[openssh-commits] [openssh] branch master updated: auth-pam: Check the user didn't change during PAM transaction
git+noreply at mindrot.org
git+noreply at mindrot.org
Sat May 24 17:21:56 AEST 2025
This is an automated email from the git hooks/post-receive script.
djm pushed a commit to branch master
in repository openssh.
The following commit(s) were added to refs/heads/master by this push:
new 140bae1df auth-pam: Check the user didn't change during PAM transaction
140bae1df is described below
commit 140bae1df2b7246bb43439d039bf994159973585
Author: Marco Trevisan (Treviño) <mail at 3v1n0.net>
AuthorDate: Mon Sep 30 13:14:11 2024 +0200
auth-pam: Check the user didn't change during PAM transaction
PAM modules can change the user during their execution, in such case ssh
would still use the user that has been provided giving potentially
access to another user with the credentials of another one.
So prevent this from happening by ensuring that the final PAM user
matches the one that initiated the transaction.
---
auth-pam.c | 41 +++++++++++++++++++++++++++++++++--------
1 file changed, 33 insertions(+), 8 deletions(-)
diff --git a/auth-pam.c b/auth-pam.c
index 13c0a792e..2481db45f 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -467,6 +467,32 @@ sshpam_thread_conv(int n, sshpam_const struct pam_message **msg,
return (PAM_CONV_ERR);
}
+static int
+check_pam_user(Authctxt *authctxt)
+{
+ const char *pam_user;
+
+ if (authctxt == NULL || authctxt->pw == NULL ||
+ authctxt->pw->pw_name == NULL)
+ fatal("%s: PAM authctxt user not initialized", __func__);
+
+ if ((sshpam_err = pam_get_item(sshpam_handle, PAM_USER,
+ (sshpam_const void **) &pam_user)) != PAM_SUCCESS)
+ return sshpam_err;
+
+ if (pam_user == NULL) {
+ debug("PAM error: PAM_USER is NULL");
+ return PAM_USER_UNKNOWN;
+ }
+
+ if (strcmp(authctxt->pw->pw_name, pam_user) != 0) {
+ debug("PAM user \"%s\" does not match expected \"%s\"",
+ pam_user, authctxt->pw->pw_name);
+ return PAM_USER_UNKNOWN;
+ }
+ return PAM_SUCCESS;
+}
+
/*
* Authentication thread.
*/
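Review bot: check_pam_user compares PAM_USER against `authctxt->pw->pw_name`, whereas the code it replaces in sshpam_init (and the `user = authctxt->user` that sshpam_init passes to pam_start) used `authctxt->user`; if those two can differ for a connection — presumably when pw is a placeholder entry for a name with no account — the new check in sshpam_init turns that case into a fatal() rather than a plain authentication refusal, so this is worth confirming against how authctxt->pw is populated for invalid users, or comparing against `authctxt->user` as before. The helper also has no header comment; suggest `/* Verify that PAM_USER still names the user this transaction was started for. Returns PAM_SUCCESS or a PAM error code; sets sshpam_err only when pam_get_item() itself fails. */`. Note too that the function writes the file-scope sshpam_err only on the pam_get_item path while the NULL and mismatch cases are reported solely through the return value; every caller in this commit assigns the return to sshpam_err, so it works, but dropping the assignment inside the helper would make the contract uniform. The same pw_name-versus-user question applies to the callers in the sshpam_init and sshpam_auth_passwd hunks below.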
@@ -521,6 +547,8 @@ sshpam_thread(void *ctxtp)
sshpam_set_maxtries_reached(1);
if (sshpam_err != PAM_SUCCESS)
goto auth_fail;
+ if ((sshpam_err = check_pam_user(sshpam_authctxt)) != PAM_SUCCESS)
+ goto auth_fail;
if (!do_pam_account()) {
sshpam_err = PAM_ACCT_EXPIRED;
@@ -686,8 +714,7 @@ sshpam_cleanup(void)
static int
sshpam_init(struct ssh *ssh, Authctxt *authctxt)
{
- const char *pam_user, *user = authctxt->user;
- const char **ptr_pam_user = &pam_user;
+ const char *user = authctxt->user;
int r;
if (options.pam_service_name == NULL)
@@ -706,12 +733,8 @@ sshpam_init(struct ssh *ssh, Authctxt *authctxt)
}
if (sshpam_handle != NULL) {
/* We already have a PAM context; check if the user matches */
- sshpam_err = pam_get_item(sshpam_handle,
- PAM_USER, (sshpam_const void **)ptr_pam_user);
- if (sshpam_err == PAM_SUCCESS && strcmp(user, pam_user) == 0)
- return (0);
- pam_end(sshpam_handle, sshpam_err);
- sshpam_handle = NULL;
+ if ((sshpam_err = check_pam_user(authctxt)) != PAM_SUCCESS)
+ fatal("PAM user mismatch");
}
debug("PAM: initializing for \"%s\" with service \"%s\"", user,
options.pam_service_name);
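Review bot: `fatal("PAM user mismatch")` is reached for every non-PAM_SUCCESS return from check_pam_user, including a failure of pam_get_item() itself, so the message can misstate the cause and drops the error code; suggest `fatal("%s: PAM user check failed: %s", __func__, pam_strerror(sshpam_handle, sshpam_err));`. The removed lines used to pam_end() the stale handle and fall through to re-initialise, so the new behaviour is a hard failure of the connection rather than a fresh PAM context — presumably intended, but the commit message describes only the check, and a one-line comment on the fatal saying the handle is deliberately not re-created would help the next reader. sshpam_init's body continues outside the hunk.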
@@ -1378,6 +1401,8 @@ sshpam_auth_passwd(Authctxt *authctxt, const char *password)
sshpam_err = pam_authenticate(sshpam_handle, flags);
sshpam_password = NULL;
free(fake);
+ if (sshpam_err == PAM_SUCCESS)
+ sshpam_err = check_pam_user(authctxt);
if (sshpam_err == PAM_MAXTRIES)
sshpam_set_maxtries_reached(1);
if (sshpam_err == PAM_SUCCESS && authctxt->valid) {
--