|
1 # |
|
2 # Enable login to a role for hostbased authentication if allowed by PAM. |
|
3 # |
|
4 # Sets PAM_AUSER item to user who is asserting a new identity before |
|
5 # calling do_pam_account(). Implemented using existing static variable |
|
6 # hostbased_cuser. The change is protected by new HAVE_PAM_AUSER ifdef-guard, |
|
7 # which is set to defined on Solaris. |
|
8 # |
|
9 # Patch offered upstream: |
|
10 # https://bugzilla.mindrot.org/show_bug.cgi?id=2378 |
|
11 # |
|
12 diff -pur old/auth-pam.c new/auth-pam.c |
|
13 --- old/auth-pam.c 2015-04-13 07:40:15.102801416 -0700 |
|
14 +++ new/auth-pam.c 2015-04-13 07:40:15.170507123 -0700 |
|
15 @@ -1038,6 +1038,20 @@ do_pam_account(void) |
|
16 return (sshpam_account_status); |
|
17 } |
|
18 |
|
19 +#ifdef HAVE_PAM_AUSER |
|
20 +void |
|
21 +do_pam_set_auser(const char* auser) |
|
22 +{ |
|
23 + if (auser != NULL) { |
|
24 + debug("PAM: setting PAM_AUSER to \"%s\"", auser); |
|
25 + sshpam_err = pam_set_item(sshpam_handle, PAM_AUSER, auser); |
|
26 + if (sshpam_err != PAM_SUCCESS) |
|
27 + error("PAM: failed to set PAM_AUSER: %s", |
|
28 + pam_strerror(sshpam_handle, sshpam_err)); |
|
29 + } |
|
30 +} |
|
31 +#endif |
|
32 + |
|
33 void |
|
34 do_pam_set_tty(const char *tty) |
|
35 { |
|
36 diff -pur old/auth-pam.h new/auth-pam.h |
|
37 --- old/auth-pam.h 2004-09-11 05:17:26.000000000 -0700 |
|
38 +++ new/auth-pam.h 2015-04-13 07:40:15.170675124 -0700 |
|
39 @@ -35,6 +35,9 @@ void start_pam(Authctxt *); |
|
40 void finish_pam(void); |
|
41 u_int do_pam_account(void); |
|
42 void do_pam_session(void); |
|
43 +#ifdef HAVE_PAM_AUSER |
|
44 +void do_pam_set_auser(const char *); |
|
45 +#endif |
|
46 void do_pam_set_tty(const char *); |
|
47 void do_pam_setcred(int ); |
|
48 void do_pam_chauthtok(void); |
|
49 diff -pur old/auth.h new/auth.h |
|
50 --- old/auth.h 2015-04-13 07:40:15.102912510 -0700 |
|
51 +++ new/auth.h 2015-04-13 07:40:15.170773363 -0700 |
|
52 @@ -79,6 +79,9 @@ struct Authctxt { |
|
53 #ifdef PAM_ENHANCEMENT |
|
54 char *authmethod_name; |
|
55 #endif |
|
56 +#ifdef HAVE_PAM_AUSER |
|
57 + char *auser; |
|
58 +#endif |
|
59 }; |
|
60 /* |
|
61 * Every authentication method has to handle authentication requests for |
|
62 diff -pur old/auth2-hostbased.c new/auth2-hostbased.c |
|
63 --- old/auth2-hostbased.c 2013-12-30 17:25:41.000000000 -0800 |
|
64 +++ new/auth2-hostbased.c 2015-04-13 07:40:15.170883166 -0700 |
|
65 @@ -83,6 +83,9 @@ userauth_hostbased(Authctxt *authctxt) |
|
66 buffer_dump(&b); |
|
67 buffer_free(&b); |
|
68 #endif |
|
69 +#ifdef HAVE_PAM_AUSER |
|
70 + authctxt->auser = NULL; |
|
71 +#endif |
|
72 pktype = key_type_from_name(pkalg); |
|
73 if (pktype == KEY_UNSPEC) { |
|
74 /* this is perfectly legal */ |
|
75 @@ -133,6 +136,13 @@ userauth_hostbased(Authctxt *authctxt) |
|
76 buffer_len(&b))) == 1) |
|
77 authenticated = 1; |
|
78 |
|
79 +#ifdef HAVE_PAM_AUSER |
|
80 + if (authenticated) { |
|
81 + authctxt->auser = cuser; |
|
82 + cuser = NULL; |
|
83 + } |
|
84 +#endif |
|
85 + |
|
86 buffer_free(&b); |
|
87 done: |
|
88 debug2("userauth_hostbased: authenticated %d", authenticated); |
|
89 diff -pur old/auth2.c new/auth2.c |
|
90 --- old/auth2.c 2015-04-13 07:40:15.125748357 -0700 |
|
91 +++ new/auth2.c 2015-04-13 07:54:08.589929143 -0700 |
|
92 @@ -347,6 +347,14 @@ userauth_finish(Authctxt *authctxt, int |
|
93 #endif |
|
94 } |
|
95 |
|
96 +#ifdef HAVE_PAM_AUSER |
|
97 + if (!use_privsep) { |
|
98 + do_pam_set_auser(authctxt->auser); |
|
99 + free(authctxt->auser); |
|
100 + authctxt->auser = NULL; |
|
101 + } |
|
102 +#endif |
|
103 + |
|
104 if (authenticated && options.num_auth_methods != 0) { |
|
105 |
|
106 #if defined(USE_PAM) && defined(PAM_ENHANCEMENT) |
|
107 diff -pur old/config.h.in new/config.h.in |
|
108 --- old/config.h.in 2015-04-13 07:40:15.118922540 -0700 |
|
109 +++ new/config.h.in 2015-04-13 07:40:15.171493102 -0700 |
|
110 @@ -814,6 +814,9 @@ |
|
111 /* Define if you have Digital Unix Security Integration Architecture */ |
|
112 #undef HAVE_OSF_SIA |
|
113 |
|
114 +/* Define if you have PAM_AUSER PAM item */ |
|
115 +#undef HAVE_PAM_AUSER |
|
116 + |
|
117 /* Define to 1 if you have the `pam_getenvlist' function. */ |
|
118 #undef HAVE_PAM_GETENVLIST |
|
119 |
|
120 diff -pur old/configure new/configure |
|
121 --- old/configure 2015-04-13 07:40:15.121667931 -0700 |
|
122 +++ new/configure 2015-04-13 07:40:15.174438856 -0700 |
|
123 @@ -7799,6 +7799,7 @@ fi |
|
124 |
|
125 $as_echo "#define USE_GSS_STORE_CRED 1" >>confdefs.h |
|
126 $as_echo "#define GSSAPI_STORECREDS_NEEDS_RUID 1" >>confdefs.h |
|
127 + $as_echo "#define HAVE_PAM_AUSER 1" >>confdefs.h |
|
128 |
|
129 TEST_SHELL=$SHELL # let configure find us a capable shell |
|
130 ;; |
|
131 diff -pur old/configure.ac new/configure.ac |
|
132 --- old/configure.ac 2015-04-13 07:40:15.085660430 -0700 |
|
133 +++ new/configure.ac 2015-04-13 07:40:15.175130655 -0700 |
|
134 @@ -868,6 +868,7 @@ mips-sony-bsd|mips-sony-newsos4) |
|
135 TEST_SHELL=$SHELL # let configure find us a capable shell |
|
136 AC_DEFINE([USE_GSS_STORE_CRED]) |
|
137 AC_DEFINE([GSSAPI_STORECREDS_NEEDS_RUID]) |
|
138 + AC_DEFINE([HAVE_PAM_AUSER]) |
|
139 ;; |
|
140 *-*-sunos4*) |
|
141 CPPFLAGS="$CPPFLAGS -DSUNOS4" |
|
142 diff -pur old/monitor.c new/monitor.c |
|
143 --- old/monitor.c 2015-04-13 07:40:15.136922050 -0700 |
|
144 +++ new/monitor.c 2015-04-13 07:40:15.175533060 -0700 |
|
145 @@ -490,6 +490,12 @@ monitor_child_preauth(Authctxt *_authctx |
|
146 #endif |
|
147 } |
|
148 |
|
149 +#if defined(HAVE_PAM_AUSER) && defined(USE_PAM) |
|
150 + if (hostbased_cuser != NULL) { |
|
151 + free(hostbased_cuser); |
|
152 + hostbased_cuser = NULL; |
|
153 + } |
|
154 +#endif |
|
155 if (!authctxt->valid) |
|
156 fatal("%s: authenticated invalid user", __func__); |
|
157 if (strcmp(auth_method, "unknown") == 0) |
|
158 @@ -699,12 +705,14 @@ monitor_reset_key_state(void) |
|
159 { |
|
160 /* reset state */ |
|
161 free(key_blob); |
|
162 +#if !defined(HAVE_PAM_AUSER) || !defined(USE_PAM) |
|
163 free(hostbased_cuser); |
|
164 + hostbased_cuser = NULL; |
|
165 +#endif |
|
166 free(hostbased_chost); |
|
167 key_blob = NULL; |
|
168 key_bloblen = 0; |
|
169 key_blobtype = MM_NOKEY; |
|
170 - hostbased_cuser = NULL; |
|
171 hostbased_chost = NULL; |
|
172 } |
|
173 |
|
174 @@ -1111,6 +1119,11 @@ mm_answer_pam_account(int sock, Buffer * |
|
175 if (!options.use_pam) |
|
176 fatal("UsePAM not set, but ended up in %s anyway", __func__); |
|
177 |
|
178 +#ifdef HAVE_PAM_AUSER |
|
179 + if (hostbased_cuser != NULL) |
|
180 + do_pam_set_auser(hostbased_cuser); |
|
181 +#endif |
|
182 + |
|
183 ret = do_pam_account(); |
|
184 |
|
185 buffer_put_int(m, ret); |