Diffstat (limited to 'security/openssh/files/patch-auth1.c')
-rw-r--r-- | security/openssh/files/patch-auth1.c | 116 |
1 files changed, 101 insertions, 15 deletions
diff --git a/security/openssh/files/patch-auth1.c b/security/openssh/files/patch-auth1.c index c579f61..1db999b 100644 --- a/security/openssh/files/patch-auth1.c +++ b/security/openssh/files/patch-auth1.c @@ -1,25 +1,38 @@ ---- auth1.c.orig Wed Apr 10 10:21:47 2002 -+++ auth1.c Thu May 23 13:07:12 2002 -@@ -75,6 +75,18 @@ +--- auth1.c.orig Wed Jun 19 02:27:55 2002 ++++ auth1.c Mon Jun 24 21:18:53 2002 +@@ -27,6 +27,14 @@ + #include "uidswap.h" + #include "monitor_wrap.h" + ++#ifdef HAVE_LOGIN_CAP ++#include <login_cap.h> ++#endif /* HAVE_LOGIN_CAP */ ++#ifdef USE_PAM ++#include "auth-pam.h" ++#include <security/pam_appl.h> ++#endif /* USE_PAM */ ++ + /* import */ + extern ServerOptions options; + +@@ -75,6 +83,16 @@ u_int ulen; int type = 0; struct passwd *pw = authctxt->pw; +#ifdef HAVE_LOGIN_CAP + login_cap_t *lc; -+#endif ++#endif /* HAVE_LOGIN_CAP */ +#ifdef USE_PAM + struct inverted_pam_cookie *pam_cookie; +#endif /* USE_PAM */ -+#if defined(HAVE_LOGIN_CAP) || defined(LOGIN_ACCESS) + const char *from_host, *from_ip; + + from_host = get_canonical_hostname(options.verify_reverse_mapping); + from_ip = get_remote_ipaddr(); -+#endif /* HAVE_LOGIN_CAP || LOGIN_ACCESS */ debug("Attempting authentication for %s%.100s.", authctxt->valid ? "" : "illegal user ", authctxt->user); -@@ -84,7 +96,11 @@ +@@ -84,7 +102,11 @@ #if defined(KRB4) || defined(KRB5) (!options.kerberos_authentication || options.kerberos_or_local_passwd) && #endif @@ -28,11 +41,11 @@ + PRIVSEP(auth_pam_password(authctxt, ""))) { +#else + PRIVSEP(auth_password(authctxt, ""))) { -+#endif ++#endif /* USE_PAM */ auth_log(authctxt, 1, "without authentication", ""); return; } -@@ -94,6 +110,8 @@ +@@ -94,6 +116,8 @@ packet_send(); packet_write_wait(); 
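Review bot: `pam_cookie` is declared without an initializer in the new `@@ -75,6 +83,16 @@` block, yet the `SSH_CMSG_AUTH_TIS_RESPONSE` case added later in this patch tests `pam_cookie != NULL` before using it. No assignment is visible between the declaration and the message loop, so a client that sends a response without first requesting a challenge would make the server read an indeterminate pointer before authentication. Declaring it as `struct inverted_pam_cookie *pam_cookie = NULL;` closes that gap. The function body starts and ends outside this hunk, so an initialization elsewhere cannot be ruled out from here.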
@@ -41,7 +54,70 @@ for (;;) { /* default to fail */ authenticated = 0; -@@ -284,6 +302,34 @@ +@@ -243,12 +267,48 @@ + packet_check_eom(); + + /* Try authentication with the password. */ +- authenticated = PRIVSEP(auth_password(authctxt, password)); ++ authenticated = ++#ifdef USE_PAM ++ PRIVSEP(auth_pam_password(authctxt, password)); ++#else ++ PRIVSEP(auth_password(authctxt, password)); ++#endif /* USE_PAM */ + + memset(password, 0, strlen(password)); + xfree(password); + break; + ++#ifdef USE_PAM ++ case SSH_CMSG_AUTH_TIS: ++ debug("rcvd SSH_CMSG_AUTH_TIS: Trying PAM"); ++ pam_cookie = ipam_start_auth("sshd", pw->pw_name); ++ /* We now have data available to send as a challenge */ ++ if (pam_cookie->num_msg != 1 || ++ (pam_cookie->msg[0]->msg_style != PAM_PROMPT_ECHO_OFF && ++ pam_cookie->msg[0]->msg_style != PAM_PROMPT_ECHO_ON)) { ++ /* We got several challenges or an unknown challenge type */ ++ ipam_free_cookie(pam_cookie); ++ pam_cookie = NULL; ++ break; ++ } ++ packet_start(SSH_SMSG_AUTH_TIS_CHALLENGE); ++ packet_put_string(pam_cookie->msg[0]->msg, strlen(pam_cookie->msg[0]->msg)); ++ packet_send(); ++ packet_write_wait(); ++ continue; ++ case SSH_CMSG_AUTH_TIS_RESPONSE: ++ debug("rcvd SSH_CMSG_AUTH_TIS_RESPONSE"); ++ if (pam_cookie != NULL) { ++ char *response = packet_get_string(&dlen); ++ ++ pam_cookie->resp[0]->resp = strdup(response); ++ xfree(response); ++ authenticated = ipam_complete_auth(pam_cookie); ++ ipam_free_cookie(pam_cookie); ++ pam_cookie = NULL; ++ } ++ break; ++#elif defined(SKEY) + case SSH_CMSG_AUTH_TIS: + debug("rcvd SSH_CMSG_AUTH_TIS"); + if (options.challenge_response_authentication == 1) { +@@ -275,6 +335,12 @@ + xfree(response); + } + break; ++#else ++ case SSH_CMSG_AUTH_TIS: ++ /* TIS Authentication is unsupported */ ++ log("TIS authentication unsupported."); ++ break; ++#endif + + default: + /* +@@ -284,6 +350,34 @@ log("Unknown message during authentication: type %d", type); break; } 
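Review bot: The new PAM `SSH_CMSG_AUTH_TIS` case dereferences `pw->pw_name` unconditionally, although other lines of this same patch guard `pw != NULL`, so a challenge request for an unknown user would dereference NULL before authentication. The case also drops the `options.challenge_response_authentication == 1` test that the `#elif defined(SKEY)` branch keeps, so turning challenge-response off in the configuration would not disable this path. The result of `ipam_start_auth()` is used without a NULL check. In the response case the client's answer is freed without being zeroed, unlike the password case just above, which calls `memset` first. The surrounding switch and loop begin and end outside the hunk; the guarded cases are sketched below.

```c
	case SSH_CMSG_AUTH_TIS:
		debug("rcvd SSH_CMSG_AUTH_TIS: Trying PAM");
		/* Same administrative switch the SKEY branch honours. */
		if (options.challenge_response_authentication != 1)
			break;
		/*
		 * pw is NULL for an unknown user.  Failing here still answers
		 * differently from a known user; a dummy challenge would hide that.
		 */
		if (pw == NULL)
			break;
		pam_cookie = ipam_start_auth("sshd", pw->pw_name);
		if (pam_cookie == NULL)
			break;
		/* ... unchanged: num_msg / msg_style check, challenge packet, continue ... */
	case SSH_CMSG_AUTH_TIS_RESPONSE:
		debug("rcvd SSH_CMSG_AUTH_TIS_RESPONSE");
		if (pam_cookie != NULL) {
			char *response = packet_get_string(&dlen);

			pam_cookie->resp[0]->resp = strdup(response);
			/* The answer may be a password: scrub before release. */
			memset(response, 0, strlen(response));
			xfree(response);
			/* ... unchanged: ipam_complete_auth, ipam_free_cookie, reset pam_cookie ... */
```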
@@ -76,14 +152,24 @@ #ifdef BSD_AUTH if (authctxt->as) { auth_close(authctxt->as); -@@ -302,6 +348,15 @@ - /* Log before sending the reply */ +@@ -299,9 +393,24 @@ + !auth_root_allowed(get_authname(type))) + authenticated = 0; + +- /* Log before sending the reply */ ++ if (pw != NULL && pw->pw_uid == 0) ++ log("ROOT LOGIN as '%.100s' from %.100s", ++ pw->pw_name, from_host); ++ ++ /* Log before ghT! ++sending the reply */ auth_log(authctxt, authenticated, get_authname(type), info); +#ifdef USE_PAM + if (authenticated && !do_pam_account(pw->pw_name, client_user)) + authenticated = 0; +#endif ++ + if (client_user != NULL) { + xfree(client_user); + client_user = NULL; @@ -92,14 +178,14 @@ if (authenticated) return; -@@ -354,6 +409,11 @@ +@@ -354,6 +463,11 @@ authctxt->valid = 1; else debug("do_authentication: illegal user %s", user); + +#ifdef USE_PAM -+ if (pw != NULL) -+ start_pam(pw); ++ if (authctxt->pw != NULL) ++ start_pam(authctxt->pw); +#endif setproctitle("%s%s", authctxt->pw ? user : "unknown", |
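Review bot: The added `ROOT LOGIN` message is gated only on `pw != NULL && pw->pw_uid == 0`, not on `authenticated`, so as far as the visible lines show every failed attempt against a uid-0 account would be logged as a root login, which pollutes the audit trail that detection relies on. Gate it with `if (authenticated && pw != NULL && pw->pw_uid == 0)`, and consider logging `from_ip` next to `from_host`, since the host name comes from a reverse lookup. Separately, `auth_log()` records the attempt before `do_pam_account()` can clear `authenticated`, so an account that PAM rejects may still be logged as accepted. Moving the `#ifdef USE_PAM` block above the `auth_log()` call would keep the log and the outcome consistent. The loop these lines sit in starts and ends outside the hunk.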