Patch for DU SIA auth

Trevor Schroeder tschroed at media.mit.edu
Thu Dec 20 03:51:44 EST 2001


Hello.  The following is a patch against OpenSSH 3.0.2p1 to fix OpenSSH's
handling of Tru64 SIA authentication.  The main change is to make the
SIAENTITY a global variable (so that it persists across function calls);
as a result, initialization happens only once and the session is released
only once.  This makes SIA modules that require authentication in order to
perform certain actions during the session launch call work properly.

For example, we have a Kerberos 5 / AFS SIA module here that requires that
the user authenticate during sia_ses_authent and then uses the information
stored in the SIAENTITY during sia_ses_launch to fetch Kerberos tickets and
AFS tokens.

diff -c openssh-3.0.2p1/auth-sia.c openssh-3.0.2p1-tschroed/auth-sia.c
*** openssh-3.0.2p1/auth-sia.c	Mon Apr 16 04:37:05 2001
--- openssh-3.0.2p1-tschroed/auth-sia.c	Thu Dec  6 13:02:26 2001
***************
*** 21,32 ****
  extern char **saved_argv;
  
  extern int errno;
  
  int
  auth_sia_password(char *user, char *pass)
  {
  	int ret;
- 	SIAENTITY *ent = NULL;
  	const char *host;
  
  	host = get_canonical_hostname(options.reverse_mapping_check);
--- 21,32 ----
  extern char **saved_argv;
  
  extern int errno;
+ SIAENTITY *__sia_ent = NULL;
  
  int
  auth_sia_password(char *user, char *pass)
  {
  	int ret;
  	const char *host;
  
  	host = get_canonical_hostname(options.reverse_mapping_check);
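Review bot: The new file-scope variable at `+ SIAENTITY *__sia_ent = NULL;` uses a reserved identifier — names beginning with two underscores belong to the C implementation, so this can collide with the Tru64 headers it sits next to — and it has external linkage although, as far as this patch shows, it is only read from the two functions in auth-sia.c. I would declare it `static SIAENTITY *sia_ent = NULL;` and rename the references, unless something outside this file (auth-sia.h, session.c) needs it, which I cannot see from here. Because the pointer now carries authentication state between functions, a one-line ownership comment above it would help: `/* SIA session entity: created by auth_sia_password on a successful sia_ses_authent, consumed and released by session_setup_sia. */`.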
***************
*** 34,51 ****
  	if (!user || !pass)
  		return(0);
  
! 	if (sia_ses_init(&ent, saved_argc, saved_argv, host, user, NULL, 0,
  	    NULL) != SIASUCCESS)
  		return(0);
  
! 	if ((ret = sia_ses_authent(NULL, pass, ent)) != SIASUCCESS) {
  		error("couldn't authenticate %s from %s", user, host);
  		if (ret & SIASTOP)
! 			sia_ses_release(&ent);
  		return(0);
  	}
  
- 	sia_ses_release(&ent);
  
  	return(1);
  }
--- 34,50 ----
  	if (!user || !pass)
  		return(0);
  
! 	if (sia_ses_init(&__sia_ent, saved_argc, saved_argv, host, user, NULL, 0,
  	    NULL) != SIASUCCESS)
  		return(0);
  
! 	if ((ret = sia_ses_authent(NULL, pass, __sia_ent)) != SIASUCCESS) {
  		error("couldn't authenticate %s from %s", user, host);
  		if (ret & SIASTOP)
! 			sia_ses_release(&__sia_ent);
  		return(0);
  	}
  
  
  	return(1);
  }
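Review bot: With the entity now global, the failure path at `if (ret & SIASTOP) sia_ses_release(&__sia_ent);` leaves `__sia_ent` allocated and non-NULL whenever sia_ses_authent fails without SIASTOP, so the next password attempt on the same connection calls `sia_ses_init(&__sia_ent, ...)` with a live entity still in the pointer — at best a leak per failed attempt, at worst an entity carrying state from the wrong attempt if that init then fails and the function returns 0 early. The original code had the same skipped release, but there the pointer was a local and simply went out of scope. I would reset the slot before every init: `if (__sia_ent != NULL) sia_ses_release(&__sia_ent);` placed just before the `sia_ses_init` call, which also makes the "initialization only happens once" claim in the cover letter hold for retries.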
***************
*** 55,84 ****
  {
  	int ret;
  	struct passwd *pw;
! 	SIAENTITY *ent = NULL;
  	const char *host;
  
  	host = get_canonical_hostname (options.reverse_mapping_check);
  
- 	if (sia_ses_init(&ent, saved_argc, saved_argv, host, user, tty, 0,
- 	    NULL) != SIASUCCESS) {
- 		error("sia_ses_init failed");
- 		exit(1);
- 	}
- 
  	if ((pw = getpwnam(user)) == NULL) {
! 		sia_ses_release(&ent);
  		error("getpwnam(%s) failed: %s", user, strerror(errno));
  		exit(1);
  	}
! 	if (sia_make_entity_pwd(pw, ent) != SIASUCCESS) {
! 		sia_ses_release(&ent);
  		error("sia_make_entity_pwd failed");
  		exit(1);
  	}
  
! 	ent->authtype = SIA_A_NONE;
! 	if (sia_ses_estab(sia_collect_trm, ent) != SIASUCCESS) {
  		error("couldn't establish session for %s from %s", user,
  		    host);
  		exit(1);
--- 54,77 ----
  {
  	int ret;
  	struct passwd *pw;
! 	/* SIAENTITY *__sia_ent = NULL; */
  	const char *host;
  
  	host = get_canonical_hostname (options.reverse_mapping_check);
  
  	if ((pw = getpwnam(user)) == NULL) {
! 		sia_ses_release(&__sia_ent);
  		error("getpwnam(%s) failed: %s", user, strerror(errno));
  		exit(1);
  	}
! 	if (sia_make_entity_pwd(pw, __sia_ent) != SIASUCCESS) {
! 		sia_ses_release(&__sia_ent);
  		error("sia_make_entity_pwd failed");
  		exit(1);
  	}
  
! 	__sia_ent->authtype = SIA_A_NONE;
! 	if (sia_ses_estab(sia_collect_trm, __sia_ent) != SIASUCCESS) {
  		error("couldn't establish session for %s from %s", user,
  		    host);
  		exit(1);
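Review bot: Removing the `sia_ses_init` call means `session_setup_sia` now assumes `__sia_ent` was populated by an earlier successful `auth_sia_password`; for a user who authenticated any other way (public key, for instance) the pointer is still NULL, so `sia_make_entity_pwd(pw, __sia_ent)` and then `__sia_ent->authtype = SIA_A_NONE;` dereference NULL in the session-setup code — assuming sshd still calls this function for every session regardless of the authentication method, which I would expect but cannot confirm from this hunk. The commented-out declaration `/* SIAENTITY *__sia_ent = NULL; */` should simply be deleted rather than left in place. I would keep a fallback initialization for the not-yet-initialized case rather than drop it entirely; the function's signature is above this hunk and its body continues in the next one.
```c
	host = get_canonical_hostname (options.reverse_mapping_check);

	/* Only auth_sia_password creates the entity; users authenticated by any
	 * other method arrive here with __sia_ent still NULL, so create it now. */
	if (__sia_ent == NULL &&
	    sia_ses_init(&__sia_ent, saved_argc, saved_argv, host, user, tty, 0,
	    NULL) != SIASUCCESS) {
		error("sia_ses_init failed");
		exit(1);
	}
	/* … unchanged: getpwnam / sia_make_entity_pwd / sia_ses_estab … */
```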
***************
*** 85,106 ****
  	}
  
  	if (setpriority(PRIO_PROCESS, 0, 0) == -1) {
! 		sia_ses_release(&ent);
  		error("setpriority failed: %s", strerror (errno));
  		exit(1);
  	}
  
! 	if (sia_ses_launch(sia_collect_trm, ent) != SIASUCCESS) {
  		error("couldn't launch session for %s from %s", user, host);
  		exit(1);
  	}
  	
! 	sia_ses_release(&ent);
  
  	if (setreuid(geteuid(), geteuid()) < 0) {
  		error("setreuid failed: %s", strerror (errno));
  		exit(1);
  	}
  }
  
  #endif /* HAVE_OSF_SIA */
--- 78,100 ----
  	}
  
  	if (setpriority(PRIO_PROCESS, 0, 0) == -1) {
! 		sia_ses_release(&__sia_ent);
  		error("setpriority failed: %s", strerror (errno));
  		exit(1);
  	}
  
! 	if (sia_ses_launch(sia_collect_trm, __sia_ent) != SIASUCCESS) {
  		error("couldn't launch session for %s from %s", user, host);
  		exit(1);
  	}
  	
! 	sia_ses_release(&__sia_ent);
  
  	if (setreuid(geteuid(), geteuid()) < 0) {
  		error("setreuid failed: %s", strerror (errno));
  		exit(1);
  	}
+ 	sia_ses_release(&__sia_ent);
  }
  
  #endif /* HAVE_OSF_SIA */
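Review bot: The entity is now released twice on the success path — once at the existing `sia_ses_release(&__sia_ent);` after `sia_ses_launch`, and again at the newly added `+ 	sia_ses_release(&__sia_ent);` after `setreuid` — which contradicts the cover letter's "the session is only released once". Whether this is harmless depends on `sia_ses_release` setting `*entity` to NULL and tolerating a NULL entity on the second call; if it does not, this is a double free of the SIAENTITY in the privileged session-setup path. Keep exactly one of the two calls; the first one already sits after the launch call that the Kerberos/AFS module needs the entity for, so the added trailing release looks like the one to drop.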


