From 3238bed9c9467a4c77bb6b430cd8f9fc394315c2 Mon Sep 17 00:00:00 2001 From: Matt Johnston Date: Sun, 8 Aug 2004 16:57:37 +0000 Subject: svr-authpam code merged and works. needs tidying a log --HG-- branch : authpam extra : convert_revision : abeb2807b88fbd8b95d92b760a209a0816cbaea9 --- Makefile.in | 3 +- auth.h | 1 + configure.in | 38 ++++++++++- options.h | 5 +- svr-auth.c | 15 +++- svr-authpam.c | 215 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 6 files changed, 273 insertions(+), 4 deletions(-) create mode 100644 svr-authpam.c diff --git a/Makefile.in b/Makefile.in index 2bffe90..6cb94e4 100644 --- a/Makefile.in +++ b/Makefile.in @@ -24,7 +24,8 @@ COMMONOBJS=dbutil.o buffer.o \ SVROBJS=svr-kex.o svr-algo.o svr-auth.o sshpty.o \ svr-authpasswd.o svr-authpubkey.o svr-session.o svr-service.o \ - svr-chansession.o svr-runopts.o svr-agentfwd.o svr-main.o svr-x11fwd.o + svr-chansession.o svr-runopts.o svr-agentfwd.o svr-main.o svr-x11fwd.o\ + svr-authpam.o CLIOBJS=cli-algo.o cli-main.o cli-auth.o cli-authpasswd.o cli-kex.o \ cli-session.o cli-service.o cli-runopts.o cli-chansession.o \ diff --git a/auth.h b/auth.h index edac5a9..399db2d 100644 --- a/auth.h +++ b/auth.h @@ -36,6 +36,7 @@ void send_msg_userauth_failure(int partial, int incrfail); void send_msg_userauth_success(); void svr_auth_password(); void svr_auth_pubkey(); +void svr_auth_pam(); /* Client functions */ void recv_msg_userauth_failure(); diff --git a/configure.in b/configure.in index 47a9a29..d3c5229 100644 --- a/configure.in +++ b/configure.in @@ -108,6 +108,42 @@ AC_ARG_ENABLE(zlib, ] ) +# Check if pam is needed +AC_ARG_WITH(pam, + [ --with-pam=PATH Use pam in PATH], + [ + # option is given + if test -d "$withval/lib"; then + LDFLAGS="-L${withval}/lib ${LDFLAGS}" + else + LDFLAGS="-L${withval} ${LDFLAGS}" + fi + if test -d "$withval/include"; then + CPPFLAGS="-I${withval}/include ${CPPFLAGS}" + else + CPPFLAGS="-I${withval} ${CPPFLAGS}" + fi + ] +) + +AC_ARG_ENABLE(pam, + [ --disable-pam Don't include PAM support], + [ + if test "x$enableval" = "xno"; then + AC_DEFINE(DISABLE_PAM,, Use PAM) + AC_MSG_RESULT(Disabling PAM) + else + AC_CHECK_LIB(pam, pam_authenticate, , AC_MSG_ERROR([*** PAM missing - install first or check config.log ***])) + AC_MSG_RESULT(Enabling PAM) + fi + ], + [ + # if not disabled, check for pam + AC_CHECK_LIB(pam, pam_authenticate, , AC_MSG_ERROR([*** PAM missing - install first or check config.log ***])) + AC_MSG_RESULT(Enabling PAM) + ] +) + AC_ARG_ENABLE(openpty, [ --disable-openpty Don't use openpty, use alternative method], [ @@ -160,7 +196,7 @@ AC_ARG_ENABLE(shadow, # Checks for header files. AC_HEADER_STDC AC_HEADER_SYS_WAIT -AC_CHECK_HEADERS([fcntl.h limits.h netinet/in.h netinet/tcp.h stdlib.h string.h sys/socket.h sys/time.h termios.h unistd.h crypt.h pty.h ioctl.h libutil.h libgen.h inttypes.h stropts.h utmp.h utmpx.h lastlog.h paths.h util.h netdb.h sys/dirent.h]) +AC_CHECK_HEADERS([fcntl.h limits.h netinet/in.h netinet/tcp.h stdlib.h string.h sys/socket.h sys/time.h termios.h unistd.h crypt.h pty.h ioctl.h libutil.h libgen.h inttypes.h stropts.h utmp.h utmpx.h lastlog.h paths.h util.h netdb.h sys/dirent.h security/pam_appl.h pam/pam_appl.h]) # Checks for typedefs, structures, and compiler characteristics. AC_C_CONST diff --git a/options.h b/options.h index d4abf09..6ea5277 100644 --- a/options.h +++ b/options.h @@ -110,7 +110,10 @@ /* Authentication types to enable, at least one required. RFC Draft requires pubkey auth, and recommends password */ -#define DROPBEAR_PASSWORD_AUTH +//#define DROPBEAR_PASSWORD_AUTH +/* Only set PAM auth if you aren't using PASSWORD auth. Also, you'll need + * to make sure PAM libraries etc are installed */ +#define DROPBEAR_PAM_AUTH #define DROPBEAR_PUBKEY_AUTH /* Random device to use - you must specify _one only_. diff --git a/svr-auth.c b/svr-auth.c index db1d6a4..9e82b25 100644 --- a/svr-auth.c +++ b/svr-auth.c @@ -57,7 +57,7 @@ static void authclear() { #ifdef DROPBEAR_PUBKEY_AUTH ses.authstate.authtypes |= AUTH_TYPE_PUBKEY; #endif -#ifdef DROPBEAR_PASSWORD_AUTH +#if defined(DROPBEAR_PASSWORD_AUTH) || defined(DROPBEAR_PAM_AUTH) if (!svr_opts.noauthpass) { ses.authstate.authtypes |= AUTH_TYPE_PASSWORD; } @@ -156,6 +156,19 @@ void recv_msg_userauth_request() { } #endif +#ifdef DROPBEAR_PAM_AUTH + if (!svr_opts.noauthpass && + !(svr_opts.norootpass && ses.authstate.pw->pw_uid == 0) ) { + /* user wants to try password auth */ + if (methodlen == AUTH_METHOD_PASSWORD_LEN && + strncmp(methodname, AUTH_METHOD_PASSWORD, + AUTH_METHOD_PASSWORD_LEN) == 0) { + svr_auth_pam(); + goto out; + } + } +#endif + #ifdef DROPBEAR_PUBKEY_AUTH /* user wants to try pubkey auth */ if (methodlen == AUTH_METHOD_PUBKEY_LEN && diff --git a/svr-authpam.c b/svr-authpam.c new file mode 100644 index 0000000..cfd4327 --- /dev/null +++ b/svr-authpam.c @@ -0,0 +1,215 @@ +/* + * Dropbear - a SSH2 server + * + * Copyright (c) 2002,2003 Matt Johnston + * All rights reserved. + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. */ + +/* Validates a user password */ + +#include "includes.h" +#include "session.h" +#include "buffer.h" +#include "dbutil.h" +#include "auth.h" + +#if defined(HAVE_SECURITY_PAM_APPL_H) +#include +#elif defined (HAVE_PAM_PAM_APPL_H) +#include +#endif + +#ifdef DROPBEAR_PAM_AUTH + +struct UserDataS { + char* user; + char* passwd; +}; + +/* PAM conversation function */ +int +pamConvFunc(int num_msg, + const struct pam_message **msg, + struct pam_response **respp, + void *appdata_ptr) { + int rc = PAM_SUCCESS; + struct pam_response* resp = NULL; + struct UserDataS* userDatap = (struct UserDataS*) appdata_ptr; + + /* tbd only handles one msg */ + + switch((*msg)->msg_style) { + case PAM_PROMPT_ECHO_OFF: + dropbear_log(LOG_DEBUG, "pamConvFunc(): PAM_PROMPT_ECHO_OFF: (*msg)->msg=\"%s\"", (*msg)->msg); + + if (strcmp((*msg)->msg, "Password:") == 0) { + resp = (struct pam_response*) malloc(sizeof(struct pam_response)); + resp->resp = (char*) strdup(userDatap->passwd); + /* dropbear_log(LOG_DEBUG, "pamConvFunc(): PAM_PROMPT_ECHO_ON: userDatap->passwd=\"%s\"", userDatap->passwd); */ + resp->resp_retcode = 0; + (*respp) = resp; + } + else { + dropbear_log(LOG_WARNING, "pamConvFunc(): PAM_PROMPT_ECHO_OFF: unrecognized prompt, (*msg)->msg=\"%s\"", (*msg)->msg); + rc = PAM_CONV_ERR; + } + break; + case PAM_PROMPT_ECHO_ON: + dropbear_log(LOG_DEBUG, "pamConvFunc(): PAM_PROMPT_ECHO_ON: (*msg)->msg=\"%s\"", (*msg)->msg); + + if ((strcmp((*msg)->msg, "login: " ) == 0) || (strcmp((*msg)->msg, "Please enter username: " ) == 0)) { + resp = (struct pam_response*) malloc(sizeof(struct pam_response)); + resp->resp = (char*) strdup(userDatap->user); + dropbear_log(LOG_DEBUG, "pamConvFunc(): PAM_PROMPT_ECHO_ON: userDatap->user=\"%s\"", userDatap->user); + resp->resp_retcode = 0; + (*respp) = resp; + } + else { + dropbear_log(LOG_WARNING, "pamConvFunc(): PAM_PROMPT_ECHO_ON: unrecognized prompt, (*msg)->msg=\"%s\"", + (*msg)->msg); + rc = PAM_CONV_ERR; + } + break; + case PAM_ERROR_MSG: + dropbear_log(LOG_DEBUG, "pamConvFunc(): PAM_ERROR_MSG: (*msg)->msg=\"%s\"", (*msg)->msg); + /* printf("error msg: '%s'\n", (*msg)->msg); */ + rc = PAM_CONV_ERR; + break; + case PAM_TEXT_INFO: + dropbear_log(LOG_DEBUG, "pamConvFunc(): PAM_TEXT_INFO: (*msg)->msg=\"%s\"", (*msg)->msg); + /* printf("text info: '%s'\n", (*msg)->msg); */ + rc = PAM_CONV_ERR; + break; + case PAM_RADIO_TYPE: + dropbear_log(LOG_DEBUG, "pamConvFunc(): PAM_RADIO_TYPE: (*msg)->msg=\"%s\"", (*msg)->msg); + /* printf("radio type: '%s'\n", (*msg)->msg); */ + rc = PAM_CONV_ERR; + break; + case PAM_BINARY_PROMPT: + dropbear_log(LOG_DEBUG, "pamConvFunc(): PAM_BINARY_PROMPT: (*msg)->msg=\"%s\"", (*msg)->msg); + /* printf("binary prompt: '%s'\n", (*msg)->msg); */ + rc = PAM_CONV_ERR; + break; + default: + dropbear_log(LOG_DEBUG, "pamConvFunc(): Unknown PAM message"); + /* printf("unknown message\n"); */ + rc = PAM_CONV_ERR; + break; + } + + return rc; +} + +/* Process a password auth request, sending success or failure messages as + * appropriate */ +void svr_auth_pam() { + // PAM stuff + int rc = PAM_SUCCESS; + struct UserDataS userData; + struct pam_conv pamConv = { + pamConvFunc, + &userData /* submitted to pamvConvFunc as appdata_ptr */ + }; + pam_handle_t* pamHandlep = NULL; + unsigned char * password = NULL; + unsigned int passwordlen; + + unsigned char changepw; + + /* check if client wants to change password */ + changepw = buf_getbyte(ses.payload); + if (changepw) { + /* not implemented by this server */ + send_msg_userauth_failure(0, 1); + return; + } + + password = buf_getstring(ses.payload, &passwordlen); + + /* clear the buffer containing the password */ + buf_incrpos(ses.payload, -passwordlen - 4); + m_burn(buf_getptr(ses.payload, passwordlen + 4), passwordlen + 4); + + /* used to pass data to the PAM conversation function */ + userData.user = ses.authstate.printableuser; + TRACE(("user is %s\n", userData.user)); + userData.passwd = password; + + /* Init pam */ + if ((rc = pam_start("sshd", NULL, &pamConv, &pamHandlep)) != PAM_SUCCESS) { + dropbear_log(LOG_WARNING, "pam_start() failed, rc=%d, %s\n", rc, pam_strerror(pamHandlep, rc)); + /* fprintf(stderr, "pam_start() failed, rc=%d, %s\n", rc, pam_strerror(pamHandlep, rc)); */ + goto clean; + } + + /* + if ((rc = pam_set_item(pamHandlep, PAM_RHOST, webReqp->ipaddr) != PAM_SUCCESS)) { + dropbear_log(LOG_WARNING, "pam_set_item() failed, rc=%d, %s\n", rc, pam_strerror(pamHandlep, rc)); + return; + } + */ + + /* just to set it to something */ + if ((rc = pam_set_item(pamHandlep, PAM_TTY, "ssh") != PAM_SUCCESS)) { + dropbear_log(LOG_WARNING, "pam_set_item() failed, rc=%d, %s\n", rc, pam_strerror(pamHandlep, rc)); + goto clean; + } + + (void) pam_fail_delay(pamHandlep, 0 /* musec_delay */); + + /* (void) pam_set_item(pamHandlep, PAM_FAIL_DELAY, (void*) pamDelayFunc); */ + + if ((rc = pam_authenticate(pamHandlep, 0)) != PAM_SUCCESS) { + dropbear_log(LOG_WARNING, "pam_authenticate() failed, rc=%d, %s\n", rc, pam_strerror(pamHandlep, rc)); + /* fprintf(stderr, "pam_authenticate() failed, rc=%d, %s\n", rc, pam_strerror(pamHandlep, rc)); */ + dropbear_log(LOG_WARNING, + "bad pam password attempt for '%s'", + ses.authstate.printableuser); + send_msg_userauth_failure(0, 1); + goto clean; + } + + if ((rc = pam_acct_mgmt(pamHandlep, 0)) != PAM_SUCCESS) { + dropbear_log(LOG_WARNING, "pam_acct_mgmt() failed, rc=%d, %s\n", rc, pam_strerror(pamHandlep, rc)); + /* fprintf(stderr, "pam_acct_mgmt() failed, rc=%d, %s\n", rc, pam_strerror(pamHandlep, rc)); */ + dropbear_log(LOG_WARNING, + "bad pam password attempt for '%s'", + ses.authstate.printableuser); + send_msg_userauth_failure(0, 1); + goto clean; + } + + /* successful authentication */ + dropbear_log(LOG_NOTICE, + "password auth succeeded for '%s'", + ses.authstate.printableuser); + send_msg_userauth_success(); + + clean: + if (password != NULL) { + m_burn(password, passwordlen); + m_free(password); + } + if (pamHandlep != NULL) { + (void) pam_end(pamHandlep, 0 /* pam_status */); + } +} + +#endif /* DROPBEAR_PAM_AUTH */ -- cgit v1.2.3