Bugzilla – Attachment 1658 Details for
Bug 1228
kbd-int device for AIX authenticate
[patch]
Patch for AIX LAM authentication kbdint device
aixlam2.patch (text/plain), 18.61 KB, created by
Ted Percival
on 2009-07-02 05:46:50 AEST
Description:
Patch for AIX LAM authentication kbdint device
Filename:
MIME Type:
Creator:
Ted Percival
Created:
2009-07-02 05:46:50 AEST
Size:
18.61 KB
patch
obsolete
>This patch is copyright (c) 2009 Quest Software, Inc. >All rights reserved. > >Redistribution and use in source and binary forms, with or without >modification, are permitted provided that the following conditions >are met: > > 1. Redistributions of source code must retain the above copyright > notice, this list of conditions and the following disclaimer. > > 2. Redistributions in binary form must reproduce the above copyright > notice, this list of conditions and the following disclaimer in the > documentation and/or other materials provided with the distribution. > > 3. Neither the name of Quest Software, Inc. nor the names of its contributors > may be used to endorse or promote products derived from this software > without specific prior written permission. > >THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS >"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT >LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR >A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT >OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, >SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT >LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, >DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY >THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT >(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE >OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. > >diff --git a/Makefile.in b/Makefile.in >index 75eb06d..8205fe8 100644 >--- a/Makefile.in >+++ b/Makefile.in >@@ -87,6 +87,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ > auth-krb5.o \ > auth2-gss.o gss-serv.o gss-serv-krb5.o \ > loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ >+ auth-lam.o \ > audit.o audit-bsm.o platform.o sftp-server.o sftp-common.o \ > roaming_common.o 
> >diff --git a/auth-lam.c b/auth-lam.c >new file mode 100644 >index 0000000..2f7ef07 >--- /dev/null >+++ b/auth-lam.c 
>@@ -0,0 +1,283 @@ >+/*- >+ * Copyright (c) 2009 Quest Software, Inc. All rights reserved. >+ * >+ * Permission to use, copy, modify, and distribute this software for any >+ * purpose with or without fee is hereby granted, provided that the above >+ * copyright notice and this permission notice appear in all copies. >+ * >+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES >+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF >+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR >+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES >+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN >+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF >+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. >+ */ >+ >+#include "includes.h" >+#ifdef WITH_AIXAUTHENTICATE >+#include <sys/audit.h> >+#include <usersec.h> >+#include <pwd.h> >+#include "auth.h" >+#include "buffer.h" >+#include "bufaux.h" >+#include "canohost.h" >+#include "log.h" >+#include "monitor_wrap.h" >+#include "msg.h" >+#include "packet.h" >+#include "misc.h" >+#include "servconf.h" >+#include "ssh2.h" >+#include "uidswap.h" >+#include "xmalloc.h" >+#include "auth-options.h" >+#include "openbsd-compat/port-aix.h" >+ >+extern ServerOptions options; >+extern Buffer loginmsg; >+ >+struct lam_ctxt { >+ char * user; >+ char * message; >+ int reenter; >+ int faking_noent; >+}; >+struct Authctxt *sshlam_authctxt; >+ >+static void * sshlam_init_ctx(Authctxt *authctxt); >+static int sshlam_query(void *ctx, char **name, char **info, >+ u_int *num, char ***prompts, u_int **echo_on); >+static int sshlam_respond(void *ctx, u_int num, char **resp); >+static void sshlam_free_ctx(void *ctxtp); >+static void sshlam_force_pwchange(int reqd); >+ >+KbdintDevice sshlam_device = { >+ "lam", >+ sshlam_init_ctx, >+ sshlam_query, >+ sshlam_respond, >+ sshlam_free_ctx >+}; >+ >+KbdintDevice 
mm_sshlam_device = { >+ "lam", >+ mm_sshlam_init_ctx, >+ mm_sshlam_query, >+ mm_sshlam_respond, >+ mm_sshlam_free_ctx >+}; >+ >+/* >+ * Allocates and initialises storage for LAM authentication state. >+ * Returns NULL if LAM authentication is not available. >+ */ >+static void * >+sshlam_init_ctx(Authctxt *authctxt) >+{ >+ struct lam_ctxt *ctxt; >+ >+ debug3("LAM: sshlam_init_ctx entering"); >+ >+ ctxt = xmalloc(sizeof *ctxt); >+ memset(ctxt, 0, sizeof *ctxt); >+ >+ ctxt->user = xstrdup(authctxt->user); >+ ctxt->message = NULL; >+ ctxt->faking_noent = 0; >+ ctxt->reenter = 0; >+ sshlam_authctxt = authctxt; >+ >+ debug3("LAM: AUTHSTATE=%s", getenv("AUTHSTATE") ? >+ getenv("AUTHSTATE") : "NULL"); >+ >+ /* aix_setauthdb(ctxt->user); */ >+ if (authenticate(ctxt->user, NULL, &ctxt->reenter, &ctxt->message)) >+ { >+ error("LAM: authenticate(%.100s) failed: %.100s", ctxt->user, >+ strerror(errno)); >+ if (errno == ENOENT) { >+ char buf[200]; >+ /* >+ * When a user is known not to exist, we pretend >+ * that they do, and fake a password prompt >+ */ >+ logit("LAM: pretending that user '%.100s' exists", ctxt->user); >+ ctxt->faking_noent = 1; >+ snprintf(buf, sizeof buf, "%.100s's Password:", ctxt->user); >+ ctxt->message = xstrdup(buf); >+ ctxt->reenter = 1; >+ } else { >+ goto fail; >+ } >+ } >+ >+ /* Instant authentication should never happen here; >+ * 'none' authentication should have permitted it */ >+ if (!ctxt->reenter) { >+ error("LAM: %.100s authenticated immediately; ignoring", >+ ctxt->user); >+ goto fail; >+ } >+ >+ return (ctxt); >+ >+ fail: >+ sshlam_free_ctx(ctxt); >+ return (NULL); >+} >+ >+/* >+ * Releases storage associated with the context >+ * returned from sshlam_init_ctx >+ */ >+static void >+sshlam_free_ctx(void *ctxtp) >+{ >+ struct lam_ctxt *ctxt = ctxtp; >+ >+ debug3("LAM: sshlam_free_ctx entering"); >+ >+ /* aix_restoreauthdb(); */ >+ if (ctxt->message) >+ xfree(ctxt->message); >+ xfree(ctxt->user); >+ xfree(ctxt); >+} >+ >+/* >+ * Returns the 
user prompt for the current round of >+ * AIX LAM authentication. >+ */ >+static int >+sshlam_query(void *ctx, char **name, char **info, >+ u_int *num, char ***prompts, u_int **echo_on) >+{ >+ struct lam_ctxt *ctxt = ctx; >+ >+ debug3("LAM: sshlam_query entering"); >+ >+ *name = xstrdup(""); >+ *info = xstrdup(""); >+ *prompts = (char **)xmalloc(sizeof(char *)); >+ *echo_on = (u_int *)xmalloc(sizeof(u_int)); >+ if (ctxt->message) { >+ **prompts = xstrdup(ctxt->message); >+ **echo_on = 0; >+ *num = 1; >+ } else >+ *num = 0; >+ >+ return 0; >+} >+ >+/* >+ * Processes a user response for an AIX LAM authentication round. >+ * Returns >+ * 1 if another round must be performed >+ * 0 if authentication completed with success >+ * -1 if authentication failed >+ */ >+static int >+sshlam_respond(void *ctx, u_int num, char **resp) >+{ >+ struct lam_ctxt *ctxt = ctx; >+ int e; >+ char *message = NULL; >+ struct passwd *pwuser = NULL; >+ char badpw[] = "\b\n\r\177INCORRECT"; /* XXX: Duplicated from auth-pam.c */ >+ char *authpw = NULL; >+ >+ debug2("LAM: sshlam_respond entering, %u responses", num); >+ >+ if (num != 1) { >+ error("LAM: expected one response, got %u", num); >+ return (-1); >+ } >+ >+ if (ctxt->faking_noent) >+ return (-1); >+ >+ pwuser = getpwnam(ctxt->user); >+ if (!pwuser) { >+ error("LAM: could not resolve user %.100s", ctxt->user); >+ return (-1); >+ } >+ >+ /* Have LAM process a junk password to avoid timing-based disclosure. 
*/ >+ if (pwuser->pw_uid == 0 && options.permit_root_login != PERMIT_YES) >+ authpw = badpw; >+ else >+ authpw = *resp; >+ >+ /* Perform an authentication round */ >+ e = authenticate(ctxt->user, authpw, &ctxt->reenter, &message); >+ if (e) { >+ if (message) >+ xfree(message); >+ error("LAM: authenticate %s: %d %.100s", ctxt->user, e, >+ strerror(errno)); >+ return (-1); >+ } >+ >+ if (pwuser->pw_uid == 0 && options.permit_root_login != PERMIT_YES) { >+ error("LAM: denying root access"); >+ return (-1); >+ } >+ >+ if (ctxt->reenter) { >+ if (message == NULL) { >+ error("LAM: authenticate %s returned NULL message", ctxt->user); >+ return (-1); >+ } >+ ctxt->message = message; >+ return 1; >+ } >+ >+ /* Handle extra messages by adding them to the login banner */ >+ if (message) { >+ debug3("LAM: authenticate: %.100s", message); >+ buffer_append(&loginmsg, message, strlen(message)); >+ xfree(message); >+ message = NULL; >+ } >+ >+ /* Detect expired passwords */ >+ e = passwdexpired(ctxt->user, &message); >+ if (e == -1) { >+ error("LAM: passwdexpired %s: %.100s", ctxt->user, strerror(errno)); >+ return (-1); >+ } >+ if (message) { >+ debug3("LAM: passwdexpired: %.100s", message); >+ buffer_append(&loginmsg, message, strlen(message)); >+ xfree(message); >+ message = NULL; >+ } >+ switch (e) { >+ case 0: >+ break; >+ case 1: >+ logit("LAM: password for %s expired", ctxt->user); >+ sshlam_force_pwchange(1); >+ break; >+ case 2: >+ error("LAM: password for %s expired and unchangeable", ctxt->user); >+ return (-1); >+ default: >+ error("LAM: passwdexpired returned %d", e); >+ return (-1); >+ } >+ >+ return 0; >+} >+ >+static void >+sshlam_force_pwchange(int reqd) >+{ >+ sshlam_authctxt->force_pwchange = reqd; >+} >+ >+#endif /* WITH_AIXAUTHENTICATE */ >+ >diff --git a/auth2-chall.c b/auth2-chall.c >index e6dbffe..78df52b 100644 >--- a/auth2-chall.c >+++ b/auth2-chall.c 
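Review bot: The masking of unknown accounts in auth-lam.c is leaky in two places. In sshlam_init_ctx, `errno` is compared with ENOENT only after `error()` has run, so if that logging call changes errno the request goes to `fail` and the device refuses to start for a nonexistent user while real users get a prompt; save it first with `int saved_errno = errno;` and test `saved_errno`. In sshlam_respond, the `faking_noent` and `!pwuser` branches return -1 before `authenticate()` is called, so only the root-denied case gets the junk-password treatment the comment describes and the response time can still separate the cases. The hunk also never reads `sshlam_authctxt->valid`; unless the caller rejects users excluded by sshd's own allow/deny rules before a 0 return here, those users should take the `badpw` path as well, which is worth confirming against auth2-chall.c. Separately, `ctxt->message = message;` on the reenter path overwrites the previous prompt without an `xfree`.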
>@@ -56,6 +56,9 @@ extern KbdintDevice bsdauth_device;
> #ifdef USE_PAM
> extern KbdintDevice sshpam_device;
> #endif
>+#ifdef WITH_AIXAUTHENTICATE
>+extern KbdintDevice sshlam_device;
>+#endif
> #ifdef SKEY
> extern KbdintDevice skey_device;
> #endif
>@@ -68,6 +71,9 @@ KbdintDevice *devices[] = {
> #ifdef USE_PAM
> &sshpam_device,
> #endif
>+#ifdef WITH_AIXAUTHENTICATE
>+ &sshlam_device,
>+#endif
> #ifdef SKEY
> &skey_device,
> #endif
>@@ -348,7 +354,7 @@ input_userauth_info_response(int type, u_int32_t seq, void *ctxt)
> void
> privsep_challenge_enable(void)
> {
>-#if defined(BSD_AUTH) || defined(USE_PAM) || defined(SKEY)
>+#if defined(BSD_AUTH) || defined(USE_PAM) || defined(SKEY) || defined(WITH_AIXAUTHENTICATE)
> int n = 0;
> #endif
> #ifdef BSD_AUTH
>@@ -357,6 +363,9 @@ privsep_challenge_enable(void)
> #ifdef USE_PAM
> extern KbdintDevice mm_sshpam_device;
> #endif
>+#ifdef WITH_AIXAUTHENTICATE
>+ extern KbdintDevice mm_sshlam_device;
>+#endif
> #ifdef SKEY
> extern KbdintDevice mm_skey_device;
> #endif
>@@ -367,6 +376,9 @@ privsep_challenge_enable(void)
> #ifdef USE_PAM
> devices[n++] = &mm_sshpam_device;
> #endif
>+#ifdef WITH_AIXAUTHENTICATE
>+ devices[n++] = &mm_sshlam_device;
>+#endif
> #ifdef SKEY
> devices[n++] = &mm_skey_device;
> #endif
>diff --git a/monitor.c b/monitor.c
>index ace25c4..3b024fb 100644
>--- a/monitor.c
>+++ b/monitor.c
>@@ -167,6 +167,13 @@ int mm_answer_pam_respond(int, Buffer *);
> int mm_answer_pam_free_ctx(int, Buffer *);
> #endif
> 
>+#ifdef WITH_AIXAUTHENTICATE
>+int mm_answer_lam_init_ctx(int, Buffer *);
>+int mm_answer_lam_query(int, Buffer *);
>+int mm_answer_lam_respond(int, Buffer *);
>+int mm_answer_lam_free_ctx(int, Buffer *);
>+#endif
>+
> #ifdef GSSAPI
> int mm_answer_gss_setup_ctx(int, Buffer *);
> int mm_answer_gss_accept_ctx(int, Buffer *);
>@@ -223,6 +230,12 @@ struct mon_table mon_dispatch_proto20[] = {
> {MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
> {MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx},
> #endif
>+#ifdef WITH_AIXAUTHENTICATE
>+ {MONITOR_REQ_LAM_INIT_CTX, MON_ISAUTH, mm_answer_lam_init_ctx},
>+ {MONITOR_REQ_LAM_QUERY, MON_ISAUTH, mm_answer_lam_query},
>+ {MONITOR_REQ_LAM_RESPOND, MON_ISAUTH, mm_answer_lam_respond},
>+ {MONITOR_REQ_LAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_lam_free_ctx},
>+#endif
> #ifdef SSH_AUDIT_EVENTS
> {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
> #endif
>@@ -290,6 +303,12 @@ struct mon_table mon_dispatch_proto15[] = {
> {MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
> {MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx},
> #endif
>+#ifdef WITH_AIXAUTHENTICATE
>+ {MONITOR_REQ_LAM_INIT_CTX, MON_ISAUTH, mm_answer_lam_init_ctx},
>+ {MONITOR_REQ_LAM_QUERY, MON_ISAUTH, mm_answer_lam_query},
>+ {MONITOR_REQ_LAM_RESPOND, MON_ISAUTH, mm_answer_lam_respond},
>+ {MONITOR_REQ_LAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_lam_free_ctx},
>+#endif
> #ifdef SSH_AUDIT_EVENTS
> {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
> #endif
>@@ -997,6 +1016,106 @@ mm_answer_pam_free_ctx(int sock, Buffer *m) > } > #endif > >+#ifdef WITH_AIXAUTHENTICATE >+static void *sshlam_ctxt, *sshlam_authok; >+extern KbdintDevice sshlam_device; >+ >+int >+mm_answer_lam_init_ctx(int sock, Buffer *m) >+{ >+ >+ debug3("%s", __func__); >+ authctxt->user = buffer_get_string(m, NULL); >+ sshlam_ctxt = (sshlam_device.init_ctx)(authctxt); >+ sshlam_authok = NULL; >+ buffer_clear(m); >+ if (sshlam_ctxt != NULL) { >+ monitor_permit(mon_dispatch, MONITOR_REQ_LAM_FREE_CTX, 1); >+ buffer_put_int(m, 1); >+ } else { >+ buffer_put_int(m, 0); >+ } >+ mm_request_send(sock, MONITOR_ANS_LAM_INIT_CTX, m); >+ return (0); >+} >+ >+int >+mm_answer_lam_query(int sock, Buffer *m) >+{ >+ char *name, *info, **prompts; >+ u_int i, num, *echo_on; >+ int ret; >+ >+ debug3("%s", __func__); >+ sshlam_authok = NULL; >+ ret = (sshlam_device.query)(sshlam_ctxt, &name, &info, &num, &prompts, &echo_on); >+ if (ret == 0 && num == 0) >+ sshlam_authok = sshlam_ctxt; >+ if (num > 1 || name == NULL || info == NULL) >+ ret = -1; >+ buffer_clear(m); >+ buffer_put_int(m, ret); >+ buffer_put_cstring(m, name); >+ xfree(name); >+ buffer_put_cstring(m, info); >+ xfree(info); >+ buffer_put_int(m, num); >+ for (i = 0; i < num; ++i) { >+ buffer_put_cstring(m, prompts[i]); >+ xfree(prompts[i]); >+ buffer_put_int(m, echo_on[i]); >+ } >+ if (prompts != NULL) >+ xfree(prompts); >+ if (echo_on != NULL) >+ xfree(echo_on); >+ mm_request_send(sock, MONITOR_ANS_LAM_QUERY, m); >+ return (0); >+} >+ >+int >+mm_answer_lam_respond(int sock, Buffer *m) >+{ >+ char **resp; >+ u_int i, num; >+ int ret; >+ >+ debug3("%s", __func__); >+ sshlam_authok = NULL; >+ num = buffer_get_int(m); >+ if (num > 0) { >+ resp = xmalloc(num * sizeof(char *)); >+ for (i = 0; i < num; ++i) >+ resp[i] = buffer_get_string(m, NULL); >+ ret = (sshlam_device.respond)(sshlam_ctxt, num, resp); >+ for (i = 0; i < num; ++i) >+ xfree(resp[i]); >+ xfree(resp); >+ } else { >+ ret = 
(sshlam_device.respond)(sshlam_ctxt, num, NULL); >+ } >+ buffer_clear(m); >+ buffer_put_int(m, ret); >+ mm_request_send(sock, MONITOR_ANS_LAM_RESPOND, m); >+ auth_method = "keyboard-interactive/lam"; >+ if (ret == 0) >+ sshlam_authok = sshlam_ctxt; >+ return (0); >+} >+ >+int >+mm_answer_lam_free_ctx(int sock, Buffer *m) >+{ >+ >+ debug3("%s", __func__); >+ (sshlam_device.free_ctx)(sshlam_ctxt); >+ buffer_clear(m); >+ mm_request_send(sock, MONITOR_ANS_LAM_FREE_CTX, m); >+ return (sshlam_authok && sshlam_authok == sshlam_ctxt); >+} >+#endif /* WITH_AIXAUTHENTICATE */ >+ >+ > static void > mm_append_debug(Buffer *m) > { >diff --git a/monitor.h b/monitor.h >index a8a2c0c..2520c8c 100644 >--- a/monitor.h >+++ b/monitor.h >@@ -59,6 +59,10 @@ enum monitor_reqtype { > MONITOR_REQ_PAM_QUERY, MONITOR_ANS_PAM_QUERY, > MONITOR_REQ_PAM_RESPOND, MONITOR_ANS_PAM_RESPOND, > MONITOR_REQ_PAM_FREE_CTX, MONITOR_ANS_PAM_FREE_CTX, >+ MONITOR_REQ_LAM_INIT_CTX, MONITOR_ANS_LAM_INIT_CTX, >+ MONITOR_REQ_LAM_QUERY, MONITOR_ANS_LAM_QUERY, >+ MONITOR_REQ_LAM_RESPOND, MONITOR_ANS_LAM_RESPOND, >+ MONITOR_REQ_LAM_FREE_CTX, MONITOR_ANS_LAM_FREE_CTX, > MONITOR_REQ_AUDIT_EVENT, MONITOR_REQ_AUDIT_COMMAND, > MONITOR_REQ_TERM, > MONITOR_REQ_JPAKE_STEP1, MONITOR_ANS_JPAKE_STEP1, >diff --git a/monitor_wrap.c b/monitor_wrap.c >index b8e8710..68605c7 100644 >--- a/monitor_wrap.c >+++ b/monitor_wrap.c 
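Review bot: The monitor handlers added in this monitor.c hunk act on values and state driven by the unprivileged child without checking them. In mm_answer_lam_respond, `num` is taken straight from the request and multiplied in `xmalloc(num * sizeof(char *))` with no overflow check; `xcalloc(num, sizeof(char *))` checks the product. mm_answer_lam_query and mm_answer_lam_respond pass `sshlam_ctxt` to the device without testing it for NULL, and mm_answer_lam_free_ctx leaves it pointing at released storage and compares it after the free, so a later request would reuse a stale context. mm_answer_lam_query also sets `ret = -1` when `name` or `info` is NULL but still hands both to `buffer_put_cstring` and `xfree`.

```c
/* mm_answer_lam_query and mm_answer_lam_respond, directly after debug3(): */
	if (sshlam_ctxt == NULL)
		fatal("%s: no context", __func__);

/* mm_answer_lam_respond: overflow-checked allocation */
		resp = xcalloc(num, sizeof(char *));
		/* … unchanged: read responses, call respond, free them … */

int
mm_answer_lam_free_ctx(int sock, Buffer *m)
{
	int authok;

	debug3("%s", __func__);
	/* Decide before the context is released, then drop both pointers. */
	authok = (sshlam_authok != NULL && sshlam_authok == sshlam_ctxt);
	(sshlam_device.free_ctx)(sshlam_ctxt);
	sshlam_ctxt = sshlam_authok = NULL;
	/* … unchanged: buffer_clear, mm_request_send … */
	return (authok);
}
```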
>@@ -876,6 +876,93 @@ mm_sshpam_free_ctx(void *ctxtp) > } > #endif /* USE_PAM */ > >+#if WITH_AIXAUTHENTICATE >+void * >+mm_sshlam_init_ctx(Authctxt *authctxt) >+{ >+ Buffer m; >+ int success; >+ >+ debug3("%s", __func__); >+ buffer_init(&m); >+ buffer_put_cstring(&m, authctxt->user); >+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_LAM_INIT_CTX, &m); >+ debug3("%s: waiting for MONITOR_ANS_LAM_INIT_CTX", __func__); >+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_LAM_INIT_CTX, &m); >+ success = buffer_get_int(&m); >+ if (success == 0) { >+ debug3("%s: lam_init_ctx failed", __func__); >+ buffer_free(&m); >+ return (NULL); >+ } >+ buffer_free(&m); >+ return (authctxt); >+} >+ >+int >+mm_sshlam_query(void *ctx, char **name, char **info, >+ u_int *num, char ***prompts, u_int **echo_on) >+{ >+ Buffer m; >+ u_int i; >+ int ret; >+ >+ debug3("%s", __func__); >+ buffer_init(&m); >+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_LAM_QUERY, &m); >+ debug3("%s: waiting for MONITOR_ANS_LAM_QUERY", __func__); >+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_LAM_QUERY, &m); >+ ret = buffer_get_int(&m); >+ debug3("%s: lam_query returned %d", __func__, ret); >+ *name = buffer_get_string(&m, NULL); >+ *info = buffer_get_string(&m, NULL); >+ *num = buffer_get_int(&m); >+ *prompts = xmalloc((*num + 1) * sizeof(char *)); >+ *echo_on = xmalloc((*num + 1) * sizeof(u_int)); >+ for (i = 0; i < *num; ++i) { >+ (*prompts)[i] = buffer_get_string(&m, NULL); >+ (*echo_on)[i] = buffer_get_int(&m); >+ } >+ buffer_free(&m); >+ return (ret); >+} >+ >+int >+mm_sshlam_respond(void *ctx, u_int num, char **resp) >+{ >+ Buffer m; >+ u_int i; >+ int ret; >+ >+ debug3("%s", __func__); >+ buffer_init(&m); >+ buffer_put_int(&m, num); >+ for (i = 0; i < num; ++i) >+ buffer_put_cstring(&m, resp[i]); >+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_LAM_RESPOND, &m); >+ debug3("%s: waiting for MONITOR_ANS_LAM_RESPOND", __func__); >+ mm_request_receive_expect(pmonitor->m_recvfd, 
MONITOR_ANS_LAM_RESPOND, &m); >+ ret = buffer_get_int(&m); >+ debug3("%s: lam_respond returned %d", __func__, ret); >+ buffer_free(&m); >+ return (ret); >+} >+ >+void >+mm_sshlam_free_ctx(void *ctxtp) >+{ >+ Buffer m; >+ >+ debug3("%s", __func__); >+ buffer_init(&m); >+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_LAM_FREE_CTX, &m); >+ debug3("%s: waiting for MONITOR_ANS_LAM_FREE_CTX", __func__); >+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_LAM_FREE_CTX, &m); >+ buffer_free(&m); >+} >+#endif /* WITH_AIXAUTHENTICATE */ >+ >+ > /* Request process termination */ > > void >diff --git a/monitor_wrap.h b/monitor_wrap.h >index de2d16f..de1b874 100644 >--- a/monitor_wrap.h >+++ b/monitor_wrap.h >@@ -70,6 +70,13 @@ int mm_sshpam_respond(void *, u_int, char **); > void mm_sshpam_free_ctx(void *); > #endif > >+#ifdef WITH_AIXAUTHENTICATE >+void *mm_sshlam_init_ctx(struct Authctxt *); >+int mm_sshlam_query(void *, char **, char **, u_int *, char ***, u_int **); >+int mm_sshlam_respond(void *, u_int, char **); >+void mm_sshlam_free_ctx(void *); >+#endif >+ > #ifdef SSH_AUDIT_EVENTS > #include "audit.h" > void mm_audit_event(ssh_audit_event_t);
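Review bot: The guard that opens the monitor_wrap.c block is `#if WITH_AIXAUTHENTICATE`, while every other file in the patch, and this block's own closing comment, uses `#ifdef WITH_AIXAUTHENTICATE`; use `#ifdef` here too so the wrappers and their monitor-side handlers are compiled under the same condition. In mm_sshlam_query, `*num` is read from the monitor's reply and goes into `xmalloc((*num + 1) * sizeof(char *))` and the matching `echo_on` allocation with no bound or overflow check; `xcalloc(*num + 1, sizeof(char *))` and `xcalloc(*num + 1, sizeof(u_int))` would at least check the product.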
Attachments on
bug 1228
:
1183
| 1658