Mercurial > dropbear
annotate svr-authpam.c @ 1902:4a6725ac957c
Revert "Don't include sk keys at all in KEX list"
This reverts git commit f972813ecdc7bb981d25b5a63638bd158f1c8e72.
The sk algorithms need to remain in the sigalgs list so that they
are included in the server-sig-algs ext-info message sent by
the server. RFC8308 for server-sig-algs requires that all algorithms are
listed (though OpenSSH client 8.4p1 tested doesn't require that)
| field | value |
|---|---|
| author | Matt Johnston <matt@ucc.asn.au> |
| date | Thu, 24 Mar 2022 13:42:08 +0800 |
| parents | 258b57b208ae |
| children | |
Line source:

```c
/*
 * Dropbear SSH
 * 
 * Copyright (c) 2004 Martin Carlsson
 * Portions (c) 2004 Matt Johnston
 * All rights reserved.
 * 
 * Permission is hereby granted, free of charge, to any person obtaining a copy
 * of this software and associated documentation files (the "Software"), to deal
 * in the Software without restriction, including without limitation the rights
 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 * copies of the Software, and to permit persons to whom the Software is
 * furnished to do so, subject to the following conditions:
 * 
 * The above copyright notice and this permission notice shall be included in
 * all copies or substantial portions of the Software.
 * 
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 * SOFTWARE. */

/* Validates a user password using PAM */

#include "includes.h"
#include "session.h"
#include "buffer.h"
#include "dbutil.h"
#include "auth.h"

#if DROPBEAR_SVR_PAM_AUTH

#if defined(HAVE_SECURITY_PAM_APPL_H)
#include <security/pam_appl.h>
#elif defined (HAVE_PAM_PAM_APPL_H)
#include <pam/pam_appl.h>
#endif

struct UserDataS {
	char* user;
	char* passwd;
};

/* PAM conversation function - for now we only handle one message */
int 
pamConvFunc(int num_msg, 
		const struct pam_message **msg,
		struct pam_response **respp, 
		void *appdata_ptr) {

	int rc = PAM_SUCCESS;
	struct pam_response* resp = NULL;
	struct UserDataS* userDatap = (struct UserDataS*) appdata_ptr;
	unsigned int msg_len = 0;
	unsigned int i = 0;
	char * compare_message = NULL;

	TRACE(("enter pamConvFunc"))

	if (num_msg != 1) {
		/* If you're getting here - Dropbear probably can't support your pam
		 * modules. This whole file is a bit of a hack around lack of
		 * asynchronocity in PAM anyway. */
		dropbear_log(LOG_INFO, "pamConvFunc() called with >1 messages: not supported.");
		return PAM_CONV_ERR;
	}

	/* make a copy we can strip */
	compare_message = m_strdup((*msg)->msg);

	/* Make the string lowercase. */
	msg_len = strlen(compare_message);
	for (i = 0; i < msg_len; i++) {
		compare_message[i] = tolower(compare_message[i]);
	}

	/* If the string ends with ": ", remove the space.
	   ie "login: " vs "login:" */
	if (msg_len > 2 
			&& compare_message[msg_len-2] == ':' 
			&& compare_message[msg_len-1] == ' ') {
		compare_message[msg_len-1] = '\0';
	}

	switch((*msg)->msg_style) {

		case PAM_PROMPT_ECHO_OFF:

			if (!(strcmp(compare_message, "password:") == 0)) {
				/* We don't recognise the prompt as asking for a password,
				   so can't handle it. Add more above as required for
				   different pam modules/implementations. If you need
				   to add an entry here please mail the Dropbear developer */
				dropbear_log(LOG_NOTICE, "PAM unknown prompt '%s' (no echo)",
						compare_message);
				rc = PAM_CONV_ERR;
				break;
			}

			/* You have to read the PAM module-writers' docs (do we look like
			 * module writers? no.) to find out that the module will
			 * free the pam_response and its resp element - ie we _must_ malloc
			 * it here */
			resp = (struct pam_response*) m_malloc(sizeof(struct pam_response));
			memset(resp, 0, sizeof(struct pam_response));

			resp->resp = m_strdup(userDatap->passwd);
			m_burn(userDatap->passwd, strlen(userDatap->passwd));
			(*respp) = resp;
			break;


		case PAM_PROMPT_ECHO_ON:

			if (!(
				(strcmp(compare_message, "login:" ) == 0) 
				|| (strcmp(compare_message, "please enter username:") == 0)
				|| (strcmp(compare_message, "username:") == 0)
				)) {
				/* We don't recognise the prompt as asking for a username,
				   so can't handle it. Add more above as required for
				   different pam modules/implementations. If you need
				   to add an entry here please mail the Dropbear developer */
				dropbear_log(LOG_NOTICE, "PAM unknown prompt '%s' (with echo)",
						compare_message);
				rc = PAM_CONV_ERR;
				break;
			}

			/* You have to read the PAM module-writers' docs (do we look like
			 * module writers? no.) to find out that the module will
			 * free the pam_response and its resp element - ie we _must_ malloc
			 * it here */
			resp = (struct pam_response*) m_malloc(sizeof(struct pam_response));
			memset(resp, 0, sizeof(struct pam_response));

			resp->resp = m_strdup(userDatap->user);
			TRACE(("userDatap->user='%s'", userDatap->user))
			(*respp) = resp;
			break;

		case PAM_ERROR_MSG:
		case PAM_TEXT_INFO:

			if (msg_len > 0) {
				buffer * pam_err = buf_new(msg_len + 4);
				buf_setpos(pam_err, 0);
				buf_putbytes(pam_err, "\r\n", 2);
				buf_putbytes(pam_err, (*msg)->msg, msg_len);
				buf_putbytes(pam_err, "\r\n", 2);
				buf_setpos(pam_err, 0);

				send_msg_userauth_banner(pam_err);
				buf_free(pam_err);
			}
			break;

		default:
			TRACE(("Unknown message type"))
			rc = PAM_CONV_ERR;
			break;
	}

	m_free(compare_message);
	TRACE(("leave pamConvFunc, rc %d", rc))

	return rc;
}

/* Process a password auth request, sending success or failure messages as
 * appropriate. To the client it looks like it's doing normal password auth (as
 * opposed to keyboard-interactive or something), so the pam module has to be
 * fairly standard (ie just "what's your username, what's your password, OK").
 *
 * Keyboard interactive would be a lot nicer, but since PAM is synchronous, it
 * gets very messy trying to send the interactive challenges, and read the
 * interactive responses, over the network. */
void svr_auth_pam(int valid_user) {

	struct UserDataS userData = {NULL, NULL};
	struct pam_conv pamConv = {
		pamConvFunc,
		&userData /* submitted to pamvConvFunc as appdata_ptr */ 
	};
	const char* printable_user = NULL;

	pam_handle_t* pamHandlep = NULL;

	char * password = NULL;
```
propagate of 08347df3bca787bd3621602fe2b466c85c9dc3e2 and 717950f4061f1123659ee87c7c168805af920ab7 from branch 'matt.dbclient.rez' to 'matt.dbclient.authpam'
Matt Johnston <matt@ucc.asn.au>
parents:
57
diff
changeset
|
193 unsigned int passwordlen; |
3394a7cb30cd
propagate of 08347df3bca787bd3621602fe2b466c85c9dc3e2 and 717950f4061f1123659ee87c7c168805af920ab7 from branch 'matt.dbclient.rez' to 'matt.dbclient.authpam'
Matt Johnston <matt@ucc.asn.au>
parents:
57
diff
changeset
|
194 |
3394a7cb30cd
propagate of 08347df3bca787bd3621602fe2b466c85c9dc3e2 and 717950f4061f1123659ee87c7c168805af920ab7 from branch 'matt.dbclient.rez' to 'matt.dbclient.authpam'
Matt Johnston <matt@ucc.asn.au>
parents:
57
diff
changeset
|
195 int rc = PAM_SUCCESS; |
3394a7cb30cd
propagate of 08347df3bca787bd3621602fe2b466c85c9dc3e2 and 717950f4061f1123659ee87c7c168805af920ab7 from branch 'matt.dbclient.rez' to 'matt.dbclient.authpam'
Matt Johnston <matt@ucc.asn.au>
parents:
57
diff
changeset
|
196 unsigned char changepw; |
57
3b2a5a1c4347
svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
197 |
119
3394a7cb30cd
propagate of 08347df3bca787bd3621602fe2b466c85c9dc3e2 and 717950f4061f1123659ee87c7c168805af920ab7 from branch 'matt.dbclient.rez' to 'matt.dbclient.authpam'
Matt Johnston <matt@ucc.asn.au>
parents:
57
diff
changeset
|
198 /* check if client wants to change password */ |
179
161557a9dde8
* fix longstanding bug with connections being closed on failure to
Matt Johnston <matt@ucc.asn.au>
parents:
169
diff
changeset
|
199 changepw = buf_getbool(ses.payload); |
119
3394a7cb30cd
propagate of 08347df3bca787bd3621602fe2b466c85c9dc3e2 and 717950f4061f1123659ee87c7c168805af920ab7 from branch 'matt.dbclient.rez' to 'matt.dbclient.authpam'
Matt Johnston <matt@ucc.asn.au>
parents:
57
diff
changeset
|
200 if (changepw) { |
3394a7cb30cd
propagate of 08347df3bca787bd3621602fe2b466c85c9dc3e2 and 717950f4061f1123659ee87c7c168805af920ab7 from branch 'matt.dbclient.rez' to 'matt.dbclient.authpam'
Matt Johnston <matt@ucc.asn.au>
parents:
57
diff
changeset
|
201 /* not implemented by this server */ |
3394a7cb30cd
propagate of 08347df3bca787bd3621602fe2b466c85c9dc3e2 and 717950f4061f1123659ee87c7c168805af920ab7 from branch 'matt.dbclient.rez' to 'matt.dbclient.authpam'
Matt Johnston <matt@ucc.asn.au>
parents:
57
diff
changeset
|
202 send_msg_userauth_failure(0, 1); |
3394a7cb30cd
propagate of 08347df3bca787bd3621602fe2b466c85c9dc3e2 and 717950f4061f1123659ee87c7c168805af920ab7 from branch 'matt.dbclient.rez' to 'matt.dbclient.authpam'
Matt Johnston <matt@ucc.asn.au>
parents:
57
diff
changeset
|
203 goto cleanup; |
3394a7cb30cd
propagate of 08347df3bca787bd3621602fe2b466c85c9dc3e2 and 717950f4061f1123659ee87c7c168805af920ab7 from branch 'matt.dbclient.rez' to 'matt.dbclient.authpam'
Matt Johnston <matt@ucc.asn.au>
parents:
57
diff
changeset
|
204 } |
3394a7cb30cd
propagate of 08347df3bca787bd3621602fe2b466c85c9dc3e2 and 717950f4061f1123659ee87c7c168805af920ab7 from branch 'matt.dbclient.rez' to 'matt.dbclient.authpam'
Matt Johnston <matt@ucc.asn.au>
parents:
57
diff
changeset
|
205 |
3394a7cb30cd
propagate of 08347df3bca787bd3621602fe2b466c85c9dc3e2 and 717950f4061f1123659ee87c7c168805af920ab7 from branch 'matt.dbclient.rez' to 'matt.dbclient.authpam'
Matt Johnston <matt@ucc.asn.au>
parents:
57
diff
changeset
|
206 password = buf_getstring(ses.payload, &passwordlen); |
57
3b2a5a1c4347
svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
207 |
1616
5d2d1021ca00
Wait to fail invalid usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1425
diff
changeset
|
208 /* We run the PAM conversation regardless of whether the username is valid |
5d2d1021ca00
Wait to fail invalid usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1425
diff
changeset
|
209 in case the conversation function has an inherent delay. |
5d2d1021ca00
Wait to fail invalid usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1425
diff
changeset
|
210 Use ses.authstate.username rather than ses.authstate.pw_name. |
5d2d1021ca00
Wait to fail invalid usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1425
diff
changeset
|
211 After PAM succeeds we then check the valid_user flag too */ |
5d2d1021ca00
Wait to fail invalid usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1425
diff
changeset
|
212 |
131
9c372a039532
strdup() variables correctly for the PAM conversation function
Matt Johnston <matt@ucc.asn.au>
parents:
127
diff
changeset
|
213 /* used to pass data to the PAM conversation function - don't bother with |
9c372a039532
strdup() variables correctly for the PAM conversation function
Matt Johnston <matt@ucc.asn.au>
parents:
127
diff
changeset
|
214 * strdup() etc since these are touched only by our own conversation |
9c372a039532
strdup() variables correctly for the PAM conversation function
Matt Johnston <matt@ucc.asn.au>
parents:
127
diff
changeset
|
215 * function (above) which takes care of it */ |
1616
5d2d1021ca00
Wait to fail invalid usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1425
diff
changeset
|
216 userData.user = ses.authstate.username; |
119
3394a7cb30cd
propagate of 08347df3bca787bd3621602fe2b466c85c9dc3e2 and 717950f4061f1123659ee87c7c168805af920ab7 from branch 'matt.dbclient.rez' to 'matt.dbclient.authpam'
Matt Johnston <matt@ucc.asn.au>
parents:
57
diff
changeset
|
217 userData.passwd = password; |
57
3b2a5a1c4347
svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
218 |
1616
5d2d1021ca00
Wait to fail invalid usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1425
diff
changeset
|
219 if (ses.authstate.pw_name) { |
5d2d1021ca00
Wait to fail invalid usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1425
diff
changeset
|
220 printable_user = ses.authstate.pw_name; |
5d2d1021ca00
Wait to fail invalid usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1425
diff
changeset
|
221 } else { |
5d2d1021ca00
Wait to fail invalid usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1425
diff
changeset
|
222 printable_user = "<invalid username>"; |
5d2d1021ca00
Wait to fail invalid usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1425
diff
changeset
|
223 } |
5d2d1021ca00
Wait to fail invalid usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1425
diff
changeset
|
224 |
119
3394a7cb30cd
propagate of 08347df3bca787bd3621602fe2b466c85c9dc3e2 and 717950f4061f1123659ee87c7c168805af920ab7 from branch 'matt.dbclient.rez' to 'matt.dbclient.authpam'
Matt Johnston <matt@ucc.asn.au>
parents:
57
diff
changeset
|
225 /* Init pam */ |
3394a7cb30cd
propagate of 08347df3bca787bd3621602fe2b466c85c9dc3e2 and 717950f4061f1123659ee87c7c168805af920ab7 from branch 'matt.dbclient.rez' to 'matt.dbclient.authpam'
Matt Johnston <matt@ucc.asn.au>
parents:
57
diff
changeset
|
226 if ((rc = pam_start("sshd", NULL, &pamConv, &pamHandlep)) != PAM_SUCCESS) { |
819
fee485ce81eb
Get rid of spurious newlines in pam log messages
Matt Johnston <matt@ucc.asn.au>
parents:
818
diff
changeset
|
227 dropbear_log(LOG_WARNING, "pam_start() failed, rc=%d, %s", |
119
3394a7cb30cd
propagate of 08347df3bca787bd3621602fe2b466c85c9dc3e2 and 717950f4061f1123659ee87c7c168805af920ab7 from branch 'matt.dbclient.rez' to 'matt.dbclient.authpam'
Matt Johnston <matt@ucc.asn.au>
parents:
57
diff
changeset
|
228 rc, pam_strerror(pamHandlep, rc)); |
3394a7cb30cd
propagate of 08347df3bca787bd3621602fe2b466c85c9dc3e2 and 717950f4061f1123659ee87c7c168805af920ab7 from branch 'matt.dbclient.rez' to 'matt.dbclient.authpam'
Matt Johnston <matt@ucc.asn.au>
parents:
57
diff
changeset
|
229 goto cleanup; |
3394a7cb30cd
propagate of 08347df3bca787bd3621602fe2b466c85c9dc3e2 and 717950f4061f1123659ee87c7c168805af920ab7 from branch 'matt.dbclient.rez' to 'matt.dbclient.authpam'
Matt Johnston <matt@ucc.asn.au>
parents:
57
diff
changeset
|
230 } |
57
3b2a5a1c4347
svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
231 |
119
3394a7cb30cd
propagate of 08347df3bca787bd3621602fe2b466c85c9dc3e2 and 717950f4061f1123659ee87c7c168805af920ab7 from branch 'matt.dbclient.rez' to 'matt.dbclient.authpam'
Matt Johnston <matt@ucc.asn.au>
parents:
57
diff
changeset
|
232 /* just to set it to something */ |
1238
c59c10803afd
Fix parentheses weird placement
Chocobo1 <Chocobo1@users.noreply.github.com>
parents:
1122
diff
changeset
|
233 if ((rc = pam_set_item(pamHandlep, PAM_TTY, "ssh")) != PAM_SUCCESS) { |
819
fee485ce81eb
Get rid of spurious newlines in pam log messages
Matt Johnston <matt@ucc.asn.au>
parents:
818
diff
changeset
|
234 dropbear_log(LOG_WARNING, "pam_set_item() failed, rc=%d, %s", |
119
3394a7cb30cd
propagate of 08347df3bca787bd3621602fe2b466c85c9dc3e2 and 717950f4061f1123659ee87c7c168805af920ab7 from branch 'matt.dbclient.rez' to 'matt.dbclient.authpam'
Matt Johnston <matt@ucc.asn.au>
parents:
57
diff
changeset
|
235 rc, pam_strerror(pamHandlep, rc)); |
3394a7cb30cd
propagate of 08347df3bca787bd3621602fe2b466c85c9dc3e2 and 717950f4061f1123659ee87c7c168805af920ab7 from branch 'matt.dbclient.rez' to 'matt.dbclient.authpam'
Matt Johnston <matt@ucc.asn.au>
parents:
57
diff
changeset
|
236 goto cleanup; |
3394a7cb30cd
propagate of 08347df3bca787bd3621602fe2b466c85c9dc3e2 and 717950f4061f1123659ee87c7c168805af920ab7 from branch 'matt.dbclient.rez' to 'matt.dbclient.authpam'
Matt Johnston <matt@ucc.asn.au>
parents:
57
diff
changeset
|
237 } |
3394a7cb30cd
propagate of 08347df3bca787bd3621602fe2b466c85c9dc3e2 and 717950f4061f1123659ee87c7c168805af920ab7 from branch 'matt.dbclient.rez' to 'matt.dbclient.authpam'
Matt Johnston <matt@ucc.asn.au>
parents:
57
diff
changeset
|
238 |
1425 | 239 if ((rc = pam_set_item(pamHandlep, PAM_RHOST, svr_ses.remotehost)) != PAM_SUCCESS) { |
240 dropbear_log(LOG_WARNING, "pam_set_item() failed, rc=%d, %s", | |
241 rc, pam_strerror(pamHandlep, rc)); | |
242 goto cleanup; | |
243 } | |
244 | |
573
d3ea8b9672f0
- Test for pam_fail_delay() function in configure
Matt Johnston <matt@ucc.asn.au>
parents:
464
diff
changeset
|
245 #ifdef HAVE_PAM_FAIL_DELAY |
d3ea8b9672f0
- Test for pam_fail_delay() function in configure
Matt Johnston <matt@ucc.asn.au>
parents:
464
diff
changeset
|
246 /* We have our own random delay code already, disable PAM's */ |
119
3394a7cb30cd
propagate of 08347df3bca787bd3621602fe2b466c85c9dc3e2 and 717950f4061f1123659ee87c7c168805af920ab7 from branch 'matt.dbclient.rez' to 'matt.dbclient.authpam'
Matt Johnston <matt@ucc.asn.au>
parents:
57
diff
changeset
|
247 (void) pam_fail_delay(pamHandlep, 0 /* musec_delay */); |
573
d3ea8b9672f0
- Test for pam_fail_delay() function in configure
Matt Johnston <matt@ucc.asn.au>
parents:
464
diff
changeset
|
248 #endif |
119
3394a7cb30cd
propagate of 08347df3bca787bd3621602fe2b466c85c9dc3e2 and 717950f4061f1123659ee87c7c168805af920ab7 from branch 'matt.dbclient.rez' to 'matt.dbclient.authpam'
Matt Johnston <matt@ucc.asn.au>
parents:
57
diff
changeset
|
249 |
3394a7cb30cd
propagate of 08347df3bca787bd3621602fe2b466c85c9dc3e2 and 717950f4061f1123659ee87c7c168805af920ab7 from branch 'matt.dbclient.rez' to 'matt.dbclient.authpam'
Matt Johnston <matt@ucc.asn.au>
parents:
57
diff
changeset
|
250 /* (void) pam_set_item(pamHandlep, PAM_FAIL_DELAY, (void*) pamDelayFunc); */ |
3394a7cb30cd
propagate of 08347df3bca787bd3621602fe2b466c85c9dc3e2 and 717950f4061f1123659ee87c7c168805af920ab7 from branch 'matt.dbclient.rez' to 'matt.dbclient.authpam'
Matt Johnston <matt@ucc.asn.au>
parents:
57
diff
changeset
|
251 |
3394a7cb30cd
propagate of 08347df3bca787bd3621602fe2b466c85c9dc3e2 and 717950f4061f1123659ee87c7c168805af920ab7 from branch 'matt.dbclient.rez' to 'matt.dbclient.authpam'
Matt Johnston <matt@ucc.asn.au>
parents:
57
diff
changeset
|
252 if ((rc = pam_authenticate(pamHandlep, 0)) != PAM_SUCCESS) { |
819
fee485ce81eb
Get rid of spurious newlines in pam log messages
Matt Johnston <matt@ucc.asn.au>
parents:
818
diff
changeset
|
253 dropbear_log(LOG_WARNING, "pam_authenticate() failed, rc=%d, %s", |
119
3394a7cb30cd
propagate of 08347df3bca787bd3621602fe2b466c85c9dc3e2 and 717950f4061f1123659ee87c7c168805af920ab7 from branch 'matt.dbclient.rez' to 'matt.dbclient.authpam'
Matt Johnston <matt@ucc.asn.au>
parents:
57
diff
changeset
|
254 rc, pam_strerror(pamHandlep, rc)); |
3394a7cb30cd
propagate of 08347df3bca787bd3621602fe2b466c85c9dc3e2 and 717950f4061f1123659ee87c7c168805af920ab7 from branch 'matt.dbclient.rez' to 'matt.dbclient.authpam'
Matt Johnston <matt@ucc.asn.au>
parents:
57
diff
changeset
|
255 dropbear_log(LOG_WARNING, |
594
a98a2138364a
Improve capitalisation for all logged strings
Matt Johnston <matt@ucc.asn.au>
parents:
573
diff
changeset
|
256 "Bad PAM password attempt for '%s' from %s", |
1616
5d2d1021ca00
Wait to fail invalid usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1425
diff
changeset
|
257 printable_user, |
158
364a75cfebab
Log the IP along with auth success/fail attempts
Matt Johnston <matt@ucc.asn.au>
parents:
131
diff
changeset
|
258 svr_ses.addrstring); |
119
3394a7cb30cd
propagate of 08347df3bca787bd3621602fe2b466c85c9dc3e2 and 717950f4061f1123659ee87c7c168805af920ab7 from branch 'matt.dbclient.rez' to 'matt.dbclient.authpam'
Matt Johnston <matt@ucc.asn.au>
parents:
57
diff
changeset
|
259 send_msg_userauth_failure(0, 1); |
3394a7cb30cd
propagate of 08347df3bca787bd3621602fe2b466c85c9dc3e2 and 717950f4061f1123659ee87c7c168805af920ab7 from branch 'matt.dbclient.rez' to 'matt.dbclient.authpam'
Matt Johnston <matt@ucc.asn.au>
parents:
57
diff
changeset
|
260 goto cleanup; |
3394a7cb30cd
propagate of 08347df3bca787bd3621602fe2b466c85c9dc3e2 and 717950f4061f1123659ee87c7c168805af920ab7 from branch 'matt.dbclient.rez' to 'matt.dbclient.authpam'
Matt Johnston <matt@ucc.asn.au>
parents:
57
diff
changeset
|
261 } |
57
3b2a5a1c4347
svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
262 |
119
3394a7cb30cd
propagate of 08347df3bca787bd3621602fe2b466c85c9dc3e2 and 717950f4061f1123659ee87c7c168805af920ab7 from branch 'matt.dbclient.rez' to 'matt.dbclient.authpam'
Matt Johnston <matt@ucc.asn.au>
parents:
57
diff
changeset
|
263 if ((rc = pam_acct_mgmt(pamHandlep, 0)) != PAM_SUCCESS) { |
819
fee485ce81eb
Get rid of spurious newlines in pam log messages
Matt Johnston <matt@ucc.asn.au>
parents:
818
diff
changeset
|
264 dropbear_log(LOG_WARNING, "pam_acct_mgmt() failed, rc=%d, %s", |
119
3394a7cb30cd
propagate of 08347df3bca787bd3621602fe2b466c85c9dc3e2 and 717950f4061f1123659ee87c7c168805af920ab7 from branch 'matt.dbclient.rez' to 'matt.dbclient.authpam'
Matt Johnston <matt@ucc.asn.au>
parents:
57
diff
changeset
|
265 rc, pam_strerror(pamHandlep, rc)); |
3394a7cb30cd
propagate of 08347df3bca787bd3621602fe2b466c85c9dc3e2 and 717950f4061f1123659ee87c7c168805af920ab7 from branch 'matt.dbclient.rez' to 'matt.dbclient.authpam'
Matt Johnston <matt@ucc.asn.au>
parents:
57
diff
changeset
|
266 dropbear_log(LOG_WARNING, |
594
a98a2138364a
Improve capitalisation for all logged strings
Matt Johnston <matt@ucc.asn.au>
parents:
573
diff
changeset
|
267 "Bad PAM password attempt for '%s' from %s", |
1616
5d2d1021ca00
Wait to fail invalid usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1425
diff
changeset
|
268 printable_user, |
158
364a75cfebab
Log the IP along with auth success/fail attempts
Matt Johnston <matt@ucc.asn.au>
parents:
131
diff
changeset
|
269 svr_ses.addrstring); |
119
3394a7cb30cd
propagate of 08347df3bca787bd3621602fe2b466c85c9dc3e2 and 717950f4061f1123659ee87c7c168805af920ab7 from branch 'matt.dbclient.rez' to 'matt.dbclient.authpam'
Matt Johnston <matt@ucc.asn.au>
parents:
57
diff
changeset
|
270 send_msg_userauth_failure(0, 1); |
3394a7cb30cd
propagate of 08347df3bca787bd3621602fe2b466c85c9dc3e2 and 717950f4061f1123659ee87c7c168805af920ab7 from branch 'matt.dbclient.rez' to 'matt.dbclient.authpam'
Matt Johnston <matt@ucc.asn.au>
parents:
57
diff
changeset
|
271 goto cleanup; |
3394a7cb30cd
propagate of 08347df3bca787bd3621602fe2b466c85c9dc3e2 and 717950f4061f1123659ee87c7c168805af920ab7 from branch 'matt.dbclient.rez' to 'matt.dbclient.authpam'
Matt Johnston <matt@ucc.asn.au>
parents:
57
diff
changeset
|
272 } |
57
3b2a5a1c4347
svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
273 |
1616
5d2d1021ca00
Wait to fail invalid usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1425
diff
changeset
|
274 if (!valid_user) { |
5d2d1021ca00
Wait to fail invalid usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1425
diff
changeset
|
275 /* PAM auth succeeded but the username isn't allowed in for another reason |
5d2d1021ca00
Wait to fail invalid usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1425
diff
changeset
|
276 (checkusername() failed) */ |
5d2d1021ca00
Wait to fail invalid usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1425
diff
changeset
|
277 send_msg_userauth_failure(0, 1); |
1629
258b57b208ae
Fix for issue successfull login of disabled user (#78)
vincentto13 <33652988+vincentto13@users.noreply.github.com>
parents:
1616
diff
changeset
|
278 goto cleanup; |
1616
5d2d1021ca00
Wait to fail invalid usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1425
diff
changeset
|
279 } |
5d2d1021ca00
Wait to fail invalid usernames
Matt Johnston <matt@ucc.asn.au>
parents:
1425
diff
changeset
|
280 |
119
3394a7cb30cd
propagate of 08347df3bca787bd3621602fe2b466c85c9dc3e2 and 717950f4061f1123659ee87c7c168805af920ab7 from branch 'matt.dbclient.rez' to 'matt.dbclient.authpam'
Matt Johnston <matt@ucc.asn.au>
parents:
57
diff
changeset
|
281 /* successful authentication */ |
158
364a75cfebab
Log the IP along with auth success/fail attempts
Matt Johnston <matt@ucc.asn.au>
parents:
131
diff
changeset
|
282 dropbear_log(LOG_NOTICE, "PAM password auth succeeded for '%s' from %s", |
464
4317be8b7cf9
Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep
Matt Johnston <matt@ucc.asn.au>
parents:
432
diff
changeset
|
283 ses.authstate.pw_name, |
158
364a75cfebab
Log the IP along with auth success/fail attempts
Matt Johnston <matt@ucc.asn.au>
parents:
131
diff
changeset
|
284 svr_ses.addrstring); |
119
3394a7cb30cd
propagate of 08347df3bca787bd3621602fe2b466c85c9dc3e2 and 717950f4061f1123659ee87c7c168805af920ab7 from branch 'matt.dbclient.rez' to 'matt.dbclient.authpam'
Matt Johnston <matt@ucc.asn.au>
parents:
57
diff
changeset
|
285 send_msg_userauth_success(); |
3394a7cb30cd
propagate of 08347df3bca787bd3621602fe2b466c85c9dc3e2 and 717950f4061f1123659ee87c7c168805af920ab7 from branch 'matt.dbclient.rez' to 'matt.dbclient.authpam'
Matt Johnston <matt@ucc.asn.au>
parents:
57
diff
changeset
|
286 |
3394a7cb30cd
propagate of 08347df3bca787bd3621602fe2b466c85c9dc3e2 and 717950f4061f1123659ee87c7c168805af920ab7 from branch 'matt.dbclient.rez' to 'matt.dbclient.authpam'
Matt Johnston <matt@ucc.asn.au>
parents:
57
diff
changeset
|
287 cleanup: |
3394a7cb30cd
propagate of 08347df3bca787bd3621602fe2b466c85c9dc3e2 and 717950f4061f1123659ee87c7c168805af920ab7 from branch 'matt.dbclient.rez' to 'matt.dbclient.authpam'
Matt Johnston <matt@ucc.asn.au>
parents:
57
diff
changeset
|
288 if (password != NULL) { |
3394a7cb30cd
propagate of 08347df3bca787bd3621602fe2b466c85c9dc3e2 and 717950f4061f1123659ee87c7c168805af920ab7 from branch 'matt.dbclient.rez' to 'matt.dbclient.authpam'
Matt Johnston <matt@ucc.asn.au>
parents:
57
diff
changeset
|
289 m_burn(password, passwordlen); |
3394a7cb30cd
propagate of 08347df3bca787bd3621602fe2b466c85c9dc3e2 and 717950f4061f1123659ee87c7c168805af920ab7 from branch 'matt.dbclient.rez' to 'matt.dbclient.authpam'
Matt Johnston <matt@ucc.asn.au>
parents:
57
diff
changeset
|
290 m_free(password); |
3394a7cb30cd
propagate of 08347df3bca787bd3621602fe2b466c85c9dc3e2 and 717950f4061f1123659ee87c7c168805af920ab7 from branch 'matt.dbclient.rez' to 'matt.dbclient.authpam'
Matt Johnston <matt@ucc.asn.au>
parents:
57
diff
changeset
|
291 } |
3394a7cb30cd
propagate of 08347df3bca787bd3621602fe2b466c85c9dc3e2 and 717950f4061f1123659ee87c7c168805af920ab7 from branch 'matt.dbclient.rez' to 'matt.dbclient.authpam'
Matt Johnston <matt@ucc.asn.au>
parents:
57
diff
changeset
|
292 if (pamHandlep != NULL) { |
165
0cfba3034be5
Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place
Matt Johnston <matt@ucc.asn.au>
parents:
158
diff
changeset
|
293 TRACE(("pam_end")) |
119
3394a7cb30cd
propagate of 08347df3bca787bd3621602fe2b466c85c9dc3e2 and 717950f4061f1123659ee87c7c168805af920ab7 from branch 'matt.dbclient.rez' to 'matt.dbclient.authpam'
Matt Johnston <matt@ucc.asn.au>
parents:
57
diff
changeset
|
294 (void) pam_end(pamHandlep, 0 /* pam_status */); |
3394a7cb30cd
propagate of 08347df3bca787bd3621602fe2b466c85c9dc3e2 and 717950f4061f1123659ee87c7c168805af920ab7 from branch 'matt.dbclient.rez' to 'matt.dbclient.authpam'
Matt Johnston <matt@ucc.asn.au>
parents:
57
diff
changeset
|
295 } |
57
3b2a5a1c4347
svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
296 } |
127
33d976eeb859
put the #ifdefs back in for authpam
Matt Johnston <matt@ucc.asn.au>
parents:
121
diff
changeset
|
297 |
1295
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
1238
diff
changeset
|
298 #endif /* DROPBEAR_SVR_PAM_AUTH */ |