[packages/openssh.git] / openssh-3.4p1-owl-pam_userpass.diff

diff -urN openssh-3.4p1-owl-always-auth/Makefile.in openssh-3.4p1/Makefile.in
--- openssh-3.4p1-owl-always-auth/Makefile.in	Wed Jun 26 03:45:42 2002
+++ openssh-3.4p1/Makefile.in	Mon Jul  1 23:11:30 2002
@@ -64,7 +64,7 @@
 
 SSHOBJS= ssh.o sshconnect.o sshconnect1.o sshconnect2.o sshtty.o readconf.o clientloop.o
 
-SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth2-hostbased.o auth2-kbdint.o auth2-none.o auth2-passwd.o auth2-pubkey.o auth-chall.o auth2-chall.o auth-rhosts.o auth-options.o auth-krb4.o auth-krb5.o auth-pam.o auth2-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o auth-sia.o sshpty.o sshlogin.o loginrec.o servconf.o serverloop.o md5crypt.o session.o groupaccess.o auth-skey.o auth-bsdauth.o monitor_mm.o monitor.o
+SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth2-hostbased.o auth2-kbdint.o auth2-none.o auth2-passwd.o auth2-pubkey.o auth-chall.o auth2-chall.o auth-rhosts.o auth-options.o auth-krb4.o auth-krb5.o auth-pam.o appl_userpass.o auth2-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o auth-sia.o sshpty.o sshlogin.o loginrec.o servconf.o serverloop.o md5crypt.o session.o groupaccess.o auth-skey.o auth-bsdauth.o monitor_mm.o monitor.o
 
 MANPAGES	= scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out sshd_config.5.out ssh_config.5.out
 MANPAGES_IN	= scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 sshd_config.5 ssh_config.5
diff -urN openssh-3.4p1-owl-always-auth/_pam_userpass.h openssh-3.4p1/_pam_userpass.h
--- openssh-3.4p1-owl-always-auth/_pam_userpass.h	Thu Jan  1 03:00:00 1970
+++ openssh-3.4p1/_pam_userpass.h	Mon Jul  1 23:11:30 2002
@@ -0,0 +1,12 @@
+#ifndef __PAM_USERPASS_H
+#define __PAM_USERPASS_H
+
+#define USERPASS_AGENT_ID		"userpass"
+#define USERPASS_AGENT_ID_LENGTH	8
+
+#define USERPASS_USER_MASK		0x03
+#define USERPASS_USER_REQUIRED		1
+#define USERPASS_USER_KNOWN		2
+#define USERPASS_USER_FIXED		3
+
+#endif
diff -urN openssh-3.4p1-owl-always-auth/appl_userpass.c openssh-3.4p1/appl_userpass.c
--- openssh-3.4p1-owl-always-auth/appl_userpass.c	Thu Jan  1 03:00:00 1970
+++ openssh-3.4p1/appl_userpass.c	Mon Jul  1 23:11:30 2002
@@ -0,0 +1,59 @@
+#include <string.h>
+#include <stdlib.h>
+
+#include <security/pam_appl.h>
+#include <security/pam_client.h>
+
+#ifndef PAM_BP_RCONTROL
+/* Linux-PAM prior to 0.74 */
+#define PAM_BP_RCONTROL	PAM_BP_CONTROL
+#define PAM_BP_WDATA	PAM_BP_DATA
+#define PAM_BP_RDATA	PAM_BP_DATA
+#endif
+
+#include "_pam_userpass.h"
+#include "pam_userpass.h"
+
+int pam_userpass_conv(int num_msg, const struct pam_message **msg,
+	struct pam_response **resp, void *appdata_ptr)
+{
+	pam_userpass_t *userpass = (pam_userpass_t *)appdata_ptr;
+	pamc_bp_t prompt;
+	const char *input;
+	char *output;
+	char flags;
+
+	if (num_msg != 1 || msg[0]->msg_style != PAM_BINARY_PROMPT)
+		return PAM_CONV_ERR;
+
+	prompt = (pamc_bp_t)msg[0]->msg;
+	input = PAM_BP_RDATA(prompt);
+
+	if (PAM_BP_RCONTROL(prompt) != PAM_BPC_SELECT ||
+	    strncmp(input, USERPASS_AGENT_ID "/", USERPASS_AGENT_ID_LENGTH + 1))
+		return PAM_CONV_ERR;
+
+	flags = input[USERPASS_AGENT_ID_LENGTH + 1];
+	input += USERPASS_AGENT_ID_LENGTH + 1 + 1;
+
+	if ((flags & USERPASS_USER_MASK) == USERPASS_USER_FIXED &&
+	    strcmp(input, userpass->user))
+		return PAM_CONV_AGAIN;
+
+	if (!(*resp = malloc(sizeof(struct pam_response))))
+		return PAM_CONV_ERR;
+
+	prompt = NULL;
+	PAM_BP_RENEW(&prompt, PAM_BPC_DONE,
+		strlen(userpass->user) + 1 + strlen(userpass->pass));
+	output = PAM_BP_WDATA(prompt);
+
+	strcpy(output, userpass->user);
+	output += strlen(output) + 1;
+	memcpy(output, userpass->pass, strlen(userpass->pass));
+
+	(*resp)[0].resp_retcode = 0;
+	(*resp)[0].resp = (char *)prompt;
+
+	return PAM_SUCCESS;
+}
diff -urN openssh-3.4p1-owl-always-auth/auth-pam.c openssh-3.4p1/auth-pam.c
--- openssh-3.4p1-owl-always-auth/auth-pam.c	Mon Jul  1 23:09:55 2002
+++ openssh-3.4p1/auth-pam.c	Mon Jul  1 23:38:11 2002
@@ -34,6 +34,9 @@
 #include "canohost.h"
 #include "readpass.h"
 
+#include <security/pam_misc.h>
+#include "pam_userpass.h"
+
 extern char *__progname;
 
 RCSID("$Id$");
@@ -45,13 +48,13 @@
 	struct pam_response **resp, void *appdata_ptr);
 
 /* module-local variables */
+static pam_userpass_t userpass;
 static struct pam_conv conv = {
 	do_pam_conversation,
-	NULL
+	&userpass
 };
 static char *__pam_msg = NULL;
 static pam_handle_t *__pamh = NULL;
-static const char *__pampasswd = NULL;
 
 /* states for do_pam_conversation() */
 enum { INITIAL_LOGIN, OTHER } pamstate = INITIAL_LOGIN;
@@ -83,18 +86,45 @@
  * PAM conversation function.
  * There are two states this can run in.
  *
- * INITIAL_LOGIN mode simply feeds the password from the client into
- * PAM in response to PAM_PROMPT_ECHO_OFF, and collects output
- * messages with into __pam_msg.  This is used during initial
- * authentication to bypass the normal PAM password prompt.
+ * INITIAL_LOGIN mode simply feeds the username and the password from
+ * the client into PAM via Linux-PAM binary prompts and queues any text
+ * messages for printing later.
  *
- * OTHER mode handles PAM_PROMPT_ECHO_OFF with read_passphrase()
- * and outputs messages to stderr. This mode is used if pam_chauthtok()
- * is called to update expired passwords.
+ * OTHER mode is a regular PAM conversation.  This mode is used if
+ * pam_chauthtok() is called to update expired passwords.
  */
 static int do_pam_conversation(int num_msg, const struct pam_message **msg,
 	struct pam_response **resp, void *appdata_ptr)
 {
+	if (pamstate == INITIAL_LOGIN) {
+		int i, status;
+
+		status = pam_userpass_conv(num_msg, msg, resp, appdata_ptr);
+		if (status != PAM_CONV_ERR)
+			return status;
+
+		if (!(*resp = malloc(num_msg * sizeof(struct pam_response))))
+			return PAM_CONV_ERR;
+		for (i = 0; i < num_msg; i++) {
+			switch (msg[i]->msg_style) {
+			case PAM_ERROR_MSG:
+			case PAM_TEXT_INFO:
+				message_cat(&__pam_msg, msg[i]->msg);
+				(*resp)[i].resp_retcode = PAM_SUCCESS;
+				(*resp)[i].resp = NULL;
+				continue;
+			default:
+				free(*resp);
+				*resp = NULL;
+				return PAM_CONV_ERR;
+			}
+		}
+		return PAM_SUCCESS;
+	}
+
+	return misc_conv(num_msg, msg, resp, appdata_ptr);
+
+#if 0
 	struct pam_response *reply;
 	int count;
 	char buf[1024];
@@ -170,6 +200,7 @@
 	*resp = reply;
 
 	return PAM_SUCCESS;
+#endif
 }
 
 /* Called at exit to cleanly shutdown PAM */
@@ -221,7 +252,8 @@
 	if (*password == '\0' && options.permit_empty_passwd == 0)
 		return 0;
 
-	__pampasswd = password;
+	userpass.user = pw ? pw->pw_name : "ILLEGAL USER";
+	userpass.pass = password;
 
 	pamstate = INITIAL_LOGIN;
 	pam_retval = do_pam_authenticate(
diff -urN openssh-3.4p1-owl-always-auth/pam_userpass.h openssh-3.4p1/pam_userpass.h
--- openssh-3.4p1-owl-always-auth/pam_userpass.h	Thu Jan  1 03:00:00 1970
+++ openssh-3.4p1/pam_userpass.h	Mon Jul  1 23:11:30 2002
@@ -0,0 +1,14 @@
+#ifndef _PAM_USERPASS_H
+#define _PAM_USERPASS_H
+
+#include <security/pam_appl.h>
+
+typedef struct {
+	const char *user;
+	const char *pass;
+} pam_userpass_t;
+
+extern int pam_userpass_conv(int num_msg, const struct pam_message **msg,
+	struct pam_response **resp, void *appdata_ptr);
+
+#endif
Commit	Line	Data
d9d6f0a2 JR	1	diff -urN openssh-3.4p1-owl-always-auth/Makefile.in openssh-3.4p1/Makefile.in
	2	--- openssh-3.4p1-owl-always-auth/Makefile.in Wed Jun 26 03:45:42 2002
	3	+++ openssh-3.4p1/Makefile.in Mon Jul 1 23:11:30 2002
	4	@@ -64,7 +64,7 @@
	5
	6	SSHOBJS= ssh.o sshconnect.o sshconnect1.o sshconnect2.o sshtty.o readconf.o clientloop.o
	7
	8	-SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth2-hostbased.o auth2-kbdint.o auth2-none.o auth2-passwd.o auth2-pubkey.o auth-chall.o auth2-chall.o auth-rhosts.o auth-options.o auth-krb4.o auth-krb5.o auth-pam.o auth2-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o auth-sia.o sshpty.o sshlogin.o loginrec.o servconf.o serverloop.o md5crypt.o session.o groupaccess.o auth-skey.o auth-bsdauth.o monitor_mm.o monitor.o
	9	+SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth2-hostbased.o auth2-kbdint.o auth2-none.o auth2-passwd.o auth2-pubkey.o auth-chall.o auth2-chall.o auth-rhosts.o auth-options.o auth-krb4.o auth-krb5.o auth-pam.o appl_userpass.o auth2-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o auth-sia.o sshpty.o sshlogin.o loginrec.o servconf.o serverloop.o md5crypt.o session.o groupaccess.o auth-skey.o auth-bsdauth.o monitor_mm.o monitor.o
	10
	11	MANPAGES = scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out sshd_config.5.out ssh_config.5.out
	12	MANPAGES_IN = scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 sshd_config.5 ssh_config.5
	13	diff -urN openssh-3.4p1-owl-always-auth/_pam_userpass.h openssh-3.4p1/_pam_userpass.h
	14	--- openssh-3.4p1-owl-always-auth/_pam_userpass.h Thu Jan 1 03:00:00 1970
	15	+++ openssh-3.4p1/_pam_userpass.h Mon Jul 1 23:11:30 2002
	16	@@ -0,0 +1,12 @@
	17	+#ifndef __PAM_USERPASS_H
	18	+#define __PAM_USERPASS_H
	19	+
	20	+#define USERPASS_AGENT_ID "userpass"
	21	+#define USERPASS_AGENT_ID_LENGTH 8
	22	+
	23	+#define USERPASS_USER_MASK 0x03
	24	+#define USERPASS_USER_REQUIRED 1
	25	+#define USERPASS_USER_KNOWN 2
	26	+#define USERPASS_USER_FIXED 3
	27	+
	28	+#endif
	29	diff -urN openssh-3.4p1-owl-always-auth/appl_userpass.c openssh-3.4p1/appl_userpass.c
	30	--- openssh-3.4p1-owl-always-auth/appl_userpass.c Thu Jan 1 03:00:00 1970
	31	+++ openssh-3.4p1/appl_userpass.c Mon Jul 1 23:11:30 2002
	32	@@ -0,0 +1,59 @@
	33	+#include <string.h>
	34	+#include <stdlib.h>
	35	+
	36	+#include <security/pam_appl.h>
	37	+#include <security/pam_client.h>
	38	+
	39	+#ifndef PAM_BP_RCONTROL
	40	+/* Linux-PAM prior to 0.74 */
	41	+#define PAM_BP_RCONTROL PAM_BP_CONTROL
	42	+#define PAM_BP_WDATA PAM_BP_DATA
	43	+#define PAM_BP_RDATA PAM_BP_DATA
	44	+#endif
	45	+
	46	+#include "_pam_userpass.h"
	47	+#include "pam_userpass.h"
	48	+
	49	+int pam_userpass_conv(int num_msg, const struct pam_message **msg,
	50	+ struct pam_response *resp, void appdata_ptr)
	51	+{
	52	+ pam_userpass_t userpass = (pam_userpass_t )appdata_ptr;
	53	+ pamc_bp_t prompt;
	54	+ const char *input;
	55	+ char *output;
	56	+ char flags;
	57	+
	58	+ if (num_msg != 1 \|\| msg[0]->msg_style != PAM_BINARY_PROMPT)
	59	+ return PAM_CONV_ERR;
	60	+
	61	+ prompt = (pamc_bp_t)msg[0]->msg;
	62	+ input = PAM_BP_RDATA(prompt);
	63	+
	64	+ if (PAM_BP_RCONTROL(prompt) != PAM_BPC_SELECT \|\|
65	+ strncmp(input, USERPASS_AGENT_ID "/", USERPASS_AGENT_ID_LENGTH + 1))
66	+ return PAM_CONV_ERR;
67	+
68	+ flags = input[USERPASS_AGENT_ID_LENGTH + 1];
69	+ input += USERPASS_AGENT_ID_LENGTH + 1 + 1;
70	+
71	+ if ((flags & USERPASS_USER_MASK) == USERPASS_USER_FIXED &&
72	+ strcmp(input, userpass->user))
73	+ return PAM_CONV_AGAIN;
74	+
75	+ if (!(*resp = malloc(sizeof(struct pam_response))))
76	+ return PAM_CONV_ERR;
77	+
78	+ prompt = NULL;
79	+ PAM_BP_RENEW(&prompt, PAM_BPC_DONE,
80	+ strlen(userpass->user) + 1 + strlen(userpass->pass));
81	+ output = PAM_BP_WDATA(prompt);
82	+
83	+ strcpy(output, userpass->user);
84	+ output += strlen(output) + 1;
85	+ memcpy(output, userpass->pass, strlen(userpass->pass));
86	+
87	+ (*resp)[0].resp_retcode = 0;
88	+ (resp)[0].resp = (char )prompt;
89	+
90	+ return PAM_SUCCESS;
91	+}
92	diff -urN openssh-3.4p1-owl-always-auth/auth-pam.c openssh-3.4p1/auth-pam.c
93	--- openssh-3.4p1-owl-always-auth/auth-pam.c Mon Jul 1 23:09:55 2002
94	+++ openssh-3.4p1/auth-pam.c Mon Jul 1 23:38:11 2002
95	@@ -34,6 +34,9 @@
96	#include "canohost.h"
97	#include "readpass.h"
98
99	+#include <security/pam_misc.h>
100	+#include "pam_userpass.h"
101	+
102	extern char *__progname;
103
104	RCSID("$Id$");
105	@@ -45,13 +48,13 @@
106	struct pam_response *resp, void appdata_ptr);
107
108	/* module-local variables */
109	+static pam_userpass_t userpass;
110	static struct pam_conv conv = {
111	do_pam_conversation,
112	- NULL
113	+ &userpass
114	};
115	static char *__pam_msg = NULL;
116	static pam_handle_t *__pamh = NULL;
117	-static const char *__pampasswd = NULL;
118
119	/* states for do_pam_conversation() */
120	enum { INITIAL_LOGIN, OTHER } pamstate = INITIAL_LOGIN;
121	@@ -83,18 +86,45 @@
122	* PAM conversation function.
123	* There are two states this can run in.
124	*
125	- * INITIAL_LOGIN mode simply feeds the password from the client into
126	- * PAM in response to PAM_PROMPT_ECHO_OFF, and collects output
127	- * messages with into __pam_msg. This is used during initial
128	- * authentication to bypass the normal PAM password prompt.
129	+ * INITIAL_LOGIN mode simply feeds the username and the password from
130	+ * the client into PAM via Linux-PAM binary prompts and queues any text
131	+ * messages for printing later.
132	*
133	- * OTHER mode handles PAM_PROMPT_ECHO_OFF with read_passphrase()
134	- * and outputs messages to stderr. This mode is used if pam_chauthtok()
135	- * is called to update expired passwords.
136	+ * OTHER mode is a regular PAM conversation. This mode is used if
137	+ * pam_chauthtok() is called to update expired passwords.
138	*/
139	static int do_pam_conversation(int num_msg, const struct pam_message **msg,
140	struct pam_response *resp, void appdata_ptr)
141	{
142	+ if (pamstate == INITIAL_LOGIN) {
143	+ int i, status;
144	+
145	+ status = pam_userpass_conv(num_msg, msg, resp, appdata_ptr);
146	+ if (status != PAM_CONV_ERR)
147	+ return status;
148	+
149	+ if (!(resp = malloc(num_msg sizeof(struct pam_response))))
150	+ return PAM_CONV_ERR;
151	+ for (i = 0; i < num_msg; i++) {
152	+ switch (msg[i]->msg_style) {
153	+ case PAM_ERROR_MSG:
154	+ case PAM_TEXT_INFO:
155	+ message_cat(&__pam_msg, msg[i]->msg);
156	+ (*resp)[i].resp_retcode = PAM_SUCCESS;
157	+ (*resp)[i].resp = NULL;
158	+ continue;
159	+ default:
160	+ free(*resp);
161	+ *resp = NULL;
162	+ return PAM_CONV_ERR;
163	+ }
164	+ }
165	+ return PAM_SUCCESS;
166	+ }
167	+
168	+ return misc_conv(num_msg, msg, resp, appdata_ptr);
169	+
170	+#if 0
171	struct pam_response *reply;
172	int count;
173	char buf[1024];
174	@@ -170,6 +200,7 @@
175	*resp = reply;
176
177	return PAM_SUCCESS;
178	+#endif
179	}
180
181	/* Called at exit to cleanly shutdown PAM */
182	@@ -221,7 +252,8 @@
183	if (*password == '\0' && options.permit_empty_passwd == 0)
184	return 0;
185
186	- __pampasswd = password;
187	+ userpass.user = pw ? pw->pw_name : "ILLEGAL USER";
188	+ userpass.pass = password;
189
190	pamstate = INITIAL_LOGIN;
191	pam_retval = do_pam_authenticate(
192	diff -urN openssh-3.4p1-owl-always-auth/pam_userpass.h openssh-3.4p1/pam_userpass.h
193	--- openssh-3.4p1-owl-always-auth/pam_userpass.h Thu Jan 1 03:00:00 1970
194	+++ openssh-3.4p1/pam_userpass.h Mon Jul 1 23:11:30 2002
195	@@ -0,0 +1,14 @@
196	+#ifndef _PAM_USERPASS_H
197	+#define _PAM_USERPASS_H
198	+
199	+#include <security/pam_appl.h>
200	+
201	+typedef struct {
202	+ const char *user;
203	+ const char *pass;
204	+} pam_userpass_t;
205	+
206	+extern int pam_userpass_conv(int num_msg, const struct pam_message **msg,
207	+ struct pam_response *resp, void appdata_ptr);
208	+
209	+#endif