From 2e1b082dfbc5dcdae80957a3d889abe9fa480d77 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sat, 25 Dec 1999 10:11:29 +1100 Subject: - Prepare for 1.2.1pre20 19991225 - More fixes from Andre Lucas - Cleanup of auth-passwd.c for shadow and MD5 passwords - Cleanup and bugfix of PAM authentication code 19991223 - Merged later HPUX patch from Andre Lucas - Above patch included better utmpx support from Ben Taylor : --- ChangeLog | 11 ++++++++ acconfig.h | 62 ++++++++++++++++++++++---------------------- auth-passwd.c | 47 +++++++++++++-------------------- bsd-login.c | 46 +++++++++++++++++++------------- bsd-login.h | 21 ++++++++++----- configure.in | 47 +++++++++++++++++++++++++-------- includes.h | 1 + login.c | 40 +++++++++++++++++++--------- packages/redhat/openssh.spec | 2 +- packages/redhat/sshd.pam | 2 +- packages/suse/openssh.spec | 2 +- sshd.c | 43 +++++++++++++++++------------- sshd.pam.generic | 2 +- 13 files changed, 197 insertions(+), 129 deletions(-) diff --git a/ChangeLog b/ChangeLog index 256711eb..394ebc89 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,14 @@ +19991225 + - More fixes from Andre Lucas + - Cleanup of auth-passwd.c for shadow and MD5 passwords + - Cleanup and bugfix of PAM authentication code + +19991223 + - Merged later HPUX patch from Andre Lucas + + - Above patch included better utmpx support from Ben Taylor + : + 19991222 - Fix undefined fd_set type in ssh.h from Povl H. Pedersen diff --git a/acconfig.h b/acconfig.h index b02abbaf..1e706ff5 100644 --- a/acconfig.h +++ b/acconfig.h @@ -30,6 +30,9 @@ /* Define is utmpx.h has a ut_host field */ #undef HAVE_HOST_IN_UTMPX +/* Define is utmpx.h has a syslen field */ +#undef HAVE_SYSLEN_IN_UTMPX + /* Define if you want to use utmpx */ #undef USE_UTMPX @@ -63,6 +66,9 @@ /* Define if xauth is found in your path */ #undef XAUTH_PATH +/* Define if rsh is found in your path */ +#undef RSH_PATH + /* Define if you want to allow MD5 passwords */ #undef HAVE_MD5_PASSWORDS @@ -76,6 +82,9 @@ /* to pam_strerror */ #undef HAVE_OLD_PAM +/* Set this to your mail directory if you don't have maillock.h */ +#undef MAIL_DIRECTORY + /* Data types */ #undef HAVE_QUAD_T #undef HAVE_INTXX_T @@ -197,36 +206,19 @@ enum # endif #endif -/* Use utmpx if supported */ -#if defined(HAVE_UTMPX_H) && defined(USE_UTMPX) -# define UTMP_STR utmpx -#else -# ifdef HAVE_UTMP_H -# define UTMP_STR utmp -# endif -#endif - #ifndef _PATH_UTMP -# if defined(UTMPX_FILE) && defined(USE_UTMPX) -# define _PATH_UTMP UTMPX_FILE +# ifdef UTMP_FILE +# define _PATH_UTMP UTMP_FILE # else -# ifdef UTMP_FILE -# define _PATH_UTMP UTMP_FILE -# else -# define _PATH_UTMP "/var/adm/utmp" -# endif +# define _PATH_UTMP "/var/adm/utmp" # endif #endif #ifndef _PATH_WTMP -# if defined(WTMPX_FILE) && defined(USE_UTMPX) -# define _PATH_WTMP WTMPX_FILE +# ifdef WTMP_FILE +# define _PATH_WTMP WTMP_FILE # else -# ifdef WTMP_FILE -# define _PATH_WTMP WTMP_FILE -# else -# define _PATH_WTMP "/var/adm/wtmp" -# endif +# define _PATH_WTMP "/var/adm/wtmp" # endif #endif @@ -242,16 +234,14 @@ enum # define _PATH_DEVNULL "/dev/null" #endif -#ifndef _PATH_MAILDIR -# ifdef MAILDIR -# define _PATH_MAILDIR MAILDIR -# else -# ifdef MAIL_DIRECTORY -# define _PATH_MAILDIR MAIL_DIRECTORY -# endif -# endif +#ifndef MAILDIR +# define MAILDIR MAIL_DIRECTORY #endif +#if !defined(_PATH_MAILDIR) && defined(MAILDIR) +# define _PATH_MAILDIR MAILDIR +#endif /* !defined(_PATH_MAILDIR) && defined(MAILDIR) */ + #ifndef MAX # define MAX(a,b) (((a)>(b))?(a):(b)) # define MIN(a,b) (((a)<(b))?(a):(b)) @@ -287,3 +277,13 @@ enum #if !defined(HAVE_SETEUID) && defined(HAVE_SETREUID) # define seteuid(a) setreuid(-1,a) #endif /* !defined(HAVE_SETEUID) && defined(HAVE_SETREUID) */ + +#ifndef HAVE_INNETGR +# define innetgr(a,b,c,d) (0) +#endif /* HAVE_INNETGR */ + +#ifndef _PATH_RSH +# ifdef RSH_PATH +# define _PATH_RSH RSH_PATH +# endif /* RSH_PATH */ +#endif /* _PATH_RSH */ diff --git a/auth-passwd.c b/auth-passwd.c index fc0809e1..058dde82 100644 --- a/auth-passwd.c +++ b/auth-passwd.c @@ -9,9 +9,9 @@ #include "includes.h" -#ifndef HAVE_PAM +#ifndef HAVE_LIBPAM -RCSID("$Id: auth-passwd.c,v 1.10 1999/12/21 10:03:09 damien Exp $"); +RCSID("$Id: auth-passwd.c,v 1.11 1999/12/24 23:11:29 damien Exp $"); #include "packet.h" #include "ssh.h" @@ -35,6 +35,8 @@ auth_password(struct passwd * pw, const char *password) { extern ServerOptions options; char *encrypted_password; + char *pw_password; + char *salt; #ifdef HAVE_SHADOW_H struct spwd *spw; #endif @@ -68,48 +70,35 @@ auth_password(struct passwd * pw, const char *password) if (strcmp(password, "") == 0 && strcmp(pw->pw_passwd, "") == 0) return 1; + pw_password = pw->pw_passwd; + #if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) spw = getspnam(pw->pw_name); - if (spw == NULL) + if (spw == NULL) return(0); - if ((spw->sp_namp == NULL) || (strcmp(pw->pw_name, spw->sp_namp) != 0)) - fatal("Shadow lookup returned garbage."); - /* Check for users with no password. */ if (strcmp(password, "") == 0 && strcmp(spw->sp_pwdp, "") == 0) return 1; - if (strlen(spw->sp_pwdp) < 3) - return(0); + pw_password = spw->sp_pwdp; +#endif /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */ - /* Encrypt the candidate password using the proper salt. */ -#ifdef HAVE_MD5_PASSWORDS - if (is_md5_salt(spw->sp_pwdp)) - encrypted_password = md5_crypt(password, spw->sp_pwdp); + if (pw_password[0] != '\0') + salt = pw_password; else - encrypted_password = crypt(password, spw->sp_pwdp); -#else /* HAVE_MD5_PASSWORDS */ - encrypted_password = crypt(password, spw->sp_pwdp); -#endif /* HAVE_MD5_PASSWORDS */ - /* Authentication is accepted if the encrypted passwords are identical. */ - return (strcmp(encrypted_password, spw->sp_pwdp) == 0); -#else /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */ - - if (strlen(pw->pw_passwd) < 3) - return(0); + salt = "xx"; #ifdef HAVE_MD5_PASSWORDS - if (is_md5_salt(pw->pw_passwd)) - encrypted_password = md5_crypt(password, pw->pw_passwd); + if (is_md5_salt(salt)) + encrypted_password = md5_crypt(password, salt); else - encrypted_password = crypt(password, pw->pw_passwd); + encrypted_password = crypt(password, salt); #else /* HAVE_MD5_PASSWORDS */ - encrypted_password = crypt(password, pw->pw_passwd); + encrypted_password = crypt(password, salt); #endif /* HAVE_MD5_PASSWORDS */ /* Authentication is accepted if the encrypted passwords are identical. */ - return (strcmp(encrypted_password, pw->pw_passwd) == 0); -#endif /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */ + return (strcmp(encrypted_password, pw_password) == 0); } -#endif /* !HAVE_PAM */ +#endif /* !HAVE_LIBPAM */ diff --git a/bsd-login.c b/bsd-login.c index c0f4c1ab..d81e4691 100644 --- a/bsd-login.c +++ b/bsd-login.c @@ -54,53 +54,63 @@ static char *rcsid = "$OpenBSD: login.c,v 1.5 1998/07/13 02:11:12 millert Exp $" #include #include +#if defined(HAVE_UTMPX_H) && defined(USE_UTMPX) +void +login(utp,utx) + struct utmp *utp; + struct utmpx *utx; +#else /* defined(HAVE_UTMPX_H) && defined(USE_UTMPX) */ void login(utp) - struct UTMP_STR *utp; + struct utmp *utp; +#endif /* defined(HAVE_UTMPX_H) && defined(USE_UTMPX) */ { - struct UTMP_STR old_ut; + struct utmp old_ut; +#if defined(HAVE_UTMPX_H) && defined(USE_UTMPX) + struct utmpx *old_utx; +#endif /* defined(HAVE_UTMPX_H) && defined(USE_UTMPX) */ register int fd; int tty; #ifndef UT_LINESIZE # define UT_LINESIZE (sizeof(old_ut.ut_line)) -# if defined(HAVE_UTMPX_H) && defined(USE_UTMPX) -# define UT_NAMESIZE (sizeof(old_ut.ut_user)) -# else -# define UT_NAMESIZE (sizeof(old_ut.ut_name)) -# endif +# define UT_NAMESIZE (sizeof(old_ut.ut_name)) # ifdef HAVE_HOST_IN_UTMP # define UT_HOSTSIZE (sizeof(old_ut.ut_host)) # endif -# if defined(HAVE_HOST_IN_UTMPX) && defined(USE_UTMPX) -# define UT_HOSTSIZE (sizeof(old_ut.ut_host)) -# endif #endif tty = ttyslot(); if (tty > 0 && (fd = open(_PATH_UTMP, O_RDWR|O_CREAT, 0644)) >= 0) { -#if defined(HAVE_HOST_IN_UTMP) || defined(HAVE_HOST_IN_UTMPX) - (void)lseek(fd, (off_t)(tty * sizeof(struct UTMP_STR)), SEEK_SET); +#if defined(HAVE_HOST_IN_UTMP) + (void)lseek(fd, (off_t)(tty * sizeof(struct utmp)), SEEK_SET); /* * Prevent luser from zero'ing out ut_host. * If the new ut_line is empty but the old one is not * and ut_line and ut_name match, preserve the old ut_line. */ - if (read(fd, &old_ut, sizeof(struct UTMP_STR)) == - sizeof(struct UTMP_STR) && utp->ut_host[0] == '\0' && + if (read(fd, &old_ut, sizeof(struct utmp)) == + sizeof(struct utmp) && utp->ut_host[0] == '\0' && old_ut.ut_host[0] != '\0' && strncmp(old_ut.ut_line, utp->ut_line, UT_LINESIZE) == 0 && strncmp(old_ut.ut_name, utp->ut_name, UT_NAMESIZE) == 0) (void)memcpy(utp->ut_host, old_ut.ut_host, UT_HOSTSIZE); -#endif /* defined(HAVE_HOST_IN_UTMP) || defined(HAVE_HOST_IN_UTMPX) */ - (void)lseek(fd, (off_t)(tty * sizeof(struct UTMP_STR)), SEEK_SET); - (void)write(fd, utp, sizeof(struct UTMP_STR)); +#endif /* defined(HAVE_HOST_IN_UTMP) */ + (void)lseek(fd, (off_t)(tty * sizeof(struct utmp)), SEEK_SET); + (void)write(fd, utp, sizeof(struct utmp)); (void)close(fd); } if ((fd = open(_PATH_WTMP, O_WRONLY|O_APPEND, 0)) >= 0) { - (void)write(fd, utp, sizeof(struct UTMP_STR)); + (void)write(fd, utp, sizeof(struct utmp)); (void)close(fd); } +#if defined(HAVE_UTMPX_H) && defined(USE_UTMPX) + old_utx = pututxline(utx); +# ifdef HAVE_UPDWTMPX + updwtmpx(_PATH_WTMPX, utx); +# endif /* HAVE_UPDWTMPX */ + endutxent(); +#endif /* defined(HAVE_UTMPX_H) && defined(USE_UTMPX) */ } #endif /* HAVE_LOGIN */ diff --git a/bsd-login.h b/bsd-login.h index 8891ae34..f26f4708 100644 --- a/bsd-login.h +++ b/bsd-login.h @@ -1,13 +1,22 @@ #ifndef _BSD_LOGIN_H -#define _BSD_LOGIN_H +# define _BSD_LOGIN_H -#include "config.h" -#ifndef HAVE_LOGIN +# include "config.h" +# ifndef HAVE_LOGIN -#include +# include -void login(struct UTMP_STR *utp); +# if defined(HAVE_UTMPX_H) && defined(USE_UTMPX) +# include -#endif /* !HAVE_LOGIN */ +void login(struct utmp *utp, struct utmpx *utx); + +# else /* defined(HAVE_UTMPX_H) && defined(USE_UTMPX) */ + +void login(struct utmp *utp); + +# endif /* defined(HAVE_UTMPX_H) && defined(USE_UTMPX) */ + +# endif /* !HAVE_LOGIN */ #endif /* _BSD_LOGIN_H */ diff --git a/configure.in b/configure.in index b5ffee79..7bb96270 100644 --- a/configure.in +++ b/configure.in @@ -9,10 +9,25 @@ AC_PROG_CPP AC_PROG_RANLIB AC_PROG_INSTALL AC_CHECK_PROG(AR, ar, ar) - -dnl Check for the path to xauth AC_PATH_PROG(xauth_path, xauth) -AC_DEFINE_UNQUOTED(XAUTH_PATH, "$xauth_path") + +dnl Use ip address instead of hostname in $DISPLAY +AC_ARG_WITH(rsh, + [ --with-rsh=PATH Specify path to remote shell program ], + [ + AC_DEFINE_UNQUOTED(RSH_PATH, "$withval") + ], + [ + AC_PATH_PROG(rsh_path, rsh) + ] +) + +if test ! -z "$xauth_path" ; then + AC_DEFINE_UNQUOTED(XAUTH_PATH, "$xauth_path") +fi +if test ! -z "$rsh_path" ; then + AC_DEFINE_UNQUOTED(RSH_PATH, "$rsh_path") +fi dnl Checks for compiler characteristics if test "$GCC" = "yes"; then CFLAGS="$CFLAGS -Wall"; fi @@ -27,6 +42,7 @@ case "$host" in fi CFLAGS="$CFLAGS -D_HPUX_SOURCE" AC_DEFINE(IPADDR_IN_DISPLAY) + AC_DEFINE(USE_UTMPX) AC_MSG_CHECKING(for HPUX trusted system password database) if test -f /tcb/files/auth/system/default; then AC_MSG_RESULT(yes) @@ -80,15 +96,22 @@ AC_CHECK_LIB(util, login, AC_DEFINE(HAVE_LIBUTIL_LOGIN) LIBS="$LIBS -lutil") AC_CHECK_LIB(nsl, yp_match, , ) AC_CHECK_LIB(socket, main, , ) -dnl libdl is needed by PAM on Redhat systems -AC_CHECK_LIB(dl, dlopen, , ) -AC_CHECK_LIB(pam, pam_authenticate, , ) +dnl Use ip address instead of hostname in $DISPLAY +AC_ARG_WITH(pam, + [ --without-pam Disable PAM support ], + [ + if test "x$withval" != "xno" ; then + AC_CHECK_LIB(dl, dlopen, , ) + AC_CHECK_LIB(pam, pam_authenticate, , ) + fi + ] +) dnl Checks for header files. -AC_CHECK_HEADERS(endian.h lastlog.h login.h maillock.h netgroup.h paths.h poll.h pty.h shadow_h util.h utmp.h utmpx.h sys/bsdtty.h sys/poll.h sys/select.h sys/stropts.h sys/time.h) +AC_CHECK_HEADERS(endian.h lastlog.h login.h maillock.h netgroup.h paths.h poll.h pty.h shadow.h util.h utmp.h utmpx.h sys/bsdtty.h sys/poll.h sys/select.h sys/stropts.h sys/time.h sys/ttcompat.h) dnl Checks for library functions. -AC_CHECK_FUNCS(arc4random mkdtemp openpty _getpty setenv seteuid setlogin setproctitle setreuid snprintf strlcat strlcpy vsnprintf) +AC_CHECK_FUNCS(arc4random updwtmpx mkdtemp openpty _getpty innetgr setenv seteuid setlogin setproctitle setreuid snprintf strlcat strlcpy vsnprintf) AC_CHECK_FUNC(login, [AC_DEFINE(HAVE_LOGIN)], @@ -220,19 +243,21 @@ if test -z "$RANDOM_POOL" -a -z "$EGD_POOL"; then AC_MSG_ERROR([No random device found, and no EGD random pool specified]) fi -dnl Check for ut_host field in utmp AC_MSG_CHECKING([whether utmp.h has ut_host field]) AC_EGREP_HEADER(ut_host, utmp.h, [AC_DEFINE(HAVE_HOST_IN_UTMP) AC_MSG_RESULT(yes); ], [AC_MSG_RESULT(no)] ) - -dnl Check for ut_host field in utmpx AC_MSG_CHECKING([whether utmpx.h has ut_host field]) AC_EGREP_HEADER(ut_host, utmpx.h, [AC_DEFINE(HAVE_HOST_IN_UTMPX) AC_MSG_RESULT(yes); ], [AC_MSG_RESULT(no)] ) +AC_MSG_CHECKING([whether utmpx.h has syslen field]) +AC_EGREP_HEADER(syslen, utmpx.h, + [AC_DEFINE(HAVE_SYSLEN_IN_UTMPX) AC_MSG_RESULT(yes); ], + [AC_MSG_RESULT(no)] +) dnl Look for lastlog location AC_ARG_WITH(lastlog, diff --git a/includes.h b/includes.h index 308e674c..0538bfbc 100644 --- a/includes.h +++ b/includes.h @@ -81,6 +81,7 @@ static /**/const char *const rcsid[] = { (char *)rcsid, "\100(#)" msg } #include "bsd-mktemp.h" #include "bsd-snprintf.h" #include "bsd-daemon.h" +#include "bsd-login.h" /* Define this to be the path of the xauth program. */ #ifndef XAUTH_PATH diff --git a/login.c b/login.c index fb9c8f87..c551da89 100644 --- a/login.c +++ b/login.c @@ -18,7 +18,7 @@ */ #include "includes.h" -RCSID("$Id: login.c,v 1.10 1999/12/22 05:09:48 damien Exp $"); +RCSID("$Id: login.c,v 1.11 1999/12/24 23:11:29 damien Exp $"); #if defined(HAVE_UTMPX_H) && defined(USE_UTMPX) # include @@ -133,28 +133,44 @@ record_login(int pid, const char *ttyname, const char *user, uid_t uid, struct lastlog ll; char *lastlog; #endif /* defined(_PATH_LASTLOG) && !defined(DISABLE_LASTLOG) */ - struct UTMP_STR u; - const char *utmp, *wtmp; + struct utmp u; +#if defined(HAVE_UTMPX_H) && defined(USE_UTMPX) + struct utmpx utx; +#endif /* Construct an utmp/wtmp entry. */ memset(&u, 0, sizeof(u)); strncpy(u.ut_line, ttyname + 5, sizeof(u.ut_line)); -#if defined(HAVE_UTMPX_H) && defined(USE_UTMPX) - u.ut_tv.tv_sec = time(NULL); - strncpy(u.ut_user, user, sizeof(u.ut_name)); -#else + u.ut_pid = (pid_t)pid; u.ut_time = time(NULL); strncpy(u.ut_name, user, sizeof(u.ut_name)); -#endif -#if defined(HAVE_HOST_IN_UTMP) || defined(HAVE_HOST_IN_UTMPX) + u.ut_type = (uid == -1)?DEAD_PROCESS:USER_PROCESS; +#if defined(HAVE_HOST_IN_UTMP) strncpy(u.ut_host, host, sizeof(u.ut_host)); #endif - /* Figure out the file names. */ - utmp = _PATH_UTMP; - wtmp = _PATH_WTMP; +#if defined(HAVE_UTMPX_H) && defined(USE_UTMPX) + memset(&utx, 0, sizeof(utx)); + strncpy(utx.ut_user, user, sizeof(utx.ut_name)); + strncpy(utx.ut_line, ttyname + 5, sizeof(utx.ut_line)); + utx.ut_pid = (pid_t)pid; + utx.ut_tv.tv_sec = time(NULL); + u.ut_type = (uid == -1)?DEAD_PROCESS:USER_PROCESS; +#ifdef HAVE_HOST_IN_UTMPX +#ifdef HAVE_SYSLEN_IN_UTMPX + utx.ut_syslen = strlen(host); + strncpy(utx.ut_host, host, utx.ut_syslen ); +#else + strncpy(utx.ut_host, host, sizeof(utx.ut_host)); +#endif /* HAVE_SYSLEN_IN_UTMPX */ +#endif +#endif /* defined(HAVE_UTMPX_H) && defined(USE_UTMPX) */ +#if defined(HAVE_UTMPX_H) && defined(USE_UTMPX) && !defined(HAVE_LOGIN) + login(&u, &utx); +#else /* defined(HAVE_UTMPX_H) && defined(USE_UTMPX) */ login(&u); +#endif /* defined(HAVE_UTMPX_H) && defined(USE_UTMPX) */ #if defined(_PATH_LASTLOG) && !defined(DISABLE_LASTLOG) lastlog = _PATH_LASTLOG; diff --git a/packages/redhat/openssh.spec b/packages/redhat/openssh.spec index d036f5c3..a3e51bb8 100644 --- a/packages/redhat/openssh.spec +++ b/packages/redhat/openssh.spec @@ -1,6 +1,6 @@ Summary: OpenSSH free Secure Shell (SSH) implementation Name: openssh -Version: 1.2.1pre19 +Version: 1.2.1pre20 Release: 1 Packager: Damien Miller Source0: openssh-%{version}.tar.gz diff --git a/packages/redhat/sshd.pam b/packages/redhat/sshd.pam index f466f9ba..f0105502 100644 --- a/packages/redhat/sshd.pam +++ b/packages/redhat/sshd.pam @@ -1,5 +1,5 @@ #%PAM-1.0 -auth required /lib/security/pam_pwdb.so shadow +auth required /lib/security/pam_pwdb.so shadow nowait auth required /lib/security/pam_nologin.so account required /lib/security/pam_pwdb.so password required /lib/security/pam_cracklib.so diff --git a/packages/suse/openssh.spec b/packages/suse/openssh.spec index 4632763c..c649ef23 100644 --- a/packages/suse/openssh.spec +++ b/packages/suse/openssh.spec @@ -1,6 +1,6 @@ Summary: OpenSSH, a free Secure Shell (SSH) implementation Name: openssh -Version: 1.2.1pre19 +Version: 1.2.1pre20 Release: 1 Source0: openssh-%{version}.tar.gz Copyright: BSD diff --git a/sshd.c b/sshd.c index 448ca596..9c570ab8 100644 --- a/sshd.c +++ b/sshd.c @@ -11,7 +11,7 @@ */ #include "includes.h" -RCSID("$Id: sshd.c,v 1.39 1999/12/14 04:43:03 damien Exp $"); +RCSID("$Id: sshd.c,v 1.40 1999/12/24 23:11:29 damien Exp $"); #ifdef HAVE_POLL_H # include @@ -146,6 +146,7 @@ void do_child(const char *command, struct passwd * pw, const char *term, #ifdef HAVE_LIBPAM static int pamconv(int num_msg, const struct pam_message **msg, struct pam_response **resp, void *appdata_ptr); +int do_pam_auth(const char *user, const char *password); void do_pam_account(char *username, char *remote_user); void do_pam_session(char *username, char *ttyname); void pam_cleanup_proc(void *context); @@ -237,6 +238,23 @@ void pam_cleanup_proc(void *context) } } +int do_pam_auth(const char *user, const char *password) +{ + int pam_retval; + + pampasswd = password; + + pam_retval = pam_authenticate((pam_handle_t *)pamh, 0); + if (pam_retval == PAM_SUCCESS) { + log("PAM Password authentication accepted for user \"%.100s\"", user); + return 1; + } else { + log("PAM Password authentication for \"%.100s\" failed: %s", + user, PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); + return 0; + } +} + void do_pam_account(char *username, char *remote_user) { int pam_retval; @@ -1292,7 +1310,11 @@ do_authentication(char *user) #ifdef KRB4 (!options.kerberos_authentication || options.kerberos_or_local_passwd) && #endif /* KRB4 */ +#ifdef HAVE_LIBPAM + do_pam_auth(pw->pw_name, "")) { +#else /* HAVE_LIBPAM */ auth_password(pw, "")) { +#endif /* HAVE_LIBPAM */ /* Authentication with empty password succeeded. */ log("Login for user %s from %.100s, accepted without authentication.", pw->pw_name, get_remote_ipaddr()); @@ -1503,29 +1525,14 @@ do_authloop(struct passwd * pw) #ifdef HAVE_LIBPAM /* Do PAM auth with password */ - pampasswd = password; - pam_retval = pam_authenticate((pam_handle_t *)pamh, 0); - if (pam_retval == PAM_SUCCESS) { - log("PAM Password authentication accepted for user \"%.100s\"", pw->pw_name); - memset(password, 0, strlen(password)); - xfree(password); - authenticated = 1; - break; - } - - log("PAM Password authentication for \"%.100s\" failed: %s", - pw->pw_name, PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); - memset(password, 0, strlen(password)); - xfree(password); - break; + authenticated = do_pam_auth(pw->pw_name, password); #else /* HAVE_LIBPAM */ /* Try authentication with the password. */ authenticated = auth_password(pw, password); - +#endif /* HAVE_LIBPAM */ memset(password, 0, strlen(password)); xfree(password); break; -#endif /* HAVE_LIBPAM */ #ifdef SKEY case SSH_CMSG_AUTH_TIS: diff --git a/sshd.pam.generic b/sshd.pam.generic index 4ec2a2a0..8c4f32da 100644 --- a/sshd.pam.generic +++ b/sshd.pam.generic @@ -1,5 +1,5 @@ #%PAM-1.0 -auth required /lib/security/pam_unix.so shadow +auth required /lib/security/pam_unix.so shadow nowait auth required /lib/security/pam_nologin.so account required /lib/security/pam_unix.so password required /lib/security/pam_cracklib.so -- cgit v1.2.3