Bugzilla – Attachment 681 Details for
Bug 892
Send output from PAM account modules to user
[patch]
Collect PAM auth messages and send with SSH2_BANNER
openssh-pam-banner.patch (text/plain), 8.16 KB, created by
Darren Tucker
on 2004-07-05 17:25:44 AEST
Description:
Collect PAM auth messages and send with SSH2_BANNER
Filename:
MIME Type:
Creator:
Darren Tucker
Created:
2004-07-05 17:25:44 AEST
Size:
8.16 KB
patch
obsolete
>Index: auth-pam.c
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth-pam.c,v
>retrieving revision 1.110
>diff -u -p -r1.110 auth-pam.c
>--- auth-pam.c 1 Jul 2004 04:00:15 -0000 1.110
>+++ auth-pam.c 5 Jul 2004 00:05:12 -0000
>@@ -461,6 +461,51 @@ sshpam_null_conv(int n, struct pam_messa
>
> static struct pam_conv null_conv = { sshpam_null_conv, NULL };
>
>+static int
>+sshpam_store_conv(int n, struct pam_message **msg,
>+ struct pam_response **resp, void *data)
>+{
>+ struct pam_response *reply;
>+ int i;
>+ size_t len;
>+
>+ debug3("PAM: %s called with %d messages", __func__, n);
>+ *resp = NULL;
>+
>+ if (n <= 0 || n > PAM_MAX_NUM_MSG)
>+ return (PAM_CONV_ERR);
>+
>+ if ((reply = malloc(n * sizeof(*reply))) == NULL)
>+ return (PAM_CONV_ERR);
>+ memset(reply, 0, n * sizeof(*reply));
>+
>+ for (i = 0; i < n; ++i) {
>+ switch (PAM_MSG_MEMBER(msg, i, msg_style)) {
>+ case PAM_ERROR_MSG:
>+ case PAM_TEXT_INFO:
>+ len = strlen(PAM_MSG_MEMBER(msg, i, msg));
>+ buffer_append(&loginmsg, PAM_MSG_MEMBER(msg, i, msg), len);
>+ buffer_append(&loginmsg, "\n", 1 );
>+ reply[i].resp_retcode = PAM_SUCCESS;
>+ break;
>+ default:
>+ goto fail;
>+ }
>+ }
>+ *resp = reply;
>+ return (PAM_SUCCESS);
>+
>+ fail:
>+ for(i = 0; i < n; i++) {
>+ if (reply[i].resp != NULL)
>+ xfree(reply[i].resp);
>+ }
>+ xfree(reply);
>+ return (PAM_CONV_ERR);
>+}
>+
>+static struct pam_conv store_conv = { sshpam_store_conv, NULL };
>+
> void
> sshpam_cleanup(void)
> {
>@@ -498,7 +543,7 @@ sshpam_init(Authctxt *authctxt)
> }
> debug("PAM: initializing for \"%s\"", user);
> sshpam_err =
>- pam_start(SSHD_PAM_SERVICE, user, &null_conv, &sshpam_handle);
>+ pam_start(SSHD_PAM_SERVICE, user, &store_conv, &sshpam_handle);
> sshpam_authctxt = authctxt;
>
> if (sshpam_err != PAM_SUCCESS) {
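Review bot: The `fail:` path in sshpam_store_conv walks every entry freeing `reply[i].resp`, but this conversation never assigns `resp` and the memset just above zeroes it, so the loop can never free anything and the error path reduces to `xfree(reply); return (PAM_CONV_ERR);`. The `malloc` followed by `memset` could likewise be `calloc(n, sizeof(*reply))`, which makes the zeroing explicit and cannot be separated from the allocation. The body appears identical to the one removed further down in this file by the @@ -863 hunk, so this is a move rather than new logic; since the function now has no comment at all, a line on the `default:` case would record the intent, e.g. `/* Only informational messages can be stored; a prompt cannot be answered here, so fail the conversation. */`.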
>@@ -730,11 +775,13 @@ finish_pam(void)
> u_int
> do_pam_account(void)
> {
>+ debug("%s: called", __func__);
> if (sshpam_account_status != -1)
> return (sshpam_account_status);
>
> sshpam_err = pam_acct_mgmt(sshpam_handle, 0);
>- debug3("PAM: %s pam_acct_mgmt = %d", __func__, sshpam_err);
>+ debug3("PAM: %s pam_acct_mgmt = %d (%s)", __func__, sshpam_err,
>+ pam_strerror(sshpam_handle, sshpam_err));
>
> if (sshpam_err != PAM_SUCCESS && sshpam_err != PAM_NEW_AUTHTOK_REQD) {
> sshpam_account_status = 0;
>@@ -764,7 +811,7 @@ void
> do_pam_setcred(int init)
> {
> sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
>- (const void *)&null_conv);
>+ (const void *)&store_conv);
> if (sshpam_err != PAM_SUCCESS)
> fatal("PAM: failed to set PAM_CONV: %s",
> pam_strerror(sshpam_handle, sshpam_err));
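Review bot: The new entry trace in do_pam_account is emitted with `debug()` while the existing PAM tracing two lines below uses `debug3()` and the conversation function's own trace is also `debug3()`; a per-call "called" line at level 1 will appear in ordinary `sshd -d` output on every account check. Suggest `debug3("%s: called", __func__);` so the noise level matches the rest of the PAM path, or dropping the line since the `pam_acct_mgmt = %d (%s)` trace already records each real invocation. The rest of do_pam_account continues outside the hunk.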
>@@ -863,51 +910,6 @@ do_pam_chauthtok(void)
> fatal("PAM: pam_chauthtok(): %s",
> pam_strerror(sshpam_handle, sshpam_err));
> }
>-
>-static int
>-sshpam_store_conv(int n, struct pam_message **msg,
>- struct pam_response **resp, void *data)
>-{
>- struct pam_response *reply;
>- int i;
>- size_t len;
>-
>- debug3("PAM: %s called with %d messages", __func__, n);
>- *resp = NULL;
>-
>- if (n <= 0 || n > PAM_MAX_NUM_MSG)
>- return (PAM_CONV_ERR);
>-
>- if ((reply = malloc(n * sizeof(*reply))) == NULL)
>- return (PAM_CONV_ERR);
>- memset(reply, 0, n * sizeof(*reply));
>-
>- for (i = 0; i < n; ++i) {
>- switch (PAM_MSG_MEMBER(msg, i, msg_style)) {
>- case PAM_ERROR_MSG:
>- case PAM_TEXT_INFO:
>- len = strlen(PAM_MSG_MEMBER(msg, i, msg));
>- buffer_append(&loginmsg, PAM_MSG_MEMBER(msg, i, msg), len);
>- buffer_append(&loginmsg, "\n", 1 );
>- reply[i].resp_retcode = PAM_SUCCESS;
>- break;
>- default:
>- goto fail;
>- }
>- }
>- *resp = reply;
>- return (PAM_SUCCESS);
>-
>- fail:
>- for(i = 0; i < n; i++) {
>- if (reply[i].resp != NULL)
>- xfree(reply[i].resp);
>- }
>- xfree(reply);
>- return (PAM_CONV_ERR);
>-}
>-
>-static struct pam_conv store_conv = { sshpam_store_conv, NULL };
>
> void
> do_pam_session(void)
>Index: auth.h
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth.h,v
>retrieving revision 1.62
>diff -u -p -r1.62 auth.h
>--- auth.h 24 May 2004 00:36:23 -0000 1.62
>+++ auth.h 5 Jul 2004 03:51:48 -0000
>@@ -137,6 +137,7 @@ void do_authentication2(Authctxt *);
>
> void auth_log(Authctxt *, int, char *, char *);
> void userauth_finish(Authctxt *, int, char *);
>+void userauth_send_banner(const char *);
> int auth_root_allowed(char *);
>
> char *auth2_read_banner(void);
>Index: auth2-none.c
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth2-none.c,v
>retrieving revision 1.7
>diff -u -p -r1.7 auth2-none.c
>--- auth2-none.c 13 May 2004 06:39:33 -0000 1.7
>+++ auth2-none.c 5 Jul 2004 03:56:10 -0000
>@@ -74,6 +74,19 @@ auth2_read_banner(void)
> return (banner);
> }
>
>+void
>+userauth_send_banner(const char *msg)
>+{
>+ if (datafellows & SSH_BUG_BANNER)
>+ return;
>+
>+ packet_start(SSH2_MSG_USERAUTH_BANNER);
>+ packet_put_cstring(msg);
>+ packet_put_cstring(""); /* language, unused */
>+ packet_send();
>+ debug("%s: sent", __func__);
>+}
>+
> static void
> userauth_banner(void)
> {
>@@ -84,12 +97,8 @@ userauth_banner(void)
>
> if ((banner = PRIVSEP(auth2_read_banner())) == NULL)
> goto done;
>+ userauth_send_banner(banner);
>
>- packet_start(SSH2_MSG_USERAUTH_BANNER);
>- packet_put_cstring(banner);
>- packet_put_cstring(""); /* language, unused */
>- packet_send();
>- debug("userauth_banner: sent");
> done:
> if (banner)
> xfree(banner);
>Index: auth2.c
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth2.c,v
>retrieving revision 1.128
>diff -u -p -r1.128 auth2.c
>--- auth2.c 24 May 2004 00:36:23 -0000 1.128
>+++ auth2.c 5 Jul 2004 04:05:12 -0000
>@@ -35,6 +35,7 @@ RCSID("$OpenBSD: auth2.c,v 1.105 2004/05
> #include "dispatch.h"
> #include "pathnames.h"
> #include "monitor_wrap.h"
>+#include "buffer.h"
>
> #ifdef GSSAPI
> #include "ssh-gss.h"
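Review bot: The new userauth_send_banner in auth2-none.c (the @@ -74 hunk) has no header comment, yet unlike the inline code it replaces in userauth_banner it is now exported through auth.h and called with text that did not come from the banner file; it hands `msg` straight to packet_put_cstring, so a NULL or unterminated argument is a caller bug the function cannot detect. Suggest documenting the contract above the definition: `/* Send msg to the client as an SSH2_MSG_USERAUTH_BANNER. msg must be a NUL-terminated string; nothing is sent to clients flagged SSH_BUG_BANNER. */`. The remaining hunks in this span (the auth.h prototype, the userauth_banner refactor and the auth2.c include) only wire the function up.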
>@@ -44,6 +45,7 @@ RCSID("$OpenBSD: auth2.c,v 1.105 2004/05
> extern ServerOptions options;
> extern u_char *session_id2;
> extern u_int session_id2_len;
>+extern Buffer loginmsg;
>
> /* methods */
>
>@@ -216,8 +218,17 @@ userauth_finish(Authctxt *authctxt, int
> authenticated = 0;
>
> #ifdef USE_PAM
>- if (options.use_pam && authenticated && !PRIVSEP(do_pam_account()))
>- authenticated = 0;
>+ if (options.use_pam && authenticated) {
>+ if (!PRIVSEP(do_pam_account())) {
>+ authenticated = 0;
>+ /* if PAM returned a message, send it to the user */
>+ if (buffer_len(&loginmsg) > 0) {
>+ buffer_append(&loginmsg, "\0", 1);
>+ userauth_send_banner(buffer_ptr(&loginmsg));
>+ buffer_clear(&loginmsg);
>+ }
>+ }
>+ }
> #endif
>
> #ifdef _UNICOS
>Index: monitor.c
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/monitor.c,v
>retrieving revision 1.75
>diff -u -p -r1.75 monitor.c
>--- monitor.c 22 Jun 2004 05:06:46 -0000 1.75
>+++ monitor.c 3 Jul 2004 10:06:41 -0000
>@@ -79,6 +79,7 @@ extern u_char session_id[];
> extern Buffer input, output;
> extern Buffer auth_debug;
> extern int auth_debug_init;
>+extern Buffer loginmsg;
>
> /* State exported from the child */
>
>@@ -809,6 +810,9 @@ mm_answer_pam_account(int sock, Buffer *
> ret = do_pam_account();
>
> buffer_put_int(m, ret);
>+ buffer_append(&loginmsg, "\0", 1);
>+ buffer_put_cstring(m, buffer_ptr(&loginmsg));
>+ buffer_clear(&loginmsg);
>
> mm_request_send(sock, MONITOR_ANS_PAM_ACCOUNT, m);
>
>Index: monitor_wrap.c
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/monitor_wrap.c,v
>retrieving revision 1.46
>diff -u -p -r1.46 monitor_wrap.c
>--- monitor_wrap.c 22 Jun 2004 05:06:46 -0000 1.46
>+++ monitor_wrap.c 5 Jul 2004 03:59:51 -0000
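Review bot: In the userauth_finish hunk (@@ -216) the collected PAM text is flushed to the client only when do_pam_account fails; on success it is left in loginmsg, and nothing in the hunk says whether that is meant for later display or is a leftover, so the branch needs a comment such as `/* on success, any collected PAM text stays in loginmsg for later display */` if that is the intent. Because the block runs only when `authenticated` is already true, account-status wording from PAM (expiry or lockout reasons) is disclosed to a client that has proven its identity rather than to an anonymous one; recording that dependency in the comment protects the ordering against a casual rearrangement. The `buffer_append(&loginmsg, "\0", 1)` / `buffer_ptr` / `buffer_clear` sequence is repeated in mm_answer_pam_account (monitor.c, @@ -809) later in this span; a small helper returning loginmsg as a C string would keep the two copies in step. userauth_finish begins outside the hunk.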
>@@ -71,6 +71,7 @@ extern z_stream outgoing_stream;
> extern struct monitor *pmonitor;
> extern Buffer input, output;
> extern ServerOptions options;
>+extern Buffer loginmsg;
>
> int
> mm_is_monitor(void)
>@@ -711,6 +712,7 @@ mm_do_pam_account(void)
> {
> Buffer m;
> u_int ret;
>+ char *msg;
>
> debug3("%s entering", __func__);
> if (!options.use_pam)
>@@ -722,6 +724,9 @@ mm_do_pam_account(void)
> mm_request_receive_expect(pmonitor->m_recvfd,
> MONITOR_ANS_PAM_ACCOUNT, &m);
> ret = buffer_get_int(&m);
>+ msg = buffer_get_string(&m, NULL);
>+ buffer_append(&loginmsg, msg, strlen(msg));
>+ xfree(msg);
>
> buffer_free(&m);
>
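Review bot: In the @@ -722 hunk mm_do_pam_account appends the monitor's message to the child's loginmsg whatever `ret` is, which is what makes the non-privsep and privsep paths look the same to the caller, but nothing at the site says so; suggest `/* merge the monitor's collected PAM text into our loginmsg regardless of ret; the caller decides whether to send it */` above the `msg =` line. The length that buffer_get_string can return is discarded (`NULL`) and recomputed with strlen(msg); since the monitor side built the string with buffer_put_cstring the two agree, so this is a style point rather than a defect. mm_do_pam_account begins before the hunk.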
Flags:
djm
:
ok+