I'm fairly new to the list and new to submitting patches. Can someone
please verify the attached patch for running an HP-UX Trusted System with
PAM and OpenSSH 3.4p1? The problem seemed to be that pam couldn't verify
the user via __pamh after the call to permanently_set_uid in session.c.
So I called do_pam_session prior to the call and added a function
do_pam_set_tty in order to set the tty after allocation.
--
Dan Wanek
diff -u -r openssh-3.4p1/auth-pam.c openssh-3.4p1-dw/auth-pam.c
--- openssh-3.4p1/auth-pam.c Tue May 7 21:27:56 2002
+++ openssh-3.4p1-dw/auth-pam.c Tue Jul 16 07:54:05 2002
@@ -294,6 +294,18 @@
session_opened = 1;
}
+/* Set the TTY after session is open */
+void do_pam_set_tty(const char *ttyname) {
+ int pam_retval;
+ if (ttyname != NULL) {
+ debug("PAM setting tty to \"%.200s\"", ttyname);
+ pam_retval = pam_set_item(__pamh, PAM_TTY, ttyname);
+ if (pam_retval != PAM_SUCCESS)
+ fatal("PAM set tty failed[%d]: %.200s",
+ pam_retval, PAM_STRERROR(__pamh, pam_retval));
+ }
+}
+
/* Set PAM credentials */
void do_pam_setcred(int init)
{
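Review bot: do_pam_set_tty calls pam_set_item on __pamh without checking that a handle exists or that a session has been opened, yet its comment says it runs "after session is open". With the session.c part of this patch, the pty path calls do_pam_set_tty in the parent before the fork and opens the session only later in the child, so the comment is wrong for the only caller; either drop the comment or test `__pamh != NULL` (and, if the ordering is intended, `session_opened`) before the pam_set_item call. Also, the brace style `void do_pam_set_tty(const char *ttyname) {` differs from the surrounding file, which puts the opening brace on its own line as in `void do_pam_setcred(int init)` / `{`.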
Only in openssh-3.4p1-dw: auth-pam.c.orig
diff -u -r openssh-3.4p1/auth-pam.h openssh-3.4p1-dw/auth-pam.h
--- openssh-3.4p1/auth-pam.h Thu Apr 4 13:02:28 2002
+++ openssh-3.4p1-dw/auth-pam.h Tue Jul 16 07:54:05 2002
@@ -12,6 +12,7 @@
int do_pam_authenticate(int flags);
int do_pam_account(char *username, char *remote_user);
void do_pam_session(char *username, const char *ttyname);
+void do_pam_set_tty(const char *ttyname);
void do_pam_setcred(int init);
void print_pam_messages(void);
int is_pam_password_change_required(void);
Only in openssh-3.4p1-dw: auth-pam.h.orig
diff -u -r openssh-3.4p1/session.c openssh-3.4p1-dw/session.c
--- openssh-3.4p1/session.c Wed Jun 26 08:51:06 2002
+++ openssh-3.4p1-dw/session.c Tue Jul 16 07:54:06 2002
@@ -461,7 +461,6 @@
session_proctitle(s);
#if defined(USE_PAM)
- do_pam_session(s->pw->pw_name, NULL);
do_pam_setcred(1);
if (is_pam_password_change_required())
packet_disconnect("Password change required but no "
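Review bot: removing do_pam_session here means do_pam_setcred(1) now runs for the no-pty path before any PAM session has been opened, and nothing at this site says the session will instead be opened later in do_child. This ordering change is under `#if defined(USE_PAM)` only, so it applies to every PAM platform, not just HP-UX; add a comment here pointing at the new open-session site and confirm the setcred-before-open_session order is acceptable on the other PAM platforms OpenSSH supports.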
@@ -579,7 +578,7 @@
ttyfd = s->ttyfd;
#if defined(USE_PAM)
- do_pam_session(s->pw->pw_name, s->tty);
+ do_pam_set_tty(s->tty);
do_pam_setcred(1);
#endif
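Review bot: replacing do_pam_session with do_pam_set_tty(s->tty) keeps the fatal() behaviour but changes what is being done in the parent: only PAM_TTY is recorded, and the session open that previously happened here is deferred to the child. This relies on the child inheriting the __pamh state across the fork so that the later do_pam_session(pw->pw_name, NULL) still sees the tty; that dependency is not stated anywhere and should be noted in a comment next to this call, since a future reordering of do_pam_set_tty and the fork would silently lose the tty for session modules.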
@@ -1204,6 +1203,13 @@
* Reestablish them here.
*/
do_pam_setcred(0);
+
+ /*
+ * We need to open the session here because PAM on HP-UX does not
+ * work after the call to permanently_set_uid.
+ */
+ do_pam_session(pw->pw_name,NULL);
+
# endif /* USE_PAM */
# if defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) ||
defined(WITH_IRIX_ARRAY)
irix_setusercontext(pw);
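Review bot: `do_pam_session(pw->pw_name,NULL);` needs a space after the comma to match the surrounding style. More importantly, the comment describes an HP-UX workaround but the new call is compiled for every USE_PAM build, and opening the session in the child after the fork means the parent's session_opened flag (set at the end of do_pam_session, as the auth-pam.c hunk shows) stays 0, so a pam_close_session driven by that flag in the parent's cleanup will be skipped and session-accounting modules will never see the session end. Consider guarding this with an HP-UX-specific define, or make the child responsible for closing the session as well, and document in the comment that the tty is expected to have been set earlier via do_pam_set_tty since NULL is passed here.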
Only in openssh-3.4p1-dw: session.c.orig
The patch looks reasonable, but I don't believe Trusted HP-UX has pam, or at least we don't have it on our machines. I even asked around the office and no one thinks we have pam on 10.26. Are we mistaken or missing a patch? Or are you talking about some version other than Trusted HP-UX 10.26? Later versions of HP-UX may have pam (I think 11i does), but I don't know of any later version of Trusted HP-UX than 10.26.

Darren Cole

----- Original Message -----
From: "Dan Wanek" <dwanek at dexter.it-ias.depaul.edu>
To: <openssh-unix-dev at mindrot.org>
Sent: Tuesday, July 16, 2002 6:25 AM
Subject: HP-UX PAM with Trusted System patch

> I'm fairly new to the list and new to submitting patches. Can someone
> please verify the attached patch for running an HP-UX Trusted System with
> PAM and OpenSSH 3.4p1? The problem seemed to be that pam couldn't verify
> the user via __pamh after the call to permanently_set_uid in session.c.
> So I called do_pam_session prior to the call and added a function
> do_pam_set_tty in order to set the tty after allocation.
>
> --
> Dan Wanek
Trusted HP-UX refers to any HP-UX running with the /tcb crap and various other security related extensions. On any of our systems from 10.20 through 11.11, you can go into SAM and choose "Convert to trusted system" or somesuch.

-----Original Message-----
From: Darren Cole [mailto:dcole at keysoftsys.com]
Sent: Tuesday, July 16, 2002 8:06 PM
To: Dan Wanek; openssh-unix-dev at mindrot.org
Subject: Re: HP-UX PAM with Trusted System patch

> The patch looks reasonable, but I don't believe Trusted HP-UX has pam, or
> at least we don't have it on our machines. I even asked around the office
> and no one thinks we have pam on 10.26. Are we mistaken or missing a
> patch? Or are you talking about some version other than Trusted HP-UX
> 10.26? Later versions of HP-UX may have pam (I think 11i does), but I
> don't know of any later version of Trusted HP-UX than 10.26.
>
> Darren Cole