
(-)orig/auth-pam.c (+131 lines)
Lines 617-622 Link Here
617
	sshpam_handle = NULL;
617
	sshpam_handle = NULL;
618
}
618
}
619
619
620
#ifdef PAM_ENHANCEMENT
621
char *
622
derive_pam_service_name(Authctxt *authctxt)
623
{
624
	char *svcname = NULL;
625
        char *method_name;
626
627
	if (!compat20 && options.pam_service_per_authmethod) 
628
		fatal("PAMServiceName -%m can not be used in protocol 1");
629
      
630
        if (options.pam_service_name == NULL) {
631
                /* default to "sshd" */
632
                svcname = xstrdup("sshd");
633
		return (svcname);
634
        }
635
636
        if (!options.pam_service_per_authmethod) {
637
	        /*
638
		 * no -%m in PAMServiceName option, so 
639
		 * options.pam_service_name is the PAM Service Name.
640
		 */
641
		svcname = xstrdup(options.pam_service_name);
642
		return (svcname);
643
	} else {
644
		char *method_name = authctxt->authmethod_name;
645
	        int svcname_len;
646
647
		if (!method_name)
648
			fatal("Userauth method unknown while starting PAM");
649
650
                /*
651
		 * Expand -%m; options.pam_service_name is now the prefix. 
652
		 * Should allocate sufficient space for the expanded PAM 
653
		 * service name.
654
		 */
655
                svcname_len = strlen(options.pam_service_name) + 20;
656
                svcname = xmalloc(svcname_len);
657
	       
658
		if (strcmp(method_name, "none") == 0) {
659
			snprintf(svcname, svcname_len, "%s-none",
660
			    options.pam_service_name);
661
		}
662
		if (strcmp(method_name, "password") == 0) {
663
			snprintf(svcname, svcname_len, "%s-password",
664
			    options.pam_service_name);
665
		}
666
		if (strcmp(method_name, "keyboard-interactive") == 0) {
667
			/* "keyboard-interactive" is too long, shorten it */
668
			snprintf(svcname, svcname_len, "%s-kbdint",
669
			    options.pam_service_name);
670
		}
671
		if (strcmp(method_name, "publickey") == 0) {
672
			/* "publickey" is too long, shorten it */
673
			snprintf(svcname, svcname_len, "%s-pubkey",
674
			    options.pam_service_name);
675
		}
676
		if (strcmp(method_name, "hostbased") == 0) {
677
			snprintf(svcname, svcname_len, "%s-hostbased",
678
			    options.pam_service_name);
679
		}
680
		if (strncmp(method_name, "gssapi-", 7) == 0) {
681
		        /*
682
			 * Although OpenSSH only supports "gssapi-with-mic"
683
			 * for now. We will still map any userauth method
684
                         * prefixed with "gssapi-" to the gssapi PAM service.
685
			 */ 
686
			snprintf(svcname, svcname_len, "%s-gssapi",
687
			    options.pam_service_name);
688
		}
689
		return svcname;
690
	}
691
}
692
#endif /* PAM_ENHANCEMENT */
693
620
static int
694
static int
621
sshpam_init(Authctxt *authctxt)
695
sshpam_init(Authctxt *authctxt)
622
{
696
{
Lines 624-630 Link Here
624
	const char *pam_rhost, *pam_user, *user = authctxt->user;
698
	const char *pam_rhost, *pam_user, *user = authctxt->user;
625
	const char **ptr_pam_user = &pam_user;
699
	const char **ptr_pam_user = &pam_user;
626
700
701
#ifdef PAM_ENHANCEMENT
702
	const char *pam_service;
703
        const char **ptr_pam_service = &pam_service;
704
	char *svc = NULL;
705
706
	svc = derive_pam_service_name(authctxt);
707
        debug3("PAM service is %s", svc);
708
#endif
709
627
	if (sshpam_handle != NULL) {
710
	if (sshpam_handle != NULL) {
711
#ifdef PAM_ENHANCEMENT
712
	        /* get the pam service name */
713
		sshpam_err = pam_get_item(sshpam_handle,
714
		    PAM_SERVICE, (sshpam_const void **)ptr_pam_service);
715
                if (sshpam_err != PAM_SUCCESS) 
716
		    fatal("Failed to get the PAM service name");
717
		debug3("Previous pam_service is %s", pam_service ?
718
                    pam_service : "NULL");
719
720
		/* get the pam user name */
721
		sshpam_err = pam_get_item(sshpam_handle,
722
		    PAM_USER, (sshpam_const void **)ptr_pam_user);
723
724
		/*
725
		 * only need to re-start if either user or service is 
726
                 * different.
727
                 */
728
		if (sshpam_err == PAM_SUCCESS && strcmp(user, pam_user) == 0
729
		    && strncmp(svc, pam_service, strlen(svc)) == 0) {
730
		        free(svc);
731
			return (0);
732
                }
733
734
                /*
735
		 * Clean up previous PAM state.  No need to clean up session 
736
		 * and creds.
737
		 */
738
                sshpam_authenticated = 0;
739
                sshpam_account_status = -1;
740
741
		sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, NULL);
742
         	if (sshpam_err != PAM_SUCCESS)
743
		        debug3("Cannot remove PAM conv"); /* a warning only */
744
745
		pam_end(sshpam_handle, sshpam_err);
746
		sshpam_handle = NULL;
747
748
#else /* Original */
628
		/* We already have a PAM context; check if the user matches */
749
		/* We already have a PAM context; check if the user matches */
629
		sshpam_err = pam_get_item(sshpam_handle,
750
		sshpam_err = pam_get_item(sshpam_handle,
630
		    PAM_USER, (sshpam_const void **)ptr_pam_user);
751
		    PAM_USER, (sshpam_const void **)ptr_pam_user);
Lines 632-641 Link Here
632
			return (0);
753
			return (0);
633
		pam_end(sshpam_handle, sshpam_err);
754
		pam_end(sshpam_handle, sshpam_err);
634
		sshpam_handle = NULL;
755
		sshpam_handle = NULL;
756
#endif /* PAM_ENHANCEMENT */
635
	}
757
	}
636
	debug("PAM: initializing for \"%s\"", user);
758
	debug("PAM: initializing for \"%s\"", user);
759
760
#ifdef PAM_ENHANCEMENT
761
        debug("Starting PAM service %s for user %s method %s", svc, user,
762
            authctxt->authmethod_name);
637
	sshpam_err =
763
	sshpam_err =
764
	    pam_start(svc, user, &store_conv, &sshpam_handle);
765
	free(svc);
766
#else /* Original */
767
	sshpam_err =
638
	    pam_start(SSHD_PAM_SERVICE, user, &store_conv, &sshpam_handle);
768
	    pam_start(SSHD_PAM_SERVICE, user, &store_conv, &sshpam_handle);
769
#endif
639
	sshpam_authctxt = authctxt;
770
	sshpam_authctxt = authctxt;
640
771
641
	if (sshpam_err != PAM_SUCCESS) {
772
	if (sshpam_err != PAM_SUCCESS) {
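Review bot: In derive_pam_service_name the buffer returned by xmalloc is never initialized before the chain of strcmp tests, so a method_name that matches none of them (the gssapi comment says the function intends to accept "any userauth method") reaches pam_start as uninitialized heap bytes; end the chain with `else fatal("Unsupported userauth method %s for PAM", method_name);` or prime the buffer first with `snprintf(svcname, svcname_len, "%s", options.pam_service_name);`. The restart test in sshpam_init uses `strncmp(svc, pam_service, strlen(svc))`, which is a prefix match rather than equality, and it dereferences pam_service although the debug3 two lines earlier admits it may be NULL; `pam_service != NULL && strcmp(svc, pam_service) == 0` is the check that matches the comment "only need to re-start if either user or service is different". The pam_user comparison on the same line inherits the original's unchecked pointer, which this hunk leaves as is. sshpam_init continues past the end of the hunk.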
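--- a/auth.h
+++ b/auth.h
@@ -76,6 +76,9 @@
 #endif
 	Buffer		*loginmsg;
 	void		*methoddata;
+#ifdef PAM_ENHANCEMENT
+        char            *authmethod_name;
+#endif 
 };
 /*
  * Every authentication method has to handle authentication requests for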
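Review bot: The new authmethod_name member is the only field in this struct that is freed and re-created on every userauth request (auth2.c frees it and xstrdup's the incoming method, monitor.c frees it and takes buffer_get_string's result), yet nothing here says who owns it; a one-line comment would save the next reader a grep: `char *authmethod_name; /* SSHv2 userauth method of the current request; heap-owned, replaced per request */`.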
(-)orig/auth2.c (+56 lines)
Lines 249-258 Link Here
249
			PRIVSEP(audit_event(SSH_INVALID_USER));
249
			PRIVSEP(audit_event(SSH_INVALID_USER));
250
#endif
250
#endif
251
		}
251
		}
252
252
#ifdef USE_PAM
253
#ifdef USE_PAM
254
#ifdef PAM_ENHANCEMENT
255
		/*
256
		 * Start PAM here and once only, if each userauth does not
257
		 * has its own PAM service.
258
		 */
259
	        if (options.use_pam && !options.pam_service_per_authmethod)
260
			PRIVSEP(start_pam(authctxt));
261
#else
253
		if (options.use_pam)
262
		if (options.use_pam)
254
			PRIVSEP(start_pam(authctxt));
263
			PRIVSEP(start_pam(authctxt));
255
#endif
264
#endif
265
#endif
256
		setproctitle("%s%s", authctxt->valid ? user : "unknown",
266
		setproctitle("%s%s", authctxt->valid ? user : "unknown",
257
		    use_privsep ? " [net]" : "");
267
		    use_privsep ? " [net]" : "");
258
		authctxt->service = xstrdup(service);
268
		authctxt->service = xstrdup(service);
Lines 286-291 Link Here
286
	/* try to authenticate user */
296
	/* try to authenticate user */
287
	m = authmethod_lookup(authctxt, method);
297
	m = authmethod_lookup(authctxt, method);
288
	if (m != NULL && authctxt->failures < options.max_authtries) {
298
	if (m != NULL && authctxt->failures < options.max_authtries) {
299
300
#if defined(USE_PAM) && defined(PAM_ENHANCEMENT)
301
	        /* start PAM service for each userauth */
302
                if (options.use_pam && options.pam_service_per_authmethod) {
303
       		        if (authctxt->authmethod_name != NULL)
304
		                free(authctxt->authmethod_name);
305
                        authctxt->authmethod_name = xstrdup(method);
306
                        if (use_privsep)
307
                                mm_inform_authmethod(method);
308
		        PRIVSEP(start_pam(authctxt));
309
		}
310
#endif
289
		debug2("input_userauth_request: try method %s", method);
311
		debug2("input_userauth_request: try method %s", method);
290
		authenticated =	m->userauth(authctxt);
312
		authenticated =	m->userauth(authctxt);
291
	}
313
	}
Lines 303-308 Link Here
303
	char *methods;
325
	char *methods;
304
	int partial = 0;
326
	int partial = 0;
305
327
328
#ifdef  PAM_ENHANCEMENT
329
        debug3("%s: entering", __func__);
330
#endif
331
306
	if (!authctxt->valid && authenticated)
332
	if (!authctxt->valid && authenticated)
307
		fatal("INTERNAL ERROR: authenticated invalid user %s",
333
		fatal("INTERNAL ERROR: authenticated invalid user %s",
308
		    authctxt->user);
334
		    authctxt->user);
Lines 319-324 Link Here
319
	}
345
	}
320
346
321
	if (authenticated && options.num_auth_methods != 0) {
347
	if (authenticated && options.num_auth_methods != 0) {
348
#if defined(USE_PAM) && defined(PAM_ENHANCEMENT)
349
	        /*
350
	         * If each userauth has its own PAM service, then PAM need to 
351
                 * perform account check for this service.
352
		 */
353
	        if (options.use_pam && options.pam_service_per_authmethod &&
354
		    !PRIVSEP(do_pam_account())) {
355
			/* if PAM returned a message, send it to the user */
356
			if (buffer_len(&loginmsg) > 0) {
357
				buffer_append(&loginmsg, "\0", 1);
358
				userauth_send_banner(buffer_ptr(&loginmsg));
359
				packet_write_wait();
360
			}
361
362
			fatal("Access denied for user %s by PAM account "
363
			    "configuration", authctxt->user);
364
		}
365
#endif
322
		if (!auth2_update_methods_lists(authctxt, method, submethod)) {
366
		if (!auth2_update_methods_lists(authctxt, method, submethod)) {
323
			authenticated = 0;
367
			authenticated = 0;
324
			partial = 1;
368
			partial = 1;
Lines 332-338 Link Here
332
		return;
376
		return;
333
377
334
#ifdef USE_PAM
378
#ifdef USE_PAM
379
#ifdef PAM_ENHANCEMENT
380
	/*
381
         * PAM needs to perform account checks after auth. However, if each
382
	 * userauth has its own PAM service and options.num_auth_methods != 0,
383
	 * then no need to perform account checking, because it was done 
384
         * already.
385
	 */
386
	if (options.use_pam && authenticated && 
387
	    !(options.num_auth_methods != 0 &&
388
	    options.pam_service_per_authmethod)){
389
#else
335
	if (options.use_pam && authenticated) {
390
	if (options.use_pam && authenticated) {
391
#endif
336
		if (!PRIVSEP(do_pam_account())) {
392
		if (!PRIVSEP(do_pam_account())) {
337
			/* if PAM returned a message, send it to the user */
393
			/* if PAM returned a message, send it to the user */
338
			if (buffer_len(&loginmsg) > 0) {
394
			if (buffer_len(&loginmsg) > 0) {
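Review bot: The PAM account block added to userauth_finish at lines 353-364 appears to repeat verbatim the banner-then-fatal sequence of the original block that starts at line 391 (`if (!PRIVSEP(do_pam_account())) { ... buffer_len(&loginmsg) ...`), so a small `static void auth2_pam_account_or_die(Authctxt *authctxt)` called from both places would keep the two denial paths from drifting apart. With per-method services this new check also runs before auth2_update_methods_lists, so a PAM account denial on the first of several required methods terminates the connection rather than counting as a failed partial step; if that is intended, the comment above it should say so. In input_userauth_request the method string is copied into authmethod_name only after authmethod_lookup returned non-NULL, which is what keeps the mapping in derive_pam_service_name exhaustive, and that dependency is worth stating at line 301: `/* method was validated by authmethod_lookup above */`. userauth_finish continues outside the hunk.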
(-)orig/monitor_wrap.c (+18 lines)
Lines 338-343 Link Here
338
	buffer_free(&m);
338
	buffer_free(&m);
339
}
339
}
340
340
341
#ifdef PAM_ENHANCEMENT
342
/* Inform the privileged process about the authentication method */
343
void
344
mm_inform_authmethod(char *authmethod)
345
{
346
	Buffer m;
347
348
	debug3("%s entering", __func__);
349
350
	buffer_init(&m);
351
	buffer_put_cstring(&m, authmethod);
352
353
	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHMETHOD, &m);
354
355
	buffer_free(&m);
356
}
357
#endif
358
341
/* Do the password authentication */
359
/* Do the password authentication */
342
int
360
int
343
mm_auth_password(Authctxt *authctxt, char *password)
361
mm_auth_password(Authctxt *authctxt, char *password)
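--- a/monitor_wrap.h
+++ b/monitor_wrap.h
@@ -42,6 +42,11 @@
 DH *mm_choose_dh(int, int, int);
 int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int);
 void mm_inform_authserv(char *, char *);
+
+#ifdef PAM_ENHANCEMENT
+void mm_inform_authmethod(char *);
+#endif
+
 struct passwd *mm_getpwnamallow(const char *);
 char *mm_auth2_read_banner(void);
 int mm_auth_password(struct Authctxt *, char *);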
(-)orig/monitor.c (-1 / +67 lines)
Lines 146-151 Link Here
146
int mm_answer_pwnamallow(int, Buffer *);
146
int mm_answer_pwnamallow(int, Buffer *);
147
int mm_answer_auth2_read_banner(int, Buffer *);
147
int mm_answer_auth2_read_banner(int, Buffer *);
148
int mm_answer_authserv(int, Buffer *);
148
int mm_answer_authserv(int, Buffer *);
149
#ifdef PAM_ENHANCEMENT
150
int mm_answer_authmethod(int, Buffer *);
151
#endif
149
int mm_answer_authpassword(int, Buffer *);
152
int mm_answer_authpassword(int, Buffer *);
150
int mm_answer_bsdauthquery(int, Buffer *);
153
int mm_answer_bsdauthquery(int, Buffer *);
151
int mm_answer_bsdauthrespond(int, Buffer *);
154
int mm_answer_bsdauthrespond(int, Buffer *);
Lines 225-234 Link Here
225
    {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
228
    {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
226
    {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
229
    {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
227
    {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
230
    {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
231
#ifdef PAM_ENHANCEMENT
232
    {MONITOR_REQ_AUTHMETHOD, MON_ISAUTH, mm_answer_authmethod},
233
#endif
228
    {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
234
    {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
229
    {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
235
    {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
230
#ifdef USE_PAM
236
#ifdef USE_PAM
237
#ifdef PAM_ENHANCEMENT
238
    {MONITOR_REQ_PAM_START, MON_ISAUTH, mm_answer_pam_start},
239
#else
231
    {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start},
240
    {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start},
241
#endif
232
    {MONITOR_REQ_PAM_ACCOUNT, 0, mm_answer_pam_account},
242
    {MONITOR_REQ_PAM_ACCOUNT, 0, mm_answer_pam_account},
233
    {MONITOR_REQ_PAM_INIT_CTX, MON_ISAUTH, mm_answer_pam_init_ctx},
243
    {MONITOR_REQ_PAM_INIT_CTX, MON_ISAUTH, mm_answer_pam_init_ctx},
234
    {MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query},
244
    {MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query},
Lines 385-396 Link Here
385
		auth_method = "unknown";
395
		auth_method = "unknown";
386
		auth_submethod = NULL;
396
		auth_submethod = NULL;
387
		authenticated = (monitor_read(pmonitor, mon_dispatch, &ent) == 1);
397
		authenticated = (monitor_read(pmonitor, mon_dispatch, &ent) == 1);
388
389
		/* Special handling for multiple required authentications */
398
		/* Special handling for multiple required authentications */
390
		if (options.num_auth_methods != 0) {
399
		if (options.num_auth_methods != 0) {
391
			if (!compat20)
400
			if (!compat20)
392
				fatal("AuthenticationMethods is not supported"
401
				fatal("AuthenticationMethods is not supported"
393
				    "with SSH protocol 1");
402
				    "with SSH protocol 1");
403
404
#if defined(USE_PAM) && defined(PAM_ENHANCEMENT)
405
			/* 
406
			 * If each userauth has its own PAM service, then PAM
407
			 * need to perform account check for this service.
408
			 */
409
			if (options.use_pam && authenticated &&
410
			    options.pam_service_per_authmethod) {
411
			        Buffer m;
412
413
			        buffer_init(&m);
414
			        mm_request_receive_expect(pmonitor->m_sendfd,
415
				    MONITOR_REQ_PAM_ACCOUNT, &m);
416
			        authenticated = 
417
				    mm_answer_pam_account(pmonitor->m_sendfd, &m);
418
			        buffer_free(&m);
419
		         }
420
#endif
394
			if (authenticated &&
421
			if (authenticated &&
395
			    !auth2_update_methods_lists(authctxt,
422
			    !auth2_update_methods_lists(authctxt,
396
			    auth_method, auth_submethod)) {
423
			    auth_method, auth_submethod)) {
Lines 399-404 Link Here
399
				authenticated = 0;
426
				authenticated = 0;
400
				partial = 1;
427
				partial = 1;
401
			}
428
			}
429
402
		}
430
		}
403
431
404
		if (authenticated) {
432
		if (authenticated) {
Lines 409-416 Link Here
409
			    !auth_root_allowed(auth_method))
437
			    !auth_root_allowed(auth_method))
410
				authenticated = 0;
438
				authenticated = 0;
411
#ifdef USE_PAM
439
#ifdef USE_PAM
440
#ifdef PAM_ENHANCEMENT
441
			/*
442
			 * PAM needs to perform account checks after auth.
443
			 * However, if each userauth has its own PAM service
444
			 * and options.num_auth_methods != 0, then no need to
445
			 * perform account checking, because it was done 
446
			 * already.
447
			 */
448
			if (options.use_pam && authenticated &&
449
			    !(options.num_auth_methods != 0 &&
450
                            options.pam_service_per_authmethod)) {
451
#else
412
			/* PAM needs to perform account checks after auth */
452
			/* PAM needs to perform account checks after auth */
413
			if (options.use_pam && authenticated) {
453
			if (options.use_pam && authenticated) {
454
#endif
414
				Buffer m;
455
				Buffer m;
415
456
416
				buffer_init(&m);
457
				buffer_init(&m);
Lines 828-833 Link Here
828
		/* Allow service/style information on the auth context */
869
		/* Allow service/style information on the auth context */
829
		monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
870
		monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
830
		monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
871
		monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
872
#ifdef PAM_ENHANCEMENT
873
                /* Allow authmethod information on the auth context */
874
		monitor_permit(mon_dispatch, MONITOR_REQ_AUTHMETHOD, 1);
875
#endif
831
	}
876
	}
832
#ifdef USE_PAM
877
#ifdef USE_PAM
833
	if (options.use_pam)
878
	if (options.use_pam)
Lines 868-874 Link Here
868
	return (0);
913
	return (0);
869
}
914
}
870
915
916
#ifdef PAM_ENHANCEMENT
871
int
917
int
918
mm_answer_authmethod(int sock, Buffer *m)
919
{
920
	monitor_permit_authentications(1);
921
922
        if (authctxt->authmethod_name != NULL)
923
		free(authctxt->authmethod_name);
924
925
	authctxt->authmethod_name = buffer_get_string(m, NULL);
926
	debug3("%s: authmethod_name=%s", __func__, authctxt->authmethod_name);
927
928
	if (strlen(authctxt->authmethod_name) == 0) {
929
		free(authctxt->authmethod_name);
930
		authctxt->authmethod_name = NULL;
931
	}
932
933
	return (0);
934
}
935
#endif
936
937
int
872
mm_answer_authpassword(int sock, Buffer *m)
938
mm_answer_authpassword(int sock, Buffer *m)
873
{
939
{
874
	static int call_count;
940
	static int call_count;
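Review bot: mm_answer_authmethod stores whatever string the unprivileged child sends as the monitor's authctxt->authmethod_name without validating it, and that value later chooses the PAM service passed to pam_start in the privileged process via derive_pam_service_name, so a compromised pre-auth child can make the monitor start PAM under a method name sshd never offered; the monitor should reject anything that is not one of the known userauth method names and `fatal()` on mismatch (the authmethods table lives in auth2.c and appears to be static there, so a small exported lookup helper would be needed). The dispatch table also relaxes MONITOR_REQ_PAM_START from MON_ONCE to MON_ISAUTH, so the monitor no longer bounds how often the child can tear down and restart PAM and relies on the child's own max_authtries gate; a comment on that table entry saying so would help the next reader. The mm_request_receive_expect of MONITOR_REQ_PAM_ACCOUNT inside the AuthenticationMethods branch mirrors the existing one further down, which is fine, but monitor_child_preauth extends well beyond the visible hunks.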
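--- a/monitor.h
+++ b/monitor.h
@@ -70,6 +70,9 @@
 	MONITOR_REQ_PAM_FREE_CTX = 110, MONITOR_ANS_PAM_FREE_CTX = 111,
 	MONITOR_REQ_AUDIT_EVENT = 112, MONITOR_REQ_AUDIT_COMMAND = 113,
 
+#ifdef PAM_ENHANCEMENT
+        MONITOR_REQ_AUTHMETHOD = 114,
+#endif        
 };
 
 struct mm_master;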
(-)orig/servconf.c (-1 / +50 lines)
Lines 1-4 Link Here
1
2
/* $OpenBSD: servconf.c,v 1.248 2013/12/06 13:39:49 markus Exp $ */
1
/* $OpenBSD: servconf.c,v 1.248 2013/12/06 13:39:49 markus Exp $ */
3
/*
2
/*
4
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
3
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
Lines 154-159 Link Here
154
	options->ip_qos_interactive = -1;
153
	options->ip_qos_interactive = -1;
155
	options->ip_qos_bulk = -1;
154
	options->ip_qos_bulk = -1;
156
	options->version_addendum = NULL;
155
	options->version_addendum = NULL;
156
#ifdef PAM_ENHANCEMENT
157
	options->pam_service_name = NULL;
158
	options->pam_service_per_authmethod = 0;
159
#endif
157
}
160
}
158
161
159
void
162
void
Lines 351-356 Link Here
351
	sKexAlgorithms, sIPQoS, sVersionAddendum,
354
	sKexAlgorithms, sIPQoS, sVersionAddendum,
352
	sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
355
	sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
353
	sAuthenticationMethods, sHostKeyAgent,
356
	sAuthenticationMethods, sHostKeyAgent,
357
#ifdef PAM_ENHANCEMENT
358
	sPAMServiceName,
359
#endif
354
	sDeprecated, sUnsupported
360
	sDeprecated, sUnsupported
355
} ServerOpCodes;
361
} ServerOpCodes;
356
362
Lines 482-487 Link Here
482
	{ "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
488
	{ "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
483
	{ "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
489
	{ "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
484
	{ "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },
490
	{ "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },
491
#ifdef PAM_ENHANCEMENT
492
        { "pamservicename", sPAMServiceName, SSHCFG_GLOBAL },
493
#endif
485
	{ NULL, sBadOption, 0 }
494
	{ NULL, sBadOption, 0 }
486
};
495
};
487
496
Lines 1632-1637 Link Here
1632
		}
1641
		}
1633
		return 0;
1642
		return 0;
1634
1643
1644
#ifdef PAM_ENHANCEMENT
1645
	case sPAMServiceName:
1646
		arg = strdelim(&cp);
1647
		if (!arg || *arg == '\0')
1648
			fatal("%s line %d: Missing argument.",
1649
			    filename, linenum);
1650
1651
		if (options->pam_service_name == NULL) {
1652
		        char *svc_ptr;
1653
			int len;
1654
                        
1655
                        svc_ptr = strstr(arg, "-%m");
1656
			if (svc_ptr == NULL) { /* no "-%m" */
1657
  			        options->pam_service_name = xstrdup(arg);
1658
                                options->pam_service_per_authmethod = 0;
1659
			} else {
1660
                                options->pam_service_per_authmethod = 1;
1661
1662
			        if ((strlen(svc_ptr) == strlen(arg)) || 
1663
			            (strcmp(svc_ptr, "-%m") != 0)) {
1664
			                /*
1665
                                         * have nothing before -%m or 
1666
					 * have something after -%m.
1667
				         */
1668
   			                fatal("%s line %d: "
1669
					    "invalid PAMServiceName %s",
1670
					    filename, linenum, arg);
1671
				} else {
1672
				        len = svc_ptr - arg + 1;
1673
                                        options->pam_service_name = 
1674
					    xmalloc(len);
1675
					strlcpy(options->pam_service_name, arg,
1676
					    len);
1677
1678
				}
1679
			}
1680
		}
1681
		break;
1682
#endif
1683
1635
	case sDeprecated:
1684
	case sDeprecated:
1636
		logit("%s line %d: Deprecated option %s",
1685
		logit("%s line %d: Deprecated option %s",
1637
		    filename, linenum, arg);
1686
		    filename, linenum, arg);
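Review bot: The `-%m` form is only rejected for protocol 1 at connection time, inside derive_pam_service_name, so a server with `Protocol 1` and `PAMServiceName foo-%m` starts cleanly and then dies on every connection; a configuration error should fail at load, e.g. in fill_default_server_options once options->protocol is final, `if (options->pam_service_per_authmethod && (options->protocol & SSH_PROTO_1)) fatal("PAMServiceName -%%m requires protocol 2");` (placed here in the case arm it would race the Protocol keyword, which may come later in the file). The accepted service name is never restricted in character set, and with PAM implementations that map the service name to a file under their pam.d directory a `/` or `..` in the value would select a policy outside that directory, so rejecting anything outside `[A-Za-z0-9_-]` at parse time is a cheap guard; I have not verified how every PAM library resolves the name. Minor: `len` is a pointer difference used as a strlcpy size, so `size_t` is the matching type.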
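--- a/servconf.h
+++ b/servconf.h
@@ -185,6 +185,12 @@
 
 	u_int	num_auth_methods;
 	char   *auth_methods[MAX_AUTH_METHODS];
+
+#ifdef PAM_ENHANCEMENT
+        char   *pam_service_name;       /* for PAMServiceName option */
+        int     pam_service_per_authmethod;  
+#endif
+        
 }       ServerOptions;
 
 /* Information about the incoming connection as used by Match */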
(-)orig/sshd_config.5 (-2 / +50 lines)
Lines 868-873 Link Here
868
are refused if the number of unauthenticated connections reaches
868
are refused if the number of unauthenticated connections reaches
869
.Dq full
869
.Dq full
870
(60).
870
(60).
871
.It Cm PAMServiceName
872
Specifies the PAM service name for the PAM session. The valid arguments are "service_name" or "service_name-%m".
873
.Pp
874
1) PAMServiceName service_name
875
.Pp
876
Specifies the PAM service for all user authentications, where 
877
"service_name" is the PAM service name.  For example, if 
878
"PAMServiceName mysshd" is specified, then "mysshd" is the 
879
PAM service name for all user authentications.
880
.Pp
881
2) PAMServiceName service_name-%m
882
.Pp
883
This option only applies to SSH protocol 2. 
884
.Pp
885
With "-%m", each user authentication type has its own PAM service
886
name.
887
.Pp
888
For example, if "PAMServiceName sshd-%m" is specified, then the
889
PAM service name is expanded to sshd-pubkey for public key
890
authentication, to sshd-kbdint for keyboard-interactive
891
authentication, and so on.
892
.Bd -literal -offset 5n
893
  SSHv2 Userauth         Expanded PAMServiceName
894
  --------------         -----------------------
895
  none                   sshd-none               
896
  password               sshd-password       
897
  keyboard-interactive   sshd-kbdint         
898
  pubkey                 sshd-pubkey         
899
  hostbased              sshd-hostbased      
900
  gssapi-with-mic        sshd-gssapi
901
.Ed
902
.Pp
903
If "PAMServiceName mysshd-%m" is specified, then the PAM service
904
name is expanded to mysshd-pubkey for public key authentication,
905
to mysshd-kbdint for keyboard-interactive authentication, and so
906
on.
907
.Bd -literal -offset 5n
908
  SSHv2 Userauth         Expanded PAMServiceName
909
  --------------         -----------------------
910
  none                   mysshd-none               
911
  password               mysshd-password       
912
  keyboard-interactive   mysshd-kbdint         
913
  pubkey                 mysshd-pubkey         
914
  hostbased              mysshd-hostbased      
915
  gssapi-with-mic        mysshd-gssapi
916
.Ed
917
.Pp
918
3) If "PAMServiceName service_name" or "PAMServiceName service_name-%m" is not
919
specified, then "sshd" is the PAM service name for all user authentications.
871
.It Cm PasswordAuthentication
920
.It Cm PasswordAuthentication
872
Specifies whether password authentication is allowed.
921
Specifies whether password authentication is allowed.
873
The default is
922
The default is
Lines 1203-1210 Link Here
1203
is enabled, you will not be able to run
1252
is enabled, you will not be able to run
1204
.Xr sshd 8
1253
.Xr sshd 8
1205
as a non-root user.
1254
as a non-root user.
1206
The default is
1255
On Solaris, the option is always enabled.
1207
.Dq no .
1208
.It Cm UsePrivilegeSeparation
1256
.It Cm UsePrivilegeSeparation
1209
Specifies whether
1257
Specifies whether
1210
.Xr sshd 8
1258
.Xr sshd 8
