thr3ads.net - linux security - [linux-security] Re: sshd and PAM [summary] [Oct 1998]

If this information is useful, please help other people find it:
Share via:

Rafael J. Wysocki

1998-Oct-07 09:39 UTC

[linux-security] Re: sshd and PAM [summary]

-----BEGIN PGP SIGNED MESSAGE-----

	Hi,

I''ve got several replies, thank you for them.  Let me summarize:

o Many people say there is a PAMified version of ssh available at

	ftp://ftp.replay.com/pub/crypto/redhat/SRPMS (the source)
	ftp://ftp.replay.com/pub/crypto/redhat/i386  (Intel binaries)

  (there are analogous paths for the other architectures).  The packages
  are made by Jan "Yenya" Kasprzak <kas@eunet.cz>.  Of course,
the mirrors
  of ftp.replay.com contain these RPMs as well.

o John A. Martin <jam@jamux.com> says there are PAMified ssh packages at

	ftp://ftp.fi.muni.cz/pub/ssh/local-fi.muni.cz/linux/

o Andy McRory <amacc@mailer.org> says there is a patch for ssh-1.2.25 at

	ftp://ftp.dhp.com/pub/linux/dhp-dist

o Some people say the "original" sshd does not have PAM support built
in (not
  surprising) and it should be patched.  The patch can be taken from the
  SRPM at ftp.replay.com, for example (see above).

I have downloaded the RPMs from ftp.replay.com and done some (small) tests.

I''ve installed the binaries and configs/docs from
ssh-1.2.26-1i.i386.rpm
and ssh-server-1.2.26-1i.i386.rpm and found that the stuff works with PAM
as long as the password authentication is used.  However, if a client
uses RSA authentication, many PAM restrictions can be evaded.  For example,
the RSA-authenticated client is always allowed to log in independently
of the PAM settings.  Similarly, if I turn pam_limits.so on and set
maxlogins (in /etc/security/limits.conf) to, say, 2 for everyone, the
RSA-authenticated client is allowed to log in as many times as (s)he wants
(if the same client is password-authenticated, the limit takes effect, of
course).  There are some other useful PAM modules which I suspect may not
work with this version of (PAMified) sshd.  I''ll verify this in a few
days,
I hope.

For me, the conclusion is that if you need sshd which supports PAM, the
packages from ftp.replay.com may be useful, although you shouldn''t
expect
everything to work like you want it to.

	Regards

		Rafael

- --

My public PGP key is available at http://www.czacki.waw.ids.edu.pl/~rafael

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQB1AwUBNhupZMbfgppnl6DpAQGmlQL5AZ0HsjIkAUzsX/DohXYOj35BSCBrAFcU
mTntAJpGYA+4r68FZV417NSxyLp158AvDsRpYVmAN6cVwsm9WqLPNbLV3sSfhEBk
F0DKynn+gTQoIMlg1dsXa5N02iq2lttA
=wJG6
-----END PGP SIGNATURE-----

[mod: It seems that the ssh-password authentification is PAM-ified,
but the RSA-authentification is not. SSH probably doesn''t even call
PAM in the case that the RSA-authentification works. The current
implementation provides the PAM-features that go with passwords
(e.g. being able to switch to shadow passwords), as long as you use
passwords, but not with the RSA authentification.  Still some work to
be done: take the ssh-RSA stuff and make it into a PAM module..... -- REW]

Pawel Krawczyk

1998-Oct-08 03:16 UTC

head link

[linux-security] Re: sshd and PAM [summary]

On Wed, Oct 07, 1998 at 06:39:12PM +0200, Rafael J. Wysocki
wrote:> of the PAM settings.  Similarly, if I turn pam_limits.so on and set
> maxlogins (in /etc/security/limits.conf) to, say, 2 for everyone, the
> RSA-authenticated client is allowed to log in as many times as (s)he wants
> (if the same client is password-authenticated, the limit takes effect, of
> course).  There are some other useful PAM modules which I suspect may not
> work with this version of (PAMified) sshd.  I''ll verify this in a
few days,
> I hope.
I have modified the original patch moving the call to pam_sm_open_session()
to do_exec_pty() and do_exec_no_pty() and it seems to work (i.e. set limits)
for all types of authentication. Here''s the diff against ssh-1.2.26,
apply
to clean sources:

--- sshd.c.orig	Tue Oct  6 18:15:32 1998
+++ sshd.c	Tue Oct  6 18:14:31 1998
@@ -89,6 +89,9 @@
  * 	feature. Added {Allow,Deny}Users feature from Steve Kann
  * 	<stevek@SteveK.COM>.
  *
+ * Revision 1.42a 1997/06/06 18:40:00  jonchen
+ *	Added support for PAM
+ *
  * Revision 1.42  1997/04/23 00:05:35  kivinen
  * 	Added ifdefs around password expiration and inactivity checks,
  * 	because some systems dont have sp_expire and sp_inact fields.
@@ -525,6 +528,14 @@
 char *ticket = "none\0";
 #endif /* KERBEROS */

+#ifdef HAVE_PAM
+#include <security/pam_appl.h>
+struct pam_handle_t *pamh=NULL;
+char *pampasswd=NULL;
+int retval;
+int origretval;
+#endif /* HAVE_PAM */
+
 /* Server configuration options. */
 ServerOptions options;

@@ -620,7 +631,56 @@
 void do_child(const char *command, struct passwd *pw, const char *term,
 	      const char *display, const char *auth_proto,
 	      const char *auth_data, const char *ttyname);
+#ifdef HAVE_PAM
+static int pamconv (int num_msg,
+                     const struct pam_message **msg,
+                     struct pam_response **resp,
+                     void *appdata_ptr) {
+  int count = 0, replies = 0;
+  struct pam_response *reply = NULL;
+  int size = sizeof(struct pam_response);
+
+  for (count = 0; count < num_msg; count++) {
+    switch (msg[count]->msg_style) {
+      case PAM_PROMPT_ECHO_ON:
+      case PAM_PROMPT_ECHO_OFF:
+        if (reply)
+          realloc(reply, size);
+        else
+          reply = malloc(size);
+        if (!reply) return PAM_CONV_ERR;
+        size += sizeof(struct pam_response);
+        reply[replies].resp_retcode = PAM_SUCCESS;
+        reply[replies++].resp = xstrdup (pampasswd);
+          /* PAM frees resp */
+        break;
+      case PAM_TEXT_INFO:
+        /* ignore it... */
+        break;
+      case PAM_ERROR_MSG:
+      default:
+        /* Must be an error of some sort... */
+        free (reply);
+        return PAM_CONV_ERR;
+    }
+  }
+  if (reply) *resp = reply;
+  return PAM_SUCCESS;
+}
+
+static struct pam_conv conv = {
+    pamconv,
+    NULL
+};
+
+void pam_cleanup_proc (void *context) {
+  if (retval == PAM_SUCCESS)
+    retval = pam_close_session ((pam_handle_t *)pamh, 0);
+  if (pam_end ((pam_handle_t *)pamh, retval) != PAM_SUCCESS)
+    log_msg ("Cannot release PAM authentication.");
+}

+#endif /* HAVE_PAM */

 /* Signal handler for SIGHUP.  Sshd execs itself when it receives SIGHUP;
    the effect is to reread the configuration file (and to regenerate
@@ -1379,6 +1439,13 @@

   /* The connection has been terminated. */
   log_msg("Closing connection to %.100s", get_remote_ipaddr());
+#ifdef HAVE_PAM
+  if (retval == PAM_SUCCESS)
+    retval = pam_close_session ((pam_handle_t *)pamh, 0);
+  if (pam_end ((pam_handle_t *)pamh, retval) != PAM_SUCCESS)
+    log_msg ("Cannot release PAM authentication.");
+  fatal_remove_cleanup (&pam_cleanup_proc, NULL);
+#endif /* HAVE_PAM */
   packet_close();
   exit(0);
 }
@@ -2157,7 +2224,13 @@
      with any characters that are commonly used to start NIS entries. */
   pw = getpwnam(user);
   if (!pw || user[0] == ''-'' || user[0] ==
''+'' || user[0] == ''@'' ||
-      !login_permitted(user, pw))
+      !login_permitted(user, pw)
+#ifdef HAVE_PAM
+      || ((retval=pam_start("ssh", pw->pw_name, &conv,
(pam_handle_t **)&pamh)),
+	  (fatal_add_cleanup (&pam_cleanup_proc, NULL)),
+          (origretval = retval), (retval != PAM_SUCCESS))
+#endif /* HAVE_PAM */
+      )
     do_authentication_fail_loop();

   /* Take a copy of the returned structure. */
@@ -2189,6 +2262,7 @@

   debug("Attempting authentication for %.100s.", user);

+
 #if defined (KERBEROS) && defined (KRB5)
   if (!options.kerberos_authentication &&
options.password_authentication &&
       auth_password(user, "", 0))
@@ -3043,6 +3117,10 @@
   int inout[2], err[2];
 #endif /* USE_PIPES */

+#ifdef HAVE_PAM
+    retval = pam_open_session ((pam_handle_t *)pamh, 0);
+#endif /* HAVE_PAM */
+
 #ifdef HAVE_OSF1_C2_SECURITY
   {
     const char *str;
@@ -3203,6 +3281,10 @@
 #if defined (__bsdi__) && _BSDI_VERSION >= 199510
   struct timeval tp;
 #endif /*  __bsdi__ && _BSDI_VERSION >= 199510 */
+
+#ifdef HAVE_PAM
+    retval = pam_open_session ((pam_handle_t *)pamh, 0);
+#endif /* HAVE_PAM */

 #ifdef HAVE_OSF1_C2_SECURITY
   {
--- auth-passwd.c.orig	Tue Oct  6 18:15:46 1998
+++ auth-passwd.c	Tue Oct  6 18:14:35 1998
@@ -47,6 +47,9 @@
  * 	Fixed kerberos ticket name handling. Added OSF C2 account
  * 	locking and expiration support.
  *
+ * Revision 1.11a 1997/06/06 06:40:00  jonchen
+ *    Added support for PAM
+ *
  * Revision 1.11  1997/04/17 03:57:05  kivinen
  * 	Kept FILE: prefix in kerberos ticket filename as DCE cache
  * 	code requires it (patch from Doug Engert <DEEngert@anl.gov>).
@@ -138,6 +141,13 @@
 #include <auth.h>
 #include <sys/svcinfo.h>
 #endif /* HAVE_ULTRIX_SHADOW_PASSWORDS */
+#ifdef HAVE_PAM
+#include <security/pam_appl.h>
+extern pam_handle_t *pamh;
+extern int retval;
+extern char* pampasswd;
+extern int origretval;
+#endif /* HAVE_PAM */
 #include "packet.h"
 #include "ssh.h"
 #include "servconf.h"
@@ -712,6 +722,17 @@
   seteuid(UID_ROOT);                /* just let it fail if ran by user */
 #endif /* SECURE_RPC */

+#ifdef HAVE_PAM
+  {
+    retval = origretval;
+    pampasswd = xstrdup(password);
+    if (retval == PAM_SUCCESS)
+      retval = pam_authenticate ((pam_handle_t *)pamh, 0);
+    if (retval == PAM_SUCCESS)
+      retval = pam_acct_mgmt ((pam_handle_t *)pamh, 0);
+    xfree(pampasswd);
+  }
+#else /* HAVE_PAM */
 #ifdef HAVE_OSF1_C2_SECURITY
   if (osf1c2_getprpwent(correct_passwd, saved_pw_name,
 			sizeof(correct_passwd)))
@@ -823,6 +844,7 @@
 #endif /* HAVE_ETC_SHADOW */
 #endif /* HAVE_SCO_ETC_SHADOW */
 #endif /* HAVE_OSF1_C2_SECURITY */
+#endif /* HAVE_PAM */

   /* Check for users with no password. */
   if (strcmp(password, "") == 0 && strcmp(correct_passwd,
"") == 0)
@@ -844,6 +866,14 @@

   xfree(saved_pw_name);
   xfree(saved_pw_passwd);
+
+#if 0
+  {
+    if (retval == PAM_SUCCESS)
+      retval = pam_open_session ((pam_handle_t *)pamh, 0);
+    return (retval == PAM_SUCCESS);
+  }
+#endif /* HAVE_PAM */

 #ifdef HAVE_ULTRIX_SHADOW_PASSWORDS
   {
--- acconfig.h.pam	Wed Jul  8 18:40:35 1998
+++ acconfig.h	Sun Sep 27 18:38:10 1998
@@ -266,6 +266,9 @@
 /* Define this if your spwd struct defined shadow.h have sp_inact field */
 #undef HAVE_STRUCT_SPWD_INACT

+/* Define this if you use PAM */
+#undef HAVE_PAM
+
 /* Define this if you want to enable TCP_NODELAY option */
 #undef ENABLE_TCP_NODELAY

--- config.h.in.pam	Wed Jul  8 18:41:12 1998
+++ config.h.in	Sun Sep 27 18:38:10 1998
@@ -344,6 +344,9 @@
    file */
 #undef SCP_ALL_STATISTICS_ENABLED

+/* Define this if you use PAM */
+#undef HAVE_PAM
+
 /* The number of bytes in a int.  */
 #undef SIZEOF_INT

--- configure.in.pam	Wed Jul  8 18:41:10 1998
+++ configure.in	Sun Sep 27 18:38:10 1998
@@ -362,6 +362,11 @@
 AC_CHECK_SIZEOF(int,4)
 AC_CHECK_SIZEOF(short,2)

+if test -f /usr/include/security/pam_appl.h; then
+  AC_DEFINE(HAVE_PAM)
+  LIBS="$LIBS -lpam -ldl"
+fi
+
 if test -z "$no_termios"; then
   AC_CHECK_HEADERS(termios.h)
 fi

--
Pawel Krawczyk, CETI internet, Krakow. http://www.ceti.com.pl/

Reasonably Related Threads

Search for more reasonably related threads

linux security - Oct 1998 - Re: sshd and PAM [summary]

[linux-security] Re: sshd and PAM [summary]

[linux-security] Re: sshd and PAM [summary]

Reasonably Related Threads