Bugzilla – Attachment 2582 Details for
Bug 2378
Allow login to a role using Hostbased auth on platforms supporting PAM_AUSER
[patch]
patch implementing login to a role
pam_auser.patch.txt (text/plain), 4.90 KB, created by
Tomas Kuthan
on 2015-04-13 23:15:25 AEST
Description:
patch implementing login to a role
Filename:
MIME Type:
Creator:
Tomas Kuthan
Created:
2015-04-13 23:15:25 AEST
Size:
4.90 KB
>diff -pur old/auth-pam.c new/auth-pam.c
>--- old/auth-pam.c 2015-03-17 06:49:20.000000000 +0100
>+++ new/auth-pam.c 2015-04-13 14:16:05.882903324 +0200
>@@ -919,6 +919,20 @@ do_pam_account(void)
> return (sshpam_account_status);
> }
>
>+#ifdef HAVE_PAM_AUSER
>+void
>+do_pam_set_auser(const char* auser)
>+{
>+ if (auser != NULL) {
>+ debug("PAM: setting PAM_AUSER to \"%s\"", auser);
>+ sshpam_err = pam_set_item(sshpam_handle, PAM_AUSER, auser);
>+ if (sshpam_err != PAM_SUCCESS)
>+ error("PAM: failed to set PAM_AUSER: %s",
>+ pam_strerror(sshpam_handle, sshpam_err));
>+ }
>+}
>+#endif
>+
> void
> do_pam_set_tty(const char *tty)
> {
>diff -pur old/auth-pam.h new/auth-pam.h
>--- old/auth-pam.h 2015-03-17 06:49:20.000000000 +0100
>+++ new/auth-pam.h 2015-04-13 14:16:05.920983364 +0200
>@@ -35,6 +35,9 @@ void start_pam(Authctxt *);
> void finish_pam(void);
> u_int do_pam_account(void);
> void do_pam_session(void);
>+#ifdef HAVE_PAM_AUSER
>+void do_pam_set_auser(const char *);
>+#endif
> void do_pam_set_tty(const char *);
> void do_pam_setcred(int );
> void do_pam_chauthtok(void);
>diff -pur old/auth.h new/auth.h
>--- old/auth.h 2015-03-17 06:49:20.000000000 +0100
>+++ new/auth.h 2015-04-13 14:17:27.059663903 +0200
>@@ -81,6 +81,9 @@ struct Authctxt {
>
> struct sshkey **prev_userkeys;
> u_int nprev_userkeys;
>+#ifdef HAVE_PAM_AUSER
>+ char *auser;
>+#endif
> };
> /*
> * Every authentication method has to handle authentication requests for
>diff -pur old/auth2-hostbased.c new/auth2-hostbased.c
>--- old/auth2-hostbased.c 2015-03-17 06:49:20.000000000 +0100
>+++ new/auth2-hostbased.c 2015-04-13 14:16:05.922226099 +0200
>@@ -85,6 +85,9 @@ userauth_hostbased(Authctxt *authctxt)
> buffer_dump(&b);
> buffer_free(&b);
> #endif
>+#ifdef HAVE_PAM_AUSER
>+ authctxt->auser = NULL;
>+#endif
> pktype = key_type_from_name(pkalg);
> if (pktype == KEY_UNSPEC) {
> /* this is perfectly legal */
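Review bot: In `do_pam_set_auser` a failed `pam_set_item` is only reported with `error()`, and because the function returns void its callers go on to `do_pam_account()` without knowing that PAM_AUSER was not set. PAM_AUSER feeds the role authorization decision, so failing the login is the safer outcome; how the account stack treats a missing item is not visible here. I would replace the `error(` call with `fatal("PAM: failed to set PAM_AUSER: %s", pam_strerror(sshpam_handle, sshpam_err));`. A NULL argument also leaves whatever value the handle already holds, which deserves a one-line comment above the function. `const char* auser` should be `const char *auser` to match the prototype added in auth-pam.h.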
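Review bot: `authctxt->auser = NULL;` near the top of userauth_hostbased drops the previous pointer without freeing it. The second hunk in this file stores `cuser` there on success, and the auth2.c hunk passes it to `free()` only when `use_privsep` is off, so with privilege separation a repeated hostbased request appears to leak the earlier string. `free(authctxt->auser); authctxt->auser = NULL;` would cover both cases. The function starts and ends outside the hunk.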
>@@ -143,6 +146,13 @@ userauth_hostbased(Authctxt *authctxt)
> buffer_len(&b))) == 1)
> authenticated = 1;
>
>+#ifdef HAVE_PAM_AUSER
>+ if (authenticated) {
>+ authctxt->auser = cuser;
>+ cuser = NULL;
>+ }
>+#endif
>+
> buffer_free(&b);
> done:
> debug2("userauth_hostbased: authenticated %d", authenticated);
>diff -pur old/auth2.c new/auth2.c
>--- old/auth2.c 2015-03-17 06:49:20.000000000 +0100
>+++ new/auth2.c 2015-04-13 14:16:05.922781466 +0200
>@@ -325,6 +325,13 @@ userauth_finish(Authctxt *authctxt, int
>
> #ifdef USE_PAM
> if (options.use_pam && authenticated) {
>+#ifdef HAVE_PAM_AUSER
>+ if (!use_privsep) {
>+ do_pam_set_auser(authctxt->auser);
>+ free(authctxt->auser);
>+ authctxt->auser = NULL;
>+ }
>+#endif
> if (!PRIVSEP(do_pam_account())) {
> /* if PAM returned a message, send it to the user */
> if (buffer_len(&loginmsg) > 0) {
>diff -pur old/config.h.in new/config.h.in
>--- old/config.h.in 2015-03-18 05:27:22.000000000 +0100
>+++ new/config.h.in 2015-04-13 14:16:05.923563226 +0200
>@@ -827,6 +827,9 @@
> /* Define if you have Digital Unix Security Integration Architecture */
> #undef HAVE_OSF_SIA
>
>+/* Define if you have PAM_AUSER PAM item */
>+#undef HAVE_PAM_AUSER
>+
> /* Define to 1 if you have the `pam_getenvlist' function. */
> #undef HAVE_PAM_GETENVLIST
>
>diff -pur old/configure new/configure
>--- old/configure 2015-03-18 05:27:17.000000000 +0100
>+++ new/configure 2015-04-13 14:22:48.235187627 +0200
>@@ -10870,6 +10870,7 @@ fi
> fi
>
> TEST_SHELL=$SHELL # let configure find us a capable shell
>+ $as_echo "#define HAVE_PAM_AUSER 1" >>confdefs.h
> ;;
> *-*-sunos4*)
> CPPFLAGS="$CPPFLAGS -DSUNOS4"
>diff -pur old/configure.ac new/configure.ac
>--- old/configure.ac 2015-03-17 06:49:20.000000000 +0100
>+++ new/configure.ac 2015-04-13 14:22:23.623725033 +0200
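Review bot: The `if (!use_privsep)` guard added to userauth_finish has no comment explaining why PAM_AUSER is set only without privilege separation. From the monitor.c part of this patch it appears the monitor sets the item itself in mm_answer_pam_account, so I would add `/* with privsep the monitor sets PAM_AUSER in mm_answer_pam_account() */` above the guard. `authctxt->auser` is cleared only at the start of userauth_hostbased, so on this path a value left by an earlier hostbased attempt is applied to whichever method finishes; if that is intended for multi-method authentication, the comment should say so. userauth_finish continues outside the hunk.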
>@@ -902,6 +902,7 @@ mips-sony-bsd|mips-sony-newsos4)
> ],
> )
> TEST_SHELL=$SHELL # let configure find us a capable shell
>+ AC_DEFINE([HAVE_PAM_AUSER])
> ;;
> *-*-sunos4*)
> CPPFLAGS="$CPPFLAGS -DSUNOS4"
>diff -pur old/monitor.c new/monitor.c
>--- old/monitor.c 2015-03-17 06:49:20.000000000 +0100
>+++ new/monitor.c 2015-04-13 14:16:05.942609757 +0200
>@@ -409,6 +409,12 @@ monitor_child_preauth(Authctxt *_authctx
> }
> }
>
>+#if defined(HAVE_PAM_AUSER) && defined(USE_PAM)
>+ if (hostbased_cuser != NULL) {
>+ free(hostbased_cuser);
>+ hostbased_cuser = NULL;
>+ }
>+#endif
> if (!authctxt->valid)
> fatal("%s: authenticated invalid user", __func__);
> if (strcmp(auth_method, "unknown") == 0)
>@@ -638,12 +644,14 @@ monitor_reset_key_state(void)
> {
> /* reset state */
> free(key_blob);
>+#if !defined(HAVE_PAM_AUSER) || !defined(USE_PAM)
> free(hostbased_cuser);
>+ hostbased_cuser = NULL;
>+#endif
> free(hostbased_chost);
> key_blob = NULL;
> key_bloblen = 0;
> key_blobtype = MM_NOKEY;
>- hostbased_cuser = NULL;
> hostbased_chost = NULL;
> }
>
>@@ -1068,6 +1076,11 @@ mm_answer_pam_account(int sock, Buffer *
> if (!options.use_pam)
> fatal("UsePAM not set, but ended up in %s anyway", __func__);
>
>+#ifdef HAVE_PAM_AUSER
>+ if (hostbased_cuser != NULL)
>+ do_pam_set_auser(hostbased_cuser);
>+#endif
>+
> ret = do_pam_account();
>
> buffer_put_int(m, ret);
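Review bot: `AC_DEFINE([HAVE_PAM_AUSER])` is set unconditionally for every host matched by this case branch (the pattern is outside the hunk) instead of being probed, so a system in that branch whose PAM headers lack PAM_AUSER would fail to compile auth-pam.c. A declaration check such as `AC_CHECK_DECL([PAM_AUSER], [AC_DEFINE([HAVE_PAM_AUSER], [1], [Define if you have PAM_AUSER PAM item])], [], [#include <security/pam_appl.h>])` would enable it only where the item exists. The three-argument form also lets autoheader generate the config.h.in entry that this patch edits by hand.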
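Review bot: With HAVE_PAM_AUSER and USE_PAM defined, monitor_reset_key_state no longer frees or clears `hostbased_cuser`, so the client-supplied user name outlives the key check it belonged to. The callers of monitor_reset_key_state are outside this patch, but if it runs after a failed verification, the mm_answer_pam_account hunk will still find `hostbased_cuser != NULL` and set PAM_AUSER from it for a login that completed through a different method; the monitor_child_preauth hunk frees it only once authentication is over. Each new assignment to `hostbased_cuser` would also leak the previous string. I would keep the reset unconditional and store a separate copy only when hostbased verification succeeds, or at least gate the call with `if (hostbased_cuser != NULL && strcmp(auth_method, "hostbased") == 0)`. The `if (hostbased_cuser != NULL)` guard around `free()` in monitor_child_preauth is redundant.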