- Make distclean now removed configure script

- Improved PAM logging
 - Added some debug() calls for PAM
This commit is contained in:
Damien Miller 1999-10-29 11:49:20 +10:00
parent 070f7a1fd0
commit 07a826d854
3 changed files with 67 additions and 35 deletions

View File

@ -3,6 +3,9 @@
- Incorporated latest changes from OpenBSD's CVS - Incorporated latest changes from OpenBSD's CVS
- Integrated Makefile patch from Niels Kristian Bech Jensen <nkbj@image.dk> - Integrated Makefile patch from Niels Kristian Bech Jensen <nkbj@image.dk>
- Integrated PAM env patch from Nalin Dahyabhai <nalin.dahyabhai@pobox.com> - Integrated PAM env patch from Nalin Dahyabhai <nalin.dahyabhai@pobox.com>
- Make distclean now removed configure script
- Improved PAM logging
- Added some debug() calls for PAM
19991028 19991028
- Further PAM enhancements. - Further PAM enhancements.

View File

@ -76,7 +76,7 @@ install:
install -m644 -c sshd.8 $(mandir)/man8/sshd.8 install -m644 -c sshd.8 $(mandir)/man8/sshd.8
distclean: clean distclean: clean
rm -f Makefile config.h *~ rm -f Makefile config.h core configure *~
rm -rf bin rm -rf bin
mrproper: distclean mrproper: distclean

89
sshd.c
View File

@ -18,7 +18,7 @@ agent connections.
*/ */
#include "includes.h" #include "includes.h"
RCSID("$Id: sshd.c,v 1.7 1999/10/29 00:21:15 damien Exp $"); RCSID("$Id: sshd.c,v 1.8 1999/10/29 01:49:20 damien Exp $");
#include "xmalloc.h" #include "xmalloc.h"
#include "rsa.h" #include "rsa.h"
@ -188,40 +188,63 @@ static int pamconv(int num_msg, const struct pam_message **msg,
void pam_cleanup_proc(void *context) void pam_cleanup_proc(void *context)
{ {
int retval; int pam_retval;
if (pamh != NULL) if (pamh != NULL)
{ {
retval = pam_close_session((pam_handle_t *)pamh, 0); pam_retval = pam_close_session((pam_handle_t *)pamh, 0);
if (pam_retval != PAM_SUCCESS)
{
log("Cannot close PAM session: %.200s",
pam_strerror((pam_handle_t *)pamh, pam_retval));
}
if (pam_end((pam_handle_t *)pamh, retval) != PAM_SUCCESS) pam_retval = pam_end((pam_handle_t *)pamh, pam_retval);
log("Cannot release PAM authentication."); if (pam_retval != PAM_SUCCESS)
{
log("Cannot release PAM authentication: %.200s",
pam_strerror((pam_handle_t *)pamh, pam_retval));
}
} }
} }
void do_pam_account_and_session(const char *username, const char *password, const char *remote_user, const char *remote_host) void do_pam_account_and_session(const char *username, const char *password, const char *remote_user, const char *remote_host)
{ {
if (remote_host && (PAM_SUCCESS != pam_set_item((pam_handle_t *)pamh, PAM_RHOST, remote_host))) int pam_retval;
if (remote_host != NULL)
{ {
log("PAM setup failed."); debug("PAM setting rhost to \"%.200s\"", remote_host);
pam_retval = pam_set_item((pam_handle_t *)pamh, PAM_RHOST, remote_host);
if (pam_retval != PAM_SUCCESS)
{
log("PAM set rhost failed: %.200s", pam_strerror((pam_handle_t *)pamh, pam_retval));
eat_packets_and_disconnect(username);
}
}
if (remote_user != NULL)
{
debug("PAM setting ruser to \"%.200s\"", remote_user);
pam_retval = pam_set_item((pam_handle_t *)pamh, PAM_RUSER, remote_user);
if (pam_retval != PAM_SUCCESS)
{
log("PAM set ruser failed: %.200s", pam_strerror((pam_handle_t *)pamh, pam_retval));
eat_packets_and_disconnect(username);
}
}
pam_retval = pam_acct_mgmt((pam_handle_t *)pamh, 0);
if (pam_retval != PAM_SUCCESS)
{
log("PAM rejected by account configuration: %.200s", pam_strerror((pam_handle_t *)pamh, pam_retval));
eat_packets_and_disconnect(username); eat_packets_and_disconnect(username);
} }
if (remote_user && (PAM_SUCCESS != pam_set_item((pam_handle_t *)pamh, PAM_RUSER, remote_user))) pam_retval = pam_open_session((pam_handle_t *)pamh, 0);
if (pam_retval != PAM_SUCCESS)
{ {
log("PAM setup failed."); log("PAM session setup failed: %.200s", pam_strerror((pam_handle_t *)pamh, pam_retval));
eat_packets_and_disconnect(username);
}
if (PAM_SUCCESS != pam_acct_mgmt((pam_handle_t *)pamh, 0))
{
log("PAM rejected by account configuration.");
eat_packets_and_disconnect(username);
}
if (PAM_SUCCESS != pam_open_session((pam_handle_t *)pamh, 0))
{
log("PAM session setup failed.");
eat_packets_and_disconnect(username); eat_packets_and_disconnect(username);
} }
} }
@ -815,8 +838,10 @@ main(int ac, char **av)
if (pamh != NULL) if (pamh != NULL)
{ {
debug("Closing PAM session.");
retval = pam_close_session((pam_handle_t *)pamh, 0); retval = pam_close_session((pam_handle_t *)pamh, 0);
debug("Terminating PAM library.");
if (pam_end((pam_handle_t *)pamh, retval) != PAM_SUCCESS) if (pam_end((pam_handle_t *)pamh, retval) != PAM_SUCCESS)
log("Cannot release PAM authentication."); log("Cannot release PAM authentication.");
@ -1111,6 +1136,9 @@ do_authentication(char *user, int privileged_port)
char *client_user = NULL; char *client_user = NULL;
unsigned int client_host_key_bits; unsigned int client_host_key_bits;
BIGNUM *client_host_key_e, *client_host_key_n; BIGNUM *client_host_key_e, *client_host_key_n;
#ifdef HAVE_LIBPAM
int pam_retval;
#endif /* HAVE_LIBPAM */
#ifdef AFS #ifdef AFS
/* If machine has AFS, set process authentication group. */ /* If machine has AFS, set process authentication group. */
@ -1136,14 +1164,13 @@ do_authentication(char *user, int privileged_port)
pw = &pwcopy; pw = &pwcopy;
#ifdef HAVE_LIBPAM #ifdef HAVE_LIBPAM
if (PAM_SUCCESS != pam_start("sshd", pw->pw_name, &conv, (pam_handle_t**)&pamh)) debug("Starting up PAM with username \"%.200s\"", pw->pw_name);
pam_retval = pam_start("sshd", pw->pw_name, &conv, (pam_handle_t**)&pamh);
if (pam_retval != PAM_SUCCESS)
{ {
packet_start(SSH_SMSG_FAILURE); log("PAM initialisation failed: %.200s", pam_strerror((pam_handle_t *)pamh, pam_retval));
packet_send(); eat_packets_and_disconnect(user);
packet_write_wait();
packet_disconnect("PAM initialisation failed.");
} }
fatal_add_cleanup(&pam_cleanup_proc, NULL); fatal_add_cleanup(&pam_cleanup_proc, NULL);
#endif #endif
@ -1406,14 +1433,16 @@ do_authentication(char *user, int privileged_port)
#ifdef HAVE_LIBPAM #ifdef HAVE_LIBPAM
pampasswd = password; pampasswd = password;
if (PAM_SUCCESS == pam_authenticate((pam_handle_t *)pamh, 0)) pam_retval = pam_authenticate((pam_handle_t *)pamh, 0);
if (pam_retval == PAM_SUCCESS)
{ {
log("PAM Password authentication accepted for %.100s.", user); log("PAM Password authentication accepted for \"%.100s\"", user);
authenticated = 1; authenticated = 1;
break; break;
} else } else
{ {
log("PAM Password authentication for %.100s failed.", user); log("PAM Password authentication for \"%.100s\" failed: %s",
user, pam_strerror((pam_handle_t *)pamh, pam_retval));
break; break;
} }
#else /* HAVE_LIBPAM */ #else /* HAVE_LIBPAM */