Bugzilla – Attachment 369 Details for
Bug 564
new PAM code only calls pam_acct_mgmt for challenge-response clients
[patch]
Perform PAM account checks
openssh-pam-acct.diff (text/plain), 9.43 KB, created by
Damien Miller
on 2003-08-24 22:53:15 AEST
Description:
Perform PAM account checks
Filename:
MIME Type:
Creator:
Damien Miller
Created:
2003-08-24 22:53:15 AEST
Size:
9.43 KB
patch
obsolete
>Index: auth-pam.c
>===================================================================
>RCS file: /var/cvs/openssh/auth-pam.c,v
>retrieving revision 1.66
>diff -u -r1.66 auth-pam.c
>--- auth-pam.c 8 Aug 2003 03:43:37 -0000 1.66
>+++ auth-pam.c 24 Aug 2003 12:44:32 -0000
>@@ -49,6 +49,7 @@
> #include "servconf.h"
> #include "ssh2.h"
> #include "xmalloc.h"
>+#include "auth-options.h"
> 
> extern ServerOptions options;
> 
>@@ -130,10 +131,8 @@
> * Conversation function for authentication thread.
> */
> static int
>-sshpam_thread_conv(int n,
>- const struct pam_message **msg,
>- struct pam_response **resp,
>- void *data)
>+sshpam_thread_conv(int n, const struct pam_message **msg,
>+ struct pam_response **resp, void *data)
> {
> Buffer buffer;
> struct pam_ctxt *ctxt;
>@@ -216,9 +215,6 @@
> sshpam_err = pam_authenticate(sshpam_handle, 0);
> if (sshpam_err != PAM_SUCCESS)
> goto auth_fail;
>- sshpam_err = pam_acct_mgmt(sshpam_handle, 0);
>- if (sshpam_err != PAM_SUCCESS && sshpam_err != PAM_NEW_AUTHTOK_REQD)
>- goto auth_fail;
> buffer_put_cstring(&buffer, "OK");
> ssh_msg_send(ctxt->pam_csock, sshpam_err, &buffer);
> buffer_free(&buffer);
>@@ -246,12 +242,9 @@
> }
> 
> static int
>-sshpam_null_conv(int n,
>- const struct pam_message **msg,
>- struct pam_response **resp,
>- void *data)
>+sshpam_null_conv(int n, const struct pam_message **msg,
>+ struct pam_response **resp, void *data)
> {
>-
> return (PAM_CONV_ERR);
> }
> 
>@@ -303,7 +296,7 @@
> debug("PAM: setting PAM_RHOST to \"%s\"", pam_rhost);
> sshpam_err = pam_set_item(sshpam_handle, PAM_RHOST, pam_rhost);
> if (sshpam_err != PAM_SUCCESS) {
>- pam_end(sshpam_handle, sshpam_err);
>+ pam_end(sshpam_handle, sshpam_err);
> sshpam_handle = NULL;
> return (-1);
> }
>@@ -403,9 +396,6 @@
> plen += snprintf(**prompts + plen, len, "%s", msg);
> xfree(msg);
> break;
>- case PAM_NEW_AUTHTOK_REQD:
>- sshpam_new_authtok_reqd = 1;
>- /* FALLTHROUGH */
> case PAM_SUCCESS:
> case PAM_AUTH_ERR:
> if (**prompts != NULL) {
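Review bot: With `case PAM_NEW_AUTHTOK_REQD` removed from the status switch in sshpam_query (hunk at -403), a reader of this function can no longer see where an expired password is detected, and the switch's remaining handling of that status (its default arm is outside the hunk) is now silent about it. A one-line comment above `case PAM_SUCCESS:` would keep the intent discoverable: `/* PAM_NEW_AUTHTOK_REQD is reported by do_pam_account(), not by the auth thread */`. The same applies to the -216 hunk, where `sshpam_err` is now always PAM_SUCCESS when the "OK" message is sent; the enclosing thread function starts and ends outside the hunk.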
>@@ -519,10 +509,24 @@
> sshpam_cleanup(NULL);
> }
> 
>-int
>-do_pam_account(const char *user, const char *ruser)
>+u_int
>+do_pam_account(void)
> {
>- /* XXX */
>+ sshpam_err = pam_acct_mgmt(sshpam_handle, 0);
>+ debug3("%s: pam_acct_mgmt = %d", __func__, sshpam_err);
>+
>+ if (sshpam_err != PAM_SUCCESS && sshpam_err != PAM_NEW_AUTHTOK_REQD)
>+ return (0);
>+
>+ if (sshpam_err == PAM_NEW_AUTHTOK_REQD) {
>+ sshpam_new_authtok_reqd = 1;
>+
>+ /* Prevent forwardings until password changed */
>+ no_port_forwarding_flag |= 2;
>+ no_agent_forwarding_flag |= 2;
>+ no_x11_forwarding_flag |= 2;
>+ }
>+
> return (1);
> }
> 
>@@ -582,10 +586,8 @@
> }
> 
> static int
>-pam_chauthtok_conv(int n,
>- const struct pam_message **msg,
>- struct pam_response **resp,
>- void *data)
>+pam_chauthtok_conv(int n, const struct pam_message **msg,
>+ struct pam_response **resp, void *data)
> {
> char input[PAM_MAX_MSG_SIZE];
> int i;
>@@ -635,7 +637,7 @@
> struct pam_conv pam_conv = { pam_chauthtok_conv, NULL };
> 
> if (use_privsep)
>- fatal("PAM: chauthtok not supprted with privsep");
>+ fatal("Password expired (unable to change with privsep)");
> sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
> (const void *)&pam_conv);
> if (sshpam_err != PAM_SUCCESS)
>Index: auth-pam.h
>===================================================================
>RCS file: /var/cvs/openssh/auth-pam.h,v
>retrieving revision 1.18
>diff -u -r1.18 auth-pam.h
>--- auth-pam.h 19 May 2003 01:28:44 -0000 1.18
>+++ auth-pam.h 24 Aug 2003 12:44:32 -0000
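Review bot: When pam_acct_mgmt() rejects the account, do_pam_account returns 0 after only a debug3 of the raw status number, so a login denied by an account module (expired account, access restrictions, time-of-day) leaves no human-readable reason in the log at normal verbosity. Before the `return (0);` add `logit("PAM: account check failed: %s", pam_strerror(sshpam_handle, sshpam_err));` so the denial is attributable. The bit value `2` in `no_*_forwarding_flag |= 2` is also cleared by a matching `&= ~2` in the session.c hunk of this patch; a named constant shared by both sites (for example `FORWARDING_BLOCKED_PAM_AUTHTOK`) would stop the two from drifting, and the comment should say why bit 1 is not used (it is presumably the authorized_keys option bit, which must survive the password change).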
>@@ -33,7 +33,7 @@
> 
> void start_pam(const char *);
> void finish_pam(void);
>-int do_pam_account(const char *, const char *);
>+u_int do_pam_account(void);
> void do_pam_session(const char *, const char *);
> void do_pam_setcred(int );
> int is_pam_password_change_required(void);
>Index: auth1.c
>===================================================================
>RCS file: /var/cvs/openssh/auth1.c,v
>retrieving revision 1.88
>diff -u -r1.88 auth1.c
>--- auth1.c 13 Aug 2003 10:37:05 -0000 1.88
>+++ auth1.c 24 Aug 2003 12:44:32 -0000
>@@ -290,6 +290,12 @@
> authenticated = 0;
> #endif
> 
>+#ifdef USE_PAM
>+ if (options.use_pam && authenticated &&
>+ !PRIVSEP(do_pam_account()))
>+ authenticated = 0;
>+#endif
>+
> /* Log before sending the reply */
> auth_log(authctxt, authenticated, get_authname(type), info);
> 
>Index: auth2.c
>===================================================================
>RCS file: /var/cvs/openssh/auth2.c,v
>retrieving revision 1.120
>diff -u -r1.120 auth2.c
>--- auth2.c 28 Jun 2003 02:38:02 -0000 1.120
>+++ auth2.c 24 Aug 2003 12:44:32 -0000
>@@ -213,6 +213,11 @@
> !auth_root_allowed(method))
> authenticated = 0;
> 
>+#ifdef USE_PAM
>+ if (options.use_pam && authenticated && !PRIVSEP(do_pam_account()))
>+ authenticated = 0;
>+#endif
>+
> #ifdef _UNICOS
> if (authenticated && cray_access_denied(authctxt->user)) {
> authenticated = 0;
>Index: monitor.c
>===================================================================
>RCS file: /var/cvs/openssh/monitor.c,v
>retrieving revision 1.51
>diff -u -r1.51 monitor.c
>--- monitor.c 2 Aug 2003 12:24:49 -0000 1.51
>+++ monitor.c 24 Aug 2003 12:44:32 -0000
>@@ -118,6 +118,7 @@
> 
> #ifdef USE_PAM
> int mm_answer_pam_start(int, Buffer *);
>+int mm_answer_pam_account(int, Buffer *);
> int mm_answer_pam_init_ctx(int, Buffer *);
> int mm_answer_pam_query(int, Buffer *);
> int mm_answer_pam_respond(int, Buffer *);
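Review bot: The `authenticated &&` guard in the auth2.c and auth1.c hunks is load-bearing under privsep: the child only sends MONITOR_REQ_PAM_ACCOUNT when it still believes the method succeeded, and the monitor (monitor.c hunk in this patch) blocks waiting for exactly that request, so any future check that clears `authenticated` between the root-login test and this block in one process but not the other will desynchronise the two sides into a fatal(). A comment at the new block would protect this invariant: `/* Must stay in lockstep with monitor_child_preauth(): the monitor waits for MONITOR_REQ_PAM_ACCOUNT whenever it considers the method successful */`. The enclosing userauth_finish / do_authloop bodies start and end outside these hunks.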
>@@ -165,6 +166,7 @@
> {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
> #ifdef USE_PAM
> {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start},
>+ {MONITOR_REQ_PAM_ACCOUNT, 0, mm_answer_pam_account},
> {MONITOR_REQ_PAM_INIT_CTX, MON_ISAUTH, mm_answer_pam_init_ctx},
> {MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query},
> {MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
>@@ -214,6 +216,7 @@
> #endif
> #ifdef USE_PAM
> {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start},
>+ {MONITOR_REQ_PAM_ACCOUNT, 0, mm_answer_pam_account},
> {MONITOR_REQ_PAM_INIT_CTX, MON_ISAUTH, mm_answer_pam_init_ctx},
> {MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query},
> {MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
>@@ -295,6 +298,18 @@
> if (authctxt->pw->pw_uid == 0 &&
> !auth_root_allowed(auth_method))
> authenticated = 0;
>+#ifdef USE_PAM
>+ /* PAM needs to perform account checks after auth */
>+ if (options.use_pam) {
>+ Buffer m;
>+
>+ buffer_init(&m);
>+ mm_request_receive_expect(pmonitor->m_sendfd,
>+ MONITOR_REQ_PAM_ACCOUNT, &m);
>+ authenticated = mm_answer_pam_account(pmonitor->m_sendfd, &m);
>+ buffer_free(&m);
>+ }
>+#endif
> }
> 
> if (ent->flags & MON_AUTHDECIDE) {
>@@ -771,7 +786,26 @@
> 
> xfree(user);
> 
>+ monitor_permit(mon_dispatch, MONITOR_REQ_PAM_ACCOUNT, 1);
>+
> return (0);
>+}
>+
>+int
>+mm_answer_pam_account(int socket, Buffer *m)
>+{
>+ u_int ret;
>+
>+ if (!options.use_pam)
>+ fatal("UsePAM not set, but ended up in %s anyway", __func__);
>+
>+ ret = do_pam_account();
>+
>+ buffer_put_int(m, ret);
>+
>+ mm_request_send(socket, MONITOR_ANS_PAM_ACCOUNT, m);
>+
>+ return (ret);
> }
> 
> static void *sshpam_ctxt, *sshpam_authok;
>Index: monitor.h
>===================================================================
>RCS file: /var/cvs/openssh/monitor.h,v
>retrieving revision 1.14
>diff -u -r1.14 monitor.h
>--- monitor.h 2 Aug 2003 14:17:30 -0000 1.14
>+++ monitor.h 24 Aug 2003 12:44:32 -0000
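Review bot: In the -295 hunk the monitor blocks in mm_request_receive_expect() for MONITOR_REQ_PAM_ACCOUNT whenever `options.use_pam` is set, but the root-login check immediately above may have just cleared `authenticated`, and the child side of this patch (auth1.c/auth2.c) sends the request only while it still considers itself authenticated. When PermitRootLogin denies a root login the monitor will therefore read the child's next request instead and fatal() on the type mismatch, turning a clean authentication failure into a dropped connection. The condition should be `if (options.use_pam && authenticated) {`. The enclosing monitor_child_preauth() starts and ends outside the hunk.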
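Review bot: The `monitor_permit(mon_dispatch, MONITOR_REQ_PAM_ACCOUNT, 1);` added to mm_answer_pam_start in the -771 hunk lets the unprivileged pre-auth child invoke mm_answer_pam_account through the dispatch table at any point after PAM start, although the post-auth path in this same patch calls mm_answer_pam_account directly after mm_request_receive_expect() and does not go through dispatch permissions at all. A compromised child could thus run pam_acct_mgmt() on a handle that has not passed pam_authenticate(), with whatever side effects the account modules have; the MON_AUTHDECIDE check in the caller (outside this hunk) appears to turn a resulting "success" into a fatal, but it is cleaner not to widen the pre-auth surface. Unless something outside this page relies on the out-of-band request, drop the monitor_permit line and leave the dispatch entries unpermitted, or comment why the permit is required. mm_answer_pam_start's body starts outside the hunk.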
>@@ -51,6 +51,7 @@
> MONITOR_REQ_RSARESPONSE, MONITOR_ANS_RSARESPONSE,
> MONITOR_REQ_KRB5, MONITOR_ANS_KRB5,
> MONITOR_REQ_PAM_START,
>+ MONITOR_REQ_PAM_ACCOUNT, MONITOR_ANS_PAM_ACCOUNT,
> MONITOR_REQ_PAM_INIT_CTX, MONITOR_ANS_PAM_INIT_CTX,
> MONITOR_REQ_PAM_QUERY, MONITOR_ANS_PAM_QUERY,
> MONITOR_REQ_PAM_RESPOND, MONITOR_ANS_PAM_RESPOND,
>Index: monitor_wrap.c
>===================================================================
>RCS file: /var/cvs/openssh/monitor_wrap.c,v
>retrieving revision 1.30
>diff -u -r1.30 monitor_wrap.c
>--- monitor_wrap.c 2 Aug 2003 12:24:49 -0000 1.30
>+++ monitor_wrap.c 24 Aug 2003 12:44:32 -0000
>@@ -682,6 +682,30 @@
> buffer_free(&m);
> }
> 
>+u_int
>+mm_do_pam_account(void)
>+{
>+ Buffer m;
>+ u_int ret;
>+
>+ debug3("%s entering", __func__);
>+ if (!options.use_pam)
>+ fatal("UsePAM=no, but ended up in %s anyway", __func__);
>+
>+ buffer_init(&m);
>+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_ACCOUNT, &m);
>+
>+ mm_request_receive_expect(pmonitor->m_recvfd,
>+ MONITOR_ANS_PAM_ACCOUNT, &m);
>+ ret = buffer_get_int(&m);
>+
>+ buffer_free(&m);
>+
>+ debug3("%s returning %d", __func__, ret);
>+
>+ return (ret);
>+}
>+
> void *
> mm_sshpam_init_ctx(Authctxt *authctxt)
> {
>Index: monitor_wrap.h
>===================================================================
>RCS file: /var/cvs/openssh/monitor_wrap.h,v
>retrieving revision 1.12
>diff -u -r1.12 monitor_wrap.h
>--- monitor_wrap.h 2 Aug 2003 12:24:49 -0000 1.12
>+++ monitor_wrap.h 24 Aug 2003 12:44:32 -0000
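Review bot: mm_do_pam_account has no header comment, and since it is the only place in this patch where the child's "authenticated" decision depends on a value read from the monitor, its contract deserves stating. Suggested comment above the definition: `/* Ask the monitor to run pam_acct_mgmt() on the authenticated user. Returns 1 if the account is usable (possibly with a pending password change), 0 if access is denied; the monitor expects this request only after a successful auth method. */`. The `%d` in the trailing debug3 is passed a u_int; `%u` matches the type.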
>@@ -57,6 +57,7 @@
> 
> #ifdef USE_PAM
> void mm_start_pam(char *);
>+u_int mm_do_pam_account(void);
> void *mm_sshpam_init_ctx(struct Authctxt *);
> int mm_sshpam_query(void *, char **, char **, u_int *, char ***, u_int **);
> int mm_sshpam_respond(void *, u_int, char **);
>Index: session.c
>===================================================================
>RCS file: /var/cvs/openssh/session.c,v
>retrieving revision 1.246
>diff -u -r1.246 session.c
>--- session.c 13 Aug 2003 10:31:05 -0000 1.246
>+++ session.c 24 Aug 2003 12:44:32 -0000
>@@ -719,6 +719,11 @@
> if (options.use_pam && is_pam_password_change_required()) {
> print_pam_messages();
> do_pam_chauthtok();
>+
>+ /* Permit forwardings if we succeed here */
>+ no_port_forwarding_flag &= ~2;
>+ no_agent_forwarding_flag &= ~2;
>+ no_x11_forwarding_flag &= ~2;
> }
> #endif
>
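Review bot: The three `&= ~2` lines re-enable forwarding unconditionally once do_pam_chauthtok() returns, so the comment "if we succeed here" holds only as long as do_pam_chauthtok() never returns on a failed password change; the auth-pam.c hunk on this page shows it fatal()ing under privsep, but its pam_chauthtok() failure handling is outside view, and any future change that makes it return an error would silently lift the forwarding restriction for a user whose expired password was not changed. Have do_pam_chauthtok() return a status and gate the clearing on it, e.g. `if (do_pam_chauthtok() == 0) { ... }`, or at minimum reword the comment to say that the call is expected to fatal() on failure. The enclosing do_exec / session setup function starts and ends outside the hunk.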
Flags:
dtucker
:
ok+