Bugzilla – Attachment 370 Details for
Bug 442
sshd allows login via public-key when account locked
[patch]
Fix options.use_pam and log -> logit.
openssh-pwlock7.patch (text/plain), 6.78 KB, created by
Darren Tucker
on 2003-08-25 10:37:40 AEST
Description:
Fix options.use_pam and log -> logit.
Filename:
MIME Type:
Creator:
Darren Tucker
Created:
2003-08-25 10:37:40 AEST
Size:
6.78 KB
patch
obsolete
>Index: acconfig.h
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/acconfig.h,v
>retrieving revision 1.160
>diff -u -p -r1.160 acconfig.h
>--- acconfig.h 2 Aug 2003 12:24:49 -0000 1.160
>+++ acconfig.h 4 Aug 2003 12:05:46 -0000
>@@ -398,6 +398,11 @@
> /* Define if cmsg_type is not passed correctly */
> #undef BROKEN_CMSG_TYPE
> 
>+/* Strings used in /etc/passwd to denote locked account */
>+#undef LOCKED_PASSWD_STRING
>+#undef LOCKED_PASSWD_PREFIX
>+#undef LOCKED_PASSWD_SUBSTR
>+
> /* Define if DNS support is to be activated */
> #undef DNS
> 
>Index: auth.c
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth.c,v
>retrieving revision 1.74
>diff -u -p -r1.74 auth.c
>--- auth.c 8 Jul 2003 12:59:59 -0000 1.74
>+++ auth.c 25 Aug 2003 00:35:07 -0000
>@@ -73,23 +73,25 @@ int
> allowed_user(struct passwd * pw)
> {
> struct stat st;
>- const char *hostname = NULL, *ipaddr = NULL;
>+ const char *hostname = NULL, *ipaddr = NULL, *passwd;
> char *shell;
> int i;
>-#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) && \
>- defined(HAS_SHADOW_EXPIRE)
>- struct spwd *spw;
>- time_t today;
>+#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
>+ struct spwd *spw = NULL;
> #endif
> 
> /* Shouldn't be called if pw is NULL, but better safe than sorry... */
> if (!pw || !pw->pw_name)
> return 0;
> 
>-#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) && \
>- defined(HAS_SHADOW_EXPIRE)
>+#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
>+ if (!options.use_pam)
>+ spw = getspnam(pw->pw_name);
>+#ifdef HAS_SHADOW_EXPIRE
> #define DAY (24L * 60 * 60) /* 1 day in seconds */
>- if (!options.use_pam && (spw = getspnam(pw->pw_name)) != NULL) {
>+ if (!options.use_pam && spw != NULL) {
>+ time_t today;
>+ 
> today = time(NULL) / DAY;
> debug3("allowed_user: today %d sp_expire %d sp_lstchg %d"
> " sp_max %d", (int)today, (int)spw->sp_expire,
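Review bot: `passwd` is declared without an initializer on the new `const char *hostname = NULL, *ipaddr = NULL, *passwd;` line, but the second auth.c hunk (`@@ -117,7 +119,40`) assigns it in the shadow build only when `spw != NULL`; when PAM is in use or `getspnam()` returns NULL, the later `if (passwd && *passwd)` reads an indeterminate pointer, which is undefined behaviour inside a privileged daemon and may either skip the lock check or dereference garbage. Initialise it where it is declared: `const char *hostname = NULL, *ipaddr = NULL, *passwd = NULL;`. The same fix covers the second hunk, so no change is needed there. allowed_user's body continues past the end of this hunk.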
>@@ -117,7 +119,40 @@ allowed_user(struct passwd * pw)
> return 0;
> }
> }
>+#endif /* !defined(USE_PAM) && defined(HAS_SHADOW_EXPIRE) */
>+#endif /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */
>+
>+ /* grab passwd field for locked account check */
>+#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
>+ if (spw != NULL)
>+ passwd = spw->sp_pwdp;
>+#else
>+ passwd = pw->pw_passwd;
>+#endif
>+
>+ /* check for locked account */
>+ if (passwd && *passwd) {
>+ int locked = 0;
>+
>+#ifdef LOCKED_PASSWD_STRING
>+ if (strcmp(passwd, LOCKED_PASSWD_STRING) == 0)
>+ locked = 1;
>+#endif
>+#ifdef LOCKED_PASSWD_PREFIX
>+ if (strncmp(passwd, LOCKED_PASSWD_PREFIX,
>+ strlen(LOCKED_PASSWD_PREFIX)) == 0)
>+ locked = 1;
> #endif
>+#ifdef LOCKED_PASSWD_SUBSTR
>+ if (strstr(passwd, LOCKED_PASSWD_SUBSTR))
>+ locked = 1;
>+#endif
>+ if (locked) {
>+ logit("User %.100s not allowed because account is locked",
>+ pw->pw_name);
>+ return 0;
>+ }
>+ }
> 
> /*
> * Get the shell from the password data. An empty shell field is
>Index: configure.ac
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/configure.ac,v
>retrieving revision 1.140
>diff -u -p -r1.140 configure.ac
>--- configure.ac 21 Aug 2003 07:58:29 -0000 1.140
>+++ configure.ac 22 Aug 2003 03:32:26 -0000
>@@ -141,6 +141,7 @@ main() { if (NSVersionOfRunTimeLibrary("
> AC_DEFINE(LOGIN_NEEDS_UTMPX)
> AC_DEFINE(DISABLE_SHADOW)
> AC_DEFINE(DISABLE_UTMP)
>+ AC_DEFINE(LOCKED_PASSWD_STRING, "*")
> AC_DEFINE(SPT_TYPE,SPT_PSTAT)
> LIBS="$LIBS -lsec -lsecpw"
> AC_CHECK_LIB(xnet, t_error, ,AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***]))
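Review bot: The closing comment on the new `#endif /* !defined(USE_PAM) && defined(HAS_SHADOW_EXPIRE) */` line does not describe the directive it closes: that `#endif` pairs with the `#ifdef HAS_SHADOW_EXPIRE` introduced in the previous hunk, and the PAM decision is the runtime `options.use_pam` test rather than a preprocessor condition, so it should read `#endif /* HAS_SHADOW_EXPIRE */`. Separately, in the shadow build the locked-account check is bypassed without any trace whenever `spw` is NULL (PAM in use, or the `getspnam()` lookup failed), and an operator relying on this fix has no way to see from the logs that it did not run; adding `else debug("allowed_user: no shadow entry for %.100s, lock check skipped", pw->pw_name);` to the `if (spw != NULL)` branch would make that visible. allowed_user continues outside this hunk.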
>@@ -157,6 +158,7 @@ main() { if (NSVersionOfRunTimeLibrary("
> AC_DEFINE(LOGIN_NEEDS_UTMPX)
> AC_DEFINE(DISABLE_SHADOW)
> AC_DEFINE(DISABLE_UTMP)
>+ AC_DEFINE(LOCKED_PASSWD_STRING, "*")
> AC_DEFINE(SPT_TYPE,SPT_PSTAT)
> LIBS="$LIBS -lsec"
> AC_CHECK_LIB(xnet, t_error, ,AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***]))
>@@ -170,6 +172,7 @@ main() { if (NSVersionOfRunTimeLibrary("
> AC_DEFINE(LOGIN_NEEDS_UTMPX)
> AC_DEFINE(DISABLE_SHADOW)
> AC_DEFINE(DISABLE_UTMP)
>+ AC_DEFINE(LOCKED_PASSWD_STRING, "*")
> AC_DEFINE(SPT_TYPE,SPT_PSTAT)
> LIBS="$LIBS -lsec"
> AC_CHECK_LIB(xnet, t_error, ,AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***]))
>@@ -180,6 +183,7 @@ main() { if (NSVersionOfRunTimeLibrary("
> PATH="$PATH:/usr/etc"
> AC_DEFINE(BROKEN_INET_NTOA)
> AC_DEFINE(WITH_ABBREV_NO_TTY)
>+ AC_DEFINE(LOCKED_PASSWD_STRING, "*LK*")
> ;;
> *-*-irix6*)
> CPPFLAGS="$CPPFLAGS -I/usr/local/include"
>@@ -191,6 +195,7 @@ main() { if (NSVersionOfRunTimeLibrary("
> AC_CHECK_FUNC(jlimit_startjob, [AC_DEFINE(WITH_IRIX_JOBS)])
> AC_DEFINE(BROKEN_INET_NTOA)
> AC_DEFINE(WITH_ABBREV_NO_TTY)
>+ AC_DEFINE(LOCKED_PASSWD_STRING, "*LK*")
> ;;
> *-*-linux*)
> no_dev_ptmx=1
>@@ -198,6 +203,7 @@ main() { if (NSVersionOfRunTimeLibrary("
> check_for_openpty_ctty_bug=1
> AC_DEFINE(DONT_TRY_OTHER_AF)
> AC_DEFINE(PAM_TTY_KLUDGE)
>+ AC_DEFINE(LOCKED_PASSWD_PREFIX, "!!")
> AC_DEFINE(SPT_TYPE,SPT_REUSEARGV)
> inet6_default_4in6=yes
> case `uname -r` in
>@@ -237,6 +243,7 @@ mips-sony-bsd|mips-sony-newsos4)
> AC_DEFINE(LOGIN_NEEDS_UTMPX)
> AC_DEFINE(LOGIN_NEEDS_TERM)
> AC_DEFINE(PAM_TTY_KLUDGE)
>+ AC_DEFINE(LOCKED_PASSWD_STRING, "*LK*")
> # Pushing STREAMS modules will cause sshd to acquire a controlling tty.
> AC_DEFINE(SSHD_ACQUIRES_CTTY)
> # hardwire lastlog location (can't detect it on some versions)
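Review bot: The Linux entry's `AC_DEFINE(LOCKED_PASSWD_PREFIX, "!!")` in the `@@ -198,6 +203,7` hunk only recognises the two-character `!!` marker; on shadow-utils based systems `passwd -l` and `usermod -L` commonly lock an account by prepending a single `!` to the existing hash, which this prefix test would not match, so the gap the bug title describes would likely remain for the most common Linux locking method. Defining the one-character prefix `AC_DEFINE(LOCKED_PASSWD_PREFIX, "!")` covers both forms, since a `!!` field also begins with `!`. The `\&!!` wording added to sshd.8 in the final hunk should be adjusted to match whichever value is chosen.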
>@@ -362,6 +369,7 @@ mips-sony-bsd|mips-sony-newsos4)
> fi
> fi
> AC_DEFINE(DISABLE_FD_PASSING)
>+ AC_DEFINE(LOCKED_PASSWD_SUBSTR, "Nologin")
> ;;
> 
> *-*-nto-qnx)
>Index: sshd.8
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/sshd.8,v
>retrieving revision 1.156
>diff -u -p -r1.156 sshd.8
>--- sshd.8 13 Aug 2003 10:37:05 -0000 1.156
>+++ sshd.8 22 Aug 2003 03:29:49 -0000
>@@ -114,6 +114,29 @@ authentication combined with RSA host
> authentication, RSA challenge-response authentication, or password
> based authentication.
> .Pp
>+Regardless of the authentication type, the account is checked to
>+ensure that it is accessible. An account is not accessible if it is
>+locked, listed in
>+.Cm DenyUsers
>+or its group is listed in
>+.Cm DenyGroups
>+\&. The definition of a locked account is system dependant. Some platforms
>+have their own account database (eg AIX) and some modify the passwd field (
>+.Ql \&*LK\&*
>+on Solaris,
>+.Ql \&*
>+on HP-UX, containing
>+.Ql Nologin
>+on Tru64 and a leading
>+.Ql \&!!
>+on Linux). If there is a requirement to disable password authentication
>+for the account while allowing still public-key, then the passwd field
>+should be set to something other than these values (eg
>+.Ql NP
>+or
>+.Ql \&*NP\&*
>+).
>+.Pp
> Rhosts authentication is normally disabled
> because it is fundamentally insecure, but can be enabled in the server
> configuration file if desired.
Flags:
djm
:
ok+