Bugzilla – Attachment 3213 Details for
Bug 2741
Export client port to PAM
[patch]
set SSH_CONNECTION in PAM environment
bz2741.diff (text/plain), 1.85 KB, created by
Damien Miller
on 2018-12-07 15:42:47 AEDT
>commit d08e362fa3693ec6ac1aafa494c62bf0cee23e3f >Author: Damien Miller <djm@mindrot.org> >Date: Fri Dec 7 15:41:16 2018 +1100 > > bz2741 > >diff --git a/auth-pam.c b/auth-pam.c >index 1dec53e9..d67324e1 100644 >--- a/auth-pam.c >+++ b/auth-pam.c >@@ -673,6 +673,7 @@ sshpam_init(Authctxt *authctxt) > { > const char *pam_rhost, *pam_user, *user = authctxt->user; > const char **ptr_pam_user = &pam_user; >+ char *laddr, *conninfo; > struct ssh *ssh = active_state; /* XXX */ > > if (sshpam_handle != NULL) { >@@ -702,6 +703,15 @@ sshpam_init(Authctxt *authctxt) > sshpam_handle = NULL; > return (-1); > } >+ >+ laddr = get_local_ipaddr(packet_get_connection_in()); >+ xasprintf(&conninfo, "SSH_CONNECTION=%.50s %d %.50s %d", >+ ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), >+ laddr, ssh_local_port(ssh)); >+ pam_putenv(sshpam_handle, conninfo); >+ free(laddr); >+ free(conninfo); >+ > #ifdef PAM_TTY_KLUDGE > /* > * Some silly PAM modules (e.g. pam_time) require a TTY to operate. >diff --git a/session.c b/session.c >index 2d0958d1..11993340 100644 >--- a/session.c >+++ b/session.c >@@ -1162,15 +1162,18 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell) > char **p; > > /* >- * Don't allow SSH_AUTH_INFO variables posted to PAM to leak >- * back into the environment. >+ * Don't allow PAM-internal env vars to leak >+ * back into the session environment. > */ >+#define PAM_ENV_BLACKLIST "SSH_AUTH_INFO*,SSH_CONNECTION*" > p = fetch_pam_child_environment(); >- copy_environment_blacklist(p, &env, &envsize, "SSH_AUTH_INFO*"); >+ copy_environment_blacklist(p, &env, &envsize, >+ PAM_ENV_BLACKLIST); > free_pam_environment(p); > > p = fetch_pam_environment(); >- copy_environment_blacklist(p, &env, &envsize, "SSH_AUTH_INFO*"); >+ copy_environment_blacklist(p, &env, &envsize, >+ PAM_ENV_BLACKLIST); > free_pam_environment(p); > } > #endif /* USE_PAM */
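Review bot: In the second auth-pam.c hunk (sshpam_init, after the error return), the result of pam_putenv(sshpam_handle, conninfo) is discarded, so a failure to export SSH_CONNECTION is silent and a PAM module that depends on it would simply see no value. The block directly above clears sshpam_handle and returns -1 on failure; if a failure here is meant to be non-fatal, at least compare the result against PAM_SUCCESS and log it. The new block also has no comment, unlike the PAM_TTY_KLUDGE block that follows it; one line saying the value is exported for PAM modules and in which order the four fields appear (remote address, remote port, local address, local port) would document the format that the "%.50s %d %.50s %d" string fixes.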
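Review bot: In the session.c hunk, PAM_ENV_BLACKLIST is #defined in the middle of the do_setup_env() body, between the comment and the first fetch call, and is never #undef'd, so it stays visible for the rest of the file; moving the define to the top of the file next to the other USE_PAM declarations would read more cleanly. Separately, the new entry is written as "SSH_CONNECTION*" while the auth-pam.c side of this patch sets exactly one variable named SSH_CONNECTION. Assuming the blacklist is matched against variable names as shell-style patterns, the trailing wildcard also drops any other PAM-provided variable whose name merely begins with SSH_CONNECTION, so the exact name would be the tighter filter unless the wider match is intended, in which case the comment should say so.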
Flags: dtucker: ok+