1 From 7332e7d5627a72f1587bca85f3fd37f42b419754 Mon Sep 17 00:00:00 2001
2 From: oracle <solaris@oracle.com>
3 Date: Mon, 3 Aug 2015 14:38:19 -0700
4 Subject: [PATCH 16/30] Enable login to a role if PAM is ok with it
5
6 ---
7 auth-pam.c | 14 ++++++++++++++
8 auth-pam.h | 3 +++
9 auth.h | 3 +++
10 auth2-hostbased.c | 10 ++++++++++
11 auth2.c | 8 ++++++++
12 monitor.c | 15 ++++++++++++++-
13 6 files changed, 52 insertions(+), 1 deletion(-)
14
15 diff --git a/auth-pam.c b/auth-pam.c
16 index 7bdee5c..6470d5e 100644
17 --- a/auth-pam.c
18 +++ b/auth-pam.c
19 @@ -1038,6 +1038,20 @@ do_pam_account(void)
20 return (sshpam_account_status);
21 }
22
23 +#ifdef HAVE_PAM_AUSER
24 +void
25 +do_pam_set_auser(const char* auser)
26 +{
27 + if (auser != NULL) {
28 + debug("PAM: setting PAM_AUSER to \"%s\"", auser);
29 + sshpam_err = pam_set_item(sshpam_handle, PAM_AUSER, auser);
30 + if (sshpam_err != PAM_SUCCESS)
31 + error("PAM: failed to set PAM_AUSER: %s",
32 + pam_strerror(sshpam_handle, sshpam_err));
33 + }
34 +}
35 +#endif
36 +
37 void
38 do_pam_set_tty(const char *tty)
39 {
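Review bot: `const char* auser` on the new signature binds the `*` to the type, while the neighbouring `do_pam_set_tty(const char *tty)` and the prototype added to auth-pam.h bind it to the name; use `do_pam_set_auser(const char *auser)`. The function also logs a `pam_set_item` failure and returns normally, so the account check that follows runs without PAM_AUSER and the caller cannot tell; if the sibling `do_pam_set_*` setters treat this as fatal, consider matching them, otherwise state the contract in a header comment such as `/* Set PAM_AUSER from the hostbased client user; no-op when auser is NULL, a pam_set_item failure is logged and ignored. */`.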
40 diff --git a/auth-pam.h b/auth-pam.h
41 index a1a2b52..6c41fd9 100644
42 --- a/auth-pam.h
43 +++ b/auth-pam.h
44 @@ -35,6 +35,9 @@ void start_pam(Authctxt *);
45 void finish_pam(void);
46 u_int do_pam_account(void);
47 void do_pam_session(void);
48 +#ifdef HAVE_PAM_AUSER
49 +void do_pam_set_auser(const char *);
50 +#endif
51 void do_pam_set_tty(const char *);
52 void do_pam_setcred(int );
53 void do_pam_chauthtok(void);
54 diff --git a/auth.h b/auth.h
55 index a0e41a4..c336cf0 100644
56 --- a/auth.h
57 +++ b/auth.h
58 @@ -84,6 +84,9 @@ struct Authctxt {
59 #ifdef PAM_ENHANCEMENT
60 char *authmethod_name;
61 #endif
62 +#ifdef HAVE_PAM_AUSER
63 + char *auser;
64 +#endif
65 };
66 /*
67 * Every authentication method has to handle authentication requests for
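Review bot: The new `auser` member carries no ownership note, which a reader of `userauth_finish` needs before freeing it. The other hunks in this patch show it receives the heap string `cuser` from `userauth_hostbased` and is freed in `userauth_finish`, so record that on the field: `char *auser; /* hostbased client user for PAM_AUSER; heap string owned by Authctxt, freed in userauth_finish */`. Whether NULL means "no hostbased authentication" should be stated as well.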
68 diff --git a/auth2-hostbased.c b/auth2-hostbased.c
69 index e2327cf..c0fcc4d 100644
70 --- a/auth2-hostbased.c
71 +++ b/auth2-hostbased.c
72 @@ -85,6 +85,9 @@ userauth_hostbased(Authctxt *authctxt)
73 buffer_dump(&b);
74 buffer_free(&b);
75 #endif
76 +#ifdef HAVE_PAM_AUSER
77 + authctxt->auser = NULL;
78 +#endif
79 pktype = key_type_from_name(pkalg);
80 if (pktype == KEY_UNSPEC) {
81 /* this is perfectly legal */
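Review bot: `authctxt->auser = NULL;` overwrites whatever the previous attempt stored without freeing it. The auth2.c hunk frees the field only when `!use_privsep`, so in the privilege-separated child every hostbased attempt after the first appears to leak the prior `cuser` through this assignment, unless it is released somewhere outside these hunks. Use `free(authctxt->auser); authctxt->auser = NULL;` here, which is equally safe when the field is already NULL. The same ownership question applies to the second hunk of this file, where `cuser` is handed over at `authctxt->auser = cuser;`.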
82 @@ -142,6 +145,13 @@ userauth_hostbased(Authctxt *authctxt)
83 buffer_len(&b))) == 1)
84 authenticated = 1;
85
86 +#ifdef HAVE_PAM_AUSER
87 + if (authenticated) {
88 + authctxt->auser = cuser;
89 + cuser = NULL;
90 + }
91 +#endif
92 +
93 buffer_free(&b);
94 done:
95 debug2("userauth_hostbased: authenticated %d", authenticated);
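Review bot: The `cuser = NULL;` after the handover is what prevents the cleanup that follows `done:` from freeing a string now owned by `authctxt`, but nothing says so, and a later edit could easily drop it. Add a comment on the block: `/* hand cuser to authctxt for PAM_AUSER; the cleanup after done: must not free it */`. The cleanup itself is outside the hunk, so this relies on it freeing `cuser` unconditionally as the NULL assignment implies.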
96 diff --git a/auth2.c b/auth2.c
97 index 5a3ef1b..b456237 100644
98 --- a/auth2.c
99 +++ b/auth2.c
100 @@ -339,6 +339,14 @@ userauth_finish(Authctxt *authctxt, int authenticated, const char *method,
101 #endif
102 }
103
104 +#ifdef HAVE_PAM_AUSER
105 + if (!use_privsep) {
106 + do_pam_set_auser(authctxt->auser);
107 + free(authctxt->auser);
108 + authctxt->auser = NULL;
109 + }
110 +#endif
111 +
112 if (authenticated && options.num_auth_methods != 0) {
113
114 #if defined(USE_PAM) && defined(PAM_ENHANCEMENT)
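Review bot: The `do_pam_set_auser` call is not gated on `options.use_pam`, whereas the monitor path reaches it only after `mm_answer_pam_account` has checked UsePAM; in a non-privsep server with UsePAM off this calls `pam_set_item` on a handle that was never started, since `do_pam_set_auser` checks only its argument. Change the call to `if (options.use_pam) do_pam_set_auser(authctxt->auser);` and keep the `free`/NULL pair outside that condition so the string is released either way. The preprocessor guard is `#ifdef HAVE_PAM_AUSER` alone here and in the `mm_answer_pam_account` hunk, but `defined(HAVE_PAM_AUSER) && defined(USE_PAM)` in the `monitor_child_preauth` and `monitor_reset_key_state` hunks; if auth-pam.c is only built under USE_PAM, the function would be undefined here when HAVE_PAM_AUSER is set without it, so the guards should agree. `userauth_finish` continues outside the hunk.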
115 diff --git a/monitor.c b/monitor.c
116 index 7ac4c61..20ed152 100644
117 --- a/monitor.c
118 +++ b/monitor.c
119 @@ -461,6 +461,12 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
120 }
121 }
122
123 +#if defined(HAVE_PAM_AUSER) && defined(USE_PAM)
124 + if (hostbased_cuser != NULL) {
125 + free(hostbased_cuser);
126 + hostbased_cuser = NULL;
127 + }
128 +#endif
129 if (!authctxt->valid)
130 fatal("%s: authenticated invalid user", __func__);
131 if (strcmp(auth_method, "unknown") == 0)
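Review bot: The `if (hostbased_cuser != NULL)` guard around `free(hostbased_cuser)` is redundant, as `free(NULL)` is a no-op; `free(hostbased_cuser); hostbased_cuser = NULL;` is enough and matches the form used in the `monitor_reset_key_state` hunk below. The release point deserves a comment, because under this configuration the string is deliberately kept alive past `monitor_reset_key_state`: `/* hostbased_cuser was kept for PAM_AUSER in mm_answer_pam_account; release it now that authentication is complete */`. `monitor_child_preauth` starts outside the hunk.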
132 @@ -694,12 +700,14 @@ monitor_reset_key_state(void)
133 {
134 /* reset state */
135 free(key_blob);
136 +#if !defined(HAVE_PAM_AUSER) || !defined(USE_PAM)
137 free(hostbased_cuser);
138 + hostbased_cuser = NULL;
139 +#endif
140 free(hostbased_chost);
141 key_blob = NULL;
142 key_bloblen = 0;
143 key_blobtype = MM_NOKEY;
144 - hostbased_cuser = NULL;
145 hostbased_chost = NULL;
146 }
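Review bot: With `free(hostbased_cuser)` compiled out of `monitor_reset_key_state`, the string now outlives the key exchange it was parsed from, and nothing in this hunk ties it to a successful signature check. If `hostbased_cuser` is stored when the key is merely allowed, before verification (presumably in `mm_answer_keyallowed`, not visible here), a failed or abandoned hostbased attempt followed by a different method would leave an unverified client user to be passed to PAM_AUSER by the `mm_answer_pam_account` hunk. Either clear `hostbased_cuser` when verification fails or when a non-hostbased method succeeds, or record an explicit `hostbased_verified` flag and test it before `do_pam_set_auser`. The reason for keeping it should be stated in place: `/* kept for PAM_AUSER in mm_answer_pam_account; freed in monitor_child_preauth */`.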
147
148 @@ -1146,6 +1154,11 @@ mm_answer_pam_account(int sock, Buffer *m)
149 if (!options.use_pam)
150 fatal("UsePAM not set, but ended up in %s anyway", __func__);
151
152 +#ifdef HAVE_PAM_AUSER
153 + if (hostbased_cuser != NULL)
154 + do_pam_set_auser(hostbased_cuser);
155 +#endif
156 +
157 ret = do_pam_account();
158
159 buffer_put_int(m, ret);
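Review bot: The `if (hostbased_cuser != NULL)` test duplicates the NULL check inside `do_pam_set_auser`, so `do_pam_set_auser(hostbased_cuser);` alone suffices. A `pam_set_item` failure in that call is only logged, so `do_pam_account` proceeds with PAM_AUSER unset; if the account policy decides on that item, the failure should be surfaced here rather than silently falling through to the account check. `mm_answer_pam_account` continues outside the hunk.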
160 --
161 2.3.2 (Apple Git-55)
162