- (djm) Make privsep work with PAM (still experimental)
diff --git a/ChangeLog b/ChangeLog
index 4fcc651..c36e89a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,7 @@
 20020423
  - (djm) Bug #222: Fix tests for getaddrinfo on OSF/1. Spotted by
    Robert Urban <urban@spielwiese.de>
+ - (djm) Make privsep work with PAM (still experimental)
 
 20020421
  - (tim) [entropy.c.] Portability fix for SCO Unix 3.2v4.x (SCO OSR 3.0).
@@ -8267,4 +8268,4 @@
  - Wrote replacements for strlcpy and mkdtemp
  - Released 1.0pre1
 
-$Id: ChangeLog,v 1.2062 2002/04/23 10:22:59 djm Exp $
+$Id: ChangeLog,v 1.2063 2002/04/23 10:28:48 djm Exp $
diff --git a/auth-pam.c b/auth-pam.c
index daa83c7..222b358 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -36,7 +36,7 @@
 
 extern char *__progname;
 
-RCSID("$Id: auth-pam.c,v 1.43 2002/04/04 19:02:28 stevesk Exp $");
+RCSID("$Id: auth-pam.c,v 1.44 2002/04/23 10:28:49 djm Exp $");
 
 #define NEW_AUTHTOK_MSG \
 	"Warning: Your password has expired, please change it now"
@@ -249,6 +249,7 @@
 	}
 
 	pam_retval = pam_acct_mgmt(__pamh, 0);
+	debug2("pam_acct_mgmt() = %d", pam_retval);
 	switch (pam_retval) {
 		case PAM_SUCCESS:
 			/* This is what we want */
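Review bot: The new debug2() after pam_acct_mgmt() logs only the raw integer return value, which is hard to interpret in a trace without a PAM header at hand. If the file's PAM_STRERROR wrapper is usable at this point, `debug2("pam_acct_mgmt() = %d (%s)", pam_retval, PAM_STRERROR(__pamh, pam_retval));` records the same fact in readable form. The enclosing function starts and ends outside the hunk.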
diff --git a/auth1.c b/auth1.c
index c2a8936..1f6fcb2 100644
--- a/auth1.c
+++ b/auth1.c
@@ -306,7 +306,8 @@
 			authenticated = 0;
 #endif
 #ifdef USE_PAM
-		if (authenticated && !do_pam_account(pw->pw_name, client_user))
+		if (!use_privsep && authenticated && 
+		    !do_pam_account(pw->pw_name, client_user))
 			authenticated = 0;
 #endif
 
@@ -381,7 +382,7 @@
 	    use_privsep ? " [net]" : "");
 
 #ifdef USE_PAM
-	start_pam(authctxt->pw == NULL ? "NOUSER" : user);
+	PRIVSEP(start_pam(authctxt->pw == NULL ? "NOUSER" : user));
 #endif
 
 	/*
diff --git a/auth2.c b/auth2.c
index eadaa71..4c18d23 100644
--- a/auth2.c
+++ b/auth2.c
@@ -189,12 +189,12 @@
 			authctxt->valid = 1;
 			debug2("input_userauth_request: setting up authctxt for %s", user);
 #ifdef USE_PAM
-			start_pam(authctxt->pw->pw_name);
+			PRIVSEP(start_pam(authctxt->pw->pw_name));
 #endif
 		} else {
 			log("input_userauth_request: illegal user %s", user);
 #ifdef USE_PAM
-			start_pam("NOUSER");
+			PRIVSEP(start_pam("NOUSER"));
 #endif
 		}
 		setproctitle("%s%s", authctxt->pw ? user : "unknown",
@@ -242,8 +242,8 @@
 		authenticated = 0;
 
 #ifdef USE_PAM
-	if (authenticated && authctxt->user && !do_pam_account(authctxt->user,
-	    NULL))
+	if (!use_privsep && authenticated && authctxt->user && 
+	    !do_pam_account(authctxt->user, NULL))
 		authenticated = 0;
 #endif /* USE_PAM */
 
diff --git a/monitor.c b/monitor.c
index b66dc2a..01adabe 100644
--- a/monitor.c
+++ b/monitor.c
@@ -113,6 +113,10 @@
 int mm_answer_sesskey(int, Buffer *);
 int mm_answer_sessid(int, Buffer *);
 
+#ifdef USE_PAM
+int mm_answer_pam_start(int, Buffer *);
+#endif
+
 static Authctxt *authctxt;
 static BIGNUM *ssh1_challenge = NULL;	/* used for ssh1 rsa auth */
 
@@ -143,8 +147,9 @@
     {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
     {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
     {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
-#if !defined(USE_PAM)
     {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
+#ifdef USE_PAM
+    {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start},
 #endif
 #ifdef BSD_AUTH
     {MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
@@ -172,9 +177,7 @@
     {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
     {MONITOR_REQ_SESSKEY, MON_ONCE, mm_answer_sesskey},
     {MONITOR_REQ_SESSID, MON_ONCE, mm_answer_sessid},
-#if !defined(USE_PAM)
     {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
-#endif
     {MONITOR_REQ_RSAKEYALLOWED, MON_ISAUTH, mm_answer_rsa_keyallowed},
     {MONITOR_REQ_KEYALLOWED, MON_ISAUTH, mm_answer_keyallowed},
     {MONITOR_REQ_RSACHALLENGE, MON_ONCE, mm_answer_rsa_challenge},
@@ -260,6 +263,10 @@
 			if (authctxt->pw->pw_uid == 0 &&
 			    !auth_root_allowed(auth_method))
 				authenticated = 0;
+#ifdef USE_PAM
+			if (!do_pam_account(authctxt->pw->pw_name, NULL))
+				authenticated = 0;
+#endif
 		}
 
 		if (ent->flags & MON_AUTHDECIDE) {
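Review bot: The monitor's new do_pam_account() call passes NULL as the second argument, whereas the ssh1 check it replaces (auth1.c, `do_pam_account(pw->pw_name, client_user)`) passed the remote user name; if do_pam_account() uses that argument (for example to set PAM_RUSER), rhosts-rsa sessions under privsep now run the account check without it — confirm against auth-pam.c. The check also relies on this block being reached for every authentication method that ends with `authenticated` set, which cannot be verified from the hunk because the enclosing `if` starts outside it. A comment above the `#ifdef`, such as `/* Under privsep the PAM account check runs here in the monitor; the children skip it (see auth1.c/auth2.c) */`, would explain why the child-side calls were disabled.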
@@ -457,6 +464,9 @@
 	/* Turn on permissions for getpwnam */
 	monitor_permit(mon_dispatch, MONITOR_REQ_PWNAM, 1);
 
+#ifdef USE_PAM
+	monitor_permit(mon_dispatch, MONITOR_REQ_PAM_START, 1);
+#endif
 	return (0);
 }
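Review bot: MONITOR_REQ_PAM_START is permitted in only this one handler, whose name the hunk header does not show; if the ssh1 and ssh2 paths turn on MONITOR_REQ_PWNAM in different handlers (as the "Turn on permissions for getpwnam" comment suggests may be the case), the other protocol's child will be terminated with an unpermitted-request fatal as soon as auth1.c or auth2.c calls PRIVSEP(start_pam()). Issuing the permit once in mm_answer_pwnamallow, which both protocols pass through, avoids that: `monitor_permit(mon_dispatch, MONITOR_REQ_PAM_START, 1);` placed there would also mean the monitor's authctxt->pw is already settled before the request can arrive. The enclosing function starts outside the hunk.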
 
@@ -537,7 +547,6 @@
 	return (0);
 }
 
-#if !defined(USE_PAM)
 int
 mm_answer_authpassword(int socket, Buffer *m)
 {
@@ -566,7 +575,6 @@
 	/* Causes monitor loop to terminate if authenticated */
 	return (authenticated);
 }
-#endif
 
 #ifdef BSD_AUTH
 int
@@ -673,6 +681,22 @@
 }
 #endif
 
+#ifdef USE_PAM
+int
+mm_answer_pam_start(int socket, Buffer *m)
+{
+	char *user;
+	
+	user = buffer_get_string(m, NULL);
+
+	start_pam(user);
+
+	xfree(user);
+
+	return (0);
+}
+#endif
+
 static void
 mm_append_debug(Buffer *m)
 {
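Review bot: mm_answer_pam_start() hands the username received from the unprivileged child straight to start_pam(), so the privileged monitor lets the untrusted side decide which account PAM is initialised for. The monitor holds its own view of the user in the static authctxt (populated by the PWNAM exchange), and the children compute the same value at the call sites (`authctxt->pw == NULL ? "NOUSER" : user`), so the handler can derive it locally with `start_pam(authctxt->pw != NULL ? authctxt->pw->pw_name : "NOUSER");` while still reading and freeing the string from the message (or dropping it from the protocol). Whether authctxt->pw is guaranteed to be set before this request is permitted depends on where the permit is issued, which is not visible here; a strcmp() cross-check against the received name with fatal() on mismatch is the minimal alternative. The MON_ONCE flag on the dispatch entry keeps the child from triggering pam_start() more than once, which is worth stating in a header comment such as `/* Run start_pam() in the monitor; MON_ONCE, so at most one PAM context per session */`.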
diff --git a/monitor.h b/monitor.h
index 681b518..56ec9d9 100644
--- a/monitor.h
+++ b/monitor.h
@@ -48,6 +48,7 @@
 	MONITOR_REQ_RSAKEYALLOWED, MONITOR_ANS_RSAKEYALLOWED,
 	MONITOR_REQ_RSACHALLENGE, MONITOR_ANS_RSACHALLENGE,
 	MONITOR_REQ_RSARESPONSE, MONITOR_ANS_RSARESPONSE,
+	MONITOR_REQ_PAM_START,
 	MONITOR_REQ_TERM,
 };
 
diff --git a/monitor_wrap.c b/monitor_wrap.c
index 53bf59b..0fe5bc1 100644
--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@@ -623,6 +623,23 @@
 	s->ttyfd = -1;
 }
 
+#ifdef USE_PAM
+void
+mm_start_pam(char *user)
+{
+	Buffer m;
+
+	debug3("%s entering", __FUNCTION__);
+
+	buffer_init(&m);
+	buffer_put_cstring(&m, user);
+
+	mm_request_send(monitor->m_recvfd, MONITOR_REQ_PAM_START, &m);
+
+	buffer_free(&m);
+}
+#endif /* USE_PAM */
+
 /* Request process termination */
 
 void
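Review bot: mm_start_pam() sends MONITOR_REQ_PAM_START and returns without waiting for a reply, and nothing in the function says so; if the other mm_* wrappers in this file pair each request with a receive, a reader will expect one here too. A header comment such as `/* Ask the monitor to run start_pam() for user; no answer is expected, the monitor handles failure itself */` makes the contract explicit. The parameter is never written through, so `void mm_start_pam(const char *user)` is the more accurate signature if buffer_put_cstring() accepts a const pointer; the prototype added in monitor_wrap.h would change the same way.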
diff --git a/monitor_wrap.h b/monitor_wrap.h
index fe434d1..975ba05 100644
--- a/monitor_wrap.h
+++ b/monitor_wrap.h
@@ -54,6 +54,10 @@
 int mm_auth_rsa_verify_response(Key *, BIGNUM *, u_char *);
 BIGNUM *mm_auth_rsa_generate_challenge(Key *);
 
+#ifdef USE_PAM
+void mm_start_pam(char *);
+#endif
+
 void mm_terminate(void);
 int mm_pty_allocate(int *, int *, char *, int);
 void mm_session_pty_cleanup2(void *);