Attachment 3022 Details for Bug 2408 – Expose SSH_AUTH_INFO_0 environment to both session and accounting modules

[patch] Expose SSH_AUTH_INFO_0 environment to both session and accounting modules

bz2408.diff (text/plain), 3.15 KB, created by Damien Miller on 2017-07-28 14:55:14 AEST

(hide)

Description:

Filename:

MIME Type:

Creator: Damien Miller

Created: 2017-07-28 14:55:14 AEST

Size: 3.15 KB

patch

obsolete

>commit 8d3b68b9f23503c86de3f0863d97fd100032833d
>Author: Damien Miller <djm@mindrot.org>
>Date:   Fri Jul 28 14:50:59 2017 +1000
>
>    Expose list of completed auth methods to PAM
>    
>    bz#2408
>
>diff --git a/auth-pam.c b/auth-pam.c
>index 9574d9ac..de29c04c 100644
>--- a/auth-pam.c
>+++ b/auth-pam.c
>@@ -926,6 +926,27 @@ finish_pam(void)
> 	sshpam_cleanup();
> }
> 
>+static void
>+expose_authinfo(const char *caller)
>+{
>+	char *auth_info;
>+
>+	/*
>+	 * Expose authentication information to PAM.
>+	 * The enviornment variable is versioned. Please increment the
>+	 * version suffix if the format of session_info changes.
>+	 */
>+	if (sshpam_authctxt->session_info == NULL)
>+		auth_info = xstrdup("");
>+	else if ((auth_info = sshbuf_dup_string(
>+	    sshpam_authctxt->session_info)) == NULL)
>+		fatal("%s: sshbuf_dup_string failed", __func__);
>+
>+	debug2("%s: auth information in SSH_AUTH_INFO_0", caller);
>+	do_pam_putenv("SSH_AUTH_INFO_0", auth_info);
>+	free(auth_info);
>+}
>+
> u_int
> do_pam_account(void)
> {
>@@ -933,6 +954,8 @@ do_pam_account(void)
> 	if (sshpam_account_status != -1)
> 		return (sshpam_account_status);
> 
>+	expose_authinfo(__func__);
>+
> 	sshpam_err = pam_acct_mgmt(sshpam_handle, 0);
> 	debug3("PAM: %s pam_acct_mgmt = %d (%s)", __func__, sshpam_err,
> 	    pam_strerror(sshpam_handle, sshpam_err));
>@@ -1057,6 +1080,9 @@ void
> do_pam_session(void)
> {
> 	debug3("PAM: opening session");
>+
>+	expose_authinfo(__func__);
>+
> 	sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
> 	    (const void *)&store_conv);
> 	if (sshpam_err != PAM_SUCCESS)
>diff --git a/session.c b/session.c
>index a2588e74..698eaa87 100644
>--- a/session.c
>+++ b/session.c
>@@ -984,8 +984,9 @@ read_etc_default_login(char ***env, u_int *envsize, uid_t uid)
> }
> #endif /* HAVE_ETC_DEFAULT_LOGIN */
> 
>-void
>-copy_environment(char **source, char ***env, u_int *envsize)
>+static void
>+copy_environment_blacklist(char **source, char ***env, u_int *envsize,
>+    const char *blacklist)
> {
> 	char *var_name, *var_val;
> 	int i;
>@@ -1001,13 +1002,22 @@ copy_environment(char **source, char ***env, u_int *envsize)
> 		}
> 		*var_val++ = '\0';
> 
>-		debug3("Copy environment: %s=%s", var_name, var_val);
>-		child_set_env(env, envsize, var_name, var_val);
>+		if (blacklist == NULL ||
>+		    match_pattern_list(var_name, blacklist, 0) != 1) {
>+			debug3("Copy environment: %s=%s", var_name, var_val);
>+			child_set_env(env, envsize, var_name, var_val);
>+		}
> 
> 		free(var_name);
> 	}
> }
> 
>+void
>+copy_environment(char **source, char ***env, u_int *envsize)
>+{
>+	copy_environment_blacklist(source, env, envsize, NULL);
>+}
>+
> static char **
> do_setup_env(Session *s, const char *shell)
> {
>@@ -1169,12 +1179,16 @@ do_setup_env(Session *s, const char *shell)
> 	if (options.use_pam) {
> 		char **p;
> 
>+		/*
>+		 * Don't allow SSH_AUTH_INFO variables posted to PAM to leak
>+		 * back into the environment.
>+		 */
> 		p = fetch_pam_child_environment();
>-		copy_environment(p, &env, &envsize);
>+		copy_environment_blacklist(p, &env, &envsize, "SSH_AUTH_INFO*");
> 		free_pam_environment(p);
> 
> 		p = fetch_pam_environment();
>-		copy_environment(p, &env, &envsize);
>+		copy_environment_blacklist(p, &env, &envsize, "SSH_AUTH_INFO*");
> 		free_pam_environment(p);
> 	}
> #endif /* USE_PAM */

Flags:

dtucker: ok+

Actions: View | Diff

Attachments on bug 2408: 2754 | 2791 | 2792 | 2812 | 2846 | 2978 | 2980 | 2999 | 3022 | 3089 | 3091