Bugzilla – Attachment 1171 Details for
Bug 1215
sshd requires entry from getpwnam for PAM accounts
[patch]
make sshd handle when getpwnam doesn't know about the user but PAM does
openssh-4.3p2-pam-validuser3.patch (text/plain), 6.34 KB, created by
Darren Tucker
on 2006-08-10 08:01:22 AEST
Description:
make sshd handle the case where getpwnam doesn't know about the user but PAM does
Filename:
MIME Type:
Creator:
Darren Tucker
Created:
2006-08-10 08:01:22 AEST
Size:
6.34 KB
patch
obsolete
>Index: auth-pam.c
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth-pam.c,v
>retrieving revision 1.128
>diff -u -p -r1.128 auth-pam.c
>--- auth-pam.c 29 Jan 2006 05:46:13 -0000 1.128
>+++ auth-pam.c 9 Aug 2006 21:48:32 -0000
>@@ -30,7 +30,7 @@
> */
> /*
> * Copyright (c) 2003,2004 Damien Miller <djm@mindrot.org>
>- * Copyright (c) 2003,2004 Darren Tucker <dtucker@zip.com.au>
>+ * Copyright (c) 2003,2004,2006 Darren Tucker <dtucker@zip.com.au>
> *
> * Permission to use, copy, modify, and distribute this software for any
> * purpose with or without fee is hereby granted, provided that the above
>@@ -249,6 +249,49 @@ sshpam_chauthtok_ruid(pam_handle_t *pamh
> # define pam_chauthtok(a,b) (sshpam_chauthtok_ruid((a), (b)))
> #endif
> 
>+struct passwd *
>+sshpam_getpw(const char *user)
>+{
>+ struct passwd *pw;
>+
>+ if ((pw = getpwnam(user)) != NULL)
>+ return(pw);
>+
>+ debug("PAM: faking passwd struct for user '%.100s'", user);
>+ if ((pw = getpwnam(SSH_PRIVSEP_USER)) == NULL)
>+ return NULL;
>+ pw->pw_name = xstrdup(user); /* XXX leak */
>+ pw->pw_shell = "/bin/true";
>+ pw->pw_gecos = "sshd fake PAM user";
>+ return (pw);
>+}
>+
>+void
>+sshpam_check_userchanged(void)
>+{
>+ int sshpam_err;
>+ struct passwd *pw;
>+ const char *user;
>+
>+ debug("sshpam_check_userchanged");
>+ sshpam_err = pam_get_item(sshpam_handle, PAM_USER, &user);
>+ if (sshpam_err != PAM_SUCCESS)
>+ fatal("PAM: could not get PAM_USER: %s",
>+ pam_strerror(sshpam_handle, sshpam_err));
>+ if (strcmp(user, sshpam_authctxt->pw->pw_name) != 0) {
>+ debug("PAM: user mapped from '%.100s' to '%.100s'",
>+ sshpam_authctxt->pw->pw_name, user);
>+ if ((pw = getpwnam(user)) == NULL)
>+ fatal("PAM: could not get passwd entry for user "
>+ "'%.100s' provided by PAM_USER", user);
>+ pwfree(sshpam_authctxt->pw);
>+ sshpam_authctxt->pw = pw;
>+ sshpam_authctxt->valid = allowed_user(pw);
>+ debug("PAM: user '%.100s' now %svalid", user,
>+ sshpam_authctxt->valid ? "" : "in");
>+ }
>+}
>+
> void
> sshpam_password_change_required(int reqd)
> {
>@@ -271,7 +314,7 @@ sshpam_password_change_required(int reqd
> static void
> import_environments(Buffer *b)
> {
>- char *env;
>+ char *env, *user;
> u_int i, num_env;
> int err;
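Review bot: `sshpam_authctxt->pw = pw;` in sshpam_check_userchanged stores the pointer returned by getpwnam(), which is library-owned static storage, in a field that the rest of this patch treats as a pwcopy()'d allocation — import_environments later calls pwfree() on it, and sshpam_getpw likewise writes a fresh pw_name into the static buffer returned by getpwnam(SSH_PRIVSEP_USER). Whether that pwfree() actually reaches the static pointer depends on whether PAM authentication runs as a thread or a forked child, which is not visible here, but the ownership mismatch exists either way; `sshpam_authctxt->pw = pwcopy(pw);` keeps a single ownership rule for the field. pam_get_item() can also return PAM_SUCCESS while leaving `user` NULL when no PAM_USER was ever set, so a `if (user == NULL) fatal("PAM: PAM_USER not set");` guard before the strcmp() would avoid dereferencing it.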
> 
>@@ -281,6 +324,13 @@ import_environments(Buffer *b)
> /* Import variables set by do_pam_account */
> sshpam_account_status = buffer_get_int(b);
> sshpam_password_change_required(buffer_get_int(b));
>+ user = buffer_get_string(b, NULL);
>+ debug("PAM: got username '%.100s' from thread", user);
>+ if ((err = pam_set_item(sshpam_handle, PAM_USER, user)) != PAM_SUCCESS)
>+ fatal("PAM: failed to set PAM_USER: %s",
>+ pam_strerror(sshpam_handle, err));
>+ pwfree(sshpam_authctxt->pw);
>+ sshpam_authctxt->pw = pwcopy(sshpam_getpw(user));
> 
> /* Import environment from subprocess */
> num_env = buffer_get_int(b);
>@@ -438,6 +488,7 @@ sshpam_thread(void *ctxtp)
> if (sshpam_err != PAM_SUCCESS)
> goto auth_fail;
> 
>+ sshpam_check_userchanged();
> if (compat20) {
> if (!do_pam_account())
> goto auth_fail;
>@@ -456,6 +507,7 @@ sshpam_thread(void *ctxtp)
> /* Export variables set by do_pam_account */
> buffer_put_int(&buffer, sshpam_account_status);
> buffer_put_int(&buffer, sshpam_authctxt->force_pwchange);
>+ buffer_put_cstring(&buffer, sshpam_authctxt->pw->pw_name);
> 
> /* Export any environment strings set in child */
> for(i = 0; environ[i] != NULL; i++)
>@@ -864,6 +916,10 @@ do_pam_account(void)
> debug3("PAM: %s pam_acct_mgmt = %d (%s)", __func__, sshpam_err,
> pam_strerror(sshpam_handle, sshpam_err));
> 
>+ sshpam_check_userchanged();
>+ if (getpwnam(sshpam_authctxt->pw->pw_name) == NULL)
>+ fatal("PAM: completed authentication but PAM account invalid");
>+
> if (sshpam_err != PAM_SUCCESS && sshpam_err != PAM_NEW_AUTHTOK_REQD) {
> sshpam_account_status = 0;
> return (sshpam_account_status);
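Review bot: `sshpam_authctxt->pw = pwcopy(sshpam_getpw(user));` in the import_environments hunk feeds the result of sshpam_getpw() straight into pwcopy(), but sshpam_getpw() returns NULL when getpwnam(SSH_PRIVSEP_USER) fails, so that case dereferences NULL in the parent instead of failing with a message. The `user` string from buffer_get_string() is also never released; pam_set_item() keeps its own copy of string items in the PAM implementations I know of, so it can be freed once the item is set. The fix needs a `struct passwd *pw;` local added to the declarations in the preceding hunk; import_environments() starts in that hunk and continues past this one.
```c
	user = buffer_get_string(b, NULL);
	debug("PAM: got username '%.100s' from thread", user);
	if ((err = pam_set_item(sshpam_handle, PAM_USER, user)) != PAM_SUCCESS)
		fatal("PAM: failed to set PAM_USER: %s",
		    pam_strerror(sshpam_handle, err));
	if ((pw = sshpam_getpw(user)) == NULL)
		fatal("PAM: no passwd entry for user '%.100s'", user);
	pwfree(sshpam_authctxt->pw);
	sshpam_authctxt->pw = pwcopy(pw);
	xfree(user);
	/* ... unchanged: environment import ... */
```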
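Review bot: The `if (getpwnam(sshpam_authctxt->pw->pw_name) == NULL) fatal(...)` added to do_pam_account() is the only place that stops a user PAM accepted but the system does not know from proceeding with the synthetic entry, which carries SSH_PRIVSEP_USER's uid and gid, yet nothing in the hunk says so. A comment above it, `/* The fake entry from sshpam_getpw() carries the privsep uid/gid; a user still unknown to getpwnam() after PAM account management must not get a session. */`, would keep a future cleanup from relaxing it. It also runs before the sshpam_err check, so a failed pam_acct_mgmt() that mapped PAM_USER to an unknown name ends in fatal() rather than in the `sshpam_account_status = 0` path; moving the two added lines below that check keeps the failure path as it was.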
>@@ -1164,6 +1220,7 @@ sshpam_auth_passwd(Authctxt *authctxt, c
> pam_strerror(sshpam_handle, sshpam_err));
> 
> sshpam_err = pam_authenticate(sshpam_handle, flags);
>+ sshpam_check_userchanged();
> sshpam_password = NULL;
> if (sshpam_err == PAM_SUCCESS && authctxt->valid) {
> debug("PAM: password authentication accepted for %.100s",
>Index: auth-pam.h
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth-pam.h,v
>retrieving revision 1.27
>diff -u -p -r1.27 auth-pam.h
>--- auth-pam.h 11 Sep 2004 12:17:26 -0000 1.27
>+++ auth-pam.h 9 Aug 2006 14:36:35 -0000
>@@ -46,5 +46,7 @@ void sshpam_thread_cleanup(void);
> void sshpam_cleanup(void);
> int sshpam_auth_passwd(Authctxt *, const char *);
> int is_pam_session_open(void);
>+void sshpam_invalid_user(void);
>+struct passwd *sshpam_getpw(const char *);
> 
> #endif /* USE_PAM */
>Index: auth.c
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth.c,v
>retrieving revision 1.101
>diff -u -p -r1.101 auth.c
>--- auth.c 31 Aug 2005 16:59:49 -0000 1.101
>+++ auth.c 9 Aug 2006 14:36:39 -0000
>@@ -493,6 +493,10 @@ getpwnamallow(const char *user)
> struct passwd *pw;
> 
> pw = getpwnam(user);
>+#ifdef USE_PAM
>+ if (options.use_pam && pw == NULL)
>+ pw = sshpam_getpw(user);
>+#endif
> if (pw == NULL) {
> logit("Invalid user %.100s from %.100s",
> user, get_remote_ipaddr());
>Index: misc.c
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/misc.c,v
>retrieving revision 1.59
>diff -u -p -r1.59 misc.c
>--- misc.c 31 Jan 2006 10:49:28 -0000 1.59
>+++ misc.c 9 Aug 2006 21:34:15 -0000
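Review bot: `sshpam_check_userchanged();` in sshpam_auth_passwd() runs regardless of what pam_authenticate() returned, so when authentication failed but a module changed PAM_USER to a name getpwnam() does not know, the fatal() inside it ends the connection with a "could not get passwd entry" error instead of a plain authentication failure, and it replaces the context's passwd entry on a failed attempt. Calling it only on success, `if (sshpam_err == PAM_SUCCESS) sshpam_check_userchanged();`, keeps the failure path as it was, and the `authctxt->valid` test on the next line still sees the refreshed value when it matters (assuming authctxt and sshpam_authctxt are the same object, which this hunk does not show). sshpam_auth_passwd() starts and ends outside the hunk.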
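Review bot: `void sshpam_invalid_user(void);` in auth-pam.h declares a function that no file in this patch defines, while sshpam_check_userchanged(), which auth-pam.c defines with external linkage, is declared nowhere. It reads like a leftover from an earlier revision of the patch; either drop the line or add the function it names, and mark sshpam_check_userchanged `static` since it is only called from within auth-pam.c here.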
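Review bot: The fallback `pw = sshpam_getpw(user);` in getpwnamallow() hands the caller a passwd entry whose uid, gid, home directory and password field are those of SSH_PRIVSEP_USER, and nothing marks it as synthetic, so allowed_user() and the rest of getpwnamallow() (which continues past this hunk) evaluate the unknown user with the privsep identity. The patch relies on the getpwnam() re-check in do_pam_account() to keep a session from starting that way, but that dependency is invisible at this call site; a comment such as `/* Synthetic entry carrying the privsep uid/gid; do_pam_account() refuses it unless the user becomes known to getpwnam(). */` would tie the two together for the next reader.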
>@@ -177,6 +177,20 @@ pwcopy(struct passwd *pw)
> return copy;
> }
> 
>+void
>+pwfree(struct passwd *pw)
>+{
>+ xfree(pw->pw_name);
>+ xfree(pw->pw_passwd);
>+ xfree(pw->pw_gecos);
>+#ifdef HAVE_PW_CLASS_IN_PASSWD
>+ xfree(pw->pw_class);
>+#endif
>+ xfree(pw->pw_dir);
>+ xfree(pw->pw_shell);
>+ xfree(pw);
>+}
>+
> /*
> * Convert ASCII string to TCP/IP port number.
> * Port must be >0 and <=65535.
>Index: misc.h
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/misc.h,v
>retrieving revision 1.32
>diff -u -p -r1.32 misc.h
>--- misc.h 31 Jan 2006 10:49:28 -0000 1.32
>+++ misc.h 9 Aug 2006 21:34:41 -0000
>@@ -31,6 +31,7 @@ char *tohex(const u_char *, u_int);
> void sanitise_stdfd(void);
> 
> struct passwd *pwcopy(struct passwd *);
>+void pwfree(struct passwd *);
> 
> typedef struct arglist arglist;
> struct arglist {
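Review bot: pwfree() frees every string member, so it is only valid on a struct passwd produced by pwcopy(), never on the static result of getpwnam(); nothing states that contract, and the same patch does store a raw getpwnam() pointer into a field it later passes here. A comment on the definition, `/* Free a struct passwd and its members; the argument must come from pwcopy(), never from getpwnam(). */`, makes the rule explicit at the one place every caller will look. pwfree(NULL) also dereferences NULL, so a `if (pw == NULL) return;` at the top would give it the usual free(NULL) tolerance.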