- patch5 shouldn't be applied by default
1 diff -urN openssh-3.4p1-owl-always-auth/Makefile.in openssh-3.4p1/Makefile.in
2 --- openssh-3.4p1-owl-always-auth/Makefile.in   Wed Jun 26 03:45:42 2002
3 +++ openssh-3.4p1/Makefile.in   Mon Jul  1 23:11:30 2002
4 @@ -64,7 +64,7 @@
5  
6  SSHOBJS= ssh.o sshconnect.o sshconnect1.o sshconnect2.o sshtty.o readconf.o clientloop.o
7  
8 -SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth2-hostbased.o auth2-kbdint.o auth2-none.o auth2-passwd.o auth2-pubkey.o auth-chall.o auth2-chall.o auth-rhosts.o auth-options.o auth-krb4.o auth-krb5.o auth-pam.o auth2-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o auth-sia.o sshpty.o sshlogin.o loginrec.o servconf.o serverloop.o md5crypt.o session.o groupaccess.o auth-skey.o auth-bsdauth.o monitor_mm.o monitor.o
9 +SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth2-hostbased.o auth2-kbdint.o auth2-none.o auth2-passwd.o auth2-pubkey.o auth-chall.o auth2-chall.o auth-rhosts.o auth-options.o auth-krb4.o auth-krb5.o auth-pam.o appl_userpass.o auth2-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o auth-sia.o sshpty.o sshlogin.o loginrec.o servconf.o serverloop.o md5crypt.o session.o groupaccess.o auth-skey.o auth-bsdauth.o monitor_mm.o monitor.o
10  
11  MANPAGES       = scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out sshd_config.5.out ssh_config.5.out
12  MANPAGES_IN    = scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 sshd_config.5 ssh_config.5
13 diff -urN openssh-3.4p1-owl-always-auth/_pam_userpass.h openssh-3.4p1/_pam_userpass.h
14 --- openssh-3.4p1-owl-always-auth/_pam_userpass.h       Thu Jan  1 03:00:00 1970
15 +++ openssh-3.4p1/_pam_userpass.h       Mon Jul  1 23:11:30 2002
16 @@ -0,0 +1,12 @@
17 +#ifndef __PAM_USERPASS_H
18 +#define __PAM_USERPASS_H
19 +
20 +#define USERPASS_AGENT_ID              "userpass"
21 +#define USERPASS_AGENT_ID_LENGTH       8
22 +
23 +#define USERPASS_USER_MASK             0x03
24 +#define USERPASS_USER_REQUIRED         1
25 +#define USERPASS_USER_KNOWN            2
26 +#define USERPASS_USER_FIXED            3
27 +
28 +#endif
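Review bot: The include guard `__PAM_USERPASS_H` is an identifier reserved for the implementation, and it differs from the `_PAM_USERPASS_H` guard in pam_userpass.h (also reserved) by a single underscore, which is easy to mix up when both headers are included together as appl_userpass.c does. Unreserved, clearly distinct names such as `USERPASS_PROTOCOL_H` here and `PAM_USERPASS_APPL_H` there would avoid both problems. `USERPASS_AGENT_ID_LENGTH` is also maintained by hand next to the string it measures; `#define USERPASS_AGENT_ID_LENGTH (sizeof(USERPASS_AGENT_ID) - 1)` keeps the two in step.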
29 diff -urN openssh-3.4p1-owl-always-auth/appl_userpass.c openssh-3.4p1/appl_userpass.c
30 --- openssh-3.4p1-owl-always-auth/appl_userpass.c       Thu Jan  1 03:00:00 1970
31 +++ openssh-3.4p1/appl_userpass.c       Mon Jul  1 23:11:30 2002
32 @@ -0,0 +1,59 @@
33 +#include <string.h>
34 +#include <stdlib.h>
35 +
36 +#include <security/pam_appl.h>
37 +#include <security/pam_client.h>
38 +
39 +#ifndef PAM_BP_RCONTROL
40 +/* Linux-PAM prior to 0.74 */
41 +#define PAM_BP_RCONTROL        PAM_BP_CONTROL
42 +#define PAM_BP_WDATA   PAM_BP_DATA
43 +#define PAM_BP_RDATA   PAM_BP_DATA
44 +#endif
45 +
46 +#include "_pam_userpass.h"
47 +#include "pam_userpass.h"
48 +
49 +int pam_userpass_conv(int num_msg, const struct pam_message **msg,
50 +       struct pam_response **resp, void *appdata_ptr)
51 +{
52 +       pam_userpass_t *userpass = (pam_userpass_t *)appdata_ptr;
53 +       pamc_bp_t prompt;
54 +       const char *input;
55 +       char *output;
56 +       char flags;
57 +
58 +       if (num_msg != 1 || msg[0]->msg_style != PAM_BINARY_PROMPT)
59 +               return PAM_CONV_ERR;
60 +
61 +       prompt = (pamc_bp_t)msg[0]->msg;
62 +       input = PAM_BP_RDATA(prompt);
63 +
64 +       if (PAM_BP_RCONTROL(prompt) != PAM_BPC_SELECT ||
65 +           strncmp(input, USERPASS_AGENT_ID "/", USERPASS_AGENT_ID_LENGTH + 1))
66 +               return PAM_CONV_ERR;
67 +
68 +       flags = input[USERPASS_AGENT_ID_LENGTH + 1];
69 +       input += USERPASS_AGENT_ID_LENGTH + 1 + 1;
70 +
71 +       if ((flags & USERPASS_USER_MASK) == USERPASS_USER_FIXED &&
72 +           strcmp(input, userpass->user))
73 +               return PAM_CONV_AGAIN;
74 +
75 +       if (!(*resp = malloc(sizeof(struct pam_response))))
76 +               return PAM_CONV_ERR;
77 +
78 +       prompt = NULL;
79 +       PAM_BP_RENEW(&prompt, PAM_BPC_DONE,
80 +               strlen(userpass->user) + 1 + strlen(userpass->pass));
81 +       output = PAM_BP_WDATA(prompt);
82 +
83 +       strcpy(output, userpass->user);
84 +       output += strlen(output) + 1;
85 +       memcpy(output, userpass->pass, strlen(userpass->pass));
86 +
87 +       (*resp)[0].resp_retcode = 0;
88 +       (*resp)[0].resp = (char *)prompt;
89 +
90 +       return PAM_SUCCESS;
91 +}
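Review bot: pam_userpass_conv() reads the flags byte at `input[USERPASS_AGENT_ID_LENGTH + 1]` and then runs `strcmp(input, userpass->user)` without ever consulting the length of the binary prompt, so a short or unterminated prompt handed in by a module makes it read past the end of the prompt data. A guard before the flags byte is read, `if (PAM_BP_LENGTH(prompt) < USERPASS_AGENT_ID_LENGTH + 2) return PAM_CONV_ERR;`, covers the header, and the fixed-user comparison should be bounded by the remaining length instead of relying on a terminator. Separately, `prompt` is used by `PAM_BP_WDATA(prompt)` straight after `PAM_BP_RENEW` with no NULL check; if the macro can leave it NULL on allocation failure (worth confirming against the Linux-PAM version in use), that is a NULL write and `*resp` is leaked.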
92 diff -urN openssh-3.4p1-owl-always-auth/auth-pam.c openssh-3.4p1/auth-pam.c
93 --- openssh-3.4p1-owl-always-auth/auth-pam.c    Mon Jul  1 23:09:55 2002
94 +++ openssh-3.4p1/auth-pam.c    Mon Jul  1 23:38:11 2002
95 @@ -34,6 +34,9 @@
96  #include "canohost.h"
97  #include "readpass.h"
98  
99 +#include <security/pam_misc.h>
100 +#include "pam_userpass.h"
101 +
102  extern char *__progname;
103  
104  RCSID("$Id$");
105 @@ -45,13 +48,13 @@
106         struct pam_response **resp, void *appdata_ptr);
107  
108  /* module-local variables */
109 +static pam_userpass_t userpass;
110  static struct pam_conv conv = {
111         do_pam_conversation,
112 -       NULL
113 +       &userpass
114  };
115  static char *__pam_msg = NULL;
116  static pam_handle_t *__pamh = NULL;
117 -static const char *__pampasswd = NULL;
118  
119  /* states for do_pam_conversation() */
120  enum { INITIAL_LOGIN, OTHER } pamstate = INITIAL_LOGIN;
121 @@ -83,18 +86,45 @@
122   * PAM conversation function.
123   * There are two states this can run in.
124   *
125 - * INITIAL_LOGIN mode simply feeds the password from the client into
126 - * PAM in response to PAM_PROMPT_ECHO_OFF, and collects output
127 - * messages with into __pam_msg.  This is used during initial
128 - * authentication to bypass the normal PAM password prompt.
129 + * INITIAL_LOGIN mode simply feeds the username and the password from
130 + * the client into PAM via Linux-PAM binary prompts and queues any text
131 + * messages for printing later.
132   *
133 - * OTHER mode handles PAM_PROMPT_ECHO_OFF with read_passphrase()
134 - * and outputs messages to stderr. This mode is used if pam_chauthtok()
135 - * is called to update expired passwords.
136 + * OTHER mode is a regular PAM conversation.  This mode is used if
137 + * pam_chauthtok() is called to update expired passwords.
138   */
139  static int do_pam_conversation(int num_msg, const struct pam_message **msg,
140         struct pam_response **resp, void *appdata_ptr)
141  {
142 +       if (pamstate == INITIAL_LOGIN) {
143 +               int i, status;
144 +
145 +               status = pam_userpass_conv(num_msg, msg, resp, appdata_ptr);
146 +               if (status != PAM_CONV_ERR)
147 +                       return status;
148 +
149 +               if (!(*resp = malloc(num_msg * sizeof(struct pam_response))))
150 +                       return PAM_CONV_ERR;
151 +               for (i = 0; i < num_msg; i++) {
152 +                       switch (msg[i]->msg_style) {
153 +                       case PAM_ERROR_MSG:
154 +                       case PAM_TEXT_INFO:
155 +                               message_cat(&__pam_msg, msg[i]->msg);
156 +                               (*resp)[i].resp_retcode = PAM_SUCCESS;
157 +                               (*resp)[i].resp = NULL;
158 +                               continue;
159 +                       default:
160 +                               free(*resp);
161 +                               *resp = NULL;
162 +                               return PAM_CONV_ERR;
163 +                       }
164 +               }
165 +               return PAM_SUCCESS;
166 +       }
167 +
168 +       return misc_conv(num_msg, msg, resp, appdata_ptr);
169 +
170 +#if 0
171         struct pam_response *reply;
172         int count;
173         char buf[1024];
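Review bot: The INITIAL_LOGIN fallback sizes its reply array with `malloc(num_msg * sizeof(struct pam_response))` without validating `num_msg`, which is supplied by the PAM module; a zero or negative count reaches malloc as a zero or very large size. Rejecting it first with `if (num_msg <= 0 || num_msg > PAM_MAX_NUM_MSG) return PAM_CONV_ERR;` makes the bound explicit. The previous body is kept under `#if 0` rather than deleted, which leaves unreachable password-handling code in an authentication path; removing it would make the function easier to audit. The function's body continues outside this hunk.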
174 @@ -170,6 +200,7 @@
175         *resp = reply;
176  
177         return PAM_SUCCESS;
178 +#endif
179  }
180  
181  /* Called at exit to cleanly shutdown PAM */
182 @@ -221,7 +252,8 @@
183         if (*password == '\0' && options.permit_empty_passwd == 0)
184                 return 0;
185  
186 -       __pampasswd = password;
187 +       userpass.user = pw ? pw->pw_name : "ILLEGAL USER";
188 +       userpass.pass = password;
189  
190         pamstate = INITIAL_LOGIN;
191         pam_retval = do_pam_authenticate(
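Review bot: `userpass.user` and `userpass.pass` live in a file-scope static and point at the passwd entry and the caller's password buffer, and nothing in the visible lines resets them once authentication finishes; the rest of the function is outside this hunk. If they are not cleared there, a later conversation callback that still runs in INITIAL_LOGIN state would follow stale pointers to credentials. Consider `userpass.user = userpass.pass = NULL;` right after do_pam_authenticate() returns, paired with a check in pam_userpass_conv() that returns PAM_CONV_ERR when either field is NULL.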
192 diff -urN openssh-3.4p1-owl-always-auth/pam_userpass.h openssh-3.4p1/pam_userpass.h
193 --- openssh-3.4p1-owl-always-auth/pam_userpass.h        Thu Jan  1 03:00:00 1970
194 +++ openssh-3.4p1/pam_userpass.h        Mon Jul  1 23:11:30 2002
195 @@ -0,0 +1,14 @@
196 +#ifndef _PAM_USERPASS_H
197 +#define _PAM_USERPASS_H
198 +
199 +#include <security/pam_appl.h>
200 +
201 +typedef struct {
202 +       const char *user;
203 +       const char *pass;
204 +} pam_userpass_t;
205 +
206 +extern int pam_userpass_conv(int num_msg, const struct pam_message **msg,
207 +       struct pam_response **resp, void *appdata_ptr);
208 +
209 +#endif
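Review bot: pam_userpass_t carries no comment on who owns `user` and `pass`, while pam_userpass_conv() in appl_userpass.c calls strlen() and strcpy() on both without copying them or checking for NULL. A comment above the typedef such as `/* user and pass are borrowed, NUL-terminated strings; both must be non-NULL and stay valid while the conversation function can be called */` would record that contract for callers.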