components/openssh/patches/016-pam_enhancement.patch
author Ivo Raisr <ivo.raisr@oracle.com>
Mon, 03 Aug 2015 15:31:47 -0700
branchs11-update
changeset 4752 3409fc90e641
parent 4098 19376bf84775
child 4503 bf30d46ab06e
child 5324 5683175b6e99
permissions -rw-r--r--
21509846 problem in UTILITY/OPENSSH
#
# This patch contains a couple of PAM enhancements:
#   1) Each SSHv2 userauth method has its own PAM service name so that PAM can
#      be used to control what userauth methods are allowed.
#   2) The PAMServiceName and PAMServicePrefix options.
# 
# We have contributed back this feature to the OpenSSH upstream community. 
# For more information, see https://bugzilla.mindrot.org/show_bug.cgi?id=2246
# In the future, if these enhancements are accepted by the upstream in a 
# later release, we will remove this patch when we upgrade to that release.
#
--- orig/auth-pam.c	Mon Jan 26 18:02:09 2015
+++ new/auth-pam.c	Mon Mar 30 15:24:11 2015
@@ -617,6 +617,72 @@
 	sshpam_handle = NULL;
 }
 
+#ifdef PAM_ENHANCEMENT
+char *
+derive_pam_service_name(Authctxt *authctxt)
+{
+	char *svcname = xmalloc(BUFSIZ);
+
+	/*
+	 * If PamServiceName is set we use that for everything, including
+	 * SSHv1
+	 */
+	if (options.pam_service_name != NULL) {
+		(void) strlcpy(svcname, options.pam_service_name, BUFSIZ);
+		return (svcname);
+	}
+
+	if (compat20) {
+		char *method_name = authctxt->authmethod_name;
+
+		if (!method_name)
+			fatal("Userauth method unknown while starting PAM");
+
+		/*
+		 * For SSHv2 we use "sshd-<userauth name>
+		 * The "sshd" prefix can be changed via the PAMServicePrefix
+		 * sshd_config option.
+		 */
+		if (strcmp(method_name, "none") == 0) {
+			snprintf(svcname, BUFSIZ, "%s-none",
+			    options.pam_service_prefix);
+		}
+		if (strcmp(method_name, "password") == 0) {
+			snprintf(svcname, BUFSIZ, "%s-password",
+			    options.pam_service_prefix);
+		}
+		if (strcmp(method_name, "keyboard-interactive") == 0) {
+			/* "keyboard-interactive" is too long, shorten it */
+			snprintf(svcname, BUFSIZ, "%s-kbdint",
+			    options.pam_service_prefix);
+		}
+		if (strcmp(method_name, "publickey") == 0) {
+			/* "publickey" is too long, shorten it */
+			snprintf(svcname, BUFSIZ, "%s-pubkey",
+			    options.pam_service_prefix);
+		}
+		if (strcmp(method_name, "hostbased") == 0) {
+			snprintf(svcname, BUFSIZ, "%s-hostbased",
+			    options.pam_service_prefix);
+		}
+		if (strncmp(method_name, "gssapi-", 7) == 0) {
+		        /*
+			 * Although OpenSSH only supports "gssapi-with-mic"
+			 * for now. We will still map any userauth method
+                         * prefixed with "gssapi-" to the gssapi PAM service.
+			 */ 
+			snprintf(svcname, BUFSIZ, "%s-gssapi",
+			    options.pam_service_prefix);
+		}
+		return svcname;
+	} else {
+		/* SSHv1 doesn't get to be so cool */
+	        snprintf(svcname, BUFSIZ, "sshd-v1");
+	}
+	return svcname;
+}
+#endif /* PAM_ENHANCEMENT */
+
 static int
 sshpam_init(Authctxt *authctxt)
 {
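Review bot: An SSHv2 method name that matches none of the strcmp/strncmp cases leaves svcname untouched, and because xmalloc() does not zero the buffer, derive_pam_service_name then returns uninitialized heap bytes that sshpam_init passes to pam_start() as the service name. The service name decides which PAM stack is consulted, so the mapping should fail closed: turn the cases into an if/else-if chain and finish with `else fatal("No PAM service mapping for userauth method %s", method_name);`. Truncation is also unchecked when PAMServicePrefix is long, so the strlcpy and each snprintf should be tested against BUFSIZ (`if (snprintf(...) >= BUFSIZ) fatal("PAM service name too long");`) rather than silently consulting a shortened service. The SSHv1 branch hardcodes `"sshd-v1"` and ignores options.pam_service_prefix, which contradicts the comment that the prefix is configurable; either honour the prefix there too or say in the comment that SSHv1 always uses the fixed name.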
@@ -624,18 +690,71 @@
 	const char *pam_rhost, *pam_user, *user = authctxt->user;
 	const char **ptr_pam_user = &pam_user;
 
+#ifdef PAM_ENHANCEMENT
+	const char *pam_service;
+        const char **ptr_pam_service = &pam_service;
+	char *svc = NULL;
+
+	svc = derive_pam_service_name(authctxt);
+        debug3("PAM service is %s", svc);
+#endif
+
 	if (sshpam_handle != NULL) {
+#ifdef PAM_ENHANCEMENT
+	        /* get the pam service name */
+		sshpam_err = pam_get_item(sshpam_handle,
+		    PAM_SERVICE, (sshpam_const void **)ptr_pam_service);
+                if (sshpam_err != PAM_SUCCESS) 
+		    fatal("Failed to get the PAM service name");
+		debug3("Previous pam_service is %s", pam_service ?
+                    pam_service : "NULL");
+
+		/* get the pam user name */
+		sshpam_err = pam_get_item(sshpam_handle,
+		    PAM_USER, (sshpam_const void **)ptr_pam_user);
+
+		/*
+		 * only need to re-start if either user or service is 
+                 * different.
+                 */
+		if (sshpam_err == PAM_SUCCESS && strcmp(user, pam_user) == 0
+		    && strncmp(svc, pam_service, strlen(svc)) == 0) {
+		        free(svc);
+			return (0);
+                }
+
+		/*
+		 * Clean up previous PAM state.  No need to clean up session 
+		 * and creds.
+		 */
+                sshpam_authenticated = 0;
+                sshpam_account_status = -1;
+
+		sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, NULL);
+         	if (sshpam_err != PAM_SUCCESS)
+		        debug3("Cannot remove PAM conv"); /* a warning only */
+#else /* Original */
 		/* We already have a PAM context; check if the user matches */
 		sshpam_err = pam_get_item(sshpam_handle,
 		    PAM_USER, (sshpam_const void **)ptr_pam_user);
 		if (sshpam_err == PAM_SUCCESS && strcmp(user, pam_user) == 0)
 			return (0);
+#endif /* PAM_ENHANCEMENT */
 		pam_end(sshpam_handle, sshpam_err);
 		sshpam_handle = NULL;
 	}
 	debug("PAM: initializing for \"%s\"", user);
+
+#ifdef PAM_ENHANCEMENT
+        debug3("Starting PAM service %s for user %s method %s", svc, user,
+            authctxt->authmethod_name);
 	sshpam_err =
+	    pam_start(svc, user, &store_conv, &sshpam_handle);
+	free(svc);
+#else /* Original */
+	sshpam_err =
 	    pam_start(SSHD_PAM_SERVICE, user, &store_conv, &sshpam_handle);
+#endif
 	sshpam_authctxt = authctxt;
 
 	if (sshpam_err != PAM_SUCCESS) {
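Review bot: The reuse test `strncmp(svc, pam_service, strlen(svc)) == 0` is a prefix comparison and dereferences pam_service even though the debug3 two lines above admits it may be NULL (pam_get_item can return PAM_SUCCESS with a NULL item). A previous context is kept — together with its sshpam_authenticated and sshpam_account_status state — whenever the newly derived name is merely a prefix of the old one; with the fixed suffixes derive_pam_service_name produces that cannot happen today, but the check should be exact and NULL-safe: `&& pam_service != NULL && strcmp(svc, pam_service) == 0) {`. The PAM_USER lookup is already guarded by sshpam_err == PAM_SUCCESS before pam_user is dereferenced, so the service comparison should follow the same pattern. sshpam_init continues past the end of this hunk.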
--- orig/auth.h	Mon Jan 26 18:02:11 2015
+++ new/auth.h	Mon Jan 26 18:02:11 2015
@@ -76,6 +76,9 @@
 #endif
 	Buffer		*loginmsg;
 	void		*methoddata;
+#ifdef PAM_ENHANCEMENT
+        char            *authmethod_name;
+#endif 
 };
 /*
  * Every authentication method has to handle authentication requests for
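Review bot: The new authmethod_name member carries no comment, so nothing in the header says who owns the string or what it is for. In this patch auth2.c xstrdup()s it for every userauth attempt and frees the previous value before reassigning, and auth-pam.c reads it to choose the PAM service, so a one-line comment would settle that: `char *authmethod_name; /* SSHv2 userauth method being tried; xstrdup'd per attempt, selects the PAM service */`. Whether it is released when the Authctxt itself is torn down is not visible here and is worth confirming. The line is also space-indented while its neighbours use tabs.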
--- orig/auth2.c	Mon Jan 26 18:02:10 2015
+++ new/auth2.c	Tue Mar 31 15:19:10 2015
@@ -249,10 +249,21 @@
 			PRIVSEP(audit_event(SSH_INVALID_USER));
 #endif
 		}
+
+
 #ifdef USE_PAM
+#ifdef PAM_ENHANCEMENT
+		/*
+		 * Start PAM here and once only, if each userauth does not
+		 * has its own PAM service.
+		 */
+	        if (options.use_pam && !options.pam_service_per_authmethod)
+			PRIVSEP(start_pam(authctxt));
+#else
 		if (options.use_pam)
 			PRIVSEP(start_pam(authctxt));
 #endif
+#endif
 		setproctitle("%s%s", authctxt->valid ? user : "unknown",
 		    use_privsep ? " [net]" : "");
 		authctxt->service = xstrdup(service);
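Review bot: The one-time PRIVSEP(start_pam(authctxt)) on the PAM_ENHANCEMENT branch runs before any userauth request has been parsed, so authctxt->authmethod_name is still NULL at that point; derive_pam_service_name in auth-pam.c fatal()s on a NULL method name under compat20 unless PamServiceName is set, so this path only works if the option parser guarantees options.pam_service_name is non-NULL whenever pam_service_per_authmethod is off — that guarantee is not visible in this patch and should be confirmed. If it holds, state it at the call site, e.g. `/* !pam_service_per_authmethod implies PamServiceName is set, so no method name is needed yet */`; if not, the derivation needs a non-per-method fallback. The comment text `does not has its own PAM service` should read `does not have its own PAM service`. The pre-existing `#endif` now closes the `#else` branch while the added `#endif` closes USE_PAM, which is correct but easy to misread; labelling them `#endif /* PAM_ENHANCEMENT */` and `#endif /* USE_PAM */` would help.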
@@ -286,6 +297,18 @@
   196
 	/* try to authenticate user */
   197
 	m = authmethod_lookup(authctxt, method);
   198
 	if (m != NULL && authctxt->failures < options.max_authtries) {
   199
+
   200
+#if defined(USE_PAM) && defined(PAM_ENHANCEMENT)
   201
+		/* start PAM service for each userauth */
   202
+                if (options.use_pam && options.pam_service_per_authmethod) {
   203
+       		        if (authctxt->authmethod_name != NULL)
   204
+		                free(authctxt->authmethod_name);
   205
+                        authctxt->authmethod_name = xstrdup(method);
   206
+                        if (use_privsep)
   207
+                                mm_inform_authmethod(method);
   208
+		        PRIVSEP(start_pam(authctxt));
   209
+		}
   210
+#endif
   211
 		debug2("input_userauth_request: try method %s", method);
   212
 		authenticated =	m->userauth(authctxt);
   213
 	}
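Review bot: The NULL guard in front of `free(authctxt->authmethod_name)` is redundant (free(NULL) is a no-op) and the added block mixes spaces and tabs against the file's tab indentation, so the pair reads better as `free(authctxt->authmethod_name);` followed by `authctxt->authmethod_name = xstrdup(method);` indented like the enclosing `if`. Because the block only runs after authmethod_lookup() returned non-NULL, `method` is one of the server's own method names rather than an arbitrary client string; since the patch header says each method gets its own PAM service name, that is worth recording next to the xstrdup: `/* method matched a server authmethod, so it is safe to use in a PAM service name */`. The enclosing function starts and ends outside the hunk.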
   214
@@ -303,6 +326,10 @@
   215
 	char *methods;
   216
 	int partial = 0;
   217
 
   218
+#ifdef  PAM_ENHANCEMENT
   219
+        debug3("%s: entering", __func__);
   220
+#endif
   221
+
   222
 	if (!authctxt->valid && authenticated)
   223
 		fatal("INTERNAL ERROR: authenticated invalid user %s",
   224
 		    authctxt->user);
   225
@@ -319,6 +346,25 @@
   226
 	}
   227
 
   228
 	if (authenticated && options.num_auth_methods != 0) {
   229
+
   230
+#if defined(USE_PAM) && defined(PAM_ENHANCEMENT)
   231
+                /*
   232
+                 * If each userauth has its own PAM service, then PAM need to 
   233
+                 * perform account check for this service.
   234
+                 */
   235
+                if (options.use_pam && options.pam_service_per_authmethod &&
   236
+                    !PRIVSEP(do_pam_account())) {
   237
+                        /* if PAM returned a message, send it to the user */
   238
+                        if (buffer_len(&loginmsg) > 0) {
   239
+                                buffer_append(&loginmsg, "\0", 1);
   240
+                                userauth_send_banner(buffer_ptr(&loginmsg));
   241
+                                packet_write_wait();
   242
+                        }
   243
+
   244
+                        fatal("Access denied for user %s by PAM account "
   245
+                            "configuration", authctxt->user);
   246
+                }
   247
+#endif
   248
 		if (!auth2_update_methods_lists(authctxt, method, submethod)) {
   249
 			authenticated = 0;
   250
 			partial = 1;
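Review bot: The denial handling added here (`if (buffer_len(&loginmsg) > 0) { … }` followed by `fatal("Access denied for user %s by PAM account " "configuration", …)`) is a copy of the existing USE_PAM block later in the same function (visible in the `@@ -332,7 +378,20 @@` hunk), so a small static helper would keep the banner, flush and fatal sequence in one place and stop the two copies drifting. The new check also runs after every partially successful method when AuthenticationMethods is configured, so an account denial aborts the connection mid-sequence; that looks intended but deserves a one-line comment. The added lines are indented with spaces where the surrounding code uses tabs. The enclosing function starts and ends outside the hunk.

```c
/* Report a PAM account-check failure to the client and terminate. */
static void
pam_account_denied(Authctxt *authctxt)
{
	/* if PAM returned a message, send it to the user */
	if (buffer_len(&loginmsg) > 0) {
		buffer_append(&loginmsg, "\0", 1);
		userauth_send_banner(buffer_ptr(&loginmsg));
		packet_write_wait();
	}
	fatal("Access denied for user %s by PAM account "
	    "configuration", authctxt->user);
}

/* … unchanged: userauth_finish() up to the num_auth_methods block … */
		if (options.use_pam && options.pam_service_per_authmethod &&
		    !PRIVSEP(do_pam_account()))
			pam_account_denied(authctxt);
```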
   251
@@ -332,7 +378,20 @@
   252
 		return;
   253
 
   254
 #ifdef USE_PAM
   255
+
   256
+#ifdef PAM_ENHANCEMENT
   257
+        /*
   258
+         * PAM needs to perform account checks after auth. However, if each
   259
+         * userauth has its own PAM service and options.num_auth_methods != 0,
   260
+         * then no need to perform account checking, because it was done 
   261
+         * already.
   262
+         */
   263
+        if (options.use_pam && authenticated && 
   264
+            !(options.num_auth_methods != 0 &&
   265
+            options.pam_service_per_authmethod)){
   266
+#else
   267
 	if (options.use_pam && authenticated) {
   268
+#endif
   269
 		if (!PRIVSEP(do_pam_account())) {
   270
 			/* if PAM returned a message, send it to the user */
   271
 			if (buffer_len(&loginmsg) > 0) {
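Review bot: The `#ifdef PAM_ENHANCEMENT`/`#else` split places two different `if` headers in front of one shared `{` body, and the new header ends in `)){` with trailing whitespace on the `authenticated && ` and `because it was done ` lines; `)) {` and trimmed whitespace would match the file's style. A sturdier shape is to decide once before the preprocessor block — `int need_account = options.use_pam && authenticated;`, cleared under PAM_ENHANCEMENT when `options.num_auth_methods != 0 && options.pam_service_per_authmethod` — so a single `if (need_account) {` opens the body in both builds and the brace pairing is visible without reading both branches. The comment should also point at the check it relies on, e.g. `/* already done per method in the num_auth_methods block above */`. The enclosing function starts and ends outside the hunk.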
   272
@@ -623,5 +682,3 @@
   273
 		fatal("%s: method not in AuthenticationMethods", __func__);
   274
 	return 0;
   275
 }
   276
-
   277
-
   278
--- orig/monitor_wrap.c	Mon Jan 26 18:02:09 2015
   279
+++ new/monitor_wrap.c	Mon Jan 26 18:02:11 2015
   280
@@ -338,6 +338,24 @@
   281
 	buffer_free(&m);
   282
 }
   283
 
   284
+#ifdef PAM_ENHANCEMENT
   285
+/* Inform the privileged process about the authentication method */
   286
+void
   287
+mm_inform_authmethod(char *authmethod)
   288
+{
   289
+	Buffer m;
   290
+
   291
+	debug3("%s entering", __func__);
   292
+
   293
+	buffer_init(&m);
   294
+	buffer_put_cstring(&m, authmethod);
   295
+
   296
+	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHMETHOD, &m);
   297
+
   298
+	buffer_free(&m);
   299
+}
   300
+#endif
   301
+
   302
 /* Do the password authentication */
   303
 int
   304
 mm_auth_password(Authctxt *authctxt, char *password)
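Review bot: `mm_inform_authmethod(char *authmethod)` only hands its argument to buffer_put_cstring(), so the parameter should be `const char *authmethod`; that documents that the name is not modified and lets callers pass the parser's `method` pointer or a literal without a cast. The trace message `"%s entering"` also differs from the `"%s: entering"` form this patch adds elsewhere; `debug3("%s: entering", __func__);` keeps the log lines uniform and greppable. The wrapper sends MONITOR_REQ_AUTHMETHOD and returns without reading a reply, which the mm_ wrappers in this file typically do, so a comment such as `/* one-way request: no reply is expected from the monitor */` would stop the next reader from hunting for a missing mm_request_receive_expect().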
   305
--- orig/monitor.c	Mon Jan 26 18:02:10 2015
   306
+++ new/monitor.c	Tue Mar 31 16:10:50 2015
   307
@@ -146,6 +146,9 @@
   308
 int mm_answer_pwnamallow(int, Buffer *);
   309
 int mm_answer_auth2_read_banner(int, Buffer *);
   310
 int mm_answer_authserv(int, Buffer *);
   311
+#ifdef PAM_ENHANCEMENT
   312
+int mm_answer_authmethod(int, Buffer *);
   313
+#endif
   314
 int mm_answer_authpassword(int, Buffer *);
   315
 int mm_answer_bsdauthquery(int, Buffer *);
   316
 int mm_answer_bsdauthrespond(int, Buffer *);
   317
@@ -225,10 +228,17 @@
   318
     {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
   319
     {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
   320
     {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
   321
+#ifdef PAM_ENHANCEMENT
   322
+    {MONITOR_REQ_AUTHMETHOD, MON_ISAUTH, mm_answer_authmethod},
   323
+#endif
   324
     {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
   325
     {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
   326
 #ifdef USE_PAM
   327
+#ifdef PAM_ENHANCEMENT
   328
+    {MONITOR_REQ_PAM_START, MON_ISAUTH, mm_answer_pam_start},
   329
+#else
   330
     {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start},
   331
+#endif
   332
     {MONITOR_REQ_PAM_ACCOUNT, 0, mm_answer_pam_account},
   333
     {MONITOR_REQ_PAM_INIT_CTX, MON_ISAUTH, mm_answer_pam_init_ctx},
   334
     {MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query},
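Review bot: Under PAM_ENHANCEMENT the `MONITOR_REQ_PAM_START` entry drops `MON_ONCE` in favour of `MON_ISAUTH`, and the new `MONITOR_REQ_AUTHMETHOD` entry is likewise admitted as `MON_ISAUTH` without `MON_ONCE`, so the unprivileged pre-auth child may now issue both requests repeatedly. That widens what a compromised network child can ask the privileged monitor to do: mm_answer_pam_start must release any PAM handle from the previous userauth attempt before starting a new one, and mm_answer_authmethod should accept only names from the server's own method table, otherwise repeated requests can leak PAM state or select a service name the administrator did not intend. Neither handler is visible in this hunk, so this is a point to confirm rather than a defect observed; a comment on the two table entries, e.g. `/* repeatable: one PAM context per userauth attempt; the handler must tear down the previous one */`, would record the invariant the table now depends on.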
   335
@@ -391,6 +401,24 @@
   336
 			if (!compat20)
   337
 				fatal("AuthenticationMethods is not supported"
   338
 				    "with SSH protocol 1");
   339
+
   340
+#if defined(USE_PAM) && defined(PAM_ENHANCEMENT)
   341
+                        /* 
   342
+                         * If each userauth has its own PAM service, then PAM
   343
+                         * need to perform account check for this service.
   344
+                         */
   345
+                        if (options.use_pam && authenticated &&
   346
+                            options.pam_service_per_authmethod) {
   347
+                                Buffer m;
   348
+
   349
+                                buffer_init(&m);
   350
+                                mm_request_receive_expect(pmonitor->m_sendfd,
   351
+                                    MONITOR_REQ_PAM_ACCOUNT, &m);
   352
+                                authenticated = 
   353
+                                    mm_answer_pam_account(pmonitor->m_sendfd, &m);
   354
+                                buffer_free(&m);
   355
+                         }
   356
+#endif
   357
 			if (authenticated &&
   358
 			    !auth2_update_methods_lists(authctxt,
   359
 			    auth_method, auth_submethod)) {
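Review bot: The synchronous `mm_request_receive_expect(pmonitor->m_sendfd, MONITOR_REQ_PAM_ACCOUNT, &m)` placed inside the dispatch loop hard-codes a protocol ordering with the unprivileged side — after a successful method with pam_service_per_authmethod set, the child must send PAM_ACCOUNT next (the auth2.c `@@ -319,6 +346,25 @@` hunk does so) and any other message here is fatal — yet the comment only restates that PAM performs an account check. Naming the peer makes the coupling maintainable: `/* Peer: userauth_finish() sends PAM_ACCOUNT immediately after a successful method when pam_service_per_authmethod is set. */`. `authenticated = mm_answer_pam_account(pmonitor->m_sendfd, &m);` presumably relies on the handler returning the do_pam_account() result rather than a dispatch status; a short comment would pin that assumption. The closing ` }` is one column off from its `if`, and the block is space-indented where the file uses tabs. The enclosing function starts and ends outside the hunk.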
   360
@@ -409,8 +437,21 @@
   361
 			    !auth_root_allowed(auth_method))
   362
 				authenticated = 0;
   363
 #ifdef USE_PAM
   364
+#ifdef PAM_ENHANCEMENT
   365
+                        /*
   366
+                         * PAM needs to perform account checks after auth.
   367
+                         * However, if each userauth has its own PAM service
   368
+                         * and options.num_auth_methods != 0, then no need to
   369
+                         * perform account checking, because it was done 
   370
+                         * already.
   371
+                         */
   372
+                        if (options.use_pam && authenticated &&
   373
+                            !(options.num_auth_methods != 0 &&
   374
+                            options.pam_service_per_authmethod)) {
   375
+#else
   376
 			/* PAM needs to perform account checks after auth */
   377
 			if (options.use_pam && authenticated) {
   378
+#endif
   379
 				Buffer m;
   380
 
   381
 				buffer_init(&m);
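Review bot: The `#ifdef PAM_ENHANCEMENT` and `#else` arms each open the `if (...) {` whose closing brace lies outside this hunk, so the statement's head and body sit in different preprocessor branches and the base condition is written twice. Declaring `int skip_pam_account = 0;` before the `if`, setting it under `#ifdef PAM_ENHANCEMENT` from `options.num_auth_methods != 0 && options.pam_service_per_authmethod`, and keeping a single `if (options.use_pam && authenticated && !skip_pam_account) {` removes the duplicated head. The comment's statement that account checking "was done already" rests on the per-method path in the earlier hunk, which is cut off above; naming that path in the comment would let a reader verify the claim. The added lines are space-indented while the surrounding code uses tabs. The enclosing function begins and ends outside the hunk.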
   382
@@ -828,6 +869,10 @@
   383
 		/* Allow service/style information on the auth context */
   384
 		monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
   385
 		monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
   386
+#ifdef PAM_ENHANCEMENT
   387
+                /* Allow authmethod information on the auth context */
   388
+		monitor_permit(mon_dispatch, MONITOR_REQ_AUTHMETHOD, 1);
   389
+#endif
   390
 	}
   391
 #ifdef USE_PAM
   392
 	if (options.use_pam)
   393
@@ -868,7 +913,25 @@
   394
 	return (0);
   395
 }
   396
 
   397
+#ifdef PAM_ENHANCEMENT
   398
 int
   399
+mm_answer_authmethod(int sock, Buffer *m)
   400
+{
   401
+	monitor_permit_authentications(1);
   402
+
   403
+	authctxt->authmethod_name = buffer_get_string(m, NULL);
   404
+	debug3("%s: authmethod_name=%s", __func__, authctxt->authmethod_name);
   405
+
   406
+	if (strlen(authctxt->authmethod_name) == 0) {
   407
+		free(authctxt->authmethod_name);
   408
+		authctxt->authmethod_name = NULL;
   409
+	}
   410
+
   411
+	return (0);
   412
+}
   413
+#endif
   414
+
   415
+int
   416
 mm_answer_authpassword(int sock, Buffer *m)
   417
 {
   418
 	static int call_count;
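Review bot: `mm_answer_authmethod` assigns `authctxt->authmethod_name = buffer_get_string(m, NULL);` without releasing any previous value, so if MONITOR_REQ_AUTHMETHOD can arrive more than once per session (once per userauth attempt, for instance) every request after the first leaks the earlier string. Adding `free(authctxt->authmethod_name);` before the assignment is safe provided the field starts out NULL — confirm where authctxt is initialised, which is outside the hunk. The function also has no header comment; `/* Record the userauth method name sent by the unprivileged child; an empty name means "no method-specific PAM service". */` would state the contract the empty-string branch implements. `strlen(authctxt->authmethod_name) == 0` can be written as `*authctxt->authmethod_name == '\0'` since the string is NUL-terminated.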
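--- a/monitor.h
+++ b/monitor.h
@@ -70,6 +70,9 @@
 	MONITOR_REQ_PAM_FREE_CTX = 110, MONITOR_ANS_PAM_FREE_CTX = 111,
 	MONITOR_REQ_AUDIT_EVENT = 112, MONITOR_REQ_AUDIT_COMMAND = 113,
 
+#ifdef PAM_ENHANCEMENT
+        MONITOR_REQ_AUTHMETHOD = 114,
+#endif        
 };
 
 struct mm_master;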
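Review bot: `MONITOR_REQ_AUTHMETHOD = 114` is added without a matching `MONITOR_ANS_AUTHMETHOD`, unlike the REQ/ANS pairs just above it; since the handler in monitor.c returns without sending a reply this looks intentional, but a comment such as `/* one-way request: the monitor sends no answer */` would keep a later reader from adding one. The new enumerator is space-indented and the `#endif` carries trailing whitespace, where the rest of the enum uses tabs.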
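--- a/servconf.c
+++ b/servconf.c
@@ -154,6 +154,18 @@
 	options->ip_qos_interactive = -1;
 	options->ip_qos_bulk = -1;
 	options->version_addendum = NULL;
+#ifdef PAM_ENHANCEMENT
+	options->pam_service_name = NULL;
+	options->pam_service_prefix = NULL;
+
+	/* 
+	 * Each user method will have its own PAM service by default.
+	 * However, if PAMServiceName is specified or the protocal version
+	 * is not compat20, then there will be only one PAM service for the
+	 * entire user authentication.
+	 */
+        options->pam_service_per_authmethod = 1;
+#endif
 }
 
 void
@@ -303,6 +315,12 @@
 		options->ip_qos_bulk = IPTOS_THROUGHPUT;
 	if (options->version_addendum == NULL)
 		options->version_addendum = xstrdup("");
+
+#ifdef PAM_ENHANCEMENT
+        if (options->pam_service_prefix == NULL)
+                options->pam_service_prefix = _SSH_PAM_SERVICE_PREFIX;
+#endif
+
 	/* Turn privilege separation on by default */
 	if (use_privsep == -1)
 		use_privsep = PRIVSEP_NOSANDBOX;
@@ -351,6 +369,9 @@
 	sKexAlgorithms, sIPQoS, sVersionAddendum,
 	sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
 	sAuthenticationMethods, sHostKeyAgent,
+#ifdef PAM_ENHANCEMENT
+	sPAMServicePrefix, sPAMServiceName,
+#endif
 	sDeprecated, sUnsupported
 } ServerOpCodes;
 
@@ -482,6 +503,10 @@
 	{ "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
 	{ "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
 	{ "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },
+#ifdef PAM_ENHANCEMENT
+        { "pamserviceprefix", sPAMServicePrefix, SSHCFG_GLOBAL },
+        { "pamservicename", sPAMServiceName, SSHCFG_GLOBAL },
+#endif
 	{ NULL, sBadOption, 0 }
 };
 
@@ -1632,6 +1657,37 @@
 		}
 		return 0;
 
+	case sPAMServicePrefix:
+		arg = strdelim(&cp);
+		if (!arg || *arg == '\0')
+			fatal("%s line %d: Missing argument.",
+			    filename, linenum);
+		if (options->pam_service_name != NULL)
+			fatal("%s line %d: PAMServiceName and PAMServicePrefix"
+			    " are mutually exclusive.", filename, linenum);
+		if (options->pam_service_prefix == NULL)
+			options->pam_service_prefix = xstrdup(arg);
+		break;
+
+	case sPAMServiceName:
+		arg = strdelim(&cp);
+		if (!arg || *arg == '\0')
+			fatal("%s line %d: Missing argument.",
+			    filename, linenum);
+		if (options->pam_service_prefix != NULL)
+			fatal("%s line %d: PAMServiceName and PAMServicePrefix"
+			    " are mutually exclusive.", filename, linenum);
+		if (options->pam_service_name == NULL) {
+			options->pam_service_name = xstrdup(arg);
+
+			/*
+			 * When this option is specified, we will not have
+			 * PAM service for each auth method.
+                         */
+			options->pam_service_per_authmethod = 0;
+		}
+		break;
+
 	case sDeprecated:
 		logit("%s line %d: Deprecated option %s",
 		    filename, linenum, arg);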
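Review bot: The `case sPAMServicePrefix:` and `case sPAMServiceName:` labels in the last hunk are not wrapped in `#ifdef PAM_ENHANCEMENT`, although the enumerators they use are declared only under that macro in the `ServerOpCodes` hunk, so a build without PAM_ENHANCEMENT fails to compile servconf.c; wrap the two cases in `#ifdef PAM_ENHANCEMENT` … `#endif` as the other hunks do. In the defaults hunk `options->pam_service_prefix = _SSH_PAM_SERVICE_PREFIX;` stores a string literal in a field that the config path fills with `xstrdup(arg)`, so the field mixes static and heap storage; `xstrdup(_SSH_PAM_SERVICE_PREFIX)` would make ownership uniform if the field is ever freed — worth checking the callers. The first hunk's comment has "protocal" for "protocol", and `options->pam_service_per_authmethod = 1;` plus the two default-prefix lines are space-indented inside tab-indented code. The `process_server_config_line` switch these cases belong to begins and ends outside the hunk.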
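--- a/servconf.h
+++ b/servconf.h
@@ -54,6 +54,10 @@
 /* Magic name for internal sftp-server */
 #define INTERNAL_SFTP_NAME	"internal-sftp"
 
+#ifdef PAM_ENHANCEMENT
+#define _SSH_PAM_SERVICE_PREFIX "sshd"
+#endif
+
 typedef struct {
 	u_int	num_ports;
 	u_int	ports_from_cmdline;
@@ -185,6 +189,13 @@
 
 	u_int	num_auth_methods;
 	char   *auth_methods[MAX_AUTH_METHODS];
+
+#ifdef PAM_ENHANCEMENT
+	char   *pam_service_prefix;
+	char   *pam_service_name;
+	int	pam_service_per_authmethod;
+#endif
+        
 }       ServerOptions;
 
 /* Information about the incoming connection as used by Match */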
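Review bot: `_SSH_PAM_SERVICE_PREFIX` begins with an underscore followed by an uppercase letter, a name the C standard reserves for the implementation; `SSH_PAM_SERVICE_PREFIX` avoids the collision risk, with the single use in servconf.c renamed to match. The three new `ServerOptions` fields carry no comments; `/* PAMServicePrefix; defaults to "sshd" */`, `/* PAMServiceName; mutually exclusive with the prefix */` and `/* nonzero: one PAM service per userauth method; cleared when PAMServiceName is set */` would document the contract servconf.c enforces. The added line after `#endif` is whitespace-only and can be dropped.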
   551
--- orig/sshd_config.5	Mon Jan 26 18:02:10 2015
   552
+++ new/sshd_config.5	Mon Jan 26 18:03:45 2015
   553
@@ -868,6 +868,21 @@
b1e0e68de63b PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff changeset
   554
 are refused if the number of unauthenticated connections reaches
b1e0e68de63b PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff changeset
   555
 .Dq full
b1e0e68de63b PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff changeset
   556
 (60).
b1e0e68de63b PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff changeset
   557
+.It Cm PAMServiceName
b1e0e68de63b PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff changeset
   558
+Specifies the PAM service name for the PAM session. The PAMServiceName and 
b1e0e68de63b PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff changeset
   559
+PAMServicePrefix options are mutually exclusive and if both set, sshd does not
b1e0e68de63b PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff changeset
   560
+start. If this option is set the service name is the same for all user 
b1e0e68de63b PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff changeset
   561
+authentication methods. The option has no default value. See PAMServicePrefix 
b1e0e68de63b PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff changeset
   562
+for more information.
b1e0e68de63b PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff changeset
   563
+.It Cm PAMServicePrefix
b1e0e68de63b PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff changeset
   564
+Specifies the PAM service name prefix for service names used for individual 
b1e0e68de63b PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff changeset
   565
+user authentication methods. The default is sshd. The PAMServiceName and 
b1e0e68de63b PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff changeset
   566
+PAMServicePrefix options are mutually exclusive and if both set, sshd does not 
b1e0e68de63b PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff changeset
   567
+start.
b1e0e68de63b PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff changeset
   568
+.Pp
b1e0e68de63b PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff changeset
   569
+For example, if this option is set to admincli, the service name for the 
b1e0e68de63b PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff changeset
   570
+keyboard-interactive authentication method is admincli-kbdint instead of the 
b1e0e68de63b PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff changeset
   571
+default sshd-kbdint.
b1e0e68de63b PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff changeset
   572
 .It Cm PasswordAuthentication
b1e0e68de63b PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff changeset
   573
 Specifies whether password authentication is allowed.
b1e0e68de63b PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff changeset
   574
 The default is
4098
19376bf84775 20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents: 3946
diff changeset
   575
@@ -1203,8 +1218,7 @@
19376bf84775 20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents: 3946
diff changeset
   576
 is enabled, you will not be able to run
19376bf84775 20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents: 3946
diff changeset
   577
 .Xr sshd 8
19376bf84775 20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents: 3946
diff changeset
   578
 as a non-root user.
19376bf84775 20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents: 3946
diff changeset
   579
-The default is
19376bf84775 20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents: 3946
diff changeset
   580
-.Dq no .
19376bf84775 20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents: 3946
diff changeset
   581
+On Solaris, the option is always enabled.
19376bf84775 20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents: 3946
diff changeset
   582
 .It Cm UsePrivilegeSeparation
19376bf84775 20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents: 3946
diff changeset
   583
 Specifies whether
19376bf84775 20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents: 3946
diff changeset
   584
 .Xr sshd 8
19376bf84775 20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents: 3946
diff changeset
   585
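--- a/sshd.8
+++ b/sshd.8
@@ -951,6 +951,33 @@
 started last).
 The content of this file is not sensitive; it can be world-readable.
 .El
+
+.Sh SECURITY
+sshd uses pam(3PAM) for password and keyboard-interactive methods as well as 
+for account management, session management, and the password management for all
+authentication methods.
+.Pp
+Each SSHv2 userauth type has its own PAM service name:
+
+.Bd -literal -offset 3n
+
+-----------------------------------------------
+| SSHv2 Userauth       | PAM Service Name     |
+-----------------------------------------------
+| none                 | sshd-none            |
+-----------------------------------------------
+| password             | sshd-password        |
+-----------------------------------------------
+| keyboard-interactive | sshd-kbdint          |
+-----------------------------------------------
+| pubkey               | sshd-pubkey          |
+-----------------------------------------------
+| hostbased            | sshd-hostbased       |
+-----------------------------------------------
+| gssapi-with-mic      | sshd-gssapi          |
+-----------------------------------------------
+.Ed
+
 .Sh SEE ALSO
 .Xr scp 1 ,
 .Xr sftp 1 ,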
--- orig/sshd.c	Tue Mar 31 18:12:33 2015
+++ new/sshd.c	Tue Mar 31 18:42:28 2015
@@ -2065,6 +2065,11 @@
 
 	sshd_exchange_identification(sock_in, sock_out);
 
+#ifdef PAM_ENHANCEMENT
+	if (!compat20)
+	        options.pam_service_per_authmethod = 0;
+#endif
+
 	/* In inetd mode, generate ephemeral key only for proto 1 connections */
 	if (!compat20 && inetd_flag && sensitive_data.server_key == NULL)
 		generate_ephemeral_server_key();
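Review bot: The body of the new `if (!compat20)` is indented with a tab followed by eight spaces (`options.pam_service_per_authmethod = 0;`), whereas every neighbouring sshd.c line in the hunk indents with tabs only; it should be two tabs. Disabling the per-authmethod PAM service names for a protocol-1 connection also happens silently, so an administrator who configured PAMServicePrefix will see the plain service name used with no hint why; a `debug("PAM service per authmethod disabled for protocol 1");` next to the assignment would make that visible in the server log. A short comment above the `#ifdef`, stating that per-userauth PAM service names only exist for SSHv2 so the flag is forced off once the protocol version is known, would also help the next reader. The enclosing function starts before this hunk and continues past it.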