- (djm) Make privsep work with PAM (still experimental)
diff --git a/monitor.c b/monitor.c
index b66dc2a..01adabe 100644
--- a/monitor.c
+++ b/monitor.c
@@ -113,6 +113,10 @@
int mm_answer_sesskey(int, Buffer *);
int mm_answer_sessid(int, Buffer *);
+#ifdef USE_PAM
+int mm_answer_pam_start(int, Buffer *);
+#endif
+
static Authctxt *authctxt;
static BIGNUM *ssh1_challenge = NULL; /* used for ssh1 rsa auth */
@@ -143,8 +147,9 @@
{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
-#if !defined(USE_PAM)
{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
+#ifdef USE_PAM
+ {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start},
#endif
#ifdef BSD_AUTH
{MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
@@ -172,9 +177,7 @@
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
{MONITOR_REQ_SESSKEY, MON_ONCE, mm_answer_sesskey},
{MONITOR_REQ_SESSID, MON_ONCE, mm_answer_sessid},
-#if !defined(USE_PAM)
{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
-#endif
{MONITOR_REQ_RSAKEYALLOWED, MON_ISAUTH, mm_answer_rsa_keyallowed},
{MONITOR_REQ_KEYALLOWED, MON_ISAUTH, mm_answer_keyallowed},
{MONITOR_REQ_RSACHALLENGE, MON_ONCE, mm_answer_rsa_challenge},
@@ -260,6 +263,10 @@
if (authctxt->pw->pw_uid == 0 &&
!auth_root_allowed(auth_method))
authenticated = 0;
+#ifdef USE_PAM
+ if (!do_pam_account(authctxt->pw->pw_name, NULL))
+ authenticated = 0;
+#endif
}
if (ent->flags & MON_AUTHDECIDE) {
@@ -457,6 +464,9 @@
/* Turn on permissions for getpwnam */
monitor_permit(mon_dispatch, MONITOR_REQ_PWNAM, 1);
+#ifdef USE_PAM
+ monitor_permit(mon_dispatch, MONITOR_REQ_PAM_START, 1);
+#endif
return (0);
}
@@ -537,7 +547,6 @@
return (0);
}
-#if !defined(USE_PAM)
int
mm_answer_authpassword(int socket, Buffer *m)
{
@@ -566,7 +575,6 @@
/* Causes monitor loop to terminate if authenticated */
return (authenticated);
}
-#endif
#ifdef BSD_AUTH
int
@@ -673,6 +681,22 @@
}
#endif
+#ifdef USE_PAM
+int
+mm_answer_pam_start(int socket, Buffer *m)
+{
+ char *user;
+
+ user = buffer_get_string(m, NULL);
+
+ start_pam(user);
+
+ xfree(user);
+
+ return (0);
+}
+#endif
+
static void
mm_append_debug(Buffer *m)
{