Regarding PAM_TTY_KLUDGE and Solaris 8...

Ed Phillips ed at UDel.Edu
Fri Oct 26 07:28:56 EST 2001


On Thu, 25 Oct 2001, Nicolas Williams wrote:

> Again, it is not ok to just go on if pam_acct_mgmt() returns
> PAM_NEW_AUTHTOK_REQD -- pam_chauthtok() must be called *and* it must
> return PAM_SUCCESS or the session must be ended.

I agree.

The more I look at how other applications use pam_open_session() the more
I think it's okay to go ahead and set PAM_TTY to something like "sshdXXXX"
(where XXXX is the pid) for non-interactive sessions.  And, we should call
pam_open_session() no matter what mode we're in.

However, I think a change should be made so that pam_chauthtok() is not
called if we don't have a real TTY.

Attached is a simple patch for 2.9.9p2 for someone who has time to test it
before I can (tomorrow).  It will (hopefully) make sshd set PAM_TTY no
matter what (we might #ifdef this for Solaris if it breaks other OSes...
???), and make sshd "fail" instead of trying to call pam_chauthtok() when
we don't have a real tty (although if we had a DISPLAY we might try
running ssh-askpass?).  Is there anything I'm missing?

	Ed

Ed Phillips <ed at udel.edu> University of Delaware (302) 831-6082
Systems Programmer III, Network and Systems Services
finger -l ed at polycut.nss.udel.edu for PGP public key
-------------- next part --------------
*** auth-pam.c_orig	Thu Oct 25 16:57:38 2001
--- auth-pam.c	Thu Oct 25 17:15:34 2001
***************
*** 58,63 ****
--- 58,65 ----
  static int password_change_required = 0;
  /* remember whether the last pam_authenticate() succeeded or not */
  static int was_authenticated = 0;
+ /* remember whether we have a real TTY for this session */
+ static int have_real_tty = 0;
  
  /* Remember what has been initialised */
  static int session_opened = 0;
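Review bot: `have_real_tty` is zero-initialised and only ever assigned inside do_pam_session(), so any caller that reaches do_pam_chauthtok() before do_pam_session() has run will see "no TTY" regardless of whether one exists. Either state that ordering requirement in the comment (e.g. "set by do_pam_session(); meaningless before it runs") or initialise the flag at the point where the ttyname is first known, so the chauthtok decision does not silently depend on call order.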
***************
*** 269,274 ****
--- 271,277 ----
  void do_pam_session(char *username, const char *ttyname)
  {
  	int pam_retval;
+ 	char ttyfake[50];
  
  	do_pam_set_conv(&conv);
  
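Review bot: `ttyfake` is used only in the else branch further down and its size, 50, is a bare magic number; declare the buffer where it is used and pass sizeof(ttyfake) to the formatting call so the buffer length and the `%.50s` in the debug message cannot drift apart.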
***************
*** 278,283 ****
--- 281,295 ----
  		if (pam_retval != PAM_SUCCESS)
  			fatal("PAM set tty failed[%d]: %.200s",
  			    pam_retval, PAM_STRERROR(__pamh, pam_retval));
+ 		have_real_tty = 1;
+ 	} else {
+ 		sprintf(ttyfake, "sshd%ld", getpid());
+ 		debug("PAM setting tty to \"%.50s\"", ttyfake);
+ 		pam_retval = pam_set_item(__pamh, PAM_TTY, ttyfake);
+ 		if (pam_retval != PAM_SUCCESS)
+ 			fatal("PAM set tty failed[%d]: %.200s",
+ 			    pam_retval, PAM_STRERROR(__pamh, pam_retval));
+ 		have_real_tty = 0;
  	}
  
  	pam_retval = pam_open_session(__pamh, 0);
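Review bot: `sprintf(ttyfake, "sshd%ld", getpid());` hands a pid_t to a %ld conversion without a cast, which is undefined on platforms where pid_t is not long; write it as `snprintf(ttyfake, sizeof(ttyfake), "sshd%ld", (long)getpid());` (portable OpenSSH carries an snprintf replacement for systems that lack one, so there is no portability cost). The two pam_set_item() calls with identical fatal() handling can be collapsed: choose the value (`ttyname` or `ttyfake`) into one pointer, set PAM_TTY once, then set have_real_tty from the same condition, which keeps the branches from diverging later. Worth a line in the comment as well: PAM modules that record PAM_TTY (lastlog, utmp/wtmp, audit trails) will now see "sshdNNNN" for non-interactive sessions instead of no tty, and operators reading those records should expect that.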
***************
*** 329,338 ****
  
  	if (password_change_required) {
  		pamstate = OTHER;
! 		pam_retval = pam_chauthtok(__pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
! 		if (pam_retval != PAM_SUCCESS)
! 			fatal("PAM pam_chauthtok failed[%d]: %.200s",
! 			    pam_retval, PAM_STRERROR(__pamh, pam_retval));
  	}
  }
  
--- 341,355 ----
  
  	if (password_change_required) {
  		pamstate = OTHER;
! 		if (have_real_tty) {
! 			pam_retval = pam_chauthtok(__pamh,
! 				PAM_CHANGE_EXPIRED_AUTHTOK);
! 			if (pam_retval != PAM_SUCCESS)
! 				fatal("PAM pam_chauthtok failed[%d]: %.200s",
! 				    pam_retval, PAM_STRERROR(__pamh, pam_retval));
! 		} else {
! 			fatal("Can't call pam_chauthtok: no TTY");
! 		}
  	}
  }
  
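Review bot: `fatal("Can't call pam_chauthtok: no TTY");` does end the session as Nicolas requires, but the message only reaches sshd's log; the remote user gets an unexplained disconnect with no hint that the account's password has expired. Include the user name in the message, as the neighbouring fatal()s include PAM's own error string, and where the conversation function is usable consider sending a one-line explanation through it before calling fatal(). Separately, `pamstate = OTHER;` is now also set on a path that never calls into PAM; that is harmless but misleading, so move it inside the have_real_tty branch next to the pam_chauthtok() call it is there for.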
***************
*** 366,373 ****
  	if (pam_retval != PAM_SUCCESS)
  		fatal("PAM set rhost failed[%d]: %.200s", pam_retval,
  		    PAM_STRERROR(__pamh, pam_retval));
! #ifdef PAM_TTY_KLUDGE
  	/*
  	 * Some PAM modules (e.g. pam_time) require a TTY to operate,
  	 * and will fail in various stupid ways if they don't get one.
  	 * sshd doesn't set the tty until too late in the auth process and may
--- 383,396 ----
  	if (pam_retval != PAM_SUCCESS)
  		fatal("PAM set rhost failed[%d]: %.200s", pam_retval,
  		    PAM_STRERROR(__pamh, pam_retval));
! 
  	/*
+ 	 * Let do_pam_session decide whether or not to include a "dummy"
+ 	 * PAM_TTY in the PAM handle or not. ELP 10/25/2001
+ 	 */
+ 
+ #ifdef xPAM_TTY_KLUDGE
+ 	/*
  	 * Some PAM modules (e.g. pam_time) require a TTY to operate,
  	 * and will fail in various stupid ways if they don't get one.
  	 * sshd doesn't set the tty until too late in the auth process and may
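Review bot: renaming the guard to `#ifdef xPAM_TTY_KLUDGE` is an ad-hoc way to disable the block: the dead code stays in the file, and a build configured with -DPAM_TTY_KLUDGE silently stops getting the behaviour it asked for, with no warning. Either delete the block outright or leave the #ifdef intact and gate the new do_pam_session() path on its own condition. The new comment also contradicts the rationale the kludge's own comment gives three lines further down: it exists because "sshd doesn't set the tty until too late in the auth process", i.e. modules such as pam_time want PAM_TTY during pam_authenticate()/pam_acct_mgmt(); moving the dummy value into do_pam_session(), which runs after authentication, loses exactly that. Minor: "whether or not to include ... or not" is doubled, and the "ELP 10/25/2001" tag belongs in the change log rather than the source.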
***************
*** 378,384 ****
  	if (pam_retval != PAM_SUCCESS)
  		fatal("PAM set tty failed[%d]: %.200s",
  		    pam_retval, PAM_STRERROR(__pamh, pam_retval));
! #endif /* PAM_TTY_KLUDGE */
  
  	fatal_add_cleanup(&do_pam_cleanup_proc, NULL);
  }
--- 401,407 ----
  	if (pam_retval != PAM_SUCCESS)
  		fatal("PAM set tty failed[%d]: %.200s",
  		    pam_retval, PAM_STRERROR(__pamh, pam_retval));
! #endif /* xPAM_TTY_KLUDGE */
  
  	fatal_add_cleanup(&do_pam_cleanup_proc, NULL);
  }
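Review bot: `#endif /* xPAM_TTY_KLUDGE */` only tracks the renamed guard above; if the block is removed rather than renamed, as suggested for the previous hunk, this #endif goes with it. Nothing else changes in this hunk.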
