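--- a/auth-pam.c
+++ b/auth-pam.c
@@ -160,7 +160,7 @@ static int sshpam_session_open = 0;
 static int sshpam_cred_established = 0;
 static int sshpam_account_status = -1;
 static char **sshpam_env = NULL;
-static int *force_pwchange;
+static Authctxt *the_authctxt = NULL;
 
 /* Some PAM implementations don't implement this */
 #ifndef HAVE_PAM_GETENVLIST
@@ -180,7 +180,9 @@ void
 pam_password_change_required(int reqd)
 {
 debug3("%s %d", __func__, reqd);
- *force_pwchange = reqd;
+ if (the_authctxt == NULL)
+ fatal("%s: PAM authctxt not initialized", __func__);
+ the_authctxt->force_pwchange = reqd;
 if (reqd) {
 no_port_forwarding_flag |= 2;
 no_agent_forwarding_flag |= 2;
@@ -339,6 +341,9 @@ sshpam_thread(void *ctxtp)
 sshpam_conv.conv = sshpam_thread_conv;
 sshpam_conv.appdata_ptr = ctxt;
 
+ if (the_authctxt == NULL)
+ fatal("%s: PAM authctxt not initialized", __func__);
+
 buffer_init(&buffer);
 sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
 (const void *)&sshpam_conv);
@@ -351,7 +356,7 @@ sshpam_thread(void *ctxtp)
 if (compat20) {
 if (!do_pam_account())
 goto auth_fail;
- if (*force_pwchange) {
+ if (the_authctxt->force_pwchange) {
 sshpam_err = pam_chauthtok(sshpam_handle,
 PAM_CHANGE_EXPIRED_AUTHTOK);
 if (sshpam_err != PAM_SUCCESS)
@@ -365,7 +370,7 @@ sshpam_thread(void *ctxtp)
 #ifndef USE_POSIX_THREADS
 /* Export variables set by do_pam_account */
 buffer_put_int(&buffer, sshpam_account_status);
- buffer_put_int(&buffer, *force_pwchange);
+ buffer_put_int(&buffer, the_authctxt->force_pwchange);
 
 /* Export any environment strings set in child */
 for(i = 0; environ[i] != NULL; i++)
@@ -446,11 +451,11 @@ sshpam_cleanup(void)
 }
 
 static int
-sshpam_init(const char *user)
+sshpam_init(Authctxt *authctxt)
 {
 extern u_int utmp_len;
 extern char *__progname;
- const char *pam_rhost, *pam_user;
+ const char *pam_rhost, *pam_user, *user = authctxt->user;
 
 if (sshpam_handle != NULL) {
 /* We already have a PAM context; check if the user matches */
@@ -464,6 +469,8 @@ sshpam_init(const char *user)
 debug("PAM: initializing for \"%s\"", user);
 sshpam_err =
 pam_start(SSHD_PAM_SERVICE, user, &null_conv, &sshpam_handle);
+ the_authctxt = authctxt;
+
 if (sshpam_err != PAM_SUCCESS) {
 pam_end(sshpam_handle, sshpam_err);
 sshpam_handle = NULL;
@@ -506,7 +513,7 @@ sshpam_init_ctx(Authctxt *authctxt)
 return NULL;
 
 /* Initialize PAM */
- if (sshpam_init(authctxt->user) == -1) {
+ if (sshpam_init(authctxt) == -1) {
 error("PAM: initialization failed");
 return (NULL);
 }
@@ -514,8 +521,6 @@ sshpam_init_ctx(Authctxt *authctxt)
 ctxt = xmalloc(sizeof *ctxt);
 memset(ctxt, 0, sizeof(*ctxt));
 
- force_pwchange = &(authctxt->force_pwchange);
-
 /* Start the authentication thread */
 if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC, socks) == -1) {
 error("PAM: failed create sockets: %s", strerror(errno));
@@ -674,12 +679,12 @@ KbdintDevice mm_sshpam_device = {
 * This replaces auth-pam.c
 */
 void
-start_pam(const char *user)
+start_pam(Authctxt *authctxt)
 {
 if (!options.use_pam)
 fatal("PAM: initialisation requested when UsePAM=no");
 
- if (sshpam_init(user) == -1)
+ if (sshpam_init(authctxt) == -1)
 fatal("PAM: initialisation failed");
 }
 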
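Review bot: In sshpam_init the new `the_authctxt = authctxt;` is assigned after `pam_start()` and before the `sshpam_err != PAM_SUCCESS` branch, so on a failed start the global keeps pointing at the caller's context while `sshpam_handle` is reset to NULL; since the other hunks key their "not initialized" fatal() checks on `the_authctxt == NULL`, a later `pam_password_change_required()` would write into that context instead of tripping the check. The earlier `if (sshpam_handle != NULL)` path of the same function, whose body continues outside the hunk, does not appear to refresh `the_authctxt` either, so a repeat call with a different Authctxt for the same user would seem to leave the global stale — worth confirming against the rest of the function. Adding `the_authctxt = NULL;` next to `sshpam_handle = NULL;` in the failure branch, or moving the assignment below that block, keeps the global and the handle in step. Note also that `*user = authctxt->user` in the declaration dereferences the new pointer parameter unconditionally, unlike the NULL checks added in the other two hunks.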
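--- a/auth-pam.h
+++ b/auth-pam.h
@@ -31,7 +31,7 @@
 # define SSHD_PAM_SERVICE __progname
 #endif
 
-void start_pam(const char *);
+void start_pam(Authctxt *);
 void finish_pam(void);
 u_int do_pam_account(void);
 void do_pam_session(void);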
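--- a/auth1.c
+++ b/auth1.c
@@ -307,7 +307,7 @@ do_authentication(Authctxt *authctxt)
 
 #ifdef USE_PAM
 if (options.use_pam)
- PRIVSEP(start_pam(user));
+ PRIVSEP(start_pam(authctxt));
 #endif
 
 /*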
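--- a/auth2.c
+++ b/auth2.c
@@ -150,24 +150,24 @@ input_userauth_request(int type, u_int32
 if (authctxt->attempt++ == 0) {
 /* setup auth context */
 authctxt->pw = PRIVSEP(getpwnamallow(user));
+ authctxt->user = xstrdup(user);
 if (authctxt->pw && strcmp(service, "ssh-connection")==0) {
 authctxt->valid = 1;
 debug2("input_userauth_request: setting up authctxt for %s", user);
 #ifdef USE_PAM
 if (options.use_pam)
- PRIVSEP(start_pam(authctxt->pw->pw_name));
+ PRIVSEP(start_pam(authctxt));
 #endif
 } else {
 logit("input_userauth_request: illegal user %s", user);
 authctxt->pw = fakepw();
 #ifdef USE_PAM
 if (options.use_pam)
- PRIVSEP(start_pam(user));
+ PRIVSEP(start_pam(authctxt));
 #endif
 }
 setproctitle("%s%s", authctxt->pw ? user : "unknown",
 use_privsep ? " [net]" : "");
- authctxt->user = xstrdup(user);
 authctxt->service = xstrdup(service);
 authctxt->style = style ? xstrdup(style) : NULL;
 if (use_privsep)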
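Review bot: With `authctxt->user = xstrdup(user);` hoisted above the valid-user branch and `start_pam(authctxt)` replacing `start_pam(authctxt->pw->pw_name)`, PAM is now started with the client-supplied name rather than the `pw_name` that getpwnamallow() returned for a valid user. Where the two differ (a case-insensitive or aliasing name-service backend would be the usual cause), PAM modules and the "user matches" comparison in sshpam_init see the unnormalized string, which is a behaviour change the patch does not call out. If that is intended, a comment at the hoisted line such as `/* PAM keys off authctxt->user rather than pw->pw_name from here on */` would record it; otherwise the valid branch would need to keep feeding PAM the canonical `pw_name`. The enclosing input_userauth_request starts and ends outside the hunk.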
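--- a/monitor.c
+++ b/monitor.c
@@ -782,16 +782,10 @@ mm_answer_skeyrespond(int socket, Buffer
 int
 mm_answer_pam_start(int socket, Buffer *m)
 {
- char *user;
-
 if (!options.use_pam)
 fatal("UsePAM not set, but ended up in %s anyway", __func__);
 
- user = buffer_get_string(m, NULL);
-
- start_pam(user);
-
- xfree(user);
+ start_pam(authctxt);
 
 monitor_permit(mon_dispatch, MONITOR_REQ_PAM_ACCOUNT, 1);
 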
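Review bot: mm_answer_pam_start now ignores the request buffer `m` entirely and starts PAM from the monitor-side `authctxt`, which is the right direction (the unprivileged child no longer supplies the user name to the monitor), but nothing in the function says so and the Buffer parameter now reads like an unused argument. A one-line comment before the call, e.g. `/* The user comes from the monitor's own authctxt, never from the request */`, would stop a later reader from reinstating the `buffer_get_string()` read. This also presumes the monitor's file-scope `authctxt` is populated before MONITOR_REQ_PAM_START can be dispatched; that setup is outside this diff, so worth confirming. The matching removal of `buffer_put_cstring(&m, user)` on the sending side is in the monitor_wrap.c section.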
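--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@@ -686,7 +686,7 @@ mm_session_pty_cleanup2(Session *s)
 
 #ifdef USE_PAM
 void
-mm_start_pam(char *user)
+mm_start_pam(Authctxt *authctxt)
 {
 Buffer m;
 
@@ -695,8 +695,6 @@ mm_start_pam(char *user)
 fatal("UsePAM=no, but ended up in %s anyway", __func__);
 
 buffer_init(&m);
- buffer_put_cstring(&m, user);
-
 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_START, &m);
 
 buffer_free(&m);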
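--- a/monitor_wrap.h
+++ b/monitor_wrap.h
@@ -66,7 +66,7 @@ OM_uint32 mm_ssh_gssapi_checkmic(Gssctxt
 #endif
 
 #ifdef USE_PAM
-void mm_start_pam(char *);
+void mm_start_pam(struct Authctxt *);
 u_int mm_do_pam_account(void);
 void *mm_sshpam_init_ctx(struct Authctxt *);
 int mm_sshpam_query(void *, char **, char **, u_int *, char ***, u_int **);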