Commit Graph

162 Commits

Author SHA1 Message Date
djm@openbsd.org
7c85685760 upstream: switch over to the new authorized_keys options API and
remove the legacy one.

Includes a fairly big refactor of auth2-pubkey.c to retain less state
between key file lines.

feedback and ok markus@

OpenBSD-Commit-ID: dece6cae0f47751b9892080eb13d6625599573df
2018-03-03 14:37:16 +11:00
Damien Miller
94bc1e7ffb Expose list of completed auth methods to PAM
bz#2408; ok dtucker@
2017-07-28 15:04:00 +10:00
Darren Tucker
608ec1f62f Remove SSHv1 code path.
Server-side support for Protocol 1 has been removed so remove !compat20
PAM code path.
2017-03-29 09:50:54 +11:00
Darren Tucker
bee0167be2 Check for NULL from malloc.
Part of bz#2687, from jjelen at redhat.com.
2017-03-10 13:40:18 +11:00
Darren Tucker
e0259a82dd Remove do_pam_set_tty which is dead code.
The callers of do_pam_set_tty were removed in 2008, so this is now dead
code.  bz#2604, pointed out by jjelen at redhat.com.
2016-10-15 04:34:46 +11:00
Damien Miller
8bd81e1596 add --with-pam-service to specify PAM service name
Saves messing around with CFLAGS to do it.
2016-08-16 13:37:26 +10:00
Damien Miller
10358abd08 retry waitpid on EINTR failure
patch from Jakub Jelen on bz#2581; ok dtucker@
2016-07-22 14:07:08 +10:00
Darren Tucker
01558b7b07 Handle PAM_MAXTRIES from modules.
bz#2249: handle the case where PAM returns PAM_MAXTRIES by ceasing to offer
password and keyboard-interative authentication methods.  Should prevent
"sshd ignoring max retries" warnings in the log.  ok djm@

It probably won't trigger with keyboard-interactive in the default
configuration because the retry counter is stored in module-private
storage which goes away with the sshd PAM process (see bz#688).  On the
other hand, those cases probably won't log a warning either.
2016-07-18 09:33:25 +10:00
Darren Tucker
283b97ff33 Mitigate timing of disallowed users PAM logins.
When sshd decides to not allow a login (eg PermitRootLogin=no) and
it's using PAM, it sends a fake password to PAM so that the timing for
the failure is not noticeably different whether or not the password
is correct.  This behaviour can be detected by sending a very long
password string which is slower to hash than the fake password.

Mitigate by constructing an invalid password that is the same length
as the one from the client and thus takes the same time to hash.
Diff from djm@
2016-07-15 13:49:44 +10:00
Darren Tucker
009891afc8 Remove duplicate code from PAM. ok djm@ 2016-06-17 14:34:09 +10:00
Darren Tucker
39c0cecaa1 Fix comment about sshpam_const and AIX.
From mschwager via github.
2016-05-20 10:01:58 +10:00
Damien Miller
3ed9218c33 unbreak PAM after canohost refactor 2016-03-08 14:01:29 -08:00
Damien Miller
5ef4b0fdcc avoid FreeBSD RCS Id in comment
Change old $FreeBSD version string in comment so it doesn't
become an RCS ident downstream; requested by des AT des.no
2016-02-05 10:45:23 +11:00
Darren Tucker
d1680d36e1 xrealloc -> xreallocarray in portable code too. 2015-04-30 09:18:11 +10:00
Darren Tucker
53f8e784dc - (dtucker) [auth-pam.c] bz#2163: check return value from pam_get_item().
Patch from Loganaden Velvindron.
2013-12-19 11:31:44 +11:00
Darren Tucker
f60845fde2 - (dtucker) [M auth-chall.c auth-krb5.c auth-pam.c cipher-aes.c cipher-ctr.c
groupaccess.c loginrec.c monitor.c monitor_wrap.c session.c sshd.c
   sshlogin.c uidswap.c openbsd-compat/bsd-cygwin_util.c
   openbsd-compat/getrrsetbyname-ldns.c openbsd-compat/port-aix.c
   openbsd-compat/port-linux.c] Replace portable-specific instances of xfree
   with the equivalent calls to free.
2013-06-02 08:07:31 +10:00
Darren Tucker
622d5c561b - (dtucker) [auth-pam.c] Bug #1534: move the deletion of PAM credentials on
logout to after the session close.  Patch from Anicka Bernathova, ok djm.
2009-07-12 22:07:21 +10:00
Darren Tucker
52358d6df3 - (dtucker) [auth-pam.c monitor.c session.c sshd.c] Bug #926: Move
pam_open_session and pam_close_session into the privsep monitor, which
   will ensure that pam_session_close is called as root.  Patch from Tomas
   Mraz.
2008-03-11 22:58:25 +11:00
Darren Tucker
57d4ca9681 - (dtucker) [auth-pam.c] Use sigdie here too. ok djm@ 2007-08-10 14:32:34 +10:00
Darren Tucker
2216471510 - (dtucker) [auth-pam.c] Return empty string if fgets fails in
sshpam_tty_conv.  Patch from ldv at altlinux.org.
2007-05-20 15:26:07 +10:00
Darren Tucker
29171e9f5c - (dtucker) [auth-pam.c] malloc+memset -> calloc. Patch from
ldv at altlinux.org.
2007-05-20 15:20:08 +10:00
Darren Tucker
54e1b2291c - (dtucker) [auth-pam.c] Propogate TZ environment variable to PAM auth
process so that any logging it does is with the right timezone.  From
   Scott Strickler, ok djm@.
2006-09-17 11:57:46 +10:00
Damien Miller
ded319cca2 - (djm) [audit-bsm.c audit.c auth-bsdauth.c auth-chall.c auth-pam.c]
[auth-rsa.c auth-shadow.c auth-sia.c auth1.c auth2-chall.c]
   [auth2-gss.c auth2-kbdint.c auth2-none.c authfd.c authfile.c]
   [cipher-3des1.c cipher-aes.c cipher-bf1.c cipher-ctr.c clientloop.c]
   [dh.c dns.c entropy.c gss-serv-krb5.c gss-serv.c hostfile.c kex.c]
   [kexdhc.c kexdhs.c kexgexc.c kexgexs.c key.c loginrec.c mac.c]
   [md5crypt.c monitor.c monitor_wrap.c readconf.c rsa.c]
   [scard-opensc.c scard.c session.c ssh-add.c ssh-agent.c ssh-dss.c]
   [ssh-keygen.c ssh-keysign.c ssh-rsa.c ssh.c sshconnect.c]
   [sshconnect1.c sshconnect2.c sshd.c rc4.diff]
   [openbsd-compat/bsd-cray.c openbsd-compat/port-aix.c]
   [openbsd-compat/port-linux.c openbsd-compat/port-solaris.c]
   [openbsd-compat/port-uw.c]
   Lots of headers for SCO OSR6, mainly adding stdarg.h for log.h;
   compile problems reported by rac AT tenzing.org
2006-09-01 15:38:36 +10:00
Damien Miller
75bb664458 - (djm) [auth-pam.c auth-shadow.c auth2-none.c cleanup.c sshd.c]
[openbsd-compat/port-tun.c openbsd-compat/port-tun.h] Sprinkle more
   includes for Linux in
2006-08-05 14:07:20 +10:00
Damien Miller
4cbfe8ebeb - (djm) [auth-pam.c auth.c bufaux.h entropy.c openbsd-compat/port-tun.c]
remove last traces of bufaux.h - it was merged into buffer.h in the big
   includes.h commit
2006-08-05 12:49:30 +10:00
Damien Miller
2ab323e0bd - (djm) [auth-pam.c defines.h] Move PAM related bits to auth-pam.c 2006-08-05 12:43:32 +10:00
Damien Miller
b8fe89c4d9 - (djm) [acss.c auth-krb5.c auth-options.c auth-pam.c auth-shadow.c]
[canohost.c channels.c cipher-acss.c defines.h dns.c gss-genr.c]
   [gss-serv-krb5.c gss-serv.c log.h loginrec.c logintest.c readconf.c]
   [servconf.c ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh-rand-helper.c]
   [ssh.c sshconnect.c sshd.c openbsd-compat/bindresvport.c]
   [openbsd-compat/bsd-arc4random.c openbsd-compat/bsd-misc.c]
   [openbsd-compat/getrrsetbyname.c openbsd-compat/glob.c]
   [openbsd-compat/mktemp.c openbsd-compat/port-linux.c]
   [openbsd-compat/port-tun.c openbsd-compat/readpassphrase.c]
   [openbsd-compat/setproctitle.c openbsd-compat/xmmap.c]
   make the portable tree compile again - sprinkle unistd.h and string.h
   back in. Don't redefine __unused, as it turned out to be used in
   headers on Linux, and replace its use in auth-pam.c with ARGSUSED
2006-07-24 14:51:00 +10:00
Darren Tucker
341dae59c8 - (dtucker) [auth-krb5.c auth-pam.c] Still more errno.h 2006-07-13 08:45:14 +10:00
Darren Tucker
2c77b7f1c1 - (dtucker) [auth-pam.c] Bug #1188: pass result of do_pam_account back and
do not allow kbdint again after the PAM account check fails.  ok djm@
2006-05-15 17:22:33 +10:00
Darren Tucker
d8093e49bf - (dtucker) [auth-pam.c groupaccess.c monitor.c monitor_wrap.c scard-opensc.c
session.c ssh-rand-helper.c sshd.c openbsd-compat/bsd-cygwin_util.c
   openbsd-compat/setproctitle.c] Convert malloc(foo*bar) -> calloc(foo,bar)
   in Portable-only code; since calloc zeros, remove now-redundant memsets.
   Also add a couple of sanity checks.  With & ok djm@
2006-05-04 16:24:34 +10:00
Damien Miller
36812092ec - djm@cvs.openbsd.org 2006/03/25 01:13:23
[buffer.c channels.c deattack.c misc.c scp.c session.c sftp-client.c]
     [sftp-server.c ssh-agent.c ssh-rsa.c xmalloc.c xmalloc.h auth-pam.c]
     [uidswap.c]
     change OpenSSH's xrealloc() function from being xrealloc(p, new_size)
     to xrealloc(p, new_nmemb, new_itemsize).

     realloc is particularly prone to integer overflows because it is
     almost always allocating "n * size" bytes, so this is a far safer
     API; ok deraadt@
2006-03-26 14:22:47 +11:00
Damien Miller
b0fb6872ed - deraadt@cvs.openbsd.org 2006/03/19 18:51:18
[atomicio.c auth-bsdauth.c auth-chall.c auth-krb5.c auth-options.c]
     [auth-pam.c auth-passwd.c auth-rh-rsa.c auth-rhosts.c auth-rsa.c]
     [auth-shadow.c auth-skey.c auth.c auth1.c auth2-chall.c]
     [auth2-hostbased.c auth2-kbdint.c auth2-none.c auth2-passwd.c]
     [auth2-pubkey.c auth2.c authfd.c authfile.c bufaux.c buffer.c]
     [canohost.c channels.c cipher-3des1.c cipher-acss.c cipher-aes.c]
     [cipher-bf1.c cipher-ctr.c cipher.c cleanup.c clientloop.c compat.c]
     [compress.c deattack.c dh.c dispatch.c dns.c entropy.c fatal.c]
     [groupaccess.c hostfile.c includes.h kex.c kexdh.c kexdhc.c]
     [kexdhs.c kexgex.c kexgexc.c kexgexs.c key.c log.c loginrec.c]
     [loginrec.h logintest.c mac.c match.c md-sha256.c md5crypt.c misc.c]
     [monitor.c monitor_fdpass.c monitor_mm.c monitor_wrap.c msg.c]
     [nchan.c packet.c progressmeter.c readconf.c readpass.c rsa.c]
     [scard.c scp.c servconf.c serverloop.c session.c sftp-client.c]
     [sftp-common.c sftp-glob.c sftp-server.c sftp.c ssh-add.c]
     [ssh-agent.c ssh-dss.c ssh-keygen.c ssh-keyscan.c ssh-keysign.c]
     [ssh-rand-helper.c ssh-rsa.c ssh.c sshconnect.c sshconnect1.c]
     [sshconnect2.c sshd.c sshlogin.c sshpty.c sshtty.c ttymodes.c]
     [uidswap.c uuencode.c xmalloc.c openbsd-compat/bsd-arc4random.c]
     [openbsd-compat/bsd-closefrom.c openbsd-compat/bsd-cygwin_util.c]
     [openbsd-compat/bsd-getpeereid.c openbsd-compat/bsd-misc.c]
     [openbsd-compat/bsd-nextstep.c openbsd-compat/bsd-snprintf.c]
     [openbsd-compat/bsd-waitpid.c openbsd-compat/fake-rfc2553.c]
     RCSID() can die
2006-03-26 00:03:21 +11:00
Damien Miller
66f9eb65ff - (djm) [auth-pam.c] Fix memleak in error path, from Coverity via
elad AT NetBSD.org
2006-03-18 23:04:49 +11:00
Damien Miller
6645e7a70d - (djm) [auth-pam.c clientloop.c includes.h monitor.c session.c]
[sftp-client.c ssh-keysign.c ssh.c sshconnect.c sshconnect2.c]
   [sshd.c openbsd-compat/bsd-misc.c openbsd-compat/bsd-openpty.c]
   [openbsd-compat/glob.c openbsd-compat/mktemp.c]
   [openbsd-compat/readpassphrase.c] Lots of include fixes for
   OpenSolaris
2006-03-15 14:42:54 +11:00
Darren Tucker
1d4ebbf143 Correct format in debug message 2006-01-29 16:46:13 +11:00
Darren Tucker
7b1e695846 - (dtucker) [auth-pam.c] Bug #1028: send final non-query messages from
PAM via keyboard-interactive.  Patch tested by the folks at Vintela.
2005-09-28 22:33:27 +10:00
Damien Miller
37294fb630 - (djm) [auth-pam.c sftp.c] spaces vs. tabs at start of line 2005-07-17 17:18:49 +10:00
Damien Miller
94cf4c8448 - (djm) [acss.c auth-pam.c auth-shadow.c auth-skey.c auth1.c canohost.c]
[cipher-acss.c loginrec.c ssh-rand-helper.c sshd.c] Fix whitespace at EOL
   in portable too ("perl -p -i -e 's/\s+$/\n/' *.[ch]")
2005-07-17 17:04:47 +10:00
Darren Tucker
4f1adad4f6 - (dtucker) [auth-pam.c] Ensure that only one side of the authentication
socketpair stays open on in both the monitor and PAM process.  Patch from
   Joerg Sonnenberger.
2005-07-16 11:33:06 +10:00
Darren Tucker
f08bdb5a7e - (dtucker) [auth-pam.c] Bug #1033: Fix warnings building with PAM on Linux:
warning: dereferencing type-punned pointer will break strict-aliasing rules
  warning: passing arg 3 of `pam_get_item' from incompatible pointer type
  The type-punned pointer fix is based on a patch from SuSE's rpm.  ok djm@
2005-05-26 19:59:48 +10:00
Darren Tucker
328118aa79 - (dtucker) [auth-pam.c] Since people don't seem to be getting the message
that USE_POSIX_THREADS is unsupported, not recommended and generally a bad
   idea, it is now known as UNSUPPORTED_POSIX_THREADS_HACK.  Attempting to use
   USE_POSIX_THREADS will now generate an error so we don't silently change
   behaviour.  ok djm@
2005-05-25 16:18:09 +10:00
Darren Tucker
d5bfa8f9d8 Oops, did not intend to commit this yet 2005-01-20 13:29:51 +11:00
Darren Tucker
d231186fd0 - djm@cvs.openbsd.org 2004/12/22 02:13:19
[cipher-ctr.c cipher.c]
     remove fallback AES support for old OpenSSL, as OpenBSD has had it for
     many years now; ok deraadt@
     (Id sync only: Portable will continue to support older OpenSSLs)
2005-01-20 13:27:56 +11:00
Darren Tucker
36a3d60347 - (dtucker) [auth-pam.c] Bug #971: Prevent leaking information about user
existence via keyboard-interactive/pam, in conjunction with previous
   auth2-chall.c change; with Colin Watson and djm.
2005-01-20 12:43:38 +11:00
Damien Miller
daffc6a115 - (djm) [auth-pam.c] snprintf->strl*, fix server message length calculations 2004-10-16 18:52:44 +10:00
Darren Tucker
77fc29eeb3 - (dtucker) [auth-pam.c auth.h auth2-none.c auth2.c monitor.c monitor_wrap.c]
Bug #892: Send messages from failing PAM account modules to the client via
   SSH2_MSG_USERAUTH_BANNER messages.  Note that this will not happen with
   SSH2 kbdint authentication, which need to be dealt with separately.  ok djm@
2004-09-11 23:07:03 +10:00
Darren Tucker
0a7e3c6c89 - (dtucker) [auth-pam.c] Relocate sshpam_store_conv(), no code change. 2004-09-11 22:28:01 +10:00
Darren Tucker
69687f4b65 - (dtucker) [auth-pam.c auth-pam.h session.c] Bug #890: Send output from
failing PAM session modules to user then exit, similar to the way
   /etc/nologin is handled.  ok djm@
2004-09-11 22:17:26 +10:00
Darren Tucker
21dd0897d5 - (dtucker) [acconfig.h auth-pam.c configure.ac] Set real uid to non-root
to convince Solaris PAM to honour password complexity rules.  ok djm@
2004-08-16 23:12:05 +10:00
Damien Miller
2d2ed3d633 - (djm) [auth-pam.c] Portable parts of bz#899: Don't display invalid
usernames in setproctitle from peak AT argo.troja.mff.cuni.cz;
2004-07-21 20:54:47 +10:00