blob: 490990dece5fcf38186fa30e855f749f05f805be [file] [log] [blame]
Damien Millere72b7af1999-12-30 15:08:44 +11001/*
Damien Millere69f18c2000-06-12 16:38:54 +10002 * Copyright (c) 2000 Damien Miller. All rights reserved.
3 *
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
6 * are met:
7 * 1. Redistributions of source code must retain the above copyright
8 * notice, this list of conditions and the following disclaimer.
9 * 2. Redistributions in binary form must reproduce the above copyright
10 * notice, this list of conditions and the following disclaimer in the
11 * documentation and/or other materials provided with the distribution.
Damien Millere69f18c2000-06-12 16:38:54 +100012 *
13 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
14 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
15 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
16 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
17 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
18 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
19 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
20 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
21 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
22 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Damien Millere72b7af1999-12-30 15:08:44 +110023 */
24
25#include "includes.h"
26
27#ifdef USE_PAM
28#include "ssh.h"
29#include "xmalloc.h"
Ben Lindstrom226cfa02001-01-22 05:34:40 +000030#include "log.h"
Kevin Stevese683e762002-04-04 19:02:28 +000031#include "auth.h"
Damien Miller63dc3e92001-02-07 12:58:33 +110032#include "auth-pam.h"
Damien Millere72b7af1999-12-30 15:08:44 +110033#include "servconf.h"
Ben Lindstrom226cfa02001-01-22 05:34:40 +000034#include "canohost.h"
35#include "readpass.h"
Damien Millere72b7af1999-12-30 15:08:44 +110036
Kevin Steves85ecbe72001-04-20 17:43:47 +000037extern char *__progname;
38
Damien Millerf762a4b2002-05-08 12:27:55 +100039RCSID("$Id: auth-pam.c,v 1.46 2002/05/08 02:27:56 djm Exp $");
Damien Miller2f6a0ad2000-05-31 11:20:11 +100040
41#define NEW_AUTHTOK_MSG \
Damien Miller9d5705a2000-09-16 16:09:27 +110042 "Warning: Your password has expired, please change it now"
Damien Millere72b7af1999-12-30 15:08:44 +110043
Damien Miller63dc3e92001-02-07 12:58:33 +110044static int do_pam_conversation(int num_msg, const struct pam_message **msg,
45 struct pam_response **resp, void *appdata_ptr);
Damien Millere72b7af1999-12-30 15:08:44 +110046
47/* module-local variables */
48static struct pam_conv conv = {
Damien Miller63dc3e92001-02-07 12:58:33 +110049 do_pam_conversation,
Damien Millere72b7af1999-12-30 15:08:44 +110050 NULL
51};
Damien Miller646aa602001-02-15 11:51:32 +110052static char *__pam_msg = NULL;
53static pam_handle_t *__pamh = NULL;
54static const char *__pampasswd = NULL;
Damien Millere72b7af1999-12-30 15:08:44 +110055
Damien Miller63dc3e92001-02-07 12:58:33 +110056/* states for do_pam_conversation() */
Damien Millerb8481582000-12-03 11:51:51 +110057enum { INITIAL_LOGIN, OTHER } pamstate = INITIAL_LOGIN;
Damien Miller9d5705a2000-09-16 16:09:27 +110058/* remember whether pam_acct_mgmt() returned PAM_NEWAUTHTOK_REQD */
59static int password_change_required = 0;
Damien Millerb8481582000-12-03 11:51:51 +110060/* remember whether the last pam_authenticate() succeeded or not */
61static int was_authenticated = 0;
62
Damien Miller646aa602001-02-15 11:51:32 +110063/* Remember what has been initialised */
64static int session_opened = 0;
65static int creds_set = 0;
66
Damien Millerb8481582000-12-03 11:51:51 +110067/* accessor which allows us to switch conversation structs according to
68 * the authentication method being used */
Damien Miller646aa602001-02-15 11:51:32 +110069void do_pam_set_conv(struct pam_conv *conv)
Damien Millerb8481582000-12-03 11:51:51 +110070{
Damien Miller646aa602001-02-15 11:51:32 +110071 pam_set_item(__pamh, PAM_CONV, conv);
Damien Millerb8481582000-12-03 11:51:51 +110072}
73
74/* start an authentication run */
75int do_pam_authenticate(int flags)
76{
Damien Miller646aa602001-02-15 11:51:32 +110077 int retval = pam_authenticate(__pamh, flags);
Damien Millerb8481582000-12-03 11:51:51 +110078 was_authenticated = (retval == PAM_SUCCESS);
79 return retval;
80}
Damien Miller9d5705a2000-09-16 16:09:27 +110081
82/*
83 * PAM conversation function.
84 * There are two states this can run in.
85 *
86 * INITIAL_LOGIN mode simply feeds the password from the client into
87 * PAM in response to PAM_PROMPT_ECHO_OFF, and collects output
Damien Miller646aa602001-02-15 11:51:32 +110088 * messages with into __pam_msg. This is used during initial
Damien Miller9d5705a2000-09-16 16:09:27 +110089 * authentication to bypass the normal PAM password prompt.
90 *
Damien Miller09256482001-10-28 22:36:55 +110091 * OTHER mode handles PAM_PROMPT_ECHO_OFF with read_passphrase()
Damien Miller9d5705a2000-09-16 16:09:27 +110092 * and outputs messages to stderr. This mode is used if pam_chauthtok()
93 * is called to update expired passwords.
94 */
Damien Miller63dc3e92001-02-07 12:58:33 +110095static int do_pam_conversation(int num_msg, const struct pam_message **msg,
Damien Millere72b7af1999-12-30 15:08:44 +110096 struct pam_response **resp, void *appdata_ptr)
97{
98 struct pam_response *reply;
99 int count;
Damien Miller9d5705a2000-09-16 16:09:27 +1100100 char buf[1024];
Damien Millere72b7af1999-12-30 15:08:44 +1100101
102 /* PAM will free this later */
103 reply = malloc(num_msg * sizeof(*reply));
104 if (reply == NULL)
Kevin Stevesef4eea92001-02-05 12:42:17 +0000105 return PAM_CONV_ERR;
Damien Millere72b7af1999-12-30 15:08:44 +1100106
Damien Miller9d5705a2000-09-16 16:09:27 +1100107 for (count = 0; count < num_msg; count++) {
Damien Miller63dc3e92001-02-07 12:58:33 +1100108 if (pamstate == INITIAL_LOGIN) {
109 /*
110 * We can't use stdio yet, queue messages for
111 * printing later
112 */
113 switch(PAM_MSG_MEMBER(msg, count, msg_style)) {
Damien Miller9d5705a2000-09-16 16:09:27 +1100114 case PAM_PROMPT_ECHO_ON:
Damien Miller63dc3e92001-02-07 12:58:33 +1100115 free(reply);
116 return PAM_CONV_ERR;
117 case PAM_PROMPT_ECHO_OFF:
Damien Miller646aa602001-02-15 11:51:32 +1100118 if (__pampasswd == NULL) {
Damien Miller60819b42000-10-14 11:16:12 +1100119 free(reply);
120 return PAM_CONV_ERR;
Damien Miller60819b42000-10-14 11:16:12 +1100121 }
Damien Miller646aa602001-02-15 11:51:32 +1100122 reply[count].resp = xstrdup(__pampasswd);
Damien Millere72b7af1999-12-30 15:08:44 +1100123 reply[count].resp_retcode = PAM_SUCCESS;
Damien Miller9d5705a2000-09-16 16:09:27 +1100124 break;
125 case PAM_ERROR_MSG:
126 case PAM_TEXT_INFO:
127 if ((*msg)[count].msg != NULL) {
Damien Miller646aa602001-02-15 11:51:32 +1100128 message_cat(&__pam_msg,
Damien Miller63dc3e92001-02-07 12:58:33 +1100129 PAM_MSG_MEMBER(msg, count, msg));
Damien Miller9d5705a2000-09-16 16:09:27 +1100130 }
Damien Millere72b7af1999-12-30 15:08:44 +1100131 reply[count].resp = xstrdup("");
Damien Miller9d5705a2000-09-16 16:09:27 +1100132 reply[count].resp_retcode = PAM_SUCCESS;
Damien Millere72b7af1999-12-30 15:08:44 +1100133 break;
Damien Millere72b7af1999-12-30 15:08:44 +1100134 default:
135 free(reply);
136 return PAM_CONV_ERR;
Damien Miller63dc3e92001-02-07 12:58:33 +1100137 }
138 } else {
139 /*
140 * stdio is connected, so interact directly
141 */
142 switch(PAM_MSG_MEMBER(msg, count, msg_style)) {
143 case PAM_PROMPT_ECHO_ON:
144 fputs(PAM_MSG_MEMBER(msg, count, msg), stderr);
145 fgets(buf, sizeof(buf), stdin);
146 reply[count].resp = xstrdup(buf);
147 reply[count].resp_retcode = PAM_SUCCESS;
148 break;
149 case PAM_PROMPT_ECHO_OFF:
Damien Miller09256482001-10-28 22:36:55 +1100150 reply[count].resp =
Kevin Stevesfe2f4a12001-10-28 17:32:38 +0000151 read_passphrase(PAM_MSG_MEMBER(msg, count,
152 msg), RP_ALLOW_STDIN);
Damien Miller63dc3e92001-02-07 12:58:33 +1100153 reply[count].resp_retcode = PAM_SUCCESS;
154 break;
155 case PAM_ERROR_MSG:
156 case PAM_TEXT_INFO:
157 if ((*msg)[count].msg != NULL)
158 fprintf(stderr, "%s\n",
159 PAM_MSG_MEMBER(msg, count, msg));
160 reply[count].resp = xstrdup("");
161 reply[count].resp_retcode = PAM_SUCCESS;
162 break;
163 default:
164 free(reply);
165 return PAM_CONV_ERR;
166 }
Damien Millere72b7af1999-12-30 15:08:44 +1100167 }
168 }
169
170 *resp = reply;
171
172 return PAM_SUCCESS;
173}
174
175/* Called at exit to cleanly shutdown PAM */
Damien Miller646aa602001-02-15 11:51:32 +1100176void do_pam_cleanup_proc(void *context)
Damien Millere72b7af1999-12-30 15:08:44 +1100177{
Damien Miller2e9adb22001-03-21 12:16:24 +1100178 int pam_retval = PAM_SUCCESS;
Damien Millere72b7af1999-12-30 15:08:44 +1100179
Damien Miller646aa602001-02-15 11:51:32 +1100180 if (__pamh && session_opened) {
181 pam_retval = pam_close_session(__pamh, 0);
Damien Miller63dc3e92001-02-07 12:58:33 +1100182 if (pam_retval != PAM_SUCCESS)
Kevin Stevesef4eea92001-02-05 12:42:17 +0000183 log("Cannot close PAM session[%d]: %.200s",
Damien Miller646aa602001-02-15 11:51:32 +1100184 pam_retval, PAM_STRERROR(__pamh, pam_retval));
Damien Miller3dfeee42001-02-14 00:43:55 +1100185 }
Damien Millere72b7af1999-12-30 15:08:44 +1100186
Damien Miller646aa602001-02-15 11:51:32 +1100187 if (__pamh && creds_set) {
188 pam_retval = pam_setcred(__pamh, PAM_DELETE_CRED);
Damien Miller63dc3e92001-02-07 12:58:33 +1100189 if (pam_retval != PAM_SUCCESS)
190 debug("Cannot delete credentials[%d]: %.200s",
Damien Miller646aa602001-02-15 11:51:32 +1100191 pam_retval, PAM_STRERROR(__pamh, pam_retval));
Damien Miller3dfeee42001-02-14 00:43:55 +1100192 }
Damien Millere72b7af1999-12-30 15:08:44 +1100193
Damien Miller646aa602001-02-15 11:51:32 +1100194 if (__pamh) {
195 pam_retval = pam_end(__pamh, pam_retval);
Damien Miller63dc3e92001-02-07 12:58:33 +1100196 if (pam_retval != PAM_SUCCESS)
Kevin Stevesef4eea92001-02-05 12:42:17 +0000197 log("Cannot release PAM authentication[%d]: %.200s",
Damien Miller646aa602001-02-15 11:51:32 +1100198 pam_retval, PAM_STRERROR(__pamh, pam_retval));
Damien Millere72b7af1999-12-30 15:08:44 +1100199 }
200}
201
202/* Attempt password authentation using PAM */
Kevin Stevese683e762002-04-04 19:02:28 +0000203int auth_pam_password(Authctxt *authctxt, const char *password)
Damien Millere72b7af1999-12-30 15:08:44 +1100204{
205 extern ServerOptions options;
206 int pam_retval;
Kevin Stevese683e762002-04-04 19:02:28 +0000207 struct passwd *pw = authctxt->pw;
Damien Millere72b7af1999-12-30 15:08:44 +1100208
Damien Miller646aa602001-02-15 11:51:32 +1100209 do_pam_set_conv(&conv);
Damien Millerb8481582000-12-03 11:51:51 +1100210
Damien Millere72b7af1999-12-30 15:08:44 +1100211 /* deny if no user. */
212 if (pw == NULL)
213 return 0;
Kevin Steves706e7a92001-04-23 18:38:37 +0000214 if (pw->pw_uid == 0 && options.permit_root_login == PERMIT_NO_PASSWD)
Damien Millere72b7af1999-12-30 15:08:44 +1100215 return 0;
216 if (*password == '\0' && options.permit_empty_passwd == 0)
217 return 0;
218
Damien Miller646aa602001-02-15 11:51:32 +1100219 __pampasswd = password;
Kevin Stevesef4eea92001-02-05 12:42:17 +0000220
Damien Miller9d5705a2000-09-16 16:09:27 +1100221 pamstate = INITIAL_LOGIN;
Kevin Stevesde77b462001-11-09 20:22:16 +0000222 pam_retval = do_pam_authenticate(
223 options.permit_empty_passwd == 0 ? PAM_DISALLOW_NULL_AUTHTOK : 0);
Damien Millere72b7af1999-12-30 15:08:44 +1100224 if (pam_retval == PAM_SUCCESS) {
Damien Miller63dc3e92001-02-07 12:58:33 +1100225 debug("PAM Password authentication accepted for "
226 "user \"%.100s\"", pw->pw_name);
Damien Millere72b7af1999-12-30 15:08:44 +1100227 return 1;
228 } else {
Damien Miller63dc3e92001-02-07 12:58:33 +1100229 debug("PAM Password authentication for \"%.100s\" "
230 "failed[%d]: %s", pw->pw_name, pam_retval,
Damien Miller646aa602001-02-15 11:51:32 +1100231 PAM_STRERROR(__pamh, pam_retval));
Damien Millere72b7af1999-12-30 15:08:44 +1100232 return 0;
233 }
234}
235
236/* Do account management using PAM */
237int do_pam_account(char *username, char *remote_user)
238{
239 int pam_retval;
Kevin Stevesef4eea92001-02-05 12:42:17 +0000240
Damien Miller646aa602001-02-15 11:51:32 +1100241 do_pam_set_conv(&conv);
Damien Miller63dc3e92001-02-07 12:58:33 +1100242
Damien Miller63dc3e92001-02-07 12:58:33 +1100243 if (remote_user) {
Damien Millere72b7af1999-12-30 15:08:44 +1100244 debug("PAM setting ruser to \"%.200s\"", remote_user);
Damien Miller646aa602001-02-15 11:51:32 +1100245 pam_retval = pam_set_item(__pamh, PAM_RUSER, remote_user);
Damien Miller63dc3e92001-02-07 12:58:33 +1100246 if (pam_retval != PAM_SUCCESS)
247 fatal("PAM set ruser failed[%d]: %.200s", pam_retval,
Damien Miller646aa602001-02-15 11:51:32 +1100248 PAM_STRERROR(__pamh, pam_retval));
Damien Millere72b7af1999-12-30 15:08:44 +1100249 }
250
Damien Miller646aa602001-02-15 11:51:32 +1100251 pam_retval = pam_acct_mgmt(__pamh, 0);
Damien Miller79418552002-04-23 20:28:48 +1000252 debug2("pam_acct_mgmt() = %d", pam_retval);
Damien Miller2f6a0ad2000-05-31 11:20:11 +1000253 switch (pam_retval) {
254 case PAM_SUCCESS:
255 /* This is what we want */
256 break;
Damien Millerae9d5af2002-04-26 11:27:24 +1000257#if 0
Damien Miller2f6a0ad2000-05-31 11:20:11 +1000258 case PAM_NEW_AUTHTOK_REQD:
Damien Miller646aa602001-02-15 11:51:32 +1100259 message_cat(&__pam_msg, NEW_AUTHTOK_MSG);
Damien Miller9d5705a2000-09-16 16:09:27 +1100260 /* flag that password change is necessary */
261 password_change_required = 1;
Damien Miller2f6a0ad2000-05-31 11:20:11 +1000262 break;
Damien Millerae9d5af2002-04-26 11:27:24 +1000263#endif
Damien Miller2f6a0ad2000-05-31 11:20:11 +1000264 default:
Damien Miller63dc3e92001-02-07 12:58:33 +1100265 log("PAM rejected by account configuration[%d]: "
Damien Miller646aa602001-02-15 11:51:32 +1100266 "%.200s", pam_retval, PAM_STRERROR(__pamh,
Damien Miller63dc3e92001-02-07 12:58:33 +1100267 pam_retval));
Damien Miller2f6a0ad2000-05-31 11:20:11 +1000268 return(0);
Damien Millere72b7af1999-12-30 15:08:44 +1100269 }
Kevin Stevesef4eea92001-02-05 12:42:17 +0000270
Damien Millere72b7af1999-12-30 15:08:44 +1100271 return(1);
272}
273
274/* Do PAM-specific session initialisation */
Damien Miller3e955e72000-01-27 10:55:38 +1100275void do_pam_session(char *username, const char *ttyname)
Damien Millere72b7af1999-12-30 15:08:44 +1100276{
277 int pam_retval;
278
Damien Miller882c2ee2001-03-01 09:18:57 +1100279 do_pam_set_conv(&conv);
280
Damien Millere72b7af1999-12-30 15:08:44 +1100281 if (ttyname != NULL) {
282 debug("PAM setting tty to \"%.200s\"", ttyname);
Damien Miller646aa602001-02-15 11:51:32 +1100283 pam_retval = pam_set_item(__pamh, PAM_TTY, ttyname);
Damien Miller63dc3e92001-02-07 12:58:33 +1100284 if (pam_retval != PAM_SUCCESS)
Kevin Stevesef4eea92001-02-05 12:42:17 +0000285 fatal("PAM set tty failed[%d]: %.200s",
Damien Miller646aa602001-02-15 11:51:32 +1100286 pam_retval, PAM_STRERROR(__pamh, pam_retval));
Damien Millere72b7af1999-12-30 15:08:44 +1100287 }
288
Damien Miller646aa602001-02-15 11:51:32 +1100289 pam_retval = pam_open_session(__pamh, 0);
Damien Miller63dc3e92001-02-07 12:58:33 +1100290 if (pam_retval != PAM_SUCCESS)
Kevin Stevesef4eea92001-02-05 12:42:17 +0000291 fatal("PAM session setup failed[%d]: %.200s",
Damien Miller646aa602001-02-15 11:51:32 +1100292 pam_retval, PAM_STRERROR(__pamh, pam_retval));
Damien Miller31a501d2001-02-27 09:20:48 +1100293
Damien Miller3dfeee42001-02-14 00:43:55 +1100294 session_opened = 1;
Damien Millere72b7af1999-12-30 15:08:44 +1100295}
296
Kevin Stevesef4eea92001-02-05 12:42:17 +0000297/* Set PAM credentials */
Damien Millerf9e93002001-03-27 16:12:24 +1000298void do_pam_setcred(int init)
Damien Millere72b7af1999-12-30 15:08:44 +1100299{
300 int pam_retval;
Kevin Stevesef4eea92001-02-05 12:42:17 +0000301
Damien Millerf762a4b2002-05-08 12:27:55 +1000302 if (__pamh == NULL)
303 return;
304
Damien Miller882c2ee2001-03-01 09:18:57 +1100305 do_pam_set_conv(&conv);
306
Damien Millere72b7af1999-12-30 15:08:44 +1100307 debug("PAM establishing creds");
Damien Millerf9e93002001-03-27 16:12:24 +1000308 pam_retval = pam_setcred(__pamh,
309 init ? PAM_ESTABLISH_CRED : PAM_REINITIALIZE_CRED);
Damien Miller2f6a0ad2000-05-31 11:20:11 +1000310 if (pam_retval != PAM_SUCCESS) {
Damien Miller63dc3e92001-02-07 12:58:33 +1100311 if (was_authenticated)
Kevin Stevesef4eea92001-02-05 12:42:17 +0000312 fatal("PAM setcred failed[%d]: %.200s",
Damien Miller646aa602001-02-15 11:51:32 +1100313 pam_retval, PAM_STRERROR(__pamh, pam_retval));
Damien Miller63dc3e92001-02-07 12:58:33 +1100314 else
Kevin Stevesef4eea92001-02-05 12:42:17 +0000315 debug("PAM setcred failed[%d]: %.200s",
Damien Miller646aa602001-02-15 11:51:32 +1100316 pam_retval, PAM_STRERROR(__pamh, pam_retval));
Damien Miller3dfeee42001-02-14 00:43:55 +1100317 } else
318 creds_set = 1;
Damien Miller9d5705a2000-09-16 16:09:27 +1100319}
320
Kevin Steves092f2ef2000-10-14 13:36:13 +0000321/* accessor function for file scope static variable */
Damien Miller646aa602001-02-15 11:51:32 +1100322int is_pam_password_change_required(void)
Kevin Steves092f2ef2000-10-14 13:36:13 +0000323{
324 return password_change_required;
325}
326
Kevin Stevesef4eea92001-02-05 12:42:17 +0000327/*
Damien Miller9d5705a2000-09-16 16:09:27 +1100328 * Have user change authentication token if pam_acct_mgmt() indicated
329 * it was expired. This needs to be called after an interactive
330 * session is established and the user's pty is connected to
331 * stdin/stout/stderr.
332 */
Kevin Steves6beac8c2000-10-14 15:08:49 +0000333void do_pam_chauthtok(void)
Damien Miller9d5705a2000-09-16 16:09:27 +1100334{
335 int pam_retval;
336
Damien Miller882c2ee2001-03-01 09:18:57 +1100337 do_pam_set_conv(&conv);
338
Damien Miller9d5705a2000-09-16 16:09:27 +1100339 if (password_change_required) {
340 pamstate = OTHER;
Damien Millerec7e1b12001-03-21 13:01:35 +1100341 pam_retval = pam_chauthtok(__pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
342 if (pam_retval != PAM_SUCCESS)
343 fatal("PAM pam_chauthtok failed[%d]: %.200s",
344 pam_retval, PAM_STRERROR(__pamh, pam_retval));
Damien Miller2f6a0ad2000-05-31 11:20:11 +1000345 }
Damien Millere72b7af1999-12-30 15:08:44 +1100346}
347
348/* Cleanly shutdown PAM */
349void finish_pam(void)
350{
Damien Miller646aa602001-02-15 11:51:32 +1100351 do_pam_cleanup_proc(NULL);
352 fatal_remove_cleanup(&do_pam_cleanup_proc, NULL);
Damien Millere72b7af1999-12-30 15:08:44 +1100353}
354
355/* Start PAM authentication for specified account */
Damien Miller22e22bf2001-01-19 15:46:38 +1100356void start_pam(const char *user)
Damien Millere72b7af1999-12-30 15:08:44 +1100357{
358 int pam_retval;
Damien Millerac2b1a52001-02-11 22:39:19 +1100359 extern ServerOptions options;
Kevin Steves5f3b9b92001-04-23 17:28:28 +0000360 extern u_int utmp_len;
361 const char *rhost;
Damien Millere72b7af1999-12-30 15:08:44 +1100362
Damien Miller22e22bf2001-01-19 15:46:38 +1100363 debug("Starting up PAM with username \"%.200s\"", user);
Damien Millere72b7af1999-12-30 15:08:44 +1100364
Damien Miller646aa602001-02-15 11:51:32 +1100365 pam_retval = pam_start(SSHD_PAM_SERVICE, user, &conv, &__pamh);
Damien Millere72b7af1999-12-30 15:08:44 +1100366
Damien Miller63dc3e92001-02-07 12:58:33 +1100367 if (pam_retval != PAM_SUCCESS)
Kevin Stevesef4eea92001-02-05 12:42:17 +0000368 fatal("PAM initialisation failed[%d]: %.200s",
Damien Miller646aa602001-02-15 11:51:32 +1100369 pam_retval, PAM_STRERROR(__pamh, pam_retval));
Damien Millerbd5817d2001-02-11 22:35:11 +1100370
Damien Millerf3451a22002-02-05 12:40:46 +1100371 rhost = get_remote_name_or_ip(utmp_len, options.verify_reverse_mapping);
Kevin Steves5f3b9b92001-04-23 17:28:28 +0000372 debug("PAM setting rhost to \"%.200s\"", rhost);
373
374 pam_retval = pam_set_item(__pamh, PAM_RHOST, rhost);
Damien Millerbd5817d2001-02-11 22:35:11 +1100375 if (pam_retval != PAM_SUCCESS)
376 fatal("PAM set rhost failed[%d]: %.200s", pam_retval,
Damien Miller646aa602001-02-15 11:51:32 +1100377 PAM_STRERROR(__pamh, pam_retval));
Damien Miller4e997202000-07-09 21:21:52 +1000378#ifdef PAM_TTY_KLUDGE
Damien Millerc19fd5f2000-06-22 21:44:54 +1000379 /*
380 * Some PAM modules (e.g. pam_time) require a TTY to operate,
Kevin Stevesef4eea92001-02-05 12:42:17 +0000381 * and will fail in various stupid ways if they don't get one.
Damien Millerc19fd5f2000-06-22 21:44:54 +1000382 * sshd doesn't set the tty until too late in the auth process and may
383 * not even need one (for tty-less connections)
Kevin Stevesef4eea92001-02-05 12:42:17 +0000384 * Kludge: Set a fake PAM_TTY
Damien Millerc19fd5f2000-06-22 21:44:54 +1000385 */
Damien Miller33cdd9e2001-10-28 22:33:48 +1100386 pam_retval = pam_set_item(__pamh, PAM_TTY, "NODEVssh");
Damien Miller63dc3e92001-02-07 12:58:33 +1100387 if (pam_retval != PAM_SUCCESS)
Kevin Stevesef4eea92001-02-05 12:42:17 +0000388 fatal("PAM set tty failed[%d]: %.200s",
Damien Miller646aa602001-02-15 11:51:32 +1100389 pam_retval, PAM_STRERROR(__pamh, pam_retval));
Damien Miller4e997202000-07-09 21:21:52 +1000390#endif /* PAM_TTY_KLUDGE */
Damien Miller7b22d652000-06-18 14:07:04 +1000391
Damien Miller646aa602001-02-15 11:51:32 +1100392 fatal_add_cleanup(&do_pam_cleanup_proc, NULL);
Damien Millere72b7af1999-12-30 15:08:44 +1100393}
394
395/* Return list of PAM enviornment strings */
396char **fetch_pam_environment(void)
397{
Damien Miller1bead332000-04-30 00:47:29 +1000398#ifdef HAVE_PAM_GETENVLIST
Damien Miller646aa602001-02-15 11:51:32 +1100399 return(pam_getenvlist(__pamh));
Damien Miller1bead332000-04-30 00:47:29 +1000400#else /* HAVE_PAM_GETENVLIST */
401 return(NULL);
402#endif /* HAVE_PAM_GETENVLIST */
Damien Millere72b7af1999-12-30 15:08:44 +1100403}
404
405/* Print any messages that have been generated during authentication */
406/* or account checking to stderr */
407void print_pam_messages(void)
408{
Damien Miller646aa602001-02-15 11:51:32 +1100409 if (__pam_msg != NULL)
410 fputs(__pam_msg, stderr);
Damien Miller2f6a0ad2000-05-31 11:20:11 +1000411}
412
Damien Miller63dc3e92001-02-07 12:58:33 +1100413/* Append a message to buffer */
414void message_cat(char **p, const char *a)
Damien Miller2f6a0ad2000-05-31 11:20:11 +1000415{
Damien Miller63dc3e92001-02-07 12:58:33 +1100416 char *cp;
417 size_t new_len;
Kevin Stevesef4eea92001-02-05 12:42:17 +0000418
Damien Miller63dc3e92001-02-07 12:58:33 +1100419 new_len = strlen(a);
Kevin Stevesef4eea92001-02-05 12:42:17 +0000420
Damien Miller63dc3e92001-02-07 12:58:33 +1100421 if (*p) {
422 size_t len = strlen(*p);
Damien Miller2f6a0ad2000-05-31 11:20:11 +1000423
Damien Miller63dc3e92001-02-07 12:58:33 +1100424 *p = xrealloc(*p, new_len + len + 2);
425 cp = *p + len;
426 } else
427 *p = cp = xmalloc(new_len + 2);
428
429 memcpy(cp, a, new_len);
430 cp[new_len] = '\n';
431 cp[new_len + 1] = '\0';
Damien Millere72b7af1999-12-30 15:08:44 +1100432}
433
434#endif /* USE_PAM */