[OpenAFS] openssh-3.8p1+PAM+solaris8+token OK
Rainer Laatsch
Laatsch@rrz.Uni-Koeln.DE
Tue, 16 Mar 2004 13:29:51 +0100 (MET)
The following setup works as first aid on Solaris 8 for PAM without KRB5.
It is not the final solution.
Method: hand the PAM password to the session (sshd child) via a PAM environment variable;
start Klog with the password taken from that environment;
then start the user's session (the user will not see anything of this).
Start sshd under pagsh; otherwise (if Klog fails silently) a user could
end up with root's token. Root users: to be cautious, use AFS klog with the
'-setpag' parameter. Put pam_afs as the last entry in the respective pam.conf sshd
entries so that it grabs the right password. PrivSep yes/no does not matter.
Best regards,
Rainer Laatsch@Uni-Koeln.DE
My simple Klog script:
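#!/bin/ksh
# Klog - obtain an AFS token for the user who is logging in.
# sshd (patched session.c) runs this as that user, with the cleartext PAM
# password in $AUTHPW and the klog options to use in "$@" (-setpag -pipe).
export PATH=/bin:/usr/bin:/usr/sbin:/sbin:/usr/ucb # SunOS
umask 077 # for LOGFILE
MYID=$(expr "$(id)" : 'uid=\([0-9]*\)') ## numeric uid; $UID is not set yet
# NOTE(review): a predictable name under /tmp can be pre-created by another
# local user; a per-user directory would be safer.
LOG=/tmp/Klog-$MYID.log ; print >>$LOG ; date >>$LOG
print -r -- "Klog :$USER:$LOGNAME:$UID: $*" >>$LOG # $USER,$LOGNAME,$UID: none set yet
[ "$MYID" -eq 0 ] && exit 0 ## no good for root
# Hand the password to klog on its stdin, verbatim: quoting prevents word
# splitting and globbing, -r keeps backslashes, -- keeps a leading '-' from
# being taken as a print option. (klog also inherits AUTHPW in its environment.)
print -r -- "$AUTHPW" | /usr/afsws/bin/klog "$@" ## -pipe -setpag #knows its user
# !!!!!!!
/bin/id -a >>$LOG ; /usr/afsws/bin/tokens >>$LOG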
# ------------------ /etc/pam.conf additions: have pam_afs always last !
sshd auth requisite pam_authtok_get.so.1 debug
sshd auth optional pam_dhkeys.so.1 debug
sshd auth optional pam_unix_auth.so.1 debug
sshd auth optional pam_afs.so.1 try_first_pass ignore_root debug
sshd account optional pam_unix_account.so.1
sshd account optional pam_afs.so.1 ignore_root debug
sshd session optional pam_unix_session.so.1
sshd session optional pam_afs.so.1 try_first_pass ignore_root debug
# ------------------ /etc/ssh/sshd_config override/add
Port 522
LogLevel DEBUG
X11Forwarding yes
PrintMotd no
UsePrivilegeSeparation no # Wont matter. If no sshd user in passwd
ChallengeResponseAuthentication yes # PAM needs this
UsePAM yes
KbdInteractiveAuthentication yes # else PAM doesnt work
# ------------------
Patches:
*** openssh-3.8p1.ORIG/auth-pam.c Tue Feb 17 13:20:08 2004
--- openssh-3.8p1/auth-pam.c Tue Mar 16 10:46:00 2004
***************
*** 267,272 ****
--- 267,274 ----
if (buffer_get_char(&buffer) != PAM_AUTHTOK)
goto fail;
reply[i].resp = buffer_get_string(&buffer, NULL);
+ do_pam_putenv("AUTHPW\0",reply[i].resp); /*RL*/
+
break;
case PAM_PROMPT_ECHO_ON:
buffer_put_cstring(&buffer,
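Review bot: The added do_pam_putenv keeps the cleartext authtok in the PAM environment for the lifetime of the session, and nothing here marks it as sensitive; only the filter added in the session.c hunk keeps it out of the user's process environment, so any other reader of the PAM environment list, or a later change to that filter, would expose the password. The comment should say so instead of just `/*RL*/`, e.g. `/* RL: AUTHPW carries the cleartext authtok; session.c must strip it before exec */`. The `\0` inside `"AUTHPW\0"` is redundant because a string literal is already NUL-terminated, so `"AUTHPW"` reads cleaner. The enclosing conversation function starts and ends outside the hunk.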
*** openssh-3.8p1.ORIG/session.c Mon Feb 23 14:01:27 2004
--- openssh-3.8p1/session.c Tue Mar 16 10:31:29 2004
***************
*** 951,956 ****
--- 951,985 ----
}
*var_val++ = '\0';
+ if ( 0 == strcmp("AUTHPW",var_name) ) /* match */
+ {
+ int pklog; int lenkenv; int status;
+ char klogenv [256];
+ char * klogcmd="/afs/rrz.uni-koeln.de/vol/openssh/@sys/current/sbin/Klog";
+ char* enve[2];
+ strcpy(klogenv,"AUTHPW="); lenkenv=strlen(klogenv);
+ strcpy(klogenv+lenkenv,var_val); lenkenv=strlen(klogenv);
+ klogenv[lenkenv]='\0';
+ enve[0]=klogenv; enve[1]=(char * ) NULL;
+ pklog=fork() ;
+ if (pklog >=0) /* forked with success else no-op */
+ {
+ if (pklog == 0)
+ { /* child . We are already running as USER but Klog does not know? */
+ /* ??? if( k_haspag () ) { k_setpag() ; } ??? */
+ execle(klogcmd, "Klog" ,"-setpag","-pipe", (char*) NULL, enve);
+ exit(0); /* not reached */
+ }
+ else
+ { /* parent */
+ while (waitpid(pklog, &status, 0) < 0) if (errno != EINTR) break;
+ } /* parent */
+ } /* fork*/
+ /* DONT debug3("AUTHPW=%s",var_val); */
+ xfree(var_name);
+ continue; /* never give to user */
+ } /* AUTHPW */
+
debug3("Copy environment: %s=%s", var_name, var_val);
child_set_env(env, envsize, var_name, var_val);
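Review bot: The two strcpy calls into `klogenv[256]` are unbounded: var_val is the authtok as sent by the remote client, so a value longer than about 248 bytes overruns the stack buffer, and the following `klogenv[lenkenv]='\0'` adds nothing because strcpy already terminated the string. Build the string with a bounded snprintf and skip Klog when it does not fit, clear the password copies (klogenv and var_val) before they go out of scope or are freed, and use `_exit` after a failed execle so the child does not run the parent's stdio/atexit teardown; a plain memset on a buffer about to leave scope may be elided by the compiler, so treat it as best effort. The rewrite is sketched below; the enclosing function (apparently copy_environment, judging by the debug3 text) starts and ends outside the hunk.
```c
		/* … unchanged: strcmp("AUTHPW", var_name) test and declarations … */
		if (snprintf(klogenv, sizeof klogenv, "AUTHPW=%s", var_val)
		    >= (int)sizeof klogenv) {
			error("AUTHPW value too long, Klog not started");
			memset(var_val, 0, strlen(var_val));
			xfree(var_name);
			continue;
		}
		enve[0] = klogenv; enve[1] = NULL;
		/* … unchanged: fork, parent waitpid loop … */
				execle(klogcmd, "Klog", "-setpag", "-pipe", (char *)NULL, enve);
				_exit(127); /* only reached if execle failed */
		/* … unchanged: end of fork branches … */
		memset(klogenv, 0, sizeof klogenv); /* best effort, may be elided */
		memset(var_val, 0, strlen(var_val));
		xfree(var_name);
		continue; /* never give to user */
```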
***************
*** 1540,1545 ****
--- 1569,1590 ----
argv[0] = (char *) shell0;
argv[1] = "-c";
argv[2] = (char *) command;
+
+ #ifndef SCPDIR
+ /* Help root to find scp. Laatsch@rrz.uni-koeln.de */
+ #define SCPDIR "/vol/openssh/bin/"
+ /* 0123456789+1234567 17++ */
+ #endif
+ #ifdef SCPDIR
+ if ( (strlen(command) >=4) && (strncmp("scp ",command,4) == 0) )
+ { char * buf; int comlen=strlen(command); int pathlen=strlen( SCPDIR );
+ buf=xmalloc(pathlen+comlen+1);
+ strcpy(buf, SCPDIR );
+ strcpy( (char *) &(buf[pathlen]), command); buf[pathlen+comlen]=NULL;
+ argv[2] = buf;
+ }
+ #endif
+
argv[3] = NULL;
execve(shell, argv, env);
perror(shell);
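Review bot: `buf[pathlen+comlen]=NULL` stores a null pointer constant into a char — NULL is usually `((void *)0)`, so this is at best a conversion warning — and the byte is already `'\0'` because the preceding strcpy terminated the string; drop the assignment or write `buf[pathlen + comlen] = '\0';`. The `#ifdef SCPDIR` that follows the `#ifndef SCPDIR`/`#define` pair is always true and can go. Rewriting argv[2] means every command beginning with `scp ` runs the SCPDIR binary through the shell regardless of the user's PATH; that appears intended, but the comment should state it, e.g. `/* force the SCPDIR scp for "scp ..." commands, regardless of PATH */`. The enclosing function starts and ends outside the hunk.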