[packages/openssh.git] / openssh-pam-authctxt.patch

Index: auth-pam.c
===================================================================
RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth-pam.c,v
retrieving revision 1.97
diff -u -p -r1.97 auth-pam.c
--- auth-pam.c	4 Mar 2004 09:03:54 -0000	1.97
+++ auth-pam.c	4 Mar 2004 10:53:12 -0000
@@ -160,7 +160,7 @@ static int sshpam_session_open = 0;
 static int sshpam_cred_established = 0;
 static int sshpam_account_status = -1;
 static char **sshpam_env = NULL;
-static int *force_pwchange;
+static Authctxt *the_authctxt = NULL;
 
 /* Some PAM implementations don't implement this */
 #ifndef HAVE_PAM_GETENVLIST
@@ -180,7 +180,9 @@ void
 pam_password_change_required(int reqd)
 {
 	debug3("%s %d", __func__, reqd);
-	*force_pwchange = reqd;
+	if (the_authctxt == NULL)
+		fatal("%s: PAM authctxt not initialized", __func__);
+	the_authctxt->force_pwchange = reqd;
 	if (reqd) {
 		no_port_forwarding_flag |= 2;
 		no_agent_forwarding_flag |= 2;
@@ -339,6 +341,9 @@ sshpam_thread(void *ctxtp)
 	sshpam_conv.conv = sshpam_thread_conv;
 	sshpam_conv.appdata_ptr = ctxt;
 
+	if (the_authctxt == NULL)
+		fatal("%s: PAM authctxt not initialized", __func__);
+
 	buffer_init(&buffer);
 	sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
 	    (const void *)&sshpam_conv);
@@ -351,7 +356,7 @@ sshpam_thread(void *ctxtp)
 	if (compat20) {
 		if (!do_pam_account())
 			goto auth_fail;
-		if (*force_pwchange) {
+		if (the_authctxt->force_pwchange) {
 			sshpam_err = pam_chauthtok(sshpam_handle,
 			    PAM_CHANGE_EXPIRED_AUTHTOK);
 			if (sshpam_err != PAM_SUCCESS)
@@ -365,7 +370,7 @@ sshpam_thread(void *ctxtp)
 #ifndef USE_POSIX_THREADS
 	/* Export variables set by do_pam_account */
 	buffer_put_int(&buffer, sshpam_account_status);
-	buffer_put_int(&buffer, *force_pwchange);
+	buffer_put_int(&buffer, the_authctxt->force_pwchange);
 
 	/* Export any environment strings set in child */
 	for(i = 0; environ[i] != NULL; i++)
@@ -446,11 +451,11 @@ sshpam_cleanup(void)
 }
 
 static int
-sshpam_init(const char *user)
+sshpam_init(Authctxt *authctxt)
 {
 	extern u_int utmp_len;
 	extern char *__progname;
-	const char *pam_rhost, *pam_user;
+	const char *pam_rhost, *pam_user, *user = authctxt->user;
 
 	if (sshpam_handle != NULL) {
 		/* We already have a PAM context; check if the user matches */
@@ -464,6 +469,8 @@ sshpam_init(const char *user)
 	debug("PAM: initializing for \"%s\"", user);
 	sshpam_err =
 	    pam_start(SSHD_PAM_SERVICE, user, &null_conv, &sshpam_handle);
+	the_authctxt = authctxt;
+
 	if (sshpam_err != PAM_SUCCESS) {
 		pam_end(sshpam_handle, sshpam_err);
 		sshpam_handle = NULL;
@@ -506,7 +513,7 @@ sshpam_init_ctx(Authctxt *authctxt)
 		return NULL;
 
 	/* Initialize PAM */
-	if (sshpam_init(authctxt->user) == -1) {
+	if (sshpam_init(authctxt) == -1) {
 		error("PAM: initialization failed");
 		return (NULL);
 	}
@@ -514,8 +521,6 @@ sshpam_init_ctx(Authctxt *authctxt)
 	ctxt = xmalloc(sizeof *ctxt);
 	memset(ctxt, 0, sizeof(*ctxt));
 
-	force_pwchange = &(authctxt->force_pwchange);
-
 	/* Start the authentication thread */
 	if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC, socks) == -1) {
 		error("PAM: failed create sockets: %s", strerror(errno));
@@ -674,12 +679,12 @@ KbdintDevice mm_sshpam_device = {
  * This replaces auth-pam.c
  */
 void
-start_pam(const char *user)
+start_pam(Authctxt *authctxt)
 {
 	if (!options.use_pam)
 		fatal("PAM: initialisation requested when UsePAM=no");
 
-	if (sshpam_init(user) == -1)
+	if (sshpam_init(authctxt) == -1)
 		fatal("PAM: initialisation failed");
 }
 
Index: auth-pam.h
===================================================================
RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth-pam.h,v
retrieving revision 1.24
diff -u -p -r1.24 auth-pam.h
--- auth-pam.h	10 Feb 2004 02:23:29 -0000	1.24
+++ auth-pam.h	1 Mar 2004 07:32:06 -0000
@@ -31,7 +31,7 @@
 # define SSHD_PAM_SERVICE		__progname
 #endif
 
-void start_pam(const char *);
+void start_pam(Authctxt *);
 void finish_pam(void);
 u_int do_pam_account(void);
 void do_pam_session(void);
Index: auth1.c
===================================================================
RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth1.c,v
retrieving revision 1.96
diff -u -p -r1.96 auth1.c
--- auth1.c	22 Nov 2003 03:15:30 -0000	1.96
+++ auth1.c	1 Mar 2004 07:32:06 -0000
@@ -307,7 +307,7 @@ do_authentication(Authctxt *authctxt)
 
 #ifdef USE_PAM
 	if (options.use_pam)
-		PRIVSEP(start_pam(user));
+		PRIVSEP(start_pam(authctxt));
 #endif
 
 	/*
Index: auth2.c
===================================================================
RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth2.c,v
retrieving revision 1.126
diff -u -p -r1.126 auth2.c
--- auth2.c	17 Nov 2003 10:13:41 -0000	1.126
+++ auth2.c	1 Mar 2004 07:32:06 -0000
@@ -150,24 +150,24 @@ input_userauth_request(int type, u_int32
 	if (authctxt->attempt++ == 0) {
 		/* setup auth context */
 		authctxt->pw = PRIVSEP(getpwnamallow(user));
+		authctxt->user = xstrdup(user);
 		if (authctxt->pw && strcmp(service, "ssh-connection")==0) {
 			authctxt->valid = 1;
 			debug2("input_userauth_request: setting up authctxt for %s", user);
 #ifdef USE_PAM
 			if (options.use_pam)
-				PRIVSEP(start_pam(authctxt->pw->pw_name));
+				PRIVSEP(start_pam(authctxt));
 #endif
 		} else {
 			logit("input_userauth_request: illegal user %s", user);
 			authctxt->pw = fakepw();
 #ifdef USE_PAM
 			if (options.use_pam)
-				PRIVSEP(start_pam(user));
+				PRIVSEP(start_pam(authctxt));
 #endif
 		}
 		setproctitle("%s%s", authctxt->pw ? user : "unknown",
 		    use_privsep ? " [net]" : "");
-		authctxt->user = xstrdup(user);
 		authctxt->service = xstrdup(service);
 		authctxt->style = style ? xstrdup(style) : NULL;
 		if (use_privsep)
Index: monitor.c
===================================================================
RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/monitor.c,v
retrieving revision 1.64
diff -u -p -r1.64 monitor.c
--- monitor.c	6 Feb 2004 05:40:27 -0000	1.64
+++ monitor.c	4 Mar 2004 09:44:54 -0000
@@ -782,16 +782,10 @@ mm_answer_skeyrespond(int socket, Buffer
 int
 mm_answer_pam_start(int socket, Buffer *m)
 {
-	char *user;
-
 	if (!options.use_pam)
 		fatal("UsePAM not set, but ended up in %s anyway", __func__);
 
-	user = buffer_get_string(m, NULL);
-
-	start_pam(user);
-
-	xfree(user);
+	start_pam(authctxt);
 
 	monitor_permit(mon_dispatch, MONITOR_REQ_PAM_ACCOUNT, 1);
 
Index: monitor_wrap.c
===================================================================
RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/monitor_wrap.c,v
retrieving revision 1.40
diff -u -p -r1.40 monitor_wrap.c
--- monitor_wrap.c	21 Nov 2003 12:56:47 -0000	1.40
+++ monitor_wrap.c	4 Mar 2004 10:06:58 -0000
@@ -686,7 +686,7 @@ mm_session_pty_cleanup2(Session *s)
 
 #ifdef USE_PAM
 void
-mm_start_pam(char *user)
+mm_start_pam(Authctxt *authctxt)
 {
 	Buffer m;
 
@@ -695,8 +695,6 @@ mm_start_pam(char *user)
 		fatal("UsePAM=no, but ended up in %s anyway", __func__);
 
 	buffer_init(&m);
-	buffer_put_cstring(&m, user);
-
 	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_START, &m);
 
 	buffer_free(&m);
Index: monitor_wrap.h
===================================================================
RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/monitor_wrap.h,v
retrieving revision 1.17
diff -u -p -r1.17 monitor_wrap.h
--- monitor_wrap.h	17 Nov 2003 11:18:22 -0000	1.17
+++ monitor_wrap.h	4 Mar 2004 09:55:57 -0000
@@ -66,7 +66,7 @@ OM_uint32 mm_ssh_gssapi_checkmic(Gssctxt
 #endif
 
 #ifdef USE_PAM
-void mm_start_pam(char *);
+void mm_start_pam(struct Authctxt *);
 u_int mm_do_pam_account(void);
 void *mm_sshpam_init_ctx(struct Authctxt *);
 int mm_sshpam_query(void *, char **, char **, u_int *, char ***, u_int **);
Commit	Line	Data
ee8ebf6b JR	1	Index: auth-pam.c
	2	===================================================================
	3	RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth-pam.c,v
	4	retrieving revision 1.97
	5	diff -u -p -r1.97 auth-pam.c
	6	--- auth-pam.c 4 Mar 2004 09:03:54 -0000 1.97
	7	+++ auth-pam.c 4 Mar 2004 10:53:12 -0000
	8	@@ -160,7 +160,7 @@ static int sshpam_session_open = 0;
	9	static int sshpam_cred_established = 0;
	10	static int sshpam_account_status = -1;
	11	static char **sshpam_env = NULL;
	12	-static int *force_pwchange;
	13	+static Authctxt *the_authctxt = NULL;
	14
	15	/* Some PAM implementations don't implement this */
	16	#ifndef HAVE_PAM_GETENVLIST
	17	@@ -180,7 +180,9 @@ void
	18	pam_password_change_required(int reqd)
	19	{
	20	debug3("%s %d", __func__, reqd);
	21	- *force_pwchange = reqd;
	22	+ if (the_authctxt == NULL)
	23	+ fatal("%s: PAM authctxt not initialized", __func__);
	24	+ the_authctxt->force_pwchange = reqd;
	25	if (reqd) {
	26	no_port_forwarding_flag \|= 2;
	27	no_agent_forwarding_flag \|= 2;
	28	@@ -339,6 +341,9 @@ sshpam_thread(void *ctxtp)
	29	sshpam_conv.conv = sshpam_thread_conv;
	30	sshpam_conv.appdata_ptr = ctxt;
	31
	32	+ if (the_authctxt == NULL)
	33	+ fatal("%s: PAM authctxt not initialized", __func__);
	34	+
	35	buffer_init(&buffer);
	36	sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
	37	(const void *)&sshpam_conv);
	38	@@ -351,7 +356,7 @@ sshpam_thread(void *ctxtp)
	39	if (compat20) {
	40	if (!do_pam_account())
	41	goto auth_fail;
	42	- if (*force_pwchange) {
	43	+ if (the_authctxt->force_pwchange) {
	44	sshpam_err = pam_chauthtok(sshpam_handle,
	45	PAM_CHANGE_EXPIRED_AUTHTOK);
	46	if (sshpam_err != PAM_SUCCESS)
	47	@@ -365,7 +370,7 @@ sshpam_thread(void *ctxtp)
	48	#ifndef USE_POSIX_THREADS
	49	/* Export variables set by do_pam_account */
	50	buffer_put_int(&buffer, sshpam_account_status);
	51	- buffer_put_int(&buffer, *force_pwchange);
	52	+ buffer_put_int(&buffer, the_authctxt->force_pwchange);
	53
	54	/* Export any environment strings set in child */
	55	for(i = 0; environ[i] != NULL; i++)
	56	@@ -446,11 +451,11 @@ sshpam_cleanup(void)
	57	}
	58
	59	static int
	60	-sshpam_init(const char *user)
	61	+sshpam_init(Authctxt *authctxt)
	62	{
	63	extern u_int utmp_len;
	64	extern char *__progname;
65	- const char pam_rhost, pam_user;
66	+ const char pam_rhost, pam_user, *user = authctxt->user;
67
68	if (sshpam_handle != NULL) {
69	/* We already have a PAM context; check if the user matches */
70	@@ -464,6 +469,8 @@ sshpam_init(const char *user)
71	debug("PAM: initializing for \"%s\"", user);
72	sshpam_err =
73	pam_start(SSHD_PAM_SERVICE, user, &null_conv, &sshpam_handle);
74	+ the_authctxt = authctxt;
75	+
76	if (sshpam_err != PAM_SUCCESS) {
77	pam_end(sshpam_handle, sshpam_err);
78	sshpam_handle = NULL;
79	@@ -506,7 +513,7 @@ sshpam_init_ctx(Authctxt *authctxt)
80	return NULL;
81
82	/* Initialize PAM */
83	- if (sshpam_init(authctxt->user) == -1) {
84	+ if (sshpam_init(authctxt) == -1) {
85	error("PAM: initialization failed");
86	return (NULL);
87	}
88	@@ -514,8 +521,6 @@ sshpam_init_ctx(Authctxt *authctxt)
89	ctxt = xmalloc(sizeof *ctxt);
90	memset(ctxt, 0, sizeof(*ctxt));
91
92	- force_pwchange = &(authctxt->force_pwchange);
93	-
94	/* Start the authentication thread */
95	if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC, socks) == -1) {
96	error("PAM: failed create sockets: %s", strerror(errno));
97	@@ -674,12 +679,12 @@ KbdintDevice mm_sshpam_device = {
98	* This replaces auth-pam.c
99	*/
100	void
101	-start_pam(const char *user)
102	+start_pam(Authctxt *authctxt)
103	{
104	if (!options.use_pam)
105	fatal("PAM: initialisation requested when UsePAM=no");
106
107	- if (sshpam_init(user) == -1)
108	+ if (sshpam_init(authctxt) == -1)
109	fatal("PAM: initialisation failed");
110	}
111
112	Index: auth-pam.h
113	===================================================================
114	RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth-pam.h,v
115	retrieving revision 1.24
116	diff -u -p -r1.24 auth-pam.h
117	--- auth-pam.h 10 Feb 2004 02:23:29 -0000 1.24
118	+++ auth-pam.h 1 Mar 2004 07:32:06 -0000
119	@@ -31,7 +31,7 @@
120	# define SSHD_PAM_SERVICE __progname
121	#endif
122
123	-void start_pam(const char *);
124	+void start_pam(Authctxt *);
125	void finish_pam(void);
126	u_int do_pam_account(void);
127	void do_pam_session(void);
128	Index: auth1.c
129	===================================================================
130	RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth1.c,v
131	retrieving revision 1.96
132	diff -u -p -r1.96 auth1.c
133	--- auth1.c 22 Nov 2003 03:15:30 -0000 1.96
134	+++ auth1.c 1 Mar 2004 07:32:06 -0000
135	@@ -307,7 +307,7 @@ do_authentication(Authctxt *authctxt)
136
137	#ifdef USE_PAM
138	if (options.use_pam)
139	- PRIVSEP(start_pam(user));
140	+ PRIVSEP(start_pam(authctxt));
141	#endif
142
143	/*
144	Index: auth2.c
145	===================================================================
146	RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth2.c,v
147	retrieving revision 1.126
148	diff -u -p -r1.126 auth2.c
149	--- auth2.c 17 Nov 2003 10:13:41 -0000 1.126
150	+++ auth2.c 1 Mar 2004 07:32:06 -0000
151	@@ -150,24 +150,24 @@ input_userauth_request(int type, u_int32
152	if (authctxt->attempt++ == 0) {
153	/* setup auth context */
154	authctxt->pw = PRIVSEP(getpwnamallow(user));
155	+ authctxt->user = xstrdup(user);
156	if (authctxt->pw && strcmp(service, "ssh-connection")==0) {
157	authctxt->valid = 1;
158	debug2("input_userauth_request: setting up authctxt for %s", user);
159	#ifdef USE_PAM
160	if (options.use_pam)
161	- PRIVSEP(start_pam(authctxt->pw->pw_name));
162	+ PRIVSEP(start_pam(authctxt));
163	#endif
164	} else {
165	logit("input_userauth_request: illegal user %s", user);
166	authctxt->pw = fakepw();
167	#ifdef USE_PAM
168	if (options.use_pam)
169	- PRIVSEP(start_pam(user));
170	+ PRIVSEP(start_pam(authctxt));
171	#endif
172	}
173	setproctitle("%s%s", authctxt->pw ? user : "unknown",
174	use_privsep ? " [net]" : "");
175	- authctxt->user = xstrdup(user);
176	authctxt->service = xstrdup(service);
177	authctxt->style = style ? xstrdup(style) : NULL;
178	if (use_privsep)
179	Index: monitor.c
180	===================================================================
181	RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/monitor.c,v
182	retrieving revision 1.64
183	diff -u -p -r1.64 monitor.c
184	--- monitor.c 6 Feb 2004 05:40:27 -0000 1.64
185	+++ monitor.c 4 Mar 2004 09:44:54 -0000
186	@@ -782,16 +782,10 @@ mm_answer_skeyrespond(int socket, Buffer
187	int
188	mm_answer_pam_start(int socket, Buffer *m)
189	{
190	- char *user;
191	-
192	if (!options.use_pam)
193	fatal("UsePAM not set, but ended up in %s anyway", __func__);
194
195	- user = buffer_get_string(m, NULL);
196	-
197	- start_pam(user);
198	-
199	- xfree(user);
200	+ start_pam(authctxt);
201
202	monitor_permit(mon_dispatch, MONITOR_REQ_PAM_ACCOUNT, 1);
203
204	Index: monitor_wrap.c
205	===================================================================
206	RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/monitor_wrap.c,v
207	retrieving revision 1.40
208	diff -u -p -r1.40 monitor_wrap.c
209	--- monitor_wrap.c 21 Nov 2003 12:56:47 -0000 1.40
210	+++ monitor_wrap.c 4 Mar 2004 10:06:58 -0000
211	@@ -686,7 +686,7 @@ mm_session_pty_cleanup2(Session *s)
212
213	#ifdef USE_PAM
214	void
215	-mm_start_pam(char *user)
216	+mm_start_pam(Authctxt *authctxt)
217	{
218	Buffer m;
219
220	@@ -695,8 +695,6 @@ mm_start_pam(char *user)
221	fatal("UsePAM=no, but ended up in %s anyway", __func__);
222
223	buffer_init(&m);
224	- buffer_put_cstring(&m, user);
225	-
226	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_START, &m);
227
228	buffer_free(&m);
229	Index: monitor_wrap.h
230	===================================================================
231	RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/monitor_wrap.h,v
232	retrieving revision 1.17
233	diff -u -p -r1.17 monitor_wrap.h
234	--- monitor_wrap.h 17 Nov 2003 11:18:22 -0000 1.17
235	+++ monitor_wrap.h 4 Mar 2004 09:55:57 -0000
236	@@ -66,7 +66,7 @@ OM_uint32 mm_ssh_gssapi_checkmic(Gssctxt
237	#endif
238
239	#ifdef USE_PAM
240	-void mm_start_pam(char *);
241	+void mm_start_pam(struct Authctxt *);
242	u_int mm_do_pam_account(void);
243	void mm_sshpam_init_ctx(struct Authctxt );
244	int mm_sshpam_query(void , char , char , u_int , char *, u_int );