Bugzilla – Attachment 2812 Details for
Bug 2408
Expose authentication information to PAM
Also add a configuration option to control the exposure
0001-Add-ExposeAuthenticationMethods-configuration-option.patch (text/plain), 6.36 KB, created by
Vincent Brillault
on 2016-05-03 00:14:53 AEST
Description:
Also add a configuration option to control the exposure
Filename:
MIME Type:
Creator:
Vincent Brillault
Created:
2016-05-03 00:14:53 AEST
Size:
6.36 KB
patch
obsolete
>From 80540c2ffd8c4482bd8a543aa25a4b307ff3fa97 Mon Sep 17 00:00:00 2001
>From: Vincent Brillault <vincent.brillault@cern.ch>
>Date: Mon, 2 May 2016 16:07:32 +0200
>Subject: [PATCH] Add ExposeAuthenticationMethods configuration option
>
>---
> auth-pam.c | 3 ++-
> servconf.c | 20 ++++++++++++++++++++
> servconf.h | 7 +++++++
> session.c | 9 ++++++++-
> sshd_config.5 | 15 +++++++++++++++
> 5 files changed, 52 insertions(+), 2 deletions(-)
>
>diff --git a/auth-pam.c b/auth-pam.c
>index c197edf..9efbf6a 100644
>--- a/auth-pam.c
>+++ b/auth-pam.c
>@@ -691,7 +691,8 @@ sshpam_init_ctx(Authctxt *authctxt)
> }
>
> /* Notify PAM about any already successful auth methods */
>- if (authctxt->auth_details)
>+ if (options.expose_auth_methods >= EXPOSE_AUTHMETH_PAMONLY &&
>+ authctxt->auth_details)
> do_pam_putenv("SSH_USER_AUTH", authctxt->auth_details);
>
> ctxt = xcalloc(1, sizeof *ctxt);
>diff --git a/servconf.c b/servconf.c
>index 6111c5a..e362ab7 100644
>--- a/servconf.c
>+++ b/servconf.c
>@@ -169,6 +169,7 @@ initialize_server_options(ServerOptions *options)
> options->ip_qos_bulk = -1;
> options->version_addendum = NULL;
> options->fingerprint_hash = -1;
>+ options->expose_auth_methods = -1;
> }
>
> /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
>@@ -353,6 +354,8 @@ fill_default_server_options(ServerOptions *options)
> options->fwd_opts.streamlocal_bind_unlink = 0;
> if (options->fingerprint_hash == -1)
> options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
>+ if (options->expose_auth_methods == -1)
>+ options->expose_auth_methods = EXPOSE_AUTHMETH_PAMONLY;
>
> assemble_algorithms(options);
>
>@@ -430,6 +433,7 @@ typedef enum {
> sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
> sStreamLocalBindMask, sStreamLocalBindUnlink,
> sAllowStreamLocalForwarding, sFingerprintHash,
>+ sExposeAuthenticationMethods,
> sDeprecated, sUnsupported
> } ServerOpCodes;
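Review bot: The new guard in sshpam_init_ctx compares `options.expose_auth_methods` with `>=` against EXPOSE_AUTHMETH_PAMONLY, and the two session.c hunks do the same with `<` and `>=` against EXPOSE_AUTHMETH_PAMENV, so the numeric order of the three EXPOSE_AUTHMETH_* defines added in servconf.h is now part of their contract, yet the only comment there is `/* Expose AuthenticationMethods */`. Either document that ordering next to the defines, e.g. `/* Ordered by how much is exposed; auth-pam.c and session.c compare these with < and >= */`, or compare for equality against the specific levels so that a future value inserted into the range cannot silently change which branches fire. The body of sshpam_init_ctx continues outside the hunk.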
>
>@@ -572,6 +576,7 @@ static struct {
> { "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL },
> { "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL },
> { "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
>+ { "exposeauthenticationmethods", sExposeAuthenticationMethods, SSHCFG_GLOBAL },
> { NULL, sBadOption, 0 }
> };
>
>@@ -961,6 +966,12 @@ static const struct multistate multistate_tcpfwd[] = {
> { "local", FORWARD_LOCAL },
> { NULL, -1 }
> };
>+static const struct multistate multistate_exposeauthmeth[] = {
>+ { "never", EXPOSE_AUTHMETH_NEVER },
>+ { "pam-only", EXPOSE_AUTHMETH_PAMONLY },
>+ { "pam-and-env", EXPOSE_AUTHMETH_PAMENV },
>+ { NULL, -1}
>+};
>
> int
> process_server_config_line(ServerOptions *options, char *line,
>@@ -1851,6 +1862,11 @@ process_server_config_line(ServerOptions *options, char *line,
> options->fingerprint_hash = value;
> break;
>
>+ case sExposeAuthenticationMethods:
>+ intptr = &options->expose_auth_methods;
>+ multistate_ptr = multistate_exposeauthmeth;
>+ goto parse_multistate;
>+
> case sDeprecated:
> logit("%s line %d: Deprecated option %s",
> filename, linenum, arg);
>@@ -2005,6 +2021,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
> M_CP_INTOPT(ip_qos_bulk);
> M_CP_INTOPT(rekey_limit);
> M_CP_INTOPT(rekey_interval);
>+ M_CP_INTOPT(expose_auth_methods);
>
> /* M_CP_STROPT and M_CP_STRARRAYOPT should not appear before here */
> #define M_CP_STROPT(n) do {\
>@@ -2109,6 +2126,8 @@ fmt_intarg(ServerOpCodes code, int val)
> return fmt_multistate_int(val, multistate_tcpfwd);
> case sFingerprintHash:
> return ssh_digest_alg_name(val);
>+ case sExposeAuthenticationMethods:
>+ return fmt_multistate_int(val, multistate_exposeauthmeth);
> case sProtocol:
> switch (val) {
> case SSH_PROTO_1:
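Review bot: The terminator of the new multistate_exposeauthmeth table is written `{ NULL, -1}` while the multistate_tcpfwd table directly above it, and the other tables in this file, use `{ NULL, -1 }`; the table should follow the existing spacing, `{ NULL, -1 }`. The table is complete within the hunk.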
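Review bot: `M_CP_INTOPT(expose_auth_methods);` in copy_set_server_options looks inconsistent with the keyword table earlier in the same diff, where `exposeauthenticationmethods` is registered as SSHCFG_GLOBAL: if M_CP_INTOPT is the Match-block copy path, as the neighbouring rekey_limit and ip_qos_bulk entries suggest, a global-only keyword can never be set inside a Match block and the copy is dead code. Either drop the M_CP_INTOPT line, or, if per-Match control is intended (exposing methods only for some users or sources), change the table entry to `{ "exposeauthenticationmethods", sExposeAuthenticationMethods, SSHCFG_ALL },` and say so in the sshd_config.5 text. copy_set_server_options continues outside the hunk.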
>@@ -2295,6 +2314,7 @@ dump_config(ServerOptions *o) > dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding); > dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep); > dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash); >+ dump_cfg_fmtint(sExposeAuthenticationMethods, o->expose_auth_methods); > > /* string arguments */ > dump_cfg_string(sPidFile, o->pid_file); >diff --git a/servconf.h b/servconf.h >index f4137af..1c9ba10 100644 >--- a/servconf.h >+++ b/servconf.h >@@ -48,6 +48,11 @@ > #define FORWARD_LOCAL (1<<1) > #define FORWARD_ALLOW (FORWARD_REMOTE|FORWARD_LOCAL) > >+/* Expose AuthenticationMethods */ >+#define EXPOSE_AUTHMETH_NEVER 0 >+#define EXPOSE_AUTHMETH_PAMONLY 1 >+#define EXPOSE_AUTHMETH_PAMENV 2 >+ > #define DEFAULT_AUTH_FAIL_MAX 6 /* Default for MaxAuthTries */ > #define DEFAULT_SESSIONS_MAX 10 /* Default for MaxSessions */ > >@@ -195,6 +200,8 @@ typedef struct { > char *auth_methods[MAX_AUTH_METHODS]; > > int fingerprint_hash; >+ >+ int expose_auth_methods; /* EXPOSE_AUTHMETH_* above */ > } ServerOptions; > > /* Information about the incoming connection as used by Match */ >diff --git a/session.c b/session.c >index c59f77f..3da08ec 100644 >--- a/session.c >+++ b/session.c >@@ -1153,6 +1153,12 @@ copy_environment(char **source, char ***env, u_int *envsize) > } > *var_val++ = '\0'; > >+ if (options.expose_auth_methods < EXPOSE_AUTHMETH_PAMENV && >+ strcmp(var_name, "SSH_USER_AUTH") == 0) { >+ free(var_name); >+ continue; >+ } >+ > debug3("Copy environment: %s=%s", var_name, var_val); > child_set_env(env, envsize, var_name, var_val); > >@@ -1335,7 +1341,8 @@ do_setup_env(Session *s, const char *shell) > } > #endif /* USE_PAM */ > >- if (s->authctxt->auth_details) >+ if (options.expose_auth_methods >= EXPOSE_AUTHMETH_PAMENV && >+ s->authctxt->auth_details) > child_set_env(&env, &envsize, "SSH_USER_AUTH", > s->authctxt->auth_details); > >diff --git a/sshd_config.5 b/sshd_config.5 >index 63807c0..5d63f50 100644 
>--- a/sshd_config.5
>+++ b/sshd_config.5
>@@ -574,6 +574,21 @@ and finally
> See PATTERNS in
> .Xr ssh_config 5
> for more information on patterns.
>+.It Cm ExposeAuthenticationMethods
>+When using SSH2, this option controls the exposure of the list of
>+successful authentication methods to PAM during the authentication
>+and to the shell environment via the
>+.Cm SSH_USER_AUTH
>+variable. See the description of this variable for more details.
>+Valid options are:
>+.Dq never
>+(Do not expose successful authentication methods),
>+.Dq pam-only
>+(Only expose them to PAM during authentication, not afterwards),
>+.Dq pam-and-env
>+(Expose them to PAM and keep them in the shell environment).
>+The default is
>+.Dq pam-only .
> .It Cm FingerprintHash
> Specifies the hash algorithm used when logging key fingerprints.
> Valid options are:
>--
>2.8.2
>