1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
|
/*
* Copyright (c) 2000 Damien Miller. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include "includes.h"
#ifdef USE_PAM
#include <security/pam_appl.h>
#include "ssh.h"
#include "xmalloc.h"
#include "log.h"
#include "servconf.h"
#include "readpass.h"
#include "canohost.h"
RCSID("$FreeBSD$");
#define NEW_AUTHTOK_MSG \
"Warning: Your password has expired, please change it now"
#define SSHD_PAM_SERVICE "sshd"
#define PAM_STRERROR(a, b) pam_strerror((a), (b))
/* Callbacks */
static int do_pam_conversation(int num_msg, const struct pam_message **msg,
struct pam_response **resp, void *appdata_ptr);
void do_pam_cleanup_proc(void *context);
void pam_msg_cat(const char *msg);
/* module-local variables */
static struct pam_conv conv = {
do_pam_conversation,
NULL
};
static pam_handle_t *pamh = NULL;
static const char *pampasswd = NULL;
static char *pam_msg = NULL;
extern ServerOptions options;
/* states for do_pam_conversation() */
typedef enum { INITIAL_LOGIN, OTHER } pamstates;
static pamstates pamstate = INITIAL_LOGIN;
/* remember whether pam_acct_mgmt() returned PAM_NEWAUTHTOK_REQD */
static int password_change_required = 0;
/* remember whether the last pam_authenticate() succeeded or not */
static int was_authenticated = 0;
/* Remember what has been initialised */
static int session_opened = 0;
static int creds_set = 0;
/*
* accessor which allows us to switch conversation structs according to
* the authentication method being used
*/
void do_pam_set_conv(struct pam_conv *conv)
{
pam_set_item(pamh, PAM_CONV, conv);
}
/*
* PAM conversation function.
* There are two states this can run in.
*
* INITIAL_LOGIN mode simply feeds the password from the client into
* PAM in response to PAM_PROMPT_ECHO_OFF, and collects output
* messages with pam_msg_cat(). This is used during initial
* authentication to bypass the normal PAM password prompt.
*
* OTHER mode handles PAM_PROMPT_ECHO_OFF with read_passphrase(prompt, 1)
* and outputs messages to stderr. This mode is used if pam_chauthtok()
* is called to update expired passwords.
*/
static int do_pam_conversation(int num_msg, const struct pam_message **msg,
struct pam_response **resp, void *appdata_ptr)
{
struct pam_response *reply;
int count;
char buf[1024];
/* PAM will free this later */
reply = malloc(num_msg * sizeof(*reply));
if (reply == NULL)
return PAM_CONV_ERR;
for (count = 0; count < num_msg; count++) {
switch ((*msg)[count].msg_style) {
case PAM_PROMPT_ECHO_ON:
if (pamstate == INITIAL_LOGIN) {
free(reply);
return PAM_CONV_ERR;
} else {
fputs((*msg)[count].msg, stderr);
fgets(buf, sizeof(buf), stdin);
reply[count].resp = xstrdup(buf);
reply[count].resp_retcode = PAM_SUCCESS;
break;
}
case PAM_PROMPT_ECHO_OFF:
if (pamstate == INITIAL_LOGIN) {
if (pampasswd == NULL) {
free(reply);
return PAM_CONV_ERR;
}
reply[count].resp = xstrdup(pampasswd);
} else {
reply[count].resp =
xstrdup(read_passphrase((*msg)[count].msg, 1));
}
reply[count].resp_retcode = PAM_SUCCESS;
break;
case PAM_ERROR_MSG:
case PAM_TEXT_INFO:
if ((*msg)[count].msg != NULL) {
if (pamstate == INITIAL_LOGIN)
pam_msg_cat((*msg)[count].msg);
else {
fputs((*msg)[count].msg, stderr);
fputs("\n", stderr);
}
}
reply[count].resp = xstrdup("");
reply[count].resp_retcode = PAM_SUCCESS;
break;
default:
free(reply);
return PAM_CONV_ERR;
}
}
*resp = reply;
return PAM_SUCCESS;
}
/* Called at exit to cleanly shutdown PAM */
void do_pam_cleanup_proc(void *context)
{
int pam_retval;
if (pamh != NULL && session_opened) {
pam_retval = pam_close_session(pamh, 0);
if (pam_retval != PAM_SUCCESS) {
log("Cannot close PAM session[%d]: %.200s",
pam_retval, PAM_STRERROR(pamh, pam_retval));
}
}
if (pamh != NULL && creds_set) {
pam_retval = pam_setcred(pamh, PAM_DELETE_CRED);
if (pam_retval != PAM_SUCCESS) {
debug("Cannot delete credentials[%d]: %.200s",
pam_retval, PAM_STRERROR(pamh, pam_retval));
}
}
if (pamh != NULL) {
pam_retval = pam_end(pamh, pam_retval);
if (pam_retval != PAM_SUCCESS) {
log("Cannot release PAM authentication[%d]: %.200s",
pam_retval, PAM_STRERROR(pamh, pam_retval));
}
}
}
/* Attempt password authentation using PAM */
int auth_pam_password(Authctxt *authctxt, const char *password)
{
struct passwd *pw = authctxt->pw;
int pam_retval;
do_pam_set_conv(&conv);
/* deny if no user. */
if (pw == NULL)
return 0;
if (pw->pw_uid == 0 && options.permit_root_login == 2)
return 0;
if (*password == '\0' && options.permit_empty_passwd == 0)
return 0;
pampasswd = password;
pamstate = INITIAL_LOGIN;
pam_retval = pam_authenticate(pamh, 0);
was_authenticated = (pam_retval == PAM_SUCCESS);
if (pam_retval == PAM_SUCCESS) {
debug("PAM Password authentication accepted for user \"%.100s\"",
pw->pw_name);
return 1;
} else {
debug("PAM Password authentication for \"%.100s\" failed[%d]: %s",
pw->pw_name, pam_retval, PAM_STRERROR(pamh, pam_retval));
return 0;
}
}
/* Do account management using PAM */
int do_pam_account(char *username, char *remote_user)
{
int pam_retval;
do_pam_set_conv(&conv);
debug("PAM setting rhost to \"%.200s\"",
get_canonical_hostname(options.verify_reverse_mapping));
pam_retval = pam_set_item(pamh, PAM_RHOST,
get_canonical_hostname(options.verify_reverse_mapping));
if (pam_retval != PAM_SUCCESS) {
fatal("PAM set rhost failed[%d]: %.200s",
pam_retval, PAM_STRERROR(pamh, pam_retval));
}
if (remote_user != NULL) {
debug("PAM setting ruser to \"%.200s\"", remote_user);
pam_retval = pam_set_item(pamh, PAM_RUSER, remote_user);
if (pam_retval != PAM_SUCCESS) {
fatal("PAM set ruser failed[%d]: %.200s",
pam_retval, PAM_STRERROR(pamh, pam_retval));
}
}
pam_retval = pam_acct_mgmt(pamh, 0);
switch (pam_retval) {
case PAM_SUCCESS:
/* This is what we want */
break;
case PAM_NEW_AUTHTOK_REQD:
pam_msg_cat(NEW_AUTHTOK_MSG);
/* flag that password change is necessary */
password_change_required = 1;
break;
default:
log("PAM rejected by account configuration[%d]: %.200s",
pam_retval, PAM_STRERROR(pamh, pam_retval));
return(0);
}
return(1);
}
/* Do PAM-specific session initialisation */
void do_pam_session(char *username, const char *ttyname)
{
int pam_retval;
do_pam_set_conv(&conv);
if (ttyname != NULL) {
debug("PAM setting tty to \"%.200s\"", ttyname);
pam_retval = pam_set_item(pamh, PAM_TTY, ttyname);
if (pam_retval != PAM_SUCCESS) {
fatal("PAM set tty failed[%d]: %.200s",
pam_retval, PAM_STRERROR(pamh, pam_retval));
}
}
debug("do_pam_session: euid %u, uid %u", geteuid(), getuid());
pam_retval = pam_open_session(pamh, 0);
if (pam_retval != PAM_SUCCESS) {
fatal("PAM session setup failed[%d]: %.200s",
pam_retval, PAM_STRERROR(pamh, pam_retval));
}
session_opened = 1;
}
/* Set PAM credentials */
void do_pam_setcred(void)
{
int pam_retval;
do_pam_set_conv(&conv);
debug("PAM establishing creds");
pam_retval = pam_setcred(pamh, PAM_ESTABLISH_CRED);
if (pam_retval != PAM_SUCCESS) {
if (was_authenticated)
fatal("PAM setcred failed[%d]: %.200s",
pam_retval, PAM_STRERROR(pamh, pam_retval));
else
debug("PAM setcred failed[%d]: %.200s",
pam_retval, PAM_STRERROR(pamh, pam_retval));
} else
creds_set = 1;
}
/* accessor function for file scope static variable */
int pam_password_change_required(void)
{
return password_change_required;
}
/*
* Have user change authentication token if pam_acct_mgmt() indicated
* it was expired. This needs to be called after an interactive
* session is established and the user's pty is connected to
* stdin/stout/stderr.
*/
void do_pam_chauthtok(void)
{
int pam_retval;
do_pam_set_conv(&conv);
if (password_change_required) {
pamstate = OTHER;
/*
* XXX: should we really loop forever?
*/
do {
pam_retval = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
if (pam_retval != PAM_SUCCESS) {
log("PAM pam_chauthtok failed[%d]: %.200s",
pam_retval, PAM_STRERROR(pamh, pam_retval));
}
} while (pam_retval != PAM_SUCCESS);
}
}
/* Cleanly shutdown PAM */
void finish_pam(void)
{
do_pam_cleanup_proc(NULL);
fatal_remove_cleanup(&do_pam_cleanup_proc, NULL);
}
/* Start PAM authentication for specified account */
void start_pam(struct passwd *pw)
{
int pam_retval;
debug("Starting up PAM with username \"%.200s\"", pw->pw_name);
pam_retval = pam_start(SSHD_PAM_SERVICE, pw->pw_name, &conv, &pamh);
if (pam_retval != PAM_SUCCESS) {
fatal("PAM initialisation failed[%d]: %.200s",
pam_retval, PAM_STRERROR(pamh, pam_retval));
}
#ifdef PAM_TTY_KLUDGE
/*
* Some PAM modules (e.g. pam_time) require a TTY to operate,
* and will fail in various stupid ways if they don't get one.
* sshd doesn't set the tty until too late in the auth process and may
* not even need one (for tty-less connections)
* Kludge: Set a fake PAM_TTY
*/
pam_retval = pam_set_item(pamh, PAM_TTY, "ssh");
if (pam_retval != PAM_SUCCESS) {
fatal("PAM set tty failed[%d]: %.200s",
pam_retval, PAM_STRERROR(pamh, pam_retval));
}
#endif /* PAM_TTY_KLUDGE */
fatal_add_cleanup(&do_pam_cleanup_proc, NULL);
}
/* Return list of PAM enviornment strings */
char **fetch_pam_environment(void)
{
#ifdef HAVE_PAM_GETENVLIST
return(pam_getenvlist(pamh));
#else /* HAVE_PAM_GETENVLIST */
return(NULL);
#endif /* HAVE_PAM_GETENVLIST */
}
/* Print any messages that have been generated during authentication */
/* or account checking to stderr */
void print_pam_messages(void)
{
if (pam_msg != NULL)
fputs(pam_msg, stderr);
}
/* Append a message to the PAM message buffer */
void pam_msg_cat(const char *msg)
{
char *p;
size_t new_msg_len;
size_t pam_msg_len;
new_msg_len = strlen(msg);
if (pam_msg) {
pam_msg_len = strlen(pam_msg);
pam_msg = xrealloc(pam_msg, new_msg_len + pam_msg_len + 2);
p = pam_msg + pam_msg_len;
} else {
pam_msg = p = xmalloc(new_msg_len + 2);
}
memcpy(p, msg, new_msg_len);
p[new_msg_len] = '\n';
p[new_msg_len + 1] = '\0';
}
struct inverted_pam_userdata {
/*
* Pipe for telling whether we are doing conversation or sending
* authentication results.
*/
int statefd[2];
int challengefd[2];
int responsefd[2];
/* Whether we have sent off our challenge */
int state;
};
#define STATE_CONV 1
#define STATE_AUTH_OK 2
#define STATE_AUTH_FAIL 3
int
ssh_conv(int num_msg, const struct pam_message **msg, struct pam_response **resp,
void *userdata) {
int i;
FILE *reader;
char buf[1024];
struct pam_response *reply = NULL;
char state_to_write = STATE_CONV; /* One char to write */
struct inverted_pam_userdata *ud = userdata;
char *response = NULL;
/* The stdio functions are more convenient for the read half */
reader = fdopen(ud->responsefd[0], "rb");
if (reader == NULL)
goto protocol_failure;
reply = malloc(num_msg * sizeof(struct pam_response));
if (reply == NULL)
return PAM_CONV_ERR;
if (write(ud->statefd[1], &state_to_write, 1) != 1)
goto protocol_failure;
/*
* Re-package our data and send it off to our better half (the actual SSH
* process)
*/
if (write(ud->challengefd[1], buf,
sprintf(buf, "%d\n", num_msg)) == -1)
goto protocol_failure;
for (i = 0; i < num_msg; i++) {
if (write(ud->challengefd[1], buf,
sprintf(buf, "%d\n", msg[i]->msg_style)) == -1)
goto protocol_failure;
if (write(ud->challengefd[1], buf,
sprintf(buf, "%d\n", strlen(msg[i]->msg))) == -1)
goto protocol_failure;
if (write(ud->challengefd[1], msg[i]->msg,
strlen(msg[i]->msg)) == -1)
goto protocol_failure;
}
/*
* Read back responses. These may not be as nice as we want, as the SSH
* protocol isn't exactly a perfect fit with PAM.
*/
for (i = 0; i < num_msg; i++) {
char buf[1024];
char *endptr;
size_t len; /* Length of the response */
switch (msg[i]->msg_style) {
case PAM_PROMPT_ECHO_OFF:
case PAM_PROMPT_ECHO_ON:
if (fgets(buf, sizeof(buf), reader) == NULL)
goto protocol_failure;
len = (size_t)strtoul(buf, &endptr, 10);
/* The length is supposed to stand on a line by itself */
if (endptr == NULL || *endptr != '\n')
goto protocol_failure;
response = malloc(len+1);
if (response == NULL)
goto protocol_failure;
if (fread(response, len, 1, reader) != 1)
goto protocol_failure;
response[len] = '\0';
reply[i].resp = response;
response = NULL;
break;
default:
reply[i].resp = NULL;
break;
}
}
*resp = reply;
return PAM_SUCCESS;
protocol_failure:
free(reply);
return PAM_CONV_ERR;
}
void
ipam_free_cookie(struct inverted_pam_cookie *cookie) {
struct inverted_pam_userdata *ud;
int i;
if (cookie == NULL)
return;
ud = cookie->userdata;
cookie->userdata = NULL;
/* Free userdata if allocated */
if (ud) {
/* Close any opened file descriptors */
if (ud->statefd[0] != -1)
close(ud->statefd[0]);
if (ud->statefd[1] != -1)
close(ud->statefd[1]);
if (ud->challengefd[0] != -1)
close(ud->challengefd[0]);
if (ud->challengefd[1] != -1)
close(ud->challengefd[1]);
if (ud->responsefd[0] != -1)
close(ud->responsefd[0]);
if (ud->responsefd[1] != -1)
close(ud->responsefd[1]);
free(ud);
ud = NULL;
}
/* Now free the normal cookie */
if (cookie->pid != 0 && cookie->pid != -1) {
int status;
/* XXX Use different signal? */
kill(cookie->pid, SIGKILL);
waitpid(cookie->pid, &status, 0);
}
for (i = 0; i < cookie->num_msg; i++) {
if (cookie->resp && cookie->resp[i]) {
free(cookie->resp[i]->resp);
free(cookie->resp[i]);
}
if (cookie->msg && cookie->msg[i]) {
free((void *)cookie->msg[i]->msg);
free(cookie->msg[i]);
}
}
free(cookie->msg);
free(cookie->resp);
free(cookie);
}
/*
* Do first half of PAM authentication - this comes to the point where
* you get a message to send to the user.
*/
struct inverted_pam_cookie *
ipam_start_auth(const char *service, const char *username) {
struct inverted_pam_cookie *cookie;
struct inverted_pam_userdata *ud;
static struct pam_conv conv = {
ssh_conv,
NULL
};
const char *rhost;
cookie = malloc(sizeof(*cookie));
if (cookie == NULL)
return NULL;
cookie->state = 0;
/* Set up the cookie so ipam_freecookie can be used on it */
cookie->num_msg = 0;
cookie->msg = NULL;
cookie->resp = NULL;
cookie->pid = -1;
ud = calloc(sizeof(*ud), 1);
if (ud == NULL) {
free(cookie);
return NULL;
}
cookie->userdata = ud;
ud->statefd[0] = ud->statefd[1] = -1;
ud->challengefd[0] = ud->challengefd[1] = -1;
ud->responsefd[0] = ud->responsefd[1] = -1;
if (pipe(ud->statefd) != 0) {
ud->statefd[0] = ud->statefd[1] = -1;
ipam_free_cookie(cookie);
return NULL;
}
if (pipe(ud->challengefd) != 0) {
ud->challengefd[0] = ud->challengefd[1] = -1;
ipam_free_cookie(cookie);
return NULL;
}
if (pipe(ud->responsefd) != 0) {
ud->responsefd[0] = ud->responsefd[1] = -1;
ipam_free_cookie(cookie);
return NULL;
}
rhost = get_canonical_hostname(options.verify_reverse_mapping);
cookie->pid = fork();
if (cookie->pid == -1) {
ipam_free_cookie(cookie);
return NULL;
} else if (cookie->pid != 0) {
int num_msgs; /* Number of messages from PAM */
char *endptr;
char buf[1024];
FILE *reader;
size_t num_msg;
int i;
char state; /* Which state did the connection just enter? */
/* We are the parent - wait for a call to the communications
function to turn up, or the challenge to be finished */
if (read(ud->statefd[0], &state, 1) != 1) {
ipam_free_cookie(cookie);
return NULL;
}
cookie->state = state;
switch (state) {
case STATE_CONV:
/* We are running the conversation function */
/* The stdio functions are more convenient for read */
reader = fdopen(ud->challengefd[0], "r");
if (reader == NULL) {
ipam_free_cookie(cookie);
return NULL;
}
if (fgets(buf, 4, reader) == NULL) {
fclose(reader);
ipam_free_cookie(cookie);
return NULL;
}
num_msg = (size_t)strtoul(buf, &endptr, 10);
/* The length is supposed to stand on a line by itself */
if (endptr == NULL || *endptr != '\n') {
fclose(reader);
ipam_free_cookie(cookie);
return NULL;
}
cookie->msg =
malloc(sizeof(struct pam_message *) * num_msg);
cookie->resp =
malloc(sizeof(struct pam_response *) * num_msg);
if (cookie->msg == NULL || cookie->resp == NULL) {
fclose(reader);
ipam_free_cookie(cookie);
return NULL;
}
for (i = 0; i < num_msg; i++) {
cookie->msg[i] =
malloc(sizeof(struct pam_message));
cookie->resp[i] =
malloc(sizeof(struct pam_response));
if (cookie->msg[i] == NULL ||
cookie->resp[i] == NULL) {
for (;;) {
free(cookie->msg[i]);
free(cookie->resp[i]);
if (i == 0)
break;
i--;
}
fclose(reader);
ipam_free_cookie(cookie);
return NULL;
}
cookie->msg[i]->msg = NULL;
cookie->resp[i]->resp = NULL;
cookie->resp[i]->resp_retcode = 0;
}
/* Set up so the above will be freed on failure */
cookie->num_msg = num_msg;
/*
* We have a an allocated response and message for
* each of the entries in the PAM structure - transfer
* the data sent to the conversation function over.
*/
for (i = 0; i < num_msg; i++) {
size_t len;
if (fgets(buf, sizeof(buf), reader) == NULL) {
fclose(reader);
ipam_free_cookie(cookie);
return NULL;
}
cookie->msg[i]->msg_style =
(size_t)strtoul(buf, &endptr, 10);
if (endptr == NULL || *endptr != '\n') {
fclose(reader);
ipam_free_cookie(cookie);
return NULL;
}
if (fgets(buf, sizeof(buf), reader) == NULL) {
fclose(reader);
ipam_free_cookie(cookie);
return NULL;
}
len = (size_t)strtoul(buf, &endptr, 10);
if (endptr == NULL || *endptr != '\n') {
fclose(reader);
ipam_free_cookie(cookie);
return NULL;
}
cookie->msg[i]->msg = malloc(len + 1);
if (cookie->msg[i]->msg == NULL) {
fclose(reader);
ipam_free_cookie(cookie);
return NULL;
}
if (fread((char *)cookie->msg[i]->msg, len, 1, reader) !=
1) {
fclose(reader);
ipam_free_cookie(cookie);
return NULL;
}
*(char *)&(cookie->msg[i]->msg[len]) = '\0';
}
break;
case STATE_AUTH_OK:
case STATE_AUTH_FAIL:
break;
default:
/* Internal failure, somehow */
fclose(reader);
ipam_free_cookie(cookie);
return NULL;
}
return cookie;
} else {
/* We are the child */
pam_handle_t *pamh=NULL;
int retval;
char state;
conv.appdata_ptr = ud;
retval = pam_start(service, username, &conv, &pamh);
fprintf(stderr, "pam_start returned %d\n", retval);
if (retval == PAM_SUCCESS)
retval = pam_set_item(pamh, PAM_RHOST, rhost);
/* Is user really user? */
if (retval == PAM_SUCCESS)
retval = pam_authenticate(pamh, 0);
/* permitted access? */
if (retval == PAM_SUCCESS)
retval = pam_acct_mgmt(pamh, 0);
/* This is where we have been authorized or not. */
/* Be conservative - flag as auth failure if we can't close */
/*
* XXX This is based on example code from Linux-PAM -
* but can it really be correct to pam_end if
* pam_start failed?
*/
if (pam_end(pamh, retval) != PAM_SUCCESS)
retval = PAM_AUTH_ERR;
/* Message to parent */
state = retval == PAM_SUCCESS ? STATE_AUTH_OK : STATE_AUTH_FAIL;
if (write(ud->statefd[1], &state, 1) != 1) {
_exit(1);
}
/* FDs will be closed, so further communication will stop */
_exit(0);
}
}
/*
* Do second half of PAM authentication - cookie should now be filled
* in with the response to the challenge.
*/
int
ipam_complete_auth(struct inverted_pam_cookie *cookie) {
int i;
char buf[1024];
struct inverted_pam_userdata *ud = cookie->userdata;
char state;
/* Send over our responses */
for (i = 0; i < cookie->num_msg; i++) {
if (cookie->msg[i]->msg_style != PAM_PROMPT_ECHO_ON &&
cookie->msg[i]->msg_style != PAM_PROMPT_ECHO_OFF)
continue;
if (write(ud->responsefd[1], buf,
sprintf(buf, "%d\n", strlen(cookie->resp[i]->resp))) == -1) {
ipam_free_cookie(cookie);
return 0;
}
if (write(ud->responsefd[1], cookie->resp[i]->resp,
strlen(cookie->resp[i]->resp)) == -1) {
ipam_free_cookie(cookie);
return 0;
}
}
/* Find out what state we are changing to */
if (read(ud->statefd[0], &state, 1) != 1) {
ipam_free_cookie(cookie);
return 0;
}
return state == STATE_AUTH_OK ? 1 : 0;
}
#endif /* USE_PAM */
|
