Bugzilla – Attachment 646 Details for
Bug 874
(Re)Add PAM PasswordAuthentication support
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
re-add PasswordAuthentication and UsePAM take 3
openssh-pam-passwd.patch (text/plain), 4.31 KB, created by
Darren Tucker
on 2004-05-28 23:06:48 AEST
(
hide
)
Description:
re-add PasswordAuthentication and UsePAM take 3
Filename:
MIME Type:
Creator:
Darren Tucker
Created:
2004-05-28 23:06:48 AEST
Size:
4.31 KB
patch
obsolete
>Index: auth-pam.c >=================================================================== >RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth-pam.c,v >retrieving revision 1.102 >diff -u -p -r1.102 auth-pam.c >--- auth-pam.c 24 May 2004 01:55:36 -0000 1.102 >+++ auth-pam.c 28 May 2004 12:57:43 -0000 >@@ -169,6 +169,7 @@ static int sshpam_cred_established = 0; > static int sshpam_account_status = -1; > static char **sshpam_env = NULL; > static Authctxt *sshpam_authctxt = NULL; >+static const char *sshpam_password = NULL; > > /* Some PAM implementations don't implement this */ > #ifndef HAVE_PAM_GETENVLIST >@@ -951,4 +952,100 @@ free_pam_environment(char **env) > xfree(env); > } > >+/* >+ * "Blind" conversation function for password authentication. Assumes that >+ * echo-off prompts are for the password and stores messages for later >+ * display. >+ */ >+static int >+sshpam_passwd_conv(int n, const struct pam_message **msg, >+ struct pam_response **resp, void *data) >+{ >+ struct pam_response *reply; >+ int i; >+ size_t len; >+ >+ debug3("PAM: %s called with %d messages", __func__, n); >+ >+ *resp = NULL; >+ >+ if (n <= 0 || n > PAM_MAX_NUM_MSG) >+ return (PAM_CONV_ERR); >+ >+ if ((reply = malloc(n * sizeof(*reply))) == NULL) >+ return (PAM_CONV_ERR); >+ memset(reply, 0, n * sizeof(*reply)); >+ >+ for (i = 0; i < n; ++i) { >+ switch (PAM_MSG_MEMBER(msg, i, msg_style)) { >+ case PAM_PROMPT_ECHO_OFF: >+ if (sshpam_password == NULL) >+ goto fail; >+ reply[i].resp = xstrdup(sshpam_password); >+ reply[i].resp_retcode = PAM_SUCCESS; >+ break; >+ case PAM_ERROR_MSG: >+ case PAM_TEXT_INFO: >+ len = strlen(PAM_MSG_MEMBER(msg, i, msg)); >+ if (len > 0) { >+ buffer_append(&loginmsg, >+ PAM_MSG_MEMBER(msg, i, msg), len); >+ buffer_append(&loginmsg, "\n", 1); >+ } >+ reply[i].resp = xstrdup(""); >+ reply[i].resp_retcode = PAM_SUCCESS; >+ break; >+ default: >+ goto fail; >+ } >+ } >+ *resp = reply; >+ return (PAM_SUCCESS); >+ >+ fail: >+ for(i = 0; i < n; i++) { >+ if (reply[i].resp != NULL) >+ xfree(reply[i].resp); >+ } >+ xfree(reply); >+ return (PAM_CONV_ERR); >+} >+ >+static struct pam_conv passwd_conv = { sshpam_passwd_conv, NULL }; >+ >+/* >+ * Attempt password authentication via PAM >+ */ >+int >+sshpam_auth_passwd(Authctxt *authctxt, const char *password) >+{ >+ int flags = (options.permit_empty_passwd == 0 ? >+ PAM_DISALLOW_NULL_AUTHTOK : 0); >+ >+ if (!options.use_pam || sshpam_handle == NULL) >+ fatal("PAM: %s called when PAM disabled or failed to " >+ "initialise.", __func__); >+ >+ sshpam_password = password; >+ sshpam_authctxt = authctxt; >+ >+ sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, >+ (const void *)&passwd_conv); >+ if (sshpam_err != PAM_SUCCESS) >+ fatal("PAM: %s: failed to set PAM_CONV: %s", __func__, >+ pam_strerror(sshpam_handle, sshpam_err)); >+ >+ sshpam_err = pam_authenticate(sshpam_handle, flags); >+ sshpam_password = NULL; >+ if (sshpam_err == PAM_SUCCESS && authctxt->valid) { >+ debug("PAM: password authentication accepted for %.100s", >+ authctxt->user); >+ return 1; >+ } else { >+ debug("PAM: password authentication failed for %.100s: %s", >+ authctxt->valid ? authctxt->user : "an illegal user", >+ pam_strerror(sshpam_handle, sshpam_err)); >+ return 0; >+ } >+} > #endif /* USE_PAM */ >Index: auth-pam.h >=================================================================== >RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth-pam.h,v >retrieving revision 1.25 >diff -u -p -r1.25 auth-pam.h >--- auth-pam.h 8 Mar 2004 12:04:07 -0000 1.25 >+++ auth-pam.h 28 May 2004 11:18:05 -0000 >@@ -44,5 +44,6 @@ char ** fetch_pam_child_environment(void > void free_pam_environment(char **); > void sshpam_thread_cleanup(void); > void sshpam_cleanup(void); >+int sshpam_auth_passwd(Authctxt *, const char *); > > #endif /* USE_PAM */ >Index: auth-passwd.c >=================================================================== >RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth-passwd.c,v >retrieving revision 1.73 >diff -u -p -r1.73 auth-passwd.c >--- auth-passwd.c 4 Mar 2004 11:59:37 -0000 1.73 >+++ auth-passwd.c 28 May 2004 11:18:30 -0000 >@@ -91,6 +91,10 @@ auth_password(Authctxt *authctxt, const > return ok; > } > #endif >+#ifdef USE_PAM >+ if (options.use_pam) >+ return (sshpam_auth_passwd(authctxt, password) && ok); >+#endif > #if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE) > if (!expire_checked) { > expire_checked = 1;
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=646">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Flags:
djm
:
ok+
Actions:
View
|
Diff
Attachments on
bug 874
:
644
|
645
| 646