author | Huie-Ying Lee <huieying.lee@oracle.com> |
Fri, 15 May 2015 12:02:19 -0700 | |
changeset 4297 | b90b1e0312f8 |
permissions | -rw-r--r-- |
21078900 openssh server should fatal out when pam_setcred and pam_open_session fail
1 |
# |
2 |
# This patch contains bug fixes to the PAM credential and session operations. |
3 |
# In the original OpenSSH, the server only gives warnings and still allows |
4 |
# users to log in when pam_setcred() or pam_open_session() fail, if user auth |
5 |
# method is not keyboard-interactive or password. This is not a correct |
6 |
# behavior. The server should just fatal out, when these functions fail. |
7 |
# |
8 |
# We have contributed back these bug fixes to the OpenSSH upstream community. |
9 |
# For more information, see https://bugzilla.mindrot.org/show_bug.cgi?id=2399 |
10 |
# In the future, if these bug fixes are accepted by the upstream in a later |
11 |
# release, we will remove this patch when we upgrade to that release. |
12 |
# |
13 |
--- orig/auth-pam.c Tue May 12 12:57:25 2015 |
14 |
+++ new/auth-pam.c Thu May 14 15:21:54 2015 |
15 |
@@ -950,6 +950,12 @@ |
16 |
sshpam_cred_established = 1; |
17 |
return; |
18 |
} |
19 |
+ |
20 |
+#ifdef PAM_BUGFIX |
21 |
+ /* Server will fatal out when pam_setcred() failed. */ |
22 |
+ fatal("PAM: pam_setcred(): %s", pam_strerror(sshpam_handle, |
23 |
+ sshpam_err)); |
24 |
+#else /* orig */ |
25 |
if (sshpam_authenticated) |
26 |
fatal("PAM: pam_setcred(): %s", |
27 |
pam_strerror(sshpam_handle, sshpam_err)); |
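Review bot: The fail-closed path added here is compiled only when `PAM_BUGFIX` is defined, and nothing in this patch defines it, so a build that omits the macro silently keeps the original branch, in which a pam_setcred() failure with `sshpam_authenticated` unset is logged at debug level and the login continues. The same guard wraps the pam_open_session() change in the `-1048` hunk, and its `#endif` for this block sits in the `-956` hunk. I would state the dependency beside the guard, for example `/* PAM_BUGFIX is set by the build (<build file or configure option - placeholder>); if it is undefined the original fail-open code below is used. */`, or make the strict branch the default and the original one the opt-in. The enclosing function starts outside the hunk.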
28 |
@@ -956,6 +962,7 @@ |
29 |
else |
30 |
debug("PAM: pam_setcred(): %s", |
31 |
pam_strerror(sshpam_handle, sshpam_err)); |
32 |
+#endif /* PAM_BUGFIX */ |
33 |
} |
34 |
|
35 |
static int |
36 |
@@ -1048,10 +1055,16 @@ |
37 |
if (sshpam_err == PAM_SUCCESS) |
38 |
sshpam_session_open = 1; |
39 |
else { |
40 |
+#ifdef PAM_BUGFIX |
41 |
+ /* Server will fatal out when pam_open_session() failed */ |
42 |
+ fatal("PAM: pam_open_session(): %s", |
43 |
+ pam_strerror(sshpam_handle, sshpam_err)); |
44 |
+#else /* orig */ |
45 |
sshpam_session_open = 0; |
46 |
disable_forwarding(); |
47 |
error("PAM: pam_open_session(): %s", |
48 |
pam_strerror(sshpam_handle, sshpam_err)); |
49 |
+#endif /* PAM_BUGFIX */ |
50 |
} |
51 |
|
52 |
} |
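Review bot: The comment on the new `fatal()` in the `else` arm says what happens but not why, and it does not warn that under `PAM_BUGFIX` every pam_open_session() error now ends the connection instead of continuing with forwarding disabled. Any session module that returns an error will then refuse logins through this server, presumably including administrative ones, so the PAM session stack should be exercised before a build with this change is deployed. I would expand the comment to something like `/* Fail closed: session modules did not complete, so do not start the session; a failing session module now blocks the login. */`. The enclosing function starts outside the hunk.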