HP-UX PAM with Trusted System patch

Dan Wanek dwanek at dexter.it-ias.depaul.edu
Tue Jul 16 23:25:09 EST 2002


I'm fairly new to the list and new to submitting patches.  Can someone
please verify the attached patch for running an HP-UX Trusted System with
PAM and OpenSSH 3.4p1?  The problem seemed to be that pam couldn't verify
the user via __pamh after the call to permanently_set_uid in session.c.
So I called do_pam_session prior to the call and added a function
do_pam_set_tty in order to set the tty after allocation.

--
Dan Wanek

-------------- next part --------------
diff -u -r openssh-3.4p1/auth-pam.c openssh-3.4p1-dw/auth-pam.c
--- openssh-3.4p1/auth-pam.c	Tue May  7 21:27:56 2002
+++ openssh-3.4p1-dw/auth-pam.c	Tue Jul 16 07:54:05 2002
@@ -294,6 +294,18 @@
 	session_opened = 1;
 }
 
+/* Set the TTY after session is open */
+void do_pam_set_tty(const char *ttyname) {
+	int pam_retval;
+	if (ttyname != NULL) {
+		debug("PAM setting tty to \"%.200s\"", ttyname);
+		pam_retval = pam_set_item(__pamh, PAM_TTY, ttyname);
+		if (pam_retval != PAM_SUCCESS)
+			fatal("PAM set tty failed[%d]: %.200s",
+			    pam_retval, PAM_STRERROR(__pamh, pam_retval));
+	}
+}
+
 /* Set PAM credentials */
 void do_pam_setcred(int init)
 {
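Review bot: do_pam_set_tty stores PAM_TTY only after the session has already been opened (its call site in the session.c do_exec_pty hunk replaces a do_pam_session call that passed s->tty), so any session module that consults PAM_TTY inside pam_open_session — tty-based access control or session accounting — now runs with no tty item set; whether those modules still need it should be confirmed before this ordering is accepted. The header comment should say what a late PAM_TTY is for, e.g. `/* Record the allocated tty on the PAM handle. The session is already open, so only operations after this point (setcred, close_session) can see the item. */`. Style: the definition's opening brace sits on the signature line, whereas the neighbouring do_pam_setcred puts it on its own line; `void do_pam_set_tty(const char *ttyname)` followed by `{` would match the file.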
Only in openssh-3.4p1-dw: auth-pam.c.orig
diff -u -r openssh-3.4p1/auth-pam.h openssh-3.4p1-dw/auth-pam.h
--- openssh-3.4p1/auth-pam.h	Thu Apr  4 13:02:28 2002
+++ openssh-3.4p1-dw/auth-pam.h	Tue Jul 16 07:54:05 2002
@@ -12,6 +12,7 @@
 int do_pam_authenticate(int flags);
 int do_pam_account(char *username, char *remote_user);
 void do_pam_session(char *username, const char *ttyname);
+void do_pam_set_tty(const char *ttyname);
 void do_pam_setcred(int init);
 void print_pam_messages(void);
 int is_pam_password_change_required(void);
Only in openssh-3.4p1-dw: auth-pam.h.orig
diff -u -r openssh-3.4p1/session.c openssh-3.4p1-dw/session.c
--- openssh-3.4p1/session.c	Wed Jun 26 08:51:06 2002
+++ openssh-3.4p1-dw/session.c	Tue Jul 16 07:54:06 2002
@@ -461,7 +461,6 @@
 	session_proctitle(s);
 
 #if defined(USE_PAM)
-	do_pam_session(s->pw->pw_name, NULL);
 	do_pam_setcred(1);
 	if (is_pam_password_change_required())
 		packet_disconnect("Password change required but no "
@@ -579,7 +578,7 @@
 	ttyfd = s->ttyfd;
 
 #if defined(USE_PAM)
-	do_pam_session(s->pw->pw_name, s->tty);
+	do_pam_set_tty(s->tty);
 	do_pam_setcred(1);
 #endif
 
@@ -1204,6 +1203,13 @@
 		 * Reestablish them here.
 		 */
 		do_pam_setcred(0);
+
+		/*
+		 * We need to open the session here because PAM on HP-UX does not
+		 * work after the call to permanently_set_uid.
+		 */
+		do_pam_session(pw->pw_name,NULL);
+
 # endif /* USE_PAM */
 # if defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY)
 		irix_setusercontext(pw);
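Review bot: The added `do_pam_session(pw->pw_name,NULL);` runs in every USE_PAM build, not only on HP-UX, although the comment justifies it solely by HP-UX behaviour; and judging by the surrounding setcred/irix_setusercontext calls the enclosing function (which starts and ends outside the hunk) appears to execute in the forked child — if so, `session_opened` is set only in the child's copy of auth-pam.c state and a pam_close_session done by the parent at cleanup would never fire, leaving the session half-lived for modules that expect the open/close pair; please confirm. The session is also now opened with a NULL tty on both the pty and no-pty paths, which is the PAM_TTY ordering issue raised on the auth-pam.c hunk. The comment should record these consequences as well as the motivation, e.g. `/* Open the PAM session before the uid is dropped: on HP-UX pam_open_session fails after permanently_set_uid. Note this applies to all PAM builds and moves the open out of do_exec_{no_,}pty. */`. Style: the call lacks the space after the comma used throughout the file, `do_pam_session(pw->pw_name, NULL);`.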
Only in openssh-3.4p1-dw: session.c.orig

