Bugzilla – Attachment 3022 Details for
Bug 2408
Expose authentication information to PAM
[patch]
Expose SSH_AUTH_INFO_0 environment to both session and accounting modules
bz2408.diff (text/plain), 3.15 KB, created by
Damien Miller
on 2017-07-28 14:55:14 AEST
Description:
Expose SSH_AUTH_INFO_0 environment to both session and accounting modules
Filename:
MIME Type:
Creator:
Damien Miller
Created:
2017-07-28 14:55:14 AEST
Size:
3.15 KB
patch
obsolete
>commit 8d3b68b9f23503c86de3f0863d97fd100032833d
>Author: Damien Miller <djm@mindrot.org>
>Date: Fri Jul 28 14:50:59 2017 +1000
>
> Expose list of completed auth methods to PAM
>
> bz#2408
>
>diff --git a/auth-pam.c b/auth-pam.c
>index 9574d9ac..de29c04c 100644
>--- a/auth-pam.c
>+++ b/auth-pam.c
>@@ -926,6 +926,27 @@ finish_pam(void)
> sshpam_cleanup();
> }
> 
>+static void
>+expose_authinfo(const char *caller)
>+{
>+ char *auth_info;
>+
>+ /*
>+ * Expose authentication information to PAM.
>+ * The enviornment variable is versioned. Please increment the
>+ * version suffix if the format of session_info changes.
>+ */
>+ if (sshpam_authctxt->session_info == NULL)
>+ auth_info = xstrdup("");
>+ else if ((auth_info = sshbuf_dup_string(
>+ sshpam_authctxt->session_info)) == NULL)
>+ fatal("%s: sshbuf_dup_string failed", __func__);
>+
>+ debug2("%s: auth information in SSH_AUTH_INFO_0", caller);
>+ do_pam_putenv("SSH_AUTH_INFO_0", auth_info);
>+ free(auth_info);
>+}
>+
> u_int
> do_pam_account(void)
> {
>@@ -933,6 +954,8 @@ do_pam_account(void)
> if (sshpam_account_status != -1)
> return (sshpam_account_status);
> 
>+ expose_authinfo(__func__);
>+
> sshpam_err = pam_acct_mgmt(sshpam_handle, 0);
> debug3("PAM: %s pam_acct_mgmt = %d (%s)", __func__, sshpam_err,
> pam_strerror(sshpam_handle, sshpam_err));
>@@ -1057,6 +1080,9 @@ void
> do_pam_session(void)
> {
> debug3("PAM: opening session");
>+
>+ expose_authinfo(__func__);
>+
> sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
> (const void *)&store_conv);
> if (sshpam_err != PAM_SUCCESS)
>diff --git a/session.c b/session.c
>index a2588e74..698eaa87 100644
>--- a/session.c
>+++ b/session.c
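Review bot: The status returned by `do_pam_putenv()` on the second-to-last line of expose_authinfo is discarded, so a pam_putenv() failure would leave the account and session modules this commit targets without SSH_AUTH_INFO_0 and nothing in the log to say so; as far as I recall do_pam_putenv (defined outside the hunk) hands back the pam_putenv() result when HAVE_PAM_PUTENV is defined, in which case `if (do_pam_putenv("SSH_AUTH_INFO_0", auth_info) != PAM_SUCCESS) error("%s: pam_putenv failed", __func__);` (or fatal(), matching the sshbuf_dup_string branch) would make the failure visible. The function also dereferences sshpam_authctxt without a NULL check; if the PAM initialisation that sets it is guaranteed to precede both callers, the header comment should state that precondition. The comment has a typo: `enviornment` → `environment`. Since the comment asks for the version suffix to be bumped when the format changes, keeping the name in one place, e.g. `#define SSH_AUTH_INFO_VAR "SSH_AUTH_INFO_0"` used by both the debug2() and do_pam_putenv() lines, would stop the two literals drifting apart.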
>@@ -984,8 +984,9 @@ read_etc_default_login(char ***env, u_int *envsize, uid_t uid)
> }
> #endif /* HAVE_ETC_DEFAULT_LOGIN */
> 
>-void
>-copy_environment(char **source, char ***env, u_int *envsize)
>+static void
>+copy_environment_blacklist(char **source, char ***env, u_int *envsize,
>+ const char *blacklist)
> {
> char *var_name, *var_val;
> int i;
>@@ -1001,13 +1002,22 @@ copy_environment(char **source, char ***env, u_int *envsize)
> }
> *var_val++ = '\0';
> 
>- debug3("Copy environment: %s=%s", var_name, var_val);
>- child_set_env(env, envsize, var_name, var_val);
>+ if (blacklist == NULL ||
>+ match_pattern_list(var_name, blacklist, 0) != 1) {
>+ debug3("Copy environment: %s=%s", var_name, var_val);
>+ child_set_env(env, envsize, var_name, var_val);
>+ }
> 
> free(var_name);
> }
> }
> 
>+void
>+copy_environment(char **source, char ***env, u_int *envsize)
>+{
>+ copy_environment_blacklist(source, env, envsize, NULL);
>+}
>+
> static char **
> do_setup_env(Session *s, const char *shell)
> {
>@@ -1169,12 +1179,16 @@ do_setup_env(Session *s, const char *shell)
> if (options.use_pam) {
> char **p;
> 
>+ /*
>+ * Don't allow SSH_AUTH_INFO variables posted to PAM to leak
>+ * back into the environment.
>+ */
> p = fetch_pam_child_environment();
>- copy_environment(p, &env, &envsize);
>+ copy_environment_blacklist(p, &env, &envsize, "SSH_AUTH_INFO*");
> free_pam_environment(p);
> 
> p = fetch_pam_environment();
>- copy_environment(p, &env, &envsize);
>+ copy_environment_blacklist(p, &env, &envsize, "SSH_AUTH_INFO*");
> free_pam_environment(p);
> }
> #endif /* USE_PAM */
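Review bot: The new `blacklist` parameter of copy_environment_blacklist is undocumented, and the rule it implements lives in the next hunk, so a reader of this signature cannot tell what kind of string it expects. A header comment above `static void` along the lines of `/* Copy source into env, skipping any variable whose name matches the pattern-list blacklist (NULL copies everything). */` would carry that. The function's body continues in the following hunk.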
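Review bot: The guard `match_pattern_list(var_name, blacklist, 0) != 1` copies the variable on both a non-match (0) and a negated match (-1); that is a reasonable choice, but the reader needs to know match_pattern_list's three-valued return to see it, so a one-line comment such as `/* copy unless the name positively matches the blacklist */` above the `if` would help. Stating in the same comment that the match is case-sensitive (third argument 0) documents the intent for the next person who touches it. The enclosing loop starts outside the hunk.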
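Review bot: The pattern `"SSH_AUTH_INFO*"` is written out twice in this hunk, once per PAM environment source, while the comment explaining why sits only above the first call; hoisting it into one named constant, e.g. `static const char pam_env_blacklist[] = "SSH_AUTH_INFO*";`, keeps the two calls in step and gives the comment a single home. That comment should also say that the wildcard deliberately covers future SSH_AUTH_INFO_<n> versions of the variable set in auth-pam.c, so this filter need not change when the suffix is bumped. do_setup_env starts and ends outside the hunk.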
Flags:
dtucker
:
ok+