No TTY prealloc; Tru64 can't do post-auth privsep

Ben Lindstrom mouring at etoh.eviladmin.org
Sat Jun 29 01:00:07 EST 2002


>
> For general info on the SIA architecture (which is kind of like PAM):
>
> http://www.tru64unix.compaq.com/docs/base_doc/DOCUMENTATION/V51A_HTML/ARH95DTE/CSPRGXXX.HTM
>
Ok.. This explains a lot.  It looks and smells a lot like BSD_AUTH or PAM.
So maybe this whole hell will go away if we treat it like BSD_AUTH/PAM by
privsepifying it.  Since it seems to be updating kernel tables, not
inserting stuff into the actual login session.

Can you try this patch and make note of the one XXX question in
auth-sia.c.

Index: auth-sia.c
===================================================================
RCS file: /var/cvs/openssh/auth-sia.c,v
retrieving revision 1.7
diff -u -r1.7 auth-sia.c
--- auth-sia.c	12 Apr 2002 15:36:08 -0000	1.7
+++ auth-sia.c	28 Jun 2002 15:05:28 -0000
@@ -77,7 +77,7 @@
 }

 void
-session_setup_sia(char *user, char *tty)
+setup_sia(char *user, char *tty)
 {
 	struct passwd *pw;
 	SIAENTITY *ent = NULL;
@@ -116,6 +116,7 @@

 	sia_ses_release(&ent);

+	/* XXX: Should this be be around a if (!use_privsep) ? */
 	if (setreuid(geteuid(), geteuid()) < 0) {
 		fatal("setreuid: %s", strerror(errno));
 	}
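Review bot: The added XXX comment leaves open the question it raises, and the patch itself determines part of the answer: with privsep on, setup_sia is now reached from mm_answer_setup_sia in the monitor, so this setreuid(geteuid(), geteuid()) runs in the monitor process rather than in the session child, and whether that is a no-op there depends on the monitor's uids, which this hunk does not show. The comment also has a doubled word; suggest `/* XXX: in privsep mode this now runs in the monitor -- should it be wrapped in if (!use_privsep)? */`. The caller side of the session_setup_sia -> setup_sia rename is not in this diff, so it is worth confirming that the old name has no remaining callers. setup_sia's body continues outside the hunk.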
Index: monitor.c
===================================================================
RCS file: /var/cvs/openssh/monitor.c,v
retrieving revision 1.22
diff -u -r1.22 monitor.c
--- monitor.c	27 Jun 2002 00:12:58 -0000	1.22
+++ monitor.c	28 Jun 2002 15:05:34 -0000
@@ -120,6 +120,10 @@
 int mm_answer_pam_start(int, Buffer *);
 #endif

+#ifdef HAVE_OSF_SIA
+int mm_answer_setup_sia(int, Buffer *);
+#endif
+
 static Authctxt *authctxt;
 static BIGNUM *ssh1_challenge = NULL;	/* used for ssh1 rsa auth */

@@ -154,6 +158,9 @@
     {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
     {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
     {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
+#ifdef HAVE_OSF_SIA
+    (MONITOR_REQ_SETUP_SIA, MON_ONCE, mm_answer_setup_sia),
+#endif
 #ifdef USE_PAM
     {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start},
 #endif
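Review bot: The new dispatch-table entry uses parentheses instead of braces, `(MONITOR_REQ_SETUP_SIA, MON_ONCE, mm_answer_setup_sia),`, which makes it a comma expression yielding a function pointer rather than a struct initializer; the neighbouring entries are brace-initialized, so this should be `{MONITOR_REQ_SETUP_SIA, MON_ONCE, mm_answer_setup_sia},`. The same mistake appears in the second table further down in this file (the hunk at @@ -196,6 +203,9 @@). Note that MON_ONCE will presumably cause the monitor to reject a second MONITOR_REQ_SETUP_SIA from the child, which seems to be the intended behaviour for session setup but is worth stating in a comment. Both tables start and end outside the hunk.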
@@ -196,6 +203,9 @@
     {MONITOR_REQ_SKEYQUERY, MON_ISAUTH, mm_answer_skeyquery},
     {MONITOR_REQ_SKEYRESPOND, MON_AUTH, mm_answer_skeyrespond},
 #endif
+#ifdef HAVE_OSF_SIA
+    (MONITOR_REQ_SETUP_SIA, MON_ONCE, mm_answer_setup_sia),
+#endif
 #ifdef USE_PAM
     {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start},
 #endif
@@ -716,6 +726,22 @@
 	auth_method = "skey";

 	return (authok != 0);
+}
+#endif
+
+#ifdef HAVE_OSF_SIA
+int
+mm_answer_setup_sia(int socket, Buffer *m)
+{
+	char *user, *tty;
+
+	user = buffer_get_string(m, NULL);
+	tty = buffer_get_string(m, NULL);
+
+	setup_sia(user, tty);
+
+	xfree(user);
+	xfree(tty);
 }
 #endif
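Review bot: mm_answer_setup_sia is declared `int` but falls off the end without a return; if the monitor's dispatch loop uses the handler's result, as the other mm_answer_* handlers suggest, that is undefined behaviour, so add `return (0);` after the two xfree calls (or whatever value the dispatcher expects for a non-authenticating request). Separately, the handler performs a privileged SIA session setup on a username and tty name supplied verbatim by the unprivileged child; since the monitor already holds the authenticated context in the file-scope `authctxt`, consider taking the user from `authctxt->user` instead of from the message, and validating the tty string before passing it on, so that a compromised child cannot set up a session for a different account. A short comment on the handler stating which side sends the request and that both strings originate from the child would also help. The function preceding this hunk is cut off at the top of the hunk.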

Index: monitor.h
===================================================================
RCS file: /var/cvs/openssh/monitor.h,v
retrieving revision 1.8
diff -u -r1.8 monitor.h
--- monitor.h	11 Jun 2002 16:42:49 -0000	1.8
+++ monitor.h	28 Jun 2002 15:05:37 -0000
@@ -50,6 +50,7 @@
 	MONITOR_REQ_RSACHALLENGE, MONITOR_ANS_RSACHALLENGE,
 	MONITOR_REQ_RSARESPONSE, MONITOR_ANS_RSARESPONSE,
 	MONITOR_REQ_PAM_START,
+	MONITOR_REQ_SETUP_SIA,
 	MONITOR_REQ_TERM
 };




