Attachment #681 for bug #892

View | Details | Raw Unified | Return to bug 892
Collapse All | Expand All





static struct pam_conv null_conv = { sshpam_null_conv, NULL };

static int
sshpam_store_conv(int n, struct pam_message **msg,
    struct pam_response **resp, void *data)
{
	struct pam_response *reply;
	int i;
	size_t len;

	debug3("PAM: %s called with %d messages", __func__, n);
	*resp = NULL;

	if (n <= 0 || n > PAM_MAX_NUM_MSG)
		return (PAM_CONV_ERR);

	if ((reply = malloc(n * sizeof(*reply))) == NULL)
		return (PAM_CONV_ERR);
	memset(reply, 0, n * sizeof(*reply));

	for (i = 0; i < n; ++i) {
		switch (PAM_MSG_MEMBER(msg, i, msg_style)) {
		case PAM_ERROR_MSG:
		case PAM_TEXT_INFO:
			len = strlen(PAM_MSG_MEMBER(msg, i, msg));
			buffer_append(&loginmsg, PAM_MSG_MEMBER(msg, i, msg), len);
			buffer_append(&loginmsg, "\n", 1 );
			reply[i].resp_retcode = PAM_SUCCESS;
			break;
		default:
			goto fail;
		}
	}
	*resp = reply;
	return (PAM_SUCCESS);

 fail:
	for(i = 0; i < n; i++) {
		if (reply[i].resp != NULL)
			xfree(reply[i].resp);
	}
	xfree(reply);
	return (PAM_CONV_ERR);
}

static struct pam_conv store_conv = { sshpam_store_conv, NULL };

void
sshpam_cleanup(void)
{

	}
	debug("PAM: initializing for \"%s\"", user);
	sshpam_err =
	    pam_start(SSHD_PAM_SERVICE, user, &store_conv, &sshpam_handle);
	sshpam_authctxt = authctxt;

	if (sshpam_err != PAM_SUCCESS) {

u_int
do_pam_account(void)
{
	debug("%s: called", __func__);
	if (sshpam_account_status != -1)
		return (sshpam_account_status);

	sshpam_err = pam_acct_mgmt(sshpam_handle, 0);
	debug3("PAM: %s pam_acct_mgmt = %d (%s)", __func__, sshpam_err,
	    pam_strerror(sshpam_handle, sshpam_err));
	
	if (sshpam_err != PAM_SUCCESS && sshpam_err != PAM_NEW_AUTHTOK_REQD) {
		sshpam_account_status = 0;

do_pam_setcred(int init)
{
	sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
	    (const void *)&store_conv);
	if (sshpam_err != PAM_SUCCESS)
		fatal("PAM: failed to set PAM_CONV: %s",
		    pam_strerror(sshpam_handle, sshpam_err));

		fatal("PAM: pam_chauthtok(): %s",
		    pam_strerror(sshpam_handle, sshpam_err));
}

static int
sshpam_store_conv(int n, struct pam_message **msg,
    struct pam_response **resp, void *data)
{
	struct pam_response *reply;
	int i;
	size_t len;

	debug3("PAM: %s called with %d messages", __func__, n);
	*resp = NULL;

	if (n <= 0 || n > PAM_MAX_NUM_MSG)
		return (PAM_CONV_ERR);

	if ((reply = malloc(n * sizeof(*reply))) == NULL)
		return (PAM_CONV_ERR);
	memset(reply, 0, n * sizeof(*reply));

	for (i = 0; i < n; ++i) {
		switch (PAM_MSG_MEMBER(msg, i, msg_style)) {
		case PAM_ERROR_MSG:
		case PAM_TEXT_INFO:
			len = strlen(PAM_MSG_MEMBER(msg, i, msg));
			buffer_append(&loginmsg, PAM_MSG_MEMBER(msg, i, msg), len);
			buffer_append(&loginmsg, "\n", 1 );
			reply[i].resp_retcode = PAM_SUCCESS;
			break;
		default:
			goto fail;
		}
	}
	*resp = reply;
	return (PAM_SUCCESS);

 fail:
	for(i = 0; i < n; i++) {
		if (reply[i].resp != NULL)
			xfree(reply[i].resp);
	}
	xfree(reply);
	return (PAM_CONV_ERR);
}

static struct pam_conv store_conv = { sshpam_store_conv, NULL };

void
do_pam_session(void)

Lines 137-142 void do_authentication2(Authctxt *); Link Here

(-)auth.h (+1 lines)
137		137
138	void auth_log(Authctxt , int, char , char *);	138	void auth_log(Authctxt , int, char , char *);
139	void userauth_finish(Authctxt , int, char );	139	void userauth_finish(Authctxt , int, char );
		140	void userauth_send_banner(const char *);
140	int auth_root_allowed(char *);	141	int auth_root_allowed(char *);
141		142
142	char *auth2_read_banner(void);	143	char *auth2_read_banner(void);




	return (banner);
}

void
userauth_send_banner(const char *msg)
{
	if (datafellows & SSH_BUG_BANNER)
		return;

	packet_start(SSH2_MSG_USERAUTH_BANNER);
	packet_put_cstring(msg);
	packet_put_cstring("");		/* language, unused */
	packet_send();
	debug("%s: sent", __func__);
}

static void
userauth_banner(void)
{


	if ((banner = PRIVSEP(auth2_read_banner())) == NULL)
		goto done;
	userauth_send_banner(banner);

	packet_start(SSH2_MSG_USERAUTH_BANNER);
	packet_put_cstring(banner);
	packet_put_cstring("");		/* language, unused */
	packet_send();
	debug("userauth_banner: sent");
done:
	if (banner)
		xfree(banner);




#include "dispatch.h"
#include "pathnames.h"
#include "monitor_wrap.h"
#include "buffer.h"

#ifdef GSSAPI
#include "ssh-gss.h"

extern ServerOptions options;
extern u_char *session_id2;
extern u_int session_id2_len;
extern Buffer loginmsg;

/* methods */


		authenticated = 0;

#ifdef USE_PAM
	if (options.use_pam && authenticated) {
		if (!PRIVSEP(do_pam_account())) {
			authenticated = 0;
			/* if PAM returned a message, send it to the user */
			if (buffer_len(&loginmsg) > 0) {
				buffer_append(&loginmsg, "\0", 1);
				userauth_send_banner(buffer_ptr(&loginmsg));
				buffer_clear(&loginmsg);
			}
		}
	}
#endif

#ifdef _UNICOS

Lines 79-84 extern u_char session_id[]; Link Here

(-)monitor.c (+4 lines)
79	extern Buffer input, output;	79	extern Buffer input, output;
80	extern Buffer auth_debug;	80	extern Buffer auth_debug;
81	extern int auth_debug_init;	81	extern int auth_debug_init;
		82	extern Buffer loginmsg;
82		83
83	/* State exported from the child */	84	/* State exported from the child */
84		85
Lines 809-814 mm_answer_pam_account(int sock, Buffer * Link Here
809	ret = do_pam_account();	810	ret = do_pam_account();
810		811
811	buffer_put_int(m, ret);	812	buffer_put_int(m, ret);
		813	buffer_append(&loginmsg, "\0", 1);
		814	buffer_put_cstring(m, buffer_ptr(&loginmsg));
		815	buffer_clear(&loginmsg);
812		816
813	mm_request_send(sock, MONITOR_ANS_PAM_ACCOUNT, m);	817	mm_request_send(sock, MONITOR_ANS_PAM_ACCOUNT, m);
814		818

Lines 71-76 extern z_stream outgoing_stream; Link Here

(-)monitor_wrap.c (+5 lines)
71	extern struct monitor *pmonitor;	71	extern struct monitor *pmonitor;
72	extern Buffer input, output;	72	extern Buffer input, output;
73	extern ServerOptions options;	73	extern ServerOptions options;
		74	extern Buffer loginmsg;
74		75
75	int	76	int
76	mm_is_monitor(void)	77	mm_is_monitor(void)
Lines 711-716 mm_do_pam_account(void) Link Here
711	{	712	{
712	Buffer m;	713	Buffer m;
713	u_int ret;	714	u_int ret;
		715	char *msg;
714		716
715	debug3("%s entering", __func__);	717	debug3("%s entering", __func__);
716	if (!options.use_pam)	718	if (!options.use_pam)
Lines 722-727 mm_do_pam_account(void) Link Here
722	mm_request_receive_expect(pmonitor->m_recvfd,	724	mm_request_receive_expect(pmonitor->m_recvfd,
723	MONITOR_ANS_PAM_ACCOUNT, &m);	725	MONITOR_ANS_PAM_ACCOUNT, &m);
724	ret = buffer_get_int(&m);	726	ret = buffer_get_int(&m);
		727	msg = buffer_get_string(&m, NULL);
		728	buffer_append(&loginmsg, msg, strlen(msg));
		729	xfree(msg);
725		730
726	buffer_free(&m);	731	buffer_free(&m);
727		732

Return to bug 892

Lines 461-466 sshpam_null_conv(int n, struct pam_messa Link Here

(-)auth-pam.c (-48 / +50 lines)
461		461
462	static struct pam_conv null_conv = { sshpam_null_conv, NULL };	462	static struct pam_conv null_conv = { sshpam_null_conv, NULL };
463		463
		464	static int
		465	sshpam_store_conv(int n, struct pam_message **msg,
		466	struct pam_response *resp, void data)
		467	{
		468	struct pam_response *reply;
		469	int i;
		470	size_t len;
		471
		472	debug3("PAM: %s called with %d messages", __func__, n);
		473	*resp = NULL;
		474
		475	if (n <= 0 \|\| n > PAM_MAX_NUM_MSG)
		476	return (PAM_CONV_ERR);
		477
		478	if ((reply = malloc(n * sizeof(*reply))) == NULL)
		479	return (PAM_CONV_ERR);
		480	memset(reply, 0, n * sizeof(*reply));
		481
		482	for (i = 0; i < n; ++i) {
		483	switch (PAM_MSG_MEMBER(msg, i, msg_style)) {
		484	case PAM_ERROR_MSG:
		485	case PAM_TEXT_INFO:
		486	len = strlen(PAM_MSG_MEMBER(msg, i, msg));
		487	buffer_append(&loginmsg, PAM_MSG_MEMBER(msg, i, msg), len);
		488	buffer_append(&loginmsg, "\n", 1 );
		489	reply[i].resp_retcode = PAM_SUCCESS;
		490	break;
		491	default:
		492	goto fail;
		493	}
		494	}
		495	*resp = reply;
		496	return (PAM_SUCCESS);
		497
		498	fail:
		499	for(i = 0; i < n; i++) {
		500	if (reply[i].resp != NULL)
		501	xfree(reply[i].resp);
		502	}
		503	xfree(reply);
		504	return (PAM_CONV_ERR);
		505	}
		506
		507	static struct pam_conv store_conv = { sshpam_store_conv, NULL };
		508
464	void	509	void
465	sshpam_cleanup(void)	510	sshpam_cleanup(void)
466	{	511	{
Lines 498-504 sshpam_init(Authctxt *authctxt) Link Here
498	}	543	}
499	debug("PAM: initializing for \"%s\"", user);	544	debug("PAM: initializing for \"%s\"", user);
500	sshpam_err =	545	sshpam_err =
501	pam_start(SSHD_PAM_SERVICE, user, &null_conv, &sshpam_handle);	546	pam_start(SSHD_PAM_SERVICE, user, &store_conv, &sshpam_handle);
502	sshpam_authctxt = authctxt;	547	sshpam_authctxt = authctxt;
503		548
504	if (sshpam_err != PAM_SUCCESS) {	549	if (sshpam_err != PAM_SUCCESS) {
Lines 730-740 finish_pam(void) Link Here
730	u_int	775	u_int
731	do_pam_account(void)	776	do_pam_account(void)
732	{	777	{
		778	debug("%s: called", __func__);
733	if (sshpam_account_status != -1)	779	if (sshpam_account_status != -1)
734	return (sshpam_account_status);	780	return (sshpam_account_status);
735		781
736	sshpam_err = pam_acct_mgmt(sshpam_handle, 0);	782	sshpam_err = pam_acct_mgmt(sshpam_handle, 0);
737	debug3("PAM: %s pam_acct_mgmt = %d", __func__, sshpam_err);	783	debug3("PAM: %s pam_acct_mgmt = %d (%s)", __func__, sshpam_err,
		784	pam_strerror(sshpam_handle, sshpam_err));
738		785
739	if (sshpam_err != PAM_SUCCESS && sshpam_err != PAM_NEW_AUTHTOK_REQD) {	786	if (sshpam_err != PAM_SUCCESS && sshpam_err != PAM_NEW_AUTHTOK_REQD) {
740	sshpam_account_status = 0;	787	sshpam_account_status = 0;
Lines 764-770 void Link Here
764	do_pam_setcred(int init)	811	do_pam_setcred(int init)
765	{	812	{
766	sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,	813	sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
767	(const void *)&null_conv);	814	(const void *)&store_conv);
768	if (sshpam_err != PAM_SUCCESS)	815	if (sshpam_err != PAM_SUCCESS)
769	fatal("PAM: failed to set PAM_CONV: %s",	816	fatal("PAM: failed to set PAM_CONV: %s",
770	pam_strerror(sshpam_handle, sshpam_err));	817	pam_strerror(sshpam_handle, sshpam_err));
Lines 863-913 do_pam_chauthtok(void) Link Here
863	fatal("PAM: pam_chauthtok(): %s",	910	fatal("PAM: pam_chauthtok(): %s",
864	pam_strerror(sshpam_handle, sshpam_err));	911	pam_strerror(sshpam_handle, sshpam_err));
865	}	912	}
866
867	static int
868	sshpam_store_conv(int n, struct pam_message **msg,
869	struct pam_response *resp, void data)
870	{
871	struct pam_response *reply;
872	int i;
873	size_t len;
874
875	debug3("PAM: %s called with %d messages", __func__, n);
876	*resp = NULL;
877
878	if (n <= 0 \|\| n > PAM_MAX_NUM_MSG)
879	return (PAM_CONV_ERR);
880
881	if ((reply = malloc(n * sizeof(*reply))) == NULL)
882	return (PAM_CONV_ERR);
883	memset(reply, 0, n * sizeof(*reply));
884
885	for (i = 0; i < n; ++i) {
886	switch (PAM_MSG_MEMBER(msg, i, msg_style)) {
887	case PAM_ERROR_MSG:
888	case PAM_TEXT_INFO:
889	len = strlen(PAM_MSG_MEMBER(msg, i, msg));
890	buffer_append(&loginmsg, PAM_MSG_MEMBER(msg, i, msg), len);
891	buffer_append(&loginmsg, "\n", 1 );
892	reply[i].resp_retcode = PAM_SUCCESS;
893	break;
894	default:
895	goto fail;
896	}
897	}
898	*resp = reply;
899	return (PAM_SUCCESS);
900
901	fail:
902	for(i = 0; i < n; i++) {
903	if (reply[i].resp != NULL)
904	xfree(reply[i].resp);
905	}
906	xfree(reply);
907	return (PAM_CONV_ERR);
908	}
909
910	static struct pam_conv store_conv = { sshpam_store_conv, NULL };
911		913
912	void	914	void
913	do_pam_session(void)	915	do_pam_session(void)

Lines 35-40 RCSID("$OpenBSD: auth2.c,v 1.105 2004/05 Link Here

(-)auth2.c (-2 / +13 lines)
35	#include "dispatch.h"	35	#include "dispatch.h"
36	#include "pathnames.h"	36	#include "pathnames.h"
37	#include "monitor_wrap.h"	37	#include "monitor_wrap.h"
		38	#include "buffer.h"
38		39
39	#ifdef GSSAPI	40	#ifdef GSSAPI
40	#include "ssh-gss.h"	41	#include "ssh-gss.h"
Lines 44-49 RCSID("$OpenBSD: auth2.c,v 1.105 2004/05 Link Here
44	extern ServerOptions options;	45	extern ServerOptions options;
45	extern u_char *session_id2;	46	extern u_char *session_id2;
46	extern u_int session_id2_len;	47	extern u_int session_id2_len;
		48	extern Buffer loginmsg;
47		49
48	/* methods */	50	/* methods */
49		51
Lines 216-223 userauth_finish(Authctxt *authctxt, int Link Here
216	authenticated = 0;	218	authenticated = 0;
217		219
218	#ifdef USE_PAM	220	#ifdef USE_PAM
219	if (options.use_pam && authenticated && !PRIVSEP(do_pam_account()))	221	if (options.use_pam && authenticated) {
220	authenticated = 0;	222	if (!PRIVSEP(do_pam_account())) {
		223	authenticated = 0;
		224	/* if PAM returned a message, send it to the user */
		225	if (buffer_len(&loginmsg) > 0) {
		226	buffer_append(&loginmsg, "\0", 1);
		227	userauth_send_banner(buffer_ptr(&loginmsg));
		228	buffer_clear(&loginmsg);
		229	}
		230	}
		231	}
221	#endif	232	#endif
222		233
223	#ifdef _UNICOS	234	#ifdef _UNICOS

Lines 74-79 auth2_read_banner(void) Link Here

(-)auth2-none.c (-5 / +14 lines)
74	return (banner);	74	return (banner);
75	}	75	}
76		76
		77	void
		78	userauth_send_banner(const char *msg)
		79	{
		80	if (datafellows & SSH_BUG_BANNER)
		81	return;
		82
		83	packet_start(SSH2_MSG_USERAUTH_BANNER);
		84	packet_put_cstring(msg);
		85	packet_put_cstring(""); /* language, unused */
		86	packet_send();
		87	debug("%s: sent", __func__);
		88	}
		89
77	static void	90	static void
78	userauth_banner(void)	91	userauth_banner(void)
79	{	92	{
Lines 84-95 userauth_banner(void) Link Here
84		97
85	if ((banner = PRIVSEP(auth2_read_banner())) == NULL)	98	if ((banner = PRIVSEP(auth2_read_banner())) == NULL)
86	goto done;	99	goto done;
		100	userauth_send_banner(banner);
87		101
88	packet_start(SSH2_MSG_USERAUTH_BANNER);
89	packet_put_cstring(banner);
90	packet_put_cstring(""); /* language, unused */
91	packet_send();
92	debug("userauth_banner: sent");
93	done:	102	done:
94	if (banner)	103	if (banner)
95	xfree(banner);	104	xfree(banner);