[OpenAFS] Patch: OpenSSH 3.8.1p1, PAM, pam_krb5 & Privilege Separation

Christian Pfaffel flash@itp.tu-graz.ac.at
27 May 2004 15:18:23 +0200


--=-=-=


Attached is a patch that addresses the problem that occurs when one
uses PAM to authenticate to a system via ssh and authentication in the
PAM module is done via Kerberos (e.g. pam_krb5 and the like): the
acquired credentials are not stored. The patch can also be found at:

    <http://itp.tugraz.at/Comp/Resources/OpenSSH/openssh-setcred.patch>

The second patch executes pam_session() again with the stored Kerberos
credentials when GSSAPI authentication is performed AND privilege
separation is enabled, so that modules like pam_aklog or
pam_openafs_session can access the credential cache file. It can be found at
        
    <http://itp.tugraz.at/Comp/Resources/OpenSSH/openssh-pam-privsep.patch>

or below.

Best regards,

Christian


--=-=-=
Content-Type: text/x-patch
Content-Disposition: attachment; filename=openssh-setcred.patch
Content-Description: PAM and Kerberos

--- openssh-3.8.1p1/auth-pam.c	Sun Apr 18 03:00:26 2004
+++ openssh-3.8.1p1/auth-pam.c	Wed May 19 14:20:05 2004
@@ -364,6 +364,8 @@
 				goto auth_fail;
 			pam_password_change_required(0);
 		}
+		if (options.use_pam_setcred)
+		    do_pam_setcred(1);
 	}
 
 	buffer_put_cstring(&buffer, "OK");
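Review bot: The new `do_pam_setcred(1)` call runs inside the PAM authentication thread (the enclosing function starts and ends outside the hunk), so whatever a module such as pam_krb5 establishes there — typically a ticket cache file — is created in that thread's context and can only reach the session through the PAM environment the parent fetches later; with privilege separation that thread is a separate, unprivileged process, so the cache's ownership and lifetime depend on that and should be stated in a comment. The call's outcome is not checked here, so a failure to establish credentials is visible only through whatever do_pam_setcred() itself logs, which the comment should also say. I would add `/* Establish PAM credentials (e.g. a pam_krb5 ticket cache) in the auth thread so the session can pick them up via the PAM environment. */` above the new `if`. Style: the new body line is indented with four spaces where the surrounding code uses tabs; the same mixed indentation appears on the `options->use_pam_setcred = 0;` line added in servconf.c.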
--- openssh-3.8.1p1/servconf.h	Wed Dec 31 01:37:34 2003
+++ openssh-3.8.1p1/servconf.h	Wed May 19 14:11:16 2004
@@ -125,6 +125,10 @@
 	char   *authorized_keys_file;	/* File containing public keys */
 	char   *authorized_keys_file2;
 	int	use_pam;		/* Enable auth via PAM */
+	int	use_pam_setcred;	/* 
+					 * Execute do_pam_setcred in the 
+					 * PAM authentication thread
+					 */
 }       ServerOptions;
 
 void	 initialize_server_options(ServerOptions *);
--- openssh-3.8.1p1/servconf.c	Fri Jan 23 12:03:10 2004
+++ openssh-3.8.1p1/servconf.c	Wed May 19 14:09:02 2004
@@ -41,6 +41,7 @@
 
 	/* Portable-specific options */
 	options->use_pam = -1;
+	options->use_pam_setcred = -1;
 
 	/* Standard Options */
 	options->num_ports = 0;
@@ -113,6 +114,9 @@
 	if (options->use_pam == -1)
 		options->use_pam = 0;
 
+	if (options->use_pam_setcred == -1)
+	        options->use_pam_setcred = 0;
+
 	/* Standard Options */
 	if (options->protocol == SSH_PROTO_UNKNOWN)
 		options->protocol = SSH_PROTO_1|SSH_PROTO_2;
@@ -248,6 +252,7 @@
 	sBadOption,		/* == unknown option */
 	/* Portable-specific options */
 	sUsePAM,
+	sUsePAMSetCred,
 	/* Standard Options */
 	sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
 	sPermitRootLogin, sLogFacility, sLogLevel,
@@ -279,8 +284,10 @@
 	/* Portable-specific options */
 #ifdef USE_PAM
 	{ "usepam", sUsePAM },
+	{ "usepamsetcred", sUsePAMSetCred },
 #else
 	{ "usepam", sUnsupported },
+	{ "usepamsetcred", sUnsupported },
 #endif
 	{ "pamauthenticationviakbdint", sDeprecated },
 	/* Standard Options */
@@ -447,6 +454,9 @@
 	case sUsePAM:
 		intptr = &options->use_pam;
 		goto parse_flag;
+	case sUsePAMSetCred:
+		intptr = &options->use_pam_setcred;
+		goto parse_flag;
 
 	/* Standard Options */
 	case sBadOption:
--- openssh-3.8.1p1/sshd_config.5.~1~	Wed Apr 14 05:04:36 2004
+++ openssh-3.8.1p1/sshd_config.5	Mon May 24 12:15:00 2004
@@ -615,6 +615,14 @@
 .CM UsePAM
 then you will not be able to run sshd as a non-root user.  The default is
 .Dq no .
+.It Cm UsePAMSetCred
+If PAM authentication (via challenge-response) is enabled using 
+.Cm UsePAM 
+you might want to enable this option to force storage of the
+credentials which are obtained in the authentication step. This is
+useful for situations where the password is validated through Kerberos
+via a PAM module. The default is
+.Dq no .
 .It Cm UsePrivilegeSeparation
 Specifies whether
 .Nm sshd

--=-=-=
Content-Type: text/x-patch
Content-Disposition: attachment; filename=openssh-pam-privsep.patch
Content-Description: GSSAPIAuth PAM and PrivSep

--- openssh-3.8.1p1/session.c.~1~	Fri Apr 16 14:47:55 2004
+++ openssh-3.8.1p1/session.c	Tue May 25 15:02:19 2004
@@ -888,7 +888,6 @@
 	fclose(f);
 }
 
-#ifdef HAVE_ETC_DEFAULT_LOGIN
 /*
  * Return named variable from specified environment, or NULL if not present.
  */
@@ -905,6 +904,8 @@
 	return NULL;
 }
 
+#ifdef HAVE_ETC_DEFAULT_LOGIN
+
 /*
  * Read /etc/default/login.
  * We pick up the PATH (or SUPATH for root) and UMASK.
@@ -1103,8 +1104,14 @@
 	 * been set by PAM.
 	 */
 	if (options.use_pam) {
-		char **p;
+		char **p, *cp;
 
+		if((cp = child_get_env(env, "KRB5CCNAME")) != NULL){
+		    debug("Reexecuting do_pam_session()");
+		    do_pam_putenv("KRB5CCNAME", cp);
+		    do_pam_session();
+		}
+		    
 		p = fetch_pam_child_environment();
 		copy_environment(p, &env, &envsize);
 		free_pam_environment(p);
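Review bot: The new block reopens the PAM session with `do_pam_session()` a second time whenever KRB5CCNAME is present in the child environment, as the debug message itself says, without closing the first session, so modules that keep per-session state (e.g. utmp/lastlog writers or session counters) may record the session twice, and the hunk does not document why the earlier open is insufficient. The KRB5CCNAME value is copied from `env` into the PAM environment via `do_pam_putenv()`; that is fine if at this point `env` holds only what the server itself set from the stored GSSAPI/Kerberos credentials, but it should be confirmed that no user-influenced source (a user environment file or an environment request) has been merged into `env` before this block — the enclosing function starts outside the hunk. A comment such as `/* GSSAPI stored a ticket cache after the first pam_open_session(); re-run it so modules like pam_aklog/pam_openafs_session see KRB5CCNAME. */` would capture the intent. Style: `if((cp = ...) != NULL){` lacks the spacing used elsewhere in the file, the body is indented with four spaces rather than tabs, and the line after the closing brace is whitespace-only.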
--- openssh-3.8.1p1/session.h.~1~	Thu Oct  2 08:12:37 2003
+++ openssh-3.8.1p1/session.h	Tue May 25 14:55:05 2004
@@ -71,5 +71,6 @@
 void	 do_setusercontext(struct passwd *);
 void	 child_set_env(char ***envp, u_int *envsizep, const char *name,
 		       const char *value);
+static char *child_get_env(char **env, const char *name);
 
 #endif
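Review bot: `static char *child_get_env(char **env, const char *name);` is added to a shared header, which declares a file-local function in every translation unit that includes session.h; units that never define it get an unused/undefined-static warning and any unit that calls it will fail to link, so the declaration does not actually export the function. If child_get_env is only used within session.c (the first two hunks of this patch already move its definition out of `#ifdef HAVE_ETC_DEFAULT_LOGIN`, ahead of its new caller), this line can simply be dropped; if other files are meant to call it, remove `static` from both the prototype and the definition: `char	*child_get_env(char **env, const char *name);`.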

--=-=-=
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit


-- 
Christian Pfaffel <flash@itp.tu-graz.ac.at>
Technische Universität Graz                 Telefon: +43 / 316 / 873 - 81 90
Institut für Theoretische Physik            Telefax: +43 / 316 / 873 - 86 78
Petersgasse 16, A-8010 Graz   http://fubphpc.tu-graz.ac.at/~flash/pubkey.gpg


--=-=-=--