PSARC/2015/395 OpenSSH 7.1p1
PSARC 2014/390 OpenSSH GSSKEY
21696247 upgrade OpenSSH to 7.1p1
22031540 problem in UTILITY/OPENSSH
22022180 problem in UTILITY/OPENSSH
22048638 problem in UTILITY/OPENSSH
19775805 OpenSSH contains a redundant call to do_pam_setcred()
21379157 OpenSSH shouldn't call setproject(3PROJECT) when configured to use PAM
20919294 upgrade OpenSSH to 6.8p1
19130869 migrate the Xforwarding bug fix (15350344) from SunSSH to OpenSSH
21861322 OpenSSH client hangs on broken pipe
22018764 remove cast128-cbc from OpenSSH
21919790 add GSSKeyEx as an alias to GSSAPIKeyExchange in OpenSSH
19941148 GSS-API Key Exchange for OpenSSH
21643415 OpenSSH should use AI_ADDRCONFIG per bug 19827438
20370803 OpenSSH patch number collision
20711463 OpenSSH wants to be able to login to a role too
22389801 OpenSSH: remove cast from ssh(1), sshd(8), ssh_config(5) and sshd_config(5)
22582153 openssh system/linker should be added to core REQ
#
# Enable login to a role for hostbased authentication if allowed by PAM.
#
# Sets the PAM_AUSER item to the user who is asserting a new identity before
# calling do_pam_account(). Implemented using the existing static variable
# hostbased_cuser. The change is protected by a new HAVE_PAM_AUSER ifdef guard,
# which is defined on Solaris.
#
# Patch offered upstream:
# https://bugzilla.mindrot.org/show_bug.cgi?id=2378
#
diff -pur old/auth-pam.c new/auth-pam.c
--- old/auth-pam.c 2015-05-21 04:08:41.910932322 -0700
+++ new/auth-pam.c 2015-05-21 04:08:42.024831668 -0700
@@ -1038,6 +1038,20 @@ do_pam_account(void)
return (sshpam_account_status);
}
+#ifdef HAVE_PAM_AUSER
+void
+do_pam_set_auser(const char* auser)
+{
+ if (auser != NULL) {
+ debug("PAM: setting PAM_AUSER to \"%s\"", auser);
+ sshpam_err = pam_set_item(sshpam_handle, PAM_AUSER, auser);
+ if (sshpam_err != PAM_SUCCESS)
+ error("PAM: failed to set PAM_AUSER: %s",
+ pam_strerror(sshpam_handle, sshpam_err));
+ }
+}
+#endif
+
void
do_pam_set_tty(const char *tty)
{
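Review bot: The new definition spells its parameter `const char* auser`, while the matching declaration added to auth-pam.h and the neighbouring `do_pam_set_tty(const char *tty)` bind the `*` to the name; write `do_pam_set_auser(const char *auser)` so the two spellings agree. The function also has no header comment, and its contract (it must run before do_pam_account(), and a NULL argument is a deliberate no-op rather than a reset of the item) is not obvious; suggest `/* Record the client-supplied user asserting a new identity as PAM_AUSER; must precede do_pam_account(). NULL leaves the item untouched. */` above it. The failure path only logs, so callers cannot tell whether the item was set; that appears intentional but is worth stating in the comment.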
diff -pur old/auth-pam.h new/auth-pam.h
--- old/auth-pam.h 2015-03-16 22:49:20.000000000 -0700
+++ new/auth-pam.h 2015-05-21 04:08:42.025160216 -0700
@@ -35,6 +35,9 @@ void start_pam(Authctxt *);
void finish_pam(void);
u_int do_pam_account(void);
void do_pam_session(void);
+#ifdef HAVE_PAM_AUSER
+void do_pam_set_auser(const char *);
+#endif
void do_pam_set_tty(const char *);
void do_pam_setcred(int );
void do_pam_chauthtok(void);
diff -pur old/auth.h new/auth.h
--- old/auth.h 2015-05-21 04:08:41.911346027 -0700
+++ new/auth.h 2015-05-21 04:08:42.025504068 -0700
@@ -84,6 +84,9 @@ struct Authctxt {
#ifdef PAM_ENHANCEMENT
char *authmethod_name;
#endif
+#ifdef HAVE_PAM_AUSER
+ char *auser;
+#endif
};
/*
* Every authentication method has to handle authentication requests for
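Review bot: The new `auser` member has no comment, and ownership of the string is the thing a reader of this struct needs: auth2-hostbased.c hands the malloc'd `cuser` to it and auth2.c frees it in userauth_finish(). Suggest `char *auser; /* hostbased client user (malloc'd); set in userauth_hostbased(), freed in userauth_finish() */` so the contract is visible next to the field rather than split across two other files.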
diff -pur old/auth2-hostbased.c new/auth2-hostbased.c
--- old/auth2-hostbased.c 2015-03-16 22:49:20.000000000 -0700
+++ new/auth2-hostbased.c 2015-05-21 04:08:42.026208843 -0700
@@ -85,6 +85,9 @@ userauth_hostbased(Authctxt *authctxt)
buffer_dump(&b);
buffer_free(&b);
#endif
+#ifdef HAVE_PAM_AUSER
+ authctxt->auser = NULL;
+#endif
pktype = key_type_from_name(pkalg);
if (pktype == KEY_UNSPEC) {
/* this is perfectly legal */
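Review bot: Assigning `authctxt->auser = NULL` at the top of userauth_hostbased() drops whatever the field still points to; the field is only released in userauth_finish() and, from the auth2.c hunk, only when privsep is off, so a repeated hostbased attempt can leave an earlier string unreachable. Releasing first is cheap and safe because free(NULL) is a no-op: `free(authctxt->auser);` followed by `authctxt->auser = NULL;`. The enclosing function starts before this hunk.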
@@ -143,6 +146,13 @@ userauth_hostbased(Authctxt *authctxt)
buffer_len(&b))) == 1)
authenticated = 1;
+#ifdef HAVE_PAM_AUSER
+ if (authenticated) {
+ authctxt->auser = cuser;
+ cuser = NULL;
+ }
+#endif
+
buffer_free(&b);
done:
debug2("userauth_hostbased: authenticated %d", authenticated);
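Review bot: Ownership of `cuser` moves to `authctxt->auser` on success, but the only free of that field (the userauth_finish() change in auth2.c) is inside `if (!use_privsep)`, so with privilege separation the unprivileged child appears to keep the string until it exits while the monitor uses hostbased_cuser instead. Either skip the hand-over when it is not going to be consumed, or make the intent explicit with a comment at the assignment, e.g. `/* ownership of cuser passes to authctxt->auser; userauth_finish() releases it (non-privsep only) */`. The `cuser = NULL;` after the transfer is the right guard against the `free(cuser)` that presumably follows the `done:` label outside this hunk.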
diff -pur old/auth2.c new/auth2.c
--- old/auth2.c 2015-05-21 04:08:41.947286493 -0700
+++ new/auth2.c 2015-05-21 04:08:42.026846014 -0700
@@ -339,6 +339,14 @@ userauth_finish(Authctxt *authctxt, int
#endif
}
+#ifdef HAVE_PAM_AUSER
+ if (!use_privsep) {
+ do_pam_set_auser(authctxt->auser);
+ free(authctxt->auser);
+ authctxt->auser = NULL;
+ }
+#endif
+
if (authenticated && options.num_auth_methods != 0) {
#if defined(USE_PAM) && defined(PAM_ENHANCEMENT)
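Review bot: `do_pam_set_auser(authctxt->auser)` is invoked whenever privsep is off without consulting `options.use_pam`, whereas the equivalent call in mm_answer_pam_account() sits behind that check; if PAM was never started the pam_set_item() on the handle presumably fails and produces a spurious "failed to set PAM_AUSER" error for every non-privsep hostbased login with UsePAM off. Suggest `if (options.use_pam) do_pam_set_auser(authctxt->auser);` with the free left unconditional. The guard here is also `#ifdef HAVE_PAM_AUSER` alone, while the new monitor.c blocks use `defined(HAVE_PAM_AUSER) && defined(USE_PAM)`; since configure.ac defines HAVE_PAM_AUSER unconditionally for the Solaris case, a build without PAM would reference a function that is likely only compiled under USE_PAM, so the guards should be aligned. userauth_finish() begins and ends outside this hunk.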
diff -pur old/config.h.in new/config.h.in
--- old/config.h.in 2015-05-21 04:08:41.938119429 -0700
+++ new/config.h.in 2015-05-21 04:08:42.027796887 -0700
@@ -827,6 +827,9 @@
/* Define if you have Digital Unix Security Integration Architecture */
#undef HAVE_OSF_SIA
+/* Define if you have PAM_AUSER PAM item */
+#undef HAVE_PAM_AUSER
+
/* Define to 1 if you have the `pam_getenvlist' function. */
#undef HAVE_PAM_GETENVLIST
diff -pur old/configure new/configure
--- old/configure 2015-05-21 04:08:41.952127851 -0700
+++ new/configure 2015-05-21 04:09:34.214165539 -0700
@@ -10872,6 +10872,7 @@ fi
cat >>confdefs.h <<\_ACEOF
#define USE_GSS_STORE_CRED 1
#define GSSAPI_STORECREDS_NEEDS_RUID 1
+#define HAVE_PAM_AUSER 1
_ACEOF
TEST_SHELL=$SHELL # let configure find us a capable shell
diff -pur old/configure.ac new/configure.ac
--- old/configure.ac 2015-05-21 04:08:41.886514252 -0700
+++ new/configure.ac 2015-05-21 04:08:42.052981088 -0700
@@ -904,6 +904,7 @@ mips-sony-bsd|mips-sony-newsos4)
TEST_SHELL=$SHELL # let configure find us a capable shell
AC_DEFINE([USE_GSS_STORE_CRED])
AC_DEFINE([GSSAPI_STORECREDS_NEEDS_RUID])
+ AC_DEFINE([HAVE_PAM_AUSER])
;;
*-*-sunos4*)
CPPFLAGS="$CPPFLAGS -DSUNOS4"
diff -pur old/monitor.c new/monitor.c
--- old/monitor.c 2015-05-21 04:08:41.964048305 -0700
+++ new/monitor.c 2015-05-21 04:08:42.054374639 -0700
@@ -461,6 +461,12 @@ monitor_child_preauth(Authctxt *_authctx
}
}
+#if defined(HAVE_PAM_AUSER) && defined(USE_PAM)
+ if (hostbased_cuser != NULL) {
+ free(hostbased_cuser);
+ hostbased_cuser = NULL;
+ }
+#endif
if (!authctxt->valid)
fatal("%s: authenticated invalid user", __func__);
if (strcmp(auth_method, "unknown") == 0)
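Review bot: The `if (hostbased_cuser != NULL)` around the free is redundant, since free(NULL) is a no-op, and the same file's monitor_reset_key_state() releases the pointer without a guard; for consistency write `free(hostbased_cuser);` then `hostbased_cuser = NULL;` inside the `#if`. A short comment on why the release now lives here would help a reader who sees it removed from monitor_reset_key_state(), e.g. `/* kept alive past key verification so mm_answer_pam_account() can pass it as PAM_AUSER */`. monitor_child_preauth() begins before this hunk.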
@@ -694,12 +700,14 @@ monitor_reset_key_state(void)
{
/* reset state */
free(key_blob);
+#if !defined(HAVE_PAM_AUSER) || !defined(USE_PAM)
free(hostbased_cuser);
+ hostbased_cuser = NULL;
+#endif
free(hostbased_chost);
key_blob = NULL;
key_bloblen = 0;
key_blobtype = MM_NOKEY;
- hostbased_cuser = NULL;
hostbased_chost = NULL;
}
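Review bot: Once `hostbased_cuser` survives monitor_reset_key_state() it is no longer tied to the attempt that set it: if a hostbased key is allowed but the later signature check fails, the string stays set, and the mm_answer_pam_account() hunk below will still feed it to do_pam_set_auser() when the client subsequently succeeds with a different method, so PAM_AUSER can name a user from a failed attempt (inferred from upstream monitor flow; verify in mm_answer_keyverify()). The value should be cleared on the verification-failure path, or only consumed when the accounted method is hostbased. Retaining it across attempts also means a fresh allowed hostbased attempt overwrites the previous pointer without freeing it, which the old unconditional free here prevented.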
@@ -1146,6 +1154,11 @@ mm_answer_pam_account(int sock, Buffer *
if (!options.use_pam)
fatal("UsePAM not set, but ended up in %s anyway", __func__);
+#ifdef HAVE_PAM_AUSER
+ if (hostbased_cuser != NULL)
+ do_pam_set_auser(hostbased_cuser);
+#endif
+
ret = do_pam_account();
buffer_put_int(m, ret);
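Review bot: The `if (hostbased_cuser != NULL)` test duplicates the NULL check already inside do_pam_set_auser(), so the call can be made unconditionally: `do_pam_set_auser(hostbased_cuser);`. A one-line comment stating that this must precede do_pam_account() because PAM account modules read PAM_AUSER would make the ordering constraint explicit for the next maintainer. mm_answer_pam_account() continues outside this hunk.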