[OpenAFS] OpenSSH-3.7.1p1, krb5, aklog and pam
Christian Pfaffel
flash@itp.tu-graz.ac.at
22 Sep 2003 14:16:08 +0200
Since openssh version 3.7p1 the pam support is kind of broken. The
attached patch is for version 3.7.1p1 and helps with the following
problems.
1) Login via gssapi and obtaining AFS tokens via a session module from
the transferred credential. The problem arises because the session
module gets executed before the krb5 credentials are stored.
2) Interactive keyboard login with pam_krb5 as auth module and
obtaining AFS tokens via a session module from the krb5 ticket
during auth. Since the authentication via pam_authenticate() is
done in a separate thread, environment variables set by the pam
auth modules never get stored properly for the pam session modules
and for the user.
regards,
Christian Pfaffel
Attachment: openssh_pam.patch (Fix for pam, krb5 and aklog)
diff -ur openssh-3.7.1p1/auth-pam.c openssh-3.7.1p1.new/auth-pam.c
--- openssh-3.7.1p1/auth-pam.c Tue Sep 16 08:00:52 2003
+++ openssh-3.7.1p1.new/auth-pam.c Mon Sep 22 13:06:37 2003
@@ -202,6 +202,7 @@
struct pam_conv sshpam_conv;
#ifndef USE_POSIX_THREADS
const char *pam_user;
+ char **envp;
pam_get_item(sshpam_handle, PAM_USER, (const void **)&pam_user);
setproctitle("%s [pam]", pam_user);
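Review bot: `char **envp;` is declared inside the `#ifndef USE_POSIX_THREADS` block (the `#ifndef` is the line directly above it), but the variable is used later in this same function, after `pam_authenticate()`, where no such conditional is in effect; if the matching `#endif` closes before that use, a USE_POSIX_THREADS build fails with an undeclared identifier. Move the declaration up next to the unconditional locals (beside `struct pam_conv sshpam_conv;`).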
@@ -218,6 +219,15 @@
sshpam_err = pam_authenticate(sshpam_handle, 0);
if (sshpam_err != PAM_SUCCESS)
goto auth_fail;
+ do_pam_setcred(0);
+ envp = fetch_pam_environment();
+ if(envp)
+ while(*envp){
+ buffer_clear(&buffer);
+ buffer_put_cstring(&buffer, *(envp++));
+ ssh_msg_send(ctxt->pam_csock, PAM_SEND_ENVIRONMENT, &buffer);
+ }
+ buffer_clear(&buffer);
buffer_put_cstring(&buffer, "OK");
ssh_msg_send(ctxt->pam_csock, sshpam_err, &buffer);
buffer_free(&buffer);
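Review bot: the list returned by `fetch_pam_environment()` is never released, and because the loop advances `envp` itself (`*(envp++)`) the head pointer is lost, so it cannot be freed afterwards either; walk the list with a separate cursor and free it when done (auth-pam.c has `free_pam_environment()` for this). `do_pam_setcred(0)` is also moved into the authentication thread/child and before the account check, so whatever the modules establish there is local to that context and only the environment strings survive the trip over `pam_csock`; a comment saying that this is deliberate (the variables the krb5 auth module exports are what the session modules need) would stop a later reader from "fixing" it. Style nits: `if(envp)` and `while(*envp){` should follow the surrounding code's `if (envp) {` spacing and bracing.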
@@ -401,6 +411,9 @@
plen += snprintf(**prompts + plen, len, "%s", msg);
xfree(msg);
break;
+ case PAM_SEND_ENVIRONMENT:
+ pam_putenv(sshpam_handle, msg);
+ break;
case PAM_SUCCESS:
case PAM_AUTH_ERR:
if (**prompts != NULL) {
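Review bot: the new `case PAM_SEND_ENVIRONMENT:` never frees `msg`, whereas the case directly above it does `xfree(msg)` once the string has been consumed; `pam_putenv()` copies its argument, so every environment string received leaks. Add `xfree(msg);` before the `break`, and check the return value of `pam_putenv()` (at least log a failure), since a silently dropped variable reproduces exactly the symptom this patch is meant to cure. This case also sits in a switch that handles PAM return codes (`PAM_SUCCESS`, `PAM_AUTH_ERR`) on the same type field, so the value chosen for `PAM_SEND_ENVIRONMENT` in auth-pam.h must not collide with any code that can arrive here.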
diff -ur openssh-3.7.1p1/auth-pam.h openssh-3.7.1p1.new/auth-pam.h
--- openssh-3.7.1p1/auth-pam.h Tue Sep 2 15:18:53 2003
+++ openssh-3.7.1p1.new/auth-pam.h Mon Sep 22 12:58:26 2003
@@ -31,6 +31,8 @@
# define SSHD_PAM_SERVICE __progname
#endif
+#define PAM_SEND_ENVIRONMENT 9
+
void start_pam(const char *);
void finish_pam(void);
u_int do_pam_account(void);
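Review bot: `#define PAM_SEND_ENVIRONMENT 9` is a bare magic number in the `PAM_` namespace, which makes it look like a libpam constant. The `pam_csock` type field carries both conversation message types and PAM return codes (the receiver switches on `PAM_SUCCESS` and `PAM_AUTH_ERR` alongside the prompt types), and on Linux-PAM the value 9 is `PAM_AUTHINFO_UNAVAIL`. Pick a value outside both ranges, document it with a comment such as `/* sshd-private message type for the pam_csock protocol, not a libpam code */`, and consider an `SSHPAM_` prefix so it cannot be mistaken for, or clash with, a header-provided `PAM_*` macro.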
diff -ur openssh-3.7.1p1/session.c openssh-3.7.1p1.new/session.c
--- openssh-3.7.1p1/session.c Tue Sep 16 03:52:19 2003
+++ openssh-3.7.1p1.new/session.c Fri Sep 19 19:24:51 2003
@@ -396,6 +396,7 @@
#if defined(USE_PAM)
if (options.use_pam) {
+ do_pam_session();
do_pam_setcred(1);
if (is_pam_password_change_required())
packet_disconnect("Password change required but no "
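Review bot: `do_pam_session()` is placed before `do_pam_setcred(1)`, so `pam_open_session()` now runs with no credentials established in this process. The cover note says the goal is for session modules to run after the krb5 credentials are stored, so this ordering relies on the credential having been stored earlier on the GSSAPI path rather than by `do_pam_setcred(1)`; state that dependency in a comment. Please also confirm the session is not already opened elsewhere on this path, since `pam_open_session()` must be called exactly once and paired with the close in `finish_pam()`. Finally, the `is_pam_password_change_required()` disconnect just below now fires with an open session; either move that check above `do_pam_session()` or make sure the disconnect path closes the session.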
@@ -525,6 +526,7 @@
#if defined(USE_PAM)
if (options.use_pam) {
do_pam_set_tty(s->tty);
+ do_pam_session();
do_pam_setcred(1);
}
#endif
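Review bot: this is the same `do_pam_session(); do_pam_setcred(1);` pair added verbatim in `do_exec_no_pty` above; factor it into one helper in auth-pam.c so the session/setcred ordering is decided in one place rather than duplicated in both exec paths. Placing it after `do_pam_set_tty(s->tty)` is correct here, because `PAM_TTY` should be set before `pam_open_session()` runs; keep that order if the helper is introduced.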
--
Christian Pfaffel <flash@itp.tu-graz.ac.at>
Technische Universität Graz Phone: +43 / 316 / 873 - 81 90
Institut für Theoretische Physik Fax: +43 / 316 / 873 - 86 78
Petersgasse 16, A-8010 Graz http://fubphpc.tu-graz.ac.at/~flash/pubkey.gpg