First stab at the full Joyent wad (still needs work!!!)
--- old/build/openssh/patches/0016-Enable-login-to-a-role-if-PAM-is-ok-with-it.patch
+++ new/build/openssh/patches/0017-Enable-login-to-a-role-if-PAM-is-ok-with-it.patch
1 -From 7332e7d5627a72f1587bca85f3fd37f42b419754 Mon Sep 17 00:00:00 2001
1 +From 101a7bf94901c79603da5750d325f9de67fe3413 Mon Sep 17 00:00:00 2001
2 2 From: oracle <solaris@oracle.com>
3 3 Date: Mon, 3 Aug 2015 14:38:19 -0700
4 -Subject: [PATCH 16/30] Enable login to a role if PAM is ok with it
4 +Subject: [PATCH 17/36] Enable login to a role if PAM is ok with it
5 5
6 6 ---
7 7 auth-pam.c | 14 ++++++++++++++
8 8 auth-pam.h | 3 +++
9 9 auth.h | 3 +++
10 10 auth2-hostbased.c | 10 ++++++++++
11 11 auth2.c | 8 ++++++++
12 12 monitor.c | 15 ++++++++++++++-
13 13 6 files changed, 52 insertions(+), 1 deletion(-)
14 14
15 15 diff --git a/auth-pam.c b/auth-pam.c
16 16 index 7bdee5c..6470d5e 100644
17 17 --- a/auth-pam.c
18 18 +++ b/auth-pam.c
19 19 @@ -1038,6 +1038,20 @@ do_pam_account(void)
20 20 return (sshpam_account_status);
21 21 }
22 22
23 23 +#ifdef HAVE_PAM_AUSER
24 24 +void
25 25 +do_pam_set_auser(const char* auser)
26 26 +{
27 27 + if (auser != NULL) {
28 28 + debug("PAM: setting PAM_AUSER to \"%s\"", auser);
29 29 + sshpam_err = pam_set_item(sshpam_handle, PAM_AUSER, auser);
30 30 + if (sshpam_err != PAM_SUCCESS)
31 31 + error("PAM: failed to set PAM_AUSER: %s",
32 32 + pam_strerror(sshpam_handle, sshpam_err));
33 33 + }
34 34 +}
35 35 +#endif
36 36 +
37 37 void
38 38 do_pam_set_tty(const char *tty)
39 39 {
40 40 diff --git a/auth-pam.h b/auth-pam.h
41 41 index a1a2b52..6c41fd9 100644
42 42 --- a/auth-pam.h
43 43 +++ b/auth-pam.h
44 44 @@ -35,6 +35,9 @@ void start_pam(Authctxt *);
45 45 void finish_pam(void);
46 46 u_int do_pam_account(void);
47 47 void do_pam_session(void);
48 48 +#ifdef HAVE_PAM_AUSER
49 49 +void do_pam_set_auser(const char *);
50 50 +#endif
51 51 void do_pam_set_tty(const char *);
52 52 void do_pam_setcred(int );
53 53 void do_pam_chauthtok(void);
54 54 diff --git a/auth.h b/auth.h
55 55 index a0e41a4..c336cf0 100644
56 56 --- a/auth.h
57 57 +++ b/auth.h
58 58 @@ -84,6 +84,9 @@ struct Authctxt {
59 59 #ifdef PAM_ENHANCEMENT
60 60 char *authmethod_name;
61 61 #endif
62 62 +#ifdef HAVE_PAM_AUSER
63 63 + char *auser;
64 64 +#endif
65 65 };
66 66 /*
67 67 * Every authentication method has to handle authentication requests for
68 68 diff --git a/auth2-hostbased.c b/auth2-hostbased.c
69 69 index e2327cf..c0fcc4d 100644
70 70 --- a/auth2-hostbased.c
71 71 +++ b/auth2-hostbased.c
72 72 @@ -85,6 +85,9 @@ userauth_hostbased(Authctxt *authctxt)
73 73 buffer_dump(&b);
74 74 buffer_free(&b);
75 75 #endif
76 76 +#ifdef HAVE_PAM_AUSER
77 77 + authctxt->auser = NULL;
78 78 +#endif
79 79 pktype = key_type_from_name(pkalg);
80 80 if (pktype == KEY_UNSPEC) {
81 81 /* this is perfectly legal */
82 82 @@ -142,6 +145,13 @@ userauth_hostbased(Authctxt *authctxt)
83 83 buffer_len(&b))) == 1)
84 84 authenticated = 1;
85 85
86 86 +#ifdef HAVE_PAM_AUSER
87 87 + if (authenticated) {
88 88 + authctxt->auser = cuser;
89 89 + cuser = NULL;
90 90 + }
91 91 +#endif
92 92 +
93 93 buffer_free(&b);
94 94 done:
95 95 debug2("userauth_hostbased: authenticated %d", authenticated);
96 96 diff --git a/auth2.c b/auth2.c
97 97 index 5a3ef1b..b456237 100644
98 98 --- a/auth2.c
99 99 +++ b/auth2.c
100 100 @@ -339,6 +339,14 @@ userauth_finish(Authctxt *authctxt, int authenticated, const char *method,
101 101 #endif
102 102 }
103 103
104 104 +#ifdef HAVE_PAM_AUSER
105 105 + if (!use_privsep) {
106 106 + do_pam_set_auser(authctxt->auser);
107 107 + free(authctxt->auser);
108 108 + authctxt->auser = NULL;
109 109 + }
110 110 +#endif
111 111 +
112 112 if (authenticated && options.num_auth_methods != 0) {
113 113
114 114 #if defined(USE_PAM) && defined(PAM_ENHANCEMENT)
115 115 diff --git a/monitor.c b/monitor.c
116 116 index 7ac4c61..20ed152 100644
117 117 --- a/monitor.c
118 118 +++ b/monitor.c
119 119 @@ -461,6 +461,12 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
120 120 }
121 121 }
122 122
123 123 +#if defined(HAVE_PAM_AUSER) && defined(USE_PAM)
124 124 + if (hostbased_cuser != NULL) {
125 125 + free(hostbased_cuser);
126 126 + hostbased_cuser = NULL;
127 127 + }
128 128 +#endif
129 129 if (!authctxt->valid)
130 130 fatal("%s: authenticated invalid user", __func__);
131 131 if (strcmp(auth_method, "unknown") == 0)
132 132 @@ -694,12 +700,14 @@ monitor_reset_key_state(void)
133 133 {
134 134 /* reset state */
135 135 free(key_blob);
136 136 +#if !defined(HAVE_PAM_AUSER) || !defined(USE_PAM)
137 137 free(hostbased_cuser);
138 138 + hostbased_cuser = NULL;
139 139 +#endif
140 140 free(hostbased_chost);
141 141 key_blob = NULL;
142 142 key_bloblen = 0;
143 143 key_blobtype = MM_NOKEY;
144 144 - hostbased_cuser = NULL;
145 145 hostbased_chost = NULL;
146 146 }
147 147
148 148 @@ -1146,6 +1154,11 @@ mm_answer_pam_account(int sock, Buffer *m)
149 149 if (!options.use_pam)
150 150 fatal("UsePAM not set, but ended up in %s anyway", __func__);
151 151
152 152 +#ifdef HAVE_PAM_AUSER
153 153 + if (hostbased_cuser != NULL)
154 154 + do_pam_set_auser(hostbased_cuser);
155 155 +#endif
156 156 +
157 157 ret = do_pam_account();
158 158
159 159 buffer_put_int(m, ret);
160 160 --
161 -2.3.2 (Apple Git-55)
161 +2.5.4 (Apple Git-61)
162 162