d9d6f0a2 JR |
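diff -urN openssh-3.4p1-owl-always-auth/Makefile.in openssh-3.4p1/Makefile.in
--- openssh-3.4p1-owl-always-auth/Makefile.in Wed Jun 26 03:45:42 2002
+++ openssh-3.4p1/Makefile.in Mon Jul 1 23:11:30 2002
@@ -64,7 +64,7 @@
 
 SSHOBJS= ssh.o sshconnect.o sshconnect1.o sshconnect2.o sshtty.o readconf.o clientloop.o
 
-SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth2-hostbased.o auth2-kbdint.o auth2-none.o auth2-passwd.o auth2-pubkey.o auth-chall.o auth2-chall.o auth-rhosts.o auth-options.o auth-krb4.o auth-krb5.o auth-pam.o auth2-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o auth-sia.o sshpty.o sshlogin.o loginrec.o servconf.o serverloop.o md5crypt.o session.o groupaccess.o auth-skey.o auth-bsdauth.o monitor_mm.o monitor.o
+SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth2-hostbased.o auth2-kbdint.o auth2-none.o auth2-passwd.o auth2-pubkey.o auth-chall.o auth2-chall.o auth-rhosts.o auth-options.o auth-krb4.o auth-krb5.o auth-pam.o appl_userpass.o auth2-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o auth-sia.o sshpty.o sshlogin.o loginrec.o servconf.o serverloop.o md5crypt.o session.o groupaccess.o auth-skey.o auth-bsdauth.o monitor_mm.o monitor.o
 
 MANPAGES = scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out sshd_config.5.out ssh_config.5.out
 MANPAGES_IN = scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 sshd_config.5 ssh_config.5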
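Review bot: auth-pam.c in this same commit now calls misc_conv() from libpam_misc, but this hunk only adds appl_userpass.o to SSHDOBJS and nothing visible adds -lpam_misc to the sshd link line. Unless configure already puts it into LIBS (not shown here), sshd will fail to link; either add the library to LIBS in Makefile.in under the PAM conditional or point at the configure change that does. appl_userpass.c also includes <security/pam_client.h>, which only Linux-PAM with binary-prompt support provides, so appl_userpass.o should be conditional on that PAM flavour rather than unconditionally in SSHDOBJS, or the non-PAM and non-Linux-PAM builds this Makefile still serves will break.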
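diff -urN openssh-3.4p1-owl-always-auth/_pam_userpass.h openssh-3.4p1/_pam_userpass.h
--- openssh-3.4p1-owl-always-auth/_pam_userpass.h Thu Jan 1 03:00:00 1970
+++ openssh-3.4p1/_pam_userpass.h Mon Jul 1 23:11:30 2002
@@ -0,0 +1,12 @@
+#ifndef __PAM_USERPASS_H
+#define __PAM_USERPASS_H
+
+#define USERPASS_AGENT_ID "userpass"
+#define USERPASS_AGENT_ID_LENGTH 8
+
+#define USERPASS_USER_MASK 0x03
+#define USERPASS_USER_REQUIRED 1
+#define USERPASS_USER_KNOWN 2
+#define USERPASS_USER_FIXED 3
+
+#endif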
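Review bot: USERPASS_AGENT_ID_LENGTH is a hand-maintained copy of strlen(USERPASS_AGENT_ID), and appl_userpass.c uses it to index the flags byte and to skip to the user name; if either definition is edited without the other the parser silently reads the wrong byte. Derive it from the string instead: `#define USERPASS_AGENT_ID_LENGTH (sizeof(USERPASS_AGENT_ID) - 1)`. The include guard __PAM_USERPASS_H is a reserved identifier (leading double underscore); something like `PAM_USERPASS_PRIVATE_H` avoids colliding with the implementation. The flag values carry no explanation: the only one the application side interprets is USERPASS_USER_FIXED (the conversation answers PAM_CONV_AGAIN unless the name in the prompt equals userpass->user), so at minimum that one needs a comment, and a one-liner above the group such as `/* low two bits of the flags byte: how the module treats the user name */` with each value's meaning filled in by the module author would make the wire format reviewable.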
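diff -urN openssh-3.4p1-owl-always-auth/appl_userpass.c openssh-3.4p1/appl_userpass.c
--- openssh-3.4p1-owl-always-auth/appl_userpass.c Thu Jan 1 03:00:00 1970
+++ openssh-3.4p1/appl_userpass.c Mon Jul 1 23:11:30 2002
@@ -0,0 +1,59 @@
+#include <string.h>
+#include <stdlib.h>
+
+#include <security/pam_appl.h>
+#include <security/pam_client.h>
+
+#ifndef PAM_BP_RCONTROL
+/* Linux-PAM prior to 0.74 */
+#define PAM_BP_RCONTROL PAM_BP_CONTROL
+#define PAM_BP_WDATA PAM_BP_DATA
+#define PAM_BP_RDATA PAM_BP_DATA
+#endif
+
+#include "_pam_userpass.h"
+#include "pam_userpass.h"
+
+int pam_userpass_conv(int num_msg, const struct pam_message **msg,
+struct pam_response **resp, void *appdata_ptr)
+{
+pam_userpass_t *userpass = (pam_userpass_t *)appdata_ptr;
+pamc_bp_t prompt;
+const char *input;
+char *output;
+char flags;
+
+if (num_msg != 1 || msg[0]->msg_style != PAM_BINARY_PROMPT)
+return PAM_CONV_ERR;
+
+prompt = (pamc_bp_t)msg[0]->msg;
+input = PAM_BP_RDATA(prompt);
+
+if (PAM_BP_RCONTROL(prompt) != PAM_BPC_SELECT ||
+strncmp(input, USERPASS_AGENT_ID "/", USERPASS_AGENT_ID_LENGTH + 1))
+return PAM_CONV_ERR;
+
+flags = input[USERPASS_AGENT_ID_LENGTH + 1];
+input += USERPASS_AGENT_ID_LENGTH + 1 + 1;
+
+if ((flags & USERPASS_USER_MASK) == USERPASS_USER_FIXED &&
+strcmp(input, userpass->user))
+return PAM_CONV_AGAIN;
+
+if (!(*resp = malloc(sizeof(struct pam_response))))
+return PAM_CONV_ERR;
+
+prompt = NULL;
+PAM_BP_RENEW(&prompt, PAM_BPC_DONE,
+strlen(userpass->user) + 1 + strlen(userpass->pass));
+output = PAM_BP_WDATA(prompt);
+
+strcpy(output, userpass->user);
+output += strlen(output) + 1;
+memcpy(output, userpass->pass, strlen(userpass->pass));
+
+(*resp)[0].resp_retcode = 0;
+(*resp)[0].resp = (char *)prompt;
+
+return PAM_SUCCESS;
+}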
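Review bot: The PAM_BP_RENEW() result is never checked: the macro allocates, and as far as I recall it leaves *bp_p NULL when the allocation fails, so the PAM_BP_WDATA()/strcpy() that follow dereference NULL and the struct pam_response just malloc'd is leaked; add `if (!prompt) { free(*resp); *resp = NULL; return PAM_CONV_ERR; }` right after the PAM_BP_RENEW call. The incoming prompt is also parsed without consulting PAM_BP_LENGTH(): strncmp() on the agent id and strcmp() on the user name assume the binary payload is NUL-terminated, which a binary prompt does not guarantee, so a short or unterminated prompt makes this read past the packet — a check like `if (PAM_BP_LENGTH(prompt) < USERPASS_AGENT_ID_LENGTH + 2 || input[PAM_BP_LENGTH(prompt) - 1] != '\0') return PAM_CONV_ERR;` before the string calls bounds it. The module is local and trusted, so this is defensive hardening rather than an exploit, but this conversation runs inside sshd's pre-authentication path. Minor: `flags` is a plain char, whose signedness varies by platform; `unsigned char flags;` says what is meant even though the 0x03 mask happens to work either way.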
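diff -urN openssh-3.4p1-owl-always-auth/auth-pam.c openssh-3.4p1/auth-pam.c
--- openssh-3.4p1-owl-always-auth/auth-pam.c Mon Jul 1 23:09:55 2002
+++ openssh-3.4p1/auth-pam.c Mon Jul 1 23:38:11 2002
@@ -34,6 +34,9 @@
 #include "canohost.h"
 #include "readpass.h"
 
+#include <security/pam_misc.h>
+#include "pam_userpass.h"
+
 extern char *__progname;
 
 RCSID("$Id$");
@@ -45,13 +48,13 @@
 struct pam_response **resp, void *appdata_ptr);
 
 /* module-local variables */
+static pam_userpass_t userpass;
 static struct pam_conv conv = {
 do_pam_conversation,
-NULL
+&userpass
 };
 static char *__pam_msg = NULL;
 static pam_handle_t *__pamh = NULL;
-static const char *__pampasswd = NULL;
 
 /* states for do_pam_conversation() */
 enum { INITIAL_LOGIN, OTHER } pamstate = INITIAL_LOGIN;
@@ -83,18 +86,45 @@
 * PAM conversation function.
 * There are two states this can run in.
 *
- * INITIAL_LOGIN mode simply feeds the password from the client into
- * PAM in response to PAM_PROMPT_ECHO_OFF, and collects output
- * messages with into __pam_msg. This is used during initial
- * authentication to bypass the normal PAM password prompt.
+ * INITIAL_LOGIN mode simply feeds the username and the password from
+ * the client into PAM via Linux-PAM binary prompts and queues any text
+ * messages for printing later.
 *
- * OTHER mode handles PAM_PROMPT_ECHO_OFF with read_passphrase()
- * and outputs messages to stderr. This mode is used if pam_chauthtok()
- * is called to update expired passwords.
+ * OTHER mode is a regular PAM conversation. This mode is used if
+ * pam_chauthtok() is called to update expired passwords.
 */
 static int do_pam_conversation(int num_msg, const struct pam_message **msg,
 struct pam_response **resp, void *appdata_ptr)
 {
+if (pamstate == INITIAL_LOGIN) {
+int i, status;
+
+status = pam_userpass_conv(num_msg, msg, resp, appdata_ptr);
+if (status != PAM_CONV_ERR)
+return status;
+
+if (!(*resp = malloc(num_msg * sizeof(struct pam_response))))
+return PAM_CONV_ERR;
+for (i = 0; i < num_msg; i++) {
+switch (msg[i]->msg_style) {
+case PAM_ERROR_MSG:
+case PAM_TEXT_INFO:
+message_cat(&__pam_msg, msg[i]->msg);
+(*resp)[i].resp_retcode = PAM_SUCCESS;
+(*resp)[i].resp = NULL;
+continue;
+default:
+free(*resp);
+*resp = NULL;
+return PAM_CONV_ERR;
+}
+}
+return PAM_SUCCESS;
+}
+
+return misc_conv(num_msg, msg, resp, appdata_ptr);
+
+#if 0
 struct pam_response *reply;
 int count;
 char buf[1024];
@@ -170,6 +200,7 @@
 *resp = reply;
 
 return PAM_SUCCESS;
+#endif
 }
 
 /* Called at exit to cleanly shutdown PAM */
@@ -221,7 +252,8 @@
 if (*password == '\0' && options.permit_empty_passwd == 0)
 return 0;
 
-__pampasswd = password;
+userpass.user = pw ? pw->pw_name : "ILLEGAL USER";
+userpass.pass = password;
 
 pamstate = INITIAL_LOGIN;
 pam_retval = do_pam_authenticate(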
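Review bot: In the last hunk userpass.pass is left pointing at the caller's password buffer after do_pam_authenticate() returns (the call and the rest of the function continue outside the hunk); because conv.appdata_ptr is the static userpass and pamstate stays INITIAL_LOGIN until something else changes it, any later pam_*() call that reaches the conversation hands pam_userpass_conv() a pointer into memory the caller may have cleared or freed by then, and meanwhile sshd keeps a live reference to the secret it does not need. Clear both fields once the authenticate call has returned, `userpass.user = NULL; userpass.pass = NULL;`, so the reference does not outlive the attempt. The "ILLEGAL USER" placeholder for a NULL pw also deserves a comment: a module that sends USERPASS_USER_FIXED can never match it, so pam_userpass_conv() returns PAM_CONV_AGAIN, which is a different path from a known user with a wrong password — if the always-auth base is meant to keep unknown users indistinguishable, passing the client-supplied name (if this function has it) would be closer to that goal, and what the module does on PAM_CONV_AGAIN should be confirmed before relying on it. Separately, in the do_pam_conversation hunk the old body is kept under `#if 0`; dead code should be deleted rather than parked, the history is in version control.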
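diff -urN openssh-3.4p1-owl-always-auth/pam_userpass.h openssh-3.4p1/pam_userpass.h
--- openssh-3.4p1-owl-always-auth/pam_userpass.h Thu Jan 1 03:00:00 1970
+++ openssh-3.4p1/pam_userpass.h Mon Jul 1 23:11:30 2002
@@ -0,0 +1,14 @@
+#ifndef _PAM_USERPASS_H
+#define _PAM_USERPASS_H
+
+#include <security/pam_appl.h>
+
+typedef struct {
+const char *user;
+const char *pass;
+} pam_userpass_t;
+
+extern int pam_userpass_conv(int num_msg, const struct pam_message **msg,
+struct pam_response **resp, void *appdata_ptr);
+
+#endif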
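Review bot: pam_userpass_t carries two borrowed pointers, one of them a live password, and nothing says who owns them or how long they must stay valid; auth-pam.c in this commit points them at the caller's buffers through a static conv.appdata_ptr, so the contract matters. A comment on the struct along the lines of `/* Borrowed, not owned: user and pass must stay valid for the pam_*() call that triggers the conversation; pass is a secret and is neither copied nor freed here. */` would prevent the next caller from storing a temporary. pam_userpass_conv()'s behaviour also belongs on the declaration: it accepts exactly one PAM_BINARY_PROMPT carrying the "userpass" agent id, returns PAM_CONV_ERR for anything else so a wrapper can fall back to a text conversation, and PAM_CONV_AGAIN when the module has fixed a user name different from userpass->user. The guard _PAM_USERPASS_H (underscore followed by a capital) is a reserved identifier; `PAM_USERPASS_H` is safe.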