Attachment #2583 for bug #2380

View | Details | Raw Unified | Return to bug 2380
Collapse All | Expand All

Lines 929-942 do_pam_set_tty(const char *tty) Link Here

(-)a/auth-pam.c (-1 / +15 lines)
929	fatal("PAM: failed to set PAM_TTY: %s",	929	fatal("PAM: failed to set PAM_TTY: %s",
930	pam_strerror(sshpam_handle, sshpam_err));	930	pam_strerror(sshpam_handle, sshpam_err));
931	}	931	}
932	}	932	}
933		933
934	void	934	void
935	do_pam_setcred(int init)	935	do_pam_setcred(int init, struct passwd *pw)
936	{	936	{
		937	gid_t gid_pre_setcred, gid_post_setcred;
		938
		939	gid_pre_setcred = getgid();
937	sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,	940	sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
938	(const void *)&store_conv);	941	(const void *)&store_conv);
939	if (sshpam_err != PAM_SUCCESS)	942	if (sshpam_err != PAM_SUCCESS)
940	fatal("PAM: failed to set PAM_CONV: %s",	943	fatal("PAM: failed to set PAM_CONV: %s",
941	pam_strerror(sshpam_handle, sshpam_err));	944	pam_strerror(sshpam_handle, sshpam_err));
942	if (init) {	945	if (init) {
Lines 945-956 do_pam_setcred(int init) Link Here
945	} else {	948	} else {
946	debug("PAM: reinitializing credentials");	949	debug("PAM: reinitializing credentials");
947	sshpam_err = pam_setcred(sshpam_handle, PAM_REINITIALIZE_CRED);	950	sshpam_err = pam_setcred(sshpam_handle, PAM_REINITIALIZE_CRED);
948	}	951	}
949	if (sshpam_err == PAM_SUCCESS) {	952	if (sshpam_err == PAM_SUCCESS) {
950	sshpam_cred_established = 1;	953	sshpam_cred_established = 1;
		954	gid_post_setcred = getgid();
		955
		956	/* If PermitGidOverride=yes, persist the new gid if a PAM module
		957	* overrides it */
		958	if (options.permit_gid_override &&
		959	gid_pre_setcred != gid_post_setcred) {
		960	verbose("Overriding gid to %u from %u",
		961	(u_int)gid_post_setcred,
		962	(u_int)gid_pre_setcred);
		963	pw->pw_gid = gid_post_setcred;
		964	}
951	return;	965	return;
952	}	966	}
953	if (sshpam_authenticated)	967	if (sshpam_authenticated)
954	fatal("PAM: pam_setcred(): %s",	968	fatal("PAM: pam_setcred(): %s",
955	pam_strerror(sshpam_handle, sshpam_err));	969	pam_strerror(sshpam_handle, sshpam_err));
956	else	970	else





void start_pam(Authctxt *);
void finish_pam(void);
u_int do_pam_account(void);
void do_pam_session(void);
void do_pam_set_tty(const char *);
void do_pam_setcred(int, struct passwd *);
void do_pam_chauthtok(void);
int do_pam_putenv(char *, char *);
char ** fetch_pam_environment(void);
char ** fetch_pam_child_environment(void);
void free_pam_environment(char **);
void sshpam_thread_cleanup(void);




	/*
	 * If we have both LOGIN_CAP and PAM, we want to establish creds
	 * before calling setusercontext (in session.c:do_setusercontext).
	 */
	if (getuid() == 0 || geteuid() == 0) {
		if (options.use_pam) {
			do_pam_setcred(use_privsep, pw);
		}
	}
# endif /* USE_PAM */

#if !defined(HAVE_LOGIN_CAP) && defined(HAVE_GETLUID) && defined(HAVE_SETLUID)
	if (getuid() == 0 || geteuid() == 0) {

	/*
	 * PAM credentials may take the form of supplementary groups.
	 * These will have been wiped by the above initgroups() call.
	 * Reestablish them here.
	 */
	if (options.use_pam) {
		do_pam_setcred(use_privsep, pw);
	}
#endif /* USE_PAM */

#if !defined(HAVE_LOGIN_CAP) && (defined(WITH_IRIX_PROJECT) || \
    defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY))
	irix_setusercontext(pw);




initialize_server_options(ServerOptions *options)
{
	memset(options, 0, sizeof(*options));

	/* Portable-specific options */
	options->use_pam = -1;
	options->permit_gid_override = -1;

	/* Standard Options */
	options->num_ports = 0;
	options->ports_from_cmdline = 0;
	options->listen_addrs = NULL;
	options->address_family = -1;

{
	int i;

	/* Portable-specific options */
	if (options->use_pam == -1)
		options->use_pam = 0;
	if (options->permit_gid_override == -1)
		options->permit_gid_override = 0;

	/* Standard Options */
	if (options->protocol == SSH_PROTO_UNKNOWN)
		options->protocol = SSH_PROTO_2;
	if (options->num_host_key_files == 0) {
		/* fill default hostkeys for protocols */

}

/* Keyword tokens. */
typedef enum {
	sBadOption,		/* == unknown option */
	/* Portable-specific options */
	sUsePAM, sPermitGidOverride,
	/* Standard Options */
	sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime,
	sKeyRegenerationTime, sPermitRootLogin, sLogFacility, sLogLevel,
	sRhostsRSAAuthentication, sRSAAuthentication,
	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
	sKerberosGetAFSToken,

	ServerOpCodes opcode;
	u_int flags;
} keywords[] = {
	/* Portable-specific options */
#ifdef USE_PAM
	{ "usepam", sUsePAM, SSHCFG_GLOBAL },
	{ "permitgidoverride", sPermitGidOverride, SSHCFG_GLOBAL },
#else
	{ "usepam", sUnsupported, SSHCFG_GLOBAL },
#endif
	{ "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
	/* Standard Options */
	{ "port", sPort, SSHCFG_GLOBAL },

		goto parse_flag;

	case sPermitUserEnvironment:
		intptr = &options->permit_user_env;
		goto parse_flag;

	case sPermitGidOverride:
		intptr = &options->permit_gid_override;
		goto parse_flag;

	case sUseLogin:
		intptr = &options->use_login;
		goto parse_flag;

	case sCompression:
		intptr = &options->compression;

		}
	}

	/* integer arguments */
#ifdef USE_PAM
	dump_cfg_int(sUsePAM, o->use_pam);
	dump_cfg_fmtint(sPermitGidOverride, o->permit_gid_override);
#endif
	dump_cfg_int(sServerKeyBits, o->server_key_bits);
	dump_cfg_int(sLoginGraceTime, o->login_grace_time);
	dump_cfg_int(sKeyRegenerationTime, o->key_regeneration_time);
	dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
	dump_cfg_int(sMaxAuthTries, o->max_authtries);




						 * authentication. */
	int     kbd_interactive_authentication;	/* If true, permit */
	int     challenge_response_authentication;
	int     permit_empty_passwd;	/* If false, do not permit empty
					 * passwords. */
	int     permit_user_env;	/* If true, read ~/.ssh/environment */
	int     permit_gid_override;	/* Allow gid to be overriden by PAM */
	int     use_login;	/* If true, login(1) is used */
	int     compression;	/* If true, compression is allowed */
	int	allow_tcp_forwarding; /* One of FORWARD_* */
	int	allow_streamlocal_forwarding; /* One of FORWARD_* */
	int	allow_agent_forwarding;
	u_int num_allow_users;




		ssh_gssapi_storecreds();
		restore_uid();
	}
#endif
#ifdef USE_PAM
	if (options.use_pam) {
		do_pam_setcred(1, authctxt->pw);
		do_pam_session();
	}
#endif

	/*
	 * In privilege separation, we fork another child and prepare

Lines 93-104 AuthorizedKeysFile .ssh/authorized_keys Link Here

(-)a/sshd_config (+3 lines)
93	# the setting of "PermitRootLogin without-password".	93	# the setting of "PermitRootLogin without-password".
94	# If you just want the PAM account and session checks to run without	94	# If you just want the PAM account and session checks to run without
95	# PAM authentication, then enable this but set PasswordAuthentication	95	# PAM authentication, then enable this but set PasswordAuthentication
96	# and ChallengeResponseAuthentication to 'no'.	96	# and ChallengeResponseAuthentication to 'no'.
97	#UsePAM no	97	#UsePAM no
98		98
		99	# Allow PAM to override the process's gid
		100	#PermitGidOverride no
		101
99	#AllowAgentForwarding yes	102	#AllowAgentForwarding yes
100	#AllowTcpForwarding yes	103	#AllowTcpForwarding yes
101	#GatewayPorts no	104	#GatewayPorts no
102	#X11Forwarding no	105	#X11Forwarding no
103	#X11DisplayOffset 10	106	#X11DisplayOffset 10
104	#X11UseLocalhost yes	107	#X11UseLocalhost yes




.Cm KbdInteractiveAuthentication ,
.Cm KerberosAuthentication ,
.Cm MaxAuthTries ,
.Cm MaxSessions ,
.Cm PasswordAuthentication ,
.Cm PermitEmptyPasswords ,
.Cm PermitGidOverride ,
.Cm PermitOpen ,
.Cm PermitRootLogin ,
.Cm PermitTTY ,
.Cm PermitTunnel ,
.Cm PermitUserRC ,
.Cm PubkeyAcceptedKeyTypes ,

.Dq yes .
.It Cm PermitEmptyPasswords
When password authentication is allowed, it specifies whether the
server allows login to accounts with empty password strings.
The default is
.Dq no .
.It Cm PermitGidOverride
Allow PAM modules to override the gid of a process. The default is
.Dq no .
.It Cm PermitOpen
Specifies the destinations to which TCP port forwarding is permitted.
The forwarding specification must be one of the following forms:
.Pp
.Bl -item -offset indent -compact
.It

Return to bug 2380

Lines 121-133 platform_setusercontext(struct passwd *pw) Link Here

(-)a/platform.c (-2 / +2 lines)
121	/*	121	/*
122	* If we have both LOGIN_CAP and PAM, we want to establish creds	122	* If we have both LOGIN_CAP and PAM, we want to establish creds
123	* before calling setusercontext (in session.c:do_setusercontext).	123	* before calling setusercontext (in session.c:do_setusercontext).
124	*/	124	*/
125	if (getuid() == 0 \|\| geteuid() == 0) {	125	if (getuid() == 0 \|\| geteuid() == 0) {
126	if (options.use_pam) {	126	if (options.use_pam) {
127	do_pam_setcred(use_privsep);	127	do_pam_setcred(use_privsep, pw);
128	}	128	}
129	}	129	}
130	# endif /* USE_PAM */	130	# endif /* USE_PAM */
131		131
132	#if !defined(HAVE_LOGIN_CAP) && defined(HAVE_GETLUID) && defined(HAVE_SETLUID)	132	#if !defined(HAVE_LOGIN_CAP) && defined(HAVE_GETLUID) && defined(HAVE_SETLUID)
133	if (getuid() == 0 \|\| geteuid() == 0) {	133	if (getuid() == 0 \|\| geteuid() == 0) {
Lines 149-161 platform_setusercontext_post_groups(struct passwd *pw) Link Here
149	/*	149	/*
150	* PAM credentials may take the form of supplementary groups.	150	* PAM credentials may take the form of supplementary groups.
151	* These will have been wiped by the above initgroups() call.	151	* These will have been wiped by the above initgroups() call.
152	* Reestablish them here.	152	* Reestablish them here.
153	*/	153	*/
154	if (options.use_pam) {	154	if (options.use_pam) {
155	do_pam_setcred(use_privsep);	155	do_pam_setcred(use_privsep, pw);
156	}	156	}
157	#endif /* USE_PAM */	157	#endif /* USE_PAM */
158		158
159	#if !defined(HAVE_LOGIN_CAP) && (defined(WITH_IRIX_PROJECT) \|\| \	159	#if !defined(HAVE_LOGIN_CAP) && (defined(WITH_IRIX_PROJECT) \|\| \
160	defined(WITH_IRIX_JOBS) \|\| defined(WITH_IRIX_ARRAY))	160	defined(WITH_IRIX_JOBS) \|\| defined(WITH_IRIX_ARRAY))
161	irix_setusercontext(pw);	161	irix_setusercontext(pw);

Lines 71-82 void Link Here

(-)a/servconf.c (-1 / +10 lines)
71	initialize_server_options(ServerOptions *options)	71	initialize_server_options(ServerOptions *options)
72	{	72	{
73	memset(options, 0, sizeof(*options));	73	memset(options, 0, sizeof(*options));
74		74
75	/* Portable-specific options */	75	/* Portable-specific options */
76	options->use_pam = -1;	76	options->use_pam = -1;
		77	options->permit_gid_override = -1;
77		78
78	/* Standard Options */	79	/* Standard Options */
79	options->num_ports = 0;	80	options->num_ports = 0;
80	options->ports_from_cmdline = 0;	81	options->ports_from_cmdline = 0;
81	options->listen_addrs = NULL;	82	options->listen_addrs = NULL;
82	options->address_family = -1;	83	options->address_family = -1;
Lines 177-188 fill_default_server_options(ServerOptions *options) Link Here
177	{	178	{
178	int i;	179	int i;
179		180
180	/* Portable-specific options */	181	/* Portable-specific options */
181	if (options->use_pam == -1)	182	if (options->use_pam == -1)
182	options->use_pam = 0;	183	options->use_pam = 0;
		184	if (options->permit_gid_override == -1)
		185	options->permit_gid_override = 0;
183		186
184	/* Standard Options */	187	/* Standard Options */
185	if (options->protocol == SSH_PROTO_UNKNOWN)	188	if (options->protocol == SSH_PROTO_UNKNOWN)
186	options->protocol = SSH_PROTO_2;	189	options->protocol = SSH_PROTO_2;
187	if (options->num_host_key_files == 0) {	190	if (options->num_host_key_files == 0) {
188	/* fill default hostkeys for protocols */	191	/* fill default hostkeys for protocols */
Lines 367-379 fill_default_server_options(ServerOptions *options) Link Here
367	}	370	}
368		371
369	/* Keyword tokens. */	372	/* Keyword tokens. */
370	typedef enum {	373	typedef enum {
371	sBadOption, /* == unknown option */	374	sBadOption, /* == unknown option */
372	/* Portable-specific options */	375	/* Portable-specific options */
373	sUsePAM,	376	sUsePAM, sPermitGidOverride,
374	/* Standard Options */	377	/* Standard Options */
375	sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime,	378	sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime,
376	sKeyRegenerationTime, sPermitRootLogin, sLogFacility, sLogLevel,	379	sKeyRegenerationTime, sPermitRootLogin, sLogFacility, sLogLevel,
377	sRhostsRSAAuthentication, sRSAAuthentication,	380	sRhostsRSAAuthentication, sRSAAuthentication,
378	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,	381	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
379	sKerberosGetAFSToken,	382	sKerberosGetAFSToken,
Lines 414-425 static struct { Link Here
414	ServerOpCodes opcode;	417	ServerOpCodes opcode;
415	u_int flags;	418	u_int flags;
416	} keywords[] = {	419	} keywords[] = {
417	/* Portable-specific options */	420	/* Portable-specific options */
418	#ifdef USE_PAM	421	#ifdef USE_PAM
419	{ "usepam", sUsePAM, SSHCFG_GLOBAL },	422	{ "usepam", sUsePAM, SSHCFG_GLOBAL },
		423	{ "permitgidoverride", sPermitGidOverride, SSHCFG_GLOBAL },
420	#else	424	#else
421	{ "usepam", sUnsupported, SSHCFG_GLOBAL },	425	{ "usepam", sUnsupported, SSHCFG_GLOBAL },
422	#endif	426	#endif
423	{ "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },	427	{ "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
424	/* Standard Options */	428	/* Standard Options */
425	{ "port", sPort, SSHCFG_GLOBAL },	429	{ "port", sPort, SSHCFG_GLOBAL },
Lines 1227-1238 process_server_config_line(ServerOptions options, char line, Link Here
1227	goto parse_flag;	1231	goto parse_flag;
1228		1232
1229	case sPermitUserEnvironment:	1233	case sPermitUserEnvironment:
1230	intptr = &options->permit_user_env;	1234	intptr = &options->permit_user_env;
1231	goto parse_flag;	1235	goto parse_flag;
1232		1236
		1237	case sPermitGidOverride:
		1238	intptr = &options->permit_gid_override;
		1239	goto parse_flag;
		1240
1233	case sUseLogin:	1241	case sUseLogin:
1234	intptr = &options->use_login;	1242	intptr = &options->use_login;
1235	goto parse_flag;	1243	goto parse_flag;
1236		1244
1237	case sCompression:	1245	case sCompression:
1238	intptr = &options->compression;	1246	intptr = &options->compression;
Lines 2092-2103 dump_config(ServerOptions *o) Link Here
2092	}	2100	}
2093	}	2101	}
2094		2102
2095	/* integer arguments */	2103	/* integer arguments */
2096	#ifdef USE_PAM	2104	#ifdef USE_PAM
2097	dump_cfg_int(sUsePAM, o->use_pam);	2105	dump_cfg_int(sUsePAM, o->use_pam);
		2106	dump_cfg_fmtint(sPermitGidOverride, o->permit_gid_override);
2098	#endif	2107	#endif
2099	dump_cfg_int(sServerKeyBits, o->server_key_bits);	2108	dump_cfg_int(sServerKeyBits, o->server_key_bits);
2100	dump_cfg_int(sLoginGraceTime, o->login_grace_time);	2109	dump_cfg_int(sLoginGraceTime, o->login_grace_time);
2101	dump_cfg_int(sKeyRegenerationTime, o->key_regeneration_time);	2110	dump_cfg_int(sKeyRegenerationTime, o->key_regeneration_time);
2102	dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);	2111	dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
2103	dump_cfg_int(sMaxAuthTries, o->max_authtries);	2112	dump_cfg_int(sMaxAuthTries, o->max_authtries);

Lines 120-131 typedef struct { Link Here

(-)a/servconf.h (+1 lines)
120	* authentication. */	120	* authentication. */
121	int kbd_interactive_authentication; /* If true, permit */	121	int kbd_interactive_authentication; /* If true, permit */
122	int challenge_response_authentication;	122	int challenge_response_authentication;
123	int permit_empty_passwd; /* If false, do not permit empty	123	int permit_empty_passwd; /* If false, do not permit empty
124	* passwords. */	124	* passwords. */
125	int permit_user_env; /* If true, read ~/.ssh/environment */	125	int permit_user_env; /* If true, read ~/.ssh/environment */
		126	int permit_gid_override; /* Allow gid to be overriden by PAM */
126	int use_login; /* If true, login(1) is used */	127	int use_login; /* If true, login(1) is used */
127	int compression; /* If true, compression is allowed */	128	int compression; /* If true, compression is allowed */
128	int allow_tcp_forwarding; /* One of FORWARD_* */	129	int allow_tcp_forwarding; /* One of FORWARD_* */
129	int allow_streamlocal_forwarding; /* One of FORWARD_* */	130	int allow_streamlocal_forwarding; /* One of FORWARD_* */
130	int allow_agent_forwarding;	131	int allow_agent_forwarding;
131	u_int num_allow_users;	132	u_int num_allow_users;

Lines 2217-2229 main(int ac, char **av) Link Here

(-)a/sshd.c (-1 / +1 lines)
2217	ssh_gssapi_storecreds();	2217	ssh_gssapi_storecreds();
2218	restore_uid();	2218	restore_uid();
2219	}	2219	}
2220	#endif	2220	#endif
2221	#ifdef USE_PAM	2221	#ifdef USE_PAM
2222	if (options.use_pam) {	2222	if (options.use_pam) {
2223	do_pam_setcred(1);	2223	do_pam_setcred(1, authctxt->pw);
2224	do_pam_session();	2224	do_pam_session();
2225	}	2225	}
2226	#endif	2226	#endif
2227		2227
2228	/*	2228	/*
2229	* In privilege separation, we fork another child and prepare	2229	* In privilege separation, we fork another child and prepare

Lines 990-1001 Available keywords are Link Here

(-)a/sshd_config.5 (+4 lines)
990	.Cm KbdInteractiveAuthentication ,	990	.Cm KbdInteractiveAuthentication ,
991	.Cm KerberosAuthentication ,	991	.Cm KerberosAuthentication ,
992	.Cm MaxAuthTries ,	992	.Cm MaxAuthTries ,
993	.Cm MaxSessions ,	993	.Cm MaxSessions ,
994	.Cm PasswordAuthentication ,	994	.Cm PasswordAuthentication ,
995	.Cm PermitEmptyPasswords ,	995	.Cm PermitEmptyPasswords ,
		996	.Cm PermitGidOverride ,
996	.Cm PermitOpen ,	997	.Cm PermitOpen ,
997	.Cm PermitRootLogin ,	998	.Cm PermitRootLogin ,
998	.Cm PermitTTY ,	999	.Cm PermitTTY ,
999	.Cm PermitTunnel ,	1000	.Cm PermitTunnel ,
1000	.Cm PermitUserRC ,	1001	.Cm PermitUserRC ,
1001	.Cm PubkeyAcceptedKeyTypes ,	1002	.Cm PubkeyAcceptedKeyTypes ,
Lines 1050-1061 The default is Link Here
1050	.Dq yes .	1051	.Dq yes .
1051	.It Cm PermitEmptyPasswords	1052	.It Cm PermitEmptyPasswords
1052	When password authentication is allowed, it specifies whether the	1053	When password authentication is allowed, it specifies whether the
1053	server allows login to accounts with empty password strings.	1054	server allows login to accounts with empty password strings.
1054	The default is	1055	The default is
1055	.Dq no .	1056	.Dq no .
		1057	.It Cm PermitGidOverride
		1058	Allow PAM modules to override the gid of a process. The default is
		1059	.Dq no .
1056	.It Cm PermitOpen	1060	.It Cm PermitOpen
1057	Specifies the destinations to which TCP port forwarding is permitted.	1061	Specifies the destinations to which TCP port forwarding is permitted.
1058	The forwarding specification must be one of the following forms:	1062	The forwarding specification must be one of the following forms:
1059	.Pp	1063	.Pp
1060	.Bl -item -offset indent -compact	1064	.Bl -item -offset indent -compact
1061	.It	1065	.It

Lines 33-45 Link Here

(-)a/auth-pam.h (-1 / +1 lines)
33		33
34	void start_pam(Authctxt *);	34	void start_pam(Authctxt *);
35	void finish_pam(void);	35	void finish_pam(void);
36	u_int do_pam_account(void);	36	u_int do_pam_account(void);
37	void do_pam_session(void);	37	void do_pam_session(void);
38	void do_pam_set_tty(const char *);	38	void do_pam_set_tty(const char *);
39	void do_pam_setcred(int );	39	void do_pam_setcred(int, struct passwd *);
40	void do_pam_chauthtok(void);	40	void do_pam_chauthtok(void);
41	int do_pam_putenv(char , char );	41	int do_pam_putenv(char , char );
42	char ** fetch_pam_environment(void);	42	char ** fetch_pam_environment(void);
43	char ** fetch_pam_child_environment(void);	43	char ** fetch_pam_child_environment(void);
44	void free_pam_environment(char **);	44	void free_pam_environment(char **);
45	void sshpam_thread_cleanup(void);	45	void sshpam_thread_cleanup(void);