Patch for Digital Unix SIA authentication

Chris Adams cmadams at hiwaay.net
Tue Oct 24 03:33:32 EST 2000


Once upon a time, Chris Adams <cmadams at hiwaay.net> said:
> A while back, I sent in a patch that added Digital Unix SIA
> authentication to OpenSSH.  Well, I just figured out that it didn't
> handle everything correctly (locked accounts could still log in).  I
> thought I had checked that, but I guess I missed it.
> 
> Anyway, here is a patch against OpenSSH 2.2.0p1 that fixes this.

Well, that patch still didn't fix everything.  With the help of John P
Speno, I've got a new patch that _really_ fixes things.

Since I don't know if my previous patch has been applied to any tree,
I'm including two patches here:

openssh-2.2.0p1-osfsia-sec.patch: applies against 2.2.0p1 + my previous patch
openssh-2.2.0p1-osfsia-full.patch: applies against clean 2.2.0p1

Sorry for the confusion; this should be "the one".
-- 
Chris Adams <cmadams at hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
-------------- next part --------------
diff -urN openssh-2.2.0p1-dist/auth-sia.c openssh-2.2.0p1/auth-sia.c
--- openssh-2.2.0p1-dist/auth-sia.c	Mon Oct 16 16:00:45 2000
+++ openssh-2.2.0p1/auth-sia.c	Mon Oct 16 15:50:09 2000
@@ -5,29 +5,91 @@
 
 #include <sia.h>
 #include <siad.h>
+#include <pwd.h>
+#include <signal.h>
+#include <setjmp.h>
+#include <sys/resource.h>
+#include <unistd.h>
+#include <string.h>
 
 extern int saved_argc;
 extern char **saved_argv;
 
+extern int errno;
+
 int
 auth_sia_password (user, pass)
 	char *user;
 	char *pass;
 {
-	SIAENTITY *ent = NULL;
 	int ret;
+	SIAENTITY *ent = NULL;
+	char *host = get_canonical_hostname();
 
-	if (sia_ses_init (&ent, saved_argc, saved_argv,
-	    get_canonical_hostname(), user, NULL, 0, NULL) != SIASUCCESS)
+	if (sia_ses_init (&ent, saved_argc, saved_argv, host, user, NULL, 0,
+	    NULL) != SIASUCCESS)
 		return 0;
+
 	if ((ret = sia_ses_authent (NULL, pass, ent)) != SIASUCCESS) {
+		error ("couldn't authenticate %s from %s", user, host);
 		if (ret & SIASTOP)
 			sia_ses_release (&ent);
 		return 0;
 	}
-	if (sia_ses_estab (NULL, ent) != SIASUCCESS)
+
+	sia_ses_release (&ent);
+
+	return 1;
+}
+
+int
+session_setup_sia (user, tty)
+	char *user;
+	char *tty;
+{
+	int ret;
+	struct passwd *pw;
+	SIAENTITY *ent = NULL;
+	char *host = get_canonical_hostname();
+
+	if (sia_ses_init (&ent, saved_argc, saved_argv, host, user, tty, 0,
+	    NULL) != SIASUCCESS)
+		return 0;
+
+	if ((pw = getpwnam (user)) == NULL) {
+		error ("getpwnam(%s) failed", user);
+		sia_ses_release (&ent);
+		return 0;
+	}
+	if (sia_make_entity_pwd (pw, ent) != SIASUCCESS) {
+		sia_ses_release (&ent);
+		return 0;
+	}
+
+	ent->authtype = SIA_A_NONE;
+	if (sia_ses_estab (sia_collect_trm, ent) != SIASUCCESS) {
+		error ("couldn't establish session for %s from %s", user,
+		    host);
+		return 0;
+	}
+
+	if (setpriority (PRIO_PROCESS, 0, 0) == -1) {
+		error ("setpriority failed: %s", strerror (errno));
+		sia_ses_release (&ent);
+		return 0;
+	}
+
+	if (sia_ses_launch (sia_collect_trm, ent) != SIASUCCESS) {
+		error ("couldn't launch session for %s from %s", user, host);
 		return 0;
+	}
 	sia_ses_release (&ent);
+
+	if (setreuid(geteuid(), geteuid()) < 0) {
+		error ("setreuid failed: %s", strerror (errno));
+		return 0;
+	}
+
 	return 1;
 }
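Review bot: Whatever account checks sia_ses_estab performs no longer run at authentication time, because auth_sia_password now ends at sia_ses_authent and the sia_ses_estab call moved into session_setup_sia, which runs in the session child; if locked/expired-account enforcement lives in sia_ses_estab rather than in sia_ses_authent, a locked user is reported as authenticated and only fails at session start, a point an SSH2 client that never opens a session (port forwarding only) would not reach, so it is worth confirming which SIA call enforces the lock. In session_setup_sia the sia_ses_estab and sia_ses_launch failure branches return 0 without `sia_ses_release (&ent);`, unlike the getpwnam, sia_make_entity_pwd and setpriority branches just above them; add the release in both. `int ret;` in session_setup_sia is declared and never used. The same code appears verbatim in the full patch's new auth-sia.c hunk.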
 
diff -urN openssh-2.2.0p1-dist/auth1.c openssh-2.2.0p1/auth1.c
--- openssh-2.2.0p1-dist/auth1.c	Mon Oct 16 16:00:45 2000
+++ openssh-2.2.0p1/auth1.c	Mon Oct 16 14:32:28 2000
@@ -495,7 +495,7 @@
 #ifdef USE_PAM
 	    auth_pam_password(pw, "")) {
 #elif defined(HAVE_OSF_SIA)
-	    auth_sia_password(pw->pw_name, "")) {
+	    0) {
 #else /* !HAVE_OSF_SIA && !USE_PAM */
 	    auth_password(pw, "")) {
 #endif /* USE_PAM */
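Review bot: The bare `0) {` in the HAVE_OSF_SIA branch leaves the reader to work out that empty-password login is now deliberately refused under SIA rather than being a placeholder; a comment on that line such as `/* SIA: an empty password never authenticates */` would record the decision. The same bare `0` appears in the auth2.c hunk of this patch and in the corresponding auth1.c and auth2.c hunks of the full patch. The enclosing function starts outside the hunk.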
diff -urN openssh-2.2.0p1-dist/auth2.c openssh-2.2.0p1/auth2.c
--- openssh-2.2.0p1-dist/auth2.c	Mon Oct 16 16:00:45 2000
+++ openssh-2.2.0p1/auth2.c	Mon Oct 16 15:11:34 2000
@@ -249,7 +249,7 @@
 #ifdef USE_PAM
 	return auth_pam_password(pw, "");
 #elif defined(HAVE_OSF_SIA)
-	return auth_sia_password(pw->pw_name, "");
+	return 0;
 #else /* !HAVE_OSF_SIA && !USE_PAM */
 	return auth_password(pw, "");
 #endif /* USE_PAM */
diff -urN openssh-2.2.0p1-dist/session.c openssh-2.2.0p1/session.c
--- openssh-2.2.0p1-dist/session.c	Tue Aug 29 17:21:22 2000
+++ openssh-2.2.0p1/session.c	Mon Oct 16 15:19:47 2000
@@ -36,11 +36,6 @@
 #include <usersec.h>
 #endif
 
-#ifdef HAVE_OSF_SIA
-# include <sia.h>
-# include <siad.h>
-#endif
-
 /* AIX limits */
 #if defined(HAVE_GETUSERATTR) && !defined(S_UFSIZE_HARD) && defined(S_UFSIZE)
 # define S_UFSIZE_HARD  S_UFSIZE "_hard"
@@ -953,20 +948,8 @@
 	   switch, so we let login(1) to this for us. */
 	if (!options.use_login) {
 #ifdef HAVE_OSF_SIA
-		extern char **saved_argv;
-		extern int saved_argc;
-		char *host = get_canonical_hostname ();
-
-		if (sia_become_user(NULL, saved_argc, saved_argv, host,
-		    pw->pw_name, ttyname, 0, NULL, NULL, SIA_BEU_SETLUID) !=
-		    SIASUCCESS) {
-			perror("sia_become_user");
+		if (session_setup_sia(pw->pw_name, ttyname) != 1)
 			exit(1);
-		}
-		if (setreuid(geteuid(), geteuid()) < 0) {
-			perror("setreuid");
-			exit(1);
-		}
 #else /* HAVE_OSF_SIA */
 		if (getuid() == 0 || geteuid() == 0) {
 # ifdef HAVE_GETUSERATTR
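Review bot: The removed sia_become_user call passed SIA_BEU_SETLUID explicitly, so the login UID was set for the session's audit trail; the replacement session_setup_sia goes through sia_ses_estab and sia_ses_launch, and whether that path sets the login UID is not visible here, so confirm it does before relying on it. session_setup_sia also returns 0 from a failed sia_ses_init without logging, so this `exit(1)` can terminate the child silently where the old code at least called perror; log before exiting or have the callee report every failure. Dropping the braces around the single-statement if departs from the surrounding style, `if (session_setup_sia(pw->pw_name, ttyname) != 1) {` with a closing brace keeps it consistent. The enclosing function starts and ends outside the hunk, and the full patch's session.c hunk is identical.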
diff -urN openssh-2.2.0p1-dist/ssh.h openssh-2.2.0p1/ssh.h
--- openssh-2.2.0p1-dist/ssh.h	Mon Oct 16 16:00:45 2000
+++ openssh-2.2.0p1/ssh.h	Mon Oct 16 15:03:02 2000
@@ -563,6 +563,7 @@
 
 #ifdef HAVE_OSF_SIA
 int	auth_sia_password(char *user, char *pass);
+int	session_setup_sia(char *user, char *tty);
 #endif
 
 #endif				/* SSH_H */
-------------- next part --------------
diff -urN openssh-2.2.0p1-dist/Makefile.in openssh-2.2.0p1/Makefile.in
--- openssh-2.2.0p1-dist/Makefile.in	Tue Aug 22 19:46:23 2000
+++ openssh-2.2.0p1/Makefile.in	Sat Oct 14 19:34:08 2000
@@ -40,7 +40,7 @@
 
 SSHOBJS= ssh.o sshconnect.o sshconnect1.o sshconnect2.o log-client.o readconf.o clientloop.o
 
-SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth-rhosts.o auth-options.o auth-krb4.o auth-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o pty.o log-server.o login.o loginrec.o servconf.o serverloop.o md5crypt.o session.o
+SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth-rhosts.o auth-options.o auth-krb4.o auth-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o auth-sia.o pty.o log-server.o login.o loginrec.o servconf.o serverloop.o md5crypt.o session.o
 
 TROFFMAN	= scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh.1 sshd.8
 CATMAN		= scp.0 ssh-add.0 ssh-agent.0 ssh-keygen.0 ssh.0 sshd.0
diff -urN openssh-2.2.0p1-dist/auth-sia.c openssh-2.2.0p1/auth-sia.c
--- openssh-2.2.0p1-dist/auth-sia.c	Wed Dec 31 18:00:00 1969
+++ openssh-2.2.0p1/auth-sia.c	Mon Oct 16 15:50:09 2000
@@ -0,0 +1,96 @@
+#include "includes.h"
+
+#ifdef HAVE_OSF_SIA
+#include "ssh.h"
+
+#include <sia.h>
+#include <siad.h>
+#include <pwd.h>
+#include <signal.h>
+#include <setjmp.h>
+#include <sys/resource.h>
+#include <unistd.h>
+#include <string.h>
+
+extern int saved_argc;
+extern char **saved_argv;
+
+extern int errno;
+
+int
+auth_sia_password (user, pass)
+	char *user;
+	char *pass;
+{
+	int ret;
+	SIAENTITY *ent = NULL;
+	char *host = get_canonical_hostname();
+
+	if (sia_ses_init (&ent, saved_argc, saved_argv, host, user, NULL, 0,
+	    NULL) != SIASUCCESS)
+		return 0;
+
+	if ((ret = sia_ses_authent (NULL, pass, ent)) != SIASUCCESS) {
+		error ("couldn't authenticate %s from %s", user, host);
+		if (ret & SIASTOP)
+			sia_ses_release (&ent);
+		return 0;
+	}
+
+	sia_ses_release (&ent);
+
+	return 1;
+}
+
+int
+session_setup_sia (user, tty)
+	char *user;
+	char *tty;
+{
+	int ret;
+	struct passwd *pw;
+	SIAENTITY *ent = NULL;
+	char *host = get_canonical_hostname();
+
+	if (sia_ses_init (&ent, saved_argc, saved_argv, host, user, tty, 0,
+	    NULL) != SIASUCCESS)
+		return 0;
+
+	if ((pw = getpwnam (user)) == NULL) {
+		error ("getpwnam(%s) failed", user);
+		sia_ses_release (&ent);
+		return 0;
+	}
+	if (sia_make_entity_pwd (pw, ent) != SIASUCCESS) {
+		sia_ses_release (&ent);
+		return 0;
+	}
+
+	ent->authtype = SIA_A_NONE;
+	if (sia_ses_estab (sia_collect_trm, ent) != SIASUCCESS) {
+		error ("couldn't establish session for %s from %s", user,
+		    host);
+		return 0;
+	}
+
+	if (setpriority (PRIO_PROCESS, 0, 0) == -1) {
+		error ("setpriority failed: %s", strerror (errno));
+		sia_ses_release (&ent);
+		return 0;
+	}
+
+	if (sia_ses_launch (sia_collect_trm, ent) != SIASUCCESS) {
+		error ("couldn't launch session for %s from %s", user, host);
+		return 0;
+	}
+	sia_ses_release (&ent);
+
+	if (setreuid(geteuid(), geteuid()) < 0) {
+		error ("setreuid failed: %s", strerror (errno));
+		return 0;
+	}
+
+	return 1;
+}
+
+#endif /* HAVE_OSF_SIA */
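Review bot: `extern int errno;` after the saved_argv declaration should be `#include <errno.h>`; declaring errno by hand breaks on libc builds where errno is a macro (thread-safe variants), and the header is the portable form. Both sia_ses_init failure paths, in auth_sia_password and in session_setup_sia, return 0 without an error() call, so a SIA initialization failure leaves no log line and the caller in session.c exits with only a bare exit(1); add a message such as `error ("sia_ses_init failed for %s from %s", user, host);` on those two paths to match the other failure branches. Both points apply equally to the auth-sia.c hunk of the first patch.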
diff -urN openssh-2.2.0p1-dist/auth1.c openssh-2.2.0p1/auth1.c
--- openssh-2.2.0p1-dist/auth1.c	Tue Aug 22 19:46:23 2000
+++ openssh-2.2.0p1/auth1.c	Mon Oct 16 14:32:28 2000
@@ -18,18 +18,9 @@
 #include "auth.h"
 #include "session.h"
 
-#ifdef HAVE_OSF_SIA
-# include <sia.h>
-# include <siad.h>
-#endif
-
 /* import */
 extern ServerOptions options;
 extern char *forced_command;
-#ifdef HAVE_OSF_SIA
-extern int saved_argc;
-extern char **saved_argv;
-#endif /* HAVE_OSF_SIA */
 
 /*
  * convert ssh auth msg type into description
@@ -310,11 +301,7 @@
 			authenticated = auth_pam_password(pw, password);
 #elif defined(HAVE_OSF_SIA)
 			/* Do SIA auth with password */
-			if (sia_validate_user(NULL, saved_argc, saved_argv, 
-				get_canonical_hostname(), pw->pw_name, NULL, 0, 
-				NULL, password) == SIASUCCESS) {
-				authenticated = 1;
-			}
+			authenticated = auth_sia_password(pw->pw_name, password);
 #else /* !USE_PAM && !HAVE_OSF_SIA */
 			/* Try authentication with the password. */
 			authenticated = auth_password(pw, password);
@@ -508,9 +495,7 @@
 #ifdef USE_PAM
 	    auth_pam_password(pw, "")) {
 #elif defined(HAVE_OSF_SIA)
-	    (sia_validate_user(NULL, saved_argc, saved_argv, 
-	    get_canonical_hostname(), pw->pw_name, NULL, 0, NULL, 
-	    "") == SIASUCCESS)) {
+	    0) {
 #else /* !HAVE_OSF_SIA && !USE_PAM */
 	    auth_password(pw, "")) {
 #endif /* USE_PAM */
diff -urN openssh-2.2.0p1-dist/auth2.c openssh-2.2.0p1/auth2.c
--- openssh-2.2.0p1-dist/auth2.c	Tue Aug 22 19:46:24 2000
+++ openssh-2.2.0p1/auth2.c	Mon Oct 16 15:11:34 2000
@@ -56,11 +56,6 @@
 #include "uidswap.h"
 #include "auth-options.h"
 
-#ifdef HAVE_OSF_SIA
-# include <sia.h>
-# include <siad.h>
-#endif
-
 /* import */
 extern ServerOptions options;
 extern unsigned char *session_id2;
@@ -249,19 +244,12 @@
 int
 ssh2_auth_none(struct passwd *pw)
 {
-#ifdef HAVE_OSF_SIA
-	extern int saved_argc;
-	extern char **saved_argv;
-#endif
-
 	packet_done();
 
 #ifdef USE_PAM
 	return auth_pam_password(pw, "");
 #elif defined(HAVE_OSF_SIA)
-	return(sia_validate_user(NULL, saved_argc, saved_argv, 
-		get_canonical_hostname(), pw->pw_name, NULL, 0, NULL, 
-		"") == SIASUCCESS);
+	return 0;
 #else /* !HAVE_OSF_SIA && !USE_PAM */
 	return auth_password(pw, "");
 #endif /* USE_PAM */
@@ -273,10 +261,6 @@
 	int authenticated = 0;
 	int change;
 	unsigned int len;
-#ifdef HAVE_OSF_SIA
-	extern int saved_argc;
-	extern char **saved_argv;
-#endif
 	change = packet_get_char();
 	if (change)
 		log("password change not supported");
@@ -286,9 +270,7 @@
 #ifdef USE_PAM
 	    auth_pam_password(pw, password) == 1)
 #elif defined(HAVE_OSF_SIA)
-	    sia_validate_user(NULL, saved_argc, saved_argv, 
-		 	get_canonical_hostname(), pw->pw_name, NULL, 0, 
-			NULL, password) == SIASUCCESS)
+	    auth_sia_password(pw->pw_name, password) == 1)
 #else /* !USE_PAM && !HAVE_OSF_SIA */
 	    auth_password(pw, password) == 1)
 #endif /* USE_PAM */
diff -urN openssh-2.2.0p1-dist/session.c openssh-2.2.0p1/session.c
--- openssh-2.2.0p1-dist/session.c	Tue Aug 29 17:21:22 2000
+++ openssh-2.2.0p1/session.c	Mon Oct 16 15:19:47 2000
@@ -36,11 +36,6 @@
 #include <usersec.h>
 #endif
 
-#ifdef HAVE_OSF_SIA
-# include <sia.h>
-# include <siad.h>
-#endif
-
 /* AIX limits */
 #if defined(HAVE_GETUSERATTR) && !defined(S_UFSIZE_HARD) && defined(S_UFSIZE)
 # define S_UFSIZE_HARD  S_UFSIZE "_hard"
@@ -953,20 +948,8 @@
 	   switch, so we let login(1) to this for us. */
 	if (!options.use_login) {
 #ifdef HAVE_OSF_SIA
-		extern char **saved_argv;
-		extern int saved_argc;
-		char *host = get_canonical_hostname ();
-
-		if (sia_become_user(NULL, saved_argc, saved_argv, host,
-		    pw->pw_name, ttyname, 0, NULL, NULL, SIA_BEU_SETLUID) !=
-		    SIASUCCESS) {
-			perror("sia_become_user");
+		if (session_setup_sia(pw->pw_name, ttyname) != 1)
 			exit(1);
-		}
-		if (setreuid(geteuid(), geteuid()) < 0) {
-			perror("setreuid");
-			exit(1);
-		}
 #else /* HAVE_OSF_SIA */
 		if (getuid() == 0 || geteuid() == 0) {
 # ifdef HAVE_GETUSERATTR
diff -urN openssh-2.2.0p1-dist/ssh.h openssh-2.2.0p1/ssh.h
--- openssh-2.2.0p1-dist/ssh.h	Tue Aug 22 19:46:25 2000
+++ openssh-2.2.0p1/ssh.h	Mon Oct 16 15:03:02 2000
@@ -561,4 +561,9 @@
 #include "auth-pam.h"
 #endif /* USE_PAM */
 
+#ifdef HAVE_OSF_SIA
+int	auth_sia_password(char *user, char *pass);
+int	session_setup_sia(char *user, char *tty);
+#endif
+
 #endif				/* SSH_H */

