author | Jan Parcel <jan.parcel@oracle.com> |
Tue, 25 Apr 2017 15:08:28 -0700 | |
branch | s11u3-sru |
changeset 7946 | 165bf092aa9c |
parent 5324 | 5683175b6e99 |
permissions | -rw-r--r-- |
3946
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
1 |
# |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
2 |
# This patch contains a couple of PAM enhancements: |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
3 |
# 1) Each SSHv2 userauth method has its own PAM service name so that PAM can |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
4 |
# be used to control what userauth methods are allowed. |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
5 |
# 2) The PAMServiceName and PAMServicePrefix options. |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
6 |
# |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
7 |
# We have contributed back this feature to the OpenSSH upstream community. |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
8 |
# For more information, see https://bugzilla.mindrot.org/show_bug.cgi?id=2246 |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
9 |
# In the future, if these enhancements are accepted by the upsteam in a |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
10 |
# later release, we will remove this patch when we upgrade to that release. |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
11 |
# |
5324
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
12 |
diff -pur old/auth-pam.c new/auth-pam.c |
7946
165bf092aa9c
PSARC/2017/022 OpenSSH 7.4
Jan Parcel <jan.parcel@oracle.com>
parents:
5324
diff
changeset
|
13 |
--- old/auth-pam.c |
165bf092aa9c
PSARC/2017/022 OpenSSH 7.4
Jan Parcel <jan.parcel@oracle.com>
parents:
5324
diff
changeset
|
14 |
+++ new/auth-pam.c |
5324
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
15 |
@@ -617,6 +617,72 @@ sshpam_cleanup(void) |
3946
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
16 |
sshpam_handle = NULL; |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
17 |
} |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
18 |
|
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
19 |
+#ifdef PAM_ENHANCEMENT |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
20 |
+char * |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
21 |
+derive_pam_service_name(Authctxt *authctxt) |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
22 |
+{ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
23 |
+ char *svcname = xmalloc(BUFSIZ); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
24 |
+ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
25 |
+ /* |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
26 |
+ * If PamServiceName is set we use that for everything, including |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
27 |
+ * SSHv1 |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
28 |
+ */ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
29 |
+ if (options.pam_service_name != NULL) { |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
30 |
+ (void) strlcpy(svcname, options.pam_service_name, BUFSIZ); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
31 |
+ return (svcname); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
32 |
+ } |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
33 |
+ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
34 |
+ if (compat20) { |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
35 |
+ char *method_name = authctxt->authmethod_name; |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
36 |
+ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
37 |
+ if (!method_name) |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
38 |
+ fatal("Userauth method unknown while starting PAM"); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
39 |
+ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
40 |
+ /* |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
41 |
+ * For SSHv2 we use "sshd-<userauth name> |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
42 |
+ * The "sshd" prefix can be changed via the PAMServicePrefix |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
43 |
+ * sshd_config option. |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
44 |
+ */ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
45 |
+ if (strcmp(method_name, "none") == 0) { |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
46 |
+ snprintf(svcname, BUFSIZ, "%s-none", |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
47 |
+ options.pam_service_prefix); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
48 |
+ } |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
49 |
+ if (strcmp(method_name, "password") == 0) { |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
50 |
+ snprintf(svcname, BUFSIZ, "%s-password", |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
51 |
+ options.pam_service_prefix); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
52 |
+ } |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
53 |
+ if (strcmp(method_name, "keyboard-interactive") == 0) { |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
54 |
+ /* "keyboard-interactive" is too long, shorten it */ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
55 |
+ snprintf(svcname, BUFSIZ, "%s-kbdint", |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
56 |
+ options.pam_service_prefix); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
57 |
+ } |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
58 |
+ if (strcmp(method_name, "publickey") == 0) { |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
59 |
+ /* "publickey" is too long, shorten it */ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
60 |
+ snprintf(svcname, BUFSIZ, "%s-pubkey", |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
61 |
+ options.pam_service_prefix); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
62 |
+ } |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
63 |
+ if (strcmp(method_name, "hostbased") == 0) { |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
64 |
+ snprintf(svcname, BUFSIZ, "%s-hostbased", |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
65 |
+ options.pam_service_prefix); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
66 |
+ } |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
67 |
+ if (strncmp(method_name, "gssapi-", 7) == 0) { |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
68 |
+ /* |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
69 |
+ * Although OpenSSH only supports "gssapi-with-mic" |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
70 |
+ * for now. We will still map any userauth method |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
71 |
+ * prefixed with "gssapi-" to the gssapi PAM service. |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
72 |
+ */ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
73 |
+ snprintf(svcname, BUFSIZ, "%s-gssapi", |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
74 |
+ options.pam_service_prefix); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
75 |
+ } |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
76 |
+ return svcname; |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
77 |
+ } else { |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
78 |
+ /* SSHv1 doesn't get to be so cool */ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
79 |
+ snprintf(svcname, BUFSIZ, "sshd-v1"); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
80 |
+ } |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
81 |
+ return svcname; |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
82 |
+} |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
83 |
+#endif /* PAM_ENHANCEMENT */ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
84 |
+ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
85 |
static int |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
86 |
sshpam_init(Authctxt *authctxt) |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
87 |
{ |
5324
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
88 |
@@ -624,18 +690,71 @@ sshpam_init(Authctxt *authctxt) |
3946
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
89 |
const char **ptr_pam_user = &pam_user; |
7946
165bf092aa9c
PSARC/2017/022 OpenSSH 7.4
Jan Parcel <jan.parcel@oracle.com>
parents:
5324
diff
changeset
|
90 |
struct ssh *ssh = active_state; /* XXX */ |
3946
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
91 |
|
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
92 |
+#ifdef PAM_ENHANCEMENT |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
93 |
+ const char *pam_service; |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
94 |
+ const char **ptr_pam_service = &pam_service; |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
95 |
+ char *svc = NULL; |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
96 |
+ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
97 |
+ svc = derive_pam_service_name(authctxt); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
98 |
+ debug3("PAM service is %s", svc); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
99 |
+#endif |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
100 |
+ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
101 |
if (sshpam_handle != NULL) { |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
102 |
+#ifdef PAM_ENHANCEMENT |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
103 |
+ /* get the pam service name */ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
104 |
+ sshpam_err = pam_get_item(sshpam_handle, |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
105 |
+ PAM_SERVICE, (sshpam_const void **)ptr_pam_service); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
106 |
+ if (sshpam_err != PAM_SUCCESS) |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
107 |
+ fatal("Failed to get the PAM service name"); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
108 |
+ debug3("Previous pam_service is %s", pam_service ? |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
109 |
+ pam_service : "NULL"); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
110 |
+ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
111 |
+ /* get the pam user name */ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
112 |
+ sshpam_err = pam_get_item(sshpam_handle, |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
113 |
+ PAM_USER, (sshpam_const void **)ptr_pam_user); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
114 |
+ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
115 |
+ /* |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
116 |
+ * only need to re-start if either user or service is |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
117 |
+ * different. |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
118 |
+ */ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
119 |
+ if (sshpam_err == PAM_SUCCESS && strcmp(user, pam_user) == 0 |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
120 |
+ && strncmp(svc, pam_service, strlen(svc)) == 0) { |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
121 |
+ free(svc); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
122 |
+ return (0); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
123 |
+ } |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
124 |
+ |
4098
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
125 |
+ /* |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
126 |
+ * Clean up previous PAM state. No need to clean up session |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
127 |
+ * and creds. |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
128 |
+ */ |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
129 |
+ sshpam_authenticated = 0; |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
130 |
+ sshpam_account_status = -1; |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
131 |
+ |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
132 |
+ sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, NULL); |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
133 |
+ if (sshpam_err != PAM_SUCCESS) |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
134 |
+ debug3("Cannot remove PAM conv"); /* a warning only */ |
3946
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
135 |
+#else /* Original */ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
136 |
/* We already have a PAM context; check if the user matches */ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
137 |
sshpam_err = pam_get_item(sshpam_handle, |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
138 |
PAM_USER, (sshpam_const void **)ptr_pam_user); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
139 |
if (sshpam_err == PAM_SUCCESS && strcmp(user, pam_user) == 0) |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
140 |
return (0); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
141 |
+#endif /* PAM_ENHANCEMENT */ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
142 |
pam_end(sshpam_handle, sshpam_err); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
143 |
sshpam_handle = NULL; |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
144 |
} |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
145 |
debug("PAM: initializing for \"%s\"", user); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
146 |
+ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
147 |
+#ifdef PAM_ENHANCEMENT |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
148 |
+ debug3("Starting PAM service %s for user %s method %s", svc, user, |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
149 |
+ authctxt->authmethod_name); |
5324
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
150 |
+ sshpam_err = |
3946
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
151 |
+ pam_start(svc, user, &store_conv, &sshpam_handle); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
152 |
+ free(svc); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
153 |
+#else /* Original */ |
5324
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
154 |
sshpam_err = |
3946
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
155 |
pam_start(SSHD_PAM_SERVICE, user, &store_conv, &sshpam_handle); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
156 |
+#endif |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
157 |
sshpam_authctxt = authctxt; |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
158 |
|
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
159 |
if (sshpam_err != PAM_SUCCESS) { |
5324
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
160 |
diff -pur old/auth.h new/auth.h |
7946
165bf092aa9c
PSARC/2017/022 OpenSSH 7.4
Jan Parcel <jan.parcel@oracle.com>
parents:
5324
diff
changeset
|
161 |
--- old/auth.h |
165bf092aa9c
PSARC/2017/022 OpenSSH 7.4
Jan Parcel <jan.parcel@oracle.com>
parents:
5324
diff
changeset
|
162 |
+++ new/auth.h |
5324
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
163 |
@@ -81,6 +81,9 @@ struct Authctxt { |
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
164 |
|
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
165 |
struct sshkey **prev_userkeys; |
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
166 |
u_int nprev_userkeys; |
3946
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
167 |
+#ifdef PAM_ENHANCEMENT |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
168 |
+ char *authmethod_name; |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
169 |
+#endif |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
170 |
}; |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
171 |
/* |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
172 |
* Every authentication method has to handle authentication requests for |
5324
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
173 |
diff -pur old/auth2.c new/auth2.c |
7946
165bf092aa9c
PSARC/2017/022 OpenSSH 7.4
Jan Parcel <jan.parcel@oracle.com>
parents:
5324
diff
changeset
|
174 |
--- old/auth2.c |
165bf092aa9c
PSARC/2017/022 OpenSSH 7.4
Jan Parcel <jan.parcel@oracle.com>
parents:
5324
diff
changeset
|
175 |
+++ new/auth2.c |
5324
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
176 |
@@ -243,10 +243,21 @@ input_userauth_request(int type, u_int32 |
3946
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
177 |
PRIVSEP(audit_event(SSH_INVALID_USER)); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
178 |
#endif |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
179 |
} |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
180 |
+ |
4098
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
181 |
+ |
3946
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
182 |
#ifdef USE_PAM |
4098
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
183 |
+#ifdef PAM_ENHANCEMENT |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
184 |
+ /* |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
185 |
+ * Start PAM here and once only, if each userauth does not |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
186 |
+ * has its own PAM service. |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
187 |
+ */ |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
188 |
+ if (options.use_pam && !options.pam_service_per_authmethod) |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
189 |
+ PRIVSEP(start_pam(authctxt)); |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
190 |
+#else |
3946
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
191 |
if (options.use_pam) |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
192 |
PRIVSEP(start_pam(authctxt)); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
193 |
#endif |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
194 |
+#endif |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
195 |
setproctitle("%s%s", authctxt->valid ? user : "unknown", |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
196 |
use_privsep ? " [net]" : ""); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
197 |
authctxt->service = xstrdup(service); |
5324
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
198 |
@@ -277,6 +288,18 @@ input_userauth_request(int type, u_int32 |
3946
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
199 |
/* try to authenticate user */ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
200 |
m = authmethod_lookup(authctxt, method); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
201 |
if (m != NULL && authctxt->failures < options.max_authtries) { |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
202 |
+ |
4098
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
203 |
+#if defined(USE_PAM) && defined(PAM_ENHANCEMENT) |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
204 |
+ /* start PAM service for each userauth */ |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
205 |
+ if (options.use_pam && options.pam_service_per_authmethod) { |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
206 |
+ if (authctxt->authmethod_name != NULL) |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
207 |
+ free(authctxt->authmethod_name); |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
208 |
+ authctxt->authmethod_name = xstrdup(method); |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
209 |
+ if (use_privsep) |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
210 |
+ mm_inform_authmethod(method); |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
211 |
+ PRIVSEP(start_pam(authctxt)); |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
212 |
+ } |
3946
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
213 |
+#endif |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
214 |
debug2("input_userauth_request: try method %s", method); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
215 |
authenticated = m->userauth(authctxt); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
216 |
} |
5324
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
217 |
@@ -295,6 +318,10 @@ userauth_finish(Authctxt *authctxt, int |
3946
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
218 |
char *methods; |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
219 |
int partial = 0; |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
220 |
|
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
221 |
+#ifdef PAM_ENHANCEMENT |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
222 |
+ debug3("%s: entering", __func__); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
223 |
+#endif |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
224 |
+ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
225 |
if (!authctxt->valid && authenticated) |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
226 |
fatal("INTERNAL ERROR: authenticated invalid user %s", |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
227 |
authctxt->user); |
5324
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
228 |
@@ -311,6 +338,25 @@ userauth_finish(Authctxt *authctxt, int |
4098
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
229 |
} |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
230 |
|
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
231 |
if (authenticated && options.num_auth_methods != 0) { |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
232 |
+ |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
233 |
+#if defined(USE_PAM) && defined(PAM_ENHANCEMENT) |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
234 |
+ /* |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
235 |
+ * If each userauth has its own PAM service, then PAM need to |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
236 |
+ * perform account check for this service. |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
237 |
+ */ |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
238 |
+ if (options.use_pam && options.pam_service_per_authmethod && |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
239 |
+ !PRIVSEP(do_pam_account())) { |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
240 |
+ /* if PAM returned a message, send it to the user */ |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
241 |
+ if (buffer_len(&loginmsg) > 0) { |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
242 |
+ buffer_append(&loginmsg, "\0", 1); |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
243 |
+ userauth_send_banner(buffer_ptr(&loginmsg)); |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
244 |
+ packet_write_wait(); |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
245 |
+ } |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
246 |
+ |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
247 |
+ fatal("Access denied for user %s by PAM account " |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
248 |
+ "configuration", authctxt->user); |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
249 |
+ } |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
250 |
+#endif |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
251 |
if (!auth2_update_methods_lists(authctxt, method, submethod)) { |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
252 |
authenticated = 0; |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
253 |
partial = 1; |
5324
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
254 |
@@ -324,7 +370,20 @@ userauth_finish(Authctxt *authctxt, int |
4098
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
255 |
return; |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
256 |
|
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
257 |
#ifdef USE_PAM |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
258 |
+ |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
259 |
+#ifdef PAM_ENHANCEMENT |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
260 |
+ /* |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
261 |
+ * PAM needs to perform account checks after auth. However, if each |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
262 |
+ * userauth has its own PAM service and options.num_auth_methods != 0, |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
263 |
+ * then no need to perform account checking, because it was done |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
264 |
+ * already. |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
265 |
+ */ |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
266 |
+ if (options.use_pam && authenticated && |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
267 |
+ !(options.num_auth_methods != 0 && |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
268 |
+ options.pam_service_per_authmethod)){ |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
269 |
+#else |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
270 |
if (options.use_pam && authenticated) { |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
271 |
+#endif |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
272 |
if (!PRIVSEP(do_pam_account())) { |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
273 |
/* if PAM returned a message, send it to the user */ |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
274 |
if (buffer_len(&loginmsg) > 0) { |
5324
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
275 |
@@ -615,5 +674,3 @@ auth2_update_methods_lists(Authctxt *aut |
3946
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
276 |
fatal("%s: method not in AuthenticationMethods", __func__); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
277 |
return 0; |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
278 |
} |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
279 |
- |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
280 |
- |
5324
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
281 |
diff -pur old/monitor.c new/monitor.c |
7946
165bf092aa9c
PSARC/2017/022 OpenSSH 7.4
Jan Parcel <jan.parcel@oracle.com>
parents:
5324
diff
changeset
|
282 |
--- old/monitor.c |
165bf092aa9c
PSARC/2017/022 OpenSSH 7.4
Jan Parcel <jan.parcel@oracle.com>
parents:
5324
diff
changeset
|
283 |
+++ new/monitor.c |
5324
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
284 |
@@ -127,6 +127,9 @@ int mm_answer_sign(int, Buffer *); |
3946
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
285 |
int mm_answer_pwnamallow(int, Buffer *); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
286 |
int mm_answer_auth2_read_banner(int, Buffer *); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
287 |
int mm_answer_authserv(int, Buffer *); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
288 |
+#ifdef PAM_ENHANCEMENT |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
289 |
+int mm_answer_authmethod(int, Buffer *); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
290 |
+#endif |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
291 |
int mm_answer_authpassword(int, Buffer *); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
292 |
int mm_answer_bsdauthquery(int, Buffer *); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
293 |
int mm_answer_bsdauthrespond(int, Buffer *); |
7946
165bf092aa9c
PSARC/2017/022 OpenSSH 7.4
Jan Parcel <jan.parcel@oracle.com>
parents:
5324
diff
changeset
|
294 |
@@ -202,10 +205,17 @@ struct mon_table mon_dispatch_proto20[] |
3946
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
295 |
{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
296 |
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
297 |
{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
298 |
+#ifdef PAM_ENHANCEMENT |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
299 |
+ {MONITOR_REQ_AUTHMETHOD, MON_ISAUTH, mm_answer_authmethod}, |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
300 |
+#endif |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
301 |
{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
302 |
{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
303 |
#ifdef USE_PAM |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
304 |
+#ifdef PAM_ENHANCEMENT |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
305 |
+ {MONITOR_REQ_PAM_START, MON_ISAUTH, mm_answer_pam_start}, |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
306 |
+#else |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
307 |
{MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start}, |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
308 |
+#endif |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
309 |
{MONITOR_REQ_PAM_ACCOUNT, 0, mm_answer_pam_account}, |
7946
165bf092aa9c
PSARC/2017/022 OpenSSH 7.4
Jan Parcel <jan.parcel@oracle.com>
parents:
5324
diff
changeset
|
310 |
{MONITOR_REQ_PAM_INIT_CTX, MON_ONCE, mm_answer_pam_init_ctx}, |
165bf092aa9c
PSARC/2017/022 OpenSSH 7.4
Jan Parcel <jan.parcel@oracle.com>
parents:
5324
diff
changeset
|
311 |
{MONITOR_REQ_PAM_QUERY, 0, mm_answer_pam_query}, |
165bf092aa9c
PSARC/2017/022 OpenSSH 7.4
Jan Parcel <jan.parcel@oracle.com>
parents:
5324
diff
changeset
|
312 |
@@ -311,6 +321,23 @@ monitor_child_preauth(Authctxt *_authctx |
165bf092aa9c
PSARC/2017/022 OpenSSH 7.4
Jan Parcel <jan.parcel@oracle.com>
parents:
5324
diff
changeset
|
313 |
|
165bf092aa9c
PSARC/2017/022 OpenSSH 7.4
Jan Parcel <jan.parcel@oracle.com>
parents:
5324
diff
changeset
|
314 |
/* Special handling for multiple required authentications */ |
165bf092aa9c
PSARC/2017/022 OpenSSH 7.4
Jan Parcel <jan.parcel@oracle.com>
parents:
5324
diff
changeset
|
315 |
if (options.num_auth_methods != 0) { |
4098
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
316 |
+#if defined(USE_PAM) && defined(PAM_ENHANCEMENT) |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
317 |
+ /* |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
318 |
+ * If each userauth has its own PAM service, then PAM |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
319 |
+ * need to perform account check for this service. |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
320 |
+ */ |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
321 |
+ if (options.use_pam && authenticated && |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
322 |
+ options.pam_service_per_authmethod) { |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
323 |
+ Buffer m; |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
324 |
+ |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
325 |
+ buffer_init(&m); |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
326 |
+ mm_request_receive_expect(pmonitor->m_sendfd, |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
327 |
+ MONITOR_REQ_PAM_ACCOUNT, &m); |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
328 |
+ authenticated = |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
329 |
+ mm_answer_pam_account(pmonitor->m_sendfd, &m); |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
330 |
+ buffer_free(&m); |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
331 |
+ } |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
332 |
+#endif |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
333 |
if (authenticated && |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
334 |
!auth2_update_methods_lists(authctxt, |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
335 |
auth_method, auth_submethod)) { |
7946
165bf092aa9c
PSARC/2017/022 OpenSSH 7.4
Jan Parcel <jan.parcel@oracle.com>
parents:
5324
diff
changeset
|
336 |
@@ -329,8 +356,21 @@ monitor_child_preauth(Authctxt *_authctx |
4098
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
337 |
!auth_root_allowed(auth_method)) |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
338 |
authenticated = 0; |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
339 |
#ifdef USE_PAM |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
340 |
+#ifdef PAM_ENHANCEMENT |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
341 |
+ /* |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
342 |
+ * PAM needs to perform account checks after auth. |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
343 |
+ * However, if each userauth has its own PAM service |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
344 |
+ * and options.num_auth_methods != 0, then no need to |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
345 |
+ * perform account checking, because it was done |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
346 |
+ * already. |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
347 |
+ */ |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
348 |
+ if (options.use_pam && authenticated && |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
349 |
+ !(options.num_auth_methods != 0 && |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
350 |
+ options.pam_service_per_authmethod)) { |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
351 |
+#else |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
352 |
/* PAM needs to perform account checks after auth */ |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
353 |
if (options.use_pam && authenticated) { |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
354 |
+#endif |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
355 |
Buffer m; |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
356 |
|
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
357 |
buffer_init(&m); |
7946
165bf092aa9c
PSARC/2017/022 OpenSSH 7.4
Jan Parcel <jan.parcel@oracle.com>
parents:
5324
diff
changeset
|
358 |
@@ -770,6 +810,10 @@ mm_answer_pwnamallow(int sock, Buffer *m |
165bf092aa9c
PSARC/2017/022 OpenSSH 7.4
Jan Parcel <jan.parcel@oracle.com>
parents:
5324
diff
changeset
|
359 |
/* Allow service/style information on the auth context */ |
165bf092aa9c
PSARC/2017/022 OpenSSH 7.4
Jan Parcel <jan.parcel@oracle.com>
parents:
5324
diff
changeset
|
360 |
monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); |
165bf092aa9c
PSARC/2017/022 OpenSSH 7.4
Jan Parcel <jan.parcel@oracle.com>
parents:
5324
diff
changeset
|
361 |
monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); |
3946
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
362 |
+#ifdef PAM_ENHANCEMENT |
7946
165bf092aa9c
PSARC/2017/022 OpenSSH 7.4
Jan Parcel <jan.parcel@oracle.com>
parents:
5324
diff
changeset
|
363 |
+ /* Allow authmethod information on the auth context */ |
165bf092aa9c
PSARC/2017/022 OpenSSH 7.4
Jan Parcel <jan.parcel@oracle.com>
parents:
5324
diff
changeset
|
364 |
+ monitor_permit(mon_dispatch, MONITOR_REQ_AUTHMETHOD, 1); |
3946
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
365 |
+#endif |
7946
165bf092aa9c
PSARC/2017/022 OpenSSH 7.4
Jan Parcel <jan.parcel@oracle.com>
parents:
5324
diff
changeset
|
366 |
|
3946
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
367 |
#ifdef USE_PAM |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
368 |
if (options.use_pam) |
7946
165bf092aa9c
PSARC/2017/022 OpenSSH 7.4
Jan Parcel <jan.parcel@oracle.com>
parents:
5324
diff
changeset
|
369 |
@@ -810,6 +854,24 @@ mm_answer_authserv(int sock, Buffer *m) |
3946
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
370 |
return (0); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
371 |
} |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
372 |
|
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
373 |
+#ifdef PAM_ENHANCEMENT |
5324
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
374 |
+int |
3946
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
375 |
+mm_answer_authmethod(int sock, Buffer *m) |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
376 |
+{ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
377 |
+ monitor_permit_authentications(1); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
378 |
+ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
379 |
+ authctxt->authmethod_name = buffer_get_string(m, NULL); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
380 |
+ debug3("%s: authmethod_name=%s", __func__, authctxt->authmethod_name); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
381 |
+ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
382 |
+ if (strlen(authctxt->authmethod_name) == 0) { |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
383 |
+ free(authctxt->authmethod_name); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
384 |
+ authctxt->authmethod_name = NULL; |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
385 |
+ } |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
386 |
+ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
387 |
+ return (0); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
388 |
+} |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
389 |
+#endif |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
390 |
+ |
5324
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
391 |
int |
3946
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
392 |
mm_answer_authpassword(int sock, Buffer *m) |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
393 |
{ |
5324
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
394 |
diff -pur old/monitor.h new/monitor.h |
7946
165bf092aa9c
PSARC/2017/022 OpenSSH 7.4
Jan Parcel <jan.parcel@oracle.com>
parents:
5324
diff
changeset
|
395 |
--- old/monitor.h |
165bf092aa9c
PSARC/2017/022 OpenSSH 7.4
Jan Parcel <jan.parcel@oracle.com>
parents:
5324
diff
changeset
|
396 |
+++ new/monitor.h |
5324
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
397 |
@@ -65,6 +65,9 @@ enum monitor_reqtype { |
3946
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
398 |
MONITOR_REQ_PAM_FREE_CTX = 110, MONITOR_ANS_PAM_FREE_CTX = 111, |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
399 |
MONITOR_REQ_AUDIT_EVENT = 112, MONITOR_REQ_AUDIT_COMMAND = 113, |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
400 |
|
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
401 |
+#ifdef PAM_ENHANCEMENT |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
402 |
+ MONITOR_REQ_AUTHMETHOD = 114, |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
403 |
+#endif |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
404 |
}; |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
405 |
|
7946
165bf092aa9c
PSARC/2017/022 OpenSSH 7.4
Jan Parcel <jan.parcel@oracle.com>
parents:
5324
diff
changeset
|
406 |
struct monitor { |
5324
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
407 |
diff -pur old/monitor_wrap.c new/monitor_wrap.c |
7946
165bf092aa9c
PSARC/2017/022 OpenSSH 7.4
Jan Parcel <jan.parcel@oracle.com>
parents:
5324
diff
changeset
|
408 |
--- old/monitor_wrap.c |
165bf092aa9c
PSARC/2017/022 OpenSSH 7.4
Jan Parcel <jan.parcel@oracle.com>
parents:
5324
diff
changeset
|
409 |
+++ new/monitor_wrap.c |
165bf092aa9c
PSARC/2017/022 OpenSSH 7.4
Jan Parcel <jan.parcel@oracle.com>
parents:
5324
diff
changeset
|
410 |
@@ -345,6 +345,24 @@ mm_inform_authserv(char *service, char * |
5324
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
411 |
buffer_free(&m); |
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
412 |
} |
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
413 |
|
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
414 |
+#ifdef PAM_ENHANCEMENT |
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
415 |
+/* Inform the privileged process about the authentication method */ |
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
416 |
+void |
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
417 |
+mm_inform_authmethod(char *authmethod) |
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
418 |
+{ |
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
419 |
+ Buffer m; |
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
420 |
+ |
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
421 |
+ debug3("%s entering", __func__); |
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
422 |
+ |
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
423 |
+ buffer_init(&m); |
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
424 |
+ buffer_put_cstring(&m, authmethod); |
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
425 |
+ |
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
426 |
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHMETHOD, &m); |
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
427 |
+ |
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
428 |
+ buffer_free(&m); |
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
429 |
+} |
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
430 |
+#endif |
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
431 |
+ |
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
432 |
/* Do the password authentication */ |
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
433 |
int |
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
434 |
mm_auth_password(Authctxt *authctxt, char *password) |
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
435 |
diff -pur old/servconf.c new/servconf.c |
7946
165bf092aa9c
PSARC/2017/022 OpenSSH 7.4
Jan Parcel <jan.parcel@oracle.com>
parents:
5324
diff
changeset
|
436 |
--- old/servconf.c |
165bf092aa9c
PSARC/2017/022 OpenSSH 7.4
Jan Parcel <jan.parcel@oracle.com>
parents:
5324
diff
changeset
|
437 |
+++ new/servconf.c |
165bf092aa9c
PSARC/2017/022 OpenSSH 7.4
Jan Parcel <jan.parcel@oracle.com>
parents:
5324
diff
changeset
|
438 |
@@ -156,6 +156,18 @@ initialize_server_options(ServerOptions |
165bf092aa9c
PSARC/2017/022 OpenSSH 7.4
Jan Parcel <jan.parcel@oracle.com>
parents:
5324
diff
changeset
|
439 |
options->authorized_keys_command_user = NULL; |
165bf092aa9c
PSARC/2017/022 OpenSSH 7.4
Jan Parcel <jan.parcel@oracle.com>
parents:
5324
diff
changeset
|
440 |
options->revoked_keys_file = NULL; |
165bf092aa9c
PSARC/2017/022 OpenSSH 7.4
Jan Parcel <jan.parcel@oracle.com>
parents:
5324
diff
changeset
|
441 |
options->trusted_user_ca_keys = NULL; |
3946
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
442 |
+#ifdef PAM_ENHANCEMENT |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
443 |
+ options->pam_service_name = NULL; |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
444 |
+ options->pam_service_prefix = NULL; |
4098
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
445 |
+ |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
446 |
+ /* |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
447 |
+ * Each user method will have its own PAM service by default. |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
448 |
+ * However, if PAMServiceName is specified or the protocal version |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
449 |
+ * is not compat20, then there will be only one PAM service for the |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
450 |
+ * entire user authentication. |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
451 |
+ */ |
5324
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
452 |
+ options->pam_service_per_authmethod = 1; |
3946
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
453 |
+#endif |
7946
165bf092aa9c
PSARC/2017/022 OpenSSH 7.4
Jan Parcel <jan.parcel@oracle.com>
parents:
5324
diff
changeset
|
454 |
options->authorized_principals_file = NULL; |
165bf092aa9c
PSARC/2017/022 OpenSSH 7.4
Jan Parcel <jan.parcel@oracle.com>
parents:
5324
diff
changeset
|
455 |
options->authorized_principals_command = NULL; |
165bf092aa9c
PSARC/2017/022 OpenSSH 7.4
Jan Parcel <jan.parcel@oracle.com>
parents:
5324
diff
changeset
|
456 |
options->authorized_principals_command_user = NULL; |
165bf092aa9c
PSARC/2017/022 OpenSSH 7.4
Jan Parcel <jan.parcel@oracle.com>
parents:
5324
diff
changeset
|
457 |
@@ -330,6 +342,12 @@ fill_default_server_options(ServerOption |
3946
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
458 |
options->ip_qos_bulk = IPTOS_THROUGHPUT; |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
459 |
if (options->version_addendum == NULL) |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
460 |
options->version_addendum = xstrdup(""); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
461 |
+ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
462 |
+#ifdef PAM_ENHANCEMENT |
5324
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
463 |
+ if (options->pam_service_prefix == NULL) |
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
464 |
+ options->pam_service_prefix = _SSH_PAM_SERVICE_PREFIX; |
3946
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
465 |
+#endif |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
466 |
+ |
5324
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
467 |
if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1) |
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
468 |
options->fwd_opts.streamlocal_bind_mask = 0177; |
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
469 |
if (options->fwd_opts.streamlocal_bind_unlink == -1) |
7946
165bf092aa9c
PSARC/2017/022 OpenSSH 7.4
Jan Parcel <jan.parcel@oracle.com>
parents:
5324
diff
changeset
|
470 |
@@ -416,6 +434,9 @@ typedef enum { |
5324
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
471 |
sMatch, sPermitOpen, sForceCommand, sChrootDirectory, |
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
472 |
sUsePrivilegeSeparation, sAllowAgentForwarding, |
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
473 |
sHostCertificate, |
3946
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
474 |
+#ifdef PAM_ENHANCEMENT |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
475 |
+ sPAMServicePrefix, sPAMServiceName, |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
476 |
+#endif |
5324
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
477 |
sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, |
7946
165bf092aa9c
PSARC/2017/022 OpenSSH 7.4
Jan Parcel <jan.parcel@oracle.com>
parents:
5324
diff
changeset
|
478 |
sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser, |
5324
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
479 |
sKexAlgorithms, sIPQoS, sVersionAddendum, |
7946
165bf092aa9c
PSARC/2017/022 OpenSSH 7.4
Jan Parcel <jan.parcel@oracle.com>
parents:
5324
diff
changeset
|
480 |
@@ -554,6 +575,10 @@ static struct { |
5324
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
481 |
{ "forcecommand", sForceCommand, SSHCFG_ALL }, |
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
482 |
{ "chrootdirectory", sChrootDirectory, SSHCFG_ALL }, |
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
483 |
{ "hostcertificate", sHostCertificate, SSHCFG_GLOBAL }, |
3946
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
484 |
+#ifdef PAM_ENHANCEMENT |
5324
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
485 |
+ { "pamserviceprefix", sPAMServicePrefix, SSHCFG_GLOBAL }, |
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
486 |
+ { "pamservicename", sPAMServiceName, SSHCFG_GLOBAL }, |
3946
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
487 |
+#endif |
5324
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
488 |
{ "revokedkeys", sRevokedKeys, SSHCFG_ALL }, |
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
489 |
{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL }, |
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
490 |
{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL }, |
7946
165bf092aa9c
PSARC/2017/022 OpenSSH 7.4
Jan Parcel <jan.parcel@oracle.com>
parents:
5324
diff
changeset
|
491 |
@@ -1854,6 +1879,37 @@ process_server_config_line(ServerOptions |
5324
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
492 |
options->fingerprint_hash = value; |
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
493 |
break; |
3946
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
494 |
|
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
495 |
+ case sPAMServicePrefix: |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
496 |
+ arg = strdelim(&cp); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
497 |
+ if (!arg || *arg == '\0') |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
498 |
+ fatal("%s line %d: Missing argument.", |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
499 |
+ filename, linenum); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
500 |
+ if (options->pam_service_name != NULL) |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
501 |
+ fatal("%s line %d: PAMServiceName and PAMServicePrefix" |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
502 |
+ " are mutually exclusive.", filename, linenum); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
503 |
+ if (options->pam_service_prefix == NULL) |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
504 |
+ options->pam_service_prefix = xstrdup(arg); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
505 |
+ break; |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
506 |
+ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
507 |
+ case sPAMServiceName: |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
508 |
+ arg = strdelim(&cp); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
509 |
+ if (!arg || *arg == '\0') |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
510 |
+ fatal("%s line %d: Missing argument.", |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
511 |
+ filename, linenum); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
512 |
+ if (options->pam_service_prefix != NULL) |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
513 |
+ fatal("%s line %d: PAMServiceName and PAMServicePrefix" |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
514 |
+ " are mutually exclusive.", filename, linenum); |
4098
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
515 |
+ if (options->pam_service_name == NULL) { |
3946
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
516 |
+ options->pam_service_name = xstrdup(arg); |
4098
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
517 |
+ |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
518 |
+ /* |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
519 |
+ * When this option is specified, we will not have |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
520 |
+ * PAM service for each auth method. |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
521 |
+ */ |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
522 |
+ options->pam_service_per_authmethod = 0; |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
523 |
+ } |
3946
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
524 |
+ break; |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
525 |
+ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
526 |
case sDeprecated: |
7946
165bf092aa9c
PSARC/2017/022 OpenSSH 7.4
Jan Parcel <jan.parcel@oracle.com>
parents:
5324
diff
changeset
|
527 |
case sIgnore: |
165bf092aa9c
PSARC/2017/022 OpenSSH 7.4
Jan Parcel <jan.parcel@oracle.com>
parents:
5324
diff
changeset
|
528 |
case sUnsupported: |
5324
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
529 |
diff -pur old/servconf.h new/servconf.h |
7946
165bf092aa9c
PSARC/2017/022 OpenSSH 7.4
Jan Parcel <jan.parcel@oracle.com>
parents:
5324
diff
changeset
|
530 |
--- old/servconf.h |
165bf092aa9c
PSARC/2017/022 OpenSSH 7.4
Jan Parcel <jan.parcel@oracle.com>
parents:
5324
diff
changeset
|
531 |
+++ new/servconf.h |
3946
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
532 |
@@ -54,6 +54,10 @@ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
533 |
/* Magic name for internal sftp-server */ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
534 |
#define INTERNAL_SFTP_NAME "internal-sftp" |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
535 |
|
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
536 |
+#ifdef PAM_ENHANCEMENT |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
537 |
+#define _SSH_PAM_SERVICE_PREFIX "sshd" |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
538 |
+#endif |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
539 |
+ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
540 |
typedef struct { |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
541 |
u_int num_ports; |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
542 |
u_int ports_from_cmdline; |
5324
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
543 |
@@ -188,6 +192,12 @@ typedef struct { |
3946
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
544 |
u_int num_auth_methods; |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
545 |
char *auth_methods[MAX_AUTH_METHODS]; |
5324
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
546 |
|
3946
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
547 |
+#ifdef PAM_ENHANCEMENT |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
548 |
+ char *pam_service_prefix; |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
549 |
+ char *pam_service_name; |
4098
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
550 |
+ int pam_service_per_authmethod; |
3946
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
551 |
+#endif |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
552 |
+ |
5324
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
553 |
int fingerprint_hash; |
3946
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
554 |
} ServerOptions; |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
555 |
|
5324
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
556 |
diff -pur old/sshd.8 new/sshd.8 |
7946
165bf092aa9c
PSARC/2017/022 OpenSSH 7.4
Jan Parcel <jan.parcel@oracle.com>
parents:
5324
diff
changeset
|
557 |
--- old/sshd.8 |
165bf092aa9c
PSARC/2017/022 OpenSSH 7.4
Jan Parcel <jan.parcel@oracle.com>
parents:
5324
diff
changeset
|
558 |
+++ new/sshd.8 |
165bf092aa9c
PSARC/2017/022 OpenSSH 7.4
Jan Parcel <jan.parcel@oracle.com>
parents:
5324
diff
changeset
|
559 |
@@ -920,6 +920,33 @@ concurrently for different ports, this c |
3946
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
560 |
started last). |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
561 |
The content of this file is not sensitive; it can be world-readable. |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
562 |
.El |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
563 |
+ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
564 |
+.Sh SECURITY |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
565 |
+sshd uses pam(3PAM) for password and keyboard-interactive methods as well as |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
566 |
+for account management, session management, and the password management for all |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
567 |
+authentication methods. |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
568 |
+.Pp |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
569 |
+Each SSHv2 userauth type has its own PAM service name: |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
570 |
+ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
571 |
+.Bd -literal -offset 3n |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
572 |
+ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
573 |
+----------------------------------------------- |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
574 |
+| SSHv2 Userauth | PAM Service Name | |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
575 |
+----------------------------------------------- |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
576 |
+| none | sshd-none | |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
577 |
+----------------------------------------------- |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
578 |
+| password | sshd-password | |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
579 |
+----------------------------------------------- |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
580 |
+| keyboard-interactive | sshd-kbdint | |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
581 |
+----------------------------------------------- |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
582 |
+| pubkey | sshd-pubkey | |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
583 |
+----------------------------------------------- |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
584 |
+| hostbased | sshd-hostbased | |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
585 |
+----------------------------------------------- |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
586 |
+| gssapi-with-mic | sshd-gssapi | |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
587 |
+----------------------------------------------- |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
588 |
+.Ed |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
589 |
+ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
590 |
.Sh SEE ALSO |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
591 |
.Xr scp 1 , |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
592 |
.Xr sftp 1 , |
5324
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
593 |
diff -pur old/sshd_config.5 new/sshd_config.5 |
7946
165bf092aa9c
PSARC/2017/022 OpenSSH 7.4
Jan Parcel <jan.parcel@oracle.com>
parents:
5324
diff
changeset
|
594 |
--- old/sshd_config.5 |
165bf092aa9c
PSARC/2017/022 OpenSSH 7.4
Jan Parcel <jan.parcel@oracle.com>
parents:
5324
diff
changeset
|
595 |
+++ new/sshd_config.5 |
165bf092aa9c
PSARC/2017/022 OpenSSH 7.4
Jan Parcel <jan.parcel@oracle.com>
parents:
5324
diff
changeset
|
596 |
@@ -813,6 +813,21 @@ is set to |
165bf092aa9c
PSARC/2017/022 OpenSSH 7.4
Jan Parcel <jan.parcel@oracle.com>
parents:
5324
diff
changeset
|
597 |
.Cm yes ) . |
165bf092aa9c
PSARC/2017/022 OpenSSH 7.4
Jan Parcel <jan.parcel@oracle.com>
parents:
5324
diff
changeset
|
598 |
.It Cm KerberosAuthentication |
165bf092aa9c
PSARC/2017/022 OpenSSH 7.4
Jan Parcel <jan.parcel@oracle.com>
parents:
5324
diff
changeset
|
599 |
Specifies whether the password provided by the user for |
5324
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
600 |
+.It Cm PAMServiceName |
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
601 |
+Specifies the PAM service name for the PAM session. The PAMServiceName and |
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
602 |
+PAMServicePrefix options are mutually exclusive and if both set, sshd does not |
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
603 |
+start. If this option is set the service name is the same for all user |
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
604 |
+authentication methods. The option has no default value. See PAMServicePrefix |
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
605 |
+for more information. |
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
606 |
+.It Cm PAMServicePrefix |
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
607 |
+Specifies the PAM service name prefix for service names used for individual |
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
608 |
+user authentication methods. The default is sshd. The PAMServiceName and |
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
609 |
+PAMServicePrefix options are mutually exclusive and if both set, sshd does not |
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
610 |
+start. |
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
611 |
+.Pp |
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
612 |
+For example, if this option is set to admincli, the service name for the |
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
613 |
+keyboard-interactive authentication method is admincli-kbdint instead of the |
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
614 |
+default sshd-kbdint. |
7946
165bf092aa9c
PSARC/2017/022 OpenSSH 7.4
Jan Parcel <jan.parcel@oracle.com>
parents:
5324
diff
changeset
|
615 |
.Cm PasswordAuthentication |
165bf092aa9c
PSARC/2017/022 OpenSSH 7.4
Jan Parcel <jan.parcel@oracle.com>
parents:
5324
diff
changeset
|
616 |
will be validated through the Kerberos KDC. |
165bf092aa9c
PSARC/2017/022 OpenSSH 7.4
Jan Parcel <jan.parcel@oracle.com>
parents:
5324
diff
changeset
|
617 |
To use this option, the server needs a |
165bf092aa9c
PSARC/2017/022 OpenSSH 7.4
Jan Parcel <jan.parcel@oracle.com>
parents:
5324
diff
changeset
|
618 |
@@ -1472,8 +1487,7 @@ If |
5324
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
619 |
is enabled, you will not be able to run |
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
620 |
.Xr sshd 8 |
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
621 |
as a non-root user. |
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
622 |
-The default is |
7946
165bf092aa9c
PSARC/2017/022 OpenSSH 7.4
Jan Parcel <jan.parcel@oracle.com>
parents:
5324
diff
changeset
|
623 |
-.Cm no . |
165bf092aa9c
PSARC/2017/022 OpenSSH 7.4
Jan Parcel <jan.parcel@oracle.com>
parents:
5324
diff
changeset
|
624 |
++On Solaris, the option is always enabled. |
5324
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
625 |
.It Cm UsePrivilegeSeparation |
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
626 |
Specifies whether |
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4098
diff
changeset
|
627 |
.Xr sshd 8 |