1 From f31faf48842765bb3a9a5a9c400bf4613d639e94 Mon Sep 17 00:00:00 2001
2 From: oracle <solaris@oracle.com>
3 Date: Mon, 3 Aug 2015 14:36:19 -0700
4 Subject: [PATCH 10/30] PAM enhancements for Solaris
5
6 #
7 # This patch contains a couple of PAM enhancements:
8 # 1) Each SSHv2 userauth method has its own PAM service name so that PAM can
9 # be used to control what userauth methods are allowed.
10 # 2) The PAMServiceName and PAMServicePrefix options.
11 #
12 # We have contributed back this feature to the OpenSSH upstream community.
13 # For more information, see https://bugzilla.mindrot.org/show_bug.cgi?id=2246
14 # In the future, if these enhancements are accepted by the upstream in a
15 # later release, we will remove this patch when we upgrade to that release.
16 #
17 ---
18 auth-pam.c | 119 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
19 auth.h | 3 ++
20 auth2.c | 61 ++++++++++++++++++++++++++++-
21 monitor.c | 63 ++++++++++++++++++++++++++++++
22 monitor.h | 3 ++
23 monitor_wrap.c | 18 +++++++++
24 servconf.c | 56 +++++++++++++++++++++++++++
565 +#define _SSH_PAM_SERVICE_PREFIX "sshd"
566 +#endif
567 +
568 typedef struct {
569 u_int num_ports;
570 u_int ports_from_cmdline;
571 @@ -194,6 +198,12 @@ typedef struct {
572 u_int num_auth_methods;
573 char *auth_methods[MAX_AUTH_METHODS];
574
575 +#ifdef PAM_ENHANCEMENT
576 + char *pam_service_prefix;
577 + char *pam_service_name;
578 + int pam_service_per_authmethod;
579 +#endif
580 +
581 int fingerprint_hash;
582 } ServerOptions;
583
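Review bot: The three ServerOptions fields added under PAM_ENHANCEMENT carry no comment, and the relationship between them is not obvious from the names: the sshd_config.4 hunk in this same patch says PAMServiceName and PAMServicePrefix are mutually exclusive and that sshd refuses to start when both are set, but nothing at the declaration records that, nor what pam_service_per_authmethod controls. I would annotate the fields, e.g. `char *pam_service_prefix;	/* PAMServicePrefix: per-method service "<prefix>-<method>" */`, `char *pam_service_name;	/* PAMServiceName: one service for all methods; exclusive with prefix */` and `int pam_service_per_authmethod;	/* non-zero: use per-method service names (cleared for protocol 1 in sshd.c) */`. The enclosing typedef starts outside the hunk. The identical hunk in the second patch on this page (PATCH 12/36) needs the same comments.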
584 diff --git a/sshd.1m b/sshd.1m
585 index 967a753..d67efd7 100644
586 --- a/sshd.1m
587 +++ b/sshd.1m
588 @@ -944,6 +944,33 @@ concurrently for different ports, this contains the process ID of the one
589 started last).
590 The content of this file is not sensitive; it can be world-readable.
591 .El
592 +
593 +.Sh SECURITY
594 +sshd uses pam(3PAM) for password and keyboard-interactive methods as well as
595 +for account management, session management, and the password management for all
596 +authentication methods.
597 +.Pp
598 +Each SSHv2 userauth type has its own PAM service name:
599 +
600 +.Bd -literal -offset 3n
601 +
602 +-----------------------------------------------
603 +| SSHv2 Userauth | PAM Service Name |
604 +-----------------------------------------------
605 +| none | sshd-none |
606 +-----------------------------------------------
607 +| password | sshd-password |
608 +-----------------------------------------------
609 +| keyboard-interactive | sshd-kbdint |
610 +-----------------------------------------------
611 +| pubkey | sshd-pubkey |
612 +-----------------------------------------------
613 +| hostbased | sshd-hostbased |
614 +-----------------------------------------------
615 +| gssapi-with-mic | sshd-gssapi |
616 +-----------------------------------------------
617 +.Ed
618 +
619 .Sh SEE ALSO
620 .Xr scp 1 ,
621 .Xr sftp 1 ,
622 diff --git a/sshd.c b/sshd.c
623 index 3df50f8..5a00ae2 100644
624 --- a/sshd.c
625 +++ b/sshd.c
626 @@ -2159,6 +2159,11 @@ main(int ac, char **av)
627
628 sshd_exchange_identification(sock_in, sock_out);
629
630 +#ifdef PAM_ENHANCEMENT
631 + if (!compat20)
632 + options.pam_service_per_authmethod = 0;
633 +#endif
634 +
635 /* In inetd mode, generate ephemeral key only for proto 1 connections */
636 if (!compat20 && inetd_flag && sensitive_data.server_key == NULL)
637 generate_ephemeral_server_key();
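Review bot: The reset of options.pam_service_per_authmethod for non-protocol-2 connections has no comment and silently overrides what the administrator configured: after it runs, a protocol 1 session is not authenticated under a per-method PAM service, so PAM policy written against the per-method names this patch documents (sshd-password, sshd-kbdint, ...) does not apply to that session. Presumably protocol 1 has no SSHv2 userauth method to derive a name from, but the service name such a session falls back to is not visible here and should be stated. I would add `/* Protocol 1 has no SSHv2 userauth methods; fall back to the single PAM service name. */` above the `if (!compat20)` line, and mention the protocol 1 behaviour in the PAMServicePrefix entry of sshd_config.4. main() starts and ends outside the hunk. The identical hunk in the second patch on this page (PATCH 12/36) needs the same comment.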
638 diff --git a/sshd_config.4 b/sshd_config.4
639 index ba4d79a..263175b 100644
640 --- a/sshd_config.4
641 +++ b/sshd_config.4
642 @@ -1160,6 +1160,21 @@ The probability increases linearly and all connection attempts
643 are refused if the number of unauthenticated connections reaches
644 .Dq full
645 (60).
646 +.It Cm PAMServiceName
655 +PAMServicePrefix options are mutually exclusive and if both set, sshd does not
656 +start.
657 +.Pp
658 +For example, if this option is set to admincli, the service name for the
659 +keyboard-interactive authentication method is admincli-kbdint instead of the
660 +default sshd-kbdint.
661 .It Cm PasswordAuthentication
662 Specifies whether password authentication is allowed.
663 The default is
664 @@ -1573,8 +1588,7 @@ If
665 is enabled, you will not be able to run
666 .Xr sshd 1M
667 as a non-root user.
668 -The default is
669 -.Dq no .
670 +On Solaris, the option is always enabled.
671 .It Cm UsePrivilegeSeparation
672 Specifies whether
673 .Xr sshd 1M
674 --
675 2.3.2 (Apple Git-55)
676
1 From 8aa9debff40660ed691f984b805e513f3f54334b Mon Sep 17 00:00:00 2001
2 From: oracle <solaris@oracle.com>
3 Date: Mon, 3 Aug 2015 14:36:19 -0700
4 Subject: [PATCH 12/36] PAM enhancements for Solaris
5
6 #
7 # This patch contains a couple of PAM enhancements:
8 # 1) Each SSHv2 userauth method has its own PAM service name so that PAM can
9 # be used to control what userauth methods are allowed.
10 # 2) The PAMServiceName and PAMServicePrefix options.
11 #
12 # We have contributed back this feature to the OpenSSH upstream community.
13 # For more information, see https://bugzilla.mindrot.org/show_bug.cgi?id=2246
14 # In the future, if these enhancements are accepted by the upstream in a
15 # later release, we will remove this patch when we upgrade to that release.
16 #
17 ---
18 auth-pam.c | 119 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
19 auth.h | 3 ++
20 auth2.c | 61 ++++++++++++++++++++++++++++-
21 monitor.c | 63 ++++++++++++++++++++++++++++++
22 monitor.h | 3 ++
23 monitor_wrap.c | 18 +++++++++
24 servconf.c | 56 +++++++++++++++++++++++++++
565 +#define _SSH_PAM_SERVICE_PREFIX "sshd"
566 +#endif
567 +
568 typedef struct {
569 u_int num_ports;
570 u_int ports_from_cmdline;
571 @@ -194,6 +198,12 @@ typedef struct {
572 u_int num_auth_methods;
573 char *auth_methods[MAX_AUTH_METHODS];
574
575 +#ifdef PAM_ENHANCEMENT
576 + char *pam_service_prefix;
577 + char *pam_service_name;
578 + int pam_service_per_authmethod;
579 +#endif
580 +
581 int fingerprint_hash;
582 } ServerOptions;
583
584 diff --git a/sshd.1m b/sshd.1m
585 index ada4f25..3753f90 100644
586 --- a/sshd.1m
587 +++ b/sshd.1m
588 @@ -944,6 +944,33 @@ concurrently for different ports, this contains the process ID of the one
589 started last).
590 The content of this file is not sensitive; it can be world-readable.
591 .El
592 +
593 +.Sh SECURITY
594 +sshd uses pam(3PAM) for password and keyboard-interactive methods as well as
595 +for account management, session management, and the password management for all
596 +authentication methods.
597 +.Pp
598 +Each SSHv2 userauth type has its own PAM service name:
599 +
600 +.Bd -literal -offset 3n
601 +
602 +-----------------------------------------------
603 +| SSHv2 Userauth | PAM Service Name |
604 +-----------------------------------------------
605 +| none | sshd-none |
606 +-----------------------------------------------
607 +| password | sshd-password |
608 +-----------------------------------------------
609 +| keyboard-interactive | sshd-kbdint |
610 +-----------------------------------------------
611 +| pubkey | sshd-pubkey |
612 +-----------------------------------------------
613 +| hostbased | sshd-hostbased |
614 +-----------------------------------------------
615 +| gssapi-with-mic | sshd-gssapi |
616 +-----------------------------------------------
617 +.Ed
618 +
619 .Sh SEE ALSO
620 .Xr scp 1 ,
621 .Xr sftp 1 ,
622 diff --git a/sshd.c b/sshd.c
623 index 84e1dee..7e519d4 100644
624 --- a/sshd.c
625 +++ b/sshd.c
626 @@ -2165,6 +2165,11 @@ main(int ac, char **av)
627
628 sshd_exchange_identification(sock_in, sock_out);
629
630 +#ifdef PAM_ENHANCEMENT
631 + if (!compat20)
632 + options.pam_service_per_authmethod = 0;
633 +#endif
634 +
635 /* In inetd mode, generate ephemeral key only for proto 1 connections */
636 if (!compat20 && inetd_flag && sensitive_data.server_key == NULL)
637 generate_ephemeral_server_key();
638 diff --git a/sshd_config.4 b/sshd_config.4
639 index ba4d79a..263175b 100644
640 --- a/sshd_config.4
641 +++ b/sshd_config.4
642 @@ -1160,6 +1160,21 @@ The probability increases linearly and all connection attempts
643 are refused if the number of unauthenticated connections reaches
644 .Dq full
645 (60).
646 +.It Cm PAMServiceName
655 +PAMServicePrefix options are mutually exclusive and if both set, sshd does not
656 +start.
657 +.Pp
658 +For example, if this option is set to admincli, the service name for the
659 +keyboard-interactive authentication method is admincli-kbdint instead of the
660 +default sshd-kbdint.
661 .It Cm PasswordAuthentication
662 Specifies whether password authentication is allowed.
663 The default is
664 @@ -1573,8 +1588,7 @@ If
665 is enabled, you will not be able to run
666 .Xr sshd 1M
667 as a non-root user.
668 -The default is
669 -.Dq no .
670 +On Solaris, the option is always enabled.
671 .It Cm UsePrivilegeSeparation
672 Specifies whether
673 .Xr sshd 1M
674 --
675 2.5.4 (Apple Git-61)
676