diff options
| author | des <des@FreeBSD.org> | 2005-09-21 16:08:40 +0000 |
|---|---|---|
| committer | des <des@FreeBSD.org> | 2005-09-21 16:08:40 +0000 |
| commit | 4ee54de329836e5788a7c6ce501d5a3403795925 (patch) | |
| tree | 0f164e6323711665c7ca1550a285a6337e2f5252 /lib | |
| parent | 6fae9305e00796d1c3330ed161c9b6e731378efa (diff) | |
| download | FreeBSD-src-4ee54de329836e5788a7c6ce501d5a3403795925.zip FreeBSD-src-4ee54de329836e5788a7c6ce501d5a3403795925.tar.gz | |
Narrow the use of user credentials.
Fix one case where openpam_restore_cred() might be called twice in a row.
MFC after: 3 days
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/libpam/modules/pam_ssh/pam_ssh.c | 24 |
1 files changed, 10 insertions, 14 deletions
diff --git a/lib/libpam/modules/pam_ssh/pam_ssh.c b/lib/libpam/modules/pam_ssh/pam_ssh.c index 719178c..0d0b130 100644 --- a/lib/libpam/modules/pam_ssh/pam_ssh.c +++ b/lib/libpam/modules/pam_ssh/pam_ssh.c @@ -151,21 +151,19 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, if (pwd->pw_dir == NULL) return (PAM_AUTH_ERR); - /* switch to user credentials */ - pam_err = openpam_borrow_cred(pamh, pwd); - if (pam_err != PAM_SUCCESS) - return (pam_err); - pass = (pam_get_item(pamh, PAM_AUTHTOK, (const void **)&passphrase) == PAM_SUCCESS); load_keys: /* get passphrase */ pam_err = pam_get_authtok(pamh, PAM_AUTHTOK, &passphrase, pam_ssh_prompt); - if (pam_err != PAM_SUCCESS) { - openpam_restore_cred(pamh); + if (pam_err != PAM_SUCCESS) + return (pam_err); + + /* switch to user credentials */ + pam_err = openpam_borrow_cred(pamh, pwd); + if (pam_err != PAM_SUCCESS) return (pam_err); - } /* try to load keys from all keyfiles we know of */ nkeys = 0; @@ -177,6 +175,9 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, } } + /* switch back to arbitrator credentials */ + openpam_restore_cred(pamh); + /* * If we tried an old token and didn't get anything, and * try_first_pass was specified, try again after prompting the @@ -189,9 +190,6 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, goto load_keys; } - /* switch back to arbitrator credentials before returning */ - openpam_restore_cred(pamh); - /* no keys? */ if (nkeys == 0) return (PAM_AUTH_ERR); @@ -255,10 +253,8 @@ pam_ssh_start_agent(pam_handle_t *pamh) FILE *f; /* get a pipe which we will use to read the agent's output */ - if (pipe(agent_pipe) == -1) { - openpam_restore_cred(pamh); + if (pipe(agent_pipe) == -1) return (PAM_SYSTEM_ERR); - } /* start the agent */ openpam_log(PAM_LOG_DEBUG, "starting an ssh agent"); |
