From 92ddb7d6f0d6a1942e27f75883d29dc0ea99223f Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 14 Feb 2001 01:25:23 +1100 Subject: [PATCH] - (djm) Split out and improve OSF SIA auth code. Patch from Chris Adams with a little modification and KNF. --- ChangeLog | 4 ++- Makefile.in | 4 +-- auth-sia.c | 96 +++++++++++++++++++++++++++++++++++++++++++++++++++++ auth-sia.h | 8 +++++ auth1.c | 18 +++------- auth2.c | 19 ++--------- session.c | 20 +---------- 7 files changed, 116 insertions(+), 53 deletions(-) create mode 100644 auth-sia.c create mode 100644 auth-sia.h diff --git a/ChangeLog b/ChangeLog index 115d7aebc..6d07d0105 100644 --- a/ChangeLog +++ b/ChangeLog @@ -6,6 +6,8 @@ from Nalin Dahyabhai - (bal) Missing function prototype in bsd-snprintf.c patch by Mark Miller + - (djm) Split out and improve OSF SIA auth code. Patch from Chris Adams + with a little modification and KNF. 20010213 - (djm) Only test -S potential EGD sockets if they exist and are readable. @@ -3922,4 +3924,4 @@ - Wrote replacements for strlcpy and mkdtemp - Released 1.0pre1 -$Id: ChangeLog,v 1.757 2001/02/13 14:05:59 mouring Exp $ +$Id: ChangeLog,v 1.758 2001/02/13 14:25:23 djm Exp $ diff --git a/Makefile.in b/Makefile.in index f64e25504..f9c48d29a 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.150 2001/02/09 13:40:03 djm Exp $ +# $Id: Makefile.in,v 1.151 2001/02/13 14:25:23 djm Exp $ prefix=@prefix@ exec_prefix=@exec_prefix@ @@ -48,7 +48,7 @@ LIBSSH_OBJS=atomicio.o authfd.o authfile.o bufaux.o buffer.o canohost.o channels SSHOBJS= ssh.o sshconnect.o sshconnect1.o sshconnect2.o log-client.o readconf.o clientloop.o -SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth-chall.o auth2-chall.o auth-rhosts.o auth-options.o auth-krb4.o auth-pam.o auth2-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o dh.o pty.o log-server.o login.o loginrec.o servconf.o serverloop.o md5crypt.o session.o groupaccess.o +SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth-chall.o auth2-chall.o auth-rhosts.o auth-options.o auth-krb4.o auth-pam.o auth2-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o auth-sia.o dh.o pty.o log-server.o login.o loginrec.o servconf.o serverloop.o md5crypt.o session.o groupaccess.o TROFFMAN = scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 CATMAN = scp.0 ssh-add.0 ssh-agent.0 ssh-keygen.0 ssh-keyscan.0 ssh.0 sshd.0 sftp-server.0 sftp.0 diff --git a/auth-sia.c b/auth-sia.c new file mode 100644 index 000000000..6fece555d --- /dev/null +++ b/auth-sia.c @@ -0,0 +1,96 @@ +#include "includes.h" + +#ifdef HAVE_OSF_SIA +#include "ssh.h" +#include "auth-sia.h" +#include "log.h" +#include "servconf.h" +#include "canohost.h" + +#include +#include +#include +#include +#include +#include +#include +#include + +extern ServerOptions options; +extern int saved_argc; +extern char **saved_argv; + +extern int errno; + +int +auth_sia_password(char *user, char *pass) +{ + int ret; + SIAENTITY *ent = NULL; + const char *host; + + host = get_canonical_hostname(options.reverse_mapping_check); + + if (!user || !pass) + return(0); + + if (sia_ses_init(&ent, saved_argc, saved_argv, host, user, NULL, 0, + NULL) != SIASUCCESS) + return(0); + + if ((ret = sia_ses_authent(NULL, pass, ent)) != SIASUCCESS) { + error("couldn't authenticate %s from %s", user, host); + if (ret & SIASTOP) + sia_ses_release(&ent); + return(0); + } + + sia_ses_release(&ent); + + return(1); +} + +void +session_setup_sia(char *user, char *tty) +{ + int ret; + struct passwd *pw; + SIAENTITY *ent = NULL; + const char *host; + + host = get_canonical_hostname (options.reverse_mapping_check); + + if (sia_ses_init(&ent, saved_argc, saved_argv, host, user, tty, 0, + NULL) != SIASUCCESS) + fatal("sia_ses_init failed"); + + if ((pw = getpwnam(user)) == NULL) { + sia_ses_release(&ent); + fatal("getpwnam(%s) failed: %s", user, strerror(errno)); + } + if (sia_make_entity_pwd(pw, ent) != SIASUCCESS) { + sia_ses_release(&ent); + fatal("sia_make_entity_pwd failed"); + } + + ent->authtype = SIA_A_NONE; + if (sia_ses_estab(sia_collect_trm, ent) != SIASUCCESS) + fatal("couldn't establish session for %s from %s", user, + host); + + if (setpriority(PRIO_PROCESS, 0, 0) == -1) { + sia_ses_release(&ent); + fatal("setpriority failed: %s", strerror (errno)); + } + + if (sia_ses_launch(sia_collect_trm, ent) != SIASUCCESS) + fatal("couldn't launch session for %s from %s", user, host); + + sia_ses_release(&ent); + + if (setreuid(geteuid(), geteuid()) < 0) + fatal("setreuid failed: %s", strerror (errno)); +} + +#endif /* HAVE_OSF_SIA */ + diff --git a/auth-sia.h b/auth-sia.h new file mode 100644 index 000000000..eaa933322 --- /dev/null +++ b/auth-sia.h @@ -0,0 +1,8 @@ +#include "includes.h" + +#ifdef HAVE_OSF_SIA + +int auth_sia_password(char *user, char *pass); +void session_setup_sia(char *user, char *tty); + +#endif /* HAVE_OSF_SIA */ diff --git a/auth1.c b/auth1.c index a7693df59..31034262b 100644 --- a/auth1.c +++ b/auth1.c @@ -12,11 +12,6 @@ #include "includes.h" RCSID("$OpenBSD: auth1.c,v 1.15 2001/02/07 22:35:45 markus Exp $"); -#ifdef HAVE_OSF_SIA -# include -# include -#endif - #include "xmalloc.h" #include "rsa.h" #include "ssh1.h" @@ -36,10 +31,6 @@ extern char *forced_command; #ifdef WITH_AIXAUTHENTICATE extern char *aixloginmsg; #endif /* WITH_AIXAUTHENTICATE */ -#ifdef HAVE_OSF_SIA -extern int saved_argc; -extern char **saved_argv; -#endif /* HAVE_OSF_SIA */ /* * convert ssh auth msg type into description @@ -98,6 +89,8 @@ do_authloop(Authctxt *authctxt) #endif #ifdef USE_PAM auth_pam_password(pw, "")) { +#elif defined(HAVE_OSF_SIA) + 0) { #else auth_password(pw, "")) { #endif @@ -265,11 +258,8 @@ do_authloop(Authctxt *authctxt) authenticated = auth_pam_password(pw, password); #elif defined(HAVE_OSF_SIA) /* Do SIA auth with password */ - if (sia_validate_user(NULL, saved_argc, saved_argv, - get_canonical_hostname(options.reverse_mapping_check), - authctxt->user?authctxt->user:"NOUSER", NULL, - 0, NULL, password) == SIASUCCESS) - authenticated = 1; + authenticated = auth_sia_password(authctxt->user, + password); #else /* !USE_PAM && !HAVE_OSF_SIA */ /* Try authentication with the password. */ authenticated = auth_password(pw, password); diff --git a/auth2.c b/auth2.c index c887283a3..b74920578 100644 --- a/auth2.c +++ b/auth2.c @@ -25,11 +25,6 @@ #include "includes.h" RCSID("$OpenBSD: auth2.c,v 1.40 2001/02/10 12:52:02 markus Exp $"); -#ifdef HAVE_OSF_SIA -# include -# include -#endif - #include #include "ssh2.h" @@ -61,10 +56,6 @@ extern int session_id2_len; #ifdef WITH_AIXAUTHENTICATE extern char *aixloginmsg; #endif -#ifdef HAVE_OSF_SIA -extern int saved_argc; -extern char **saved_argv; -#endif static Authctxt *x_authctxt = NULL; static int one = 1; @@ -346,10 +337,7 @@ userauth_none(Authctxt *authctxt) #ifdef USE_PAM return auth_pam_password(authctxt->pw, ""); #elif defined(HAVE_OSF_SIA) - return (sia_validate_user(NULL, saved_argc, saved_argv, - get_canonical_hostname(options.reverse_mapping_check), - authctxt->user?authctxt->user:"NOUSER", NULL, 0, - NULL, "") == SIASUCCESS); + return 0; #else /* !HAVE_OSF_SIA && !USE_PAM */ return auth_password(authctxt->pw, ""); #endif /* USE_PAM */ @@ -374,10 +362,7 @@ userauth_passwd(Authctxt *authctxt) #ifdef USE_PAM auth_pam_password(authctxt->pw, password) == 1) #elif defined(HAVE_OSF_SIA) - sia_validate_user(NULL, saved_argc, saved_argv, - get_canonical_hostname(options.reverse_mapping_check), - authctxt->user?authctxt->user:"NOUSER", NULL, 0, NULL, - password) == SIASUCCESS) + auth_sia_password(authctxt->user, password) == 1) #else /* !USE_PAM && !HAVE_OSF_SIA */ auth_password(authctxt->pw, password) == 1) #endif /* USE_PAM */ diff --git a/session.c b/session.c index 7319df3d1..a9b4d87a3 100644 --- a/session.c +++ b/session.c @@ -72,11 +72,6 @@ RCSID("$OpenBSD: session.c,v 1.55 2001/02/08 19:30:52 itojun Exp $"); #include #endif -#ifdef HAVE_OSF_SIA -# include -# include -#endif - #ifdef HAVE_CYGWIN #include #include @@ -1051,21 +1046,8 @@ do_child(const char *command, struct passwd * pw, const char *term, switch, so we let login(1) to this for us. */ if (!options.use_login) { #ifdef HAVE_OSF_SIA - extern char **saved_argv; - extern int saved_argc; - char *host = get_canonical_hostname(options.reverse_mapping_check); - - if (sia_become_user(NULL, saved_argc, saved_argv, host, - pw->pw_name, ttyname, 0, NULL, NULL, SIA_BEU_SETLUID) != - SIASUCCESS) { - perror("sia_become_user"); - exit(1); - } - if (setreuid(geteuid(), geteuid()) < 0) { - perror("setreuid"); - exit(1); - } #else /* HAVE_OSF_SIA */ + session_setup_sia(pw->pw_name, ttyname); #ifdef HAVE_CYGWIN if (is_winnt) { #else