FreeBSD Bugzilla – Attachment 5308 Details for
Bug 12776
Add PAM hooks to rlogind and rshd
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Help
|
New Account
|
Log In
Remember
[x]
|
Forgot Password
Login:
[x]
[patch]
file.diff
file.diff (text/plain), 10.18 KB, created by
dagill
on 1999-07-23 16:00:02 UTC
(
hide
)
Description:
file.diff
Filename:
MIME Type:
Creator:
dagill
Created:
1999-07-23 16:00:02 UTC
Size:
10.18 KB
patch
obsolete
>Index: rlogind/Makefile >=================================================================== >RCS file: /usr/mirror/ncvs/src/libexec/rlogind/Makefile,v >retrieving revision 1.10 >diff -r1.10 Makefile >23a24,30 >> .if defined(NOPAM) >> CFLAGS+= -DNO_PAM >> .else >> DPADD+= ${LIBPAM} >> LDADD+= ${MINUSLPAM} >> .endif >> >Index: rlogind/rlogind.c >=================================================================== >RCS file: /usr/mirror/ncvs/src/libexec/rlogind/rlogind.c,v >retrieving revision 1.23 >diff -r1.23 rlogind.c >82a83,87 >> #ifndef NO_PAM >> #include <security/pam_appl.h> >> #include <security/pam_misc.h> >> #endif >> >125a131,134 >> #ifndef NO_PAM >> static int auth_pam __P((char *)); >> #endif >> >198a208,313 >> #ifndef NO_PAM >> /* >> * Attempt to authenticate the user using PAM. Returns 0 if the user is >> * authenticated, or 1 if not authenticated. If some sort of PAM system >> * error occurs (e.g., the "/etc/pam.conf" file is missing) then this >> * function returns -1. This can be used as an indication that we should >> * fall back to a different authentication mechanism. >> */ >> static int >> auth_pam(char *username) >> { >> struct passwd *pawd; >> pam_handle_t *pamh = NULL; >> const char *tmpl_user; >> const void *item; >> int rval; >> char *tty, *ttyn; >> char hostname[MAXHOSTNAMELEN]; >> char tname[sizeof(_PATH_TTY) + 10]; >> int e; >> >> static struct pam_conv conv = { misc_conv, NULL }; >> >> ttyn = ttyname(STDIN_FILENO); >> >> if (ttyn == NULL || *ttyn == '\0') { >> (void)snprintf(tname, sizeof(tname), "%s??", _PATH_TTY); >> ttyn = tname; >> } >> if ((tty = strrchr(ttyn, '/')) != NULL) >> ++tty; >> else >> tty = ttyn; >> >> rval = gethostname(hostname, sizeof(hostname)); >> >> if (rval < 0) { >> syslog(LOG_ERR, "auth_pam: Failed to resolve local hostname"); >> return -1; >> } >> if ((e = pam_start("rshd", username, &conv, &pamh)) != PAM_SUCCESS) { >> syslog(LOG_ERR, "pam_start: %s", pam_strerror(pamh, e)); >> return -1; >> } >> if ((e = pam_set_item(pamh, PAM_TTY, tty)) != PAM_SUCCESS) { >> syslog(LOG_ERR, "pam_set_item(PAM_TTY): %s", >> pam_strerror(pamh, e)); >> return -1; >> } >> if (hostname != NULL && >> (e = pam_set_item(pamh, PAM_RHOST, hostname)) != PAM_SUCCESS) { >> syslog(LOG_ERR, "pam_set_item(PAM_RHOST): %s", >> pam_strerror(pamh, e)); >> return -1; >> } >> >> e = pam_authenticate(pamh, 0); >> >> switch (e) { >> case PAM_SUCCESS: >> /* >> * With PAM we support the concept of a "template" >> * user. The user enters a login name which is >> * authenticated by PAM, usually via a remote service >> * such as RADIUS or TACACS+. If authentication >> * succeeds, a different but related "template" name >> * is used for setting the credentials, shell, and >> * home directory. The name the user enters need only >> * exist on the remote authentication server, but the >> * template name must be present in the local password >> * database. >> * >> * This is supported by two various mechanisms in the >> * individual modules. However, from the application's >> * point of view, the template user is always passed >> * back as a changed value of the PAM_USER item. >> */ >> if ((e = pam_get_item(pamh, PAM_USER, &item)) == >> PAM_SUCCESS) { >> tmpl_user = (const char *) item; >> if (strcmp(username, tmpl_user) != 0) >> pawd = getpwnam(tmpl_user); >> } else >> syslog(LOG_ERR, "Couldn't get PAM_USER: %s", pam_strerror(pamh, e)); >> rval = 0; >> break; >> >> case PAM_AUTH_ERR: >> case PAM_USER_UNKNOWN: >> case PAM_MAXTRIES: >> rval = 1; >> break; >> >> default: >> syslog(LOG_ERR, "auth_pam: %s", pam_strerror(pamh, e)); >> rval = -1; >> break; >> } >> if ((e = pam_end(pamh, e)) != PAM_SUCCESS) { >> syslog(LOG_ERR, "pam_end: %s", pam_strerror(pamh, e)); >> rval = -1; >> } >> return rval; >> } >> #endif >> >278a394,395 >> >> >588a706 >> int retval; >596a715,727 >> >> #ifndef NO_PAM >> retval = auth_pam(lusername); >> >> if (retval < 0) { >> syslog(LOG_ERR,"PAM authentication failed"); >> } >> else if (retval == 1) { >> syslog(LOG_ERR,"User %s failed PAM authentication",lusername); >> exit(1); >> } >> #endif >> >Index: rshd/Makefile >=================================================================== >RCS file: /usr/mirror/ncvs/src/libexec/rshd/Makefile,v >retrieving revision 1.10 >diff -r1.10 Makefile >19a20,26 >> .if defined(NOPAM) >> CFLAGS+= -DNO_PAM >> .else >> DPADD+= ${LIBPAM} >> LDADD+= ${MINUSLPAM} >> .endif >> >Index: rshd/rshd.c >=================================================================== >RCS file: /usr/mirror/ncvs/src/libexec/rshd/rshd.c,v >retrieving revision 1.25 >diff -r1.25 rshd.c >82a83,87 >> #ifndef NO_PAM >> #include <security/pam_appl.h> >> #include <security/pam_misc.h> >> #endif >> >94a100,103 >> #ifndef NO_PAM >> static int auth_pam __P((char *)); >> #endif >> >197a207,314 >> #ifndef NO_PAM >> /* >> * Attempt to authenticate the user using PAM. Returns 0 if the user is >> * authenticated, or 1 if not authenticated. If some sort of PAM system >> * error occurs (e.g., the "/etc/pam.conf" file is missing) then this >> * function returns -1. This can be used as an indication that we should >> * fall back to a different authentication mechanism. >> */ >> static int >> auth_pam(char *username) >> { >> struct passwd *pawd; >> pam_handle_t *pamh = NULL; >> const char *tmpl_user; >> const void *item; >> int rval; >> char *tty, *ttyn; >> char hostname[MAXHOSTNAMELEN]; >> char tname[sizeof(_PATH_TTY) + 10]; >> int e; >> >> static struct pam_conv conv = { misc_conv, NULL }; >> >> ttyn = ttyname(STDIN_FILENO); >> >> if (ttyn == NULL || *ttyn == '\0') { >> (void)snprintf(tname, sizeof(tname), "%s??", _PATH_TTY); >> ttyn = tname; >> } >> if ((tty = strrchr(ttyn, '/')) != NULL) >> ++tty; >> else >> tty = ttyn; >> >> rval = gethostname(hostname, sizeof(hostname)); >> >> if (rval < 0) { >> syslog(LOG_ERR, "auth_pam: Failed to resolve local hostname"); >> return -1; >> } >> if ((e = pam_start("rshd", username, &conv, &pamh)) != PAM_SUCCESS) { >> syslog(LOG_ERR, "pam_start: %s", pam_strerror(pamh, e)); >> return -1; >> } >> if ((e = pam_set_item(pamh, PAM_TTY, tty)) != PAM_SUCCESS) { >> syslog(LOG_ERR, "pam_set_item(PAM_TTY): %s", >> pam_strerror(pamh, e)); >> return -1; >> } >> if (hostname != NULL && >> (e = pam_set_item(pamh, PAM_RHOST, hostname)) != PAM_SUCCESS) { >> syslog(LOG_ERR, "pam_set_item(PAM_RHOST): %s", >> pam_strerror(pamh, e)); >> return -1; >> } >> >> e = pam_authenticate(pamh, 0); >> >> >> switch (e) { >> >> case PAM_SUCCESS: >> /* >> * With PAM we support the concept of a "template" >> * user. The user enters a login name which is >> * authenticated by PAM, usually via a remote service >> * such as RADIUS or TACACS+. If authentication >> * succeeds, a different but related "template" name >> * is used for setting the credentials, shell, and >> * home directory. The name the user enters need only >> * exist on the remote authentication server, but the >> * template name must be present in the local password >> * database. >> * >> * This is supported by two various mechanisms in the >> * individual modules. However, from the application's >> * point of view, the template user is always passed >> * back as a changed value of the PAM_USER item. >> */ >> if ((e = pam_get_item(pamh, PAM_USER, &item)) == >> PAM_SUCCESS) { >> tmpl_user = (const char *) item; >> if (strcmp(username, tmpl_user) != 0) >> pawd = getpwnam(tmpl_user); >> } else >> syslog(LOG_ERR, "Couldn't get PAM_USER: %s", pam_strerror(pamh, e)); >> rval = 0; >> break; >> >> case PAM_AUTH_ERR: >> case PAM_USER_UNKNOWN: >> case PAM_MAXTRIES: >> rval = 1; >> break; >> >> default: >> syslog(LOG_ERR, "auth_pam: %s", pam_strerror(pamh, e)); >> rval = -1; >> break; >> } >> if ((e = pam_end(pamh, e)) != PAM_SUCCESS) { >> syslog(LOG_ERR, "pam_end: %s", pam_strerror(pamh, e)); >> rval = -1; >> } >> return rval; >> } >> #endif >> >215a333 >> int retval; >428a547,558 >> >> #ifndef NO_PAM >> retval = auth_pam(locuser); >> >> if (retval < 0) { >> syslog(LOG_ERR,"PAM authentication failed"); >> } >> else if (retval == 1) { >> syslog(LOG_ERR,"User %s failed PAM authentication",locuser); >> exit(1); >> } >> #endif
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=5308">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 12776
: 5308