Debian Bug report logs -
#61906
ssh: pam support is minimal
Reported by: Magosanyi Arpad <mag@bunuel.tii.matav.hu>
Date: Thu, 6 Apr 2000 14:52:48 UTC
Severity: normal
Tags: potato
Found in version 1:1.2.1pre24-1
Done: Matthew Vernon <matthew@debian.org>
Bug is archived. No further changes may be made.
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: ssh
Version: 1:1.2.1pre24-1
Severity: normal
If ssh is built with PAM support, it cannot handle challenge-response authentication. Here is the patch, made by johans@medeia.tii.matav.hu .
diff -u openssh-1.2.2.orig/auth-pam.c openssh-1.2.2/auth-pam.c
--- openssh-1.2.2.orig/auth-pam.c Thu Jan 27 00:55:38 2000
+++ openssh-1.2.2/auth-pam.c Thu Apr 6 13:44:01 2000
@@ -12,6 +12,7 @@
#include "ssh.h"
#include "xmalloc.h"
#include "servconf.h"
+#include "packet.h"
RCSID("$Id: auth-pam.c,v 1.2 2000/01/26 23:55:38 damien Exp $");
@@ -26,7 +27,6 @@
NULL
};
static struct pam_handle_t *pamh = NULL;
-static const char *pampasswd = NULL;
static char *pamconv_msg = NULL;
/* PAM conversation function. This is really a kludge to get the password */
@@ -38,6 +38,8 @@
int count;
size_t msg_len;
char *p;
+ char *password = NULL;
+ int dlen, plen, type;
/* PAM will free this later */
reply = malloc(num_msg * sizeof(*reply));
@@ -47,12 +49,23 @@
for(count = 0; count < num_msg; count++) {
switch (msg[count]->msg_style) {
case PAM_PROMPT_ECHO_OFF:
- if (pampasswd == NULL) {
+ packet_start(SSH_SMSG_AUTH_TIS_CHALLENGE);
+ packet_put_string(msg[count]->msg, strlen(msg[count]->msg));
+ packet_send();
+ packet_write_wait();
+ if (type = packet_read(&plen) == SSH_CMSG_AUTH_TIS_RESPONSE) {
+ debug("rcvd SSH_CMSG_AUTH_TIS_RESPONSE in PAM");
+ password = packet_get_string(&dlen);
+ debug("PAM response == '%s'", password);
+ packet_integrity_check(plen, 4 + dlen, type);
+ }
+
+ if (password == NULL) {
free(reply);
return PAM_CONV_ERR;
}
reply[count].resp_retcode = PAM_SUCCESS;
- reply[count].resp = xstrdup(pampasswd);
+ reply[count].resp = password;
break;
case PAM_TEXT_INFO:
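Review bot: `debug("PAM response == '%s'", password);` writes the user's password or one-time-password response into the debug log in clear text; drop the line, or log only that a response arrived. The condition `if (type = packet_read(&plen) == SSH_CMSG_AUTH_TIS_RESPONSE)` assigns the result of the comparison to `type` rather than the packet type, so `packet_integrity_check(plen, 4 + dlen, type)` is always handed 1 and its diagnostic would name the wrong type; any other packet the client sends at this point is consumed and silently discarded, leaving `password` NULL. The read should be separated from the test and a mismatch at least logged, as below. The conversation function starts before this hunk.
```c
case PAM_PROMPT_ECHO_OFF:
	/* … unchanged: send msg[count]->msg as the TIS challenge … */
	type = packet_read(&plen);
	if (type == SSH_CMSG_AUTH_TIS_RESPONSE) {
		password = packet_get_string(&dlen);
		packet_integrity_check(plen, 4 + dlen, type);
		debug("rcvd SSH_CMSG_AUTH_TIS_RESPONSE in PAM");
	} else {
		/* The packet has been consumed; the NULL check below fails the conversation. */
		debug("unexpected packet type %d while waiting for PAM response", type);
	}
	/* … unchanged: NULL check returning PAM_CONV_ERR, reply[count] setup … */
```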
@@ -118,7 +131,7 @@
}
/* Attempt password authentation using PAM */
-int auth_pam_password(struct passwd *pw, const char *password)
+int auth_pam_password(struct passwd *pw)
{
extern ServerOptions options;
int pam_retval;
@@ -128,10 +141,6 @@
return 0;
if (pw->pw_uid == 0 && options.permit_root_login == 2)
return 0;
- if (*password == '\0' && options.permit_empty_passwd == 0)
- return 0;
-
- pampasswd = password;
pam_retval = pam_authenticate((pam_handle_t *)pamh, 0);
if (pam_retval == PAM_SUCCESS) {
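Review bot: The removed `*password == '\0' && options.permit_empty_passwd == 0` guard is not reinstated anywhere in the patch, so in a PAM build `PermitEmptyPasswords no` (which the reporter's own sshd_config at the end of this report sets) no longer has any effect: an empty response goes straight into pam_authenticate() and the policy is left entirely to the PAM stack. The equivalent check belongs in the conversation function once the response has been read, `if (*password == '\0' && options.permit_empty_passwd == 0) { xfree(password); free(reply); return PAM_CONV_ERR; }`, with an `extern ServerOptions options;` declaration there as auth_pam_password already has. auth_pam_password continues past this hunk.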
diff -u openssh-1.2.2.orig/auth-pam.h openssh-1.2.2/auth-pam.h
--- openssh-1.2.2.orig/auth-pam.h Thu Jan 27 00:55:38 2000
+++ openssh-1.2.2/auth-pam.h Thu Apr 6 13:44:53 2000
@@ -5,7 +5,7 @@
void start_pam(struct passwd *pw);
void finish_pam(void);
-int auth_pam_password(struct passwd *pw, const char *password);
+int auth_pam_password(struct passwd *pw);
char **fetch_pam_environment(void);
int do_pam_account(char *username, char *remote_user);
void do_pam_session(char *username, const char *ttyname);
Common subdirectories: openssh-1.2.2.orig/packages and openssh-1.2.2/packages
diff -u openssh-1.2.2.orig/sshd.c openssh-1.2.2/sshd.c
--- openssh-1.2.2.orig/sshd.c Wed Jan 26 01:07:22 2000
+++ openssh-1.2.2/sshd.c Thu Apr 6 13:48:31 2000
@@ -139,13 +139,14 @@
void do_exec_pty(const char *command, int ptyfd, int ttyfd,
const char *ttyname, struct passwd * pw, const char *term,
const char *display, const char *auth_proto,
- const char *auth_data);
+ const char *auth_data, const char *original);
void do_exec_no_pty(const char *command, struct passwd * pw,
const char *display, const char *auth_proto,
- const char *auth_data);
+ const char *auth_data, const char *original);
void do_child(const char *command, struct passwd * pw, const char *term,
const char *display, const char *auth_proto,
- const char *auth_data, const char *ttyname);
+ const char *auth_data, const char *ttyname,
+ const char *original);
/*
* Close all listening sockets
@@ -237,6 +238,10 @@
switch (type) {
case SSH_CMSG_AUTH_PASSWORD:
return "password";
+#ifdef USE_PAM
+ case SSH_CMSG_AUTH_TIS:
+ return "PAM";
+#endif
case SSH_CMSG_AUTH_RSA:
return "rsa";
case SSH_CMSG_AUTH_RHOSTS_RSA:
@@ -970,9 +975,13 @@
if (options.skey_authentication == 1)
auth_mask |= 1 << SSH_AUTH_TIS;
#endif
- if (options.password_authentication)
+ if (options.password_authentication)
+#ifdef USE_PAM
+ auth_mask |= 1 << SSH_AUTH_TIS;
+#else /* USE_PAM */
auth_mask |= 1 << SSH_AUTH_PASSWORD;
- packet_put_int(auth_mask);
+#endif /* USE_PAM */
+ packet_put_int(auth_mask);
/* Send the packet and wait for it to be sent. */
packet_send();
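Review bot: Under USE_PAM the mask now advertises SSH_AUTH_TIS instead of SSH_AUTH_PASSWORD, so a client that does not enable TISAuthentication (the reporter had to add it to ssh_config) is offered no password-style method at all; advertising both, `auth_mask |= (1 << SSH_AUTH_TIS) | (1 << SSH_AUTH_PASSWORD);`, would keep plain password clients working provided the SSH_CMSG_AUTH_PASSWORD handler is kept as well, which is the same objection the follow-up in this bug raises. The `#ifdef` selects the body of a brace-less `if`, which is easy to misread; braces around the whole conditional would make the two variants explicit. The `- if`/`+ if` pair changes only whitespace.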
@@ -1234,11 +1243,11 @@
(!options.kerberos_authentication || options.kerberos_or_local_passwd) &&
#endif /* KRB4 */
#ifdef USE_PAM
- auth_pam_password(pw, "")) {
-#else /* USE_PAM */
+ 0) {
+#else /* USE_PAM */
auth_password(pw, "")) {
-#endif /* USE_PAM */
- /* Authentication with empty password succeeded. */
+#endif
+ /* Authentication with empty password succeeded. */
log("Login for user %s from %.100s, accepted without authentication.",
pw->pw_name, get_remote_ipaddr());
} else {
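Review bot: The bare `0)` that replaces `auth_pam_password(pw, "")` carries no explanation, and the `/* Authentication with empty password succeeded. */` comment right after it now describes a branch the PAM build can never enter; a compiler will also flag the constant `&& 0` condition. A comment on the `0` should say why it is there, e.g. `/* USE_PAM: the conversation function now sends a challenge to the client, so no silent empty-password probe is attempted here. */` — presumably that is the reason, since the new conversation function performs network I/O. The `#endif` also lost its `/* USE_PAM */` label while the rest of the ladder keeps them. The enclosing function starts before and ends after this hunk.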
@@ -1268,8 +1277,13 @@
do_authenticated(pw);
}
+#ifdef USE_PAM
+#define AUTH_FAIL_MAX 1
+#define AUTH_FAIL_LOG 1
+#else /* USE_PAM */
#define AUTH_FAIL_MAX 6
#define AUTH_FAIL_LOG (AUTH_FAIL_MAX/2)
+#endif /* USE PAM */
#define AUTH_FAIL_MSG "Too many authentication failures for %.100s"
/*
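Review bot: `AUTH_FAIL_MAX 1` under USE_PAM disconnects the client after its first failed attempt of any kind, not only a failed PAM conversation; if the authentication loop counts every received packet as an attempt (its body is outside this hunk), a client that offers one unauthorized RSA key before falling back to the challenge is cut off before it can answer. The rationale — presumably that PAM modules do their own retry handling — should be stated in a comment next to the define, and the limit reconsidered against the non-PAM methods still in the switch. The `#endif /* USE PAM */` label is also misspelled relative to `USE_PAM` used everywhere else.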
@@ -1426,30 +1440,30 @@
authenticated = auth_rsa(pw, n);
BN_clear_free(n);
break;
-
+#ifdef USE_PAM
+ case SSH_CMSG_AUTH_TIS:
+ if (!options.password_authentication) {
+ verbose("Password authentication disabled.");
+ break;
+ }
+ authenticated = auth_pam_password(pw);
+ break;
+
+#else
case SSH_CMSG_AUTH_PASSWORD:
if (!options.password_authentication) {
verbose("Password authentication disabled.");
break;
}
- /*
- * Read user password. It is in plain text, but was
- * transmitted over the encrypted channel so it is
- * not visible to an outside observer.
- */
- password = packet_get_string(&dlen);
- packet_integrity_check(plen, 4 + dlen, type);
-#ifdef USE_PAM
- /* Do PAM auth with password */
- authenticated = auth_pam_password(pw, password);
-#else /* USE_PAM */
- /* Try authentication with the password. */
+ password = packet_get_string(&dlen);
+ packet_integrity_check(plen, 4 + dlen, type);
authenticated = auth_password(pw, password);
-#endif /* USE_PAM */
memset(password, 0, strlen(password));
xfree(password);
- break;
+ break
+
+#endif
#ifdef SKEY
case SSH_CMSG_AUTH_TIS:
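Review bot: The new `break` in the `#else` branch has no semicolon, so every build without USE_PAM fails to compile — the next token after `#endif` is the SKEY `case` label; it must be `break;`. With USE_PAM and SKEY both defined, `case SSH_CMSG_AUTH_TIS:` appears twice in the same switch, which is also a compile error; the SKEY case needs `#if defined(SKEY) && !defined(USE_PAM)` or the PAM case must be merged into it. Under USE_PAM the SSH_CMSG_AUTH_PASSWORD case is gone entirely, so a plain password packet falls through to `default` instead of being answered with `"Password authentication disabled."`. The switch and the surrounding authentication loop continue outside the hunk.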
@@ -1483,11 +1497,13 @@
}
break;
#else
+#ifndef USE_PAM
case SSH_CMSG_AUTH_TIS:
/* TIS Authentication is unsupported */
log("TIS authentication unsupported.");
break;
#endif
+#endif
default:
/*
@@ -1638,7 +1654,7 @@
int row, col, xpixel, ypixel, screen;
char ttyname[64];
char *command, *term = NULL, *display = NULL, *proto = NULL,
- *data = NULL;
+ *data = NULL, *original = NULL;
struct group *grp;
gid_t tty_gid;
mode_t tty_mode;
@@ -1820,9 +1836,9 @@
debug("Forking shell.");
packet_integrity_check(plen, 0, type);
if (have_pty)
- do_exec_pty(NULL, ptyfd, ttyfd, ttyname, pw, term, display, proto, data);
+ do_exec_pty(NULL, ptyfd, ttyfd, ttyname, pw, term, display, proto, data, NULL);
else
- do_exec_no_pty(NULL, pw, display, proto, data);
+ do_exec_no_pty(NULL, pw, display, proto, data, NULL);
return;
case SSH_CMSG_EXEC_CMD:
@@ -1830,19 +1846,19 @@
packet_set_interactive(have_pty || display != NULL,
options.keepalives);
- if (forced_command != NULL)
- goto do_forced_command;
/* Get command from the packet. */
{
int dlen;
- command = packet_get_string(&dlen);
- debug("Executing command '%.500s'", command);
+ original = command = packet_get_string(&dlen);
+ debug("Executing (original) command '%.500s'", command);
packet_integrity_check(plen, 4 + dlen, type);
}
+ if (forced_command != NULL)
+ goto do_forced_command;
if (have_pty)
- do_exec_pty(command, ptyfd, ttyfd, ttyname, pw, term, display, proto, data);
+ do_exec_pty(command, ptyfd, ttyfd, ttyname, pw, term, display, proto, data, original);
else
- do_exec_no_pty(command, pw, display, proto, data);
+ do_exec_no_pty(command, pw, display, proto, data, original);
xfree(command);
return;
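Review bot: Reading the client command before the `forced_command` check is what makes `original` available, but on the forced path (`goto do_forced_command`) the string returned by packet_get_string is never handed to `xfree` — only the non-forced path frees it — so it leaks for the life of the session process; freeing it after the forced do_exec call, before that path's `return`, closes this. The message `debug("Executing (original) command '%.500s'", command)` now fires even when the forced command will run instead of it; `debug("Received command '%.500s'", command);` would not mislead anyone reading the log. The enclosing function starts before and continues after this hunk.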
@@ -1881,9 +1897,9 @@
*/
debug("Executing forced command: %.900s", forced_command);
if (have_pty)
- do_exec_pty(forced_command, ptyfd, ttyfd, ttyname, pw, term, display, proto, data);
+ do_exec_pty(forced_command, ptyfd, ttyfd, ttyname, pw, term, display, proto, data, original);
else
- do_exec_no_pty(forced_command, pw, display, proto, data);
+ do_exec_no_pty(forced_command, pw, display, proto, data, original);
return;
}
}
@@ -1896,7 +1912,7 @@
void
do_exec_no_pty(const char *command, struct passwd * pw,
const char *display, const char *auth_proto,
- const char *auth_data)
+ const char *auth_data, const char *original)
{
int pid;
@@ -1971,7 +1987,7 @@
#endif /* USE_PIPES */
/* Do processing for the child (exec command etc). */
- do_child(command, pw, NULL, display, auth_proto, auth_data, NULL);
+ do_child(command, pw, NULL, display, auth_proto, auth_data, NULL, original);
/* NOTREACHED */
}
if (pid < 0)
@@ -2032,7 +2048,7 @@
do_exec_pty(const char *command, int ptyfd, int ttyfd,
const char *ttyname, struct passwd * pw, const char *term,
const char *display, const char *auth_proto,
- const char *auth_data)
+ const char *auth_data, const char *original)
{
int pid, fdout;
const char *hostname;
@@ -2159,7 +2175,7 @@
}
}
/* Do common processing for the child, such as execing the command. */
- do_child(command, pw, term, display, auth_proto, auth_data, ttyname);
+ do_child(command, pw, term, display, auth_proto, auth_data, ttyname, original);
/* NOTREACHED */
}
if (pid < 0)
@@ -2324,7 +2340,8 @@
void
do_child(const char *command, struct passwd * pw, const char *term,
const char *display, const char *auth_proto,
- const char *auth_data, const char *ttyname)
+ const char *auth_data, const char *ttyname,
+ const char *original)
{
const char *shell, *cp = NULL;
char buf[256];
@@ -2439,6 +2456,8 @@
child_set_env(&env, &envsize, "TERM", term);
if (display)
child_set_env(&env, &envsize, "DISPLAY", display);
+ if (original)
+ child_set_env(&env, &envsize, "SSH_ORIGINAL_COMMAND", original);
#ifdef _AIX
{
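Review bot: `SSH_ORIGINAL_COMMAND` is populated from a string the client chose, and nothing here says so; a forced command that reads it (the purpose of this addition) must treat it as untrusted input. A comment above the new lines should state that: `/* Client-supplied command line, exported verbatim for a forced command to inspect; untrusted — never pass it to a shell unquoted. */`. Because the non-forced exec paths in this patch also pass `original`, the variable is exported even when the command itself is executed, which a later reader may not expect; restricting it to the forced path would make its meaning unambiguous. do_child starts before this hunk.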
-- System Information
Debian Release: potato
Kernel Version: Linux bunuel 2.2.9 #2 Fri Jun 4 23:14:38 EST 1999 i686 unknown
Versions of the packages ssh depends on:
ii libc6 2.1.2-11 GNU C Library: Shared libraries and Timezone
ii libpam-modules 0.72-1 Pluggable Authentication Modules for PAM
ii libpam0g 0.72-1 Pluggable Authentication Modules library
ii libssl09 0.9.4-3 SSL shared libraries
pi libwrap0 7.6-2 Wietse Venema's TCP wrappers library
ii zlib1g 1.1.3-5 compression library - runtime
^^^ (Provides virtual package libz1)
--- Begin /etc/ssh/sshd_config (modified conffile)
Port 22
ListenAddress 0.0.0.0
HostKey /etc/ssh/ssh_host_key
ServerKeyBits 768
LoginGraceTime 600
KeyRegenerationInterval 3600
PermitRootLogin no
IgnoreRhosts yes
StrictModes yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd yes
KeepAlive yes
SyslogFacility DAEMON
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords no
UseLogin no
--- End /etc/ssh/sshd_config
--- Begin /etc/ssh/ssh_config (modified conffile)
TISAuthentication yes
--- End /etc/ssh/ssh_config
Message #10 received at 61906@bugs.debian.org (full text, mbox, reply):
Hello,
on my Debian woody system, I tried to get sshd to accept OPIE (one-time
password) authentication through PAM. This currently fails because
there is no way to permit the OPIE challenge to be displayed at the
password prompt.
Starting from the patch at
http://www.debian.org/Bugs/db/61/61906.html
I managed to get OPIE working. However, the patch above is not very
clean in that it replaces password authentication by TIS
authentication. A related issue is that it is a priori not clear which
of ssh's authentication mechanisms should be handled by
PAM... password, TIS, s/key?
Therefore my question: Is anybody working on cleaning up and extending
the PAM code? Otherwise, I would be ready to spend some effort on
that.
-Hein
Message #17 received at 61906-done@bugs.debian.org (full text, mbox, reply):
Hi,
Woody is out of the door, so it is with the greatest pleasure that I
close these 37 potato bugs :)
Matthew
--
Rapun.sel - outermost outpost of the Pick Empire
http://www.pick.ucam.org