[OpenAFS] OpenSSH-3.7.1p1, krb5, aklog and pam

Christian Pfaffel flash@itp.tu-graz.ac.at
22 Sep 2003 14:16:08 +0200


--=-=-=

Since openssh version 3.7p1 the pam support is kind of broken. The
attached patch is for version 3.7.1p1 and helps with the following
problems.

1) Login via gssapi and obtaining AFS tokens via a session module from
   the transferred credential. The problem arises because the session
   module gets executed before the krb5 credentials are stored.

2) Interactive keyboard login with pam_krb5 as auth module and
   obtaining AFS tokens via a session module from the krb5 ticket
   during auth. Since the authentication via pam_authenticate() is
   done in a separate thread, environment variables set by the pam
   auth modules never get stored properly for the pam session modules
   and for the user.

regards,

Christian Pfaffel


--=-=-=
Content-Type: text/x-patch
Content-Disposition: attachment; filename=openssh_pam.patch
Content-Description: Fix for pam, krb5 and aklog

diff -ur openssh-3.7.1p1/auth-pam.c openssh-3.7.1p1.new/auth-pam.c
--- openssh-3.7.1p1/auth-pam.c	Tue Sep 16 08:00:52 2003
+++ openssh-3.7.1p1.new/auth-pam.c	Mon Sep 22 13:06:37 2003
@@ -202,6 +202,7 @@
 	struct pam_conv sshpam_conv;
 #ifndef USE_POSIX_THREADS
 	const char *pam_user;
+	char **envp;
 
 	pam_get_item(sshpam_handle, PAM_USER, (const void **)&pam_user);
 	setproctitle("%s [pam]", pam_user);
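Review bot: `char **envp;` is declared inside the `#ifndef USE_POSIX_THREADS` block (its `#endif` is outside this hunk), but the next hunk of this file uses `envp` after `pam_authenticate()` on a path that appears to run in both build modes, so a build with USE_POSIX_THREADS defined would fail on an undeclared identifier. Either move the declaration up to the unconditional locals of the function, `char **envp;` above the `#ifndef`, or put the new export loop under the same conditional if it is only needed when authentication runs in a separate process. The enclosing function starts and ends outside the hunk.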
@@ -218,6 +219,15 @@
 	sshpam_err = pam_authenticate(sshpam_handle, 0);
 	if (sshpam_err != PAM_SUCCESS)
 		goto auth_fail;
+	do_pam_setcred(0);
+	envp = fetch_pam_environment();
+	if(envp)
+		while(*envp){
+			buffer_clear(&buffer);
+			buffer_put_cstring(&buffer, *(envp++));
+			ssh_msg_send(ctxt->pam_csock, PAM_SEND_ENVIRONMENT, &buffer);
+		}
+	buffer_clear(&buffer);
 	buffer_put_cstring(&buffer, "OK");
 	ssh_msg_send(ctxt->pam_csock, sshpam_err, &buffer);
 	buffer_free(&buffer);
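Review bot: `do_pam_setcred(0)` now runs in the authentication child right after `pam_authenticate()` succeeds, before the parent has run the account stage (`do_pam_account()`, declared in auth-pam.h) or even received the result, so credentials such as a ticket cache are established for logins the account stage may still reject, and nothing in the child deletes them afterwards. The export loop also advances `envp` itself, so the base of the list returned by `fetch_pam_environment()` (presumably backed by pam_getenvlist(), which allocates) is lost and can never be released; iterate with an index, `for (i = 0; envp[i] != NULL; i++)`, and free the list once it has been sent. The enclosing function continues outside the hunk.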
@@ -401,6 +411,9 @@
 			plen += snprintf(**prompts + plen, len, "%s", msg);
 			xfree(msg);
 			break;
+		case PAM_SEND_ENVIRONMENT:
+			pam_putenv(sshpam_handle, msg);
+			break;
 		case PAM_SUCCESS:
 		case PAM_AUTH_ERR:
 			if (**prompts != NULL) {
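Review bot: `msg` is never released in the new `case PAM_SEND_ENVIRONMENT`, unlike the neighbouring cases that `xfree(msg)` after use, and the result of `pam_putenv()` is ignored, so a rejected entry is silently dropped and every accepted one leaks. The string arrives over the auth socket and later becomes part of the user's environment through the PAM handle, so it should at least have the `NAME=VALUE` shape before it is stored. The switch's enclosing function starts and ends outside the hunk.
```c
		case PAM_SEND_ENVIRONMENT:
			/* Sent by the auth child; accept only NAME=VALUE entries */
			if (msg[0] == '=' || strchr(msg, '=') == NULL ||
			    pam_putenv(sshpam_handle, msg) != PAM_SUCCESS)
				error("PAM: rejected environment entry");
			xfree(msg);
			break;
```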
diff -ur openssh-3.7.1p1/auth-pam.h openssh-3.7.1p1.new/auth-pam.h
--- openssh-3.7.1p1/auth-pam.h	Tue Sep  2 15:18:53 2003
+++ openssh-3.7.1p1.new/auth-pam.h	Mon Sep 22 12:58:26 2003
@@ -31,6 +31,8 @@
 # define SSHD_PAM_SERVICE		__progname
 #endif
 
+#define PAM_SEND_ENVIRONMENT 9
+
 void start_pam(const char *);
 void finish_pam(void);
 u_int do_pam_account(void);
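Review bot: The value 9 chosen for `PAM_SEND_ENVIRONMENT` lives in the same number space as the PAM return codes that the message switch in auth-pam.c already dispatches on (`case PAM_SUCCESS`, `case PAM_AUTH_ERR`), and on common PAM implementations 9 is itself a pam_authenticate() result (PAM_AUTHINFO_UNAVAIL in Linux-PAM). The child sends `sshpam_err` as the message type on the success path, and presumably does the same at its `auth_fail` label, so that particular failure would be taken for an environment entry and fed to `pam_putenv()` instead of being handled as an error. Pick a value that cannot collide with either the return codes or the prompt message styles and say so next to it, e.g. `#define PAM_SEND_ENVIRONMENT 100	/* must not collide with PAM_* return codes or PAM_PROMPT_* styles */` (100 is a constructed example; check it against the local <security/pam_appl.h>).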
diff -ur openssh-3.7.1p1/session.c openssh-3.7.1p1.new/session.c
--- openssh-3.7.1p1/session.c	Tue Sep 16 03:52:19 2003
+++ openssh-3.7.1p1.new/session.c	Fri Sep 19 19:24:51 2003
@@ -396,6 +396,7 @@
 
 #if defined(USE_PAM)
 	if (options.use_pam) {
+		do_pam_session();
 		do_pam_setcred(1);
 		if (is_pam_password_change_required())
 			packet_disconnect("Password change required but no "
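Review bot: `do_pam_session()` is added in front of `do_pam_setcred(1)` here and again in the second session.c hunk, but nothing is removed; the mail says the session stage currently runs before the credentials are stored, which implies an existing earlier call on this path, so unless that call is dropped `pam_open_session` would run twice for the same login. Verify where the original call lives and either remove it or make `do_pam_session()` a no-op when the session is already open, and record the ordering at the new call, `/* open the PAM session here so session modules run after the forwarded credentials have been stored */`. Both hunks sit inside functions that start and end outside the diff.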
@@ -525,6 +526,7 @@
 #if defined(USE_PAM)
 	if (options.use_pam) {
 		do_pam_set_tty(s->tty);
+		do_pam_session();
 		do_pam_setcred(1);
 	}
 #endif

--=-=-=
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit


-- 
Christian Pfaffel <flash@itp.tu-graz.ac.at>
Technische Universität Graz                 Telefon: +43 / 316 / 873 - 81 90
Institut für Theoretische Physik            Telefax: +43 / 316 / 873 - 86 78
Petersgasse 16, A-8010 Graz   http://fubphpc.tu-graz.ac.at/~flash/pubkey.gpg

--=-=-=--