author | Rich Burridge <rich.burridge@oracle.com> |
Fri, 30 Oct 2015 15:07:45 -0700 | |
changeset 5036 | 06e4fcc325a1 |
parent 4503 | bf30d46ab06e |
child 7649 | 69d7508f0d66 |
permissions | -rw-r--r-- |
1979
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
1 |
# |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
2 |
# This patch contains a couple of PAM enhancements: |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
3 |
# 1) Each SSHv2 userauth method has its own PAM service name so that PAM can |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
4 |
# be used to control what userauth methods are allowed. |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
5 |
# 2) The PAMServiceName and PAMServicePrefix options. |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
6 |
# |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
7 |
# We have contributed back this feature to the OpenSSH upstream community. |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
8 |
# For more information, see https://bugzilla.mindrot.org/show_bug.cgi?id=2246 |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
9 |
# In the future, if these enhancements are accepted by the upsteam in a |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
10 |
# later release, we will remove this patch when we upgrade to that release. |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
11 |
# |
4503
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
12 |
diff -pur old/auth-pam.c new/auth-pam.c |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
13 |
--- old/auth-pam.c 2015-04-28 06:15:57.335765454 -0700 |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
14 |
+++ new/auth-pam.c 2015-04-28 06:15:57.417753483 -0700 |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
15 |
@@ -617,6 +617,72 @@ sshpam_cleanup(void) |
1979
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
16 |
sshpam_handle = NULL; |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
17 |
} |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
18 |
|
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
19 |
+#ifdef PAM_ENHANCEMENT |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
20 |
+char * |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
21 |
+derive_pam_service_name(Authctxt *authctxt) |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
22 |
+{ |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
23 |
+ char *svcname = xmalloc(BUFSIZ); |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
24 |
+ |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
25 |
+ /* |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
26 |
+ * If PamServiceName is set we use that for everything, including |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
27 |
+ * SSHv1 |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
28 |
+ */ |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
29 |
+ if (options.pam_service_name != NULL) { |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
30 |
+ (void) strlcpy(svcname, options.pam_service_name, BUFSIZ); |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
31 |
+ return (svcname); |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
32 |
+ } |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
33 |
+ |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
34 |
+ if (compat20) { |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
35 |
+ char *method_name = authctxt->authmethod_name; |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
36 |
+ |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
37 |
+ if (!method_name) |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
38 |
+ fatal("Userauth method unknown while starting PAM"); |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
39 |
+ |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
40 |
+ /* |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
41 |
+ * For SSHv2 we use "sshd-<userauth name> |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
42 |
+ * The "sshd" prefix can be changed via the PAMServicePrefix |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
43 |
+ * sshd_config option. |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
44 |
+ */ |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
45 |
+ if (strcmp(method_name, "none") == 0) { |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
46 |
+ snprintf(svcname, BUFSIZ, "%s-none", |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
47 |
+ options.pam_service_prefix); |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
48 |
+ } |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
49 |
+ if (strcmp(method_name, "password") == 0) { |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
50 |
+ snprintf(svcname, BUFSIZ, "%s-password", |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
51 |
+ options.pam_service_prefix); |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
52 |
+ } |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
53 |
+ if (strcmp(method_name, "keyboard-interactive") == 0) { |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
54 |
+ /* "keyboard-interactive" is too long, shorten it */ |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
55 |
+ snprintf(svcname, BUFSIZ, "%s-kbdint", |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
56 |
+ options.pam_service_prefix); |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
57 |
+ } |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
58 |
+ if (strcmp(method_name, "publickey") == 0) { |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
59 |
+ /* "publickey" is too long, shorten it */ |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
60 |
+ snprintf(svcname, BUFSIZ, "%s-pubkey", |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
61 |
+ options.pam_service_prefix); |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
62 |
+ } |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
63 |
+ if (strcmp(method_name, "hostbased") == 0) { |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
64 |
+ snprintf(svcname, BUFSIZ, "%s-hostbased", |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
65 |
+ options.pam_service_prefix); |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
66 |
+ } |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
67 |
+ if (strncmp(method_name, "gssapi-", 7) == 0) { |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
68 |
+ /* |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
69 |
+ * Although OpenSSH only supports "gssapi-with-mic" |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
70 |
+ * for now. We will still map any userauth method |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
71 |
+ * prefixed with "gssapi-" to the gssapi PAM service. |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
72 |
+ */ |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
73 |
+ snprintf(svcname, BUFSIZ, "%s-gssapi", |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
74 |
+ options.pam_service_prefix); |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
75 |
+ } |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
76 |
+ return svcname; |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
77 |
+ } else { |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
78 |
+ /* SSHv1 doesn't get to be so cool */ |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
79 |
+ snprintf(svcname, BUFSIZ, "sshd-v1"); |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
80 |
+ } |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
81 |
+ return svcname; |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
82 |
+} |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
83 |
+#endif /* PAM_ENHANCEMENT */ |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
84 |
+ |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
85 |
static int |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
86 |
sshpam_init(Authctxt *authctxt) |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
87 |
{ |
4503
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
88 |
@@ -624,18 +690,71 @@ sshpam_init(Authctxt *authctxt) |
1979
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
89 |
const char *pam_rhost, *pam_user, *user = authctxt->user; |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
90 |
const char **ptr_pam_user = &pam_user; |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
91 |
|
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
92 |
+#ifdef PAM_ENHANCEMENT |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
93 |
+ const char *pam_service; |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
94 |
+ const char **ptr_pam_service = &pam_service; |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
95 |
+ char *svc = NULL; |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
96 |
+ |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
97 |
+ svc = derive_pam_service_name(authctxt); |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
98 |
+ debug3("PAM service is %s", svc); |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
99 |
+#endif |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
100 |
+ |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
101 |
if (sshpam_handle != NULL) { |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
102 |
+#ifdef PAM_ENHANCEMENT |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
103 |
+ /* get the pam service name */ |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
104 |
+ sshpam_err = pam_get_item(sshpam_handle, |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
105 |
+ PAM_SERVICE, (sshpam_const void **)ptr_pam_service); |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
106 |
+ if (sshpam_err != PAM_SUCCESS) |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
107 |
+ fatal("Failed to get the PAM service name"); |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
108 |
+ debug3("Previous pam_service is %s", pam_service ? |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
109 |
+ pam_service : "NULL"); |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
110 |
+ |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
111 |
+ /* get the pam user name */ |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
112 |
+ sshpam_err = pam_get_item(sshpam_handle, |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
113 |
+ PAM_USER, (sshpam_const void **)ptr_pam_user); |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
114 |
+ |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
115 |
+ /* |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
116 |
+ * only need to re-start if either user or service is |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
117 |
+ * different. |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
118 |
+ */ |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
119 |
+ if (sshpam_err == PAM_SUCCESS && strcmp(user, pam_user) == 0 |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
120 |
+ && strncmp(svc, pam_service, strlen(svc)) == 0) { |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
121 |
+ free(svc); |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
122 |
+ return (0); |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
123 |
+ } |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
124 |
+ |
4071
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
125 |
+ /* |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
126 |
+ * Clean up previous PAM state. No need to clean up session |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
127 |
+ * and creds. |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
128 |
+ */ |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
129 |
+ sshpam_authenticated = 0; |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
130 |
+ sshpam_account_status = -1; |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
131 |
+ |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
132 |
+ sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, NULL); |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
133 |
+ if (sshpam_err != PAM_SUCCESS) |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
134 |
+ debug3("Cannot remove PAM conv"); /* a warning only */ |
1979
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
135 |
+#else /* Original */ |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
136 |
/* We already have a PAM context; check if the user matches */ |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
137 |
sshpam_err = pam_get_item(sshpam_handle, |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
138 |
PAM_USER, (sshpam_const void **)ptr_pam_user); |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
139 |
if (sshpam_err == PAM_SUCCESS && strcmp(user, pam_user) == 0) |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
140 |
return (0); |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
141 |
+#endif /* PAM_ENHANCEMENT */ |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
142 |
pam_end(sshpam_handle, sshpam_err); |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
143 |
sshpam_handle = NULL; |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
144 |
} |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
145 |
debug("PAM: initializing for \"%s\"", user); |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
146 |
+ |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
147 |
+#ifdef PAM_ENHANCEMENT |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
148 |
+ debug3("Starting PAM service %s for user %s method %s", svc, user, |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
149 |
+ authctxt->authmethod_name); |
4503
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
150 |
+ sshpam_err = |
1979
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
151 |
+ pam_start(svc, user, &store_conv, &sshpam_handle); |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
152 |
+ free(svc); |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
153 |
+#else /* Original */ |
4503
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
154 |
sshpam_err = |
1979
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
155 |
pam_start(SSHD_PAM_SERVICE, user, &store_conv, &sshpam_handle); |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
156 |
+#endif |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
157 |
sshpam_authctxt = authctxt; |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
158 |
|
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
159 |
if (sshpam_err != PAM_SUCCESS) { |
4503
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
160 |
diff -pur old/auth.h new/auth.h |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
161 |
--- old/auth.h 2015-03-16 22:49:20.000000000 -0700 |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
162 |
+++ new/auth.h 2015-04-28 06:18:25.719914272 -0700 |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
163 |
@@ -81,6 +81,9 @@ struct Authctxt { |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
164 |
|
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
165 |
struct sshkey **prev_userkeys; |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
166 |
u_int nprev_userkeys; |
1979
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
167 |
+#ifdef PAM_ENHANCEMENT |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
168 |
+ char *authmethod_name; |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
169 |
+#endif |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
170 |
}; |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
171 |
/* |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
172 |
* Every authentication method has to handle authentication requests for |
4503
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
173 |
diff -pur old/auth2.c new/auth2.c |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
174 |
--- old/auth2.c 2015-03-16 22:49:20.000000000 -0700 |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
175 |
+++ new/auth2.c 2015-04-28 06:15:57.419262466 -0700 |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
176 |
@@ -243,10 +243,21 @@ input_userauth_request(int type, u_int32 |
1979
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
177 |
PRIVSEP(audit_event(SSH_INVALID_USER)); |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
178 |
#endif |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
179 |
} |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
180 |
+ |
4071
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
181 |
+ |
1979
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
182 |
#ifdef USE_PAM |
4071
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
183 |
+#ifdef PAM_ENHANCEMENT |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
184 |
+ /* |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
185 |
+ * Start PAM here and once only, if each userauth does not |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
186 |
+ * has its own PAM service. |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
187 |
+ */ |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
188 |
+ if (options.use_pam && !options.pam_service_per_authmethod) |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
189 |
+ PRIVSEP(start_pam(authctxt)); |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
190 |
+#else |
1979
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
191 |
if (options.use_pam) |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
192 |
PRIVSEP(start_pam(authctxt)); |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
193 |
#endif |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
194 |
+#endif |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
195 |
setproctitle("%s%s", authctxt->valid ? user : "unknown", |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
196 |
use_privsep ? " [net]" : ""); |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
197 |
authctxt->service = xstrdup(service); |
4503
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
198 |
@@ -277,6 +288,18 @@ input_userauth_request(int type, u_int32 |
1979
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
199 |
/* try to authenticate user */ |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
200 |
m = authmethod_lookup(authctxt, method); |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
201 |
if (m != NULL && authctxt->failures < options.max_authtries) { |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
202 |
+ |
4071
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
203 |
+#if defined(USE_PAM) && defined(PAM_ENHANCEMENT) |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
204 |
+ /* start PAM service for each userauth */ |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
205 |
+ if (options.use_pam && options.pam_service_per_authmethod) { |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
206 |
+ if (authctxt->authmethod_name != NULL) |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
207 |
+ free(authctxt->authmethod_name); |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
208 |
+ authctxt->authmethod_name = xstrdup(method); |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
209 |
+ if (use_privsep) |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
210 |
+ mm_inform_authmethod(method); |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
211 |
+ PRIVSEP(start_pam(authctxt)); |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
212 |
+ } |
1979
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
213 |
+#endif |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
214 |
debug2("input_userauth_request: try method %s", method); |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
215 |
authenticated = m->userauth(authctxt); |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
216 |
} |
4503
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
217 |
@@ -295,6 +318,10 @@ userauth_finish(Authctxt *authctxt, int |
1979
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
218 |
char *methods; |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
219 |
int partial = 0; |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
220 |
|
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
221 |
+#ifdef PAM_ENHANCEMENT |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
222 |
+ debug3("%s: entering", __func__); |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
223 |
+#endif |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
224 |
+ |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
225 |
if (!authctxt->valid && authenticated) |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
226 |
fatal("INTERNAL ERROR: authenticated invalid user %s", |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
227 |
authctxt->user); |
4503
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
228 |
@@ -311,6 +338,25 @@ userauth_finish(Authctxt *authctxt, int |
4071
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
229 |
} |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
230 |
|
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
231 |
if (authenticated && options.num_auth_methods != 0) { |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
232 |
+ |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
233 |
+#if defined(USE_PAM) && defined(PAM_ENHANCEMENT) |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
234 |
+ /* |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
235 |
+ * If each userauth has its own PAM service, then PAM need to |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
236 |
+ * perform account check for this service. |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
237 |
+ */ |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
238 |
+ if (options.use_pam && options.pam_service_per_authmethod && |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
239 |
+ !PRIVSEP(do_pam_account())) { |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
240 |
+ /* if PAM returned a message, send it to the user */ |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
241 |
+ if (buffer_len(&loginmsg) > 0) { |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
242 |
+ buffer_append(&loginmsg, "\0", 1); |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
243 |
+ userauth_send_banner(buffer_ptr(&loginmsg)); |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
244 |
+ packet_write_wait(); |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
245 |
+ } |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
246 |
+ |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
247 |
+ fatal("Access denied for user %s by PAM account " |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
248 |
+ "configuration", authctxt->user); |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
249 |
+ } |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
250 |
+#endif |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
251 |
if (!auth2_update_methods_lists(authctxt, method, submethod)) { |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
252 |
authenticated = 0; |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
253 |
partial = 1; |
4503
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
254 |
@@ -324,7 +370,20 @@ userauth_finish(Authctxt *authctxt, int |
4071
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
255 |
return; |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
256 |
|
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
257 |
#ifdef USE_PAM |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
258 |
+ |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
259 |
+#ifdef PAM_ENHANCEMENT |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
260 |
+ /* |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
261 |
+ * PAM needs to perform account checks after auth. However, if each |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
262 |
+ * userauth has its own PAM service and options.num_auth_methods != 0, |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
263 |
+ * then no need to perform account checking, because it was done |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
264 |
+ * already. |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
265 |
+ */ |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
266 |
+ if (options.use_pam && authenticated && |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
267 |
+ !(options.num_auth_methods != 0 && |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
268 |
+ options.pam_service_per_authmethod)){ |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
269 |
+#else |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
270 |
if (options.use_pam && authenticated) { |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
271 |
+#endif |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
272 |
if (!PRIVSEP(do_pam_account())) { |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
273 |
/* if PAM returned a message, send it to the user */ |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
274 |
if (buffer_len(&loginmsg) > 0) { |
4503
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
275 |
@@ -615,5 +674,3 @@ auth2_update_methods_lists(Authctxt *aut |
1979
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
276 |
fatal("%s: method not in AuthenticationMethods", __func__); |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
277 |
return 0; |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
278 |
} |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
279 |
- |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
280 |
- |
4503
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
281 |
diff -pur old/monitor.c new/monitor.c |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
282 |
--- old/monitor.c 2015-03-16 22:49:20.000000000 -0700 |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
283 |
+++ new/monitor.c 2015-04-28 06:15:57.421294814 -0700 |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
284 |
@@ -127,6 +127,9 @@ int mm_answer_sign(int, Buffer *); |
1979
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
285 |
int mm_answer_pwnamallow(int, Buffer *); |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
286 |
int mm_answer_auth2_read_banner(int, Buffer *); |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
287 |
int mm_answer_authserv(int, Buffer *); |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
288 |
+#ifdef PAM_ENHANCEMENT |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
289 |
+int mm_answer_authmethod(int, Buffer *); |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
290 |
+#endif |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
291 |
int mm_answer_authpassword(int, Buffer *); |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
292 |
int mm_answer_bsdauthquery(int, Buffer *); |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
293 |
int mm_answer_bsdauthrespond(int, Buffer *); |
4503
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
294 |
@@ -206,10 +209,17 @@ struct mon_table mon_dispatch_proto20[] |
1979
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
295 |
{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
296 |
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
297 |
{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
298 |
+#ifdef PAM_ENHANCEMENT |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
299 |
+ {MONITOR_REQ_AUTHMETHOD, MON_ISAUTH, mm_answer_authmethod}, |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
300 |
+#endif |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
301 |
{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
302 |
{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
303 |
#ifdef USE_PAM |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
304 |
+#ifdef PAM_ENHANCEMENT |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
305 |
+ {MONITOR_REQ_PAM_START, MON_ISAUTH, mm_answer_pam_start}, |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
306 |
+#else |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
307 |
{MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start}, |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
308 |
+#endif |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
309 |
{MONITOR_REQ_PAM_ACCOUNT, 0, mm_answer_pam_account}, |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
310 |
{MONITOR_REQ_PAM_INIT_CTX, MON_ISAUTH, mm_answer_pam_init_ctx}, |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
311 |
{MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query}, |
4503
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
312 |
@@ -371,6 +381,24 @@ monitor_child_preauth(Authctxt *_authctx |
4071
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
313 |
if (!compat20) |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
314 |
fatal("AuthenticationMethods is not supported" |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
315 |
"with SSH protocol 1"); |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
316 |
+ |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
317 |
+#if defined(USE_PAM) && defined(PAM_ENHANCEMENT) |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
318 |
+ /* |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
319 |
+ * If each userauth has its own PAM service, then PAM |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
320 |
+ * need to perform account check for this service. |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
321 |
+ */ |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
322 |
+ if (options.use_pam && authenticated && |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
323 |
+ options.pam_service_per_authmethod) { |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
324 |
+ Buffer m; |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
325 |
+ |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
326 |
+ buffer_init(&m); |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
327 |
+ mm_request_receive_expect(pmonitor->m_sendfd, |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
328 |
+ MONITOR_REQ_PAM_ACCOUNT, &m); |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
329 |
+ authenticated = |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
330 |
+ mm_answer_pam_account(pmonitor->m_sendfd, &m); |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
331 |
+ buffer_free(&m); |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
332 |
+ } |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
333 |
+#endif |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
334 |
if (authenticated && |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
335 |
!auth2_update_methods_lists(authctxt, |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
336 |
auth_method, auth_submethod)) { |
4503
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
337 |
@@ -389,8 +417,21 @@ monitor_child_preauth(Authctxt *_authctx |
4071
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
338 |
!auth_root_allowed(auth_method)) |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
339 |
authenticated = 0; |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
340 |
#ifdef USE_PAM |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
341 |
+#ifdef PAM_ENHANCEMENT |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
342 |
+ /* |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
343 |
+ * PAM needs to perform account checks after auth. |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
344 |
+ * However, if each userauth has its own PAM service |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
345 |
+ * and options.num_auth_methods != 0, then no need to |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
346 |
+ * perform account checking, because it was done |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
347 |
+ * already. |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
348 |
+ */ |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
349 |
+ if (options.use_pam && authenticated && |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
350 |
+ !(options.num_auth_methods != 0 && |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
351 |
+ options.pam_service_per_authmethod)) { |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
352 |
+#else |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
353 |
/* PAM needs to perform account checks after auth */ |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
354 |
if (options.use_pam && authenticated) { |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
355 |
+#endif |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
356 |
Buffer m; |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
357 |
|
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
358 |
buffer_init(&m); |
4503
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
359 |
@@ -863,6 +904,10 @@ mm_answer_pwnamallow(int sock, Buffer *m |
1979
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
360 |
/* Allow service/style information on the auth context */ |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
361 |
monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
362 |
monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
363 |
+#ifdef PAM_ENHANCEMENT |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
364 |
+ /* Allow authmethod information on the auth context */ |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
365 |
+ monitor_permit(mon_dispatch, MONITOR_REQ_AUTHMETHOD, 1); |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
366 |
+#endif |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
367 |
} |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
368 |
#ifdef USE_PAM |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
369 |
if (options.use_pam) |
4503
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
370 |
@@ -903,6 +948,24 @@ mm_answer_authserv(int sock, Buffer *m) |
1979
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
371 |
return (0); |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
372 |
} |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
373 |
|
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
374 |
+#ifdef PAM_ENHANCEMENT |
4503
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
375 |
+int |
1979
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
376 |
+mm_answer_authmethod(int sock, Buffer *m) |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
377 |
+{ |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
378 |
+ monitor_permit_authentications(1); |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
379 |
+ |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
380 |
+ authctxt->authmethod_name = buffer_get_string(m, NULL); |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
381 |
+ debug3("%s: authmethod_name=%s", __func__, authctxt->authmethod_name); |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
382 |
+ |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
383 |
+ if (strlen(authctxt->authmethod_name) == 0) { |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
384 |
+ free(authctxt->authmethod_name); |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
385 |
+ authctxt->authmethod_name = NULL; |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
386 |
+ } |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
387 |
+ |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
388 |
+ return (0); |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
389 |
+} |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
390 |
+#endif |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
391 |
+ |
4503
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
392 |
int |
1979
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
393 |
mm_answer_authpassword(int sock, Buffer *m) |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
394 |
{ |
4503
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
395 |
diff -pur old/monitor.h new/monitor.h |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
396 |
--- old/monitor.h 2015-03-16 22:49:20.000000000 -0700 |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
397 |
+++ new/monitor.h 2015-04-28 06:15:57.421684373 -0700 |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
398 |
@@ -65,6 +65,9 @@ enum monitor_reqtype { |
1979
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
399 |
MONITOR_REQ_PAM_FREE_CTX = 110, MONITOR_ANS_PAM_FREE_CTX = 111, |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
400 |
MONITOR_REQ_AUDIT_EVENT = 112, MONITOR_REQ_AUDIT_COMMAND = 113, |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
401 |
|
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
402 |
+#ifdef PAM_ENHANCEMENT |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
403 |
+ MONITOR_REQ_AUTHMETHOD = 114, |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
404 |
+#endif |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
405 |
}; |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
406 |
|
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
407 |
struct mm_master; |
4503
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
408 |
diff -pur old/monitor_wrap.c new/monitor_wrap.c |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
409 |
--- old/monitor_wrap.c 2015-03-16 22:49:20.000000000 -0700 |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
410 |
+++ new/monitor_wrap.c 2015-04-28 06:15:57.419906674 -0700 |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
411 |
@@ -347,6 +347,24 @@ mm_inform_authserv(char *service, char * |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
412 |
buffer_free(&m); |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
413 |
} |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
414 |
|
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
415 |
+#ifdef PAM_ENHANCEMENT |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
416 |
+/* Inform the privileged process about the authentication method */ |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
417 |
+void |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
418 |
+mm_inform_authmethod(char *authmethod) |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
419 |
+{ |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
420 |
+ Buffer m; |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
421 |
+ |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
422 |
+ debug3("%s entering", __func__); |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
423 |
+ |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
424 |
+ buffer_init(&m); |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
425 |
+ buffer_put_cstring(&m, authmethod); |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
426 |
+ |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
427 |
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHMETHOD, &m); |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
428 |
+ |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
429 |
+ buffer_free(&m); |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
430 |
+} |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
431 |
+#endif |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
432 |
+ |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
433 |
/* Do the password authentication */ |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
434 |
int |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
435 |
mm_auth_password(Authctxt *authctxt, char *password) |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
436 |
diff -pur old/servconf.c new/servconf.c |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
437 |
--- old/servconf.c 2015-04-28 06:15:57.300968063 -0700 |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
438 |
+++ new/servconf.c 2015-04-28 06:27:06.330272555 -0700 |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
439 |
@@ -163,6 +163,18 @@ initialize_server_options(ServerOptions |
1979
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
440 |
options->ip_qos_bulk = -1; |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
441 |
options->version_addendum = NULL; |
4503
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
442 |
options->fingerprint_hash = -1; |
1979
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
443 |
+#ifdef PAM_ENHANCEMENT |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
444 |
+ options->pam_service_name = NULL; |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
445 |
+ options->pam_service_prefix = NULL; |
4071
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
446 |
+ |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
447 |
+ /* |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
448 |
+ * Each user method will have its own PAM service by default. |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
449 |
+ * However, if PAMServiceName is specified or the protocal version |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
450 |
+ * is not compat20, then there will be only one PAM service for the |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
451 |
+ * entire user authentication. |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
452 |
+ */ |
4503
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
453 |
+ options->pam_service_per_authmethod = 1; |
1979
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
454 |
+#endif |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
455 |
} |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
456 |
|
4503
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
457 |
/* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */ |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
458 |
@@ -332,6 +344,12 @@ fill_default_server_options(ServerOption |
1979
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
459 |
options->ip_qos_bulk = IPTOS_THROUGHPUT; |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
460 |
if (options->version_addendum == NULL) |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
461 |
options->version_addendum = xstrdup(""); |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
462 |
+ |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
463 |
+#ifdef PAM_ENHANCEMENT |
4503
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
464 |
+ if (options->pam_service_prefix == NULL) |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
465 |
+ options->pam_service_prefix = _SSH_PAM_SERVICE_PREFIX; |
1979
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
466 |
+#endif |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
467 |
+ |
4503
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
468 |
if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1) |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
469 |
options->fwd_opts.streamlocal_bind_mask = 0177; |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
470 |
if (options->fwd_opts.streamlocal_bind_unlink == -1) |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
471 |
@@ -400,6 +418,9 @@ typedef enum { |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
472 |
sMatch, sPermitOpen, sForceCommand, sChrootDirectory, |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
473 |
sUsePrivilegeSeparation, sAllowAgentForwarding, |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
474 |
sHostCertificate, |
1979
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
475 |
+#ifdef PAM_ENHANCEMENT |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
476 |
+ sPAMServicePrefix, sPAMServiceName, |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
477 |
+#endif |
4503
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
478 |
sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
479 |
sKexAlgorithms, sIPQoS, sVersionAddendum, |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
480 |
sAuthorizedKeysCommand, sAuthorizedKeysCommandUser, |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
481 |
@@ -534,6 +555,10 @@ static struct { |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
482 |
{ "forcecommand", sForceCommand, SSHCFG_ALL }, |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
483 |
{ "chrootdirectory", sChrootDirectory, SSHCFG_ALL }, |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
484 |
{ "hostcertificate", sHostCertificate, SSHCFG_GLOBAL }, |
1979
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
485 |
+#ifdef PAM_ENHANCEMENT |
4503
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
486 |
+ { "pamserviceprefix", sPAMServicePrefix, SSHCFG_GLOBAL }, |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
487 |
+ { "pamservicename", sPAMServiceName, SSHCFG_GLOBAL }, |
1979
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
488 |
+#endif |
4503
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
489 |
{ "revokedkeys", sRevokedKeys, SSHCFG_ALL }, |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
490 |
{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL }, |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
491 |
{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL }, |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
492 |
@@ -1765,6 +1790,37 @@ process_server_config_line(ServerOptions |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
493 |
options->fingerprint_hash = value; |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
494 |
break; |
1979
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
495 |
|
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
496 |
+ case sPAMServicePrefix: |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
497 |
+ arg = strdelim(&cp); |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
498 |
+ if (!arg || *arg == '\0') |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
499 |
+ fatal("%s line %d: Missing argument.", |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
500 |
+ filename, linenum); |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
501 |
+ if (options->pam_service_name != NULL) |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
502 |
+ fatal("%s line %d: PAMServiceName and PAMServicePrefix" |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
503 |
+ " are mutually exclusive.", filename, linenum); |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
504 |
+ if (options->pam_service_prefix == NULL) |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
505 |
+ options->pam_service_prefix = xstrdup(arg); |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
506 |
+ break; |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
507 |
+ |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
508 |
+ case sPAMServiceName: |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
509 |
+ arg = strdelim(&cp); |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
510 |
+ if (!arg || *arg == '\0') |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
511 |
+ fatal("%s line %d: Missing argument.", |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
512 |
+ filename, linenum); |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
513 |
+ if (options->pam_service_prefix != NULL) |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
514 |
+ fatal("%s line %d: PAMServiceName and PAMServicePrefix" |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
515 |
+ " are mutually exclusive.", filename, linenum); |
4071
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
516 |
+ if (options->pam_service_name == NULL) { |
1979
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
517 |
+ options->pam_service_name = xstrdup(arg); |
4071
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
518 |
+ |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
519 |
+ /* |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
520 |
+ * When this option is specified, we will not have |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
521 |
+ * PAM service for each auth method. |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
522 |
+ */ |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
523 |
+ options->pam_service_per_authmethod = 0; |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
524 |
+ } |
1979
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
525 |
+ break; |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
526 |
+ |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
527 |
case sDeprecated: |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
528 |
logit("%s line %d: Deprecated option %s", |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
529 |
filename, linenum, arg); |
4503
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
530 |
diff -pur old/servconf.h new/servconf.h |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
531 |
--- old/servconf.h 2015-03-16 22:49:20.000000000 -0700 |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
532 |
+++ new/servconf.h 2015-04-28 06:28:25.181429777 -0700 |
1979
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
533 |
@@ -54,6 +54,10 @@ |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
534 |
/* Magic name for internal sftp-server */ |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
535 |
#define INTERNAL_SFTP_NAME "internal-sftp" |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
536 |
|
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
537 |
+#ifdef PAM_ENHANCEMENT |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
538 |
+#define _SSH_PAM_SERVICE_PREFIX "sshd" |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
539 |
+#endif |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
540 |
+ |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
541 |
typedef struct { |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
542 |
u_int num_ports; |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
543 |
u_int ports_from_cmdline; |
4503
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
544 |
@@ -188,6 +192,12 @@ typedef struct { |
1979
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
545 |
u_int num_auth_methods; |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
546 |
char *auth_methods[MAX_AUTH_METHODS]; |
4503
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
547 |
|
1979
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
548 |
+#ifdef PAM_ENHANCEMENT |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
549 |
+ char *pam_service_prefix; |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
550 |
+ char *pam_service_name; |
4071
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
551 |
+ int pam_service_per_authmethod; |
1979
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
552 |
+#endif |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
553 |
+ |
4503
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
554 |
int fingerprint_hash; |
1979
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
555 |
} ServerOptions; |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
556 |
|
4503
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
557 |
diff -pur old/sshd.8 new/sshd.8 |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
558 |
--- old/sshd.8 2015-04-28 06:15:57.254681499 -0700 |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
559 |
+++ new/sshd.8 2015-04-28 06:15:57.426325504 -0700 |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
560 |
@@ -945,6 +945,33 @@ concurrently for different ports, this c |
1979
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
561 |
started last). |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
562 |
The content of this file is not sensitive; it can be world-readable. |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
563 |
.El |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
564 |
+ |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
565 |
+.Sh SECURITY |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
566 |
+sshd uses pam(3PAM) for password and keyboard-interactive methods as well as |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
567 |
+for account management, session management, and the password management for all |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
568 |
+authentication methods. |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
569 |
+.Pp |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
570 |
+Each SSHv2 userauth type has its own PAM service name: |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
571 |
+ |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
572 |
+.Bd -literal -offset 3n |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
573 |
+ |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
574 |
+----------------------------------------------- |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
575 |
+| SSHv2 Userauth | PAM Service Name | |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
576 |
+----------------------------------------------- |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
577 |
+| none | sshd-none | |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
578 |
+----------------------------------------------- |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
579 |
+| password | sshd-password | |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
580 |
+----------------------------------------------- |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
581 |
+| keyboard-interactive | sshd-kbdint | |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
582 |
+----------------------------------------------- |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
583 |
+| pubkey | sshd-pubkey | |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
584 |
+----------------------------------------------- |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
585 |
+| hostbased | sshd-hostbased | |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
586 |
+----------------------------------------------- |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
587 |
+| gssapi-with-mic | sshd-gssapi | |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
588 |
+----------------------------------------------- |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
589 |
+.Ed |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
590 |
+ |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
591 |
.Sh SEE ALSO |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
592 |
.Xr scp 1 , |
bdbb0de8834e
19034156 PAM coversation function for passwd auth method has an incorrect assumption
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
593 |
.Xr sftp 1 , |
4503
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
594 |
diff -pur old/sshd.c new/sshd.c |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
595 |
--- old/sshd.c 2015-04-28 06:15:57.302106750 -0700 |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
596 |
+++ new/sshd.c 2015-04-28 06:15:57.427449259 -0700 |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
597 |
@@ -2146,6 +2146,11 @@ main(int ac, char **av) |
4071
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
598 |
|
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
599 |
sshd_exchange_identification(sock_in, sock_out); |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
600 |
|
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
601 |
+#ifdef PAM_ENHANCEMENT |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
602 |
+ if (!compat20) |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
603 |
+ options.pam_service_per_authmethod = 0; |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
604 |
+#endif |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
605 |
+ |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
606 |
/* In inetd mode, generate ephemeral key only for proto 1 connections */ |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
607 |
if (!compat20 && inetd_flag && sensitive_data.server_key == NULL) |
4b68c2b0134b
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
1979
diff
changeset
|
608 |
generate_ephemeral_server_key(); |
4503
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
609 |
diff -pur old/sshd_config.5 new/sshd_config.5 |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
610 |
--- old/sshd_config.5 2015-04-28 06:15:57.256560985 -0700 |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
611 |
+++ new/sshd_config.5 2015-04-28 06:15:57.425661853 -0700 |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
612 |
@@ -1044,6 +1044,21 @@ The probability increases linearly and a |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
613 |
are refused if the number of unauthenticated connections reaches |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
614 |
.Dq full |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
615 |
(60). |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
616 |
+.It Cm PAMServiceName |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
617 |
+Specifies the PAM service name for the PAM session. The PAMServiceName and |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
618 |
+PAMServicePrefix options are mutually exclusive and if both set, sshd does not |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
619 |
+start. If this option is set the service name is the same for all user |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
620 |
+authentication methods. The option has no default value. See PAMServicePrefix |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
621 |
+for more information. |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
622 |
+.It Cm PAMServicePrefix |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
623 |
+Specifies the PAM service name prefix for service names used for individual |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
624 |
+user authentication methods. The default is sshd. The PAMServiceName and |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
625 |
+PAMServicePrefix options are mutually exclusive and if both set, sshd does not |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
626 |
+start. |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
627 |
+.Pp |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
628 |
+For example, if this option is set to admincli, the service name for the |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
629 |
+keyboard-interactive authentication method is admincli-kbdint instead of the |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
630 |
+default sshd-kbdint. |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
631 |
.It Cm PasswordAuthentication |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
632 |
Specifies whether password authentication is allowed. |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
633 |
The default is |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
634 |
@@ -1427,8 +1442,7 @@ If |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
635 |
is enabled, you will not be able to run |
5036
06e4fcc325a1
PSARC 2015/428 Normalization of Solaris man page section numbers
Rich Burridge <rich.burridge@oracle.com>
parents:
4503
diff
changeset
|
636 |
.Xr sshd 8 |
4503
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
637 |
as a non-root user. |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
638 |
-The default is |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
639 |
-.Dq no . |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
640 |
+On Solaris, the option is always enabled. |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
641 |
.It Cm UsePrivilegeSeparation |
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
4071
diff
changeset
|
642 |
Specifies whether |
5036
06e4fcc325a1
PSARC 2015/428 Normalization of Solaris man page section numbers
Rich Burridge <rich.burridge@oracle.com>
parents:
4503
diff
changeset
|
643 |
.Xr sshd 8 |