Commit Graph

181 Commits

Author SHA1 Message Date
Damien Miller
57ed647ee0 polish whitespace for portable files 2021-04-03 17:47:37 +11:00
Darren Tucker
fcf429a4c6 Prevent excessively long username going to PAM.
This is a mitigation for a buffer overflow in Solaris' PAM username
handling (CVE-2020-14871), and is only enabled for Sun-derived PAM
implementations.  This is not a problem in sshd itself, it only
prevents sshd from being used as a vector to attack Solaris' PAM.
It does not prevent the bug in PAM from being exploited via some other
PAM application.

Based on github PR#212 from Mike Scott but implemented slightly
differently.  ok tim@ djm@
2020-11-11 14:05:30 +11:00
Damien Miller
598c3a5e38 document a PAM spec problem in a frustrated comment 2020-06-26 16:07:24 +10:00
Darren Tucker
945bf52c3c Fix a couple of mysig_t leftovers. 2020-01-23 21:06:45 +11:00
dtucker@openbsd.org
3bf2a6ac79 upstream: Replace all calls to signal(2) with a wrapper around
sigaction(2). This wrapper blocks all other signals during the handler
preventing races between handlers, and sets SA_RESTART which should reduce
the potential for short read/write operations.

OpenBSD-Commit-ID: 5e047663fd77a40d7b07bdabe68529df51fd2519
2020-01-23 18:51:25 +11:00
Ruben Kerkhof
6089abf715 Make sshpam_password_change_required static.
sshpam_password_change_required is only used in auth-pam.c, so make it
static to prevent a mising prototype warning.
2020-01-21 10:39:49 +11:00
Ruben Kerkhof
335dc93526 Fix a few warnings when on Mac OS X.
Include stdlib.h for calloc, malloc, free and setenv.
2020-01-20 21:17:11 +11:00
Damien Miller
ec0e624366 memleak of buffer in sshpam_query
coverity report via Ed Maste; ok dtucker@
2019-09-13 13:15:19 +10:00
Darren Tucker
fc0340f7c4 Typo fixes in error messages.
Patch from knweiss at gmail.com via github pull req #97 (portable-
specific parts).
2019-06-08 00:51:18 +10:00
Darren Tucker
d220b67520 Have pthread_create return errno on failure.
According to POSIX, pthread_create returns the failure reason in
the non-zero function return code so make the fork wrapper do that.
Matches previous change.
2019-06-07 14:26:54 +10:00
Elliott Hughes
1bd4f7f25f pthread_create(3) returns positive values on failure.
Found by inspection after finding similar bugs in other code used by
Android.
2019-06-07 14:16:21 +10:00
Darren Tucker
606077ee1e Add no-op implementation of pam_putenv.
Some platforms such as HP-UX do not have pam_putenv.  Currently the
calls are ifdef'ed out, but a new one was recently added.  Remove the
ifdefs and add a no-op implementation.  bz#3008, ok djm.
2019-05-17 13:14:12 +10:00
Damien Miller
3f0786bbe7 remove PAM dependencies on old packet API
Requires some caching of values, because the PAM code isn't
always called with packet context.
2019-01-20 10:22:18 +11:00
Damien Miller
8a22ffaa13 expose $SSH_CONNECTION in the PAM environment
This makes the connection 4-tuple available to PAM modules that
wish to use it in decision-making. bz#2741
2018-12-14 13:23:48 +11:00
Damien Miller
48f54b9d12 adapt -portable to OpenSSL 1.1x API
Polyfill missing API with replacement functions extracted from LibreSSL
2018-09-13 12:13:50 +10:00
Darren Tucker
3f420a692b Remove key.h from portable files too.
Commit 5467fbcb removed key.h so stop including it in portable files
too.  Fixes builds on lots of platforms.
2018-07-12 14:57:46 +10:00
Damien Miller
120a1ec74e Adapt portable to legacy buffer API removal 2018-07-10 19:39:52 +10:00
Damien Miller
e8f474554e Expose SSH_AUTH_INFO_0 to PAM auth modules
bz#2408, patch from Radoslaw Ejsmont; ok dtucker@
2018-04-06 14:11:44 +10:00
Darren Tucker
13ef4cf53f Update PAM password change to new opts API. 2018-03-03 16:21:20 +11:00
djm@openbsd.org
7c85685760 upstream: switch over to the new authorized_keys options API and
remove the legacy one.

Includes a fairly big refactor of auth2-pubkey.c to retain less state
between key file lines.

feedback and ok markus@

OpenBSD-Commit-ID: dece6cae0f47751b9892080eb13d6625599573df
2018-03-03 14:37:16 +11:00
Damien Miller
94bc1e7ffb Expose list of completed auth methods to PAM
bz#2408; ok dtucker@
2017-07-28 15:04:00 +10:00
Darren Tucker
608ec1f62f Remove SSHv1 code path.
Server-side support for Protocol 1 has been removed so remove !compat20
PAM code path.
2017-03-29 09:50:54 +11:00
Darren Tucker
bee0167be2 Check for NULL from malloc.
Part of bz#2687, from jjelen at redhat.com.
2017-03-10 13:40:18 +11:00
Darren Tucker
e0259a82dd Remove do_pam_set_tty which is dead code.
The callers of do_pam_set_tty were removed in 2008, so this is now dead
code.  bz#2604, pointed out by jjelen at redhat.com.
2016-10-15 04:34:46 +11:00
Damien Miller
8bd81e1596 add --with-pam-service to specify PAM service name
Saves messing around with CFLAGS to do it.
2016-08-16 13:37:26 +10:00
Damien Miller
10358abd08 retry waitpid on EINTR failure
patch from Jakub Jelen on bz#2581; ok dtucker@
2016-07-22 14:07:08 +10:00
Darren Tucker
01558b7b07 Handle PAM_MAXTRIES from modules.
bz#2249: handle the case where PAM returns PAM_MAXTRIES by ceasing to offer
password and keyboard-interative authentication methods.  Should prevent
"sshd ignoring max retries" warnings in the log.  ok djm@

It probably won't trigger with keyboard-interactive in the default
configuration because the retry counter is stored in module-private
storage which goes away with the sshd PAM process (see bz#688).  On the
other hand, those cases probably won't log a warning either.
2016-07-18 09:33:25 +10:00
Darren Tucker
283b97ff33 Mitigate timing of disallowed users PAM logins.
When sshd decides to not allow a login (eg PermitRootLogin=no) and
it's using PAM, it sends a fake password to PAM so that the timing for
the failure is not noticeably different whether or not the password
is correct.  This behaviour can be detected by sending a very long
password string which is slower to hash than the fake password.

Mitigate by constructing an invalid password that is the same length
as the one from the client and thus takes the same time to hash.
Diff from djm@
2016-07-15 13:49:44 +10:00
Darren Tucker
009891afc8 Remove duplicate code from PAM. ok djm@ 2016-06-17 14:34:09 +10:00
Darren Tucker
39c0cecaa1 Fix comment about sshpam_const and AIX.
From mschwager via github.
2016-05-20 10:01:58 +10:00
Damien Miller
3ed9218c33 unbreak PAM after canohost refactor 2016-03-08 14:01:29 -08:00
Damien Miller
5ef4b0fdcc avoid FreeBSD RCS Id in comment
Change old $FreeBSD version string in comment so it doesn't
become an RCS ident downstream; requested by des AT des.no
2016-02-05 10:45:23 +11:00
Darren Tucker
d1680d36e1 xrealloc -> xreallocarray in portable code too. 2015-04-30 09:18:11 +10:00
Darren Tucker
53f8e784dc - (dtucker) [auth-pam.c] bz#2163: check return value from pam_get_item().
Patch from Loganaden Velvindron.
2013-12-19 11:31:44 +11:00
Darren Tucker
f60845fde2 - (dtucker) [M auth-chall.c auth-krb5.c auth-pam.c cipher-aes.c cipher-ctr.c
groupaccess.c loginrec.c monitor.c monitor_wrap.c session.c sshd.c
   sshlogin.c uidswap.c openbsd-compat/bsd-cygwin_util.c
   openbsd-compat/getrrsetbyname-ldns.c openbsd-compat/port-aix.c
   openbsd-compat/port-linux.c] Replace portable-specific instances of xfree
   with the equivalent calls to free.
2013-06-02 08:07:31 +10:00
Darren Tucker
622d5c561b - (dtucker) [auth-pam.c] Bug #1534: move the deletion of PAM credentials on
logout to after the session close.  Patch from Anicka Bernathova, ok djm.
2009-07-12 22:07:21 +10:00
Darren Tucker
52358d6df3 - (dtucker) [auth-pam.c monitor.c session.c sshd.c] Bug #926: Move
pam_open_session and pam_close_session into the privsep monitor, which
   will ensure that pam_session_close is called as root.  Patch from Tomas
   Mraz.
2008-03-11 22:58:25 +11:00
Darren Tucker
57d4ca9681 - (dtucker) [auth-pam.c] Use sigdie here too. ok djm@ 2007-08-10 14:32:34 +10:00
Darren Tucker
2216471510 - (dtucker) [auth-pam.c] Return empty string if fgets fails in
sshpam_tty_conv.  Patch from ldv at altlinux.org.
2007-05-20 15:26:07 +10:00
Darren Tucker
29171e9f5c - (dtucker) [auth-pam.c] malloc+memset -> calloc. Patch from
ldv at altlinux.org.
2007-05-20 15:20:08 +10:00
Darren Tucker
54e1b2291c - (dtucker) [auth-pam.c] Propogate TZ environment variable to PAM auth
process so that any logging it does is with the right timezone.  From
   Scott Strickler, ok djm@.
2006-09-17 11:57:46 +10:00
Damien Miller
ded319cca2 - (djm) [audit-bsm.c audit.c auth-bsdauth.c auth-chall.c auth-pam.c]
[auth-rsa.c auth-shadow.c auth-sia.c auth1.c auth2-chall.c]
   [auth2-gss.c auth2-kbdint.c auth2-none.c authfd.c authfile.c]
   [cipher-3des1.c cipher-aes.c cipher-bf1.c cipher-ctr.c clientloop.c]
   [dh.c dns.c entropy.c gss-serv-krb5.c gss-serv.c hostfile.c kex.c]
   [kexdhc.c kexdhs.c kexgexc.c kexgexs.c key.c loginrec.c mac.c]
   [md5crypt.c monitor.c monitor_wrap.c readconf.c rsa.c]
   [scard-opensc.c scard.c session.c ssh-add.c ssh-agent.c ssh-dss.c]
   [ssh-keygen.c ssh-keysign.c ssh-rsa.c ssh.c sshconnect.c]
   [sshconnect1.c sshconnect2.c sshd.c rc4.diff]
   [openbsd-compat/bsd-cray.c openbsd-compat/port-aix.c]
   [openbsd-compat/port-linux.c openbsd-compat/port-solaris.c]
   [openbsd-compat/port-uw.c]
   Lots of headers for SCO OSR6, mainly adding stdarg.h for log.h;
   compile problems reported by rac AT tenzing.org
2006-09-01 15:38:36 +10:00
Damien Miller
75bb664458 - (djm) [auth-pam.c auth-shadow.c auth2-none.c cleanup.c sshd.c]
[openbsd-compat/port-tun.c openbsd-compat/port-tun.h] Sprinkle more
   includes for Linux in
2006-08-05 14:07:20 +10:00
Damien Miller
4cbfe8ebeb - (djm) [auth-pam.c auth.c bufaux.h entropy.c openbsd-compat/port-tun.c]
remove last traces of bufaux.h - it was merged into buffer.h in the big
   includes.h commit
2006-08-05 12:49:30 +10:00
Damien Miller
2ab323e0bd - (djm) [auth-pam.c defines.h] Move PAM related bits to auth-pam.c 2006-08-05 12:43:32 +10:00
Damien Miller
b8fe89c4d9 - (djm) [acss.c auth-krb5.c auth-options.c auth-pam.c auth-shadow.c]
[canohost.c channels.c cipher-acss.c defines.h dns.c gss-genr.c]
   [gss-serv-krb5.c gss-serv.c log.h loginrec.c logintest.c readconf.c]
   [servconf.c ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh-rand-helper.c]
   [ssh.c sshconnect.c sshd.c openbsd-compat/bindresvport.c]
   [openbsd-compat/bsd-arc4random.c openbsd-compat/bsd-misc.c]
   [openbsd-compat/getrrsetbyname.c openbsd-compat/glob.c]
   [openbsd-compat/mktemp.c openbsd-compat/port-linux.c]
   [openbsd-compat/port-tun.c openbsd-compat/readpassphrase.c]
   [openbsd-compat/setproctitle.c openbsd-compat/xmmap.c]
   make the portable tree compile again - sprinkle unistd.h and string.h
   back in. Don't redefine __unused, as it turned out to be used in
   headers on Linux, and replace its use in auth-pam.c with ARGSUSED
2006-07-24 14:51:00 +10:00
Darren Tucker
341dae59c8 - (dtucker) [auth-krb5.c auth-pam.c] Still more errno.h 2006-07-13 08:45:14 +10:00
Darren Tucker
2c77b7f1c1 - (dtucker) [auth-pam.c] Bug #1188: pass result of do_pam_account back and
do not allow kbdint again after the PAM account check fails.  ok djm@
2006-05-15 17:22:33 +10:00
Darren Tucker
d8093e49bf - (dtucker) [auth-pam.c groupaccess.c monitor.c monitor_wrap.c scard-opensc.c
session.c ssh-rand-helper.c sshd.c openbsd-compat/bsd-cygwin_util.c
   openbsd-compat/setproctitle.c] Convert malloc(foo*bar) -> calloc(foo,bar)
   in Portable-only code; since calloc zeros, remove now-redundant memsets.
   Also add a couple of sanity checks.  With & ok djm@
2006-05-04 16:24:34 +10:00
Damien Miller
36812092ec - djm@cvs.openbsd.org 2006/03/25 01:13:23
[buffer.c channels.c deattack.c misc.c scp.c session.c sftp-client.c]
     [sftp-server.c ssh-agent.c ssh-rsa.c xmalloc.c xmalloc.h auth-pam.c]
     [uidswap.c]
     change OpenSSH's xrealloc() function from being xrealloc(p, new_size)
     to xrealloc(p, new_nmemb, new_itemsize).

     realloc is particularly prone to integer overflows because it is
     almost always allocating "n * size" bytes, so this is a far safer
     API; ok deraadt@
2006-03-26 14:22:47 +11:00