annotate svr-authpam.c @ 1902:4a6725ac957c

Revert "Don't include sk keys at all in KEX list" This reverts git commit f972813ecdc7bb981d25b5a63638bd158f1c8e72. The sk algorithms need to remain in the sigalgs list so that they are included in the server-sig-algs ext-info message sent by the server. RFC8308 for server-sig-algs requires that all algorithms are listed (though OpenSSH client 8.4p1 tested doesn't require that)
author Matt Johnston <matt@ucc.asn.au>
date Thu, 24 Mar 2022 13:42:08 +0800
parents 258b57b208ae
children
57
3b2a5a1c4347 svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
1 /*
121
9337c9f9a607 PAM improvements
Matt Johnston <matt@ucc.asn.au>
parents: 119
diff changeset
2 * Dropbear SSH
57
3b2a5a1c4347 svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
3 *
121
9337c9f9a607 PAM improvements
Matt Johnston <matt@ucc.asn.au>
parents: 119
diff changeset
4 * Copyright (c) 2004 Martin Carlsson
9337c9f9a607 PAM improvements
Matt Johnston <matt@ucc.asn.au>
parents: 119
diff changeset
5 * Portions (c) 2004 Matt Johnston
57
3b2a5a1c4347 svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
6 * All rights reserved.
3b2a5a1c4347 svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
7 *
3b2a5a1c4347 svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
8 * Permission is hereby granted, free of charge, to any person obtaining a copy
3b2a5a1c4347 svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
9 * of this software and associated documentation files (the "Software"), to deal
3b2a5a1c4347 svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
10 * in the Software without restriction, including without limitation the rights
3b2a5a1c4347 svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
11 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
3b2a5a1c4347 svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
12 * copies of the Software, and to permit persons to whom the Software is
3b2a5a1c4347 svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
13 * furnished to do so, subject to the following conditions:
3b2a5a1c4347 svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
14 *
3b2a5a1c4347 svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
15 * The above copyright notice and this permission notice shall be included in
3b2a5a1c4347 svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
16 * all copies or substantial portions of the Software.
3b2a5a1c4347 svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
17 *
3b2a5a1c4347 svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
18 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
3b2a5a1c4347 svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
19 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
3b2a5a1c4347 svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
20 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
3b2a5a1c4347 svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
21 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
3b2a5a1c4347 svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
22 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
3b2a5a1c4347 svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
23 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
3b2a5a1c4347 svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
24 * SOFTWARE. */
3b2a5a1c4347 svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
25
121
9337c9f9a607 PAM improvements
Matt Johnston <matt@ucc.asn.au>
parents: 119
diff changeset
26 /* Validates a user password using PAM */
57
3b2a5a1c4347 svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
27
3b2a5a1c4347 svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
28 #include "includes.h"
3b2a5a1c4347 svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
29 #include "session.h"
3b2a5a1c4347 svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
30 #include "buffer.h"
3b2a5a1c4347 svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
31 #include "dbutil.h"
3b2a5a1c4347 svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
32 #include "auth.h"
3b2a5a1c4347 svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
33
1295
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents: 1238
diff changeset
34 #if DROPBEAR_SVR_PAM_AUTH
432
517e76bdfb2d Make sure the #includes for pam only get hit if PAM is enabled.
Matt Johnston <matt@ucc.asn.au>
parents: 258
diff changeset
35
57
3b2a5a1c4347 svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
36 #if defined(HAVE_SECURITY_PAM_APPL_H)
3b2a5a1c4347 svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
37 #include <security/pam_appl.h>
3b2a5a1c4347 svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
38 #elif defined (HAVE_PAM_PAM_APPL_H)
3b2a5a1c4347 svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
39 #include <pam/pam_appl.h>
3b2a5a1c4347 svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
40 #endif
3b2a5a1c4347 svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
41
3b2a5a1c4347 svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
/* Credentials passed to pamConvFunc() via the PAM appdata pointer.
 * Field order matters: svr_auth_pam() initialises this positionally. */
struct UserDataS {
	char *user;    /* returned for echo-on (username) prompts */
	char *passwd;  /* returned for echo-off (password) prompts, then
	                * burned by pamConvFunc() */
};
3b2a5a1c4347 svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
46
119
3394a7cb30cd propagate of 08347df3bca787bd3621602fe2b466c85c9dc3e2 and 717950f4061f1123659ee87c7c168805af920ab7 from branch 'matt.dbclient.rez' to 'matt.dbclient.authpam'
Matt Johnston <matt@ucc.asn.au>
parents: 57
diff changeset
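/* PAM conversation function - for now we only handle one message.
 *
 * num_msg     - number of messages from the module; anything other than 1
 *               is rejected.
 * msg         - the message array; only (*msg) is examined.
 * respp       - on success for a prompt, receives a newly allocated
 *               pam_response whose resp string is also newly allocated.
 *               Left untouched on error and for info/error text messages.
 * appdata_ptr - a struct UserDataS holding the username and password.
 *
 * Returns PAM_SUCCESS, or PAM_CONV_ERR when the message count, message
 * style or prompt text is not one we know how to answer.
 *
 * Prompts are matched against a short fixed list of lowercase strings, so
 * the password is only ever released to a prompt we recognise as asking
 * for it. */
int
pamConvFunc(int num_msg,
		const struct pam_message **msg,
		struct pam_response **respp,
		void *appdata_ptr) {

	int rc = PAM_SUCCESS;
	struct pam_response* resp = NULL;
	struct UserDataS* userDatap = (struct UserDataS*) appdata_ptr;
	unsigned int msg_len = 0;
	unsigned int i = 0;
	char * compare_message = NULL;

	TRACE(("enter pamConvFunc"))

	if (num_msg != 1) {
		/* If you're getting here - Dropbear probably can't support your pam
		 * modules. This whole file is a bit of a hack around lack of
		 * asynchronocity in PAM anyway. */
		dropbear_log(LOG_INFO, "pamConvFunc() called with >1 messages: not supported.");
		return PAM_CONV_ERR;
	}

	/* make a copy we can strip */
	compare_message = m_strdup((*msg)->msg);

	/* Make the string lowercase. The cast to unsigned char is required:
	 * passing a negative char (any byte >= 0x80 where char is signed, e.g.
	 * a localised prompt) to tolower() is undefined behaviour. */
	msg_len = strlen(compare_message);
	for (i = 0; i < msg_len; i++) {
		compare_message[i] = (char)tolower((unsigned char)compare_message[i]);
	}

	/* If the string ends with ": ", remove the space.
	   ie "login: " vs "login:".
	   msg_len is deliberately not updated: the banner case below uses it
	   as the length of the untouched original (*msg)->msg. */
	if (msg_len > 2
			&& compare_message[msg_len-2] == ':'
			&& compare_message[msg_len-1] == ' ') {
		compare_message[msg_len-1] = '\0';
	}

	switch((*msg)->msg_style) {

		case PAM_PROMPT_ECHO_OFF:

			if (!(strcmp(compare_message, "password:") == 0)) {
				/* We don't recognise the prompt as asking for a password,
				   so can't handle it. Add more above as required for
				   different pam modules/implementations. If you need
				   to add an entry here please mail the Dropbear developer */
				dropbear_log(LOG_NOTICE, "PAM unknown prompt '%s' (no echo)",
						compare_message);
				rc = PAM_CONV_ERR;
				break;
			}

			/* You have to read the PAM module-writers' docs (do we look like
			 * module writers? no.) to find out that the module will
			 * free the pam_response and its resp element - ie we _must_ malloc
			 * it here */
			resp = (struct pam_response*) m_malloc(sizeof(struct pam_response));
			memset(resp, 0, sizeof(struct pam_response));

			resp->resp = m_strdup(userDatap->passwd);
			/* Scrub our copy once it has been handed over (m_burn presumably
			 * overwrites the buffer - confirm in dbutil). The duplicate in
			 * resp->resp now belongs to the PAM module and is not wiped
			 * here. A further password prompt in the same conversation
			 * would then be answered from the scrubbed buffer. */
			m_burn(userDatap->passwd, strlen(userDatap->passwd));
			(*respp) = resp;
			break;


		case PAM_PROMPT_ECHO_ON:

			if (!(
				(strcmp(compare_message, "login:" ) == 0)
				|| (strcmp(compare_message, "please enter username:") == 0)
				|| (strcmp(compare_message, "username:") == 0)
				)) {
				/* We don't recognise the prompt as asking for a username,
				   so can't handle it. Add more above as required for
				   different pam modules/implementations. If you need
				   to add an entry here please mail the Dropbear developer */
				dropbear_log(LOG_NOTICE, "PAM unknown prompt '%s' (with echo)",
						compare_message);
				rc = PAM_CONV_ERR;
				break;
			}

			/* As above: the module frees the pam_response and its resp
			 * element, so both must be heap allocations. */
			resp = (struct pam_response*) m_malloc(sizeof(struct pam_response));
			memset(resp, 0, sizeof(struct pam_response));

			resp->resp = m_strdup(userDatap->user);
			TRACE(("userDatap->user='%s'", userDatap->user))
			(*respp) = resp;
			break;

		case PAM_ERROR_MSG:
		case PAM_TEXT_INFO:

			/* Relay the module's text to the client as a userauth banner,
			 * wrapped in CRLF. The original message is sent, not the
			 * lowercased copy; the buffer is sized for the text plus the
			 * two 2-byte line endings. No response is produced. */
			if (msg_len > 0) {
				buffer * pam_err = buf_new(msg_len + 4);
				buf_setpos(pam_err, 0);
				buf_putbytes(pam_err, "\r\n", 2);
				buf_putbytes(pam_err, (*msg)->msg, msg_len);
				buf_putbytes(pam_err, "\r\n", 2);
				buf_setpos(pam_err, 0);

				send_msg_userauth_banner(pam_err);
				buf_free(pam_err);
			}
			break;

		default:
			TRACE(("Unknown message type"))
			rc = PAM_CONV_ERR;
			break;
	}

	/* Every path that reached the m_strdup() above exits through here, so
	 * the working copy is always released. */
	m_free(compare_message);
	TRACE(("leave pamConvFunc, rc %d", rc))

	return rc;
}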
3b2a5a1c4347 svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
172
3b2a5a1c4347 svr-authpam code merged and works. needs tidying a log
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
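/* Process a password auth request, sending success or failure messages as
 * appropriate. To the client it looks like it's doing normal password auth (as
 * opposed to keyboard-interactive or something), so the pam module has to be
 * fairly standard (ie just "what's your username, what's your password, OK").
 *
 * Keyboard interactive would be a lot nicer, but since PAM is synchronous, it
 * gets very messy trying to send the interactive challenges, and read the
 * interactive responses, over the network.
 *
 * valid_user: non-zero when the caller's username check passed. The PAM
 * conversation is run whatever its value; it is only consulted after
 * pam_authenticate() and pam_acct_mgmt() have both succeeded, and a zero
 * value then turns the result into a failure.
 *
 * Once the request has been parsed, every exit path sends one reply:
 * send_msg_userauth_success() on success, send_msg_userauth_failure(0, 1)
 * otherwise. That includes the PAM setup failures (pam_start(),
 * pam_set_item()), which previously only logged and returned without
 * answering the client.
 *
 * The password string taken from the payload is passed through m_burn()
 * before m_free() on every path. */
void svr_auth_pam(int valid_user) {

	struct UserDataS userData = {NULL, NULL};
	struct pam_conv pamConv = {
		pamConvFunc,
		&userData /* submitted to pamConvFunc as appdata_ptr */
	};
	const char* printable_user = NULL;

	pam_handle_t* pamHandlep = NULL;

	char * password = NULL;
	unsigned int passwordlen;

	/* Holds the most recent PAM return code; handed to pam_end() below. */
	int rc = PAM_SUCCESS;
	unsigned char changepw;

	/* check if client wants to change password */
	changepw = buf_getbool(ses.payload);
	if (changepw) {
		/* not implemented by this server */
		send_msg_userauth_failure(0, 1);
		goto cleanup;
	}

	password = buf_getstring(ses.payload, &passwordlen);

	/* We run the PAM conversation regardless of whether the username is valid
	in case the conversation function has an inherent delay.
	Use ses.authstate.username rather than ses.authstate.pw_name.
	After PAM succeeds we then check the valid_user flag too */

	/* used to pass data to the PAM conversation function - don't bother with
	 * strdup() etc since these are touched only by our own conversation
	 * function (above) which takes care of it */
	userData.user = ses.authstate.username;
	userData.passwd = password;

	/* Name used in the failure log lines: pw_name when it is set, otherwise
	 * a fixed placeholder, so those lines never carry the raw name taken
	 * from the request. */
	if (ses.authstate.pw_name) {
		printable_user = ses.authstate.pw_name;
	} else {
		printable_user = "<invalid username>";
	}

	/* Init pam */
	if ((rc = pam_start("sshd", NULL, &pamConv, &pamHandlep)) != PAM_SUCCESS) {
		dropbear_log(LOG_WARNING, "pam_start() failed, rc=%d, %s",
				rc, pam_strerror(pamHandlep, rc));
		/* Fail closed and still answer the request, with the same
		 * arguments as the other failure paths in this function. */
		send_msg_userauth_failure(0, 1);
		goto cleanup;
	}

	/* just to set it to something */
	if ((rc = pam_set_item(pamHandlep, PAM_TTY, "ssh")) != PAM_SUCCESS) {
		dropbear_log(LOG_WARNING, "pam_set_item() failed, rc=%d, %s",
				rc, pam_strerror(pamHandlep, rc));
		send_msg_userauth_failure(0, 1);
		goto cleanup;
	}

	/* Give PAM modules the peer's host, e.g. for host-based policy or for
	 * their own logging. */
	if ((rc = pam_set_item(pamHandlep, PAM_RHOST, svr_ses.remotehost)) != PAM_SUCCESS) {
		dropbear_log(LOG_WARNING, "pam_set_item() failed, rc=%d, %s",
				rc, pam_strerror(pamHandlep, rc));
		send_msg_userauth_failure(0, 1);
		goto cleanup;
	}

#ifdef HAVE_PAM_FAIL_DELAY
	/* We have our own random delay code already, disable PAM's */
	(void) pam_fail_delay(pamHandlep, 0 /* musec_delay */);
#endif

	if ((rc = pam_authenticate(pamHandlep, 0)) != PAM_SUCCESS) {
		dropbear_log(LOG_WARNING, "pam_authenticate() failed, rc=%d, %s",
				rc, pam_strerror(pamHandlep, rc));
		dropbear_log(LOG_WARNING,
				"Bad PAM password attempt for '%s' from %s",
				printable_user,
				svr_ses.addrstring);
		send_msg_userauth_failure(0, 1);
		goto cleanup;
	}

	/* Account checks run only after the credentials were accepted; a
	 * failure here is logged and answered exactly like a bad password. */
	if ((rc = pam_acct_mgmt(pamHandlep, 0)) != PAM_SUCCESS) {
		dropbear_log(LOG_WARNING, "pam_acct_mgmt() failed, rc=%d, %s",
				rc, pam_strerror(pamHandlep, rc));
		dropbear_log(LOG_WARNING,
				"Bad PAM password attempt for '%s' from %s",
				printable_user,
				svr_ses.addrstring);
		send_msg_userauth_failure(0, 1);
		goto cleanup;
	}

	if (!valid_user) {
		/* PAM auth succeeded but the username isn't allowed in for another reason
		(checkusername() failed) */
		send_msg_userauth_failure(0, 1);
		goto cleanup;
	}

	/* successful authentication */
	dropbear_log(LOG_NOTICE, "PAM password auth succeeded for '%s' from %s",
			ses.authstate.pw_name,
			svr_ses.addrstring);
	send_msg_userauth_success();

cleanup:
	if (password != NULL) {
		/* passwordlen is only read here, where password is non-NULL and
		 * buf_getstring() has therefore filled it in. */
		m_burn(password, passwordlen);
		m_free(password);
	}
	if (pamHandlep != NULL) {
		TRACE(("pam_end"))
		/* pam_end() expects the status most recently returned by the PAM
		 * library, so pass rc rather than a constant 0. */
		(void) pam_end(pamHandlep, rc);
	}
}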
297
298 #endif /* DROPBEAR_SVR_PAM_AUTH */