Bugzilla – Attachment 1170 Details for
Bug 1215
sshd requires entry from getpwnam for PAM accounts
[patch]
attempt to make sshd handle when getpwnam doesn't know about the user but PAM does
openssh-pam-validuser2.patch (text/plain), 5.51 KB, created by
Darren Tucker
on 2006-08-10 00:38:34 AEST
Description:
attempt to make sshd handle when getpwnam doesn't know about the user but PAM does
Filename:
MIME Type:
Creator:
Darren Tucker
Created:
2006-08-10 00:38:34 AEST
Size:
5.51 KB
patch
obsolete
>Index: auth-pam.c
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth-pam.c,v
>retrieving revision 1.128
>diff -u -p -r1.128 auth-pam.c
>--- auth-pam.c 29 Jan 2006 05:46:13 -0000 1.128
>+++ auth-pam.c 9 Aug 2006 14:36:52 -0000
>@@ -30,7 +30,7 @@
> */
> /*
> * Copyright (c) 2003,2004 Damien Miller <djm@mindrot.org>
>- * Copyright (c) 2003,2004 Darren Tucker <dtucker@zip.com.au>
>+ * Copyright (c) 2003,2004,2006 Darren Tucker <dtucker@zip.com.au>
> *
> * Permission to use, copy, modify, and distribute this software for any
> * purpose with or without fee is hereby granted, provided that the above
>@@ -205,6 +205,7 @@ static int sshpam_authenticated = 0;
> static int sshpam_session_open = 0;
> static int sshpam_cred_established = 0;
> static int sshpam_account_status = -1;
>+static int sshpam_faked_user = 0;
> static char **sshpam_env = NULL;
> static Authctxt *sshpam_authctxt = NULL;
> static const char *sshpam_password = NULL;
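Review bot: The new `static int sshpam_faked_user = 0;` is a security-relevant flag (it is what later makes do_pam_account refuse a login) but carries no comment, unlike nothing else in this file explains its lifecycle either. Suggest documenting it at the declaration: `/* set when sshpam_getpw() substituted a placeholder passwd entry for a name getpwnam() did not know; cleared once PAM_USER resolves to a real account */`. It would also help to state that the flag is per-process and is never reset by a plain lookup, since only sshpam_check_userchanged() clears it.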
>@@ -249,6 +250,50 @@ sshpam_chauthtok_ruid(pam_handle_t *pamh
> # define pam_chauthtok(a,b) (sshpam_chauthtok_ruid((a), (b)))
> #endif
>
>+struct passwd *
>+sshpam_getpw(const char *user)
>+{
>+ struct passwd *pw;
>+
>+ if ((pw = getpwnam(user)) != NULL)
>+ return(pw);
>+
>+ debug("PAM: faking passwd struct for user '%.100s'", user);
>+ sshpam_faked_user = 1;
>+ if ((pw = getpwnam(SSH_PRIVSEP_USER)) == NULL)
>+ return NULL;
>+ pw->pw_name = xstrdup(user); /* XXX leak */
>+ pw->pw_shell = "/bin/true";
>+ pw->pw_gecos = "sshd fake PAM user";
>+ return (pw);
>+}
>+
>+void
>+sshpam_check_userchanged(void)
>+{
>+ int sshpam_err;
>+ struct passwd *pw;
>+ const char *user;
>+
>+ debug("sshpam_check_userchanged");
>+ sshpam_err = pam_get_item(sshpam_handle, PAM_USER, &user);
>+ if (sshpam_err != PAM_SUCCESS)
>+ fatal("PAM: could not get PAM_USER: %s",
>+ pam_strerror(sshpam_handle, sshpam_err));
>+ if (strcmp(user, sshpam_authctxt->pw->pw_name) != 0) {
>+ debug("PAM: user mapped from '%.100s' to '%.100s'",
>+ sshpam_authctxt->pw->pw_name, user);
>+ if ((pw = getpwnam(user)) == NULL)
>+ fatal("PAM: could not get passwd entry for user "
>+ "'%.100s' provided by PAM_USER", user);
>+ sshpam_authctxt->pw = pw; /* XXX leak */
>+ sshpam_authctxt->valid = allowed_user(pw);
>+ sshpam_faked_user = 0;
>+ debug("PAM: user '%.100s' now %svalid", user,
>+ sshpam_authctxt->valid ? "" : "in");
>+ }
>+}
>+
> void
> sshpam_password_change_required(int reqd)
> {
>@@ -271,7 +316,7 @@ sshpam_password_change_required(int reqd
> static void
> import_environments(Buffer *b)
> {
>- char *env;
>+ char *env, *user;
> u_int i, num_env;
> int err;
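Review bot: `sshpam_authctxt->pw = pw;` in sshpam_check_userchanged stores the pointer getpwnam() returns, which is the C library's static buffer and is overwritten by the next getpwnam()/getpwuid() call anywhere in the process, so the authctxt can silently end up describing a different account; the entry should be duplicated, `sshpam_authctxt->pw = pwcopy(pw);`, and the same applies to `sshpam_authctxt-> pw = sshpam_getpw(user);` in the import_environments hunk below. sshpam_getpw has the mirror problem: it writes pw_name, pw_shell and pw_gecos into the static buffer returned by `getpwnam(SSH_PRIVSEP_USER)`, so the placeholder carries the privilege-separation user's uid, gid and home directory and lives only until the next lookup; copying into a caller-owned struct before patching fields would remove that hazard and the acknowledged `/* XXX leak */`. In sshpam_check_userchanged, `pam_get_item(sshpam_handle, PAM_USER, &user)` passes a `const char **` where the PAM API takes `const void **`, which the `(const void **)&user` cast used elsewhere for this call avoids, and if PAM_USER is unset `user` is NULL and the following strcmp() dereferences it, so a `if (user == NULL) fatal("PAM: PAM_USER not set");` guard before the comparison is warranted.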
>
>@@ -281,6 +326,12 @@ import_environments(Buffer *b)
> /* Import variables set by do_pam_account */
> sshpam_account_status = buffer_get_int(b);
> sshpam_password_change_required(buffer_get_int(b));
>+ user = buffer_get_string(b, NULL);
>+ debug("PAM: got username '%.100s' from thread", user);
>+ if ((err = pam_set_item(sshpam_handle, PAM_USER, user)) != PAM_SUCCESS)
>+ fatal("PAM: failed to set PAM_USER: %s",
>+ pam_strerror(sshpam_handle, err));
>+ sshpam_authctxt-> pw = sshpam_getpw(user);
>
> /* Import environment from subprocess */
> num_env = buffer_get_int(b);
>@@ -438,6 +489,7 @@ sshpam_thread(void *ctxtp)
> if (sshpam_err != PAM_SUCCESS)
> goto auth_fail;
>
>+ sshpam_check_userchanged();
> if (compat20) {
> if (!do_pam_account())
> goto auth_fail;
>@@ -456,6 +508,7 @@ sshpam_thread(void *ctxtp)
> /* Export variables set by do_pam_account */
> buffer_put_int(&buffer, sshpam_account_status);
> buffer_put_int(&buffer, sshpam_authctxt->force_pwchange);
>+ buffer_put_cstring(&buffer, sshpam_authctxt->pw->pw_name);
>
> /* Export any environment strings set in child */
> for(i = 0; environ[i] != NULL; i++)
>@@ -864,6 +917,10 @@ do_pam_account(void)
> debug3("PAM: %s pam_acct_mgmt = %d (%s)", __func__, sshpam_err,
> pam_strerror(sshpam_handle, sshpam_err));
>
>+ sshpam_check_userchanged();
>+ if (sshpam_faked_user)
>+ fatal("PAM: completed authentication but PAM account invalid");
>+
> if (sshpam_err != PAM_SUCCESS && sshpam_err != PAM_NEW_AUTHTOK_REQD) {
> sshpam_account_status = 0;
> return (sshpam_account_status);
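Review bot: import_environments replaces `sshpam_authctxt->pw` with the entry for the name the PAM thread sent back but, unlike sshpam_check_userchanged, never recomputes `sshpam_authctxt->valid` with allowed_user(); if the PAM thread runs in a separate process, as the buffer hand-off suggests, the side that goes on to grant the session keeps the `valid` verdict computed for the name the client originally sent, so AllowUsers/DenyUsers and the other allowed_user() checks are never applied to the mapped account there. Adding `sshpam_authctxt->valid = allowed_user(sshpam_authctxt->pw);` after the assignment would close that, with a NULL check first, because sshpam_getpw() returns NULL when even SSH_PRIVSEP_USER is unknown and the code that follows dereferences `sshpam_authctxt->pw`. The `user` string returned by buffer_get_string() is also never freed. import_environments continues outside the hunk.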
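Review bot: In do_pam_account the new `sshpam_check_userchanged();` runs before `sshpam_err` is examined, so a module that leaves PAM_USER pointing at a name getpwnam() does not know turns what would have been an ordinary account-check failure (`sshpam_account_status = 0`) into fatal(), and the message `"PAM: completed authentication but PAM account invalid"` is emitted even when pam_acct_mgmt itself did not succeed. Consider moving the two new checks below the `sshpam_err != PAM_SUCCESS` test, or setting `sshpam_account_status = 0` and returning it when `sshpam_faked_user` is still set, so the rejection is logged and counted like any other failed account check rather than tearing the connection down. do_pam_account continues outside the hunk.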
>@@ -1164,6 +1221,7 @@ sshpam_auth_passwd(Authctxt *authctxt, c
> pam_strerror(sshpam_handle, sshpam_err));
>
> sshpam_err = pam_authenticate(sshpam_handle, flags);
>+ sshpam_check_userchanged();
> sshpam_password = NULL;
> if (sshpam_err == PAM_SUCCESS && authctxt->valid) {
> debug("PAM: password authentication accepted for %.100s",
>Index: auth-pam.h
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth-pam.h,v
>retrieving revision 1.27
>diff -u -p -r1.27 auth-pam.h
>--- auth-pam.h 11 Sep 2004 12:17:26 -0000 1.27
>+++ auth-pam.h 9 Aug 2006 14:36:35 -0000
>@@ -46,5 +46,7 @@ void sshpam_thread_cleanup(void);
> void sshpam_cleanup(void);
> int sshpam_auth_passwd(Authctxt *, const char *);
> int is_pam_session_open(void);
>+void sshpam_invalid_user(void);
>+struct passwd *sshpam_getpw(const char *);
>
> #endif /* USE_PAM */
>Index: auth.c
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth.c,v
>retrieving revision 1.101
>diff -u -p -r1.101 auth.c
>--- auth.c 31 Aug 2005 16:59:49 -0000 1.101
>+++ auth.c 9 Aug 2006 14:36:39 -0000
>@@ -493,6 +493,10 @@ getpwnamallow(const char *user)
> struct passwd *pw;
>
> pw = getpwnam(user);
>+#ifdef USE_PAM
>+ if (options.use_pam && pw == NULL)
>+ pw = sshpam_getpw(user);
>+#endif
> if (pw == NULL) {
> logit("Invalid user %.100s from %.100s",
> user, get_remote_ipaddr());
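Review bot: The header adds `void sshpam_invalid_user(void);` but auth-pam.c defines no function of that name, while `sshpam_check_userchanged(void)`, which is non-static and is the routine the rest of the patch actually calls, gets no prototype at all. The declaration should read `void sshpam_check_userchanged(void);`, or, since every caller on this page is inside auth-pam.c, the function could be made `static` and the header line dropped. A one-line comment on the `sshpam_getpw` prototype stating that the returned entry may be a placeholder built from SSH_PRIVSEP_USER and must not be used to start a session would also help callers outside auth-pam.c.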
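Review bot: With the fallback `pw = sshpam_getpw(user);` an unknown user no longer reaches the `logit("Invalid user %.100s from %.100s", ...)` line, so whenever UsePAM is on the one message operators and log monitoring depend on to see attempts against non-existent accounts disappears; the "faking passwd struct" line in sshpam_getpw only appears at debug level. Consider emitting the same logit() when the fake path is taken, e.g. `logit("Invalid user %.100s from %.100s (deferred to PAM)", user, get_remote_ipaddr());` right after the fallback, and noting in a comment that the placeholder entry carries SSH_PRIVSEP_USER's uid and gid so nothing between here and do_pam_account's `sshpam_faked_user` check may act on it. getpwnamallow continues outside the hunk, so whether the later allowed_user() and copy steps handle the placeholder is not visible here.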