Attachment #1183 for bug #1228

Lines 47-52 Link Here

(-)openssh/auth2-chall.c (-1 / +13 lines)
47	#ifdef USE_PAM	47	#ifdef USE_PAM
48	extern KbdintDevice sshpam_device;	48	extern KbdintDevice sshpam_device;
49	#endif	49	#endif
		50	#ifdef WITH_AIXAUTHENTICATE
		51	extern KbdintDevice sshlam_device;
		52	#endif
50	#ifdef SKEY	53	#ifdef SKEY
51	extern KbdintDevice skey_device;	54	extern KbdintDevice skey_device;
52	#endif	55	#endif
Lines 59-64 Link Here
59	#ifdef USE_PAM	62	#ifdef USE_PAM
60	&sshpam_device,	63	&sshpam_device,
61	#endif	64	#endif
		65	#ifdef WITH_AIXAUTHENTICATE
		66	&sshlam_device,
		67	#endif
62	#ifdef SKEY	68	#ifdef SKEY
63	&skey_device,	69	&skey_device,
64	#endif	70	#endif
Lines 343-349 Link Here
343	void	349	void
344	privsep_challenge_enable(void)	350	privsep_challenge_enable(void)
345	{	351	{
346	#if defined(BSD_AUTH) \|\| defined(USE_PAM) \|\| defined(SKEY)	352	#if defined(BSD_AUTH) \|\| defined(USE_PAM) \|\| defined(SKEY) \|\| defined(WITH_AIXAUTHENTICATE)
347	int n = 0;	353	int n = 0;
348	#endif	354	#endif
349	#ifdef BSD_AUTH	355	#ifdef BSD_AUTH
Lines 352-357 Link Here
352	#ifdef USE_PAM	358	#ifdef USE_PAM
353	extern KbdintDevice mm_sshpam_device;	359	extern KbdintDevice mm_sshpam_device;
354	#endif	360	#endif
		361	#ifdef WITH_AIXAUTHENTICATE
		362	extern KbdintDevice mm_sshlam_device;
		363	#endif
355	#ifdef SKEY	364	#ifdef SKEY
356	extern KbdintDevice mm_skey_device;	365	extern KbdintDevice mm_skey_device;
357	#endif	366	#endif
Lines 362-367 Link Here
362	#ifdef USE_PAM	371	#ifdef USE_PAM
363	devices[n++] = &mm_sshpam_device;	372	devices[n++] = &mm_sshpam_device;
364	#endif	373	#endif
		374	#ifdef WITH_AIXAUTHENTICATE
		375	devices[n++] = &mm_sshlam_device;
		376	#endif
365	#ifdef SKEY	377	#ifdef SKEY
366	devices[n++] = &mm_skey_device;	378	devices[n++] = &mm_skey_device;
367	#endif	379	#endif

Lines 86-91 Link Here

(-)openssh/Makefile.in (+1 lines)
86	auth-krb5.o \	86	auth-krb5.o \
87	auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o\	87	auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o\
88	loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \	88	loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
		89	auth-lam.o \
89	audit.o audit-bsm.o	90	audit.o audit-bsm.o
90		91
91	MANPAGES = scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out sshd_config.5.out ssh_config.5.out	92	MANPAGES = scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out sshd_config.5.out ssh_config.5.out

Lines 136-141 Link Here

(-)openssh/monitor.c (+119 lines)
136	int mm_answer_pam_free_ctx(int, Buffer *);	136	int mm_answer_pam_free_ctx(int, Buffer *);
137	#endif	137	#endif
138		138
		139	#ifdef WITH_AIXAUTHENTICATE
		140	int mm_answer_lam_init_ctx(int, Buffer *);
		141	int mm_answer_lam_query(int, Buffer *);
		142	int mm_answer_lam_respond(int, Buffer *);
		143	int mm_answer_lam_free_ctx(int, Buffer *);
		144	#endif
		145
139	#ifdef GSSAPI	146	#ifdef GSSAPI
140	int mm_answer_gss_setup_ctx(int, Buffer *);	147	int mm_answer_gss_setup_ctx(int, Buffer *);
141	int mm_answer_gss_accept_ctx(int, Buffer *);	148	int mm_answer_gss_accept_ctx(int, Buffer *);
Lines 192-197 Link Here
192	{MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},	199	{MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
193	{MONITOR_REQ_PAM_FREE_CTX, MON_ONCE\|MON_AUTHDECIDE, mm_answer_pam_free_ctx},	200	{MONITOR_REQ_PAM_FREE_CTX, MON_ONCE\|MON_AUTHDECIDE, mm_answer_pam_free_ctx},
194	#endif	201	#endif
		202	#ifdef WITH_AIXAUTHENTICATE
		203	{MONITOR_REQ_LAM_INIT_CTX, MON_ISAUTH, mm_answer_lam_init_ctx},
		204	{MONITOR_REQ_LAM_QUERY, MON_ISAUTH, mm_answer_lam_query},
		205	{MONITOR_REQ_LAM_RESPOND, MON_ISAUTH, mm_answer_lam_respond},
		206	{MONITOR_REQ_LAM_FREE_CTX, MON_ONCE\|MON_AUTHDECIDE, mm_answer_lam_free_ctx},
		207	#endif
195	#ifdef SSH_AUDIT_EVENTS	208	#ifdef SSH_AUDIT_EVENTS
196	{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},	209	{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
197	#endif	210	#endif
Lines 258-263 Link Here
258	{MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},	271	{MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
259	{MONITOR_REQ_PAM_FREE_CTX, MON_ONCE\|MON_AUTHDECIDE, mm_answer_pam_free_ctx},	272	{MONITOR_REQ_PAM_FREE_CTX, MON_ONCE\|MON_AUTHDECIDE, mm_answer_pam_free_ctx},
260	#endif	273	#endif
		274	#ifdef WITH_AIXAUTHENTICATE
		275	{MONITOR_REQ_LAM_INIT_CTX, MON_ISAUTH, mm_answer_lam_init_ctx},
		276	{MONITOR_REQ_LAM_QUERY, MON_ISAUTH, mm_answer_lam_query},
		277	{MONITOR_REQ_LAM_RESPOND, MON_ISAUTH, mm_answer_lam_respond},
		278	{MONITOR_REQ_LAM_FREE_CTX, MON_ONCE\|MON_AUTHDECIDE, mm_answer_lam_free_ctx},
		279	#endif
261	#ifdef SSH_AUDIT_EVENTS	280	#ifdef SSH_AUDIT_EVENTS
262	{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},	281	{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
263	#endif	282	#endif
Lines 959-964 Link Here
959	}	978	}
960	#endif	979	#endif
961		980
		981	#ifdef WITH_AIXAUTHENTICATE
		982	static void sshlam_ctxt, sshlam_authok;
		983	extern KbdintDevice sshlam_device;
		984
		985	int
		986	mm_answer_lam_init_ctx(int sock, Buffer *m)
		987	{
		988
		989	debug3("%s", __func__);
		990	authctxt->user = buffer_get_string(m, NULL);
		991	sshlam_ctxt = (sshlam_device.init_ctx)(authctxt);
		992	sshlam_authok = NULL;
		993	buffer_clear(m);
		994	if (sshlam_ctxt != NULL) {
		995	monitor_permit(mon_dispatch, MONITOR_REQ_LAM_FREE_CTX, 1);
		996	buffer_put_int(m, 1);
		997	} else {
		998	buffer_put_int(m, 0);
		999	}
		1000	mm_request_send(sock, MONITOR_ANS_LAM_INIT_CTX, m);
		1001	return (0);
		1002	}
		1003
		1004	int
		1005	mm_answer_lam_query(int sock, Buffer *m)
		1006	{
		1007	char name, info, **prompts;
		1008	u_int i, num, *echo_on;
		1009	int ret;
		1010
		1011	debug3("%s", __func__);
		1012	sshlam_authok = NULL;
		1013	ret = (sshlam_device.query)(sshlam_ctxt, &name, &info, &num, &prompts, &echo_on);
		1014	if (ret == 0 && num == 0)
		1015	sshlam_authok = sshlam_ctxt;
		1016	if (num > 1 \|\| name == NULL \|\| info == NULL)
		1017	ret = -1;
		1018	buffer_clear(m);
		1019	buffer_put_int(m, ret);
		1020	buffer_put_cstring(m, name);
		1021	xfree(name);
		1022	buffer_put_cstring(m, info);
		1023	xfree(info);
		1024	buffer_put_int(m, num);
		1025	for (i = 0; i < num; ++i) {
		1026	buffer_put_cstring(m, prompts[i]);
		1027	xfree(prompts[i]);
		1028	buffer_put_int(m, echo_on[i]);
		1029	}
		1030	if (prompts != NULL)
		1031	xfree(prompts);
		1032	if (echo_on != NULL)
		1033	xfree(echo_on);
		1034	mm_request_send(sock, MONITOR_ANS_LAM_QUERY, m);
		1035	return (0);
		1036	}
		1037
		1038	int
		1039	mm_answer_lam_respond(int sock, Buffer *m)
		1040	{
		1041	char **resp;
		1042	u_int i, num;
		1043	int ret;
		1044
1045	debug3("%s", __func__);
1046	sshlam_authok = NULL;
1047	num = buffer_get_int(m);
1048	if (num > 0) {
1049	resp = xmalloc(num * sizeof(char *));
1050	for (i = 0; i < num; ++i)
1051	resp[i] = buffer_get_string(m, NULL);
1052	ret = (sshlam_device.respond)(sshlam_ctxt, num, resp);
1053	for (i = 0; i < num; ++i)
1054	xfree(resp[i]);
1055	xfree(resp);
1056	} else {
1057	ret = (sshlam_device.respond)(sshlam_ctxt, num, NULL);
1058	}
1059	buffer_clear(m);
1060	buffer_put_int(m, ret);
1061	mm_request_send(sock, MONITOR_ANS_LAM_RESPOND, m);
1062	auth_method = "keyboard-interactive/lam";
1063	if (ret == 0)
1064	sshlam_authok = sshlam_ctxt;
1065	return (0);
1066	}
1067
1068	int
1069	mm_answer_lam_free_ctx(int sock, Buffer *m)
1070	{
1071
1072	debug3("%s", __func__);
1073	(sshlam_device.free_ctx)(sshlam_ctxt);
1074	buffer_clear(m);
1075	mm_request_send(sock, MONITOR_ANS_LAM_FREE_CTX, m);
1076	return (sshlam_authok && sshlam_authok == sshlam_ctxt);
1077	}
1078	#endif /* WITH_AIXAUTHENTICATE */
1079
1080
962	static void	1081	static void
963	mm_append_debug(Buffer *m)	1082	mm_append_debug(Buffer *m)
964	{	1083	{

Lines 60-65 Link Here

(-)openssh/monitor.h (+4 lines)
60	MONITOR_REQ_PAM_QUERY, MONITOR_ANS_PAM_QUERY,	60	MONITOR_REQ_PAM_QUERY, MONITOR_ANS_PAM_QUERY,
61	MONITOR_REQ_PAM_RESPOND, MONITOR_ANS_PAM_RESPOND,	61	MONITOR_REQ_PAM_RESPOND, MONITOR_ANS_PAM_RESPOND,
62	MONITOR_REQ_PAM_FREE_CTX, MONITOR_ANS_PAM_FREE_CTX,	62	MONITOR_REQ_PAM_FREE_CTX, MONITOR_ANS_PAM_FREE_CTX,
		63	MONITOR_REQ_LAM_INIT_CTX, MONITOR_ANS_LAM_INIT_CTX,
		64	MONITOR_REQ_LAM_QUERY, MONITOR_ANS_LAM_QUERY,
		65	MONITOR_REQ_LAM_RESPOND, MONITOR_ANS_LAM_RESPOND,
		66	MONITOR_REQ_LAM_FREE_CTX, MONITOR_ANS_LAM_FREE_CTX,
63	MONITOR_REQ_AUDIT_EVENT, MONITOR_REQ_AUDIT_COMMAND,	67	MONITOR_REQ_AUDIT_EVENT, MONITOR_REQ_AUDIT_COMMAND,
64	MONITOR_REQ_TERM	68	MONITOR_REQ_TERM
65	};	69	};




/*-
 * Copyright (c) 2006 Quest Software, Inc. All rights reserved.
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

#include "includes.h"
#ifdef WITH_AIXAUTHENTICATE
#include <sys/audit.h>
#include <usersec.h>
#include "auth.h"
#include "buffer.h"
#include "bufaux.h"
#include "canohost.h"
#include "log.h"
#include "monitor_wrap.h"
#include "msg.h"
#include "packet.h"
#include "misc.h"
#include "servconf.h"
#include "ssh2.h"
#include "uidswap.h"
#include "xmalloc.h"
#include "auth-options.h"
#include "openbsd-compat/port-aix.h"

extern ServerOptions options;
extern Buffer loginmsg;

struct lam_ctxt {
	char *		 user;
	char *		 message;
        int              reenter;
        int              faking_noent;
};
struct Authctxt *sshlam_authctxt;

static void * sshlam_init_ctx(Authctxt *authctxt);
static int sshlam_query(void *ctx, char **name, char **info,
    u_int *num, char ***prompts, u_int **echo_on);
static int sshlam_respond(void *ctx, u_int num, char **resp);
static void sshlam_free_ctx(void *ctxtp);
static void sshlam_force_pwchange(int reqd);

KbdintDevice sshlam_device = {
	"lam",
	sshlam_init_ctx,
	sshlam_query,
	sshlam_respond,
	sshlam_free_ctx
};

KbdintDevice mm_sshlam_device = {
	"lam",
	mm_sshlam_init_ctx,
	mm_sshlam_query,
	mm_sshlam_respond,
	mm_sshlam_free_ctx
};

/*
 * Allocates and initialises storage for LAM authentication state.
 * Returns NULL if LAM authentication is not available.
 */
static void *
sshlam_init_ctx(Authctxt *authctxt)
{
	struct lam_ctxt *ctxt;

	debug3("LAM: sshlam_init_ctx entering");

	ctxt = xmalloc(sizeof *ctxt);
	memset(ctxt, 0, sizeof *ctxt);

	ctxt->user = xstrdup(authctxt->user);
	ctxt->message = NULL;
	ctxt->faking_noent = 0;
        ctxt->reenter = 0;
	sshlam_authctxt = authctxt;

        debug3("LAM: AUTHSTATE=%s", getenv("AUTHSTATE") ? 
                    getenv("AUTHSTATE") : "NULL");

        /* aix_setauthdb(ctxt->user); */
	if (authenticate(ctxt->user, NULL, &ctxt->reenter, &ctxt->message))
	{
            error("LAM: authenticate(%.100s) failed: %.100s", ctxt->user, 
                    strerror(errno));
            if (errno == ENOENT) {
                char buf[200];
                /*
                 * When a user is known not to exist, we pretend
                 * that they do, and fake a password prompt 
                 */
	        logit("LAM: pretending that user '%.100s' exists", ctxt->user);
                ctxt->faking_noent = 1;
                snprintf(buf, sizeof buf, "%.100s's Password:", ctxt->user);
                ctxt->message = xstrdup(buf);
                ctxt->reenter = 1;
            } else {
                goto fail;
            }
	}

	/* Instant authentication should never happen here;
         * 'none' authentication should have permitted it */
	if (!ctxt->reenter) {
	    error("LAM: %.100s authenticated immediately; ignoring", 
		    ctxt->user);
	    goto fail;
	}

	return (ctxt);

    fail:
	sshlam_free_ctx(ctxt);
	return (NULL);
}

/*
 * Releases storage associated with the context
 * returned from sshlam_init_ctx
 */
static void
sshlam_free_ctx(void *ctxtp)
{
	struct lam_ctxt *ctxt = ctxtp;

	debug3("LAM: sshlam_free_ctx entering");

        /* aix_restoreauthdb(); */
	if (ctxt->message)
	    xfree(ctxt->message);
	xfree(ctxt->user);
	xfree(ctxt);
}

/*
 * Returns the user prompt for the current round of 
 * AIX LAM authentication.
 */
static int
sshlam_query(void *ctx, char **name, char **info,
    u_int *num, char ***prompts, u_int **echo_on)
{
	struct lam_ctxt *ctxt = ctx;

	debug3("LAM: sshlam_query entering");

	*name = xstrdup("");
	*info = xstrdup("");
	*prompts = (char **)xmalloc(sizeof(char *));
	*echo_on = (u_int *)xmalloc(sizeof(u_int));
	if (ctxt->message) {
	    **prompts = ctxt->message;
	    **echo_on = 0;
	    *num = 1;
	} else
	    *num = 0;

	return 0;
}

/*
 * Processes a user response for an AIX LAM authentication round.
 * Returns 
 *     1 if another round must be performed
 *     0 if authentication completed with success
 *    -1 if authentication failed
 */
static int
sshlam_respond(void *ctx, u_int num, char **resp)
{
	struct lam_ctxt *ctxt = ctx;
	int e;
	char *message = NULL;

	debug2("LAM: sshlam_respond entering, %u responses", num);

	if (num != 1) {
	    error("LAM: expected one response, got %u", num);
	    return (-1);
	}

        if (ctxt->faking_noent)
            return (-1);

	/* Perform an authentication round */
	e = authenticate(ctxt->user, *resp, &ctxt->reenter, &message);
        if (e) {
            if (message)
                xfree(message);
	    error("LAM: authenticate %s: %d %.100s", ctxt->user, e, 
                    strerror(errno));
	    return (-1);
	}
	if (ctxt->reenter) {
	    if (message == NULL) {
		error("LAM: authenticate %s returned NULL message", ctxt->user);
		return (-1);
	    }
	    ctxt->message = message;
	    return 1;
	}

	/* Handle extra messages by adding them to the login banner */
	if (message) {
	    debug3("LAM: authenticate: %.100s", message);
	    buffer_append(&loginmsg, message, strlen(message));
	    xfree(message);
	    message = NULL;
	}

	/* Detect expired passwords */
	e = passwdexpired(ctxt->user, &message);
	if (e == -1) {
	    error("LAM: passwdexpired %s: %.100s", ctxt->user, strerror(errno));
	    return (-1);
	}
	if (message) {
	    debug3("LAM: passwdexpired: %.100s", message);
	    buffer_append(&loginmsg, message, strlen(message));
	    xfree(message);
	    message = NULL;
	}
	switch (e) {
	case 0:
	    break;
	case 1:
	    logit("LAM: password for %s expired", ctxt->user);
	    sshlam_force_pwchange(1);
	    break;
	case 2:
	    error("LAM: password for %s expired and unchangeable", ctxt->user);
	    return (-1);
	default:
	    error("LAM: passwdexpired returned %d", e);
	    return (-1);
	}

	return 0;
}

static void
sshlam_force_pwchange(int reqd)
{
    sshlam_authctxt->force_pwchange = reqd;
}

#endif /* WITH_AIXAUTHENTICATE */





}
#endif /* USE_PAM */

#if WITH_AIXAUTHENTICATE
void *
mm_sshlam_init_ctx(Authctxt *authctxt)
{
	Buffer m;
	int success;

	debug3("%s", __func__);
	buffer_init(&m);
	buffer_put_cstring(&m, authctxt->user);
	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_LAM_INIT_CTX, &m);
	debug3("%s: waiting for MONITOR_ANS_LAM_INIT_CTX", __func__);
	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_LAM_INIT_CTX, &m);
	success = buffer_get_int(&m);
	if (success == 0) {
		debug3("%s: lam_init_ctx failed", __func__);
		buffer_free(&m);
		return (NULL);
	}
	buffer_free(&m);
	return (authctxt);
}

int
mm_sshlam_query(void *ctx, char **name, char **info,
    u_int *num, char ***prompts, u_int **echo_on)
{
	Buffer m;
	u_int i;
	int ret;

	debug3("%s", __func__);
	buffer_init(&m);
	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_LAM_QUERY, &m);
	debug3("%s: waiting for MONITOR_ANS_LAM_QUERY", __func__);
	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_LAM_QUERY, &m);
	ret = buffer_get_int(&m);
	debug3("%s: lam_query returned %d", __func__, ret);
	*name = buffer_get_string(&m, NULL);
	*info = buffer_get_string(&m, NULL);
	*num = buffer_get_int(&m);
	*prompts = xmalloc((*num + 1) * sizeof(char *));
	*echo_on = xmalloc((*num + 1) * sizeof(u_int));
	for (i = 0; i < *num; ++i) {
		(*prompts)[i] = buffer_get_string(&m, NULL);
		(*echo_on)[i] = buffer_get_int(&m);
	}
	buffer_free(&m);
	return (ret);
}

int
mm_sshlam_respond(void *ctx, u_int num, char **resp)
{
	Buffer m;
	u_int i;
	int ret;

	debug3("%s", __func__);
	buffer_init(&m);
	buffer_put_int(&m, num);
	for (i = 0; i < num; ++i)
		buffer_put_cstring(&m, resp[i]);
	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_LAM_RESPOND, &m);
	debug3("%s: waiting for MONITOR_ANS_LAM_RESPOND", __func__);
	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_LAM_RESPOND, &m);
	ret = buffer_get_int(&m);
	debug3("%s: lam_respond returned %d", __func__, ret);
	buffer_free(&m);
	return (ret);
}

void
mm_sshlam_free_ctx(void *ctxtp)
{
	Buffer m;

	debug3("%s", __func__);
	buffer_init(&m);
	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_LAM_FREE_CTX, &m);
	debug3("%s: waiting for MONITOR_ANS_LAM_FREE_CTX", __func__);
	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_LAM_FREE_CTX, &m);
	buffer_free(&m);
}
#endif /* WITH_AIXAUTHENTICATE */


/* Request process termination */

void

Lines 75-80 Link Here

(-)openssh/monitor_wrap.h (+7 lines)
75	void mm_sshpam_free_ctx(void *);	75	void mm_sshpam_free_ctx(void *);
76	#endif	76	#endif
77		77
		78	#ifdef WITH_AIXAUTHENTICATE
		79	void mm_sshlam_init_ctx(struct Authctxt );
		80	int mm_sshlam_query(void , char , char , u_int , char *, u_int );
		81	int mm_sshlam_respond(void , u_int, char *);
		82	void mm_sshlam_free_ctx(void *);
		83	#endif
		84
78	#ifdef SSH_AUDIT_EVENTS	85	#ifdef SSH_AUDIT_EVENTS
79	#include "audit.h"	86	#include "audit.h"
80	void mm_audit_event(ssh_audit_event_t);	87	void mm_audit_event(ssh_audit_event_t);

Return to bug 1228

Lines 821-826 Link Here

(-)openssh/monitor_wrap.c (+87 lines)
821	}	821	}
822	#endif /* USE_PAM */	822	#endif /* USE_PAM */
823		823
		824	#if WITH_AIXAUTHENTICATE
		825	void *
		826	mm_sshlam_init_ctx(Authctxt *authctxt)
		827	{
		828	Buffer m;
		829	int success;
		830
		831	debug3("%s", __func__);
		832	buffer_init(&m);
		833	buffer_put_cstring(&m, authctxt->user);
		834	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_LAM_INIT_CTX, &m);
		835	debug3("%s: waiting for MONITOR_ANS_LAM_INIT_CTX", __func__);
		836	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_LAM_INIT_CTX, &m);
		837	success = buffer_get_int(&m);
		838	if (success == 0) {
		839	debug3("%s: lam_init_ctx failed", __func__);
		840	buffer_free(&m);
		841	return (NULL);
		842	}
		843	buffer_free(&m);
		844	return (authctxt);
		845	}
		846
		847	int
		848	mm_sshlam_query(void ctx, char name, char *info,
		849	u_int num, char prompts, u_int echo_on)
		850	{
		851	Buffer m;
		852	u_int i;
		853	int ret;
		854
		855	debug3("%s", __func__);
		856	buffer_init(&m);
		857	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_LAM_QUERY, &m);
		858	debug3("%s: waiting for MONITOR_ANS_LAM_QUERY", __func__);
		859	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_LAM_QUERY, &m);
		860	ret = buffer_get_int(&m);
		861	debug3("%s: lam_query returned %d", __func__, ret);
		862	*name = buffer_get_string(&m, NULL);
		863	*info = buffer_get_string(&m, NULL);
		864	*num = buffer_get_int(&m);
		865	prompts = xmalloc((num + 1) * sizeof(char *));
		866	echo_on = xmalloc((num + 1) * sizeof(u_int));
		867	for (i = 0; i < *num; ++i) {
		868	(*prompts)[i] = buffer_get_string(&m, NULL);
		869	(*echo_on)[i] = buffer_get_int(&m);
		870	}
		871	buffer_free(&m);
		872	return (ret);
		873	}
		874
		875	int
		876	mm_sshlam_respond(void ctx, u_int num, char *resp)
		877	{
		878	Buffer m;
		879	u_int i;
		880	int ret;
		881
		882	debug3("%s", __func__);
		883	buffer_init(&m);
		884	buffer_put_int(&m, num);
		885	for (i = 0; i < num; ++i)
		886	buffer_put_cstring(&m, resp[i]);
		887	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_LAM_RESPOND, &m);
888	debug3("%s: waiting for MONITOR_ANS_LAM_RESPOND", __func__);
889	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_LAM_RESPOND, &m);
890	ret = buffer_get_int(&m);
891	debug3("%s: lam_respond returned %d", __func__, ret);
892	buffer_free(&m);
893	return (ret);
894	}
895
896	void
897	mm_sshlam_free_ctx(void *ctxtp)
898	{
899	Buffer m;
900
901	debug3("%s", __func__);
902	buffer_init(&m);
903	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_LAM_FREE_CTX, &m);
904	debug3("%s: waiting for MONITOR_ANS_LAM_FREE_CTX", __func__);
905	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_LAM_FREE_CTX, &m);
906	buffer_free(&m);
907	}
908	#endif /* WITH_AIXAUTHENTICATE */
909
910
824	/* Request process termination */	911	/* Request process termination */
825		912
826	void	913	void

Line 0 Link Here

(-)openssh/auth-lam.c (+261 lines)
		1	/*-
		2	* Copyright (c) 2006 Quest Software, Inc. All rights reserved.
		3	*
		4	* Permission to use, copy, modify, and distribute this software for any
		5	* purpose with or without fee is hereby granted, provided that the above
		6	* copyright notice and this permission notice appear in all copies.
		7	*
		8	* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
		9	* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
		10	* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
		11	* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
		12	* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
		13	* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
		14	* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
		15	*/
		16
		17	#include "includes.h"
		18	#ifdef WITH_AIXAUTHENTICATE
		19	#include <sys/audit.h>
		20	#include <usersec.h>
		21	#include "auth.h"
		22	#include "buffer.h"
		23	#include "bufaux.h"
		24	#include "canohost.h"
		25	#include "log.h"
		26	#include "monitor_wrap.h"
		27	#include "msg.h"
		28	#include "packet.h"
		29	#include "misc.h"
		30	#include "servconf.h"
		31	#include "ssh2.h"
		32	#include "uidswap.h"
		33	#include "xmalloc.h"
		34	#include "auth-options.h"
		35	#include "openbsd-compat/port-aix.h"
		36
		37	extern ServerOptions options;
		38	extern Buffer loginmsg;
		39
		40	struct lam_ctxt {
		41	char * user;
		42	char * message;
		43	int reenter;
		44	int faking_noent;
		45	};
		46	struct Authctxt *sshlam_authctxt;
		47
		48	static void * sshlam_init_ctx(Authctxt *authctxt);
		49	static int sshlam_query(void ctx, char name, char *info,
		50	u_int num, char prompts, u_int echo_on);
		51	static int sshlam_respond(void ctx, u_int num, char *resp);
		52	static void sshlam_free_ctx(void *ctxtp);
		53	static void sshlam_force_pwchange(int reqd);
		54
		55	KbdintDevice sshlam_device = {
		56	"lam",
		57	sshlam_init_ctx,
		58	sshlam_query,
		59	sshlam_respond,
		60	sshlam_free_ctx
		61	};
		62
		63	KbdintDevice mm_sshlam_device = {
		64	"lam",
65	mm_sshlam_init_ctx,
66	mm_sshlam_query,
67	mm_sshlam_respond,
68	mm_sshlam_free_ctx
69	};
70
71	/*
72	* Allocates and initialises storage for LAM authentication state.
73	* Returns NULL if LAM authentication is not available.
74	*/
75	static void *
76	sshlam_init_ctx(Authctxt *authctxt)
77	{
78	struct lam_ctxt *ctxt;
79
80	debug3("LAM: sshlam_init_ctx entering");
81
82	ctxt = xmalloc(sizeof *ctxt);
83	memset(ctxt, 0, sizeof *ctxt);
84
85	ctxt->user = xstrdup(authctxt->user);
86	ctxt->message = NULL;
87	ctxt->faking_noent = 0;
88	ctxt->reenter = 0;
89	sshlam_authctxt = authctxt;
90
91	debug3("LAM: AUTHSTATE=%s", getenv("AUTHSTATE") ?
92	getenv("AUTHSTATE") : "NULL");
93
94	/* aix_setauthdb(ctxt->user); */
95	if (authenticate(ctxt->user, NULL, &ctxt->reenter, &ctxt->message))
96	{
97	error("LAM: authenticate(%.100s) failed: %.100s", ctxt->user,
98	strerror(errno));
99	if (errno == ENOENT) {
100	char buf[200];
101	/*
102	* When a user is known not to exist, we pretend
103	* that they do, and fake a password prompt
104	*/
105	logit("LAM: pretending that user '%.100s' exists", ctxt->user);
106	ctxt->faking_noent = 1;
107	snprintf(buf, sizeof buf, "%.100s's Password:", ctxt->user);
108	ctxt->message = xstrdup(buf);
109	ctxt->reenter = 1;
110	} else {
111	goto fail;
112	}
113	}
114
115	/* Instant authentication should never happen here;
116	* 'none' authentication should have permitted it */
117	if (!ctxt->reenter) {
118	error("LAM: %.100s authenticated immediately; ignoring",
119	ctxt->user);
120	goto fail;
121	}
122
123	return (ctxt);
124
125	fail:
126	sshlam_free_ctx(ctxt);
127	return (NULL);
128	}
129
130	/*
131	* Releases storage associated with the context
132	* returned from sshlam_init_ctx
133	*/
134	static void
135	sshlam_free_ctx(void *ctxtp)
136	{
137	struct lam_ctxt *ctxt = ctxtp;
138
139	debug3("LAM: sshlam_free_ctx entering");
140
141	/* aix_restoreauthdb(); */
142	if (ctxt->message)
143	xfree(ctxt->message);
144	xfree(ctxt->user);
145	xfree(ctxt);
146	}
147
148	/*
149	* Returns the user prompt for the current round of
150	* AIX LAM authentication.
151	*/
152	static int
153	sshlam_query(void ctx, char name, char *info,
154	u_int num, char prompts, u_int echo_on)
155	{
156	struct lam_ctxt *ctxt = ctx;
157
158	debug3("LAM: sshlam_query entering");
159
160	*name = xstrdup("");
161	*info = xstrdup("");
162	prompts = (char )xmalloc(sizeof(char ));
163	echo_on = (u_int )xmalloc(sizeof(u_int));
164	if (ctxt->message) {
165	**prompts = ctxt->message;
166	**echo_on = 0;
167	*num = 1;
168	} else
169	*num = 0;
170
171	return 0;
172	}
173
174	/*
175	* Processes a user response for an AIX LAM authentication round.
176	* Returns
177	* 1 if another round must be performed
178	* 0 if authentication completed with success
179	* -1 if authentication failed
180	*/
181	static int
182	sshlam_respond(void ctx, u_int num, char *resp)
183	{
184	struct lam_ctxt *ctxt = ctx;
185	int e;
186	char *message = NULL;
187
188	debug2("LAM: sshlam_respond entering, %u responses", num);
189
190	if (num != 1) {
191	error("LAM: expected one response, got %u", num);
192	return (-1);
193	}
194
195	if (ctxt->faking_noent)
196	return (-1);
197
198	/* Perform an authentication round */
199	e = authenticate(ctxt->user, *resp, &ctxt->reenter, &message);
200	if (e) {
201	if (message)
202	xfree(message);
203	error("LAM: authenticate %s: %d %.100s", ctxt->user, e,
204	strerror(errno));
205	return (-1);
206	}
207	if (ctxt->reenter) {
208	if (message == NULL) {
209	error("LAM: authenticate %s returned NULL message", ctxt->user);
210	return (-1);
211	}
212	ctxt->message = message;
213	return 1;
214	}
215
216	/* Handle extra messages by adding them to the login banner */
217	if (message) {
218	debug3("LAM: authenticate: %.100s", message);
219	buffer_append(&loginmsg, message, strlen(message));
220	xfree(message);
221	message = NULL;
222	}
223
224	/* Detect expired passwords */
225	e = passwdexpired(ctxt->user, &message);
226	if (e == -1) {
227	error("LAM: passwdexpired %s: %.100s", ctxt->user, strerror(errno));
228	return (-1);
229	}
230	if (message) {
231	debug3("LAM: passwdexpired: %.100s", message);
232	buffer_append(&loginmsg, message, strlen(message));
233	xfree(message);
234	message = NULL;
235	}
236	switch (e) {
237	case 0:
238	break;
239	case 1:
240	logit("LAM: password for %s expired", ctxt->user);
241	sshlam_force_pwchange(1);
242	break;
243	case 2:
244	error("LAM: password for %s expired and unchangeable", ctxt->user);
245	return (-1);
246	default:
247	error("LAM: passwdexpired returned %d", e);
248	return (-1);
249	}
250
251	return 0;
252	}
253
254	static void
255	sshlam_force_pwchange(int reqd)
256	{
257	sshlam_authctxt->force_pwchange = reqd;
258	}
259
260	#endif /* WITH_AIXAUTHENTICATE */
261