_change == -1)
>+ options->permit_pam_user_change = 0;
>
> /* Standard Options */
> if (options->protocol == SSH_PROTO_UNKNOWN)
>@@ -269,7 +272,7 @@
> typedef enum {
> sBadOption, /* == unknown option */
> /* Portable-specific options */
>- sUsePAM,
>+ sUsePAM, sPermitPAMUserChange,
> /* Standard Options */
> sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
> sPermitRootLogin, sLogFacility, sLogLevel,
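Review bot: In sshpam_auth_passwd the rename helper is handed the file-scope `sshpam_authctxt` while every other line of the function, including the "accepted" debug message right after it, uses the `authctxt` parameter; if the two ever point at different objects the caller's context is left with the pre-rename user and pw and the log reports the wrong name, so pass the same object: `sshpam_err = sshpam_handle_user_change(sshpam_handle, authctxt);`. A PAM-requested rename that getpwnamallow() rejects is an access-control decision, not a trace event, and should be visible to administrators at the level the file uses for denied logins rather than debug(); e.g. `logit("PAM: user change requested by PAM rejected: %s", pam_strerror(sshpam_handle, sshpam_err));`. Note also that with privilege separation only the process running this code sees the new identity, so the audit trail elsewhere in the session may still carry the original name; this is worth calling out in the option's documentation. The enclosing function starts before this hunk.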
>@@ -309,8 +312,10 @@
> /* Portable-specific options */
> #ifdef USE_PAM
> { "usepam", sUsePAM, SSHCFG_GLOBAL },
>+ { "permitpamuserchange", sPermitPAMUserChange, SSHCFG_GLOBAL }
> #else
> { "usepam", sUnsupported, SSHCFG_GLOBAL },
>+ { "permitpamuserchange", sUnsupported, SSHCFG_GLOBAL }
> #endif
> { "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
> /* Standard Options */
>@@ -662,6 +667,10 @@
> intptr = &options->use_pam;
> goto parse_flag;
>
>+ case sPermitPAMUserChange:
>+ intptr = &options->permit_pam_user_change;
>+ goto parse_flag;
>+
> /* Standard Options */
> case sBadOption:
> return -1;
>diff -uNr openssh-4.6p1/servconf.h openssh-4.6p1.jleu2/servconf.h
>--- openssh-4.6p1/servconf.h 2007-02-19 05:25:38.000000000 -0600
>+++ openssh-4.6p1.jleu2/servconf.h 2007-05-29 11:12:45.000000000 -0500
>@@ -137,6 +137,7 @@
> char *adm_forced_command;
>
> int use_pam; /* Enable auth via PAM */
>+ int permit_pam_user_change; /* Allow PAM to change user name */
>
> int permit_tun;
>
>diff -uNr openssh-4.6p1/sshd_config openssh-4.6p1.jleu2/sshd_config
>--- openssh-4.6p1/sshd_config 2006-07-23 23:06:47.000000000 -0500
>+++ openssh-4.6p1.jleu2/sshd_config 2007-05-29 11:14:36.000000000 -0500
>@@ -80,6 +80,10 @@
> # and ChallengeResponseAuthentication to 'no'.
> #UsePAM no
>
>+# Set to 'yes' to allow the PAM stack to change the user name during
>+# calls to authentication
>+#PermitPAMUserChange no
>+
> #AllowTcpForwarding yes
> #GatewayPorts no
> #X11Forwarding no
>diff -uNr openssh-4.6p1/sshd_config.5 openssh-4.6p1.jleu2/sshd_config.5
>--- openssh-4.6p1/sshd_config.5 2007-03-06 04:21:18.000000000 -0600
>+++ openssh-4.6p1.jleu2/sshd_config.5 2007-05-29 11:12:45.000000000 -0500
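Review bot: Both new keyword-table entries in the servconf.c @@ -309 hunk lack the trailing comma that every neighbouring initializer has, so the next element `{ "pamauthenticationviakbdint", ... }` follows an initializer with no separator and the file will not compile in either the USE_PAM or the #else configuration. The lines should read `{ "permitpamuserchange", sPermitPAMUserChange, SSHCFG_GLOBAL },` and `{ "permitpamuserchange", sUnsupported, SSHCFG_GLOBAL },`. The hunk header's 8→10 line count confirms the entries are plain additions, so nothing else in the table moves.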
>@@ -820,6 +820,12 @@
> as a non-root user.
> The default is
> .Dq no .
>+.It Cm PermitPAMUserChange
>+If set to
>+.Dq yes
>+this will enable PAM authentication to change the name of the user being
>+authenticated. The default is
>+.Dq no .
> .It Cm UsePrivilegeSeparation
> Specifies whether
> .Xr sshd 8