changeset 12317:89504ac80dd0
PSARC/2010/155 sshd(1M) PAM Service name options
4877708 PAM service name for sshd needs to be configurable
author | Darren J Moffat <Darren.Moffat@oracle.com> |
date | Thu, 06 May 2010 15:46:48 +0100 |
parents | 69d4c3b671ec |
children | a036286976a0 |
files | usr/src/cmd/ssh/include/auth-pam.h usr/src/cmd/ssh/include/servconf.h usr/src/cmd/ssh/sshd/auth-pam.c usr/src/cmd/ssh/sshd/servconf.c |
diffstat | 4 files changed, 90 insertions(+), 35 deletions(-) [+] |
--- a/usr/src/cmd/ssh/include/auth-pam.h Thu May 06 11:47:15 2010 +0200
+++ b/usr/src/cmd/ssh/include/auth-pam.h Thu May 06 15:46:48 2010 +0100
@@ -1,15 +1,3 @@
-/* $Id: auth-pam.h,v 1.16 2002/07/23 00:44:07 stevesk Exp $ */
-
-#ifndef _AUTH_PAM_H
-#define _AUTH_PAM_H
-
-#pragma ident "%Z%%M% %I% %E% SMI"
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-
 /*
  * Copyright (c) 2000 Damien Miller. All rights reserved.
  *
@@ -34,14 +22,22 @@
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 /*
- * Copyright 2004 Sun Microsystems, Inc. All rights reserved.
- * Use is subject to license terms.
+ * Copyright (c) 2001, 2010, Oracle and/or its affiliates. All rights reserved.
  */
+/* $Id: auth-pam.h,v 1.16 2002/07/23 00:44:07 stevesk Exp $ */
+
+#ifndef _AUTH_PAM_H
+#define _AUTH_PAM_H
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
 #include "includes.h"
 #ifdef USE_PAM
-const char * derive_pam_svc_name(Authmethod *method);
+char * derive_pam_svc_name(Authmethod *method);
 void new_start_pam(Authctxt *authctxt, struct pam_conv *conv);
 int auth_pam_password(Authctxt *authctxt, const char *password);
 int do_pam_non_initial_userauth(Authctxt *authctxt);
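Review bot: The new-side prototype still reads `char * derive_pam_svc_name(Authmethod *method);` while auth-pam.c in this same changeset defines and calls `derive_pam_service_name`, so the header now declares a function that no longer exists and the one actually called has no visible prototype. Rename the declaration to `char *derive_pam_service_name(Authmethod *method);` (or drop it if the function is meant to stay file-local to auth-pam.c). Since the change from `const char *` to `char *` is really an ownership change, a one-line comment above the prototype stating that the returned string is heap-allocated and must be freed by the caller would make the new contract explicit.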
--- a/usr/src/cmd/ssh/include/servconf.h Thu May 06 11:47:15 2010 +0200
+++ b/usr/src/cmd/ssh/include/servconf.h Thu May 06 15:46:48 2010 +0100
@@ -11,8 +11,7 @@
  * called by a name other than "ssh" or "Secure Shell".
  */
 /*
- * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
- * Use is subject to license terms.
+ * Copyright (c) 2001, 2010, Oracle and/or its affiliates. All rights reserved.
  */
 /* $OpenBSD: servconf.h,v 1.59 2002/07/30 17:03:55 markus Exp $ */
@@ -42,6 +41,7 @@
 /* Magic name for internal sftp-server */
 #define INTERNAL_SFTP_NAME "internal-sftp"
+#define _SSH_PAM_SERVICE_PREFIX "sshd"
 typedef struct {
 u_int num_ports;
@@ -164,6 +164,8 @@
 int use_openssl_engine;
 char *chroot_directory;
 char *pre_userauth_hook;
+ char *pam_service_prefix;
+ char *pam_service_name;
 } ServerOptions;
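Review bot: `_SSH_PAM_SERVICE_PREFIX` is a reserved identifier in C — names beginning with an underscore followed by an uppercase letter belong to the implementation — so `SSH_PAM_SERVICE_PREFIX` would be the conforming spelling, consistent with the neighbouring `INTERNAL_SFTP_NAME`. The two new ServerOptions members also need a note on ownership: the servconf.c hunks in this changeset store an xstrdup'd copy for values read from sshd_config but the bare string literal for the default prefix, so the members cannot be freed uniformly. A comment such as `char *pam_service_prefix; /* xstrdup'd from config, or the literal default */` and `char *pam_service_name; /* NULL means derive from pam_service_prefix */` would record that for later maintainers.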
--- a/usr/src/cmd/ssh/sshd/auth-pam.c Thu May 06 11:47:15 2010 +0200
+++ b/usr/src/cmd/ssh/sshd/auth-pam.c Thu May 06 15:46:48 2010 +0100
@@ -22,8 +22,7 @@
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 /*
- * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
- * Use is subject to license terms.
+ * Copyright (c) 2001, 2010, Oracle and/or its affiliates. All rights reserved.
  */
 #include "includes.h"
@@ -88,42 +87,66 @@
 return authctxt->method->name;
 }
-const char *
-derive_pam_svc_name(Authmethod *method)
+derive_pam_service_name(Authmethod *method)
 {
+ char *svcname = xmalloc(BUFSIZ);
+
+ /*
+  * If PamServiceName is set we use that for everything, including
+  * SSHv1
+  */
+ if (options.pam_service_name != NULL) {
+ (void) strlcpy(svcname, options.pam_service_name, BUFSIZ);
+ return (svcname);
+ }
+
 if (compat20 && method) {
 char *method_name = method->name;
 if (!method_name)
 fatal("Userauth method unknown while starting PAM");
- /* For SSHv2 we use "sshd-<userauth name> */
+ /*
+  * For SSHv2 we use "sshd-<userauth name>
+  * The "sshd" prefix can be changed via the PAMServicePrefix
+  * sshd_config option.
+  */
 if (strcmp(method_name, "none") == 0) {
- return "sshd-none";
+ snprintf(svcname, BUFSIZ, "%s-none",
+ options.pam_service_prefix);
 }
 if (strcmp(method_name, "password") == 0) {
- return "sshd-password";
+ snprintf(svcname, BUFSIZ, "%s-password",
+ options.pam_service_prefix);
 }
 if (strcmp(method_name, "keyboard-interactive") == 0) {
 /* "keyboard-interactive" is too long, shorten it */
- return "sshd-kbdint";
+ snprintf(svcname, BUFSIZ, "%s-kbdint",
+ options.pam_service_prefix);
 }
 if (strcmp(method_name, "publickey") == 0) {
 /* "publickey" is too long, shorten it */
- return "sshd-pubkey";
+ snprintf(svcname, BUFSIZ, "%s-pubkey",
+ options.pam_service_prefix);
 }
 if (strcmp(method_name, "hostbased") == 0) {
 /* "hostbased" can't really be shortened... */
- return "sshd-hostbased";
+ snprintf(svcname, BUFSIZ, "%s-hostbased",
+ options.pam_service_prefix);
 }
 if (strncmp(method_name, "gss", 3) == 0) {
 /* "gss" is too short, elongate it */
- return "sshd-gssapi";
+ snprintf(svcname, BUFSIZ, "%s-gssapi",
+ options.pam_service_prefix);
 }
+ return svcname;
+ } else {
+ /* SSHv1 doesn't get to be so cool */
+ snprintf(svcname, BUFSIZ, "%s-v1",
+ options.pam_service_prefix);
 }
-
- return "sshd-v1"; /* SSHv1 doesn't get to be so cool */
+ return svcname;
 }
 void
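Review bot: On the new side of this hunk nothing replaces the removed `const char *` line, so `derive_pam_service_name(Authmethod *method)` appears with no return type; unless that is a rendering artifact the definition falls back to implicit int while auth-pam.h and new_start_pam treat the result as `char *`, and `char *` should be restored on its own line above the name. The function now hands out an xmalloc'd buffer, which the old constant-string contract did not, so a header comment such as `/* Returns an xmalloc'd PAM service name; the caller must free() it. */` belongs above it. The strlcpy/snprintf writes are bounded by BUFSIZ, but a PAMServicePrefix long enough to truncate would silently select a different PAM service; checking the snprintf return value against BUFSIZ and calling fatal() on truncation would surface that as a configuration error instead.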
@@ -131,7 +154,8 @@
 {
 int retval;
 pam_handle_t *pamh;
- const char *rhost, *svc;
+ const char *rhost;
+ char *svc;
 char *user = NULL;
 pam_stuff *pam;
@@ -142,7 +166,7 @@
 fatal("Userauth method unknown while starting PAM");
 /* PAM service selected here */
- svc = derive_pam_svc_name(authctxt->method);
+ svc = derive_pam_service_name(authctxt->method);
 debug2("Starting PAM service %s for method %s", svc, get_method_name(authctxt));
@@ -186,6 +210,8 @@
 get_method_name(authctxt));
 }
+ free(svc);
+
 fatal_add_cleanup((void (*)(void *)) &do_pam_cleanup_proc, (void *) authctxt->pam);
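Review bot: `free(svc)` in the last hunk runs after the service name has presumably been handed to PAM in the code between the hunks, which is only safe if the PAM implementation copies the string into the handle rather than retaining the pointer; the hunk cannot show that, so once confirmed it deserves a comment such as `/* PAM keeps its own copy of the service name, so svc can go now */`. Any fatal() between the derive_pam_service_name() call and the free() leaks the buffer, which is harmless because fatal() exits, but a word to that effect in the same comment would stop someone "fixing" it later. new_start_pam begins before the first hunk and ends after the last one.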
--- a/usr/src/cmd/ssh/sshd/servconf.c Thu May 06 11:47:15 2010 +0200
+++ b/usr/src/cmd/ssh/sshd/servconf.c Thu May 06 15:46:48 2010 +0100
@@ -9,8 +9,7 @@
  * called by a name other than "ssh" or "Secure Shell".
  */
 /*
- * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
- * Use is subject to license terms.
+ * Copyright (c) 2001, 2010, Oracle and/or its affiliates. All rights reserved.
  */
 #include "includes.h"
@@ -155,6 +154,8 @@
 options->use_openssl_engine = -1;
 options->chroot_directory = NULL;
 options->pre_userauth_hook = NULL;
+ options->pam_service_name = NULL;
+ options->pam_service_prefix = NULL;
 }
 #ifdef HAVE_DEFOPEN
@@ -383,6 +384,10 @@
 options->lookup_client_hostnames = 1;
 if (options->use_openssl_engine == -1)
 options->use_openssl_engine = 1;
+ if (options->pam_service_prefix == NULL)
+ options->pam_service_prefix = _SSH_PAM_SERVICE_PREFIX;
+ if (options->pam_service_name == NULL)
+ options->pam_service_name = NULL;
 }
 /* Keyword tokens. */
@@ -421,7 +426,7 @@
 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
 sMaxAuthTries, sMaxAuthTriesLog, sUsePrivilegeSeparation,
 sLookupClientHostnames, sUseOpenSSLEngine, sChrootDirectory,
- sPreUserauthHook, sMatch,
+ sPreUserauthHook, sMatch, sPAMServicePrefix, sPAMServiceName,
 sDeprecated
 } ServerOpCodes;
@@ -525,6 +530,8 @@
 { "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
 { "preuserauthhook", sPreUserauthHook, SSHCFG_ALL},
 { "match", sMatch, SSHCFG_ALL },
+ { "pamserviceprefix", sPAMServicePrefix, SSHCFG_GLOBAL },
+ { "pamservicename", sPAMServiceName, SSHCFG_GLOBAL },
 { NULL, sBadOption, 0 }
 };
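Review bot: In the @@ -383 hunk, `if (options->pam_service_name == NULL) options->pam_service_name = NULL;` is a no-op and should either be dropped or replaced by a comment such as `/* pam_service_name stays NULL: derive the name from pam_service_prefix */` so the intent survives. The neighbouring default `options->pam_service_prefix = _SSH_PAM_SERVICE_PREFIX;` stores a string literal in a member that the config parser otherwise fills with xstrdup(), so the member can never be freed without first checking which one it holds; `options->pam_service_prefix = xstrdup(_SSH_PAM_SERVICE_PREFIX);` would keep ownership uniform. Both keywords are registered as SSHCFG_GLOBAL, which is right for a value read before authentication starts, and the table comment could say why they are not Match-able.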
@@ -1322,6 +1329,30 @@
 arg = strdelim(&cp);
 break;
+ case sPAMServicePrefix:
+ arg = strdelim(&cp);
+ if (!arg || *arg == '\0')
+ fatal("%s line %d: Missing argument.",
+ filename, linenum);
+ if (options->pam_service_name != NULL)
+ fatal("%s line %d: PAMServiceName and PAMServicePrefix "
+ "are mutually exclusive.", filename, linenum);
+ if (options->pam_service_prefix == NULL)
+ options->pam_service_prefix = xstrdup(arg);
+ break;
+
+ case sPAMServiceName:
+ arg = strdelim(&cp);
+ if (!arg || *arg == '\0')
+ fatal("%s line %d: Missing argument.",
+ filename, linenum);
+ if (options->pam_service_prefix != NULL)
+ fatal("%s line %d: PAMServiceName and PAMServicePrefix "
+ "are mutually exclusive.", filename, linenum);
+ if (options->pam_service_name == NULL)
+ options->pam_service_name = xstrdup(arg);
+ break;
+
 default:
 fatal("%s line %d: Missing handler for opcode %s (%d)",
 filename, linenum, arg, opcode);
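Review bot: The mutual-exclusion checks in both new cases test the other option's pointer before defaults are filled in, so they fire only when both keywords appear in the file and not against the "sshd" default applied later; that is correct but non-obvious, and a comment such as `/* Checked before fill_default_server_options(), so only an explicit PAMServicePrefix conflicts */` would keep someone from "fixing" the order. The `if (... == NULL)` guards give first-occurrence-wins semantics like the surrounding options, which is worth stating in the same comment. The argument is used verbatim as the PAM service name, so on PAM implementations that map the service name to a per-service configuration file a value containing '/' or whitespace could select an unintended stack; `if (strpbrk(arg, "/ \t") != NULL) fatal("%s line %d: Invalid PAM service name.", filename, linenum);` would make such a typo a clear configuration error. The enclosing switch and its function start and end outside the hunk.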