author | Ivo Raisr <ivo.raisr@oracle.com> |
Mon, 03 Aug 2015 15:31:47 -0700 | |
branch | s11-update |
changeset 4752 | 3409fc90e641 |
parent 4098 | 19376bf84775 |
child 4503 | bf30d46ab06e |
child 5324 | 5683175b6e99 |
permissions | -rw-r--r-- |
3946
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
1 |
# |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
2 |
# This patch contains a couple of PAM enhancements: |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
3 |
# 1) Each SSHv2 userauth method has its own PAM service name so that PAM can |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
4 |
# be used to control what userauth methods are allowed. |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
5 |
# 2) The PAMServiceName and PAMServicePrefix options. |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
6 |
# |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
7 |
# We have contributed back this feature to the OpenSSH upstream community. |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
8 |
# For more information, see https://bugzilla.mindrot.org/show_bug.cgi?id=2246 |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
9 |
# In the future, if these enhancements are accepted by the upsteam in a |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
10 |
# later release, we will remove this patch when we upgrade to that release. |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
11 |
# |
4098
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
12 |
--- orig/auth-pam.c Mon Jan 26 18:02:09 2015 |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
13 |
+++ new/auth-pam.c Mon Mar 30 15:24:11 2015 |
3946
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
14 |
@@ -617,6 +617,72 @@ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
15 |
sshpam_handle = NULL; |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
16 |
} |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
17 |
|
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
18 |
+#ifdef PAM_ENHANCEMENT |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
19 |
+char * |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
20 |
+derive_pam_service_name(Authctxt *authctxt) |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
21 |
+{ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
22 |
+ char *svcname = xmalloc(BUFSIZ); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
23 |
+ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
24 |
+ /* |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
25 |
+ * If PamServiceName is set we use that for everything, including |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
26 |
+ * SSHv1 |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
27 |
+ */ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
28 |
+ if (options.pam_service_name != NULL) { |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
29 |
+ (void) strlcpy(svcname, options.pam_service_name, BUFSIZ); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
30 |
+ return (svcname); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
31 |
+ } |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
32 |
+ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
33 |
+ if (compat20) { |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
34 |
+ char *method_name = authctxt->authmethod_name; |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
35 |
+ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
36 |
+ if (!method_name) |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
37 |
+ fatal("Userauth method unknown while starting PAM"); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
38 |
+ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
39 |
+ /* |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
40 |
+ * For SSHv2 we use "sshd-<userauth name> |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
41 |
+ * The "sshd" prefix can be changed via the PAMServicePrefix |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
42 |
+ * sshd_config option. |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
43 |
+ */ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
44 |
+ if (strcmp(method_name, "none") == 0) { |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
45 |
+ snprintf(svcname, BUFSIZ, "%s-none", |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
46 |
+ options.pam_service_prefix); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
47 |
+ } |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
48 |
+ if (strcmp(method_name, "password") == 0) { |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
49 |
+ snprintf(svcname, BUFSIZ, "%s-password", |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
50 |
+ options.pam_service_prefix); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
51 |
+ } |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
52 |
+ if (strcmp(method_name, "keyboard-interactive") == 0) { |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
53 |
+ /* "keyboard-interactive" is too long, shorten it */ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
54 |
+ snprintf(svcname, BUFSIZ, "%s-kbdint", |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
55 |
+ options.pam_service_prefix); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
56 |
+ } |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
57 |
+ if (strcmp(method_name, "publickey") == 0) { |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
58 |
+ /* "publickey" is too long, shorten it */ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
59 |
+ snprintf(svcname, BUFSIZ, "%s-pubkey", |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
60 |
+ options.pam_service_prefix); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
61 |
+ } |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
62 |
+ if (strcmp(method_name, "hostbased") == 0) { |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
63 |
+ snprintf(svcname, BUFSIZ, "%s-hostbased", |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
64 |
+ options.pam_service_prefix); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
65 |
+ } |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
66 |
+ if (strncmp(method_name, "gssapi-", 7) == 0) { |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
67 |
+ /* |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
68 |
+ * Although OpenSSH only supports "gssapi-with-mic" |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
69 |
+ * for now. We will still map any userauth method |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
70 |
+ * prefixed with "gssapi-" to the gssapi PAM service. |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
71 |
+ */ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
72 |
+ snprintf(svcname, BUFSIZ, "%s-gssapi", |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
73 |
+ options.pam_service_prefix); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
74 |
+ } |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
75 |
+ return svcname; |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
76 |
+ } else { |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
77 |
+ /* SSHv1 doesn't get to be so cool */ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
78 |
+ snprintf(svcname, BUFSIZ, "sshd-v1"); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
79 |
+ } |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
80 |
+ return svcname; |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
81 |
+} |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
82 |
+#endif /* PAM_ENHANCEMENT */ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
83 |
+ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
84 |
static int |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
85 |
sshpam_init(Authctxt *authctxt) |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
86 |
{ |
4098
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
87 |
@@ -624,18 +690,71 @@ |
3946
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
88 |
const char *pam_rhost, *pam_user, *user = authctxt->user; |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
89 |
const char **ptr_pam_user = &pam_user; |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
90 |
|
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
91 |
+#ifdef PAM_ENHANCEMENT |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
92 |
+ const char *pam_service; |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
93 |
+ const char **ptr_pam_service = &pam_service; |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
94 |
+ char *svc = NULL; |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
95 |
+ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
96 |
+ svc = derive_pam_service_name(authctxt); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
97 |
+ debug3("PAM service is %s", svc); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
98 |
+#endif |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
99 |
+ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
100 |
if (sshpam_handle != NULL) { |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
101 |
+#ifdef PAM_ENHANCEMENT |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
102 |
+ /* get the pam service name */ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
103 |
+ sshpam_err = pam_get_item(sshpam_handle, |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
104 |
+ PAM_SERVICE, (sshpam_const void **)ptr_pam_service); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
105 |
+ if (sshpam_err != PAM_SUCCESS) |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
106 |
+ fatal("Failed to get the PAM service name"); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
107 |
+ debug3("Previous pam_service is %s", pam_service ? |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
108 |
+ pam_service : "NULL"); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
109 |
+ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
110 |
+ /* get the pam user name */ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
111 |
+ sshpam_err = pam_get_item(sshpam_handle, |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
112 |
+ PAM_USER, (sshpam_const void **)ptr_pam_user); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
113 |
+ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
114 |
+ /* |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
115 |
+ * only need to re-start if either user or service is |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
116 |
+ * different. |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
117 |
+ */ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
118 |
+ if (sshpam_err == PAM_SUCCESS && strcmp(user, pam_user) == 0 |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
119 |
+ && strncmp(svc, pam_service, strlen(svc)) == 0) { |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
120 |
+ free(svc); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
121 |
+ return (0); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
122 |
+ } |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
123 |
+ |
4098
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
124 |
+ /* |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
125 |
+ * Clean up previous PAM state. No need to clean up session |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
126 |
+ * and creds. |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
127 |
+ */ |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
128 |
+ sshpam_authenticated = 0; |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
129 |
+ sshpam_account_status = -1; |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
130 |
+ |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
131 |
+ sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, NULL); |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
132 |
+ if (sshpam_err != PAM_SUCCESS) |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
133 |
+ debug3("Cannot remove PAM conv"); /* a warning only */ |
3946
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
134 |
+#else /* Original */ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
135 |
/* We already have a PAM context; check if the user matches */ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
136 |
sshpam_err = pam_get_item(sshpam_handle, |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
137 |
PAM_USER, (sshpam_const void **)ptr_pam_user); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
138 |
if (sshpam_err == PAM_SUCCESS && strcmp(user, pam_user) == 0) |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
139 |
return (0); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
140 |
+#endif /* PAM_ENHANCEMENT */ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
141 |
pam_end(sshpam_handle, sshpam_err); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
142 |
sshpam_handle = NULL; |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
143 |
} |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
144 |
debug("PAM: initializing for \"%s\"", user); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
145 |
+ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
146 |
+#ifdef PAM_ENHANCEMENT |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
147 |
+ debug3("Starting PAM service %s for user %s method %s", svc, user, |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
148 |
+ authctxt->authmethod_name); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
149 |
sshpam_err = |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
150 |
+ pam_start(svc, user, &store_conv, &sshpam_handle); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
151 |
+ free(svc); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
152 |
+#else /* Original */ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
153 |
+ sshpam_err = |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
154 |
pam_start(SSHD_PAM_SERVICE, user, &store_conv, &sshpam_handle); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
155 |
+#endif |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
156 |
sshpam_authctxt = authctxt; |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
157 |
|
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
158 |
if (sshpam_err != PAM_SUCCESS) { |
4098
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
159 |
--- orig/auth.h Mon Jan 26 18:02:11 2015 |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
160 |
+++ new/auth.h Mon Jan 26 18:02:11 2015 |
3946
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
161 |
@@ -76,6 +76,9 @@ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
162 |
#endif |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
163 |
Buffer *loginmsg; |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
164 |
void *methoddata; |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
165 |
+#ifdef PAM_ENHANCEMENT |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
166 |
+ char *authmethod_name; |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
167 |
+#endif |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
168 |
}; |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
169 |
/* |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
170 |
* Every authentication method has to handle authentication requests for |
4098
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
171 |
--- orig/auth2.c Mon Jan 26 18:02:10 2015 |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
172 |
+++ new/auth2.c Tue Mar 31 15:19:10 2015 |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
173 |
@@ -249,10 +249,21 @@ |
3946
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
174 |
PRIVSEP(audit_event(SSH_INVALID_USER)); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
175 |
#endif |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
176 |
} |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
177 |
+ |
4098
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
178 |
+ |
3946
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
179 |
#ifdef USE_PAM |
4098
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
180 |
+#ifdef PAM_ENHANCEMENT |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
181 |
+ /* |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
182 |
+ * Start PAM here and once only, if each userauth does not |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
183 |
+ * has its own PAM service. |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
184 |
+ */ |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
185 |
+ if (options.use_pam && !options.pam_service_per_authmethod) |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
186 |
+ PRIVSEP(start_pam(authctxt)); |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
187 |
+#else |
3946
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
188 |
if (options.use_pam) |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
189 |
PRIVSEP(start_pam(authctxt)); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
190 |
#endif |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
191 |
+#endif |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
192 |
setproctitle("%s%s", authctxt->valid ? user : "unknown", |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
193 |
use_privsep ? " [net]" : ""); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
194 |
authctxt->service = xstrdup(service); |
4098
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
195 |
@@ -286,6 +297,18 @@ |
3946
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
196 |
/* try to authenticate user */ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
197 |
m = authmethod_lookup(authctxt, method); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
198 |
if (m != NULL && authctxt->failures < options.max_authtries) { |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
199 |
+ |
4098
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
200 |
+#if defined(USE_PAM) && defined(PAM_ENHANCEMENT) |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
201 |
+ /* start PAM service for each userauth */ |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
202 |
+ if (options.use_pam && options.pam_service_per_authmethod) { |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
203 |
+ if (authctxt->authmethod_name != NULL) |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
204 |
+ free(authctxt->authmethod_name); |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
205 |
+ authctxt->authmethod_name = xstrdup(method); |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
206 |
+ if (use_privsep) |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
207 |
+ mm_inform_authmethod(method); |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
208 |
+ PRIVSEP(start_pam(authctxt)); |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
209 |
+ } |
3946
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
210 |
+#endif |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
211 |
debug2("input_userauth_request: try method %s", method); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
212 |
authenticated = m->userauth(authctxt); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
213 |
} |
4098
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
214 |
@@ -303,6 +326,10 @@ |
3946
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
215 |
char *methods; |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
216 |
int partial = 0; |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
217 |
|
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
218 |
+#ifdef PAM_ENHANCEMENT |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
219 |
+ debug3("%s: entering", __func__); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
220 |
+#endif |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
221 |
+ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
222 |
if (!authctxt->valid && authenticated) |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
223 |
fatal("INTERNAL ERROR: authenticated invalid user %s", |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
224 |
authctxt->user); |
4098
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
225 |
@@ -319,6 +346,25 @@ |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
226 |
} |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
227 |
|
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
228 |
if (authenticated && options.num_auth_methods != 0) { |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
229 |
+ |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
230 |
+#if defined(USE_PAM) && defined(PAM_ENHANCEMENT) |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
231 |
+ /* |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
232 |
+ * If each userauth has its own PAM service, then PAM need to |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
233 |
+ * perform account check for this service. |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
234 |
+ */ |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
235 |
+ if (options.use_pam && options.pam_service_per_authmethod && |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
236 |
+ !PRIVSEP(do_pam_account())) { |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
237 |
+ /* if PAM returned a message, send it to the user */ |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
238 |
+ if (buffer_len(&loginmsg) > 0) { |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
239 |
+ buffer_append(&loginmsg, "\0", 1); |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
240 |
+ userauth_send_banner(buffer_ptr(&loginmsg)); |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
241 |
+ packet_write_wait(); |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
242 |
+ } |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
243 |
+ |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
244 |
+ fatal("Access denied for user %s by PAM account " |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
245 |
+ "configuration", authctxt->user); |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
246 |
+ } |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
247 |
+#endif |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
248 |
if (!auth2_update_methods_lists(authctxt, method, submethod)) { |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
249 |
authenticated = 0; |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
250 |
partial = 1; |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
251 |
@@ -332,7 +378,20 @@ |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
252 |
return; |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
253 |
|
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
254 |
#ifdef USE_PAM |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
255 |
+ |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
256 |
+#ifdef PAM_ENHANCEMENT |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
257 |
+ /* |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
258 |
+ * PAM needs to perform account checks after auth. However, if each |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
259 |
+ * userauth has its own PAM service and options.num_auth_methods != 0, |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
260 |
+ * then no need to perform account checking, because it was done |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
261 |
+ * already. |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
262 |
+ */ |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
263 |
+ if (options.use_pam && authenticated && |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
264 |
+ !(options.num_auth_methods != 0 && |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
265 |
+ options.pam_service_per_authmethod)){ |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
266 |
+#else |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
267 |
if (options.use_pam && authenticated) { |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
268 |
+#endif |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
269 |
if (!PRIVSEP(do_pam_account())) { |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
270 |
/* if PAM returned a message, send it to the user */ |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
271 |
if (buffer_len(&loginmsg) > 0) { |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
272 |
@@ -623,5 +682,3 @@ |
3946
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
273 |
fatal("%s: method not in AuthenticationMethods", __func__); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
274 |
return 0; |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
275 |
} |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
276 |
- |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
277 |
- |
4098
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
278 |
--- orig/monitor_wrap.c Mon Jan 26 18:02:09 2015 |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
279 |
+++ new/monitor_wrap.c Mon Jan 26 18:02:11 2015 |
3946
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
280 |
@@ -338,6 +338,24 @@ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
281 |
buffer_free(&m); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
282 |
} |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
283 |
|
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
284 |
+#ifdef PAM_ENHANCEMENT |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
285 |
+/* Inform the privileged process about the authentication method */ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
286 |
+void |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
287 |
+mm_inform_authmethod(char *authmethod) |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
288 |
+{ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
289 |
+ Buffer m; |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
290 |
+ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
291 |
+ debug3("%s entering", __func__); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
292 |
+ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
293 |
+ buffer_init(&m); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
294 |
+ buffer_put_cstring(&m, authmethod); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
295 |
+ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
296 |
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHMETHOD, &m); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
297 |
+ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
298 |
+ buffer_free(&m); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
299 |
+} |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
300 |
+#endif |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
301 |
+ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
302 |
/* Do the password authentication */ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
303 |
int |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
304 |
mm_auth_password(Authctxt *authctxt, char *password) |
4098
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
305 |
--- orig/monitor.c Mon Jan 26 18:02:10 2015 |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
306 |
+++ new/monitor.c Tue Mar 31 16:10:50 2015 |
3946
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
307 |
@@ -146,6 +146,9 @@ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
308 |
int mm_answer_pwnamallow(int, Buffer *); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
309 |
int mm_answer_auth2_read_banner(int, Buffer *); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
310 |
int mm_answer_authserv(int, Buffer *); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
311 |
+#ifdef PAM_ENHANCEMENT |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
312 |
+int mm_answer_authmethod(int, Buffer *); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
313 |
+#endif |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
314 |
int mm_answer_authpassword(int, Buffer *); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
315 |
int mm_answer_bsdauthquery(int, Buffer *); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
316 |
int mm_answer_bsdauthrespond(int, Buffer *); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
317 |
@@ -225,10 +228,17 @@ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
318 |
{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
319 |
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
320 |
{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
321 |
+#ifdef PAM_ENHANCEMENT |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
322 |
+ {MONITOR_REQ_AUTHMETHOD, MON_ISAUTH, mm_answer_authmethod}, |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
323 |
+#endif |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
324 |
{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
325 |
{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
326 |
#ifdef USE_PAM |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
327 |
+#ifdef PAM_ENHANCEMENT |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
328 |
+ {MONITOR_REQ_PAM_START, MON_ISAUTH, mm_answer_pam_start}, |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
329 |
+#else |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
330 |
{MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start}, |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
331 |
+#endif |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
332 |
{MONITOR_REQ_PAM_ACCOUNT, 0, mm_answer_pam_account}, |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
333 |
{MONITOR_REQ_PAM_INIT_CTX, MON_ISAUTH, mm_answer_pam_init_ctx}, |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
334 |
{MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query}, |
4098
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
335 |
@@ -391,6 +401,24 @@ |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
336 |
if (!compat20) |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
337 |
fatal("AuthenticationMethods is not supported" |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
338 |
"with SSH protocol 1"); |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
339 |
+ |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
340 |
+#if defined(USE_PAM) && defined(PAM_ENHANCEMENT) |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
341 |
+ /* |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
342 |
+ * If each userauth has its own PAM service, then PAM |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
343 |
+ * need to perform account check for this service. |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
344 |
+ */ |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
345 |
+ if (options.use_pam && authenticated && |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
346 |
+ options.pam_service_per_authmethod) { |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
347 |
+ Buffer m; |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
348 |
+ |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
349 |
+ buffer_init(&m); |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
350 |
+ mm_request_receive_expect(pmonitor->m_sendfd, |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
351 |
+ MONITOR_REQ_PAM_ACCOUNT, &m); |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
352 |
+ authenticated = |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
353 |
+ mm_answer_pam_account(pmonitor->m_sendfd, &m); |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
354 |
+ buffer_free(&m); |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
355 |
+ } |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
356 |
+#endif |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
357 |
if (authenticated && |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
358 |
!auth2_update_methods_lists(authctxt, |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
359 |
auth_method, auth_submethod)) { |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
360 |
@@ -409,8 +437,21 @@ |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
361 |
!auth_root_allowed(auth_method)) |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
362 |
authenticated = 0; |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
363 |
#ifdef USE_PAM |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
364 |
+#ifdef PAM_ENHANCEMENT |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
365 |
+ /* |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
366 |
+ * PAM needs to perform account checks after auth. |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
367 |
+ * However, if each userauth has its own PAM service |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
368 |
+ * and options.num_auth_methods != 0, then no need to |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
369 |
+ * perform account checking, because it was done |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
370 |
+ * already. |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
371 |
+ */ |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
372 |
+ if (options.use_pam && authenticated && |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
373 |
+ !(options.num_auth_methods != 0 && |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
374 |
+ options.pam_service_per_authmethod)) { |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
375 |
+#else |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
376 |
/* PAM needs to perform account checks after auth */ |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
377 |
if (options.use_pam && authenticated) { |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
378 |
+#endif |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
379 |
Buffer m; |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
380 |
|
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
381 |
buffer_init(&m); |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
382 |
@@ -828,6 +869,10 @@ |
3946
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
383 |
/* Allow service/style information on the auth context */ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
384 |
monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
385 |
monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
386 |
+#ifdef PAM_ENHANCEMENT |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
387 |
+ /* Allow authmethod information on the auth context */ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
388 |
+ monitor_permit(mon_dispatch, MONITOR_REQ_AUTHMETHOD, 1); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
389 |
+#endif |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
390 |
} |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
391 |
#ifdef USE_PAM |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
392 |
if (options.use_pam) |
4098
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
393 |
@@ -868,7 +913,25 @@ |
3946
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
394 |
return (0); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
395 |
} |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
396 |
|
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
397 |
+#ifdef PAM_ENHANCEMENT |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
398 |
int |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
399 |
+mm_answer_authmethod(int sock, Buffer *m) |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
400 |
+{ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
401 |
+ monitor_permit_authentications(1); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
402 |
+ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
403 |
+ authctxt->authmethod_name = buffer_get_string(m, NULL); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
404 |
+ debug3("%s: authmethod_name=%s", __func__, authctxt->authmethod_name); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
405 |
+ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
406 |
+ if (strlen(authctxt->authmethod_name) == 0) { |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
407 |
+ free(authctxt->authmethod_name); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
408 |
+ authctxt->authmethod_name = NULL; |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
409 |
+ } |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
410 |
+ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
411 |
+ return (0); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
412 |
+} |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
413 |
+#endif |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
414 |
+ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
415 |
+int |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
416 |
mm_answer_authpassword(int sock, Buffer *m) |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
417 |
{ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
418 |
static int call_count; |
4098
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
419 |
--- orig/monitor.h Mon Jan 26 18:02:10 2015 |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
420 |
+++ new/monitor.h Mon Jan 26 18:02:11 2015 |
3946
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
421 |
@@ -70,6 +70,9 @@ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
422 |
MONITOR_REQ_PAM_FREE_CTX = 110, MONITOR_ANS_PAM_FREE_CTX = 111, |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
423 |
MONITOR_REQ_AUDIT_EVENT = 112, MONITOR_REQ_AUDIT_COMMAND = 113, |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
424 |
|
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
425 |
+#ifdef PAM_ENHANCEMENT |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
426 |
+ MONITOR_REQ_AUTHMETHOD = 114, |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
427 |
+#endif |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
428 |
}; |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
429 |
|
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
430 |
struct mm_master; |
4098
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
431 |
--- orig/servconf.c Mon Jan 26 18:02:09 2015 |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
432 |
+++ new/servconf.c Tue Mar 31 16:24:59 2015 |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
433 |
@@ -154,6 +154,18 @@ |
3946
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
434 |
options->ip_qos_interactive = -1; |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
435 |
options->ip_qos_bulk = -1; |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
436 |
options->version_addendum = NULL; |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
437 |
+#ifdef PAM_ENHANCEMENT |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
438 |
+ options->pam_service_name = NULL; |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
439 |
+ options->pam_service_prefix = NULL; |
4098
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
440 |
+ |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
441 |
+ /* |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
442 |
+ * Each user method will have its own PAM service by default. |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
443 |
+ * However, if PAMServiceName is specified or the protocal version |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
444 |
+ * is not compat20, then there will be only one PAM service for the |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
445 |
+ * entire user authentication. |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
446 |
+ */ |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
447 |
+ options->pam_service_per_authmethod = 1; |
3946
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
448 |
+#endif |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
449 |
} |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
450 |
|
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
451 |
void |
4098
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
452 |
@@ -303,6 +315,12 @@ |
3946
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
453 |
options->ip_qos_bulk = IPTOS_THROUGHPUT; |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
454 |
if (options->version_addendum == NULL) |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
455 |
options->version_addendum = xstrdup(""); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
456 |
+ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
457 |
+#ifdef PAM_ENHANCEMENT |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
458 |
+ if (options->pam_service_prefix == NULL) |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
459 |
+ options->pam_service_prefix = _SSH_PAM_SERVICE_PREFIX; |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
460 |
+#endif |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
461 |
+ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
462 |
/* Turn privilege separation on by default */ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
463 |
if (use_privsep == -1) |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
464 |
use_privsep = PRIVSEP_NOSANDBOX; |
4098
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
465 |
@@ -351,6 +369,9 @@ |
3946
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
466 |
sKexAlgorithms, sIPQoS, sVersionAddendum, |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
467 |
sAuthorizedKeysCommand, sAuthorizedKeysCommandUser, |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
468 |
sAuthenticationMethods, sHostKeyAgent, |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
469 |
+#ifdef PAM_ENHANCEMENT |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
470 |
+ sPAMServicePrefix, sPAMServiceName, |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
471 |
+#endif |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
472 |
sDeprecated, sUnsupported |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
473 |
} ServerOpCodes; |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
474 |
|
4098
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
475 |
@@ -482,6 +503,10 @@ |
3946
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
476 |
{ "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL }, |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
477 |
{ "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL }, |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
478 |
{ "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL }, |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
479 |
+#ifdef PAM_ENHANCEMENT |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
480 |
+ { "pamserviceprefix", sPAMServicePrefix, SSHCFG_GLOBAL }, |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
481 |
+ { "pamservicename", sPAMServiceName, SSHCFG_GLOBAL }, |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
482 |
+#endif |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
483 |
{ NULL, sBadOption, 0 } |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
484 |
}; |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
485 |
|
4098
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
486 |
@@ -1632,6 +1657,37 @@ |
3946
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
487 |
} |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
488 |
return 0; |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
489 |
|
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
490 |
+ case sPAMServicePrefix: |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
491 |
+ arg = strdelim(&cp); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
492 |
+ if (!arg || *arg == '\0') |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
493 |
+ fatal("%s line %d: Missing argument.", |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
494 |
+ filename, linenum); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
495 |
+ if (options->pam_service_name != NULL) |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
496 |
+ fatal("%s line %d: PAMServiceName and PAMServicePrefix" |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
497 |
+ " are mutually exclusive.", filename, linenum); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
498 |
+ if (options->pam_service_prefix == NULL) |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
499 |
+ options->pam_service_prefix = xstrdup(arg); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
500 |
+ break; |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
501 |
+ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
502 |
+ case sPAMServiceName: |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
503 |
+ arg = strdelim(&cp); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
504 |
+ if (!arg || *arg == '\0') |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
505 |
+ fatal("%s line %d: Missing argument.", |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
506 |
+ filename, linenum); |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
507 |
+ if (options->pam_service_prefix != NULL) |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
508 |
+ fatal("%s line %d: PAMServiceName and PAMServicePrefix" |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
509 |
+ " are mutually exclusive.", filename, linenum); |
4098
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
510 |
+ if (options->pam_service_name == NULL) { |
3946
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
511 |
+ options->pam_service_name = xstrdup(arg); |
4098
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
512 |
+ |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
513 |
+ /* |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
514 |
+ * When this option is specified, we will not have |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
515 |
+ * PAM service for each auth method. |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
516 |
+ */ |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
517 |
+ options->pam_service_per_authmethod = 0; |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
518 |
+ } |
3946
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
519 |
+ break; |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
520 |
+ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
521 |
case sDeprecated: |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
522 |
logit("%s line %d: Deprecated option %s", |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
523 |
filename, linenum, arg); |
4098
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
524 |
--- orig/servconf.h Mon Jan 26 18:02:10 2015 |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
525 |
+++ new/servconf.h Tue Mar 31 15:07:14 2015 |
3946
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
526 |
@@ -54,6 +54,10 @@ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
527 |
/* Magic name for internal sftp-server */ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
528 |
#define INTERNAL_SFTP_NAME "internal-sftp" |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
529 |
|
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
530 |
+#ifdef PAM_ENHANCEMENT |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
531 |
+#define _SSH_PAM_SERVICE_PREFIX "sshd" |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
532 |
+#endif |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
533 |
+ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
534 |
typedef struct { |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
535 |
u_int num_ports; |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
536 |
u_int ports_from_cmdline; |
4098
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
537 |
@@ -185,6 +189,13 @@ |
3946
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
538 |
|
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
539 |
u_int num_auth_methods; |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
540 |
char *auth_methods[MAX_AUTH_METHODS]; |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
541 |
+ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
542 |
+#ifdef PAM_ENHANCEMENT |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
543 |
+ char *pam_service_prefix; |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
544 |
+ char *pam_service_name; |
4098
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
545 |
+ int pam_service_per_authmethod; |
3946
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
546 |
+#endif |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
547 |
+ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
548 |
} ServerOptions; |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
549 |
|
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
550 |
/* Information about the incoming connection as used by Match */ |
4098
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
551 |
--- orig/sshd_config.5 Mon Jan 26 18:02:10 2015 |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
552 |
+++ new/sshd_config.5 Mon Jan 26 18:03:45 2015 |
3946
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
553 |
@@ -868,6 +868,21 @@ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
554 |
are refused if the number of unauthenticated connections reaches |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
555 |
.Dq full |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
556 |
(60). |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
557 |
+.It Cm PAMServiceName |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
558 |
+Specifies the PAM service name for the PAM session. The PAMServiceName and |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
559 |
+PAMServicePrefix options are mutually exclusive and if both set, sshd does not |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
560 |
+start. If this option is set the service name is the same for all user |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
561 |
+authentication methods. The option has no default value. See PAMServicePrefix |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
562 |
+for more information. |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
563 |
+.It Cm PAMServicePrefix |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
564 |
+Specifies the PAM service name prefix for service names used for individual |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
565 |
+user authentication methods. The default is sshd. The PAMServiceName and |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
566 |
+PAMServicePrefix options are mutually exclusive and if both set, sshd does not |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
567 |
+start. |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
568 |
+.Pp |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
569 |
+For example, if this option is set to admincli, the service name for the |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
570 |
+keyboard-interactive authentication method is admincli-kbdint instead of the |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
571 |
+default sshd-kbdint. |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
572 |
.It Cm PasswordAuthentication |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
573 |
Specifies whether password authentication is allowed. |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
574 |
The default is |
4098
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
575 |
@@ -1203,8 +1218,7 @@ |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
576 |
is enabled, you will not be able to run |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
577 |
.Xr sshd 8 |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
578 |
as a non-root user. |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
579 |
-The default is |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
580 |
-.Dq no . |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
581 |
+On Solaris, the option is always enabled. |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
582 |
.It Cm UsePrivilegeSeparation |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
583 |
Specifies whether |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
584 |
.Xr sshd 8 |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
585 |
--- orig/sshd.8 Mon Jan 26 18:02:09 2015 |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
586 |
+++ new/sshd.8 Mon Jan 26 18:02:11 2015 |
3946
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
587 |
@@ -951,6 +951,33 @@ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
588 |
started last). |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
589 |
The content of this file is not sensitive; it can be world-readable. |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
590 |
.El |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
591 |
+ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
592 |
+.Sh SECURITY |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
593 |
+sshd uses pam(3PAM) for password and keyboard-interactive methods as well as |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
594 |
+for account management, session management, and the password management for all |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
595 |
+authentication methods. |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
596 |
+.Pp |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
597 |
+Each SSHv2 userauth type has its own PAM service name: |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
598 |
+ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
599 |
+.Bd -literal -offset 3n |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
600 |
+ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
601 |
+----------------------------------------------- |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
602 |
+| SSHv2 Userauth | PAM Service Name | |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
603 |
+----------------------------------------------- |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
604 |
+| none | sshd-none | |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
605 |
+----------------------------------------------- |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
606 |
+| password | sshd-password | |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
607 |
+----------------------------------------------- |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
608 |
+| keyboard-interactive | sshd-kbdint | |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
609 |
+----------------------------------------------- |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
610 |
+| pubkey | sshd-pubkey | |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
611 |
+----------------------------------------------- |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
612 |
+| hostbased | sshd-hostbased | |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
613 |
+----------------------------------------------- |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
614 |
+| gssapi-with-mic | sshd-gssapi | |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
615 |
+----------------------------------------------- |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
616 |
+.Ed |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
617 |
+ |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
618 |
.Sh SEE ALSO |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
619 |
.Xr scp 1 , |
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
620 |
.Xr sftp 1 , |
4098
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
621 |
--- orig/sshd.c Tue Mar 31 18:12:33 2015 |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
622 |
+++ new/sshd.c Tue Mar 31 18:42:28 2015 |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
623 |
@@ -2065,6 +2065,11 @@ |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
624 |
|
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
625 |
sshd_exchange_identification(sock_in, sock_out); |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
626 |
|
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
627 |
+#ifdef PAM_ENHANCEMENT |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
628 |
+ if (!compat20) |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
629 |
+ options.pam_service_per_authmethod = 0; |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
630 |
+#endif |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
631 |
+ |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
632 |
/* In inetd mode, generate ephemeral key only for proto 1 connections */ |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
633 |
if (!compat20 && inetd_flag && sensitive_data.server_key == NULL) |
19376bf84775
20840006 PAM state needs to to be cleaned up when each userauth has its own PAM service
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
3946
diff
changeset
|
634 |
generate_ephemeral_server_key(); |