Attachment 3213 Details for Bug 2741 – set SSH_CONNECTION in PAM environment

[patch] set SSH_CONNECTION in PAM environment

bz2741.diff (text/plain), 1.85 KB, created by Damien Miller on 2018-12-07 15:42:47 AEDT

(hide)

Description:

Filename:

MIME Type:

Creator: Damien Miller

Created: 2018-12-07 15:42:47 AEDT

Size: 1.85 KB

patch

obsolete

>commit d08e362fa3693ec6ac1aafa494c62bf0cee23e3f
>Author: Damien Miller <djm@mindrot.org>
>Date:   Fri Dec 7 15:41:16 2018 +1100
>
>    bz2741
>
>diff --git a/auth-pam.c b/auth-pam.c
>index 1dec53e9..d67324e1 100644
>--- a/auth-pam.c
>+++ b/auth-pam.c
>@@ -673,6 +673,7 @@ sshpam_init(Authctxt *authctxt)
> {
> 	const char *pam_rhost, *pam_user, *user = authctxt->user;
> 	const char **ptr_pam_user = &pam_user;
>+	char *laddr, *conninfo;
> 	struct ssh *ssh = active_state; /* XXX */
> 
> 	if (sshpam_handle != NULL) {
>@@ -702,6 +703,15 @@ sshpam_init(Authctxt *authctxt)
> 		sshpam_handle = NULL;
> 		return (-1);
> 	}
>+
>+        laddr = get_local_ipaddr(packet_get_connection_in());
>+        xasprintf(&conninfo, "SSH_CONNECTION=%.50s %d %.50s %d",
>+	    ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
>+	    laddr, ssh_local_port(ssh));
>+	pam_putenv(sshpam_handle, conninfo);
>+	free(laddr);
>+	free(conninfo);
>+
> #ifdef PAM_TTY_KLUDGE
> 	/*
> 	 * Some silly PAM modules (e.g. pam_time) require a TTY to operate.
>diff --git a/session.c b/session.c
>index 2d0958d1..11993340 100644
>--- a/session.c
>+++ b/session.c
>@@ -1162,15 +1162,18 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell)
> 		char **p;
> 
> 		/*
>-		 * Don't allow SSH_AUTH_INFO variables posted to PAM to leak
>-		 * back into the environment.
>+		 * Don't allow PAM-internal env vars to leak
>+		 * back into the session environment.
> 		 */
>+#define PAM_ENV_BLACKLIST  "SSH_AUTH_INFO*,SSH_CONNECTION*"
> 		p = fetch_pam_child_environment();
>-		copy_environment_blacklist(p, &env, &envsize, "SSH_AUTH_INFO*");
>+		copy_environment_blacklist(p, &env, &envsize,
>+		    PAM_ENV_BLACKLIST);
> 		free_pam_environment(p);
> 
> 		p = fetch_pam_environment();
>-		copy_environment_blacklist(p, &env, &envsize, "SSH_AUTH_INFO*");
>+		copy_environment_blacklist(p, &env, &envsize,
>+		    PAM_ENV_BLACKLIST);
> 		free_pam_environment(p);
> 	}
> #endif /* USE_PAM */

Flags:

dtucker: ok+

Actions: View | Diff

Attachments on bug 2741: 3213