Bugzilla – Attachment 2711 Details for
Bug 2102
[PATCH] Specify PAM Service name in sshd_config
[patch]
rebased patch for current HEAD
0001-Allow-to-specify-PAM-service-name.patch (text/plain), 4.99 KB, created by
Jakub Jelen
on 2015-09-18 02:41:19 AEST
>From a82f5c4f9dbdc1391eddd04ea48060ee41e92be1 Mon Sep 17 00:00:00 2001
>From: Jakub Jelen <jjelen@redhat.com>
>Date: Thu, 17 Sep 2015 18:24:36 +0200
>Subject: [PATCH 01/10] Allow to specify PAM service name
>
>---
> auth-pam.c | 3 +--
> auth-pam.h | 4 ----
> servconf.c | 23 ++++++++++++++++++++++-
> servconf.h | 1 +
> sshd_config | 1 +
> sshd_config.5 | 4 ++++
> 6 files changed, 29 insertions(+), 7 deletions(-)
>
>diff --git a/auth-pam.c b/auth-pam.c
>index d94c828..604e64e 100644
>--- a/auth-pam.c
>+++ b/auth-pam.c
>@@ -620,7 +620,6 @@ sshpam_cleanup(void)
> static int
> sshpam_init(Authctxt *authctxt)
> {
>- extern char *__progname;
> const char *pam_rhost, *pam_user, *user = authctxt->user;
> const char **ptr_pam_user = &pam_user;
>
>@@ -635,7 +634,7 @@ sshpam_init(Authctxt *authctxt)
> }
> debug("PAM: initializing for \"%s\"", user);
> sshpam_err =
>- pam_start(SSHD_PAM_SERVICE, user, &store_conv, &sshpam_handle);
>+ pam_start(options.pam_service_name, user, &store_conv, &sshpam_handle);
> sshpam_authctxt = authctxt;
>
> if (sshpam_err != PAM_SUCCESS) {
>diff --git a/auth-pam.h b/auth-pam.h
>index a1a2b52..3055d0a 100644
>--- a/auth-pam.h
>+++ b/auth-pam.h
>@@ -27,10 +27,6 @@
> #include "includes.h"
> #ifdef USE_PAM
>
>-#if !defined(SSHD_PAM_SERVICE)
>-# define SSHD_PAM_SERVICE __progname
>-#endif
>-
> void start_pam(Authctxt *);
> void finish_pam(void);
> u_int do_pam_account(void);
>diff --git a/servconf.c b/servconf.c
>index b5db0f7..02a2697 100644
>--- a/servconf.c
>+++ b/servconf.c
>@@ -74,6 +74,7 @@ initialize_server_options(ServerOptions *options)
>
> /* Portable-specific options */
> options->use_pam = -1;
>+ options->pam_service_name = NULL;
>
> /* Standard Options */
> options->num_ports = 0;
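Review bot: The debug line just above the changed `pam_start()` call in the second auth-pam.c hunk still logs only the user, so once the service name is configurable (and, per the servconf.c keyword table, settable inside Match blocks) nothing records which PAM stack handled a login attempt. I would extend it to `debug("PAM: initializing for \"%s\" with service \"%s\"", user, options.pam_service_name);`. The call also now relies on `fill_default_server_options()` having replaced a NULL `pam_service_name` before `sshpam_init()` runs; that ordering is not visible here, so a one-line comment stating the assumption would help. sshpam_init's body continues outside the hunk.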
>@@ -186,6 +187,10 @@ fill_default_server_options(ServerOptions *options)
> /* Portable-specific options */
> if (options->use_pam == -1)
> options->use_pam = 0;
>+ if (options->pam_service_name == NULL) {
>+ extern char *__progname;
>+ options->pam_service_name = xstrdup(__progname);
>+ }
>
> /* Standard Options */
> if (options->protocol == SSH_PROTO_UNKNOWN)
>@@ -389,7 +394,7 @@ fill_default_server_options(ServerOptions *options)
> typedef enum {
> sBadOption, /* == unknown option */
> /* Portable-specific options */
>- sUsePAM,
>+ sUsePAM, sPAMServiceName,
> /* Standard Options */
> sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime,
> sKeyRegenerationTime, sPermitRootLogin, sLogFacility, sLogLevel,
>@@ -439,8 +444,10 @@ static struct {
> /* Portable-specific options */
> #ifdef USE_PAM
> { "usepam", sUsePAM, SSHCFG_GLOBAL },
>+ { "pamservicename", sPAMServiceName, SSHCFG_ALL },
> #else
> { "usepam", sUnsupported, SSHCFG_GLOBAL },
>+ { "pamservicename", sUnsupported, SSHCFG_ALL },
> #endif
> { "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
> /* Standard Options */
>@@ -1000,6 +1007,18 @@ process_server_config_line(ServerOptions *options, char *line,
> intptr = &options->use_pam;
> goto parse_flag;
>
>+ case sPAMServiceName:
>+ arg = strdelim(&cp);
>+ if (!arg || *arg == '\0')
>+ fatal("%s line %d: Missing Pam Service Name",
>+ filename, linenum);
>+ if (*activep) {
>+ if(options->pam_service_name != NULL)
>+ free(options->pam_service_name);
>+ options->pam_service_name = xstrdup(arg);
>+ }
>+ break;
>+
> /* Standard Options */
> case sBadOption:
> return -1;
>@@ -2024,6 +2043,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
>
> M_CP_STROPT(adm_forced_command);
> M_CP_STROPT(chroot_directory);
>+ M_CP_STROPT(pam_service_name);
> }
>
> #undef M_CP_INTOPT
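Review bot: In the new `case sPAMServiceName:` every active occurrence frees the previous value and stores the new one, so the last matching line wins, whereas sshd_config documents that the first obtained value of a keyword is used. For an option that selects the authentication stack, that difference can leave an administrator with a different PAM policy than the one they listed first. I would write `if (*activep && options->pam_service_name == NULL)` followed by `options->pam_service_name = xstrdup(arg);`, which also drops the redundant NULL test before `free()`; this assumes Match overrides are parsed into a freshly initialized ServerOptions, as the `M_CP_STROPT` hunk suggests. process_server_config_line continues outside the hunk.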
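Review bot: `M_CP_STROPT(pam_service_name)` is added at the very end of `copy_set_server_options()`, whose `preauth` parameter suggests that some copies are skipped in the pre-authentication case; the start of the function is outside this hunk, so I cannot tell whether an early return precedes these lines. If one does, a Match-specific service name would not reach a pre-auth copy of the options. Please confirm that the process which calls `pam_start()` sees the overridden value, and add a comment next to the new line such as `/* consumed by sshpam_init() when PAM is started */`.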
>@@ -2215,6 +2235,7 @@ dump_config(ServerOptions *o)
> /* integer arguments */
> #ifdef USE_PAM
> dump_cfg_fmtint(sUsePAM, o->use_pam);
>+ dump_cfg_string(sPAMServiceName, o->pam_service_name);
> #endif
> dump_cfg_int(sServerKeyBits, o->server_key_bits);
> dump_cfg_int(sLoginGraceTime, o->login_grace_time);
>diff --git a/servconf.h b/servconf.h
>index f4137af..eeaea19 100644
>--- a/servconf.h
>+++ b/servconf.h
>@@ -172,6 +172,7 @@ typedef struct {
> char *adm_forced_command;
>
> int use_pam; /* Enable auth via PAM */
>+ char *pam_service_name;
>
> int permit_tun;
>
>diff --git a/sshd_config b/sshd_config
>index 4d77f05..c84be9e 100644
>--- a/sshd_config
>+++ b/sshd_config
>@@ -95,6 +95,7 @@ AuthorizedKeysFile .ssh/authorized_keys
> # PAM authentication, then enable this but set PasswordAuthentication
> # and ChallengeResponseAuthentication to 'no'.
> #UsePAM no
>+#PAMServiceName sshd
>
> #AllowAgentForwarding yes
> #AllowTcpForwarding yes
>diff --git a/sshd_config.5 b/sshd_config.5
>index cd3b5cf..69b6da3 100644
>--- a/sshd_config.5
>+++ b/sshd_config.5
>@@ -1110,6 +1110,7 @@ Available keywords are
> .Cm KerberosAuthentication ,
> .Cm MaxAuthTries ,
> .Cm MaxSessions ,
>+.Cm PAMServiceName ,
> .Cm PasswordAuthentication ,
> .Cm PermitEmptyPasswords ,
> .Cm PermitOpen ,
>@@ -1578,6 +1579,9 @@ is enabled, you will not be able to run
> as a non-root user.
> The default is
> .Dq no .
>+.It Cm PamServiceName
>+Specifies which pam service name is used by sshd. The default is the
>+name of the process.
> .It Cm UsePrivilegeSeparation
> Specifies whether
> .Xr sshd 8
>--
>2.1.0
>
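Review bot: `dump_cfg_string(sPAMServiceName, ...)` is placed under the `/* integer arguments */` comment in `dump_config()`, next to `dump_cfg_fmtint(sUsePAM, ...)`. dump_config() appears to print the effective configuration, so the string option would be easier to find and audit alongside the other string options, inside its own `#ifdef USE_PAM` guard. In the servconf.h hunk the new field could also carry a comment like the one on `use_pam`, e.g. `char *pam_service_name; /* service name passed to pam_start() */`. dump_config starts and ends outside the hunk.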
Attachments on
bug 2102
:
2267
|
2439
| 2711