Mercurial Mercurial > upstream > oracle > userland-gate / file revision
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | comparison | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
components/openssh/patches/025-login_to_a_role.patch
author Tomas Kuthan <tomas.kuthan@oracle.com>
Mon, 06 Feb 2017 22:51:03 -0800
changeset 7649 69d7508f0d66
parent 5818 5f0e7a0f17c2
permissions -rw-r--r--
PSARC/2017/022 OpenSSH 7.4 25295722 upgrade OpenSSH to 7.4p1 25295787 problem in UTILITY/OPENSSH 25295804 problem in UTILITY/OPENSSH 25295822 problem in UTILITY/OPENSSH 25295840 problem in UTILITY/OPENSSH

#
# Enable login to a role for hostbased authentication if allowed by PAM.
#
# Sets PAM_AUSER item to user who is asserting a new identity before
# calling do_pam_account(). Implemented using existing static variable
# hostbased_cuser. The change is protected by new HAVE_PAM_AUSER ifdef-guard,
# which is set to defined on Solaris.
#
# Patch offered upstream:
#     https://bugzilla.mindrot.org/show_bug.cgi?id=2378
#
diff -pur old/auth-pam.c new/auth-pam.c
--- old/auth-pam.c
+++ new/auth-pam.c
@@ -1040,6 +1040,20 @@ start_pam(Authctxt *authctxt)
 		fatal("PAM: initialisation failed");
 }
 
+#ifdef HAVE_PAM_AUSER
+void
+do_pam_set_auser(const char* auser)
+{
+	if (auser != NULL) {
+		debug("PAM: setting PAM_AUSER to \"%s\"", auser);
+		sshpam_err = pam_set_item(sshpam_handle, PAM_AUSER, auser);
+		if (sshpam_err != PAM_SUCCESS)
+			error("PAM: failed to set PAM_AUSER: %s",
+			    pam_strerror(sshpam_handle, sshpam_err));
+	}
+}
+#endif
+
 void
 finish_pam(void)
 {
diff -pur old/auth-pam.h new/auth-pam.h
--- old/auth-pam.h
+++ new/auth-pam.h
@@ -29,6 +29,9 @@ void start_pam(Authctxt *);
 void finish_pam(void);
 u_int do_pam_account(void);
 void do_pam_session(void);
+#ifdef HAVE_PAM_AUSER
+void do_pam_set_auser(const char *);
+#endif
 void do_pam_setcred(int );
 void do_pam_chauthtok(void);
 int do_pam_putenv(char *, char *);
diff -pur old/auth.h new/auth.h
--- old/auth.h
+++ new/auth.h
@@ -84,6 +84,9 @@ struct Authctxt {
 #ifdef PAM_ENHANCEMENT
         char            *authmethod_name;
 #endif 
+#ifdef HAVE_PAM_AUSER
+	char		*auser;
+#endif 
 };
 /*
  * Every authentication method has to handle authentication requests for
diff -pur old/auth2-hostbased.c new/auth2-hostbased.c
--- old/auth2-hostbased.c
+++ new/auth2-hostbased.c
@@ -85,6 +85,9 @@ userauth_hostbased(Authctxt *authctxt)
 	buffer_dump(&b);
 	buffer_free(&b);
 #endif
+#ifdef HAVE_PAM_AUSER
+	authctxt->auser = NULL;
+#endif
 	pktype = key_type_from_name(pkalg);
 	if (pktype == KEY_UNSPEC) {
 		/* this is perfectly legal */
@@ -142,6 +145,13 @@ userauth_hostbased(Authctxt *authctxt)
 			buffer_len(&b))) == 1)
 		authenticated = 1;
 
+#ifdef HAVE_PAM_AUSER
+	if (authenticated) {
+		authctxt->auser = cuser;
+		cuser = NULL;
+	}
+#endif
+
 	buffer_free(&b);
 done:
 	debug2("userauth_hostbased: authenticated %d", authenticated);
diff -pur old/auth2.c new/auth2.c
--- old/auth2.c
+++ new/auth2.c
@@ -339,6 +339,14 @@ userauth_finish(Authctxt *authctxt, int
 #endif
 	}
 
+#ifdef HAVE_PAM_AUSER
+	if (!use_privsep) {
+		do_pam_set_auser(authctxt->auser);
+		free(authctxt->auser);
+		authctxt->auser = NULL;	
+	}
+#endif
+
 	if (authenticated && options.num_auth_methods != 0) {
 
 #if defined(USE_PAM) && defined(PAM_ENHANCEMENT)
diff -pur old/config.h.in new/config.h.in
--- old/config.h.in
+++ new/config.h.in
@@ -839,6 +839,9 @@
 /* Define if you have Digital Unix Security Integration Architecture */
 #undef HAVE_OSF_SIA
 
+/* Define if you have PAM_AUSER PAM item */
+#undef HAVE_PAM_AUSER
+
 /* Define to 1 if you have the `pam_getenvlist' function. */
 #undef HAVE_PAM_GETENVLIST
 
diff -pur old/configure.ac new/configure.ac
--- old/configure.ac
+++ new/configure.ac
@@ -951,6 +951,7 @@ mips-sony-bsd|mips-sony-newsos4)
 	TEST_SHELL=$SHELL	# let configure find us a capable shell
         AC_DEFINE([USE_GSS_STORE_CRED])
         AC_DEFINE([GSSAPI_STORECREDS_NEEDS_RUID])
+        AC_DEFINE([HAVE_PAM_AUSER])
 	;;
 *-*-sunos4*)
 	CPPFLAGS="$CPPFLAGS -DSUNOS4"
diff -pur old/monitor.c new/monitor.c
--- old/monitor.c
+++ new/monitor.c
@@ -400,6 +400,12 @@ monitor_child_preauth(Authctxt *_authctx
 		}
 	}
 
+#if defined(HAVE_PAM_AUSER) && defined(USE_PAM)
+	if (hostbased_cuser != NULL) {
+		free(hostbased_cuser);
+		hostbased_cuser = NULL;
+	}
+#endif
 	if (!authctxt->valid)
 		fatal("%s: authenticated invalid user", __func__);
 	if (strcmp(auth_method, "unknown") == 0)
@@ -599,12 +605,14 @@ monitor_reset_key_state(void)
 {
 	/* reset state */
 	free(key_blob);
+#if !defined(HAVE_PAM_AUSER) || !defined(USE_PAM)
 	free(hostbased_cuser);
+	hostbased_cuser = NULL;
+#endif
 	free(hostbased_chost);
 	key_blob = NULL;
 	key_bloblen = 0;
 	key_blobtype = MM_NOKEY;
-	hostbased_cuser = NULL;
 	hostbased_chost = NULL;
 }
 
@@ -1061,6 +1069,11 @@ mm_answer_pam_account(int sock, Buffer *
 	if (!options.use_pam)
 		fatal("%s: PAM not enabled", __func__);
 
+#ifdef HAVE_PAM_AUSER
+	if (hostbased_cuser != NULL)
+		do_pam_set_auser(hostbased_cuser);
+#endif
+
 	ret = do_pam_account();
 
 	buffer_put_int(m, ret);
upstream/oracle/userland-gate