components/openssh/patches/016-pam_enhancement.patch
author Jan Parcel <jan.parcel@oracle.com>
Tue, 25 Apr 2017 15:08:28 -0700
branchs11u3-sru
changeset 7946 165bf092aa9c
parent 5324 5683175b6e99
permissions -rw-r--r--
PSARC/2017/022 OpenSSH 7.4 25295722 upgrade OpenSSH to 7.4p1 25295787 problem in UTILITY/OPENSSH 25295804 problem in UTILITY/OPENSSH 25295822 problem in UTILITY/OPENSSH 25295840 problem in UTILITY/OPENSSH 25809379 Openssh 7.4p1 has 3 regressions, fixed in 7.5 25795760 openssh drops connection when GSSAPIAuthentication set to no
     1
#
     2
# This patch contains a couple of PAM enhancements:
     3
#   1) Each SSHv2 userauth method has its own PAM service name so that PAM can
     4
#      be used to control what userauth methods are allowed.
     5
#   2) The PAMServiceName and PAMServicePrefix options.
     6
# 
     7
# We have contributed back this feature to the OpenSSH upstream community. 
     8
# For more information, see https://bugzilla.mindrot.org/show_bug.cgi?id=2246
     9
# In the future, if these enhancements are accepted by the upstream in a
    10
# later release, we will remove this patch when we upgrade to that release.
    11
#
    12
diff -pur old/auth-pam.c new/auth-pam.c
    13
--- old/auth-pam.c
    14
+++ new/auth-pam.c
    15
@@ -617,6 +617,72 @@ sshpam_cleanup(void)
    16
 	sshpam_handle = NULL;
    17
 }
    18
 
    19
+#ifdef PAM_ENHANCEMENT
    20
+char *
    21
+derive_pam_service_name(Authctxt *authctxt)
    22
+{
    23
+	char *svcname = xmalloc(BUFSIZ);
    24
+
    25
+	/*
    26
+	 * If PamServiceName is set we use that for everything, including
    27
+	 * SSHv1
    28
+	 */
    29
+	if (options.pam_service_name != NULL) {
    30
+		(void) strlcpy(svcname, options.pam_service_name, BUFSIZ);
    31
+		return (svcname);
    32
+	}
    33
+
    34
+	if (compat20) {
    35
+		char *method_name = authctxt->authmethod_name;
    36
+
    37
+		if (!method_name)
    38
+			fatal("Userauth method unknown while starting PAM");
    39
+
    40
+		/*
    41
+		 * For SSHv2 we use "sshd-<userauth name>
    42
+		 * The "sshd" prefix can be changed via the PAMServicePrefix
    43
+		 * sshd_config option.
    44
+		 */
    45
+		if (strcmp(method_name, "none") == 0) {
    46
+			snprintf(svcname, BUFSIZ, "%s-none",
    47
+			    options.pam_service_prefix);
    48
+		}
    49
+		if (strcmp(method_name, "password") == 0) {
    50
+			snprintf(svcname, BUFSIZ, "%s-password",
    51
+			    options.pam_service_prefix);
    52
+		}
    53
+		if (strcmp(method_name, "keyboard-interactive") == 0) {
    54
+			/* "keyboard-interactive" is too long, shorten it */
    55
+			snprintf(svcname, BUFSIZ, "%s-kbdint",
    56
+			    options.pam_service_prefix);
    57
+		}
    58
+		if (strcmp(method_name, "publickey") == 0) {
    59
+			/* "publickey" is too long, shorten it */
    60
+			snprintf(svcname, BUFSIZ, "%s-pubkey",
    61
+			    options.pam_service_prefix);
    62
+		}
    63
+		if (strcmp(method_name, "hostbased") == 0) {
    64
+			snprintf(svcname, BUFSIZ, "%s-hostbased",
    65
+			    options.pam_service_prefix);
    66
+		}
    67
+		if (strncmp(method_name, "gssapi-", 7) == 0) {
    68
+		        /*
    69
+			 * Although OpenSSH only supports "gssapi-with-mic"
    70
+			 * for now. We will still map any userauth method
    71
+                         * prefixed with "gssapi-" to the gssapi PAM service.
    72
+			 */ 
    73
+			snprintf(svcname, BUFSIZ, "%s-gssapi",
    74
+			    options.pam_service_prefix);
    75
+		}
    76
+		return svcname;
    77
+	} else {
    78
+		/* SSHv1 doesn't get to be so cool */
    79
+	        snprintf(svcname, BUFSIZ, "sshd-v1");
    80
+	}
    81
+	return svcname;
    82
+}
    83
+#endif /* PAM_ENHANCEMENT */
    84
+
    85
 static int
    86
 sshpam_init(Authctxt *authctxt)
    87
 {
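Review bot: In the compat20 branch a method name that matches none of the strcmp/strncmp cases leaves the xmalloc'd buffer uninitialized and still returns it, so pam_start would receive arbitrary heap bytes as the service name; every method in the current authmethod table appears to be covered, but nothing in this function enforces that. Closing the chain with `else fatal("Unsupported userauth method %s for PAM service name", method_name);` (and writing the chain as `else if`) makes the invariant explicit. The SSHv1 branch hard-codes `"sshd-v1"` and ignores PAMServicePrefix, while the comment at the top of the compat20 branch implies the prefix governs the name; either honor the prefix there or state in that comment that the v1 name is fixed. Whether options.pam_service_prefix is guaranteed non-NULL by the servconf defaults is not visible in this hunk.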
    88
@@ -624,18 +690,71 @@ sshpam_init(Authctxt *authctxt)
    89
 	const char **ptr_pam_user = &pam_user;
    90
 	struct ssh *ssh = active_state; /* XXX */
    91
 
    92
+#ifdef PAM_ENHANCEMENT
    93
+	const char *pam_service;
    94
+        const char **ptr_pam_service = &pam_service;
    95
+	char *svc = NULL;
    96
+
    97
+	svc = derive_pam_service_name(authctxt);
    98
+        debug3("PAM service is %s", svc);
    99
+#endif
   100
+
   101
 	if (sshpam_handle != NULL) {
   102
+#ifdef PAM_ENHANCEMENT
   103
+	        /* get the pam service name */
   104
+		sshpam_err = pam_get_item(sshpam_handle,
   105
+		    PAM_SERVICE, (sshpam_const void **)ptr_pam_service);
   106
+                if (sshpam_err != PAM_SUCCESS) 
   107
+		    fatal("Failed to get the PAM service name");
   108
+		debug3("Previous pam_service is %s", pam_service ?
   109
+                    pam_service : "NULL");
   110
+
   111
+		/* get the pam user name */
   112
+		sshpam_err = pam_get_item(sshpam_handle,
   113
+		    PAM_USER, (sshpam_const void **)ptr_pam_user);
   114
+
   115
+		/*
   116
+		 * only need to re-start if either user or service is 
   117
+                 * different.
   118
+                 */
   119
+		if (sshpam_err == PAM_SUCCESS && strcmp(user, pam_user) == 0
   120
+		    && strncmp(svc, pam_service, strlen(svc)) == 0) {
   121
+		        free(svc);
   122
+			return (0);
   123
+                }
   124
+
   125
+		/*
   126
+		 * Clean up previous PAM state.  No need to clean up session 
   127
+		 * and creds.
   128
+		 */
   129
+                sshpam_authenticated = 0;
   130
+                sshpam_account_status = -1;
   131
+
   132
+		sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, NULL);
   133
+         	if (sshpam_err != PAM_SUCCESS)
   134
+		        debug3("Cannot remove PAM conv"); /* a warning only */
   135
+#else /* Original */
   136
 		/* We already have a PAM context; check if the user matches */
   137
 		sshpam_err = pam_get_item(sshpam_handle,
   138
 		    PAM_USER, (sshpam_const void **)ptr_pam_user);
   139
 		if (sshpam_err == PAM_SUCCESS && strcmp(user, pam_user) == 0)
   140
 			return (0);
   141
+#endif /* PAM_ENHANCEMENT */
   142
 		pam_end(sshpam_handle, sshpam_err);
   143
 		sshpam_handle = NULL;
   144
 	}
   145
 	debug("PAM: initializing for \"%s\"", user);
   146
+
   147
+#ifdef PAM_ENHANCEMENT
   148
+        debug3("Starting PAM service %s for user %s method %s", svc, user,
   149
+            authctxt->authmethod_name);
   150
+	sshpam_err =
   151
+	    pam_start(svc, user, &store_conv, &sshpam_handle);
   152
+	free(svc);
   153
+#else /* Original */
   154
 	sshpam_err =
   155
 	    pam_start(SSHD_PAM_SERVICE, user, &store_conv, &sshpam_handle);
   156
+#endif
   157
 	sshpam_authctxt = authctxt;
   158
 
   159
 	if (sshpam_err != PAM_SUCCESS) {
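Review bot: The service comparison `strncmp(svc, pam_service, strlen(svc)) == 0` in the PAM_ENHANCEMENT branch is a prefix test, so a stored service that merely begins with the newly derived name is treated as the same service and the PAM context is reused instead of restarted; equality is what is meant, so `strcmp(svc, pam_service) == 0` is the right check. The same condition dereferences pam_service without a NULL guard even though the debug3 two lines earlier anticipates pam_get_item returning NULL; adding `pam_service != NULL &&` in front of the comparison keeps the restart path from crashing on that case. sshpam_init continues past the end of this hunk.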
   160
diff -pur old/auth.h new/auth.h
   161
--- old/auth.h
   162
+++ new/auth.h
   163
@@ -81,6 +81,9 @@ struct Authctxt {
   164
 
   165
 	struct sshkey	**prev_userkeys;
   166
 	u_int		 nprev_userkeys;
   167
+#ifdef PAM_ENHANCEMENT
   168
+        char            *authmethod_name;
   169
+#endif 
   170
 };
   171
 /*
   172
  * Every authentication method has to handle authentication requests for
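Review bot: The new `authmethod_name` member carries no comment on who allocates and frees it, and the auth2.c hunk later in this patch frees it before reassigning, so the struct is the place to pin that ownership; a comment such as `/* PAM_ENHANCEMENT: name of the userauth method being attempted; heap string owned by Authctxt, replaced per request */` would do. The member is also indented with spaces while the neighbouring `prev_userkeys`/`nprev_userkeys` lines use tabs, which will show in every future diff of this struct.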
   173
diff -pur old/auth2.c new/auth2.c
   174
--- old/auth2.c
   175
+++ new/auth2.c
   176
@@ -243,10 +243,21 @@ input_userauth_request(int type, u_int32
   177
 			PRIVSEP(audit_event(SSH_INVALID_USER));
   178
 #endif
   179
 		}
   180
+
   181
+
   182
 #ifdef USE_PAM
   183
+#ifdef PAM_ENHANCEMENT
   184
+		/*
   185
+		 * Start PAM here and once only, if each userauth does not
   186
+		 * has its own PAM service.
   187
+		 */
   188
+	        if (options.use_pam && !options.pam_service_per_authmethod)
   189
+			PRIVSEP(start_pam(authctxt));
   190
+#else
   191
 		if (options.use_pam)
   192
 			PRIVSEP(start_pam(authctxt));
   193
 #endif
   194
+#endif
   195
 		setproctitle("%s%s", authctxt->valid ? user : "unknown",
   196
 		    use_privsep ? " [net]" : "");
   197
 		authctxt->service = xstrdup(service);
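Review bot: The comment above the new `if (options.use_pam && !options.pam_service_per_authmethod)` reads "if each userauth does not has its own PAM service", which is ungrammatical and does not say where the other case is handled; `* Start PAM here, and once only, when userauth methods do not each have their own PAM service (the per-method start is in the authmethod dispatch below).` would cover both. The `if` line itself is indented with spaces where the surrounding lines use tabs. input_userauth_request continues outside this hunk, and the per-method start referred to is in the next hunk of this file.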
   198
@@ -277,6 +288,18 @@ input_userauth_request(int type, u_int32
   199
 	/* try to authenticate user */
   200
 	m = authmethod_lookup(authctxt, method);
   201
 	if (m != NULL && authctxt->failures < options.max_authtries) {
   202
+
   203
+#if defined(USE_PAM) && defined(PAM_ENHANCEMENT)
   204
+		/* start PAM service for each userauth */
   205
+                if (options.use_pam && options.pam_service_per_authmethod) {
   206
+       		        if (authctxt->authmethod_name != NULL)
   207
+		                free(authctxt->authmethod_name);
   208
+                        authctxt->authmethod_name = xstrdup(method);
   209
+                        if (use_privsep)
   210
+                                mm_inform_authmethod(method);
   211
+		        PRIVSEP(start_pam(authctxt));
   212
+		}
   213
+#endif
   214
 		debug2("input_userauth_request: try method %s", method);
   215
 		authenticated =	m->userauth(authctxt);
   216
 	}
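Review bot: The NULL test guarding `free(authctxt->authmethod_name)` just before the xstrdup is redundant, since free(NULL) is a no-op, and the new block is space-indented where the surrounding file uses tabs; `free(authctxt->authmethod_name);` followed by `authctxt->authmethod_name = xstrdup(method);` on tab-indented lines reads the same. The block's placement inside the `m != NULL` test is what keeps arbitrary client-chosen method names out of the PAM service name and the monitor message — only a name with a registered method gets here — and that is worth stating: `/* start a PAM service per userauth; only a recognised method name reaches this point */`. With the option set, PRIVSEP(start_pam()) now runs once per userauth request, so start_pam presumably has to release any handle left from the previous request; the hunk does not show that, so confirm it. input_userauth_request's body continues outside the hunk.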
   217
@@ -295,6 +318,10 @@ userauth_finish(Authctxt *authctxt, int
   218
 	char *methods;
   219
 	int partial = 0;
   220
 
   221
+#ifdef  PAM_ENHANCEMENT
   222
+        debug3("%s: entering", __func__);
   223
+#endif
   224
+
   225
 	if (!authctxt->valid && authenticated)
   226
 		fatal("INTERNAL ERROR: authenticated invalid user %s",
   227
 		    authctxt->user);
   228
@@ -311,6 +338,25 @@ userauth_finish(Authctxt *authctxt, int
   229
 	}
   230
 
   231
 	if (authenticated && options.num_auth_methods != 0) {
   232
+
   233
+#if defined(USE_PAM) && defined(PAM_ENHANCEMENT)
   234
+                /*
   235
+                 * If each userauth has its own PAM service, then PAM need to 
   236
+                 * perform account check for this service.
   237
+                 */
   238
+                if (options.use_pam && options.pam_service_per_authmethod &&
   239
+                    !PRIVSEP(do_pam_account())) {
   240
+                        /* if PAM returned a message, send it to the user */
   241
+                        if (buffer_len(&loginmsg) > 0) {
   242
+                                buffer_append(&loginmsg, "\0", 1);
   243
+                                userauth_send_banner(buffer_ptr(&loginmsg));
   244
+                                packet_write_wait();
   245
+                        }
   246
+
   247
+                        fatal("Access denied for user %s by PAM account "
   248
+                            "configuration", authctxt->user);
   249
+                }
   250
+#endif
   251
 		if (!auth2_update_methods_lists(authctxt, method, submethod)) {
   252
 			authenticated = 0;
   253
 			partial = 1;
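Review bot: The new per-method `PRIVSEP(do_pam_account())` call is one half of a cross-process handshake and nothing in the hunk says so: under privsep it sends MONITOR_REQ_PAM_ACCOUNT, and the monitor side of this same patch (the monitor_child_preauth hunk at `@@ -311,6 +321,23 @@`) answers it with a blocking mm_request_receive_expect under its own copy of the predicate. If the two predicates ever diverge the monitor either waits forever or fatal()s on an unexpected request type, so the condition should name its twin: `/* keep in sync with monitor_child_preauth(): the monitor does a blocking receive of PAM_ACCOUNT under the same condition */`. The comment text also wants tidying — `PAM needs to perform an account check for this service.` — the line ending in `then PAM need to ` carries trailing whitespace, and the block is space-indented in a tab-indented file. The enclosing `if (authenticated && options.num_auth_methods != 0)` block runs past the end of the hunk.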
   254
@@ -324,7 +370,20 @@ userauth_finish(Authctxt *authctxt, int
   255
 		return;
   256
 
   257
 #ifdef USE_PAM
   258
+
   259
+#ifdef PAM_ENHANCEMENT
   260
+        /*
   261
+         * PAM needs to perform account checks after auth. However, if each
   262
+         * userauth has its own PAM service and options.num_auth_methods != 0,
   263
+         * then no need to perform account checking, because it was done 
   264
+         * already.
   265
+         */
   266
+        if (options.use_pam && authenticated && 
   267
+            !(options.num_auth_methods != 0 &&
   268
+            options.pam_service_per_authmethod)){
   269
+#else
   270
 	if (options.use_pam && authenticated) {
   271
+#endif
   272
 		if (!PRIVSEP(do_pam_account())) {
   273
 			/* if PAM returned a message, send it to the user */
   274
 			if (buffer_len(&loginmsg) > 0) {
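Review bot: The `#ifdef PAM_ENHANCEMENT` / `#else` pair wraps only the opening `if (...) {` line, so the closing brace further down the function is balanced by whichever branch the preprocessor picked; it compiles, but it is brittle to edit, and the second monitor_child_preauth hunk (`@@ -329,8 +356,21 @@`) repeats the same pattern. A cleaner shape is a local declared alongside `partial` at the top of userauth_finish, `int pam_account_done = 0;`, set under `#ifdef PAM_ENHANCEMENT` to `options.num_auth_methods != 0 && options.pam_service_per_authmethod`, leaving one unconditional `if (options.use_pam && authenticated && !pam_account_done) {` with its brace outside any preprocessor branch. If the negated conjunction stays, it reads more directly as `(options.num_auth_methods == 0 || !options.pam_service_per_authmethod)`; the line ending in `authenticated && ` and the comment line ending in `done ` also carry trailing whitespace. userauth_finish's body continues outside the hunk in both directions.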
   275
@@ -615,5 +674,3 @@ auth2_update_methods_lists(Authctxt *aut
   276
 		fatal("%s: method not in AuthenticationMethods", __func__);
   277
 	return 0;
   278
 }
   279
-
   280
-
   281
diff -pur old/monitor.c new/monitor.c
   282
--- old/monitor.c
   283
+++ new/monitor.c
   284
@@ -127,6 +127,9 @@ int mm_answer_sign(int, Buffer *);
   285
 int mm_answer_pwnamallow(int, Buffer *);
   286
 int mm_answer_auth2_read_banner(int, Buffer *);
   287
 int mm_answer_authserv(int, Buffer *);
   288
+#ifdef PAM_ENHANCEMENT
   289
+int mm_answer_authmethod(int, Buffer *);
   290
+#endif
   291
 int mm_answer_authpassword(int, Buffer *);
   292
 int mm_answer_bsdauthquery(int, Buffer *);
   293
 int mm_answer_bsdauthrespond(int, Buffer *);
   294
@@ -202,10 +205,17 @@ struct mon_table mon_dispatch_proto20[]
   295
     {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
   296
     {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
   297
     {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
   298
+#ifdef PAM_ENHANCEMENT
   299
+    {MONITOR_REQ_AUTHMETHOD, MON_ISAUTH, mm_answer_authmethod},
   300
+#endif
   301
     {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
   302
     {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
   303
 #ifdef USE_PAM
   304
+#ifdef PAM_ENHANCEMENT
   305
+    {MONITOR_REQ_PAM_START, MON_ISAUTH, mm_answer_pam_start},
   306
+#else
   307
     {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start},
   308
+#endif
   309
     {MONITOR_REQ_PAM_ACCOUNT, 0, mm_answer_pam_account},
   310
     {MONITOR_REQ_PAM_INIT_CTX, MON_ONCE, mm_answer_pam_init_ctx},
   311
     {MONITOR_REQ_PAM_QUERY, 0, mm_answer_pam_query},
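Review bot: Dropping MON_ONCE from the MONITOR_REQ_PAM_START entry under PAM_ENHANCEMENT changes the privilege-separation contract: the unprivileged preauth child may now ask the monitor to start PAM any number of times before authentication, and the new MONITOR_REQ_AUTHMETHOD entry is likewise repeatable (it is permitted in mm_answer_pwnamallow, hunk `@@ -770,6 +810,10 @@`, and nothing visible disables it). That is what per-userauth PAM services require, but the table gives no hint of it, and a comment such as `/* repeatable under PAM_ENHANCEMENT: the child restarts PAM for each userauth method */` would stop a later reader from restoring MON_ONCE. It also means the PAM start handler on the monitor side must dispose of any previous PAM handle before starting a new one, which this patch does not show — worth confirming. The mm_answer_authmethod handler visible further down (its hunk runs past this view) calls monitor_permit_authentications(1) on every request and assigns a fresh buffer_get_string result to authctxt->authmethod_name without freeing the previous one, so each repeated request leaks a string in the monitor.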
   312
@@ -311,6 +321,23 @@ monitor_child_preauth(Authctxt *_authctx
   313
 
   314
 		/* Special handling for multiple required authentications */
   315
 		if (options.num_auth_methods != 0) {
   316
+#if defined(USE_PAM) && defined(PAM_ENHANCEMENT)
   317
+                        /* 
   318
+                         * If each userauth has its own PAM service, then PAM
   319
+                         * need to perform account check for this service.
   320
+                         */
   321
+                        if (options.use_pam && authenticated &&
   322
+                            options.pam_service_per_authmethod) {
   323
+                                Buffer m;
   324
+
   325
+                                buffer_init(&m);
   326
+                                mm_request_receive_expect(pmonitor->m_sendfd,
   327
+                                    MONITOR_REQ_PAM_ACCOUNT, &m);
   328
+                                authenticated = 
   329
+                                    mm_answer_pam_account(pmonitor->m_sendfd, &m);
   330
+                                buffer_free(&m);
   331
+                         }
   332
+#endif
   333
 			if (authenticated &&
   334
 			    !auth2_update_methods_lists(authctxt,
   335
 			    auth_method, auth_submethod)) {
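Review bot: The closing brace that ends the new per-method PAM account block sits one column off from its `if`, and the whole block is space-indented inside a tab-indented function; reindenting with tabs fixes both. Calling mm_answer_pam_account() directly here, rather than letting monitor_read() dispatch it, sidesteps whatever MON_PERMIT state the dispatch table holds for MONITOR_REQ_PAM_ACCOUNT, which is defensible only because `authenticated` has just been established for this method — that reasoning belongs in the comment: `/* called directly, not via the dispatch table: accepted only here, right after a successful method */`. The comment's grammar also wants `PAM needs to perform an account check for this service.` The enclosing loop body continues outside the hunk.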
   336
@@ -329,8 +356,21 @@ monitor_child_preauth(Authctxt *_authctx
   337
 			    !auth_root_allowed(auth_method))
   338
 				authenticated = 0;
   339
 #ifdef USE_PAM
   340
+#ifdef PAM_ENHANCEMENT
   341
+                        /*
   342
+                         * PAM needs to perform account checks after auth.
   343
+                         * However, if each userauth has its own PAM service
   344
+                         * and options.num_auth_methods != 0, then no need to
   345
+                         * perform account checking, because it was done 
   346
+                         * already.
   347
+                         */
   348
+                        if (options.use_pam && authenticated &&
   349
+                            !(options.num_auth_methods != 0 &&
   350
+                            options.pam_service_per_authmethod)) {
   351
+#else
   352
 			/* PAM needs to perform account checks after auth */
   353
 			if (options.use_pam && authenticated) {
   354
+#endif
   355
 				Buffer m;
   356
 
   357
 				buffer_init(&m);
   358
@@ -770,6 +810,10 @@ mm_answer_pwnamallow(int sock, Buffer *m
   359
 	/* Allow service/style information on the auth context */
   360
 	monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
   361
 	monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
   362
+#ifdef PAM_ENHANCEMENT
   363
+	/* Allow authmethod information on the auth context */
   364
+	monitor_permit(mon_dispatch, MONITOR_REQ_AUTHMETHOD, 1);
   365
+#endif
   366
 
   367
 #ifdef USE_PAM
   368
 	if (options.use_pam)
   369
@@ -810,6 +854,24 @@ mm_answer_authserv(int sock, Buffer *m)
   370
 	return (0);
   371
 }
   372
 
   373
+#ifdef PAM_ENHANCEMENT
   374
+int
   375
+mm_answer_authmethod(int sock, Buffer *m)
   376
+{
   377
+	monitor_permit_authentications(1);
   378
+
   379
+	authctxt->authmethod_name = buffer_get_string(m, NULL);
   380
+	debug3("%s: authmethod_name=%s", __func__, authctxt->authmethod_name);
   381
+
   382
+	if (strlen(authctxt->authmethod_name) == 0) {
   383
+		free(authctxt->authmethod_name);
   384
+		authctxt->authmethod_name = NULL;
   385
+	}
   386
+
   387
+	return (0);
   388
+}
   389
+#endif
   390
+
   391
 int
   392
 mm_answer_authpassword(int sock, Buffer *m)
   393
 {
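diff -pur old/monitor.h new/monitor.h
--- old/monitor.h
+++ new/monitor.h
@@ -65,6 +65,9 @@ enum monitor_reqtype {
 	MONITOR_REQ_PAM_FREE_CTX = 110, MONITOR_ANS_PAM_FREE_CTX = 111,
 	MONITOR_REQ_AUDIT_EVENT = 112, MONITOR_REQ_AUDIT_COMMAND = 113,
 
+#ifdef PAM_ENHANCEMENT
+        MONITOR_REQ_AUTHMETHOD = 114,
+#endif        
 };
 
 struct monitor {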
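Review bot: `MONITOR_REQ_AUTHMETHOD = 114,` is indented with spaces where every other member of enum monitor_reqtype uses a tab, and the `#endif` that follows it carries trailing whitespace; `	MONITOR_REQ_AUTHMETHOD = 114,` and a bare `#endif` keep the enum consistent. A short comment on the new constant would also help, since unlike its neighbours it has no MONITOR_ANS_ counterpart and the handler shown earlier in this patch (mm_answer_authmethod) sends no reply: `/* child -> monitor: name of the userauth method in progress; no answer */`. The dispatch-table entry that routes this request to mm_answer_authmethod is not in this chunk, so its presence is not confirmed here.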
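diff -pur old/monitor_wrap.c new/monitor_wrap.c
--- old/monitor_wrap.c
+++ new/monitor_wrap.c
@@ -345,6 +345,24 @@ mm_inform_authserv(char *service, char *
 	buffer_free(&m);
 }
 
+#ifdef PAM_ENHANCEMENT
+/* Inform the privileged process about the authentication method */
+void
+mm_inform_authmethod(char *authmethod)
+{
+	Buffer m;
+
+	debug3("%s entering", __func__);
+
+	buffer_init(&m);
+	buffer_put_cstring(&m, authmethod);
+
+	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHMETHOD, &m);
+
+	buffer_free(&m);
+}
+#endif
+
 /* Do the password authentication */
 int
 mm_auth_password(Authctxt *authctxt, char *password)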
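Review bot: mm_inform_authmethod takes `char *authmethod` but only reads it through buffer_put_cstring, so the parameter should be `const char *authmethod`; the matching prototype in monitor_wrap.h is outside this chunk and would need the same change. buffer_put_cstring does not accept a NULL string (it is fatal, as far as I recall), and the receiving side of this request earlier in the patch (mm_answer_authmethod) turns an empty string into a NULL authmethod_name, so that contract belongs in the header comment: `/* Inform the privileged process about the authentication method; authmethod must be non-NULL, "" clears it */`. Note also that mm_answer_authmethod assigns authctxt->authmethod_name without freeing the previous value, so if this wrapper is sent once per userauth request the earlier strings leak unless they are released somewhere not visible here.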
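diff -pur old/servconf.c new/servconf.c
--- old/servconf.c
+++ new/servconf.c
@@ -156,6 +156,18 @@ initialize_server_options(ServerOptions
 	options->authorized_keys_command_user = NULL;
 	options->revoked_keys_file = NULL;
 	options->trusted_user_ca_keys = NULL;
+#ifdef PAM_ENHANCEMENT
+	options->pam_service_name = NULL;
+	options->pam_service_prefix = NULL;
+
+	/* 
+	 * Each user method will have its own PAM service by default.
+	 * However, if PAMServiceName is specified or the protocal version
+	 * is not compat20, then there will be only one PAM service for the
+	 * entire user authentication.
+	 */
+	options->pam_service_per_authmethod = 1;
+#endif
 	options->authorized_principals_file = NULL;
 	options->authorized_principals_command = NULL;
 	options->authorized_principals_command_user = NULL;
@@ -330,6 +342,12 @@ fill_default_server_options(ServerOption
 		options->ip_qos_bulk = IPTOS_THROUGHPUT;
 	if (options->version_addendum == NULL)
 		options->version_addendum = xstrdup("");
+
+#ifdef PAM_ENHANCEMENT
+	if (options->pam_service_prefix == NULL)
+		options->pam_service_prefix = _SSH_PAM_SERVICE_PREFIX;
+#endif
+
 	if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
 		options->fwd_opts.streamlocal_bind_mask = 0177;
 	if (options->fwd_opts.streamlocal_bind_unlink == -1)
@@ -416,6 +434,9 @@ typedef enum {
 	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
 	sUsePrivilegeSeparation, sAllowAgentForwarding,
 	sHostCertificate,
+#ifdef PAM_ENHANCEMENT
+	sPAMServicePrefix, sPAMServiceName,
+#endif
 	sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
 	sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser,
 	sKexAlgorithms, sIPQoS, sVersionAddendum,
@@ -554,6 +575,10 @@ static struct {
 	{ "forcecommand", sForceCommand, SSHCFG_ALL },
 	{ "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
 	{ "hostcertificate", sHostCertificate, SSHCFG_GLOBAL },
+#ifdef PAM_ENHANCEMENT
+	{ "pamserviceprefix", sPAMServicePrefix, SSHCFG_GLOBAL },
+	{ "pamservicename", sPAMServiceName, SSHCFG_GLOBAL },
+#endif
 	{ "revokedkeys", sRevokedKeys, SSHCFG_ALL },
 	{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
 	{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
@@ -1854,6 +1879,37 @@ process_server_config_line(ServerOptions
 			options->fingerprint_hash = value;
 		break;
 
+	case sPAMServicePrefix:
+		arg = strdelim(&cp);
+		if (!arg || *arg == '\0')
+			fatal("%s line %d: Missing argument.",
+			    filename, linenum);
+		if (options->pam_service_name != NULL)
+			fatal("%s line %d: PAMServiceName and PAMServicePrefix"
+			    " are mutually exclusive.", filename, linenum);
+		if (options->pam_service_prefix == NULL)
+			options->pam_service_prefix = xstrdup(arg);
+		break;
+
+	case sPAMServiceName:
+		arg = strdelim(&cp);
+		if (!arg || *arg == '\0')
+			fatal("%s line %d: Missing argument.",
+			    filename, linenum);
+		if (options->pam_service_prefix != NULL)
+			fatal("%s line %d: PAMServiceName and PAMServicePrefix"
+			    " are mutually exclusive.", filename, linenum);
+		if (options->pam_service_name == NULL) {
+			options->pam_service_name = xstrdup(arg);
+
+			/*
+			 * When this option is specified, we will not have
+			 * PAM service for each auth method.
+                         */
+			options->pam_service_per_authmethod = 0;
+		}
+		break;
+
 	case sDeprecated:
 	case sIgnore:
 	case sUnsupported: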
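Review bot: In the fill_default_server_options hunk the default `options->pam_service_prefix = _SSH_PAM_SERVICE_PREFIX;` stores a string literal in a field that process_server_config_line otherwise fills with `xstrdup(arg)`, so the field's ownership depends on whether the option was configured and any later free of it would be undefined behaviour; the neighbouring version_addendum default uses `xstrdup("")`, so `options->pam_service_prefix = xstrdup(_SSH_PAM_SERVICE_PREFIX);` keeps ownership uniform. The comment added in initialize_server_options also has a typo, `protocal` for `protocol`. The option-enum, keyword-table and case-label hunks look consistent with their neighbours, and SSHCFG_GLOBAL on both keywords seems right for a setting that selects the PAM service before the user is authenticated.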
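diff -pur old/servconf.h new/servconf.h
--- old/servconf.h
+++ new/servconf.h
@@ -54,6 +54,10 @@
 /* Magic name for internal sftp-server */
 #define INTERNAL_SFTP_NAME	"internal-sftp"
 
+#ifdef PAM_ENHANCEMENT
+#define _SSH_PAM_SERVICE_PREFIX "sshd"
+#endif
+
 typedef struct {
 	u_int	num_ports;
 	u_int	ports_from_cmdline;
@@ -188,6 +192,12 @@ typedef struct {
 	u_int	num_auth_methods;
 	char   *auth_methods[MAX_AUTH_METHODS];
 
+#ifdef PAM_ENHANCEMENT
+	char   *pam_service_prefix;
+	char   *pam_service_name;
+	int	pam_service_per_authmethod;
+#endif
+        
 	int	fingerprint_hash;
 }       ServerOptions;
 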
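Review bot: `_SSH_PAM_SERVICE_PREFIX` begins with an underscore followed by an uppercase letter, a form the C standard reserves for the implementation in all scopes (C11 7.1.3), so it can collide with system headers; renaming it `SSH_PAM_SERVICE_PREFIX` here and at its one use in fill_default_server_options (servconf.c, earlier in this patch) avoids that. The three new ServerOptions fields would read better with a comment each, for example `char   *pam_service_prefix;	/* PAMServicePrefix, prefix of the per-method PAM service names */`, `char   *pam_service_name;	/* PAMServiceName, one PAM service for all methods; NULL if unset */` and `int	pam_service_per_authmethod;	/* 1 = one PAM service per userauth method, cleared when PAMServiceName is set */`, matching what servconf.c does with them. The line after the `#endif` is eight spaces rather than empty and should be blank.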
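diff -pur old/sshd.8 new/sshd.8
--- old/sshd.8
+++ new/sshd.8
@@ -920,6 +920,33 @@ concurrently for different ports, this c
 started last).
 The content of this file is not sensitive; it can be world-readable.
 .El
+
+.Sh SECURITY
+sshd uses pam(3PAM) for password and keyboard-interactive methods as well as 
+for account management, session management, and the password management for all
+authentication methods.
+.Pp
+Each SSHv2 userauth type has its own PAM service name:
+
+.Bd -literal -offset 3n
+
+-----------------------------------------------
+| SSHv2 Userauth       | PAM Service Name     |
+-----------------------------------------------
+| none                 | sshd-none            |
+-----------------------------------------------
+| password             | sshd-password        |
+-----------------------------------------------
+| keyboard-interactive | sshd-kbdint          |
+-----------------------------------------------
+| pubkey               | sshd-pubkey          |
+-----------------------------------------------
+| hostbased            | sshd-hostbased       |
+-----------------------------------------------
+| gssapi-with-mic      | sshd-gssapi          |
+-----------------------------------------------
+.Ed
+
 .Sh SEE ALSO
 .Xr scp 1 ,
 .Xr sftp 1 ,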
diff -pur old/sshd_config.5 new/sshd_config.5
   594
--- old/sshd_config.5
   595
+++ new/sshd_config.5
   596
@@ -813,6 +813,21 @@ is set to
   597
 .Cm yes ) .
   598
 .It Cm KerberosAuthentication
   599
 Specifies whether the password provided by the user for
   600
+.It Cm PAMServiceName
   601
+Specifies the PAM service name for the PAM session. The PAMServiceName and 
   602
+PAMServicePrefix options are mutually exclusive and if both set, sshd does not
   603
+start. If this option is set the service name is the same for all user 
   604
+authentication methods. The option has no default value. See PAMServicePrefix 
   605
+for more information.
   606
+.It Cm PAMServicePrefix
   607
+Specifies the PAM service name prefix for service names used for individual 
   608
+user authentication methods. The default is sshd. The PAMServiceName and 
   609
+PAMServicePrefix options are mutually exclusive and if both set, sshd does not 
   610
+start.
   611
+.Pp
   612
+For example, if this option is set to admincli, the service name for the 
   613
+keyboard-interactive authentication method is admincli-kbdint instead of the 
   614
+default sshd-kbdint.
   615
 .Cm PasswordAuthentication
   616
 will be validated through the Kerberos KDC.
   617
 To use this option, the server needs a
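Review bot: The fifteen added lines, from `+.It Cm PAMServiceName` to `+default sshd-kbdint.`, are anchored between the context lines `Specifies whether the password provided by the user for` and `.Cm PasswordAuthentication`, which is the middle of the KerberosAuthentication entry; the rendered page would cut that sentence in half and present the two PAM options as part of the Kerberos description. The context lines of this hunk appear to have drifted during the 7.4 rebase, since the blame shows they were rewritten in the 7.4 changeset while the added text dates from 7.1. The fix is to re-anchor the hunk so the new `.It` entries start after the `.Cm no .` line that closes the KerberosAuthentication entry, or at their alphabetical position immediately before `.It Cm PasswordAuthentication`, and to verify the result with `mandoc -Tlint`. Because these two options select which PAM stack authenticates a user, mis-rendered documentation here is more than cosmetic: an administrator reading the page would not find them where expected.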
   618
@@ -1472,8 +1487,7 @@ If
   619
 is enabled, you will not be able to run
   620
 .Xr sshd 8
   621
 as a non-root user.
   622
-The default is
   623
-.Cm no .
   624
++On Solaris, the option is always enabled.
   625
 .It Cm UsePrivilegeSeparation
   626
 Specifies whether
   627
 .Xr sshd 8
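Review bot: The added line `++On Solaris, the option is always enabled.` carries two `+` markers, so the text written into sshd_config.5 begins with a literal `+` and the man page would render as `+On Solaris, the option is always enabled.`; unless that leading `+` is deliberate, the line should read `+On Solaris, the option is always enabled.`. The `.It Cm` heading this paragraph belongs to is above the hunk, so I am inferring from the surrounding text that this is the UsePAM entry. The hunk also removes `The default is .Cm no .` without saying what happens when an administrator explicitly sets the option to `no`, which matters because it decides whether PAM account and authentication checks run at all; if the value is rejected or ignored, a sentence such as `Setting it to .Cm no is not supported on Solaris.` (adjusted to the actual behavior) would close that gap.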