Expose list of completed auth methods to PAM

bz#2408; ok dtucker@
Damien Miller 2017-07-28 14:50:59 +10:00
Родитель c78e6eec78
Коммит 94bc1e7ffb
2 изменённых файлов: 46 добавлений и 6 удалений


@ -926,6 +926,27 @@ finish_pam(void)
sshpam_cleanup(); sshpam_cleanup();
} }
static void
expose_authinfo(const char *caller)
{
char *auth_info;
/*
* Expose authentication information to PAM.
* The enviornment variable is versioned. Please increment the
* version suffix if the format of session_info changes.
*/
if (sshpam_authctxt->session_info == NULL)
auth_info = xstrdup("");
else if ((auth_info = sshbuf_dup_string(
sshpam_authctxt->session_info)) == NULL)
fatal("%s: sshbuf_dup_string failed", __func__);
debug2("%s: auth information in SSH_AUTH_INFO_0", caller);
do_pam_putenv("SSH_AUTH_INFO_0", auth_info);
free(auth_info);
}
u_int u_int
do_pam_account(void) do_pam_account(void)
{ {
@ -933,6 +954,8 @@ do_pam_account(void)
if (sshpam_account_status != -1) if (sshpam_account_status != -1)
return (sshpam_account_status); return (sshpam_account_status);
expose_authinfo(__func__);
sshpam_err = pam_acct_mgmt(sshpam_handle, 0); sshpam_err = pam_acct_mgmt(sshpam_handle, 0);
debug3("PAM: %s pam_acct_mgmt = %d (%s)", __func__, sshpam_err, debug3("PAM: %s pam_acct_mgmt = %d (%s)", __func__, sshpam_err,
pam_strerror(sshpam_handle, sshpam_err)); pam_strerror(sshpam_handle, sshpam_err));
@ -1057,6 +1080,9 @@ void
do_pam_session(void) do_pam_session(void)
{ {
debug3("PAM: opening session"); debug3("PAM: opening session");
expose_authinfo(__func__);
sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
(const void *)&store_conv); (const void *)&store_conv);
if (sshpam_err != PAM_SUCCESS) if (sshpam_err != PAM_SUCCESS)
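Review bot: The return value of `do_pam_putenv()` in expose_authinfo is discarded, so a failure to post SSH_AUTH_INFO_0 would go unnoticed and a PAM module relying on it could see stale or missing data; if do_pam_putenv reports failure through its return value as pam_putenv does, `if (do_pam_putenv("SSH_AUTH_INFO_0", auth_info) != 0) debug("%s: failed to set SSH_AUTH_INFO_0", caller);` would at least log it. expose_authinfo also dereferences `sshpam_authctxt` unconditionally; both callers appear to run only once a PAM handle exists, but a comment stating that precondition on the new helper would make it explicit. The block comment in expose_authinfo reads "enviornment" and should read "environment". The enclosing do_pam_account and do_pam_session both continue outside their hunks.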


@ -984,8 +984,9 @@ read_etc_default_login(char ***env, u_int *envsize, uid_t uid)
} }
#endif /* HAVE_ETC_DEFAULT_LOGIN */ #endif /* HAVE_ETC_DEFAULT_LOGIN */
void static void
copy_environment(char **source, char ***env, u_int *envsize) copy_environment_blacklist(char **source, char ***env, u_int *envsize,
const char *blacklist)
{ {
char *var_name, *var_val; char *var_name, *var_val;
int i; int i;
@ -1001,13 +1002,22 @@ copy_environment(char **source, char ***env, u_int *envsize)
} }
*var_val++ = '\0'; *var_val++ = '\0';
debug3("Copy environment: %s=%s", var_name, var_val); if (blacklist == NULL ||
child_set_env(env, envsize, var_name, var_val); match_pattern_list(var_name, blacklist, 0) != 1) {
debug3("Copy environment: %s=%s", var_name, var_val);
child_set_env(env, envsize, var_name, var_val);
}
free(var_name); free(var_name);
} }
} }
void
copy_environment(char **source, char ***env, u_int *envsize)
{
copy_environment_blacklist(source, env, envsize, NULL);
}
static char ** static char **
do_setup_env(Session *s, const char *shell) do_setup_env(Session *s, const char *shell)
{ {
@ -1169,12 +1179,16 @@ do_setup_env(Session *s, const char *shell)
if (options.use_pam) { if (options.use_pam) {
char **p; char **p;
/*
* Don't allow SSH_AUTH_INFO variables posted to PAM to leak
* back into the environment.
*/
p = fetch_pam_child_environment(); p = fetch_pam_child_environment();
copy_environment(p, &env, &envsize); copy_environment_blacklist(p, &env, &envsize, "SSH_AUTH_INFO*");
free_pam_environment(p); free_pam_environment(p);
p = fetch_pam_environment(); p = fetch_pam_environment();
copy_environment(p, &env, &envsize); copy_environment_blacklist(p, &env, &envsize, "SSH_AUTH_INFO*");
free_pam_environment(p); free_pam_environment(p);
} }
#endif /* USE_PAM */ #endif /* USE_PAM */
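Review bot: A variable rejected by the blacklist in copy_environment_blacklist leaves no trace in the debug log, because the debug3 line now fires only for variables that are copied; an else branch such as `} else debug3("Skipping environment variable %s (matches blacklist)", var_name);` would make a blocked SSH_AUTH_INFO* value visible when debugging PAM module interactions. The pattern "SSH_AUTH_INFO*" is repeated verbatim in the two do_setup_env calls and must stay consistent with the SSH_AUTH_INFO_0 name set on the PAM side; a single shared `#define` used by both call sites would keep them from drifting apart. copy_environment_blacklist starts in the first hunk and its body continues into the second, and the do_setup_env hunk shows only a fragment of that function.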