22631538 Patch comment incorrect/outdated for patch 039-sshd_config_5_defaults.patch
#
# Enable login to a role for hostbased authentication if allowed by PAM.
#
# Sets PAM_AUSER item to user who is asserting a new identity before
# calling do_pam_account(). Implemented using existing static variable
# hostbased_cuser. The change is protected by new HAVE_PAM_AUSER ifdef-guard,
# which is set to defined on Solaris.
#
# Patch offered upstream:
# https://bugzilla.mindrot.org/show_bug.cgi?id=2378
#
diff -pur old/auth-pam.c new/auth-pam.c
--- old/auth-pam.c 2015-05-21 04:08:41.910932322 -0700
+++ new/auth-pam.c 2015-05-21 04:08:42.024831668 -0700
@@ -1038,6 +1038,20 @@ do_pam_account(void)
return (sshpam_account_status);
}
+#ifdef HAVE_PAM_AUSER
+void
+do_pam_set_auser(const char* auser)
+{
+ if (auser != NULL) {
+ debug("PAM: setting PAM_AUSER to \"%s\"", auser);
+ sshpam_err = pam_set_item(sshpam_handle, PAM_AUSER, auser);
+ if (sshpam_err != PAM_SUCCESS)
+ error("PAM: failed to set PAM_AUSER: %s",
+ pam_strerror(sshpam_handle, sshpam_err));
+ }
+}
+#endif
+
void
do_pam_set_tty(const char *tty)
{
diff -pur old/auth-pam.h new/auth-pam.h
--- old/auth-pam.h 2015-03-16 22:49:20.000000000 -0700
+++ new/auth-pam.h 2015-05-21 04:08:42.025160216 -0700
@@ -35,6 +35,9 @@ void start_pam(Authctxt *);
void finish_pam(void);
u_int do_pam_account(void);
void do_pam_session(void);
+#ifdef HAVE_PAM_AUSER
+void do_pam_set_auser(const char *);
+#endif
void do_pam_set_tty(const char *);
void do_pam_setcred(int );
void do_pam_chauthtok(void);
diff -pur old/auth.h new/auth.h
--- old/auth.h 2015-05-21 04:08:41.911346027 -0700
+++ new/auth.h 2015-05-21 04:08:42.025504068 -0700
@@ -84,6 +84,9 @@ struct Authctxt {
#ifdef PAM_ENHANCEMENT
char *authmethod_name;
#endif
+#ifdef HAVE_PAM_AUSER
+ char *auser;
+#endif
};
/*
* Every authentication method has to handle authentication requests for
diff -pur old/auth2-hostbased.c new/auth2-hostbased.c
--- old/auth2-hostbased.c 2015-03-16 22:49:20.000000000 -0700
+++ new/auth2-hostbased.c 2015-05-21 04:08:42.026208843 -0700
@@ -85,6 +85,9 @@ userauth_hostbased(Authctxt *authctxt)
buffer_dump(&b);
buffer_free(&b);
#endif
+#ifdef HAVE_PAM_AUSER
+ authctxt->auser = NULL;
+#endif
pktype = key_type_from_name(pkalg);
if (pktype == KEY_UNSPEC) {
/* this is perfectly legal */
@@ -143,6 +146,13 @@ userauth_hostbased(Authctxt *authctxt)
buffer_len(&b))) == 1)
authenticated = 1;
+#ifdef HAVE_PAM_AUSER
+ if (authenticated) {
+ authctxt->auser = cuser;
+ cuser = NULL;
+ }
+#endif
+
buffer_free(&b);
done:
debug2("userauth_hostbased: authenticated %d", authenticated);
diff -pur old/auth2.c new/auth2.c
--- old/auth2.c 2015-05-21 04:08:41.947286493 -0700
+++ new/auth2.c 2015-05-21 04:08:42.026846014 -0700
@@ -339,6 +339,14 @@ userauth_finish(Authctxt *authctxt, int
#endif
}
+#ifdef HAVE_PAM_AUSER
+ if (!use_privsep) {
+ do_pam_set_auser(authctxt->auser);
+ free(authctxt->auser);
+ authctxt->auser = NULL;
+ }
+#endif
+
if (authenticated && options.num_auth_methods != 0) {
#if defined(USE_PAM) && defined(PAM_ENHANCEMENT)
diff -pur old/config.h.in new/config.h.in
--- old/config.h.in 2015-05-21 04:08:41.938119429 -0700
+++ new/config.h.in 2015-05-21 04:08:42.027796887 -0700
@@ -827,6 +827,9 @@
/* Define if you have Digital Unix Security Integration Architecture */
#undef HAVE_OSF_SIA
+/* Define if you have PAM_AUSER PAM item */
+#undef HAVE_PAM_AUSER
+
/* Define to 1 if you have the `pam_getenvlist' function. */
#undef HAVE_PAM_GETENVLIST
diff -pur old/configure new/configure
--- old/configure 2015-05-21 04:08:41.952127851 -0700
+++ new/configure 2015-05-21 04:09:34.214165539 -0700
@@ -10872,6 +10872,7 @@ fi
cat >>confdefs.h <<\_ACEOF
#define USE_GSS_STORE_CRED 1
#define GSSAPI_STORECREDS_NEEDS_RUID 1
+#define HAVE_PAM_AUSER 1
_ACEOF
TEST_SHELL=$SHELL # let configure find us a capable shell
diff -pur old/configure.ac new/configure.ac
--- old/configure.ac 2015-05-21 04:08:41.886514252 -0700
+++ new/configure.ac 2015-05-21 04:08:42.052981088 -0700
@@ -904,6 +904,7 @@ mips-sony-bsd|mips-sony-newsos4)
TEST_SHELL=$SHELL # let configure find us a capable shell
AC_DEFINE([USE_GSS_STORE_CRED])
AC_DEFINE([GSSAPI_STORECREDS_NEEDS_RUID])
+ AC_DEFINE([HAVE_PAM_AUSER])
;;
*-*-sunos4*)
CPPFLAGS="$CPPFLAGS -DSUNOS4"
diff -pur old/monitor.c new/monitor.c
--- old/monitor.c 2015-05-21 04:08:41.964048305 -0700
+++ new/monitor.c 2015-05-21 04:08:42.054374639 -0700
@@ -461,6 +461,12 @@ monitor_child_preauth(Authctxt *_authctx
}
}
+#if defined(HAVE_PAM_AUSER) && defined(USE_PAM)
+ if (hostbased_cuser != NULL) {
+ free(hostbased_cuser);
+ hostbased_cuser = NULL;
+ }
+#endif
if (!authctxt->valid)
fatal("%s: authenticated invalid user", __func__);
if (strcmp(auth_method, "unknown") == 0)
@@ -694,12 +700,14 @@ monitor_reset_key_state(void)
{
/* reset state */
free(key_blob);
+#if !defined(HAVE_PAM_AUSER) || !defined(USE_PAM)
free(hostbased_cuser);
+ hostbased_cuser = NULL;
+#endif
free(hostbased_chost);
key_blob = NULL;
key_bloblen = 0;
key_blobtype = MM_NOKEY;
- hostbased_cuser = NULL;
hostbased_chost = NULL;
}
@@ -1146,6 +1154,11 @@ mm_answer_pam_account(int sock, Buffer *
if (!options.use_pam)
fatal("UsePAM not set, but ended up in %s anyway", __func__);
+#ifdef HAVE_PAM_AUSER
+ if (hostbased_cuser != NULL)
+ do_pam_set_auser(hostbased_cuser);
+#endif
+
ret = do_pam_account();
buffer_put_int(m, ret);