Nalin Dahyabhai
1999-Dec-28 16:10 UTC
Patches to report rsaref build and to call pam_setcred
I've attached two patches. The first just changes the output of "ssh
-V"
to print that it was built against rsaref if libRSAglue (which is built
as part of openssl only when it is built against rsaref) is present at
build-time. The second adds appropriate calls to pam_setcred() in sshd.
Without them, our systems can't access AFS because the PAM modules only
get tokens at a pam_setcred() or pam_open_session() call.
Cheers,
Nalin
-------------- next part --------------
diff -uNr acconfig.h acconfig.h
--- acconfig.h Sat Dec 25 18:21:48 1999
+++ acconfig.h Mon Dec 27 10:46:05 1999
@@ -24,6 +24,10 @@
/* Define if your ssl headers are included with #include
<openssl/header.h> */
#undef HAVE_OPENSSL
+/* Define if you are linking against RSAref. Used only to print the right
+ * message at run-time. */
+#undef RSAREF
+
/* Define is utmp.h has a ut_host field */
#undef HAVE_HOST_IN_UTMP
diff -uNr config.h.in config.h.in
--- config.h.in Sat Dec 25 22:25:22 1999
+++ config.h.in Mon Dec 27 10:51:13 1999
@@ -27,6 +27,10 @@
/* Define if your ssl headers are included with #include
<openssl/header.h> */
#undef HAVE_OPENSSL
+/* Define if you are linking against RSAref. Used only to print the right
+ * message at run-time. */
+#undef RSAREF
+
/* Define is utmp.h has a ut_host field */
#undef HAVE_HOST_IN_UTMP
diff -uNr configure.in configure.in
--- configure.in Sat Dec 25 18:21:48 1999
+++ configure.in Mon Dec 27 10:45:09 1999
@@ -89,7 +89,8 @@
saved_LIBS="$LIBS"
LIBS="$saved_LIBS -lRSAglue -lrsaref"
AC_TRY_LINK([], [],
-[AC_MSG_RESULT(yes); ],
+[AC_MSG_RESULT(yes);
+ AC_DEFINE(RSAREF)],
[AC_MSG_RESULT(no)]; LIBS="$saved_LIBS")
dnl Checks for libraries.
diff -uNr ssh.c ssh.c
--- ssh.c Mon Dec 13 18:47:16 1999
+++ ssh.c Mon Dec 27 10:48:43 1999
@@ -305,7 +305,11 @@
case 'V':
fprintf(stderr, "SSH Version %s, protocol version %d.%d.\n",
SSH_VERSION, PROTOCOL_MAJOR, PROTOCOL_MINOR);
+#ifndef RSAREF
fprintf(stderr, "Compiled with SSL.\n");
+#else
+ fprintf(stderr, "Compiled with SSL (RSAref version).\n");
+#endif
if (opt == 'V')
exit(0);
debug_flag = 1;
-------------- next part --------------
--- sshd.c Mon Dec 27 23:09:36 1999
+++ sshd.c Tue Dec 28 10:57:00 1999
@@ -149,6 +149,7 @@
int do_pam_auth(const char *user, const char *password);
void do_pam_account(char *username, char *remote_user);
void do_pam_session(char *username, char *ttyname);
+void do_pam_setcred();
void pam_cleanup_proc(void *context);
static struct pam_conv conv = {
@@ -230,6 +231,12 @@
PAM_STRERROR((pam_handle_t *)pamh, pam_retval));
}
+ pam_retval = pam_setcred((pam_handle_t *)pamh, PAM_DELETE_CRED);
+ if (pam_retval != PAM_SUCCESS) {
+ log("Cannot delete credentials: %.200s",
+ PAM_STRERROR((pam_handle_t *)pamh, pam_retval));
+ }
+
pam_retval = pam_end((pam_handle_t *)pamh, pam_retval);
if (pam_retval != PAM_SUCCESS) {
log("Cannot release PAM authentication: %.200s",
@@ -301,6 +308,16 @@
if (pam_retval != PAM_SUCCESS)
fatal("PAM session setup failed: %.200s",
PAM_STRERROR((pam_handle_t *)pamh, pam_retval));
}
+
+void do_pam_setcred()
+{
+ int pam_retval;
+
+ debug("PAM establishing creds");
+ pam_retval = pam_setcred((pam_handle_t *)pamh, PAM_ESTABLISH_CRED);
+ if (pam_retval != PAM_SUCCESS)
+ fatal("PAM setcred failed: %.200s", PAM_STRERROR((pam_handle_t
*)pamh, pam_retval));
+}
#endif /* USE_PAM */
/*
@@ -1903,6 +1920,9 @@
packet_set_interactive(have_pty || display != NULL,
options.keepalives);
+#ifdef USE_PAM
+ do_pam_setcred();
+#endif
if (forced_command != NULL)
goto do_forced_command;
debug("Forking shell.");
@@ -1918,6 +1938,9 @@
packet_set_interactive(have_pty || display != NULL,
options.keepalives);
+#ifdef USE_PAM
+ do_pam_setcred();
+#endif
if (forced_command != NULL)
goto do_forced_command;
/* Get command from the packet. */
Possibly Parallel Threads
Wisdom of the Ancients
