summaryrefslogtreecommitdiffhomepage
diff options
context:
space:
mode:
authorMatt Johnston <matt@ucc.asn.au>2004-08-08 16:57:37 +0000
committerMatt Johnston <matt@ucc.asn.au>2004-08-08 16:57:37 +0000
commit3238bed9c9467a4c77bb6b430cd8f9fc394315c2 (patch)
treeedbc491ec7befd2506105fd63caddc9d1c553764
parent8edc3523938ee2149ae11e7e19ef1e419fb57e0d (diff)
svr-authpam code merged and works. needs tidying a log
--HG-- branch : authpam extra : convert_revision : abeb2807b88fbd8b95d92b760a209a0816cbaea9
-rw-r--r--Makefile.in3
-rw-r--r--auth.h1
-rw-r--r--configure.in38
-rw-r--r--options.h5
-rw-r--r--svr-auth.c15
-rw-r--r--svr-authpam.c215
6 files changed, 273 insertions, 4 deletions
diff --git a/Makefile.in b/Makefile.in
index 2bffe90..6cb94e4 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -24,7 +24,8 @@ COMMONOBJS=dbutil.o buffer.o \
SVROBJS=svr-kex.o svr-algo.o svr-auth.o sshpty.o \
svr-authpasswd.o svr-authpubkey.o svr-session.o svr-service.o \
- svr-chansession.o svr-runopts.o svr-agentfwd.o svr-main.o svr-x11fwd.o
+ svr-chansession.o svr-runopts.o svr-agentfwd.o svr-main.o svr-x11fwd.o\
+ svr-authpam.o
CLIOBJS=cli-algo.o cli-main.o cli-auth.o cli-authpasswd.o cli-kex.o \
cli-session.o cli-service.o cli-runopts.o cli-chansession.o \
diff --git a/auth.h b/auth.h
index edac5a9..399db2d 100644
--- a/auth.h
+++ b/auth.h
@@ -36,6 +36,7 @@ void send_msg_userauth_failure(int partial, int incrfail);
void send_msg_userauth_success();
void svr_auth_password();
void svr_auth_pubkey();
+void svr_auth_pam();
/* Client functions */
void recv_msg_userauth_failure();
diff --git a/configure.in b/configure.in
index 47a9a29..d3c5229 100644
--- a/configure.in
+++ b/configure.in
@@ -108,6 +108,42 @@ AC_ARG_ENABLE(zlib,
]
)
+# Check if pam is needed
+AC_ARG_WITH(pam,
+ [ --with-pam=PATH Use pam in PATH],
+ [
+ # option is given
+ if test -d "$withval/lib"; then
+ LDFLAGS="-L${withval}/lib ${LDFLAGS}"
+ else
+ LDFLAGS="-L${withval} ${LDFLAGS}"
+ fi
+ if test -d "$withval/include"; then
+ CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
+ else
+ CPPFLAGS="-I${withval} ${CPPFLAGS}"
+ fi
+ ]
+)
+
+AC_ARG_ENABLE(pam,
+ [ --disable-pam Don't include PAM support],
+ [
+ if test "x$enableval" = "xno"; then
+ AC_DEFINE(DISABLE_PAM,, Use PAM)
+ AC_MSG_RESULT(Disabling PAM)
+ else
+ AC_CHECK_LIB(pam, pam_authenticate, , AC_MSG_ERROR([*** PAM missing - install first or check config.log ***]))
+ AC_MSG_RESULT(Enabling PAM)
+ fi
+ ],
+ [
+ # if not disabled, check for pam
+ AC_CHECK_LIB(pam, pam_authenticate, , AC_MSG_ERROR([*** PAM missing - install first or check config.log ***]))
+ AC_MSG_RESULT(Enabling PAM)
+ ]
+)
+
AC_ARG_ENABLE(openpty,
[ --disable-openpty Don't use openpty, use alternative method],
[
@@ -160,7 +196,7 @@ AC_ARG_ENABLE(shadow,
# Checks for header files.
AC_HEADER_STDC
AC_HEADER_SYS_WAIT
-AC_CHECK_HEADERS([fcntl.h limits.h netinet/in.h netinet/tcp.h stdlib.h string.h sys/socket.h sys/time.h termios.h unistd.h crypt.h pty.h ioctl.h libutil.h libgen.h inttypes.h stropts.h utmp.h utmpx.h lastlog.h paths.h util.h netdb.h sys/dirent.h])
+AC_CHECK_HEADERS([fcntl.h limits.h netinet/in.h netinet/tcp.h stdlib.h string.h sys/socket.h sys/time.h termios.h unistd.h crypt.h pty.h ioctl.h libutil.h libgen.h inttypes.h stropts.h utmp.h utmpx.h lastlog.h paths.h util.h netdb.h sys/dirent.h security/pam_appl.h pam/pam_appl.h])
# Checks for typedefs, structures, and compiler characteristics.
AC_C_CONST
diff --git a/options.h b/options.h
index d4abf09..6ea5277 100644
--- a/options.h
+++ b/options.h
@@ -110,7 +110,10 @@
/* Authentication types to enable, at least one required.
RFC Draft requires pubkey auth, and recommends password */
-#define DROPBEAR_PASSWORD_AUTH
+//#define DROPBEAR_PASSWORD_AUTH
+/* Only set PAM auth if you aren't using PASSWORD auth. Also, you'll need
+ * to make sure PAM libraries etc are installed */
+#define DROPBEAR_PAM_AUTH
#define DROPBEAR_PUBKEY_AUTH
/* Random device to use - you must specify _one only_.
diff --git a/svr-auth.c b/svr-auth.c
index db1d6a4..9e82b25 100644
--- a/svr-auth.c
+++ b/svr-auth.c
@@ -57,7 +57,7 @@ static void authclear() {
#ifdef DROPBEAR_PUBKEY_AUTH
ses.authstate.authtypes |= AUTH_TYPE_PUBKEY;
#endif
-#ifdef DROPBEAR_PASSWORD_AUTH
+#if defined(DROPBEAR_PASSWORD_AUTH) || defined(DROPBEAR_PAM_AUTH)
if (!svr_opts.noauthpass) {
ses.authstate.authtypes |= AUTH_TYPE_PASSWORD;
}
@@ -156,6 +156,19 @@ void recv_msg_userauth_request() {
}
#endif
+#ifdef DROPBEAR_PAM_AUTH
+ if (!svr_opts.noauthpass &&
+ !(svr_opts.norootpass && ses.authstate.pw->pw_uid == 0) ) {
+ /* user wants to try password auth */
+ if (methodlen == AUTH_METHOD_PASSWORD_LEN &&
+ strncmp(methodname, AUTH_METHOD_PASSWORD,
+ AUTH_METHOD_PASSWORD_LEN) == 0) {
+ svr_auth_pam();
+ goto out;
+ }
+ }
+#endif
+
#ifdef DROPBEAR_PUBKEY_AUTH
/* user wants to try pubkey auth */
if (methodlen == AUTH_METHOD_PUBKEY_LEN &&
diff --git a/svr-authpam.c b/svr-authpam.c
new file mode 100644
index 0000000..cfd4327
--- /dev/null
+++ b/svr-authpam.c
@@ -0,0 +1,215 @@
+/*
+ * Dropbear - a SSH2 server
+ *
+ * Copyright (c) 2002,2003 Matt Johnston
+ * All rights reserved.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE. */
+
+/* Validates a user password */
+
+#include "includes.h"
+#include "session.h"
+#include "buffer.h"
+#include "dbutil.h"
+#include "auth.h"
+
+#if defined(HAVE_SECURITY_PAM_APPL_H)
+#include <security/pam_appl.h>
+#elif defined (HAVE_PAM_PAM_APPL_H)
+#include <pam/pam_appl.h>
+#endif
+
+#ifdef DROPBEAR_PAM_AUTH
+
+struct UserDataS {
+ char* user;
+ char* passwd;
+};
+
+/* PAM conversation function */
+int
+pamConvFunc(int num_msg,
+ const struct pam_message **msg,
+ struct pam_response **respp,
+ void *appdata_ptr) {
+ int rc = PAM_SUCCESS;
+ struct pam_response* resp = NULL;
+ struct UserDataS* userDatap = (struct UserDataS*) appdata_ptr;
+
+ /* tbd only handles one msg */
+
+ switch((*msg)->msg_style) {
+ case PAM_PROMPT_ECHO_OFF:
+ dropbear_log(LOG_DEBUG, "pamConvFunc(): PAM_PROMPT_ECHO_OFF: (*msg)->msg=\"%s\"", (*msg)->msg);
+
+ if (strcmp((*msg)->msg, "Password:") == 0) {
+ resp = (struct pam_response*) malloc(sizeof(struct pam_response));
+ resp->resp = (char*) strdup(userDatap->passwd);
+ /* dropbear_log(LOG_DEBUG, "pamConvFunc(): PAM_PROMPT_ECHO_ON: userDatap->passwd=\"%s\"", userDatap->passwd); */
+ resp->resp_retcode = 0;
+ (*respp) = resp;
+ }
+ else {
+ dropbear_log(LOG_WARNING, "pamConvFunc(): PAM_PROMPT_ECHO_OFF: unrecognized prompt, (*msg)->msg=\"%s\"", (*msg)->msg);
+ rc = PAM_CONV_ERR;
+ }
+ break;
+ case PAM_PROMPT_ECHO_ON:
+ dropbear_log(LOG_DEBUG, "pamConvFunc(): PAM_PROMPT_ECHO_ON: (*msg)->msg=\"%s\"", (*msg)->msg);
+
+ if ((strcmp((*msg)->msg, "login: " ) == 0) || (strcmp((*msg)->msg, "Please enter username: " ) == 0)) {
+ resp = (struct pam_response*) malloc(sizeof(struct pam_response));
+ resp->resp = (char*) strdup(userDatap->user);
+ dropbear_log(LOG_DEBUG, "pamConvFunc(): PAM_PROMPT_ECHO_ON: userDatap->user=\"%s\"", userDatap->user);
+ resp->resp_retcode = 0;
+ (*respp) = resp;
+ }
+ else {
+ dropbear_log(LOG_WARNING, "pamConvFunc(): PAM_PROMPT_ECHO_ON: unrecognized prompt, (*msg)->msg=\"%s\"",
+ (*msg)->msg);
+ rc = PAM_CONV_ERR;
+ }
+ break;
+ case PAM_ERROR_MSG:
+ dropbear_log(LOG_DEBUG, "pamConvFunc(): PAM_ERROR_MSG: (*msg)->msg=\"%s\"", (*msg)->msg);
+ /* printf("error msg: '%s'\n", (*msg)->msg); */
+ rc = PAM_CONV_ERR;
+ break;
+ case PAM_TEXT_INFO:
+ dropbear_log(LOG_DEBUG, "pamConvFunc(): PAM_TEXT_INFO: (*msg)->msg=\"%s\"", (*msg)->msg);
+ /* printf("text info: '%s'\n", (*msg)->msg); */
+ rc = PAM_CONV_ERR;
+ break;
+ case PAM_RADIO_TYPE:
+ dropbear_log(LOG_DEBUG, "pamConvFunc(): PAM_RADIO_TYPE: (*msg)->msg=\"%s\"", (*msg)->msg);
+ /* printf("radio type: '%s'\n", (*msg)->msg); */
+ rc = PAM_CONV_ERR;
+ break;
+ case PAM_BINARY_PROMPT:
+ dropbear_log(LOG_DEBUG, "pamConvFunc(): PAM_BINARY_PROMPT: (*msg)->msg=\"%s\"", (*msg)->msg);
+ /* printf("binary prompt: '%s'\n", (*msg)->msg); */
+ rc = PAM_CONV_ERR;
+ break;
+ default:
+ dropbear_log(LOG_DEBUG, "pamConvFunc(): Unknown PAM message");
+ /* printf("unknown message\n"); */
+ rc = PAM_CONV_ERR;
+ break;
+ }
+
+ return rc;
+}
+
+/* Process a password auth request, sending success or failure messages as
+ * appropriate */
+void svr_auth_pam() {
+ // PAM stuff
+ int rc = PAM_SUCCESS;
+ struct UserDataS userData;
+ struct pam_conv pamConv = {
+ pamConvFunc,
+ &userData /* submitted to pamvConvFunc as appdata_ptr */
+ };
+ pam_handle_t* pamHandlep = NULL;
+ unsigned char * password = NULL;
+ unsigned int passwordlen;
+
+ unsigned char changepw;
+
+ /* check if client wants to change password */
+ changepw = buf_getbyte(ses.payload);
+ if (changepw) {
+ /* not implemented by this server */
+ send_msg_userauth_failure(0, 1);
+ return;
+ }
+
+ password = buf_getstring(ses.payload, &passwordlen);
+
+ /* clear the buffer containing the password */
+ buf_incrpos(ses.payload, -passwordlen - 4);
+ m_burn(buf_getptr(ses.payload, passwordlen + 4), passwordlen + 4);
+
+ /* used to pass data to the PAM conversation function */
+ userData.user = ses.authstate.printableuser;
+ TRACE(("user is %s\n", userData.user));
+ userData.passwd = password;
+
+ /* Init pam */
+ if ((rc = pam_start("sshd", NULL, &pamConv, &pamHandlep)) != PAM_SUCCESS) {
+ dropbear_log(LOG_WARNING, "pam_start() failed, rc=%d, %s\n", rc, pam_strerror(pamHandlep, rc));
+ /* fprintf(stderr, "pam_start() failed, rc=%d, %s\n", rc, pam_strerror(pamHandlep, rc)); */
+ goto clean;
+ }
+
+ /*
+ if ((rc = pam_set_item(pamHandlep, PAM_RHOST, webReqp->ipaddr) != PAM_SUCCESS)) {
+ dropbear_log(LOG_WARNING, "pam_set_item() failed, rc=%d, %s\n", rc, pam_strerror(pamHandlep, rc));
+ return;
+ }
+ */
+
+ /* just to set it to something */
+ if ((rc = pam_set_item(pamHandlep, PAM_TTY, "ssh") != PAM_SUCCESS)) {
+ dropbear_log(LOG_WARNING, "pam_set_item() failed, rc=%d, %s\n", rc, pam_strerror(pamHandlep, rc));
+ goto clean;
+ }
+
+ (void) pam_fail_delay(pamHandlep, 0 /* musec_delay */);
+
+ /* (void) pam_set_item(pamHandlep, PAM_FAIL_DELAY, (void*) pamDelayFunc); */
+
+ if ((rc = pam_authenticate(pamHandlep, 0)) != PAM_SUCCESS) {
+ dropbear_log(LOG_WARNING, "pam_authenticate() failed, rc=%d, %s\n", rc, pam_strerror(pamHandlep, rc));
+ /* fprintf(stderr, "pam_authenticate() failed, rc=%d, %s\n", rc, pam_strerror(pamHandlep, rc)); */
+ dropbear_log(LOG_WARNING,
+ "bad pam password attempt for '%s'",
+ ses.authstate.printableuser);
+ send_msg_userauth_failure(0, 1);
+ goto clean;
+ }
+
+ if ((rc = pam_acct_mgmt(pamHandlep, 0)) != PAM_SUCCESS) {
+ dropbear_log(LOG_WARNING, "pam_acct_mgmt() failed, rc=%d, %s\n", rc, pam_strerror(pamHandlep, rc));
+ /* fprintf(stderr, "pam_acct_mgmt() failed, rc=%d, %s\n", rc, pam_strerror(pamHandlep, rc)); */
+ dropbear_log(LOG_WARNING,
+ "bad pam password attempt for '%s'",
+ ses.authstate.printableuser);
+ send_msg_userauth_failure(0, 1);
+ goto clean;
+ }
+
+ /* successful authentication */
+ dropbear_log(LOG_NOTICE,
+ "password auth succeeded for '%s'",
+ ses.authstate.printableuser);
+ send_msg_userauth_success();
+
+ clean:
+ if (password != NULL) {
+ m_burn(password, passwordlen);
+ m_free(password);
+ }
+ if (pamHandlep != NULL) {
+ (void) pam_end(pamHandlep, 0 /* pam_status */);
+ }
+}
+
+#endif /* DROPBEAR_PAM_AUTH */