144 debug("PAM: initializing for \"%s\"", user); |
145 debug("PAM: initializing for \"%s\"", user); |
145 + |
146 + |
146 +#ifdef PAM_ENHANCEMENT |
147 +#ifdef PAM_ENHANCEMENT |
147 + debug3("Starting PAM service %s for user %s method %s", svc, user, |
148 + debug3("Starting PAM service %s for user %s method %s", svc, user, |
148 + authctxt->authmethod_name); |
149 + authctxt->authmethod_name); |
149 sshpam_err = |
150 + sshpam_err = |
150 + pam_start(svc, user, &store_conv, &sshpam_handle); |
151 + pam_start(svc, user, &store_conv, &sshpam_handle); |
151 + free(svc); |
152 + free(svc); |
152 +#else /* Original */ |
153 +#else /* Original */ |
153 + sshpam_err = |
154 sshpam_err = |
154 pam_start(SSHD_PAM_SERVICE, user, &store_conv, &sshpam_handle); |
155 pam_start(SSHD_PAM_SERVICE, user, &store_conv, &sshpam_handle); |
155 +#endif |
156 +#endif |
156 sshpam_authctxt = authctxt; |
157 sshpam_authctxt = authctxt; |
157 |
158 |
158 if (sshpam_err != PAM_SUCCESS) { |
159 if (sshpam_err != PAM_SUCCESS) { |
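Review bot: The `debug3()` added at the top of the `PAM_ENHANCEMENT` branch passes `authctxt->authmethod_name` to a `%s`, but nothing in this hunk shows the field being set before `sshpam_init()` runs — it is filled in by the monitor on MONITOR_REQ_AUTHMETHOD — and a NULL `%s` argument is undefined behaviour in printf-style formatting; guard it, e.g. `authctxt->authmethod_name != NULL ? authctxt->authmethod_name : "(unset)"`. The `#ifdef`/`#else` also duplicates the `sshpam_err = pam_start(...)` call when only the service-name argument differs; selecting the name into one variable first and keeping a single `pam_start()` would confine the conditional to the name choice and the `free(svc)`. The enclosing function (sshpam_init, judging by the `PAM: initializing` debug line) starts before the hunk, where `svc` is built, so whether `svc` can be NULL here is not visible.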
159 --- orig/auth.h Mon Jan 26 18:02:11 2015 |
160 diff -pur old/auth.h new/auth.h |
160 +++ new/auth.h Mon Jan 26 18:02:11 2015 |
161 --- old/auth.h 2015-03-16 22:49:20.000000000 -0700 |
161 @@ -76,6 +76,9 @@ |
162 +++ new/auth.h 2015-04-28 06:18:25.719914272 -0700 |
162 #endif |
163 @@ -81,6 +81,9 @@ struct Authctxt { |
163 Buffer *loginmsg; |
164 |
164 void *methoddata; |
165 struct sshkey **prev_userkeys; |
|
166 u_int nprev_userkeys; |
165 +#ifdef PAM_ENHANCEMENT |
167 +#ifdef PAM_ENHANCEMENT |
166 + char *authmethod_name; |
168 + char *authmethod_name; |
167 +#endif |
169 +#endif |
168 }; |
170 }; |
169 /* |
171 /* |
170 * Every authentication method has to handle authentication requests for |
172 * Every authentication method has to handle authentication requests for |
171 --- orig/auth2.c Mon Jan 26 18:02:10 2015 |
173 diff -pur old/auth2.c new/auth2.c |
172 +++ new/auth2.c Tue Mar 31 15:19:10 2015 |
174 --- old/auth2.c 2015-03-16 22:49:20.000000000 -0700 |
173 @@ -249,10 +249,21 @@ |
175 +++ new/auth2.c 2015-04-28 06:15:57.419262466 -0700 |
|
176 @@ -243,10 +243,21 @@ input_userauth_request(int type, u_int32 |
174 PRIVSEP(audit_event(SSH_INVALID_USER)); |
177 PRIVSEP(audit_event(SSH_INVALID_USER)); |
175 #endif |
178 #endif |
176 } |
179 } |
177 + |
180 + |
178 + |
181 + |
267 if (options.use_pam && authenticated) { |
270 if (options.use_pam && authenticated) { |
268 +#endif |
271 +#endif |
269 if (!PRIVSEP(do_pam_account())) { |
272 if (!PRIVSEP(do_pam_account())) { |
270 /* if PAM returned a message, send it to the user */ |
273 /* if PAM returned a message, send it to the user */ |
271 if (buffer_len(&loginmsg) > 0) { |
274 if (buffer_len(&loginmsg) > 0) { |
272 @@ -623,5 +682,3 @@ |
275 @@ -615,5 +674,3 @@ auth2_update_methods_lists(Authctxt *aut |
273 fatal("%s: method not in AuthenticationMethods", __func__); |
276 fatal("%s: method not in AuthenticationMethods", __func__); |
274 return 0; |
277 return 0; |
275 } |
278 } |
276 - |
279 - |
277 - |
280 - |
278 --- orig/monitor_wrap.c Mon Jan 26 18:02:09 2015 |
281 diff -pur old/monitor.c new/monitor.c |
279 +++ new/monitor_wrap.c Mon Jan 26 18:02:11 2015 |
282 --- old/monitor.c 2015-03-16 22:49:20.000000000 -0700 |
280 @@ -338,6 +338,24 @@ |
283 +++ new/monitor.c 2015-04-28 06:15:57.421294814 -0700 |
281 buffer_free(&m); |
284 @@ -127,6 +127,9 @@ int mm_answer_sign(int, Buffer *); |
282 } |
|
283 |
|
284 +#ifdef PAM_ENHANCEMENT |
|
285 +/* Inform the privileged process about the authentication method */ |
|
286 +void |
|
287 +mm_inform_authmethod(char *authmethod) |
|
288 +{ |
|
289 + Buffer m; |
|
290 + |
|
291 + debug3("%s entering", __func__); |
|
292 + |
|
293 + buffer_init(&m); |
|
294 + buffer_put_cstring(&m, authmethod); |
|
295 + |
|
296 + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHMETHOD, &m); |
|
297 + |
|
298 + buffer_free(&m); |
|
299 +} |
|
300 +#endif |
|
301 + |
|
302 /* Do the password authentication */ |
|
303 int |
|
304 mm_auth_password(Authctxt *authctxt, char *password) |
|
305 --- orig/monitor.c Mon Jan 26 18:02:10 2015 |
|
306 +++ new/monitor.c Tue Mar 31 16:10:50 2015 |
|
307 @@ -146,6 +146,9 @@ |
|
308 int mm_answer_pwnamallow(int, Buffer *); |
285 int mm_answer_pwnamallow(int, Buffer *); |
309 int mm_answer_auth2_read_banner(int, Buffer *); |
286 int mm_answer_auth2_read_banner(int, Buffer *); |
310 int mm_answer_authserv(int, Buffer *); |
287 int mm_answer_authserv(int, Buffer *); |
311 +#ifdef PAM_ENHANCEMENT |
288 +#ifdef PAM_ENHANCEMENT |
312 +int mm_answer_authmethod(int, Buffer *); |
289 +int mm_answer_authmethod(int, Buffer *); |
313 +#endif |
290 +#endif |
314 int mm_answer_authpassword(int, Buffer *); |
291 int mm_answer_authpassword(int, Buffer *); |
315 int mm_answer_bsdauthquery(int, Buffer *); |
292 int mm_answer_bsdauthquery(int, Buffer *); |
316 int mm_answer_bsdauthrespond(int, Buffer *); |
293 int mm_answer_bsdauthrespond(int, Buffer *); |
317 @@ -225,10 +228,17 @@ |
294 @@ -206,10 +209,17 @@ struct mon_table mon_dispatch_proto20[] |
318 {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, |
295 {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, |
319 {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, |
296 {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, |
320 {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, |
297 {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, |
321 +#ifdef PAM_ENHANCEMENT |
298 +#ifdef PAM_ENHANCEMENT |
322 + {MONITOR_REQ_AUTHMETHOD, MON_ISAUTH, mm_answer_authmethod}, |
299 + {MONITOR_REQ_AUTHMETHOD, MON_ISAUTH, mm_answer_authmethod}, |
377 if (options.use_pam && authenticated) { |
354 if (options.use_pam && authenticated) { |
378 +#endif |
355 +#endif |
379 Buffer m; |
356 Buffer m; |
380 |
357 |
381 buffer_init(&m); |
358 buffer_init(&m); |
382 @@ -828,6 +869,10 @@ |
359 @@ -863,6 +904,10 @@ mm_answer_pwnamallow(int sock, Buffer *m |
383 /* Allow service/style information on the auth context */ |
360 /* Allow service/style information on the auth context */ |
384 monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); |
361 monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); |
385 monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); |
362 monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); |
386 +#ifdef PAM_ENHANCEMENT |
363 +#ifdef PAM_ENHANCEMENT |
387 + /* Allow authmethod information on the auth context */ |
364 + /* Allow authmethod information on the auth context */ |
388 + monitor_permit(mon_dispatch, MONITOR_REQ_AUTHMETHOD, 1); |
365 + monitor_permit(mon_dispatch, MONITOR_REQ_AUTHMETHOD, 1); |
389 +#endif |
366 +#endif |
390 } |
367 } |
391 #ifdef USE_PAM |
368 #ifdef USE_PAM |
392 if (options.use_pam) |
369 if (options.use_pam) |
393 @@ -868,7 +913,25 @@ |
370 @@ -903,6 +948,24 @@ mm_answer_authserv(int sock, Buffer *m) |
394 return (0); |
371 return (0); |
395 } |
372 } |
396 |
373 |
397 +#ifdef PAM_ENHANCEMENT |
374 +#ifdef PAM_ENHANCEMENT |
398 int |
375 +int |
399 +mm_answer_authmethod(int sock, Buffer *m) |
376 +mm_answer_authmethod(int sock, Buffer *m) |
400 +{ |
377 +{ |
401 + monitor_permit_authentications(1); |
378 + monitor_permit_authentications(1); |
402 + |
379 + |
403 + authctxt->authmethod_name = buffer_get_string(m, NULL); |
380 + authctxt->authmethod_name = buffer_get_string(m, NULL); |
410 + |
387 + |
411 + return (0); |
388 + return (0); |
412 +} |
389 +} |
413 +#endif |
390 +#endif |
414 + |
391 + |
415 +int |
392 int |
416 mm_answer_authpassword(int sock, Buffer *m) |
393 mm_answer_authpassword(int sock, Buffer *m) |
417 { |
394 { |
418 static int call_count; |
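Review bot: `mm_answer_authmethod()` stores the string sent by the unprivileged child verbatim (`authctxt->authmethod_name = buffer_get_string(m, NULL);`) with no validation, even though that name later selects the PAM service passed to `pam_start()` in auth-pam.c; how the service name is derived from it is not visible here, but if it is built by concatenation a compromised child could steer the privileged monitor onto an arbitrary PAM stack. The request is registered as `MON_ISAUTH` rather than `MON_ONCE` and is re-permitted in `mm_answer_pwnamallow`, so it can arrive once per userauth attempt, and each arrival overwrites the previous allocation without releasing it — unless the elided lines 404–409 do so. I would accept only names from the fixed set of userauth methods the server knows (none, password, keyboard-interactive, publickey, hostbased, gssapi-with-mic) and `fatal()` on anything else, and release the old value first with `free(authctxt->authmethod_name);` before the assignment (`free(NULL)` is a no-op on the first call). The function body is cut between rendered lines 403 and 410, so part of it is not under review here.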
395 diff -pur old/monitor.h new/monitor.h |
419 --- orig/monitor.h Mon Jan 26 18:02:10 2015 |
396 --- old/monitor.h 2015-03-16 22:49:20.000000000 -0700 |
420 +++ new/monitor.h Mon Jan 26 18:02:11 2015 |
397 +++ new/monitor.h 2015-04-28 06:15:57.421684373 -0700 |
421 @@ -70,6 +70,9 @@ |
398 @@ -65,6 +65,9 @@ enum monitor_reqtype { |
422 MONITOR_REQ_PAM_FREE_CTX = 110, MONITOR_ANS_PAM_FREE_CTX = 111, |
399 MONITOR_REQ_PAM_FREE_CTX = 110, MONITOR_ANS_PAM_FREE_CTX = 111, |
423 MONITOR_REQ_AUDIT_EVENT = 112, MONITOR_REQ_AUDIT_COMMAND = 113, |
400 MONITOR_REQ_AUDIT_EVENT = 112, MONITOR_REQ_AUDIT_COMMAND = 113, |
424 |
401 |
425 +#ifdef PAM_ENHANCEMENT |
402 +#ifdef PAM_ENHANCEMENT |
426 + MONITOR_REQ_AUTHMETHOD = 114, |
403 + MONITOR_REQ_AUTHMETHOD = 114, |
427 +#endif |
404 +#endif |
428 }; |
405 }; |
429 |
406 |
430 struct mm_master; |
407 struct mm_master; |
431 --- orig/servconf.c Mon Jan 26 18:02:09 2015 |
408 diff -pur old/monitor_wrap.c new/monitor_wrap.c |
432 +++ new/servconf.c Tue Mar 31 16:24:59 2015 |
409 --- old/monitor_wrap.c 2015-03-16 22:49:20.000000000 -0700 |
433 @@ -154,6 +154,18 @@ |
410 +++ new/monitor_wrap.c 2015-04-28 06:15:57.419906674 -0700 |
434 options->ip_qos_interactive = -1; |
411 @@ -347,6 +347,24 @@ mm_inform_authserv(char *service, char * |
|
412 buffer_free(&m); |
|
413 } |
|
414 |
|
415 +#ifdef PAM_ENHANCEMENT |
|
416 +/* Inform the privileged process about the authentication method */ |
|
417 +void |
|
418 +mm_inform_authmethod(char *authmethod) |
|
419 +{ |
|
420 + Buffer m; |
|
421 + |
|
422 + debug3("%s entering", __func__); |
|
423 + |
|
424 + buffer_init(&m); |
|
425 + buffer_put_cstring(&m, authmethod); |
|
426 + |
|
427 + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHMETHOD, &m); |
|
428 + |
|
429 + buffer_free(&m); |
|
430 +} |
|
431 +#endif |
|
432 + |
|
433 /* Do the password authentication */ |
|
434 int |
|
435 mm_auth_password(Authctxt *authctxt, char *password) |
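Review bot: `mm_inform_authmethod()` hands its argument straight to `buffer_put_cstring()`, which in OpenSSH `fatal()`s on a NULL pointer, so a caller that reaches this before the method name is known kills the unprivileged child; the callers are not in view, but a short header comment stating the precondition — `/* authmethod must be non-NULL; sent to the monitor before each userauth attempt is processed */` — would make the contract explicit. The parameter is never written through, so `const char *authmethod` matches its use and lets callers pass the method table's constant names without a cast.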
|
436 diff -pur old/servconf.c new/servconf.c |
|
437 --- old/servconf.c 2015-04-28 06:15:57.300968063 -0700 |
|
438 +++ new/servconf.c 2015-04-28 06:27:06.330272555 -0700 |
|
439 @@ -163,6 +163,18 @@ initialize_server_options(ServerOptions |
435 options->ip_qos_bulk = -1; |
440 options->ip_qos_bulk = -1; |
436 options->version_addendum = NULL; |
441 options->version_addendum = NULL; |
|
442 options->fingerprint_hash = -1; |
437 +#ifdef PAM_ENHANCEMENT |
443 +#ifdef PAM_ENHANCEMENT |
438 + options->pam_service_name = NULL; |
444 + options->pam_service_name = NULL; |
439 + options->pam_service_prefix = NULL; |
445 + options->pam_service_prefix = NULL; |
440 + |
446 + |
441 + /* |
447 + /* |
442 + * Each user method will have its own PAM service by default. |
448 + * Each user method will have its own PAM service by default. |
443 + * However, if PAMServiceName is specified or the protocal version |
449 + * However, if PAMServiceName is specified or the protocal version |
444 + * is not compat20, then there will be only one PAM service for the |
450 + * is not compat20, then there will be only one PAM service for the |
445 + * entire user authentication. |
451 + * entire user authentication. |
446 + */ |
452 + */ |
447 + options->pam_service_per_authmethod = 1; |
453 + options->pam_service_per_authmethod = 1; |
448 +#endif |
454 +#endif |
449 } |
455 } |
450 |
456 |
451 void |
457 /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */ |
452 @@ -303,6 +315,12 @@ |
458 @@ -332,6 +344,12 @@ fill_default_server_options(ServerOption |
453 options->ip_qos_bulk = IPTOS_THROUGHPUT; |
459 options->ip_qos_bulk = IPTOS_THROUGHPUT; |
454 if (options->version_addendum == NULL) |
460 if (options->version_addendum == NULL) |
455 options->version_addendum = xstrdup(""); |
461 options->version_addendum = xstrdup(""); |
456 + |
462 + |
457 +#ifdef PAM_ENHANCEMENT |
463 +#ifdef PAM_ENHANCEMENT |
458 + if (options->pam_service_prefix == NULL) |
464 + if (options->pam_service_prefix == NULL) |
459 + options->pam_service_prefix = _SSH_PAM_SERVICE_PREFIX; |
465 + options->pam_service_prefix = _SSH_PAM_SERVICE_PREFIX; |
460 +#endif |
466 +#endif |
461 + |
467 + |
462 /* Turn privilege separation on by default */ |
468 if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1) |
463 if (use_privsep == -1) |
469 options->fwd_opts.streamlocal_bind_mask = 0177; |
464 use_privsep = PRIVSEP_NOSANDBOX; |
470 if (options->fwd_opts.streamlocal_bind_unlink == -1) |
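Review bot: `options->pam_service_prefix = _SSH_PAM_SERVICE_PREFIX;` stores a string constant in a `char *` field, whereas the neighbouring defaults in this hunk are heap copies (`options->version_addendum = xstrdup("")`) and the configured value from the `PAMServicePrefix` keyword is presumably allocated by the parser; mixing the two means any later `free()` or reassignment of the field is undefined behaviour for the default. Use `options->pam_service_prefix = xstrdup(_SSH_PAM_SERVICE_PREFIX);` so ownership is uniform. Separately, a name beginning with an underscore followed by an uppercase letter is reserved for the implementation in C; `SSH_PAM_SERVICE_PREFIX` avoids that without changing behaviour.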
465 @@ -351,6 +369,9 @@ |
471 @@ -400,6 +418,9 @@ typedef enum { |
|
472 sMatch, sPermitOpen, sForceCommand, sChrootDirectory, |
|
473 sUsePrivilegeSeparation, sAllowAgentForwarding, |
|
474 sHostCertificate, |
|
475 +#ifdef PAM_ENHANCEMENT |
|
476 + sPAMServicePrefix, sPAMServiceName, |
|
477 +#endif |
|
478 sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, |
466 sKexAlgorithms, sIPQoS, sVersionAddendum, |
479 sKexAlgorithms, sIPQoS, sVersionAddendum, |
467 sAuthorizedKeysCommand, sAuthorizedKeysCommandUser, |
480 sAuthorizedKeysCommand, sAuthorizedKeysCommandUser, |
468 sAuthenticationMethods, sHostKeyAgent, |
481 @@ -534,6 +555,10 @@ static struct { |
469 +#ifdef PAM_ENHANCEMENT |
482 { "forcecommand", sForceCommand, SSHCFG_ALL }, |
470 + sPAMServicePrefix, sPAMServiceName, |
483 { "chrootdirectory", sChrootDirectory, SSHCFG_ALL }, |
471 +#endif |
484 { "hostcertificate", sHostCertificate, SSHCFG_GLOBAL }, |
472 sDeprecated, sUnsupported |
485 +#ifdef PAM_ENHANCEMENT |
473 } ServerOpCodes; |
486 + { "pamserviceprefix", sPAMServicePrefix, SSHCFG_GLOBAL }, |
474 |
487 + { "pamservicename", sPAMServiceName, SSHCFG_GLOBAL }, |
475 @@ -482,6 +503,10 @@ |
488 +#endif |
476 { "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL }, |
489 { "revokedkeys", sRevokedKeys, SSHCFG_ALL }, |
477 { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL }, |
490 { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL }, |
478 { "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL }, |
491 { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL }, |
479 +#ifdef PAM_ENHANCEMENT |
492 @@ -1765,6 +1790,37 @@ process_server_config_line(ServerOptions |
480 + { "pamserviceprefix", sPAMServicePrefix, SSHCFG_GLOBAL }, |
493 options->fingerprint_hash = value; |
481 + { "pamservicename", sPAMServiceName, SSHCFG_GLOBAL }, |
494 break; |
482 +#endif |
|
483 { NULL, sBadOption, 0 } |
|
484 }; |
|
485 |
|
486 @@ -1632,6 +1657,37 @@ |
|
487 } |
|
488 return 0; |
|
489 |
495 |
490 + case sPAMServicePrefix: |
496 + case sPAMServicePrefix: |
491 + arg = strdelim(&cp); |
497 + arg = strdelim(&cp); |
492 + if (!arg || *arg == '\0') |
498 + if (!arg || *arg == '\0') |
493 + fatal("%s line %d: Missing argument.", |
499 + fatal("%s line %d: Missing argument.", |
532 +#endif |
539 +#endif |
533 + |
540 + |
534 typedef struct { |
541 typedef struct { |
535 u_int num_ports; |
542 u_int num_ports; |
536 u_int ports_from_cmdline; |
543 u_int ports_from_cmdline; |
537 @@ -185,6 +189,13 @@ |
544 @@ -188,6 +192,12 @@ typedef struct { |
538 |
|
539 u_int num_auth_methods; |
545 u_int num_auth_methods; |
540 char *auth_methods[MAX_AUTH_METHODS]; |
546 char *auth_methods[MAX_AUTH_METHODS]; |
541 + |
547 |
542 +#ifdef PAM_ENHANCEMENT |
548 +#ifdef PAM_ENHANCEMENT |
543 + char *pam_service_prefix; |
549 + char *pam_service_prefix; |
544 + char *pam_service_name; |
550 + char *pam_service_name; |
545 + int pam_service_per_authmethod; |
551 + int pam_service_per_authmethod; |
546 +#endif |
552 +#endif |
547 + |
553 + |
|
554 int fingerprint_hash; |
548 } ServerOptions; |
555 } ServerOptions; |
549 |
556 |
550 /* Information about the incoming connection as used by Match */ |
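Review bot: The three new `ServerOptions` fields are undocumented, and `pam_service_per_authmethod` is easy to misread as a configurable option: the keyword table in servconf.c only adds `pamserviceprefix` and `pamservicename`, the flag defaults to 1, and sshd.c clears it for non-protocol-2 sessions. I would annotate them in the struct: `char *pam_service_prefix;  /* PAMServicePrefix; heap-owned */`, `char *pam_service_name;  /* PAMServiceName; NULL = per-method service */`, and `int pam_service_per_authmethod;  /* derived at runtime, not a config keyword; cleared for protocol 1 */`. If the initialize_server_options comment is accurate that setting PAMServiceName also forces a single service, say so in the same comment, since that path is not visible in this patch.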
557 diff -pur old/sshd.8 new/sshd.8 |
551 --- orig/sshd_config.5 Mon Jan 26 18:02:10 2015 |
558 --- old/sshd.8 2015-04-28 06:15:57.254681499 -0700 |
552 +++ new/sshd_config.5 Mon Jan 26 18:03:45 2015 |
559 +++ new/sshd.8 2015-04-28 06:15:57.426325504 -0700 |
553 @@ -868,6 +868,21 @@ |
560 @@ -945,6 +945,33 @@ concurrently for different ports, this c |
|
561 started last). |
|
562 The content of this file is not sensitive; it can be world-readable. |
|
563 .El |
|
564 + |
|
565 +.Sh SECURITY |
|
566 +sshd uses pam(3PAM) for password and keyboard-interactive methods as well as |
|
567 +for account management, session management, and the password management for all |
|
568 +authentication methods. |
|
569 +.Pp |
|
570 +Each SSHv2 userauth type has its own PAM service name: |
|
571 + |
|
572 +.Bd -literal -offset 3n |
|
573 + |
|
574 +----------------------------------------------- |
|
575 +| SSHv2 Userauth | PAM Service Name | |
|
576 +----------------------------------------------- |
|
577 +| none | sshd-none | |
|
578 +----------------------------------------------- |
|
579 +| password | sshd-password | |
|
580 +----------------------------------------------- |
|
581 +| keyboard-interactive | sshd-kbdint | |
|
582 +----------------------------------------------- |
|
583 +| pubkey | sshd-pubkey | |
|
584 +----------------------------------------------- |
|
585 +| hostbased | sshd-hostbased | |
|
586 +----------------------------------------------- |
|
587 +| gssapi-with-mic | sshd-gssapi | |
|
588 +----------------------------------------------- |
|
589 +.Ed |
|
590 + |
|
591 .Sh SEE ALSO |
|
592 .Xr scp 1 , |
|
593 .Xr sftp 1 , |
|
594 diff -pur old/sshd.c new/sshd.c |
|
595 --- old/sshd.c 2015-04-28 06:15:57.302106750 -0700 |
|
596 +++ new/sshd.c 2015-04-28 06:15:57.427449259 -0700 |
|
597 @@ -2146,6 +2146,11 @@ main(int ac, char **av) |
|
598 |
|
599 sshd_exchange_identification(sock_in, sock_out); |
|
600 |
|
601 +#ifdef PAM_ENHANCEMENT |
|
602 + if (!compat20) |
|
603 + options.pam_service_per_authmethod = 0; |
|
604 +#endif |
|
605 + |
|
606 /* In inetd mode, generate ephemeral key only for proto 1 connections */ |
|
607 if (!compat20 && inetd_flag && sensitive_data.server_key == NULL) |
|
608 generate_ephemeral_server_key(); |
|
609 diff -pur old/sshd_config.5 new/sshd_config.5 |
|
610 --- old/sshd_config.5 2015-04-28 06:15:57.256560985 -0700 |
|
611 +++ new/sshd_config.5 2015-04-28 06:15:57.425661853 -0700 |
|
612 @@ -1044,6 +1044,21 @@ The probability increases linearly and a |
554 are refused if the number of unauthenticated connections reaches |
613 are refused if the number of unauthenticated connections reaches |
555 .Dq full |
614 .Dq full |
556 (60). |
615 (60). |
557 +.It Cm PAMServiceName |
616 +.It Cm PAMServiceName |
558 +Specifies the PAM service name for the PAM session. The PAMServiceName and |
617 +Specifies the PAM service name for the PAM session. The PAMServiceName and |
570 +keyboard-interactive authentication method is admincli-kbdint instead of the |
629 +keyboard-interactive authentication method is admincli-kbdint instead of the |
571 +default sshd-kbdint. |
630 +default sshd-kbdint. |
572 .It Cm PasswordAuthentication |
631 .It Cm PasswordAuthentication |
573 Specifies whether password authentication is allowed. |
632 Specifies whether password authentication is allowed. |
574 The default is |
633 The default is |
575 @@ -1203,8 +1218,7 @@ |
634 @@ -1427,8 +1442,7 @@ If |
576 is enabled, you will not be able to run |
635 is enabled, you will not be able to run |
577 .Xr sshd 8 |
636 .Xr sshd 1M |
578 as a non-root user. |
637 as a non-root user. |
579 -The default is |
638 -The default is |
580 -.Dq no . |
639 -.Dq no . |
581 +On Solaris, the option is always enabled. |
640 +On Solaris, the option is always enabled. |
582 .It Cm UsePrivilegeSeparation |
641 .It Cm UsePrivilegeSeparation |
583 Specifies whether |
642 Specifies whether |
584 .Xr sshd 8 |
643 .Xr sshd 1M |
585 --- orig/sshd.8 Mon Jan 26 18:02:09 2015 |
|
586 +++ new/sshd.8 Mon Jan 26 18:02:11 2015 |
|
587 @@ -951,6 +951,33 @@ |
|
588 started last). |
|
589 The content of this file is not sensitive; it can be world-readable. |
|
590 .El |
|
591 + |
|
592 +.Sh SECURITY |
|
593 +sshd uses pam(3PAM) for password and keyboard-interactive methods as well as |
|
594 +for account management, session management, and the password management for all |
|
595 +authentication methods. |
|
596 +.Pp |
|
597 +Each SSHv2 userauth type has its own PAM service name: |
|
598 + |
|
599 +.Bd -literal -offset 3n |
|
600 + |
|
601 +----------------------------------------------- |
|
602 +| SSHv2 Userauth | PAM Service Name | |
|
603 +----------------------------------------------- |
|
604 +| none | sshd-none | |
|
605 +----------------------------------------------- |
|
606 +| password | sshd-password | |
|
607 +----------------------------------------------- |
|
608 +| keyboard-interactive | sshd-kbdint | |
|
609 +----------------------------------------------- |
|
610 +| pubkey | sshd-pubkey | |
|
611 +----------------------------------------------- |
|
612 +| hostbased | sshd-hostbased | |
|
613 +----------------------------------------------- |
|
614 +| gssapi-with-mic | sshd-gssapi | |
|
615 +----------------------------------------------- |
|
616 +.Ed |
|
617 + |
|
618 .Sh SEE ALSO |
|
619 .Xr scp 1 , |
|
620 .Xr sftp 1 , |
|
621 --- orig/sshd.c Tue Mar 31 18:12:33 2015 |
|
622 +++ new/sshd.c Tue Mar 31 18:42:28 2015 |
|
623 @@ -2065,6 +2065,11 @@ |
|
624 |
|
625 sshd_exchange_identification(sock_in, sock_out); |
|
626 |
|
627 +#ifdef PAM_ENHANCEMENT |
|
628 + if (!compat20) |
|
629 + options.pam_service_per_authmethod = 0; |
|
630 +#endif |
|
631 + |
|
632 /* In inetd mode, generate ephemeral key only for proto 1 connections */ |
|
633 if (!compat20 && inetd_flag && sensitive_data.server_key == NULL) |
|
634 generate_ephemeral_server_key(); |
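Review bot: The new block clears `options.pam_service_per_authmethod` only for `!compat20`, yet the comment added in initialize_server_options states that specifying PAMServiceName also collapses authentication to a single PAM service; where that second case is handled is not visible in this patch. If it is handled nowhere else, folding it in here keeps the decision in one place: `if (!compat20 || options.pam_service_name != NULL)`. Either way a one-line comment on why protocol 1 cannot use per-method services (presumably because it has no per-method userauth framing — confirm) would help the next reader, since the flag is otherwise unexplained. `main()` extends well beyond the hunk on both sides.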
|