OpenSSH changes for BSD/OS
Jeff Polk
polk at BSDI.COM
Sun Oct 8 03:39:40 EST 2000
The following are patches against openssh 2.1.1p4 to add
support for the BSD_AUTH authentication mechanisms. It allows the
use of non-challenge/response style mechanisms (which styles are
allowed my be limited by appropriate auth-ssh entries in login.conf).
The patches also add support for calling setusercontext for the
appropriate class when called with a command (so that the PATH, limits,
etc. are set appropriately for the class the user is part of). login -h
takes care of this when ssh is called for a regular login. To have
access to the class when setting up the session, I had to add preserving
it in ssh.c, and both version 1 and version 2 auth routines. I
made that conditional on the last CSRG release BSD/OS is based on
(all of the other BSD's should also have it).
Please let me know if you have different suggestions.
It looks like the s/key challenge/response code is really a hack
using the debugging messages for the challenge on the first login
attempt. It looked pretty painful, so I didn't bother making
generic challenge/response for BSD_AUTH work using that mechanism.
Is there something I'm missing that would make challenge/response
more reasonable?
Jeff
Index: auth1.c
===================================================================
RCS file: /master/contrib/openssh/auth1.c,v
retrieving revision 1.1.1.1
diff -c -r1.1.1.1 auth1.c
*** auth1.c 2000/08/17 16:17:52 1.1.1.1
--- auth1.c 2000/10/06 20:45:57
***************
*** 23,28 ****
--- 23,34 ----
# include <siad.h>
#endif
+ #ifdef HAVE_BSD_AUTH
+ # include <login_cap.h>
+ # include <bsd_auth.h>
+ static char *bsduser=NULL; /* XXX -- ugly, but we need the original */
+ #endif
+
/* import */
extern ServerOptions options;
extern char *forced_command;
***************
*** 315,321 ****
NULL, password) == SIASUCCESS) {
authenticated = 1;
}
! #else /* !USE_PAM && !HAVE_OSF_SIA */
/* Try authentication with the password. */
authenticated = auth_password(pw, password);
#endif /* USE_PAM */
--- 321,330 ----
NULL, password) == SIASUCCESS) {
authenticated = 1;
}
! #elif defined(HAVE_BSD_AUTH)
! authenticated = auth_userokay(bsduser, NULL,
! "auth-ssh", password);
! #else /* !USE_PAM && !HAVE_OSF_SIA && !HAVE_BSD_AUTH */
/* Try authentication with the password. */
authenticated = auth_password(pw, password);
#endif /* USE_PAM */
***************
*** 469,474 ****
--- 478,492 ----
#endif /* AFS */
/* Verify that the user is a valid user. */
+ #ifdef HAVE_BSD_AUTH
+ /* we may have an auth type in the user name we need to strip */
+ {
+ char *p;
+ bsduser = xstrdup(user);
+ if ((p = strchr(user, ':')) != NULL)
+ *p = '\0';
+ }
+ #endif
pw = getpwnam(user);
if (!pw || !allowed_user(pw))
do_fake_authloop1(user);
***************
*** 482,487 ****
--- 500,508 ----
pwcopy.pw_gid = pw->pw_gid;
pwcopy.pw_dir = xstrdup(pw->pw_dir);
pwcopy.pw_shell = xstrdup(pw->pw_shell);
+ #if defined(BSD) && BSD >= 199506
+ pwcopy.pw_class = xstrdup(pw->pw_class);
+ #endif
pw = &pwcopy;
#ifdef USE_PAM
***************
*** 508,514 ****
(sia_validate_user(NULL, saved_argc, saved_argv,
get_canonical_hostname(), pw->pw_name, NULL, 0, NULL,
"") == SIASUCCESS)) {
! #else /* !HAVE_OSF_SIA && !USE_PAM */
auth_password(pw, "")) {
#endif /* USE_PAM */
/* Authentication with empty password succeeded. */
--- 529,537 ----
(sia_validate_user(NULL, saved_argc, saved_argv,
get_canonical_hostname(), pw->pw_name, NULL, 0, NULL,
"") == SIASUCCESS)) {
! #elif defined(HAVE_BSD_AUTH)
! auth_userokay(bsduser, NULL, "auth-ssh", "" )) {
! #else /* !HAVE_OSF_SIA && !USE_PAM && !HAVE_BSD_AUTH */
auth_password(pw, "")) {
#endif /* USE_PAM */
/* Authentication with empty password succeeded. */
***************
*** 520,525 ****
--- 543,555 ----
authentication is successfull */
do_authloop(pw);
}
+
+ #ifdef HAVE_BSD_AUTH
+ if (bsduser != NULL) {
+ xfree(bsduser);
+ bsduser = NULL;
+ }
+ #endif
/* The user has been authenticated and accepted. */
#ifdef WITH_AIXAUTHENTICATE
Index: auth2.c
===================================================================
RCS file: /master/contrib/openssh/auth2.c,v
retrieving revision 1.1.1.1
diff -c -r1.1.1.1 auth2.c
*** auth2.c 2000/08/17 16:17:52 1.1.1.1
--- auth2.c 2000/10/06 20:49:19
***************
*** 61,66 ****
--- 61,71 ----
# include <siad.h>
#endif
+ #ifdef HAVE_BSD_AUTH
+ # include <login_cap.h>
+ # include <bsd_auth.h>
+ #endif
+
/* import */
extern ServerOptions options;
extern unsigned char *session_id2;
***************
*** 262,268 ****
return(sia_validate_user(NULL, saved_argc, saved_argv,
get_canonical_hostname(), pw->pw_name, NULL, 0, NULL,
"") == SIASUCCESS);
! #else /* !HAVE_OSF_SIA && !USE_PAM */
return auth_password(pw, "");
#endif /* USE_PAM */
}
--- 267,275 ----
return(sia_validate_user(NULL, saved_argc, saved_argv,
get_canonical_hostname(), pw->pw_name, NULL, 0, NULL,
"") == SIASUCCESS);
! #elif defined(HAVE_BSD_AUTH)
! return auth_userokay(authctxt->user, NULL, "auth-ssh", "");
! #else /* !HAVE_OSF_SIA && !USE_PAM && !HAVE_BSD_AUTH */
return auth_password(pw, "");
#endif /* USE_PAM */
}
***************
*** 289,295 ****
sia_validate_user(NULL, saved_argc, saved_argv,
get_canonical_hostname(), pw->pw_name, NULL, 0,
NULL, password) == SIASUCCESS)
! #else /* !USE_PAM && !HAVE_OSF_SIA */
auth_password(pw, password) == 1)
#endif /* USE_PAM */
authenticated = 1;
--- 296,304 ----
sia_validate_user(NULL, saved_argc, saved_argv,
get_canonical_hostname(), pw->pw_name, NULL, 0,
NULL, password) == SIASUCCESS)
! #elif defined(HAVE_BSD_AUTH)
! auth_userokay(authctxt->user, NULL, "auth-ssh", password) != 0)
! #else /* !USE_PAM && !HAVE_OSF_SIA && !HAVE_BSD_AUTH */
auth_password(pw, password) == 1)
#endif /* USE_PAM */
authenticated = 1;
***************
*** 397,403 ****
--- 406,424 ----
authctxt->user = xstrdup(u);
authctxt->service = xstrdup(s);
setproctitle("%s", u);
+ #ifdef HAVE_BSD_AUTH
+ {
+ /* user may contain requested auth type */
+ char *p;
+ if ((p = strchr(u, ':')) != NULL)
+ *p = '\0';
+ pw = getpwnam(u);
+ if (p != NULL)
+ *p = ':';
+ }
+ #else
pw = getpwnam(u);
+ #endif
if (!pw || !allowed_user(pw)) {
log("auth_set_user: illegal user %s", u);
return NULL;
***************
*** 413,418 ****
--- 434,442 ----
copy->pw_gid = pw->pw_gid;
copy->pw_dir = xstrdup(pw->pw_dir);
copy->pw_shell = xstrdup(pw->pw_shell);
+ #if defined(BSD) && BSD >= 199506
+ copy->pw_class = xstrdup(pw->pw_class);
+ #endif
authctxt->valid = 1;
} else {
if (strcmp(u, authctxt->user) != 0 ||
Index: session.c
===================================================================
RCS file: /master/contrib/openssh/session.c,v
retrieving revision 1.1.1.1
diff -c -r1.1.1.1 session.c
*** session.c 2000/08/17 16:17:59 1.1.1.1
--- session.c 2000/10/06 21:03:25
***************
*** 32,37 ****
--- 32,41 ----
#include <proj.h>
#endif /* WITH_IRIX_PROJECT */
+ #ifdef HAVE_SETUSERCONTEXT
+ #include <login_cap.h>
+ #endif
+
#if defined(HAVE_USERSEC_H)
#include <usersec.h>
#endif
***************
*** 900,905 ****
--- 904,912 ----
#ifdef WITH_IRIX_PROJECT
prid_t projid;
#endif /* WITH_IRIX_PROJECT */
+ #ifdef HAVE_SETUSERCONTEXT
+ login_cap_t *lc;
+ #endif /* HAVE_SETUSERCONTEXT */
/* login(1) is only called if we execute the login shell */
if (options.use_login && command != NULL)
***************
*** 927,932 ****
--- 934,940 ----
/* Login(1) does this as well, and it needs uid 0 for the "-h"
switch, so we let login(1) to this for us. */
if (!options.use_login) {
+ #ifndef HAVE_SETUSERCONTEXT
#ifdef HAVE_OSF_SIA
extern char **saved_argv;
extern int saved_argc;
***************
*** 984,989 ****
--- 992,1002 ----
if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
fatal("Failed to set uids to %d.", (int) pw->pw_uid);
#endif /* HAVE_OSF_SIA */
+ #else /* HAVE_SETUSERCONTEXT*/
+ lc = login_getclass(pw->pw_class);
+ if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETALL) < 0)
+ fatal("setusercontext failed.");
+ #endif /* HAVE_SETUSERCONTEXT */
}
/*
* Get the shell from the password data. An empty shell field is
***************
*** 1013,1019 ****
--- 1026,1038 ----
child_set_env(&env, &envsize, "USER", pw->pw_name);
child_set_env(&env, &envsize, "LOGNAME", pw->pw_name);
child_set_env(&env, &envsize, "HOME", pw->pw_dir);
+ #ifdef HAVE_SETUSERCONTEXT
+ /* update the path to the one setusercontext set for us */
+ if (getenv("PATH"))
+ child_set_env(&env, &envsize, "PATH", getenv("PATH"));
+ #else
child_set_env(&env, &envsize, "PATH", _PATH_STDPATH);
+ #endif
snprintf(buf, sizeof buf, "%.200s/%.50s",
_PATH_MAILDIR, pw->pw_name);
Index: ssh.c
===================================================================
RCS file: /master/contrib/openssh/ssh.c,v
retrieving revision 1.1.1.1
diff -c -r1.1.1.1 ssh.c
*** ssh.c 2000/08/17 16:18:00 1.1.1.1
--- ssh.c 2000/10/06 20:44:07
***************
*** 492,497 ****
--- 492,500 ----
pwcopy.pw_gid = pw->pw_gid;
pwcopy.pw_dir = xstrdup(pw->pw_dir);
pwcopy.pw_shell = xstrdup(pw->pw_shell);
+ #if defined(BSD) && BSD >= 199506
+ pwcopy.pw_class = xstrdup(pw->pw_class);
+ #endif
pw = &pwcopy;
/* Initialize "log" output. Since we are the client all output
More information about the openssh-unix-dev
mailing list