| author | Tomas Kuthan <tomas.kuthan@oracle.com> |
| Wed, 11 Jan 2017 12:12:15 -0800 | |
| changeset 7562 | 2adf9e2cdc69 |
| parent 5612 | ece68a956e2f |
| permissions | -rw-r--r-- |
|
5612
ece68a956e2f
21937600 pam_set_data doesn't work in OpenSSH PAM implementation
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
1 |
# |
|
ece68a956e2f
21937600 pam_set_data doesn't work in OpenSSH PAM implementation
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
2 |
# Allow PAM conversation for pam_setcred for keyboard-interactive auth |
|
ece68a956e2f
21937600 pam_set_data doesn't work in OpenSSH PAM implementation
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
3 |
# |
|
ece68a956e2f
21937600 pam_set_data doesn't work in OpenSSH PAM implementation
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
4 |
# Currently OpenSSH runs pam_setcred with 'fake' conversation function |
|
ece68a956e2f
21937600 pam_set_data doesn't work in OpenSSH PAM implementation
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
5 |
# sshpam_store_conv. If some PAM module actually tries to converse for |
|
ece68a956e2f
21937600 pam_set_data doesn't work in OpenSSH PAM implementation
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
6 |
# pam_setcred, sshpam_store_conv fails with PAM_CONV_ERR. |
|
ece68a956e2f
21937600 pam_set_data doesn't work in OpenSSH PAM implementation
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
7 |
# |
|
ece68a956e2f
21937600 pam_set_data doesn't work in OpenSSH PAM implementation
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
8 |
# This patch moves calling pam_setcred to the end of actual PAM |
|
ece68a956e2f
21937600 pam_set_data doesn't work in OpenSSH PAM implementation
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
9 |
# authentication, where there still is a real conversation function |
|
ece68a956e2f
21937600 pam_set_data doesn't work in OpenSSH PAM implementation
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
10 |
# available. If pam_setcred was already called, doesn't call it the |
|
ece68a956e2f
21937600 pam_set_data doesn't work in OpenSSH PAM implementation
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
11 |
# second time in do_pam_setcred. |
|
ece68a956e2f
21937600 pam_set_data doesn't work in OpenSSH PAM implementation
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
12 |
# |
|
ece68a956e2f
21937600 pam_set_data doesn't work in OpenSSH PAM implementation
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
13 |
# Patch origin: in-house |
|
ece68a956e2f
21937600 pam_set_data doesn't work in OpenSSH PAM implementation
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
14 |
# |
|
ece68a956e2f
21937600 pam_set_data doesn't work in OpenSSH PAM implementation
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
15 |
# Reported upstream: |
|
ece68a956e2f
21937600 pam_set_data doesn't work in OpenSSH PAM implementation
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
16 |
# https://bugzilla.mindrot.org/show_bug.cgi?id=2549 |
|
ece68a956e2f
21937600 pam_set_data doesn't work in OpenSSH PAM implementation
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
17 |
# |
|
ece68a956e2f
21937600 pam_set_data doesn't work in OpenSSH PAM implementation
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
18 |
|
|
ece68a956e2f
21937600 pam_set_data doesn't work in OpenSSH PAM implementation
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
19 |
diff -pur old/auth-pam.c new/auth-pam.c |
|
ece68a956e2f
21937600 pam_set_data doesn't work in OpenSSH PAM implementation
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
20 |
--- old/auth-pam.c |
|
ece68a956e2f
21937600 pam_set_data doesn't work in OpenSSH PAM implementation
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
21 |
+++ new/auth-pam.c |
|
ece68a956e2f
21937600 pam_set_data doesn't work in OpenSSH PAM implementation
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
22 |
@@ -399,6 +399,10 @@ sshpam_thread(struct pam_ctxt *ctxt) |
|
ece68a956e2f
21937600 pam_set_data doesn't work in OpenSSH PAM implementation
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
23 |
goto auth_fail; |
|
ece68a956e2f
21937600 pam_set_data doesn't work in OpenSSH PAM implementation
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
24 |
sshpam_password_change_required(0); |
|
ece68a956e2f
21937600 pam_set_data doesn't work in OpenSSH PAM implementation
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
25 |
} |
|
ece68a956e2f
21937600 pam_set_data doesn't work in OpenSSH PAM implementation
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
26 |
+ sshpam_err = pam_setcred(sshpam_handle, PAM_ESTABLISH_CRED); |
|
ece68a956e2f
21937600 pam_set_data doesn't work in OpenSSH PAM implementation
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
27 |
+ if (sshpam_err != PAM_SUCCESS) |
|
ece68a956e2f
21937600 pam_set_data doesn't work in OpenSSH PAM implementation
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
28 |
+ goto auth_fail; |
|
ece68a956e2f
21937600 pam_set_data doesn't work in OpenSSH PAM implementation
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
29 |
+ |
|
ece68a956e2f
21937600 pam_set_data doesn't work in OpenSSH PAM implementation
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
30 |
} |
|
ece68a956e2f
21937600 pam_set_data doesn't work in OpenSSH PAM implementation
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
31 |
|
|
ece68a956e2f
21937600 pam_set_data doesn't work in OpenSSH PAM implementation
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
32 |
ctxt->pam_done = 1; |
|
ece68a956e2f
21937600 pam_set_data doesn't work in OpenSSH PAM implementation
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
33 |
@@ -968,6 +972,8 @@ do_pam_set_tty(const char *tty) |
|
ece68a956e2f
21937600 pam_set_data doesn't work in OpenSSH PAM implementation
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
34 |
void |
|
ece68a956e2f
21937600 pam_set_data doesn't work in OpenSSH PAM implementation
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
35 |
do_pam_setcred(int init) |
|
ece68a956e2f
21937600 pam_set_data doesn't work in OpenSSH PAM implementation
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
36 |
{
|
|
ece68a956e2f
21937600 pam_set_data doesn't work in OpenSSH PAM implementation
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
37 |
+ if (compat20 && (sshpam_authenticated == 1)) |
|
ece68a956e2f
21937600 pam_set_data doesn't work in OpenSSH PAM implementation
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
38 |
+ return; /* pam_setcred already done */ |
|
ece68a956e2f
21937600 pam_set_data doesn't work in OpenSSH PAM implementation
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
39 |
sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, |
|
ece68a956e2f
21937600 pam_set_data doesn't work in OpenSSH PAM implementation
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
40 |
(const void *)&store_conv); |
|
ece68a956e2f
21937600 pam_set_data doesn't work in OpenSSH PAM implementation
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
41 |
if (sshpam_err != PAM_SUCCESS) |