From 77fc29eeb382974ae063227c249ee3b98646e38a Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Sat, 11 Sep 2004 23:07:03 +1000 Subject: [PATCH] - (dtucker) [auth-pam.c auth.h auth2-none.c auth2.c monitor.c monitor_wrap.c] Bug #892: Send messages from failing PAM account modules to the client via SSH2_MSG_USERAUTH_BANNER messages. Note that this will not happen with SSH2 kbdint authentication, which need to be dealt with separately. ok djm@ --- ChangeLog | 6 +++++- auth-pam.c | 10 ++++++---- auth.h | 1 + auth2-none.c | 19 ++++++++++++++----- auth2.c | 15 +++++++++++++-- monitor.c | 3 +++ monitor_wrap.c | 5 +++++ 7 files changed, 47 insertions(+), 12 deletions(-) diff --git a/ChangeLog b/ChangeLog index 85366cbb1..0c0d2c6fc 100644 --- a/ChangeLog +++ b/ChangeLog @@ -6,6 +6,10 @@ - (dtucker) [auth-pam.c] Relocate sshpam_store_conv(), no code change. - (djm) [auth2-kbdint.c auth2-none.c auth2-passwd.c auth2-pubkey.c] Make cygwin code more consistent with that which surrounds it + - (dtucker) [auth-pam.c auth.h auth2-none.c auth2.c monitor.c monitor_wrap.c] + Bug #892: Send messages from failing PAM account modules to the client via + SSH2_MSG_USERAUTH_BANNER messages. Note that this will not happen with + SSH2 kbdint authentication, which need to be dealt with separately. ok djm@ 20040830 - (dtucker) [session.c openbsd-compat/bsd-cygwin_util.{c,h}] Bug #915: only @@ -1725,4 +1729,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.3543 2004/09/11 12:42:09 djm Exp $ +$Id: ChangeLog,v 1.3544 2004/09/11 13:07:03 dtucker Exp $ diff --git a/auth-pam.c b/auth-pam.c index 4ad86de9e..0a6817d63 100644 --- a/auth-pam.c +++ b/auth-pam.c @@ -47,7 +47,7 @@ /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */ #include "includes.h" -RCSID("$Id: auth-pam.c,v 1.116 2004/09/11 12:28:02 dtucker Exp $"); +RCSID("$Id: auth-pam.c,v 1.117 2004/09/11 13:07:03 dtucker Exp $"); #ifdef USE_PAM #if defined(HAVE_SECURITY_PAM_APPL_H) @@ -572,7 +572,7 @@ sshpam_init(Authctxt *authctxt) } debug("PAM: initializing for \"%s\"", user); sshpam_err = - pam_start(SSHD_PAM_SERVICE, user, &null_conv, &sshpam_handle); + pam_start(SSHD_PAM_SERVICE, user, &store_conv, &sshpam_handle); sshpam_authctxt = authctxt; if (sshpam_err != PAM_SUCCESS) { @@ -804,11 +804,13 @@ finish_pam(void) u_int do_pam_account(void) { + debug("%s: called", __func__); if (sshpam_account_status != -1) return (sshpam_account_status); sshpam_err = pam_acct_mgmt(sshpam_handle, 0); - debug3("PAM: %s pam_acct_mgmt = %d", __func__, sshpam_err); + debug3("PAM: %s pam_acct_mgmt = %d (%s)", __func__, sshpam_err, + pam_strerror(sshpam_handle, sshpam_err)); if (sshpam_err != PAM_SUCCESS && sshpam_err != PAM_NEW_AUTHTOK_REQD) { sshpam_account_status = 0; @@ -838,7 +840,7 @@ void do_pam_setcred(int init) { sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, - (const void *)&null_conv); + (const void *)&store_conv); if (sshpam_err != PAM_SUCCESS) fatal("PAM: failed to set PAM_CONV: %s", pam_strerror(sshpam_handle, sshpam_err)); diff --git a/auth.h b/auth.h index 2f094403d..760337bea 100644 --- a/auth.h +++ b/auth.h @@ -137,6 +137,7 @@ void do_authentication2(Authctxt *); void auth_log(Authctxt *, int, char *, char *); void userauth_finish(Authctxt *, int, char *); +void userauth_send_banner(const char *); int auth_root_allowed(char *); char *auth2_read_banner(void); diff --git a/auth2-none.c b/auth2-none.c index 787458dad..1c30a3203 100644 --- a/auth2-none.c +++ b/auth2-none.c @@ -74,6 +74,19 @@ auth2_read_banner(void) return (banner); } +void +userauth_send_banner(const char *msg) +{ + if (datafellows & SSH_BUG_BANNER) + return; + + packet_start(SSH2_MSG_USERAUTH_BANNER); + packet_put_cstring(msg); + packet_put_cstring(""); /* language, unused */ + packet_send(); + debug("%s: sent", __func__); +} + static void userauth_banner(void) { @@ -84,12 +97,8 @@ userauth_banner(void) if ((banner = PRIVSEP(auth2_read_banner())) == NULL) goto done; + userauth_send_banner(banner); - packet_start(SSH2_MSG_USERAUTH_BANNER); - packet_put_cstring(banner); - packet_put_cstring(""); /* language, unused */ - packet_send(); - debug("userauth_banner: sent"); done: if (banner) xfree(banner); diff --git a/auth2.c b/auth2.c index b98309576..57e6db46b 100644 --- a/auth2.c +++ b/auth2.c @@ -35,6 +35,7 @@ RCSID("$OpenBSD: auth2.c,v 1.107 2004/07/28 09:40:29 markus Exp $"); #include "dispatch.h" #include "pathnames.h" #include "monitor_wrap.h" +#include "buffer.h" #ifdef GSSAPI #include "ssh-gss.h" @@ -44,6 +45,7 @@ RCSID("$OpenBSD: auth2.c,v 1.107 2004/07/28 09:40:29 markus Exp $"); extern ServerOptions options; extern u_char *session_id2; extern u_int session_id2_len; +extern Buffer loginmsg; /* methods */ @@ -216,8 +218,17 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method) authenticated = 0; #ifdef USE_PAM - if (options.use_pam && authenticated && !PRIVSEP(do_pam_account())) - authenticated = 0; + if (options.use_pam && authenticated) { + if (!PRIVSEP(do_pam_account())) { + authenticated = 0; + /* if PAM returned a message, send it to the user */ + if (buffer_len(&loginmsg) > 0) { + buffer_append(&loginmsg, "\0", 1); + userauth_send_banner(buffer_ptr(&loginmsg)); + buffer_clear(&loginmsg); + } + } + } #endif #ifdef _UNICOS diff --git a/monitor.c b/monitor.c index b7463400e..00d4a785f 100644 --- a/monitor.c +++ b/monitor.c @@ -810,6 +810,9 @@ mm_answer_pam_account(int sock, Buffer *m) ret = do_pam_account(); buffer_put_int(m, ret); + buffer_append(&loginmsg, "\0", 1); + buffer_put_cstring(m, buffer_ptr(&loginmsg)); + buffer_clear(&loginmsg); mm_request_send(sock, MONITOR_ANS_PAM_ACCOUNT, m); diff --git a/monitor_wrap.c b/monitor_wrap.c index 0d7a0e3bd..23857639b 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c @@ -72,6 +72,7 @@ extern struct monitor *pmonitor; extern Buffer input, output; extern Buffer loginmsg; extern ServerOptions options; +extern Buffer loginmsg; int mm_is_monitor(void) @@ -716,6 +717,7 @@ mm_do_pam_account(void) { Buffer m; u_int ret; + char *msg; debug3("%s entering", __func__); if (!options.use_pam) @@ -727,6 +729,9 @@ mm_do_pam_account(void) mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_ACCOUNT, &m); ret = buffer_get_int(&m); + msg = buffer_get_string(&m, NULL); + buffer_append(&loginmsg, msg, strlen(msg)); + xfree(msg); buffer_free(&m);