ClearML/dropbear
1
0
Fork 0
mirror of https://github.com/clearml/dropbear synced 2025-06-26 18:17:32 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

propagate of f51a272341ee12268fe7028bc2f2bad66c603069 and ab35ee4292ea910d4871c3609d6100fe34300720 from branch 'matt.dbclient.rez' to 'matt.dbclient.work'

Browse Source 
--HG--
branch : private-rez
extra : convert_revision : 23e9cf6a5b5e33f172b7b8505c0731ce9c0b93df
This commit is contained in:
Matt Johnston 2004-09-14 13:09:29 +00:00
commit 448a05ae2c
7 changed files with 292 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Makefile.in
View File

@ -24,7 +24,7 @@ COMMONOBJS=dbutil.o buffer.o \
SVROBJS=svr-kex.o svr-algo.o svr-auth.o sshpty.o \ SVROBJS=svr-kex.o svr-algo.o svr-auth.o sshpty.o \
svr-authpasswd.o svr-authpubkey.o svr-session.o svr-service.o \ svr-authpasswd.o svr-authpubkey.o svr-session.o svr-service.o \
svr-chansession.o svr-runopts.o svr-agentfwd.o svr-main.o svr-x11fwd.o\ svr-chansession.o svr-runopts.o svr-agentfwd.o svr-main.o svr-x11fwd.o\
svr-tcpfwd.o svr-tcpfwd.o svr-authpam.o
CLIOBJS=cli-algo.o cli-main.o cli-auth.o cli-authpasswd.o cli-kex.o \ CLIOBJS=cli-algo.o cli-main.o cli-auth.o cli-authpasswd.o cli-kex.o \
cli-session.o cli-service.o cli-runopts.o cli-chansession.o \ cli-session.o cli-service.o cli-runopts.o cli-chansession.o \

1
auth.h
View File

@ -36,6 +36,7 @@ void send_msg_userauth_failure(int partial, int incrfail);
void send_msg_userauth_success(); void send_msg_userauth_success();
void svr_auth_password(); void svr_auth_password();
void svr_auth_pubkey(); void svr_auth_pubkey();
void svr_auth_pam();
/* Client functions */ /* Client functions */
void recv_msg_userauth_failure(); void recv_msg_userauth_failure();

39
configure.in
View File

@ -117,6 +117,43 @@ AC_ARG_ENABLE(zlib,
] ]
) )
# Check if pam is needed
AC_ARG_WITH(pam,
[ --with-pam=PATH Use pam in PATH],
[
# option is given
if test -d "$withval/lib"; then
LDFLAGS="-L${withval}/lib ${LDFLAGS}"
else
LDFLAGS="-L${withval} ${LDFLAGS}"
fi
if test -d "$withval/include"; then
CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
else
CPPFLAGS="-I${withval} ${CPPFLAGS}"
fi
]
)
AC_ARG_ENABLE(pam,
[ --enable-pam Try to include PAM support],
[
if test "x$enableval" = "xyes"; then
AC_CHECK_LIB(pam, pam_authenticate, , AC_MSG_ERROR([*** PAM missing - install first or check config.log ***]))
AC_MSG_RESULT(Enabling PAM)
else
AC_DEFINE(DISABLE_PAM,, Use PAM)
AC_MSG_RESULT(Disabling PAM)
fi
],
[
# disable it by default
AC_DEFINE(DISABLE_PAM,, Use PAM)
AC_MSG_RESULT(Disabling PAM)
]
)
AC_ARG_ENABLE(openpty, AC_ARG_ENABLE(openpty,
[ --disable-openpty Don't use openpty, use alternative method], [ --disable-openpty Don't use openpty, use alternative method],
[ [
@ -169,7 +206,7 @@ AC_ARG_ENABLE(shadow,
# Checks for header files. # Checks for header files.
AC_HEADER_STDC AC_HEADER_STDC
AC_HEADER_SYS_WAIT AC_HEADER_SYS_WAIT
AC_CHECK_HEADERS([fcntl.h limits.h netinet/in.h netinet/tcp.h stdlib.h string.h sys/socket.h sys/time.h termios.h unistd.h crypt.h pty.h ioctl.h libutil.h libgen.h inttypes.h stropts.h utmp.h utmpx.h lastlog.h paths.h util.h netdb.h]) AC_CHECK_HEADERS([fcntl.h limits.h netinet/in.h netinet/tcp.h stdlib.h string.h sys/socket.h sys/time.h termios.h unistd.h crypt.h pty.h ioctl.h libutil.h libgen.h inttypes.h stropts.h utmp.h utmpx.h lastlog.h paths.h util.h netdb.h security/pam_appl.h pam/pam_appl.h])
# Checks for typedefs, structures, and compiler characteristics. # Checks for typedefs, structures, and compiler characteristics.
AC_C_CONST AC_C_CONST

20
options.h
View File

@ -110,9 +110,19 @@ etc) slower (perhaps by 50%). Recommended for most small systems. */
#define MOTD_FILENAME "/etc/motd" #define MOTD_FILENAME "/etc/motd"
#endif #endif
/* Authentication types to enable, at least one required. /* Authentication Types - at least one required.
RFC Draft requires pubkey auth, and recommends password */ RFC Draft requires pubkey auth, and recommends password */
#define ENABLE_SVR_PASSWORD_AUTH
/* PAM auth is quite simple, and only works for PAM modules which just do a
* simple "Login: " "Password: " (or something like that - if your module is
* similar but not quite like that, edit the strings in svr-authpam.c).
* Basically, it's useful for systems like OS X where standard password crypts
* don't work, but there's and interface via a PAM module. You'll need to
* configure with --enable-pam as well, since it's off by default. And you
* should only enable either PASSWORD _or_ PAM auth, not both. */
/*#define ENABLE_SVR_PASSWORD_AUTH*/
#define ENABLE_SVR_PAM_AUTH
#define ENABLE_SVR_PUBKEY_AUTH #define ENABLE_SVR_PUBKEY_AUTH
#define ENABLE_CLI_PASSWORD_AUTH #define ENABLE_CLI_PASSWORD_AUTH
@ -173,7 +183,7 @@ etc) slower (perhaps by 50%). Recommended for most small systems. */
*******************************************************************/ *******************************************************************/
#ifndef DROPBEAR_VERSION #ifndef DROPBEAR_VERSION
#define DROPBEAR_VERSION "0.44test3" #define DROPBEAR_VERSION "0.44rez1"
#endif #endif
#define LOCAL_IDENT "SSH-2.0-dropbear_" DROPBEAR_VERSION #define LOCAL_IDENT "SSH-2.0-dropbear_" DROPBEAR_VERSION
@ -322,6 +332,10 @@ etc) slower (perhaps by 50%). Recommended for most small systems. */
#define DROPBEAR_KEY_LINES /* ie we're using authorized_keys or known_hosts */ #define DROPBEAR_KEY_LINES /* ie we're using authorized_keys or known_hosts */
#endif #endif
#if defined(ENABLE_SVR_PASSWORD_AUTH) && defined(ENABLE_SVR_PAM_AUTH)
#error "You can't turn on PASSWORD and PAM auth both at once. Fix it in options.h"
#endif
/* We use dropbear_client and dropbear_server as shortcuts to avoid redundant /* We use dropbear_client and dropbear_server as shortcuts to avoid redundant
* code, if we're just compiling as client or server */ * code, if we're just compiling as client or server */
#if defined(DROPBEAR_SERVER) && defined(DROPBEAR_CLIENT) #if defined(DROPBEAR_SERVER) && defined(DROPBEAR_CLIENT)

15
svr-auth.c
View File

@ -55,7 +55,7 @@ static void authclear() {
#ifdef ENABLE_SVR_PUBKEY_AUTH #ifdef ENABLE_SVR_PUBKEY_AUTH
ses.authstate.authtypes |= AUTH_TYPE_PUBKEY; ses.authstate.authtypes |= AUTH_TYPE_PUBKEY;
#endif #endif
#ifdef ENABLE_SVR_PASSWORD_AUTH #if defined(ENABLE_SVR_PASSWORD_AUTH) || defined(ENABLE_SVR_PAM_AUTH)
if (!svr_opts.noauthpass) { if (!svr_opts.noauthpass) {
ses.authstate.authtypes |= AUTH_TYPE_PASSWORD; ses.authstate.authtypes |= AUTH_TYPE_PASSWORD;
} }
@ -154,6 +154,19 @@ void recv_msg_userauth_request() {
} }
#endif #endif
#ifdef ENABLE_SVR_PAM_AUTH
if (!svr_opts.noauthpass &&
!(svr_opts.norootpass && ses.authstate.pw->pw_uid == 0) ) {
/* user wants to try password auth */
if (methodlen == AUTH_METHOD_PASSWORD_LEN &&
strncmp(methodname, AUTH_METHOD_PASSWORD,
AUTH_METHOD_PASSWORD_LEN) == 0) {
svr_auth_pam();
goto out;
}
}
#endif
#ifdef ENABLE_SVR_PUBKEY_AUTH #ifdef ENABLE_SVR_PUBKEY_AUTH
/* user wants to try pubkey auth */ /* user wants to try pubkey auth */
if (methodlen == AUTH_METHOD_PUBKEY_LEN && if (methodlen == AUTH_METHOD_PUBKEY_LEN &&

219
svr-authpam.c Normal file
View File

@ -0,0 +1,219 @@
/*
* Dropbear SSH
*
* Copyright (c) 2004 Martin Carlsson
* Portions (c) 2004 Matt Johnston
* All rights reserved.
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in
* all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE. */
/* Validates a user password using PAM */
#include "includes.h"
#include "session.h"
#include "buffer.h"
#include "dbutil.h"
#include "auth.h"
#if defined(HAVE_SECURITY_PAM_APPL_H)
#include <security/pam_appl.h>
#elif defined (HAVE_PAM_PAM_APPL_H)
#include <pam/pam_appl.h>
#endif
struct UserDataS {
char* user;
char* passwd;
};
/* PAM conversation function - for now we only handle one message */
int
pamConvFunc(int num_msg,
const struct pam_message **msg,
struct pam_response **respp,
void *appdata_ptr) {
int rc = PAM_SUCCESS;
struct pam_response* resp = NULL;
struct UserDataS* userDatap = (struct UserDataS*) appdata_ptr;
const char* message = (*msg)->msg;
TRACE(("enter pamConvFunc"));
if (num_msg != 1) {
/* If you're getting here - Dropbear probably can't support your pam
* modules. This whole file is a bit of a hack around lack of
* asynchronocity in PAM anyway */
dropbear_log(LOG_INFO, "pamConvFunc() called with >1 messages: not supported.");
return PAM_CONV_ERR;
}
TRACE(("msg_style is %d", (*msg)->msg_style));
if (message) {
TRACE(("message is '%s'", message));
} else {
TRACE(("null message"));
}
switch((*msg)->msg_style) {
case PAM_PROMPT_ECHO_OFF:
if (strcmp(message, "Password:") != 0) {
TRACE(("PAM_PROMPT_ECHO_OFF: unrecognized prompt"));
rc = PAM_CONV_ERR;
break;
}
/* This looks leaky, but the PAM module-writer docs
* assure us that the caller will free it... */
resp = (struct pam_response*) m_malloc(sizeof(struct pam_response));
memset(resp, 0, sizeof(struct pam_response));
/* Safe to just use the direct pointer (no strdup) since
* it shouldn't be getting munged at all */
resp->resp = userDatap->passwd;
(*respp) = resp;
break;
case PAM_PROMPT_ECHO_ON:
if ((strcmp(message, "login: " ) != 0)
&& (strcmp(message, "login:" ) != 0)
&& (strcmp(message, "Please enter username: " ) != 0)) {
TRACE(("PAM_PROMPT_ECHO_ON: unrecognized prompt"));
rc = PAM_CONV_ERR;
break;
}
/* This looks leaky, but the PAM module-writer docs
* assure us that the caller will free it... */
resp = (struct pam_response*) m_malloc(sizeof(struct pam_response));
memset(resp, 0, sizeof(struct pam_response));
/* Safe to just use the direct pointer (no strdup) since
* it shouldn't be getting munged at all */
resp->resp = userDatap->user;
TRACE(("userDatap->user='%s'", userDatap->user));
(*respp) = resp;
break;
default:
TRACE(("Unknown message type"));
rc = PAM_CONV_ERR;
break;
}
TRACE(("leave pamConvFunc, rc %d", rc));
return rc;
}
/* Process a password auth request, sending success or failure messages as
* appropriate. To the client it looks like it's doing normal password auth (as
* opposed to keyboard-interactive or something), so the pam module has to be
* fairly standard (ie just "what's your username, what's your password, OK").
*
* Keyboard interactive would be a lot nicer, but since PAM is synchronous, it
* gets very messy trying to send the interactive challenges, and read the
* interactive responses, over the network. */
void svr_auth_pam() {
struct UserDataS userData;
struct pam_conv pamConv = {
pamConvFunc,
&userData /* submitted to pamvConvFunc as appdata_ptr */
};
pam_handle_t* pamHandlep = NULL;
unsigned char * password = NULL;
unsigned int passwordlen;
int rc = PAM_SUCCESS;
unsigned char changepw;
/* check if client wants to change password */
changepw = buf_getbyte(ses.payload);
if (changepw) {
/* not implemented by this server */
send_msg_userauth_failure(0, 1);
goto cleanup;
}
password = buf_getstring(ses.payload, &passwordlen);
/* used to pass data to the PAM conversation function */
userData.user = ses.authstate.printableuser;
userData.passwd = password;
/* Init pam */
if ((rc = pam_start("sshd", NULL, &pamConv, &pamHandlep)) != PAM_SUCCESS) {
dropbear_log(LOG_WARNING, "pam_start() failed, rc=%d, %s\n",
rc, pam_strerror(pamHandlep, rc));
goto cleanup;
}
/* just to set it to something */
if ((rc = pam_set_item(pamHandlep, PAM_TTY, "ssh") != PAM_SUCCESS)) {
dropbear_log(LOG_WARNING, "pam_set_item() failed, rc=%d, %s\n",
rc, pam_strerror(pamHandlep, rc));
goto cleanup;
}
(void) pam_fail_delay(pamHandlep, 0 /* musec_delay */);
/* (void) pam_set_item(pamHandlep, PAM_FAIL_DELAY, (void*) pamDelayFunc); */
if ((rc = pam_authenticate(pamHandlep, 0)) != PAM_SUCCESS) {
dropbear_log(LOG_WARNING, "pam_authenticate() failed, rc=%d, %s\n",
rc, pam_strerror(pamHandlep, rc));
dropbear_log(LOG_WARNING,
"bad pam password attempt for '%s'",
ses.authstate.printableuser);
send_msg_userauth_failure(0, 1);
goto cleanup;
}
if ((rc = pam_acct_mgmt(pamHandlep, 0)) != PAM_SUCCESS) {
dropbear_log(LOG_WARNING, "pam_acct_mgmt() failed, rc=%d, %s\n",
rc, pam_strerror(pamHandlep, rc));
dropbear_log(LOG_WARNING,
"bad pam password attempt for '%s'",
ses.authstate.printableuser);
send_msg_userauth_failure(0, 1);
goto cleanup;
}
/* successful authentication */
dropbear_log(LOG_NOTICE, "pam password auth succeeded for '%s'",
ses.authstate.printableuser);
send_msg_userauth_success();
cleanup:
if (password != NULL) {
m_burn(password, passwordlen);
m_free(password);
}
if (pamHandlep != NULL) {
(void) pam_end(pamHandlep, 0 /* pam_status */);
}
}

4
svr-runopts.c
View File

@ -59,7 +59,7 @@ static void printhelp(const char * progname) {
"-m Don't display the motd on login\n" "-m Don't display the motd on login\n"
#endif #endif
"-w Disallow root logins\n" "-w Disallow root logins\n"
#ifdef ENABLE_SVR_PASSWORD_AUTH #if defined(ENABLE_SVR_PASSWORD_AUTH) || defined(ENABLE_SVR_PAM_AUTH)
"-s Disable password logins\n" "-s Disable password logins\n"
"-g Disable password logins for root\n" "-g Disable password logins for root\n"
#endif #endif
@ -183,7 +183,7 @@ void svr_getopts(int argc, char ** argv) {
case 'w': case 'w':
svr_opts.norootlogin = 1; svr_opts.norootlogin = 1;
break; break;
#ifdef ENABLE_SVR_PASSWORD_AUTH #if defined(ENABLE_SVR_PASSWORD_AUTH) || defined(ENABLE_SVR_PAM_AUTH)
case 's': case 's':
svr_opts.noauthpass = 1; svr_opts.noauthpass = 1;
break; break;