Diffstat (limited to 'auth-pam.c')
-rw-r--r--auth-pam.c54
1 files changed, 27 insertions, 27 deletions
diff --git a/auth-pam.c b/auth-pam.c
index b49d415..13c0a79 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -67,11 +67,6 @@
#include <pam/pam_appl.h>
#endif
-#if !defined(SSHD_PAM_SERVICE)
-extern char *__progname;
-# define SSHD_PAM_SERVICE __progname
-#endif
-
/* OpenGroup RFC86.0 and XSSO specify no "const" on arguments */
#ifdef PAM_SUN_CODEBASE
# define sshpam_const /* Solaris, HP-UX, SunOS */
@@ -105,6 +100,7 @@ extern char *__progname;
#include "ssh-gss.h"
#endif
#include "monitor_wrap.h"
+#include "srclimit.h"
extern ServerOptions options;
extern struct sshbuf *loginmsg;
@@ -171,13 +167,13 @@ sshpam_sigchld_handler(int sig)
return;
}
}
- if (WIFSIGNALED(sshpam_thread_status) &&
- WTERMSIG(sshpam_thread_status) == SIGTERM)
- return; /* terminated by pthread_cancel */
- if (!WIFEXITED(sshpam_thread_status))
- sigdie("PAM: authentication thread exited unexpectedly");
- if (WEXITSTATUS(sshpam_thread_status) != 0)
- sigdie("PAM: authentication thread exited uncleanly");
+ if (sshpam_thread_status == -1)
+ return;
+ if (WIFSIGNALED(sshpam_thread_status)) {
+ if (signal_is_crash(WTERMSIG(sshpam_thread_status)))
+ _exit(EXIT_CHILD_CRASH);
+ } else if (!WIFEXITED(sshpam_thread_status))
+ _exit(EXIT_CHILD_CRASH);
}
/* ARGSUSED */
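Review bot: The rewritten status check drops the old `WEXITSTATUS(sshpam_thread_status) != 0` case: a thread that exits normally with a non-zero status now falls out of the handler silently, where it previously reached sigdie("PAM: authentication thread exited uncleanly"). If that is intentional because the authentication outcome is reported through another path, a comment such as `/* A clean non-zero exit is the thread reporting a result, not a crash; only crashes are fatal here */` would stop a later reader from reinstating the check. The `== -1` early return presumably mirrors a failed waitpid() recorded above the hunk and also deserves a one-line comment. sshpam_sigchld_handler() starts outside the hunk.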
@@ -668,7 +664,7 @@ static struct pam_conv store_conv = { sshpam_store_conv, NULL };
void
sshpam_cleanup(void)
{
- if (sshpam_handle == NULL || (use_privsep && !mm_is_monitor()))
+ if (sshpam_handle == NULL || !mm_is_monitor())
return;
debug("PAM: cleanup");
pam_set_item(sshpam_handle, PAM_CONV, (const void *)&null_conv);
@@ -694,6 +690,8 @@ sshpam_init(struct ssh *ssh, Authctxt *authctxt)
const char **ptr_pam_user = &pam_user;
int r;
+ if (options.pam_service_name == NULL)
+ fatal_f("internal error: NULL PAM service name");
#if defined(PAM_SUN_CODEBASE) && defined(PAM_MAX_RESP_SIZE)
/* Protect buggy PAM implementations from excessively long usernames */
if (strlen(user) >= PAM_MAX_RESP_SIZE)
@@ -705,7 +703,8 @@ sshpam_init(struct ssh *ssh, Authctxt *authctxt)
fatal("%s: called initially with no "
"packet context", __func__);
}
- } if (sshpam_handle != NULL) {
+ }
+ if (sshpam_handle != NULL) {
/* We already have a PAM context; check if the user matches */
sshpam_err = pam_get_item(sshpam_handle,
PAM_USER, (sshpam_const void **)ptr_pam_user);
@@ -714,9 +713,10 @@ sshpam_init(struct ssh *ssh, Authctxt *authctxt)
pam_end(sshpam_handle, sshpam_err);
sshpam_handle = NULL;
}
- debug("PAM: initializing for \"%s\"", user);
- sshpam_err =
- pam_start(SSHD_PAM_SERVICE, user, &store_conv, &sshpam_handle);
+ debug("PAM: initializing for \"%s\" with service \"%s\"", user,
+ options.pam_service_name);
+ sshpam_err = pam_start(options.pam_service_name, user,
+ &store_conv, &sshpam_handle);
sshpam_authctxt = authctxt;
if (sshpam_err != PAM_SUCCESS) {
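Review bot: pam_start() at the end of the hunk now receives an administrator-configured service name, and the only validation visible in this file is the NULL check added earlier in sshpam_init(); an empty string would be handed to PAM and fail only inside pam_start(), unless servconf already rejects it. Consider tightening that check to `if (options.pam_service_name == NULL || *options.pam_service_name == '\0')` with the same fatal_f(), or confirm the config parser enforces a non-empty value. The debug line that logs the effective service name is a useful audit aid. sshpam_init() continues past the hunk.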
@@ -1101,20 +1101,15 @@ do_pam_account(void)
}
void
-do_pam_setcred(int init)
+do_pam_setcred(void)
{
sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
(const void *)&store_conv);
if (sshpam_err != PAM_SUCCESS)
fatal("PAM: failed to set PAM_CONV: %s",
pam_strerror(sshpam_handle, sshpam_err));
- if (init) {
- debug("PAM: establishing credentials");
- sshpam_err = pam_setcred(sshpam_handle, PAM_ESTABLISH_CRED);
- } else {
- debug("PAM: reinitializing credentials");
- sshpam_err = pam_setcred(sshpam_handle, PAM_REINITIALIZE_CRED);
- }
+ debug("PAM: establishing credentials");
+ sshpam_err = pam_setcred(sshpam_handle, PAM_ESTABLISH_CRED);
if (sshpam_err == PAM_SUCCESS) {
sshpam_cred_established = 1;
return;
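Review bot: do_pam_setcred() changes signature from `(int init)` to `(void)` and drops the PAM_REINITIALIZE_CRED path, so the prototype in the header and every caller must change in the same commit; neither is visible here. With only one behaviour left, a short header comment above the definition would record the intent, e.g. `/* Establish PAM credentials (PAM_ESTABLISH_CRED) for the session; re-initialization is no longer supported */`. The body of do_pam_setcred() continues past the hunk.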
@@ -1127,6 +1122,7 @@ do_pam_setcred(int init)
pam_strerror(sshpam_handle, sshpam_err));
}
+#if 0
static int
sshpam_tty_conv(int n, sshpam_const struct pam_message **msg,
struct pam_response **resp, void *data)
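Review bot: The `#if 0` that opens this hunk, closed by the `#endif` in the following hunk, turns sshpam_tty_conv() and tty_conv into dead code instead of removing them, and the two do_pam_chauthtok() hunks do the same around the pam_chauthtok() sequence that now sits after an unconditional `fatal("Password expired")`. Code under `#if 0` is neither compiled nor checked and tends to rot; either delete it, since version control keeps the history, or put a comment on each `#if 0` stating why it is retained and what would have to change for it to be re-enabled. The same applies to the `#endif` hunks that close these regions.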
@@ -1182,6 +1178,7 @@ sshpam_tty_conv(int n, sshpam_const struct pam_message **msg,
}
static struct pam_conv tty_conv = { sshpam_tty_conv, NULL };
+#endif
/*
* XXX this should be done in the authentication phase, but ssh1 doesn't
@@ -1190,8 +1187,8 @@ static struct pam_conv tty_conv = { sshpam_tty_conv, NULL };
void
do_pam_chauthtok(void)
{
- if (use_privsep)
- fatal("Password expired (unable to change with privsep)");
+ fatal("Password expired");
+#if 0
sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
(const void *)&tty_conv);
if (sshpam_err != PAM_SUCCESS)
@@ -1202,6 +1199,7 @@ do_pam_chauthtok(void)
if (sshpam_err != PAM_SUCCESS)
fatal("PAM: pam_chauthtok(): %s",
pam_strerror(sshpam_handle, sshpam_err));
+#endif
}
void
@@ -1375,6 +1373,8 @@ sshpam_auth_passwd(Authctxt *authctxt, const char *password)
fatal("PAM: %s: failed to set PAM_CONV: %s", __func__,
pam_strerror(sshpam_handle, sshpam_err));
+ expose_authinfo(__func__);
+
sshpam_err = pam_authenticate(sshpam_handle, flags);
sshpam_password = NULL;
free(fake);
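Review bot: expose_authinfo(__func__) is inserted immediately before pam_authenticate() without a comment; the placement looks deliberate, presumably so the information is available to the PAM modules when they run, and that ordering should be recorded, e.g. `/* Publish authentication info before pam_authenticate() so PAM modules can read it */`. Nothing here inspects a result from expose_authinfo(); confirm it is void or fatal on error rather than silently best-effort. sshpam_auth_passwd() starts before the hunk and continues past it.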