OSF_SIA bug in 2.3.0p1

Chris Adams cmadams at hiwaay.net
Tue Feb 13 04:22:24 EST 2001


Once upon a time, Mike Battersby <mib at unimelb.edu.au> said:
> Is anyone maintaining the OSF_SIA support in openssh? This seems to be an
> obvious bug triggered if you try to connect as a non-existent user.

Well, I wrote the current code, and yeah, I missed that.

> From auth1.c line 459
> 
> #elif defined(HAVE_OSF_SIA)
>             (sia_validate_user(NULL, saved_argc, saved_argv, 
>             get_canonical_hostname(), pw->pw_name, NULL, 0, 
>                  NULL, "") == SIASUCCESS)) {
> #else /* !HAVE_OSF_SIA && !USE_PAM */
> 
> At this stage pw could be NULL so obviously pw->pw_name isn't a valid 
> thing to do.  Should this just be 'user'?  I'm not even 100% sure of the 
> validity of passing NULL as collect function (acceptable in 4.0g manpage,
> not mentioned in 4.0d manpage).

The 4.0F manpage says collect can be NULL, but I've read in other places
it is a bad idea, and found out why.

Someone already did a "quick fix" to CVS on the first problem.  Here is
a patch against CVS that fixes the collect problem as well as some other
things (like not really blocking locked and expired accounts and not
returning the correct messages to the user).

This patch pulls the SIA stuff out into a separate file that provides
two functions: one to check the username/password and one to setup a
session.

There may still be a problem with information going back to the user.
Someone reported to me that on Tru64 5.1, the last login times are
printed when connecting to an account that is locked.  It doesn't happen
under 4.0F, so I haven't been able to track down what is happening
(don't have 5.x installed here yet - CDs are still on the bookshelf).
-- 
Chris Adams <cmadams at hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.


diff -urN openssh_cvs/Makefile.in openssh/Makefile.in
--- openssh_cvs/Makefile.in	Fri Feb  9 07:40:03 2001
+++ openssh/Makefile.in	Mon Feb 12 11:19:30 2001
@@ -48,7 +48,7 @@
 
 SSHOBJS= ssh.o sshconnect.o sshconnect1.o sshconnect2.o log-client.o readconf.o clientloop.o
 
-SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth-chall.o auth2-chall.o auth-rhosts.o auth-options.o auth-krb4.o auth-pam.o auth2-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o dh.o pty.o log-server.o login.o loginrec.o servconf.o serverloop.o md5crypt.o session.o groupaccess.o
+SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth-chall.o auth2-chall.o auth-rhosts.o auth-options.o auth-krb4.o auth-pam.o auth2-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o auth-sia.o dh.o pty.o log-server.o login.o loginrec.o servconf.o serverloop.o md5crypt.o session.o groupaccess.o
 
 TROFFMAN	= scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1
 CATMAN		= scp.0 ssh-add.0 ssh-agent.0 ssh-keygen.0 ssh-keyscan.0 ssh.0 sshd.0 sftp-server.0 sftp.0
diff -urN openssh_cvs/auth-sia.c openssh/auth-sia.c
--- openssh_cvs/auth-sia.c	Wed Dec 31 18:00:00 1969
+++ openssh/auth-sia.c	Mon Feb 12 11:20:03 2001
@@ -0,0 +1,106 @@
+#include "includes.h"
+
+#ifdef HAVE_OSF_SIA
+#include "ssh.h"
+#include "auth-sia.h"
+#include "log.h"
+#include "servconf.h"
+#include "canohost.h"
+
+#include <sia.h>
+#include <siad.h>
+#include <pwd.h>
+#include <signal.h>
+#include <setjmp.h>
+#include <sys/resource.h>
+#include <unistd.h>
+#include <string.h>
+
+extern ServerOptions options;
+extern int saved_argc;
+extern char **saved_argv;
+
+extern int errno;
+
+int
+auth_sia_password (user, pass)
+	char *user;
+	char *pass;
+{
+	int ret;
+	SIAENTITY *ent = NULL;
+	const char *host
+	    = get_canonical_hostname (options.reverse_mapping_check);
+
+	if (! user || ! pass)
+		return 0;
+
+	if (sia_ses_init (&ent, saved_argc, saved_argv, host, user, NULL, 0,
+	    NULL) != SIASUCCESS)
+		return 0;
+
+	if ((ret = sia_ses_authent (NULL, pass, ent)) != SIASUCCESS) {
+		error ("couldn't authenticate %s from %s", user, host);
+		if (ret & SIASTOP)
+			sia_ses_release (&ent);
+		return 0;
+	}
+
+	sia_ses_release (&ent);
+
+	return 1;
+}
+
+int
+session_setup_sia (user, tty)
+	char *user;
+	char *tty;
+{
+	int ret;
+	struct passwd *pw;
+	SIAENTITY *ent = NULL;
+	const char *host
+	    = get_canonical_hostname (options.reverse_mapping_check);
+
+	if (sia_ses_init (&ent, saved_argc, saved_argv, host, user, tty, 0,
+	    NULL) != SIASUCCESS)
+		return 0;
+
+	if ((pw = getpwnam (user)) == NULL) {
+		error ("getpwnam(%s) failed", user);
+		sia_ses_release (&ent);
+		return 0;
+	}
+	if (sia_make_entity_pwd (pw, ent) != SIASUCCESS) {
+		sia_ses_release (&ent);
+		return 0;
+	}
+
+	ent->authtype = SIA_A_NONE;
+	if (sia_ses_estab (sia_collect_trm, ent) != SIASUCCESS) {
+		error ("couldn't establish session for %s from %s", user,
+		    host);
+		return 0;
+	}
+
+	if (setpriority (PRIO_PROCESS, 0, 0) == -1) {
+		error ("setpriority failed: %s", strerror (errno));
+		sia_ses_release (&ent);
+		return 0;
+	}
+
+	if (sia_ses_launch (sia_collect_trm, ent) != SIASUCCESS) {
+		error ("couldn't launch session for %s from %s", user, host);
+		return 0;
+	}
+	sia_ses_release (&ent);
+
+	if (setreuid(geteuid(), geteuid()) < 0) {
+		error ("setreuid failed: %s", strerror (errno));
+		return 0;
+	}
+
+	return 1;
+}
+
+#endif /* HAVE_OSF_SIA */
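Review bot: `extern int errno;` (declared right after the `saved_argv` extern) should be `#include <errno.h>`; on Tru64 builds with thread support errno is commonly a macro rather than a plain int object, so the hand-written extern may bind to a global that the C library no longer updates and `strerror(errno)` in session_setup_sia would then report a stale value. The `sia_ses_estab` and `sia_ses_launch` failure paths in session_setup_sia return 0 without `sia_ses_release(&ent)`, unlike the getpwnam, sia_make_entity_pwd and setpriority paths in the same function; unless SIA releases the entity itself on those failures, the entity leaks, so either add the release or leave a comment explaining why it is omitted. Both functions are new public entry points and carry no header comment; a one-liner stating the contract, e.g. `/* Returns 1 when SIA accepts user/pass, 0 on any failure (NULL arguments included). */` above auth_sia_password and the equivalent above session_setup_sia, would help the callers in auth1.c, auth2.c and session.c.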
diff -urN openssh_cvs/auth-sia.h openssh/auth-sia.h
--- openssh_cvs/auth-sia.h	Wed Dec 31 18:00:00 1969
+++ openssh/auth-sia.h	Mon Feb 12 11:19:30 2001
@@ -0,0 +1,8 @@
+#include "includes.h"
+
+#ifdef HAVE_OSF_SIA
+
+int	auth_sia_password(char *user, char *pass);
+int	session_setup_sia(char *user, char *tty);
+
+#endif /* HAVE_OSF_SIA */
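Review bot: auth-sia.h has no include guard, unlike the project's other headers; wrap the file in `#ifndef AUTH_SIA_H` / `#define AUTH_SIA_H` / `#endif` so a second inclusion in one translation unit is harmless and the header matches local convention. The two prototypes would also benefit from a one-line comment each stating that they return 1 on success and 0 on failure, which is the contract auth1.c's `authenticated = auth_sia_password(...)` and session.c's `!= 1` check depend on.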
diff -urN openssh_cvs/auth1.c openssh/auth1.c
--- openssh_cvs/auth1.c	Mon Feb 12 01:02:24 2001
+++ openssh/auth1.c	Mon Feb 12 11:19:30 2001
@@ -12,11 +12,6 @@
 #include "includes.h"
 RCSID("$OpenBSD: auth1.c,v 1.15 2001/02/07 22:35:45 markus Exp $");
 
-#ifdef HAVE_OSF_SIA
-# include <sia.h>
-# include <siad.h>
-#endif
-
 #include "xmalloc.h"
 #include "rsa.h"
 #include "ssh1.h"
@@ -36,10 +31,6 @@
 #ifdef WITH_AIXAUTHENTICATE
 extern char *aixloginmsg;
 #endif /* WITH_AIXAUTHENTICATE */
-#ifdef HAVE_OSF_SIA
-extern int saved_argc;
-extern char **saved_argv;
-#endif /* HAVE_OSF_SIA */
 
 /*
  * convert ssh auth msg type into description
@@ -98,6 +89,8 @@
 #endif
 #ifdef USE_PAM
 	    auth_pam_password(pw, password)) {
+#elif defined(HAVE_OSF_SIA)
+	    0) {
 #else
 	    auth_password(pw, "")) {
 #endif
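Review bot: The bare `0) {` added for the HAVE_OSF_SIA case reads like a typo without a comment; it deliberately disables the "accept an empty password without authentication" shortcut so that every SIA login goes through sia_ses_authent, which the cover note says is what blocks locked and expired accounts, and the line should say so, e.g. `/* SIA: never short-circuit on an empty password; sia_ses_authent checks account state */`. The same comment belongs on the `return 0;` added in auth2.c's hunk at `@@ -346,10 +337,7 @@`. The enclosing function starts before this hunk.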
@@ -265,11 +258,7 @@
 			authenticated = auth_pam_password(pw, password);
 #elif defined(HAVE_OSF_SIA)
 			/* Do SIA auth with password */
-			if (sia_validate_user(NULL, saved_argc, saved_argv,
-			    get_canonical_hostname(options.reverse_mapping_check),
-			    authctxt->user?authctxt->user:"NOUSER", NULL, 
-			    0, NULL, password) == SIASUCCESS)
-				authenticated = 1;
+			authenticated = auth_sia_password(authctxt->user, password);
 #else /* !USE_PAM && !HAVE_OSF_SIA */
 			/* Try authentication with the password. */
 			authenticated = auth_password(pw, password);
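Review bot: `auth_sia_password` is called here without a prototype in scope: auth1.c's include hunk (`@@ -12,11 +12,6 @@`) removes the `<sia.h>`/`<siad.h>` includes but no hunk in this patch adds `#include "auth-sia.h"`, so the compiler falls back to an implicit `int auth_sia_password()` declaration. That happens to work because the function returns int and takes pointer arguments, but the call is unchecked and any later signature change would go unnoticed; add `#include "auth-sia.h"` next to the other local includes. The same applies to auth2.c (its include hunk and the call in `@@ -374,10 +362,7 @@`) and to session.c's session_setup_sia call. The enclosing function starts before this hunk.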
diff -urN openssh_cvs/auth2.c openssh/auth2.c
--- openssh_cvs/auth2.c	Sat Feb 10 15:31:53 2001
+++ openssh/auth2.c	Mon Feb 12 11:19:30 2001
@@ -25,11 +25,6 @@
 #include "includes.h"
 RCSID("$OpenBSD: auth2.c,v 1.40 2001/02/10 12:52:02 markus Exp $");
 
-#ifdef HAVE_OSF_SIA
-# include <sia.h>
-# include <siad.h>
-#endif
-
 #include <openssl/evp.h>
 
 #include "ssh2.h"
@@ -61,10 +56,6 @@
 #ifdef WITH_AIXAUTHENTICATE
 extern char *aixloginmsg;
 #endif
-#ifdef HAVE_OSF_SIA
-extern int saved_argc;
-extern char **saved_argv;
-#endif
 
 static Authctxt	*x_authctxt = NULL;
 static int one = 1;
@@ -346,10 +337,7 @@
 #ifdef USE_PAM
 	return auth_pam_password(authctxt->pw, "");
 #elif defined(HAVE_OSF_SIA)
-	return (sia_validate_user(NULL, saved_argc, saved_argv,
-	    get_canonical_hostname(options.reverse_mapping_check),
-	    authctxt->user?authctxt->user:"NOUSER", NULL, 0,
-	    NULL, "") == SIASUCCESS);
+	return 0;
 #else /* !HAVE_OSF_SIA && !USE_PAM */
 	return auth_password(authctxt->pw, "");
 #endif /* USE_PAM */
@@ -374,10 +362,7 @@
 #ifdef USE_PAM
 	    auth_pam_password(authctxt->pw, password) == 1)
 #elif defined(HAVE_OSF_SIA)
-	    sia_validate_user(NULL, saved_argc, saved_argv,
-	    get_canonical_hostname(options.reverse_mapping_check),
-	    authctxt->user?authctxt->user:"NOUSER", NULL, 0, NULL,
-	    password) == SIASUCCESS)
+	    auth_sia_password(authctxt->user, password) == 1)
 #else /* !USE_PAM && !HAVE_OSF_SIA */
 	    auth_password(authctxt->pw, password) == 1)
 #endif /* USE_PAM */
diff -urN openssh_cvs/session.c openssh/session.c
--- openssh_cvs/session.c	Mon Feb 12 11:06:02 2001
+++ openssh/session.c	Mon Feb 12 11:19:30 2001
@@ -72,11 +72,6 @@
 #include <usersec.h>
 #endif
 
-#ifdef HAVE_OSF_SIA
-# include <sia.h>
-# include <siad.h>
-#endif
-
 #ifdef HAVE_CYGWIN
 #include <windows.h>
 #include <sys/cygwin.h>
@@ -1060,21 +1055,9 @@
 	   switch, so we let login(1) to this for us. */
 	if (!options.use_login) {
 #ifdef HAVE_OSF_SIA
-		extern char **saved_argv;
-		extern int saved_argc;
-		char *host = get_canonical_hostname(options.reverse_mapping_check);
-
-		if (sia_become_user(NULL, saved_argc, saved_argv, host,
-		    pw->pw_name, ttyname, 0, NULL, NULL, SIA_BEU_SETLUID) !=
-		    SIASUCCESS) {
-			perror("sia_become_user");
-			exit(1);
-		}
-		if (setreuid(geteuid(), geteuid()) < 0) {
-			perror("setreuid");
-			exit(1);
-		}
 #else /* HAVE_OSF_SIA */
+		if (session_setup_sia(pw->pw_name, ttyname) != 1)
+			exit(1);
 #ifdef HAVE_CYGWIN
 		if (is_winnt) {
 #else
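Review bot: The `session_setup_sia` call is inserted after the `#else /* HAVE_OSF_SIA */` line, i.e. into the non-SIA branch: on Tru64 the `#ifdef HAVE_OSF_SIA` arm is now empty and the SIA session is never established, while on every other platform the call references a function that is only compiled under HAVE_OSF_SIA and will fail to link. Move the two added lines above the `#else` so the block reads `#ifdef HAVE_OSF_SIA` / `if (session_setup_sia(pw->pw_name, ttyname) != 1)` / `exit(1);` / `#else /* HAVE_OSF_SIA */`. The removed `sia_become_user` call passed `SIA_BEU_SETLUID`; whether the new `sia_ses_launch` path sets the login UID equivalently is not visible here and is worth confirming, since that is the audit-identity step. The enclosing function continues outside the hunk on both sides.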




