Hi,
There have been a bunch of useful submissions for the compare / contrast
thread.
To reduce the load on your mailbox, they are gathered here in one go...
Roger.
Date: Wed, 28 Oct 1998 15:11:37 +0000
From: "David L. Sifry" <dsifry@linuxcare.com>
To: "Matthew S. Crocker" <matthew@crocker.com>
CC: Rob Bringman <rob@trion.com>, linux-security@redhat.com
Subject: [linux-security] Re: compare / contrast of linux fw and others
For an extra module, Firewall-1 does VPN. Linux also has various VPN
options. Check out VPS <http://www.strongcrypto.com/> for one, CIPE
and IP Tunnel (ipip.o) are others off the top of my head.
Dave
--
Dave Sifry, Chief Technical Officer
LinuxCare, Inc.
415 831-9507 tel, 415 831-9763 fax
dsifry@linuxcare.com, http://www.linuxcare.com/
LinuxCare, The Leader in Linux Support
From: "Danyell Wilt" <danyell@ctelcom.net>
To: "Matthew S. Crocker" <matthew@crocker.com>
Cc: <linux-security@redhat.com>
Subject: [linux-security] Re: compare / contrast of linux fw and others
Date: Wed, 28 Oct 1998 09:17:45 -0600
>Can you do VPN with your linux solution. I love linux and have setup
>several linux firewalls. I have only played with firewall-1 for a bit and
>the GUI is the only thing I can think of which makes it a better
>'corporate' solution.
You can use ssh to make a VPN using Linux, pppd, and pty-redir. The
HOWTO was written by Arpad Magosanyi and is available at
http://www.cdrom.com/pub/linux/slackware/docs/mini/VPN
The VPN more or less sets up ppp between two Linux machines, and
encrypts all traffic using secure shell encryption.
Date: Wed, 28 Oct 1998 11:10:28 -0500 (EST)
From: "Peter H. Lemieux" <phl@cyways.com>
To: "Matthew S. Crocker" <matthew@crocker.com>
cc: Rob Bringman <rob@trion.com>, linux-security@redhat.com
Subject: [linux-security] Re: compare / contrast of linux fw and others
On Wed, 28 Oct 1998, Matthew S. Crocker wrote:
> Can you do VPN with your linux solution. I love linux and have setup
> several linux firewalls.
Check out http://sites.inka.de/sites/bigred/devel/cipe.html for a VPN
implementation for Linux. Installs as a kernel module plus daemon. By
default it uses 128-bit Blowfish, but can be configured to use other
encryption methods. Right now it uses a static key, but Olaf Titz, the
developer, has said he's looking to implement public-key solutions down
the road. His first priority at the moment is to make it all run with 2.1.x
kernels.
I now use it routinely to communicate with my remote servers. Makes it
look like the server resides on my private IP network which is behind my
Linux office firewall.
Peter
-----
Peter H. Lemieux Voice: (800) 5-CYWAYS
CYWAYS, Incorporated (+1 617 796 8995)
19 Westchester Road Fax: (617) 796-8997
Newton, Massachusetts 02458-2519 USA Web: http://www.cyways.com
To: linux-security@redhat.com
Subject: [linux-security] Re: compare / contrast of linux fw and others
Reply-To: oboyle@csociety.purdue.edu
Date: Wed, 28 Oct 1998 10:23:00 -0600
From: "Todd O'Boyle" <oboyle@csociety.purdue.edu>
> Doesn't Firewall-1 do VPN? Virus scanning (optional), HTTP scanning
> (virus/content optional) QoS.
HTTP content and Virus scanning comes with FW-1, but Checkpoint's VPN
software is a different product. They do seem to integrate seamlessly,
though.
> Can you do VPN with your linux solution. I love linux and have setup
> several linux firewalls. I have only played with firewall-1 for a bit and
> the GUI is the only thing I can think of which makes it a better
> 'corporate' solution.
One can build VPNs using SSH. There is a bit of information here, but
a web search would probably do you better:
http://csociety.ecn.purdue.edu/~sigos/projects/ssh/forwarding/index.html#VPN
It's based on running PPP over the encrypted SSH link.
The virus and HTTP scanning, if it isn't implemented already, would
probably be a fun project if we can find an algorithm to do such a thing.
Also, I have come across a WWW based rule-generator for IPFW. You can find it
at ftp://coast.cs.purdue.edu/pub/tools/unix/fwconfig/. This may be something
that may be a plus to sell IPFW to your boss.
cheers,
-Todd
To: linux-security@redhat.com
Subject: [linux-security] Re: compare / contrast of linux fw and others
Date: Wed, 28 Oct 1998 17:27:07 -0500
From: "Brandon S. Allbery KF8NH" <allbery@kf8nh.apk.net>
In message <Pine.LNX.3.95.981028080106.17173A-100000@rmc1.crocker.com>,
"Matthew S. Crocker" writes:
+-----
| > I am the Firewall-1 administrator where I work and it has a very nice
| > GUI tool for defining objects (can be hosts, networks, DNS domains,
| > groups of hosts, etc.) and a straightforward way of building a
| > rulebase.
|
| Doesn't Firewall-1 do VPN? Virus scanning (optional), HTTP scanning
| (virus/content optional) QoS.
+--->8
You could probably come up with modules to do these kinds of things in
connection with ipchains, but technically Linux's solution is a packet
filter, not a firewall. That's only one part of the equation --- products
like FireWall-1 also provide other parts such as proxy servers.
--
brandon s. allbery [os/2][linux][solaris][japh] allbery@kf8nh.apk.net
system administrator [WAY too many hats] allbery@ece.cmu.edu
electrical and computer engineering KF8NH
carnegie mellon university
From: "Carric Dooley" <carric@com2usa.com>
To: "'Matthew S. Crocker'" <matthew@crocker.com>,
"'Rob Bringman'" <rob@trion.com>
Cc: <linux-security@redhat.com>
Subject: Re: [Linux-security] Re: compare / contrast of Linux FW and others
Date: Wed, 28 Oct 1998 20:04:41 -0500
Firewall 1 will do FW to FW encrypted tunneling and you can download the
free "SecuRemote" client for VPN. The only VPN solution I have heard of for
Linux would be SSH. I was talking to the FSecure Rep and he said you can
run everything through SSH (mail, ftp, http, etc.). If you fire up an SSHd
on your Linux box, then use FSecure client on a windows box (and he said he
was sure it could be done with Linux, though he didn't know how -- I would
love to play with it). Now rootshell did get hacked through ssh today, so
maybe this requires more evaluation...
The other solution I have seen is to use SSH on two Linux boxes, then setup
tunneling between them as secure gateways between two networks.
Date: Thu, 29 Oct 1998 11:44:41 +0800
To: linux-security@redhat.com
From: Chan Kar Heng <khchan@cyberdude.com>
Subject: [linux-security] Re: compare / contrast of linux fw and others
At 08:05 AM 10/28/98 -0500, you wrote:
how about reporting? anything useful to please
the eyes of the management people?
>> I am the Firewall-1 administrator where I work and it has a very nice
>> GUI tool for defining objects (can be hosts, networks, DNS
<snipped>
http://home.backroom.net/~bozo
--
| Most people would die sooner than think.... | R.E.Wolff@BitWizard.nl
| in fact, most do. -- Bertrand Russell | phone: +31-15-2137555
We write Linux device drivers for any device you may have! fax: ..-2138217
From mail@mail.redhat.com Fri Oct 2 11:53:09 1998
Received: (qmail 11711 invoked from network); 2 Oct 1998 15:55:30 -0000
Received: from mail.redhat.com (199.183.24.239)
by mail2.redhat.com with SMTP; 2 Oct 1998 15:55:30 -0000
Received: from rosie.BitWizard.nl (root@3dyn98.delft.casema.net [195.96.104.98])
by mail.redhat.com (8.8.7/8.8.7) with ESMTP id LAA14580
for <linux-security@redhat.com>; Fri, 2 Oct 1998 11:53:09 -0400
Received: from cave.BitWizard.nl (wolff@cave.BitWizard.nl [130.161.127.248])
by rosie.BitWizard.nl (8.8.5/8.8.5) with ESMTP id RAA13664
for <linux-security@redhat.com>; Fri, 2 Oct 1998 17:52:42 +0200
Received: (from wolff@localhost)
by cave.BitWizard.nl (8.8.8/8.8.8) id RAA03785
for linux-security@redhat.com; Fri, 2 Oct 1998 17:52:34 +0200
Received: from pop.vuurwerk.nl
by rosie.BitWizard.nl (fetchmail-4.2.9 POP3 run by bitwiz)
Approved: R.E.Wolff@BitWizard.nl
for <wolff@localhost> (single-drop); Fri Oct 2 16:37:31 1998
Received: by haarlem-2.vuurwerk.nl (mbox bitwiz)
(with Cubic Circle's cucipop (v1.31 1998/05/13) Fri Oct 2 16:39:31 1998)
X-From_: linux-security-request@redhat.com Fri Oct 2 16:38:06 1998
Received: from leeuwarden.vuurwerk.nl (IDENT:root@leeuwarden.vuurwerk.nl
[194.178.232.16])
by haarlem-2.vuurwerk.nl (8.9.1/8.9.1) with ESMTP id QAA14860
for <bitwiz@haarlem-2.vuurwerk.nl>; Fri, 2 Oct 1998 16:37:57 +0200
Received: from mail2.redhat.com (mail2.redhat.com [199.183.24.247])
by leeuwarden.vuurwerk.nl (8.9.1/8.9.1) with SMTP id QAA21633
for <r.e.wolff@BitWizard.nl>; Fri, 2 Oct 1998 16:35:47 +0200
Received: (qmail 4511 invoked by uid 501); 2 Oct 1998 14:38:30 -0000
Received: (qmail 4499 invoked from network); 2 Oct 1998 14:38:30 -0000
Received: from mail.redhat.com (199.183.24.239)
by mail2.redhat.com with SMTP; 2 Oct 1998 14:38:30 -0000
Received: from fs.czacki.waw.ids.edu.pl (rafael@[195.117.4.90])
by mail.redhat.com (8.8.7/8.8.7) with ESMTP id KAA11755
for <linux-security@redhat.com>; Fri, 2 Oct 1998 10:35:47 -0400
Received: (from rafael@localhost)
by fs.czacki.waw.ids.edu.pl (8.8.7/8.8.7) id QAA03220;
Fri, 2 Oct 1998 16:35:05 +0200
Message-ID: <19981002163505.A3216@fs.czacki.waw.ids.edu.pl>
Date: Fri, 2 Oct 1998 16:35:05 +0200
From: "Rafael J. Wysocki" <rafael@fs.czacki.waw.ids.edu.pl>
To: linux-security@redhat.com
Subject: sshd and PAM
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.91.1
X-moderate: yes
Hi,
forgive me this (stupid?) question:
how to make sshd use PAM?
1) Do I need to recompile it?
2) What should I change in the source (if anything)?
Regards
Rafael
[mod: People, please reply to Rafael. Rafael, you will summarize in a
week OK? -- REW]
From mail@mail.redhat.com Wed Oct 7 18:37:32 1998
Received: (qmail 10520 invoked from network); 7 Oct 1998 22:42:08 -0000
Received: from mail.redhat.com (199.183.24.239)
by mail2.redhat.com with SMTP; 7 Oct 1998 22:42:08 -0000
Received: from rosie.BitWizard.nl (root@3dyn118.delft.casema.net
[195.96.104.118])
by mail.redhat.com (8.8.7/8.8.7) with ESMTP id SAA27008
for <linux-security@redhat.com>; Wed, 7 Oct 1998 18:37:32 -0400
Received: from cave.BitWizard.nl (wolff@cave.BitWizard.nl [130.161.127.248])
by rosie.BitWizard.nl (8.8.5/8.8.5) with ESMTP id AAA14801
for <linux-security@redhat.com>; Thu, 8 Oct 1998 00:37:17 +0200
Received: (from wolff@localhost)
by cave.BitWizard.nl (8.8.8/8.8.8) id AAA03389
for linux-security@redhat.com; Thu, 8 Oct 1998 00:37:17 +0200
Received: from pop.vuurwerk.nl
by rosie.BitWizard.nl (fetchmail-4.2.9 POP3 run by bitwiz)
Approved: R.E.Wolff@BitWizard.nl
for <wolff@localhost> (single-drop); Wed Oct 7 23:26:08 1998
Received: by haarlem-2.vuurwerk.nl (mbox bitwiz)
(with Cubic Circle's cucipop (v1.31 1998/05/13) Wed Oct 7 23:28:17 1998)
X-From_: linux-security-request@redhat.com Wed Oct 7 23:25:42 1998
Received: from leeuwarden.vuurwerk.nl (IDENT:root@leeuwarden.vuurwerk.nl
[194.178.232.16])
by haarlem-2.vuurwerk.nl (8.9.1/8.9.1) with ESMTP id XAA01319
for <bitwiz@haarlem-2.vuurwerk.nl>; Wed, 7 Oct 1998 23:25:41 +0200
Received: from mail2.redhat.com (mail2.redhat.com [199.183.24.247])
by leeuwarden.vuurwerk.nl (8.9.1/8.9.1) with SMTP id XAA23359
for <r.e.wolff@BitWizard.nl>; Wed, 7 Oct 1998 23:23:27 +0200
Received: (qmail 12811 invoked by uid 501); 7 Oct 1998 21:09:12 -0000
Received: (qmail 12796 invoked from network); 7 Oct 1998 21:09:12 -0000
Received: from mail.redhat.com (199.183.24.239)
by mail2.redhat.com with SMTP; 7 Oct 1998 21:09:12 -0000
Received: from fs.czacki.waw.ids.edu.pl (root@[195.117.4.90])
by mail.redhat.com (8.8.7/8.8.7) with ESMTP id RAA22613
for <linux-security@redhat.com>; Wed, 7 Oct 1998 17:04:44 -0400
Received: from dwarf.czacki.waw.ids.edu.pl (rafael@term12.waw.ids.edu.pl
[148.81.58.140])
by fs.czacki.waw.ids.edu.pl (8.8.7/8.8.7) with SMTP id XAA00954
for <linux-security@redhat.com>; Wed, 7 Oct 1998 23:05:40 +0200
From: "Rafael J. Wysocki"
<rafael@llinuxsite.czacki.waw.ids.edu.pl>
Reply-To: rafael@llinuxsite.czacki.waw.ids.edu.pl
To: linux-security@redhat.com
Subject: [linux-security] Re: sshd and PAM [summary]
Date: Wed, 7 Oct 1998 18:39:12 +0200
X-Mailer: KMail [version 0.7.9]
Content-Type: text/plain
References: <19981002163505.A3216@fs.czacki.waw.ids.edu.pl>
MIME-Version: 1.0
Message-Id: <98100719482004.00431@dwarf.czacki.waw.ids.edu.pl>
X-moderate: yes
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by haarlem-2.vuurwerk.nl id
XAA01319
-----BEGIN PGP SIGNED MESSAGE-----
Hi,
I've got several replies, thank you for them. Let me summarize:
o Many people say there is a PAMified version of ssh available at
ftp://ftp.replay.com/pub/crypto/redhat/SRPMS (the source)
ftp://ftp.replay.com/pub/crypto/redhat/i386 (Intel binaries)
(there are analogous paths for the other architectures). The packages
are made by Jan "Yenya" Kasprzak <kas@eunet.cz>. Of course, the mirrors
of ftp.replay.com contain these RPMs as well.
o John A. Martin <jam@jamux.com> says there are PAMified ssh packages at
ftp://ftp.fi.muni.cz/pub/ssh/local-fi.muni.cz/linux/
o Andy McRory <amacc@mailer.org> says there is a patch for ssh-1.2.25 at
ftp://ftp.dhp.com/pub/linux/dhp-dist
o Some people say the "original" sshd does not have PAM support built
in (not surprising) and it should be patched. The patch can be taken from the
SRPM at ftp.replay.com, for example (see above).
I have downloaded the RPMs from ftp.replay.com and done some (small) tests.
I've installed the binaries and configs/docs from ssh-1.2.26-1i.i386.rpm
and ssh-server-1.2.26-1i.i386.rpm and found that the stuff works with PAM
as long as the password authentication is used. However, if a client
uses RSA authentication, many PAM restrictions can be evaded. For example,
the RSA-authenticated client is always allowed to log in independently
of the PAM settings. Similarly, if I turn pam_limits.so on and set
maxlogins (in /etc/security/limits.conf) to, say, 2 for everyone, the
RSA-authenticated client is allowed to log in as many times as (s)he wants
(if the same client is password-authenticated, the limit takes effect, of
course). There are some other useful PAM modules which I suspect may not
work with this version of (PAMified) sshd. I'll verify this in a few days,
I hope.
For me, the conclusion is that if you need sshd which supports PAM, the
packages from ftp.replay.com may be useful, although you shouldn't expect
everything to work like you want it to.
Regards
Rafael
- --
My public PGP key is available at http://www.czacki.waw.ids.edu.pl/~rafael
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv
iQB1AwUBNhupZMbfgppnl6DpAQGmlQL5AZ0HsjIkAUzsX/DohXYOj35BSCBrAFcU
mTntAJpGYA+4r68FZV417NSxyLp158AvDsRpYVmAN6cVwsm9WqLPNbLV3sSfhEBk
F0DKynn+gTQoIMlg1dsXa5N02iq2lttA
=wJG6
-----END PGP SIGNATURE-----
[mod: It seems that the ssh-password authentication is PAM-ified,
but the RSA-authentication is not. SSH probably doesn't even call
PAM in the case that the RSA-authentication works. The current
implementation provides the PAM-features that go with passwords
(e.g. being able to switch to shadow passwords), as long as you use
passwords, but not with the RSA authentication. Still some work to
be done: take the ssh-RSA stuff and make it into a PAM module..... -- REW]
From mail@mail.redhat.com Thu Oct 8 07:04:11 1998
Received: (qmail 12173 invoked from network); 8 Oct 1998 11:08:57 -0000
Received: from mail.redhat.com (199.183.24.239)
by mail2.redhat.com with SMTP; 8 Oct 1998 11:08:57 -0000
Received: from rosie.BitWizard.nl (root@3dyn46.delft.casema.net [195.96.104.46])
by mail.redhat.com (8.8.7/8.8.7) with ESMTP id HAA15492
for <linux-security@redhat.com>; Thu, 8 Oct 1998 07:04:11 -0400
Received: from cave.BitWizard.nl (wolff@cave.BitWizard.nl [130.161.127.248])
by rosie.BitWizard.nl (8.8.5/8.8.5) with ESMTP id NAA18290
for <linux-security@redhat.com>; Thu, 8 Oct 1998 13:03:49 +0200
Received: (from wolff@localhost)
by cave.BitWizard.nl (8.8.8/8.8.8) id NAA01635
for linux-security@redhat.com; Thu, 8 Oct 1998 13:03:50 +0200
Received: from pop.vuurwerk.nl
by rosie.BitWizard.nl (fetchmail-4.2.9 POP3 run by bitwiz)
Approved: R.E.Wolff@BitWizard.nl
for <wolff@localhost> (single-drop); Thu Oct 8 12:19:16 1998
Received: by haarlem-2.vuurwerk.nl (mbox bitwiz)
(with Cubic Circle's cucipop (v1.31 1998/05/13) Thu Oct 8 12:21:26 1998)
X-From_: linux-security-request@redhat.com Thu Oct 8 12:19:16 1998
Received: from leeuwarden.vuurwerk.nl (leeuwarden.vuurwerk.nl [194.178.232.16])
by haarlem-2.vuurwerk.nl (8.9.1/8.9.1) with ESMTP id MAA24493
for <bitwiz@haarlem-2.vuurwerk.nl>; Thu, 8 Oct 1998 12:18:35 +0200
Received: from mail2.redhat.com (mail2.redhat.com [199.183.24.247])
by leeuwarden.vuurwerk.nl (8.9.1/8.9.1) with SMTP id MAA15710
for <r.e.wolff@BitWizard.nl>; Thu, 8 Oct 1998 12:16:22 +0200
Received: (qmail 24539 invoked by uid 501); 8 Oct 1998 10:20:58 -0000
Received: (qmail 24525 invoked from network); 8 Oct 1998 10:20:53 -0000
Received: from mail.redhat.com (199.183.24.239)
by mail2.redhat.com with SMTP; 8 Oct 1998 10:20:53 -0000
Received: from tau.ceti.com.pl (kravietz@tau.ceti.com.pl [195.116.211.2])
by mail.redhat.com (8.8.7/8.8.7) with ESMTP id GAA14789
for <linux-security@redhat.com>; Thu, 8 Oct 1998 06:16:18 -0400
Received: (from kravietz@localhost)
by tau.ceti.com.pl (8.8.8/8.8.8/bspm1.13/prot) id MAA06971;
Thu, 8 Oct 1998 12:16:03 +0200
Message-ID: <19981008121602.B4328@ceti.com.pl>
Date: Thu, 8 Oct 1998 12:16:02 +0200
From: Pawel Krawczyk <kravietz@ceti.com.pl>
To: rafael@llinuxsite.czacki.waw.ids.edu.pl, linux-security@redhat.com
Subject: [linux-security] Re: sshd and PAM [summary]
References: <19981002163505.A3216@fs.czacki.waw.ids.edu.pl>
<98100719482004.00431@dwarf.czacki.waw.ids.edu.pl>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93.2i
In-Reply-To: <98100719482004.00431@dwarf.czacki.waw.ids.edu.pl>; from
Rafael J. Wysocki on Wed, Oct 07, 1998 at 06:39:12PM +0200
X-moderate: yes
On Wed, Oct 07, 1998 at 06:39:12PM +0200, Rafael J. Wysocki wrote:
> of the PAM settings. Similarly, if I turn pam_limits.so on and set
> maxlogins (in /etc/security/limits.conf) to, say, 2 for everyone, the
> RSA-authenticated client is allowed to log in as many times as (s)he wants
> (if the same client is password-authenticated, the limit takes effect, of
> course). There are some other useful PAM modules which I suspect may not
> work with this version of (PAMified) sshd. I'll verify this in a few days,
> I hope.
I have modified the original patch moving the call to pam_sm_open_session()
to do_exec_pty() and do_exec_no_pty() and it seems to work (i.e. set limits)
for all types of authentication. Here's the diff against ssh-1.2.26, apply
to clean sources:
--- sshd.c.orig Tue Oct 6 18:15:32 1998
+++ sshd.c Tue Oct 6 18:14:31 1998
@@ -89,6 +89,9 @@
* feature. Added {Allow,Deny}Users feature from Steve Kann
* <stevek@SteveK.COM>.
*
+ * Revision 1.42a 1997/06/06 18:40:00 jonchen
+ * Added support for PAM
+ *
* Revision 1.42 1997/04/23 00:05:35 kivinen
* Added ifdefs around password expiration and inactivity checks,
* because some systems dont have sp_expire and sp_inact fields.
@@ -525,6 +528,14 @@
char *ticket = "none\0";
#endif /* KERBEROS */
+#ifdef HAVE_PAM
+#include <security/pam_appl.h>
+struct pam_handle_t *pamh=NULL;
+char *pampasswd=NULL;
+int retval;
+int origretval;
+#endif /* HAVE_PAM */
+
/* Server configuration options. */
ServerOptions options;
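Review bot: `struct pam_handle_t *pamh` is not the PAM handle type. `<security/pam_appl.h>` defines `pam_handle_t` as a typedef of `struct pam_handle`, so this line declares a pointer to an unrelated, never-defined struct tag, which is why every later call has to cast `(pam_handle_t *)pamh`. Declare it as `pam_handle_t *pamh = NULL;` and the casts (including `(pam_handle_t **)&pamh` at pam_start) can go. The `#include` also lands mid-file after the Kerberos block; it belongs with the other includes at the top.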
@@ -620,7 +631,56 @@
void do_child(const char *command, struct passwd *pw, const char *term,
const char *display, const char *auth_proto,
const char *auth_data, const char *ttyname);
+#ifdef HAVE_PAM
+static int pamconv (int num_msg,
+ const struct pam_message **msg,
+ struct pam_response **resp,
+ void *appdata_ptr) {
+ int count = 0, replies = 0;
+ struct pam_response *reply = NULL;
+ int size = sizeof(struct pam_response);
+
+ for (count = 0; count < num_msg; count++) {
+ switch (msg[count]->msg_style) {
+ case PAM_PROMPT_ECHO_ON:
+ case PAM_PROMPT_ECHO_OFF:
+ if (reply)
+ realloc(reply, size);
+ else
+ reply = malloc(size);
+ if (!reply) return PAM_CONV_ERR;
+ size += sizeof(struct pam_response);
+ reply[replies].resp_retcode = PAM_SUCCESS;
+ reply[replies++].resp = xstrdup (pampasswd);
+ /* PAM frees resp */
+ break;
+ case PAM_TEXT_INFO:
+ /* ignore it... */
+ break;
+ case PAM_ERROR_MSG:
+ default:
+ /* Must be an error of some sort... */
+ free (reply);
+ return PAM_CONV_ERR;
+ }
+ }
+ if (reply) *resp = reply;
+ return PAM_SUCCESS;
+}
+
+static struct pam_conv conv = {
+ pamconv,
+ NULL
+};
+
+void pam_cleanup_proc (void *context) {
+ if (retval == PAM_SUCCESS)
+ retval = pam_close_session ((pam_handle_t *)pamh, 0);
+ if (pam_end ((pam_handle_t *)pamh, retval) != PAM_SUCCESS)
+ log_msg ("Cannot release PAM authentication.");
+}
+#endif /* HAVE_PAM */
/* Signal handler for SIGHUP. Sshd execs itself when it receives SIGHUP;
the effect is to reread the configuration file (and to regenerate
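Review bot: in pamconv() the result of `realloc(reply, size)` is discarded, so from the second prompt on `reply` may point at a block realloc has already freed, and the grown block leaks; it has to be `reply = realloc(reply, size)`. Simpler still is a single `reply = calloc(num_msg, sizeof *reply)` before the loop, since PAM expects one response slot per message anyway; that also fixes `*resp` being left unset when no prompt was seen. Two more things in the same function: `xstrdup(pampasswd)` will be reached with `pampasswd == NULL` once pam_open_session runs for an RSA-authenticated session and a session module prompts, and `free(reply)` on the error path drops the array without freeing the strings already strdup'd into it.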
@@ -1379,6 +1439,13 @@
/* The connection has been terminated. */
log_msg("Closing connection to %.100s", get_remote_ipaddr());
+#ifdef HAVE_PAM
+ if (retval == PAM_SUCCESS)
+ retval = pam_close_session ((pam_handle_t *)pamh, 0);
+ if (pam_end ((pam_handle_t *)pamh, retval) != PAM_SUCCESS)
+ log_msg ("Cannot release PAM authentication.");
+ fatal_remove_cleanup (&pam_cleanup_proc, NULL);
+#endif /* HAVE_PAM */
packet_close();
exit(0);
}
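Review bot: this block is a copy of pam_cleanup_proc()'s body; calling `pam_cleanup_proc(NULL);` here and then `fatal_remove_cleanup()` keeps the normal and the fatal teardown paths from drifting apart.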
@@ -2157,7 +2224,13 @@
with any characters that are commonly used to start NIS entries. */
pw = getpwnam(user);
if (!pw || user[0] == ''-'' || user[0] ==
''+'' || user[0] == ''@'' ||
- !login_permitted(user, pw))
+ !login_permitted(user, pw)
+#ifdef HAVE_PAM
+ || ((retval=pam_start("ssh", pw->pw_name, &conv,
(pam_handle_t **)&pamh)),
+ (fatal_add_cleanup (&pam_cleanup_proc, NULL)),
+ (origretval = retval), (retval != PAM_SUCCESS))
+#endif /* HAVE_PAM */
+ )
do_authentication_fail_loop();
/* Take a copy of the returned structure. */
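Review bot: `fatal_add_cleanup(&pam_cleanup_proc, NULL)` is registered before `retval != PAM_SUCCESS` is examined, so when pam_start() fails the cleanup will later run pam_end() on a handle pam_start never set up. Register the cleanup only after pam_start has returned PAM_SUCCESS. Folding pam_start and three assignments into the `if` condition with the comma operator also hides them from anyone reading the `login_permitted` test; a separate `#ifdef HAVE_PAM` block before the `if` that sets a flag would read more easily.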
@@ -2189,6 +2262,7 @@
debug("Attempting authentication for %.100s.", user);
+
#if defined (KERBEROS) && defined (KRB5)
if (!options.kerberos_authentication &&
options.password_authentication &&
auth_password(user, "", 0))
@@ -3043,6 +3117,10 @@
int inout[2], err[2];
#endif /* USE_PIPES */
+#ifdef HAVE_PAM
+ retval = pam_open_session ((pam_handle_t *)pamh, 0);
+#endif /* HAVE_PAM */
+
#ifdef HAVE_OSF1_C2_SECURITY
{
const char *str;
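Review bot: `retval = pam_open_session(...)` is assigned but nothing acts on it, so do_exec_no_pty() goes on to run the command even when a session module refuses (the pam_limits maxlogins case Rafael tested would at most be logged). Check it and refuse the session on `retval != PAM_SUCCESS`, using whatever error path the surrounding function already has.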
@@ -3203,6 +3281,10 @@
#if defined (__bsdi__) && _BSDI_VERSION >= 199510
struct timeval tp;
#endif /* __bsdi__ && _BSDI_VERSION >= 199510 */
+
+#ifdef HAVE_PAM
+ retval = pam_open_session ((pam_handle_t *)pamh, 0);
+#endif /* HAVE_PAM */
#ifdef HAVE_OSF1_C2_SECURITY
{
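Review bot: for a session authenticated by RSA this pam_open_session() is the first PAM call after pam_start(): pam_authenticate() and pam_acct_mgmt() are only reached through auth-passwd.c, so account-type restrictions (expired accounts and the like) still do not apply to public-key logins even though the session stack now runs, and pam_setcred() is called on neither path. Worth pulling the two identical blocks into one helper called from both exec functions that checks `retval`, runs pam_acct_mgmt() if it has not run yet, then pam_setcred(PAM_ESTABLISH_CRED) and pam_open_session(), and refuses the exec on any failure.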
--- auth-passwd.c.orig Tue Oct 6 18:15:46 1998
+++ auth-passwd.c Tue Oct 6 18:14:35 1998
@@ -47,6 +47,9 @@
* Fixed kerberos ticket name handling. Added OSF C2 account
* locking and expiration support.
*
+ * Revision 1.11a 1997/06/06 06:40:00 jonchen
+ * Added support for PAM
+ *
* Revision 1.11 1997/04/17 03:57:05 kivinen
* Kept FILE: prefix in kerberos ticket filename as DCE cache
* code requires it (patch from Doug Engert <DEEngert@anl.gov>).
@@ -138,6 +141,13 @@
#include <auth.h>
#include <sys/svcinfo.h>
#endif /* HAVE_ULTRIX_SHADOW_PASSWORDS */
+#ifdef HAVE_PAM
+#include <security/pam_appl.h>
+extern pam_handle_t *pamh;
+extern int retval;
+extern char* pampasswd;
+extern int origretval;
+#endif /* HAVE_PAM */
#include "packet.h"
#include "ssh.h"
#include "servconf.h"
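Review bot: `extern pam_handle_t *pamh;` does not match the definition `struct pam_handle_t *pamh` in sshd.c; the two translation units see the same object under different types, which only works because both happen to be pointers. Use `pam_handle_t *` in both files.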
@@ -712,6 +722,17 @@
seteuid(UID_ROOT); /* just let it fail if ran by user */
#endif /* SECURE_RPC */
+#ifdef HAVE_PAM
+ {
+ retval = origretval;
+ pampasswd = xstrdup(password);
+ if (retval == PAM_SUCCESS)
+ retval = pam_authenticate ((pam_handle_t *)pamh, 0);
+ if (retval == PAM_SUCCESS)
+ retval = pam_acct_mgmt ((pam_handle_t *)pamh, 0);
+ xfree(pampasswd);
+ }
+#else /* HAVE_PAM */
#ifdef HAVE_OSF1_C2_SECURITY
if (osf1c2_getprpwent(correct_passwd, saved_pw_name,
sizeof(correct_passwd)))
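Review bot: `xfree(pampasswd)` leaves the global pointing at freed memory, and the conversation function is called again later from pam_open_session() in do_exec_*(); a session module that prompts would then xstrdup() a dangling pointer. Set `pampasswd = NULL` after freeing (and clear the copy with memset before xfree, since it is a plaintext password on the heap), and have pamconv() treat NULL as "no answer available".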
@@ -823,6 +844,7 @@
#endif /* HAVE_ETC_SHADOW */
#endif /* HAVE_SCO_ETC_SHADOW */
#endif /* HAVE_OSF1_C2_SECURITY */
+#endif /* HAVE_PAM */
/* Check for users with no password. */
if (strcmp(password, "") == 0 && strcmp(correct_passwd,
"") == 0)
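Review bot: with HAVE_PAM the `#else` above skips every branch that fills `correct_passwd`, yet the "users with no password" test right after this `#endif` still does `strcmp(correct_passwd, "")` on it. Either initialise `correct_passwd[0] = '\0'` on the PAM path or wrap that check in `#ifndef HAVE_PAM`, and decide explicitly whether an empty password should ever bypass PAM.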
@@ -844,6 +866,14 @@
xfree(saved_pw_name);
xfree(saved_pw_passwd);
+
+#if 0
+ {
+ if (retval == PAM_SUCCESS)
+ retval = pam_open_session ((pam_handle_t *)pamh, 0);
+ return (retval == PAM_SUCCESS);
+ }
+#endif /* HAVE_PAM */
#ifdef HAVE_ULTRIX_SHADOW_PASSWORDS
{
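Review bot: the guard is `#if 0` but the closing comment says `/* HAVE_PAM */`, and the block it disables was the only place `retval` fed auth_password()'s return value (`return (retval == PAM_SUCCESS)`). In these hunks I cannot see where a failing pam_authenticate() now rejects the password, so please confirm the function still returns 0 when `retval != PAM_SUCCESS`; otherwise PAM is advisory on the password path. Dropping the dead block entirely is cleaner than keeping it under `#if 0`.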
--- acconfig.h.pam Wed Jul 8 18:40:35 1998
+++ acconfig.h Sun Sep 27 18:38:10 1998
@@ -266,6 +266,9 @@
/* Define this if your spwd struct defined shadow.h have sp_inact field */
#undef HAVE_STRUCT_SPWD_INACT
+/* Define this if you use PAM */
+#undef HAVE_PAM
+
/* Define this if you want to enable TCP_NODELAY option */
#undef ENABLE_TCP_NODELAY
--- config.h.in.pam Wed Jul 8 18:41:12 1998
+++ config.h.in Sun Sep 27 18:38:10 1998
@@ -344,6 +344,9 @@
file */
#undef SCP_ALL_STATISTICS_ENABLED
+/* Define this if you use PAM */
+#undef HAVE_PAM
+
/* The number of bytes in a int. */
#undef SIZEOF_INT
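Review bot: config.h.in is autoheader output generated from acconfig.h, which the previous file already changes; keep this hunk only if the patch is meant for people who will not rerun autoheader, otherwise drop it so the two cannot go out of sync.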
--- configure.in.pam Wed Jul 8 18:41:10 1998
+++ configure.in Sun Sep 27 18:38:10 1998
@@ -362,6 +362,11 @@
AC_CHECK_SIZEOF(int,4)
AC_CHECK_SIZEOF(short,2)
+if test -f /usr/include/security/pam_appl.h; then
+ AC_DEFINE(HAVE_PAM)
+ LIBS="$LIBS -lpam -ldl"
+fi
+
if test -z "$no_termios"; then
AC_CHECK_HEADERS(termios.h)
fi
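Review bot: testing for `/usr/include/security/pam_appl.h` by path silently produces a non-PAM build when the headers live elsewhere and gives no way to turn PAM off. Prefer `AC_CHECK_HEADERS(security/pam_appl.h)` plus `AC_CHECK_LIB(pam, pam_start)` behind an `AC_ARG_WITH(pam, ...)` switch, which also records the result in config.h instead of hand-adding `-lpam -ldl` to LIBS.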
--
Pawel Krawczyk, CETI internet, Krakow. http://www.ceti.com.pl/
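As an added example, not part of Pawel's patch or of the ssh sources: a PAM conversation callback of the kind pamconv() in the patch above implements, handing PAM a password the server already holds. It differs from the patch in that the password travels through appdata_ptr rather than a global, the response array is allocated once from num_msg (no realloc), a prompt arriving with no password on hand (the RSA-authenticated case Rafael describes, where only the session stack runs) fails the conversation instead of copying a NULL pointer, and everything is released on the error paths. The type and constant definitions at the top are constructed stand-ins so the file builds without libpam; `stored_password_conv`, `free_responses`, `sample_conversation` and the sample messages are the example's own names, not anything from ssh or Linux-PAM.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for the part of <security/pam_appl.h> this
 * callback touches (same names and Linux-PAM values), so the file builds
 * without libpam.  On a real system delete them, include the header and
 * link with -lpam. */
#define PAM_SUCCESS          0
#define PAM_BUF_ERR          5
#define PAM_CONV_ERR        19
#define PAM_PROMPT_ECHO_OFF  1
#define PAM_PROMPT_ECHO_ON   2
#define PAM_ERROR_MSG        3
#define PAM_TEXT_INFO        4
struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };

/* Free a response array and every string it owns.  Used on the error
 * paths; on success PAM itself frees what the callback returns. */
void free_responses(struct pam_response *r, int n)
{
    int i;
    if (r == NULL) return;
    for (i = 0; i < n; i++) free(r[i].resp);
    free(r);
}

/* Conversation callback.  appdata_ptr is the password the application has
 * already collected, or NULL when it has none (a public-key login whose
 * session stack happens to prompt).  One calloc sized from num_msg gives
 * PAM the one-slot-per-message array it expects, with no realloc. */
int stored_password_conv(int num_msg, const struct pam_message **msg,
                         struct pam_response **resp, void *appdata_ptr)
{
    const char *password = appdata_ptr;
    struct pam_response *reply;
    int i;

    *resp = NULL;
    if (num_msg <= 0) return PAM_CONV_ERR;
    reply = calloc((size_t)num_msg, sizeof *reply);
    if (reply == NULL) return PAM_BUF_ERR;

    for (i = 0; i < num_msg; i++) {
        switch (msg[i]->msg_style) {
        case PAM_PROMPT_ECHO_ON:
        case PAM_PROMPT_ECHO_OFF:
            if (password == NULL) {     /* cannot answer: fail, never strdup(NULL) */
                free_responses(reply, num_msg);
                return PAM_CONV_ERR;
            }
            reply[i].resp = strdup(password);   /* PAM frees this on success */
            if (reply[i].resp == NULL) {
                free_responses(reply, num_msg);
                return PAM_BUF_ERR;
            }
            reply[i].resp_retcode = 0;
            break;
        case PAM_TEXT_INFO:
        case PAM_ERROR_MSG:
            /* A server has no terminal to show these on; log and continue. */
            fprintf(stderr, "pam: %s\n", msg[i]->msg ? msg[i]->msg : "");
            break;
        default:
            free_responses(reply, num_msg);
            return PAM_CONV_ERR;
        }
    }
    *resp = reply;
    return PAM_SUCCESS;
}

/* Constructed sample exchange: the hidden prompt plus one informational
 * line a typical password stack sends.  Returns the conversation result
 * and hands the response array back through out. */
int sample_conversation(char *password, struct pam_response **out)
{
    static const struct pam_message prompt = { PAM_PROMPT_ECHO_OFF, "Password: " };
    static const struct pam_message info   = { PAM_TEXT_INFO, "constructed notice" };
    const struct pam_message *msgs[2];
    msgs[0] = &prompt;
    msgs[1] = &info;
    return stored_password_conv(2, msgs, out, password);
}

int main(void)
{
    struct pam_response *r = NULL;
    int rc = sample_conversation("hunter2", &r);   /* PAM_SUCCESS, r[0].resp is "hunter2" */
    printf("with password: rc=%d answer=%s\n", rc, rc == PAM_SUCCESS ? r[0].resp : "(none)");
    free_responses(r, 2);
    rc = sample_conversation(NULL, &r);            /* PAM_CONV_ERR, r stays NULL */
    printf("without password: rc=%d r=%p\n", rc, (void *)r);
    return 0;
}
```

The password pointer lives in the `struct pam_conv` the application passes to pam_start(), so it can be set for the password path and left NULL for the public-key path; a module that prompts on the latter then gets a clean PAM_CONV_ERR, which the session-setup code should treat as a refusal rather than ignore.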