- (djm) Added patch from Chris Adams <cmadams@hiwaay.net> to add OSF SIA
support. Enable using "USE_SIA=1 ./configure [options]"
diff --git a/CREDITS b/CREDITS
index 1774e27..4bcb1ae 100644
--- a/CREDITS
+++ b/CREDITS
@@ -13,6 +13,7 @@
Ben Taylor <bent@clark.net> - Solaris debugging and fixes
Bratislav ILICH <bilic@zepter.ru> - Configure fix
Chip Salzenberg <chip@valinux.com> - Assorted patches
+Chris Adams <cmadams@hiwaay.net> - OSF SIA support
Chris Saia <csaia@wtower.com> - SuSE packaging
Chris, the Young One <cky@pobox.com> - Password auth fixes
Christos Zoulas <christos@zoulas.com> - Autoconf fixes
diff --git a/ChangeLog b/ChangeLog
index 6398238..ea4667a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -4,7 +4,9 @@
- (djm) Patch from Michael Stone <mstone@cs.loyola.edu> to add support for
Irix 6.x array sessions, project id's, and system audit trail id.
- (djm) Added 'distprep' make target to simplify packaging
-
+ - (djm) Added patch from Chris Adams <cmadams@hiwaay.net> to add OSF SIA
+ support. Enable using "USE_SIA=1 ./configure [options]"
+
20000627
- (djm) Fixes to login code - not setting li->uid, cleanups
- (djm) Formatting
diff --git a/acconfig.h b/acconfig.h
index 0a04258..6f37521 100644
--- a/acconfig.h
+++ b/acconfig.h
@@ -148,6 +148,9 @@
/* Define if you want have trusted HPUX */
#undef HAVE_HPUX_TRUSTED_SYSTEM_PW
+/* Define if you have Digital Unix Security Integration Architecture */
+#undef HAVE_OSF_SIA
+
/* Define if you have getpwanam(3) [SunOS 4.x] */
#undef HAVE_GETPWANAM
diff --git a/auth-passwd.c b/auth-passwd.c
index d722122..93756e9 100644
--- a/auth-passwd.c
+++ b/auth-passwd.c
@@ -9,10 +9,10 @@
#include "includes.h"
-#ifndef USE_PAM
-
RCSID("$OpenBSD: auth-passwd.c,v 1.16 2000/06/20 01:39:38 markus Exp $");
+#if !defined(USE_PAM) && !defined(HAVE_OSF_SIA)
+
#include "packet.h"
#include "ssh.h"
#include "servconf.h"
@@ -139,4 +139,4 @@
/* Authentication is accepted if the encrypted passwords are identical. */
return (strcmp(encrypted_password, pw_password) == 0);
}
-#endif /* !USE_PAM */
+#endif /* !USE_PAM && !HAVE_OSF_SIA */
diff --git a/auth1.c b/auth1.c
index 3e7efcb..0d440e5 100644
--- a/auth1.c
+++ b/auth1.c
@@ -18,6 +18,11 @@
#include "auth.h"
#include "session.h"
+#ifdef HAVE_OSF_SIA
+# include <sia.h>
+# include <siad.h>
+#endif
+
/* import */
extern ServerOptions options;
extern char *forced_command;
@@ -141,6 +146,10 @@
unsigned int ulen;
int type = 0;
void (*authlog) (const char *fmt,...) = verbose;
+#ifdef HAVE_OSF_SIA
+ extern int saved_argc;
+ extern char **saved_argv;
+#endif /* HAVE_OSF_SIA */
/* Indicate that authentication is needed. */
packet_start(SSH_SMSG_FAILURE);
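Review bot: The block-scope `extern int saved_argc;` and `extern char **saved_argv;` declarations added here are repeated in ssh2_auth_none() and the password hunk of auth2.c and again in session.c, so nothing checks them against the definitions in sshd.c. Declaring both once in a header that sshd.c also includes would let the compiler catch a type mismatch and would remove the per-function `#ifdef HAVE_OSF_SIA` blocks. The enclosing function starts and ends outside this hunk.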
@@ -299,7 +308,15 @@
#ifdef USE_PAM
/* Do PAM auth with password */
authenticated = auth_pam_password(pw, password);
-#else /* USE_PAM */
+#elif defined(HAVE_OSF_SIA)
+ /* Do SIA auth with password */
+ host = get_canonical_hostname();
+ if (sia_validate_user(NULL, saved_argc, saved_argv,
+ get_canonical_hostname(), pw->pw_name, NULL, 0,
+ NULL, password) == SIASUCCESS) {
+ authenticated = 1;
+ }
+#else /* !USE_PAM && !HAVE_OSF_SIA */
/* Try authentication with the password. */
authenticated = auth_password(pw, password);
#endif /* USE_PAM */
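Review bot: `host = get_canonical_hostname();` in the SIA branch stores into a variable that no hunk of this diff declares, and the stored value is never used because the call is repeated as the fourth argument to sia_validate_user(). Either drop the assignment, or declare a local under `#ifdef HAVE_OSF_SIA` and pass `host` instead of the second `get_canonical_hostname()` call. The start of the enclosing function is outside the hunk; if it has no `host` in scope, the SIA build will not compile. The trailing `#endif /* USE_PAM */` now closes a three-way conditional, so its label could be updated the way auth-passwd.c's was.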
diff --git a/auth2.c b/auth2.c
index a3d4ab6..f20953a 100644
--- a/auth2.c
+++ b/auth2.c
@@ -56,6 +56,11 @@
#include "uidswap.h"
#include "auth-options.h"
+#ifdef HAVE_OSF_SIA
+# include <sia.h>
+# include <siad.h>
+#endif
+
/* import */
extern ServerOptions options;
extern unsigned char *session_id2;
@@ -244,10 +249,20 @@
int
ssh2_auth_none(struct passwd *pw)
{
+#ifdef HAVE_OSF_SIA
+ extern int saved_argc;
+ extern char **saved_argv;
+#endif
+
packet_done();
+
#ifdef USE_PAM
return auth_pam_password(pw, "");
-#else /* USE_PAM */
+#elif defined(HAVE_OSF_SIA)
+ return(sia_validate_user(NULL, saved_argc, saved_argv,
+ get_canonical_hostname(), pw->pw_name, NULL, 0, NULL,
+ "") == SIASUCCESS);
+#else /* !HAVE_OSF_SIA && !USE_PAM */
return auth_password(pw, "");
#endif /* USE_PAM */
}
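Review bot: The SIA branch of ssh2_auth_none() hands an empty password straight to sia_validate_user(), so any sshd-level policy that auth_password() applies before checking a password is not applied on this path. auth_password() is not shown in this diff; if it enforces the server's empty-password and root-login options, the SIA build needs the same checks before the call. That applies here, in the password branch of the @@ -266 hunk below, and in the @@ -299 hunk of auth1.c. A single wrapper, say `auth_sia_password(pw, password)`, that performs those checks and then calls sia_validate_user() would keep the three call sites identical and put the policy in one auditable place.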
@@ -258,6 +273,10 @@
int authenticated = 0;
int change;
unsigned int len;
+#ifdef HAVE_OSF_SIA
+ extern int saved_argc;
+ extern char **saved_argv;
+#endif
change = packet_get_char();
if (change)
log("password change not supported");
@@ -266,7 +285,11 @@
if (options.password_authentication &&
#ifdef USE_PAM
auth_pam_password(pw, password) == 1)
-#else /* USE_PAM */
+#elif defined(HAVE_OSF_SIA)
+ sia_validate_user(NULL, saved_argc, saved_argv,
+ get_canonical_hostname(), pw->pw_name, NULL, 0,
+ NULL, password) == SIASUCCESS)
+#else /* !USE_PAM && !HAVE_OSF_SIA */
auth_password(pw, password) == 1)
#endif /* USE_PAM */
authenticated = 1;
diff --git a/bsd-snprintf.c b/bsd-snprintf.c
index 69534ec..c31fc38 100644
--- a/bsd-snprintf.c
+++ b/bsd-snprintf.c
@@ -126,7 +126,7 @@
char *str;
size_t n;
char *fmt;
- va_list *ap;
+ va_list ap;
{
struct sigaction osa, nsa;
char *p;
diff --git a/bsd-snprintf.h b/bsd-snprintf.h
index 8f24460..6be2047 100644
--- a/bsd-snprintf.h
+++ b/bsd-snprintf.h
@@ -10,7 +10,7 @@
#endif /* !HAVE_SNPRINTF */
#ifndef HAVE_VSNPRINTF
-int vsnprintf(char *str, size_t n, char *fmt, va_list *ap);
+int vsnprintf(char *str, size_t n, char *fmt, va_list ap);
#endif /* !HAVE_SNPRINTF */
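Review bot: The corrected prototype still declares `char *fmt`, while the standard vsnprintf() takes a `const char *` format, so callers passing a const format string get a qualifier warning only when this replacement is in use. `int vsnprintf(char *str, size_t n, const char *fmt, va_list ap);` would match, with the K&R parameter list in bsd-snprintf.c changed in step. The closing `#endif /* !HAVE_SNPRINTF */` also names the wrong macro for the `#ifndef HAVE_VSNPRINTF` block.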
diff --git a/configure.in b/configure.in
index c1bcb34..4dd08c7 100644
--- a/configure.in
+++ b/configure.in
@@ -150,6 +150,20 @@
LIBS="$LIBS -lgen -lsocket"
no_dev_ptmx=1
;;
+*-dec-osf*)
+# This is untested
+ if test ! -z "USE_SIA" ; then
+ AC_MSG_CHECKING(for Digital Unix Security Integration Architecture)
+ if test -f /etc/sia/matrix.conf; then
+ AC_MSG_RESULT(yes)
+ AC_DEFINE(HAVE_OSF_SIA)
+ AC_DEFINE(DISABLE_LOGIN)
+ LIBS="$LIBS -lsecurity -ldb -lm -laud"
+ else
+ AC_MSG_RESULT(no)
+ fi
+ fi
+ ;;
esac
# Allow user to specify flags
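Review bot: `test ! -z "USE_SIA"` tests the literal string USE_SIA, which is never empty, so the SIA probe runs on every *-dec-osf* build and the documented `USE_SIA=1 ./configure` opt-in has no effect. The condition should read `if test ! -z "$USE_SIA" ; then`. Because the branch also defines DISABLE_LOGIN and switches the password path to SIA, an unintended enable changes authentication behaviour on any host that has /etc/sia/matrix.conf. That matters given that the branch is marked `# This is untested`.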
diff --git a/session.c b/session.c
index 1e22f47..ca4a994 100644
--- a/session.c
+++ b/session.c
@@ -32,6 +32,11 @@
#include <proj.h>
#endif /* WITH_IRIX_PROJECT */
+#ifdef HAVE_OSF_SIA
+# include <sia.h>
+# include <siad.h>
+#endif
+
/* types */
#define TTYSZ 64
@@ -823,14 +828,32 @@
}
#endif /* USE_PAM */
+#ifndef HAVE_OSF_SIA
/* Set login name in the kernel. */
if (setlogin(pw->pw_name) < 0)
error("setlogin failed: %s", strerror(errno));
+#endif
/* Set uid, gid, and groups. */
/* Login(1) does this as well, and it needs uid 0 for the "-h"
switch, so we let login(1) to this for us. */
if (!options.use_login) {
+#ifdef HAVE_OSF_SIA
+ extern char **saved_argv;
+ extern int saved_argc;
+ char *host = get_canonical_hostname ();
+
+ if (sia_become_user(NULL, saved_argc, saved_argv, host,
+ pw->pw_name, ttyname, 0, NULL, NULL, SIA_BEU_SETLUID) !=
+ SIASUCCESS) {
+ perror("sia_become_user");
+ exit(1);
+ }
+ if (setreuid(geteuid(), geteuid()) < 0) {
+ perror("setreuid");
+ exit(1);
+ }
+#else /* HAVE_OSF_SIA */
if (getuid() == 0 || geteuid() == 0) {
if (setgid(pw->pw_gid) < 0) {
perror("setgid");
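Review bot: The SIA branch never confirms that the process ended up running as the target user. After sia_become_user() it calls `setreuid(geteuid(), geteuid())`, which only sets the real uid to whatever effective uid SIA left. The existing `getuid() != pw->pw_uid || geteuid() != pw->pw_uid` check stays on the `#else` side, because the following @@ -867 hunk places `#endif /* HAVE_OSF_SIA */` after it. Moving that `#endif` above the check, so that `fatal("Failed to set uids to %d.", (int) pw->pw_uid);` guards both branches, would stop a session from continuing with unexpected privileges if SIA reports success without switching uid. A short comment on the `#ifndef HAVE_OSF_SIA` around setlogin() saying why it is skipped would also help, since the reason is not visible in the diff.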
@@ -867,6 +890,7 @@
}
if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
fatal("Failed to set uids to %d.", (int) pw->pw_uid);
+#endif /* HAVE_OSF_SIA */
}
/*
* Get the shell from the password data. An empty shell field is
diff --git a/sshd.c b/sshd.c
index 32a6fac..a4749fb 100644
--- a/sshd.c
+++ b/sshd.c
@@ -88,6 +88,7 @@
/* Saved arguments to main(). */
char **saved_argv;
+int saved_argc;
/*
* The sockets that the server is listening; this is used in the SIGHUP
@@ -422,6 +423,7 @@
int listen_sock, maxfd;
/* Save argv[0]. */
+ saved_argc = ac;
saved_argv = av;
if (strchr(av[0], '/'))
av0 = strrchr(av[0], '/') + 1;