ClearML/dropbear
1
0
Fork 0
mirror of https://github.com/clearml/dropbear synced 2025-06-04 03:36:26 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

propagate of 08347df3bca787bd3621602fe2b466c85c9dc3e2 and 717950f4061f1123659ee87c7c168805af920ab7 from branch 'matt.dbclient.rez' to 'matt.dbclient.authpam'

Browse Source 
--HG--
branch : private-rez
extra : convert_revision : 555c429bf4e557ea5fd0af9db3987166d8217d8b
This commit is contained in:
Matt Johnston 2004-09-12 05:52:36 +00:00
parent c23ffe4bc1
commit fa26b59b0c
6 changed files with 163 additions and 172 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
Makefile.in
View File

@ -23,9 +23,8 @@ COMMONOBJS=dbutil.o buffer.o \
SVROBJS=svr-kex.o svr-algo.o svr-auth.o sshpty.o \ SVROBJS=svr-kex.o svr-algo.o svr-auth.o sshpty.o \
svr-authpasswd.o svr-authpubkey.o svr-session.o svr-service.o \ svr-authpasswd.o svr-authpubkey.o svr-session.o svr-service.o \
svr-authpam.o
svr-chansession.o svr-runopts.o svr-agentfwd.o svr-main.o svr-x11fwd.o\ svr-chansession.o svr-runopts.o svr-agentfwd.o svr-main.o svr-x11fwd.o\
svr-tcpfwd.o svr-tcpfwd.o svr-authpam.o
CLIOBJS=cli-algo.o cli-main.o cli-auth.o cli-authpasswd.o cli-kex.o \ CLIOBJS=cli-algo.o cli-main.o cli-auth.o cli-authpasswd.o cli-kex.o \
cli-session.o cli-service.o cli-runopts.o cli-chansession.o \ cli-session.o cli-service.o cli-runopts.o cli-chansession.o \

2
configure.in
View File

@ -205,7 +205,7 @@ AC_ARG_ENABLE(shadow,
# Checks for header files. # Checks for header files.
AC_HEADER_STDC AC_HEADER_STDC
AC_HEADER_SYS_WAIT AC_HEADER_SYS_WAIT
AC_CHECK_HEADERS([fcntl.h limits.h netinet/in.h netinet/tcp.h stdlib.h string.h sys/socket.h sys/time.h termios.h unistd.h crypt.h pty.h ioctl.h libutil.h libgen.h inttypes.h stropts.h utmp.h utmpx.h lastlog.h paths.h util.h netdb.h sys/dirent.h security/pam_appl.h pam/pam_appl.h]) AC_CHECK_HEADERS([fcntl.h limits.h netinet/in.h netinet/tcp.h stdlib.h string.h sys/socket.h sys/time.h termios.h unistd.h crypt.h pty.h ioctl.h libutil.h libgen.h inttypes.h stropts.h utmp.h utmpx.h lastlog.h paths.h util.h netdb.h security/pam_appl.h pam/pam_appl.h])
# Checks for typedefs, structures, and compiler characteristics. # Checks for typedefs, structures, and compiler characteristics.
AC_C_CONST AC_C_CONST

17
options.h
View File

@ -112,12 +112,11 @@ etc) slower (perhaps by 50%). Recommended for most small systems. */
/* Authentication types to enable, at least one required. /* Authentication types to enable, at least one required.
RFC Draft requires pubkey auth, and recommends password */ RFC Draft requires pubkey auth, and recommends password */
//#define DROPBEAR_PASSWORD_AUTH /*#define ENABLE_SVR_PASSWORD_AUTH*/
/* Only set PAM auth if you aren't using PASSWORD auth. Also, you'll need /* Only set PAM auth if you aren't using SVR_PASSWORD_AUTH. Also, you'll need
* to make sure PAM libraries etc are installed */ * to make sure PAM libraries etc are installed. To the client, PAM auth looks
#define DROPBEAR_PAM_AUTH * just like password auth. */
#define DROPBEAR_PUBKEY_AUTH #define ENABLE_SVR_PAM_AUTH
#define ENABLE_SVR_PASSWORD_AUTH
#define ENABLE_SVR_PUBKEY_AUTH #define ENABLE_SVR_PUBKEY_AUTH
#define ENABLE_CLI_PASSWORD_AUTH #define ENABLE_CLI_PASSWORD_AUTH
@ -178,7 +177,7 @@ etc) slower (perhaps by 50%). Recommended for most small systems. */
*******************************************************************/ *******************************************************************/
#ifndef DROPBEAR_VERSION #ifndef DROPBEAR_VERSION
#define DROPBEAR_VERSION "0.44test3" #define DROPBEAR_VERSION "0.44rez1"
#endif #endif
#define LOCAL_IDENT "SSH-2.0-dropbear_" DROPBEAR_VERSION #define LOCAL_IDENT "SSH-2.0-dropbear_" DROPBEAR_VERSION
@ -327,6 +326,10 @@ etc) slower (perhaps by 50%). Recommended for most small systems. */
#define DROPBEAR_KEY_LINES /* ie we're using authorized_keys or known_hosts */ #define DROPBEAR_KEY_LINES /* ie we're using authorized_keys or known_hosts */
#endif #endif
#if defined(ENABLE_SVR_PASSWORD_AUTH) && defined(ENABLE_SVR_PAM_AUTH)
#error "You can't turn on PASSWORD and PAM auth both at once. Fix it in options.h"
#endif
/* We use dropbear_client and dropbear_server as shortcuts to avoid redundant /* We use dropbear_client and dropbear_server as shortcuts to avoid redundant
* code, if we're just compiling as client or server */ * code, if we're just compiling as client or server */
#if defined(DROPBEAR_SERVER) && defined(DROPBEAR_CLIENT) #if defined(DROPBEAR_SERVER) && defined(DROPBEAR_CLIENT)

5
svr-auth.c
View File

@ -55,8 +55,7 @@ static void authclear() {
#ifdef ENABLE_SVR_PUBKEY_AUTH #ifdef ENABLE_SVR_PUBKEY_AUTH
ses.authstate.authtypes |= AUTH_TYPE_PUBKEY; ses.authstate.authtypes |= AUTH_TYPE_PUBKEY;
#endif #endif
#if defined(DROPBEAR_PASSWORD_AUTH) || defined(DROPBEAR_PAM_AUTH) #if defined(ENABLE_SVR_PUBKEY_AUTH) || defined(ENABLE_SVR_PAM_AUTH)
#ifdef ENABLE_SVR_PASSWORD_AUTH
if (!svr_opts.noauthpass) { if (!svr_opts.noauthpass) {
ses.authstate.authtypes |= AUTH_TYPE_PASSWORD; ses.authstate.authtypes |= AUTH_TYPE_PASSWORD;
} }
@ -155,7 +154,7 @@ void recv_msg_userauth_request() {
} }
#endif #endif
#ifdef DROPBEAR_PAM_AUTH #ifdef ENABLE_SVR_PAM_AUTH
if (!svr_opts.noauthpass && if (!svr_opts.noauthpass &&
!(svr_opts.norootpass && ses.authstate.pw->pw_uid == 0) ) { !(svr_opts.norootpass && ses.authstate.pw->pw_uid == 0) ) {
/* user wants to try password auth */ /* user wants to try password auth */

304
svr-authpam.c
View File

@ -36,180 +36,174 @@
#include <pam/pam_appl.h> #include <pam/pam_appl.h>
#endif #endif
#ifdef DROPBEAR_PAM_AUTH
struct UserDataS { struct UserDataS {
char* user; char* user;
char* passwd; char* passwd;
}; };
/* PAM conversation function */ /* PAM conversation function - for now we only handle one message */
int int
pamConvFunc(int num_msg, pamConvFunc(int num_msg,
const struct pam_message **msg, const struct pam_message **msg,
struct pam_response **respp, struct pam_response **respp,
void *appdata_ptr) { void *appdata_ptr) {
int rc = PAM_SUCCESS;
struct pam_response* resp = NULL;
struct UserDataS* userDatap = (struct UserDataS*) appdata_ptr;
/* tbd only handles one msg */ int rc = PAM_SUCCESS;
struct pam_response* resp = NULL;
switch((*msg)->msg_style) { struct UserDataS* userDatap = (struct UserDataS*) appdata_ptr;
case PAM_PROMPT_ECHO_OFF: const char* message = (*msg)->msg;
dropbear_log(LOG_DEBUG, "pamConvFunc(): PAM_PROMPT_ECHO_OFF: (*msg)->msg=\"%s\"", (*msg)->msg);
if (strcmp((*msg)->msg, "Password:") == 0) { TRACE(("enter pamConvFunc"));
resp = (struct pam_response*) malloc(sizeof(struct pam_response)); TRACE(("msg_style is %d", (*msg)->msg_style));
resp->resp = (char*) strdup(userDatap->passwd); if (message) {
/* dropbear_log(LOG_DEBUG, "pamConvFunc(): PAM_PROMPT_ECHO_ON: userDatap->passwd=\"%s\"", userDatap->passwd); */ TRACE(("message is '%s'", message));
resp->resp_retcode = 0; } else {
(*respp) = resp; TRACE(("null message"));
} }
else {
dropbear_log(LOG_WARNING, "pamConvFunc(): PAM_PROMPT_ECHO_OFF: unrecognized prompt, (*msg)->msg=\"%s\"", (*msg)->msg);
rc = PAM_CONV_ERR;
}
break;
case PAM_PROMPT_ECHO_ON:
dropbear_log(LOG_DEBUG, "pamConvFunc(): PAM_PROMPT_ECHO_ON: (*msg)->msg=\"%s\"", (*msg)->msg);
if ((strcmp((*msg)->msg, "login: " ) == 0) || (strcmp((*msg)->msg, "Please enter username: " ) == 0)) { switch((*msg)->msg_style) {
resp = (struct pam_response*) malloc(sizeof(struct pam_response));
resp->resp = (char*) strdup(userDatap->user);
dropbear_log(LOG_DEBUG, "pamConvFunc(): PAM_PROMPT_ECHO_ON: userDatap->user=\"%s\"", userDatap->user);
resp->resp_retcode = 0;
(*respp) = resp;
}
else {
dropbear_log(LOG_WARNING, "pamConvFunc(): PAM_PROMPT_ECHO_ON: unrecognized prompt, (*msg)->msg=\"%s\"",
(*msg)->msg);
rc = PAM_CONV_ERR;
}
break;
case PAM_ERROR_MSG:
dropbear_log(LOG_DEBUG, "pamConvFunc(): PAM_ERROR_MSG: (*msg)->msg=\"%s\"", (*msg)->msg);
/* printf("error msg: '%s'\n", (*msg)->msg); */
rc = PAM_CONV_ERR;
break;
case PAM_TEXT_INFO:
dropbear_log(LOG_DEBUG, "pamConvFunc(): PAM_TEXT_INFO: (*msg)->msg=\"%s\"", (*msg)->msg);
/* printf("text info: '%s'\n", (*msg)->msg); */
rc = PAM_CONV_ERR;
break;
case PAM_RADIO_TYPE:
dropbear_log(LOG_DEBUG, "pamConvFunc(): PAM_RADIO_TYPE: (*msg)->msg=\"%s\"", (*msg)->msg);
/* printf("radio type: '%s'\n", (*msg)->msg); */
rc = PAM_CONV_ERR;
break;
case PAM_BINARY_PROMPT:
dropbear_log(LOG_DEBUG, "pamConvFunc(): PAM_BINARY_PROMPT: (*msg)->msg=\"%s\"", (*msg)->msg);
/* printf("binary prompt: '%s'\n", (*msg)->msg); */
rc = PAM_CONV_ERR;
break;
default:
dropbear_log(LOG_DEBUG, "pamConvFunc(): Unknown PAM message");
/* printf("unknown message\n"); */
rc = PAM_CONV_ERR;
break;
}
return rc; case PAM_PROMPT_ECHO_OFF:
if (strcmp(message, "Password:") != 0) {
TRACE(("PAM_PROMPT_ECHO_OFF: unrecognized prompt"));
rc = PAM_CONV_ERR;
break;
}
/* XXX leak */
resp = (struct pam_response*) m_malloc(sizeof(struct pam_response));
/* XXX leak */
resp->resp = (char*) m_strdup(userDatap->passwd);
resp->resp_retcode = 0;
(*respp) = resp;
break;
case PAM_PROMPT_ECHO_ON:
if ((strcmp(message, "login: " ) != 0)
&& (strcmp(message, "login:" ) != 0)
&& (strcmp(message, "Please enter username: " ) != 0)) {
TRACE(("PAM_PROMPT_ECHO_ON: unrecognized prompt"));
rc = PAM_CONV_ERR;
break;
}
/* XXX leak */
resp = (struct pam_response*) m_malloc(sizeof(struct pam_response));
/* XXX leak */
resp->resp = (char*) m_strdup(userDatap->user);
TRACE(("userDatap->user='%s'", userDatap->user));
resp->resp_retcode = 0;
(*respp) = resp;
break;
case PAM_ERROR_MSG:
case PAM_TEXT_INFO:
case PAM_RADIO_TYPE:
case PAM_BINARY_PROMPT:
TRACE(("Unhandled message type"));
rc = PAM_CONV_ERR;
break;
default:
TRACE(("Unknown message type"));
rc = PAM_CONV_ERR;
break;
}
TRACE(("leave pamConvFunc, rc %d", rc));
return rc;
} }
/* Process a password auth request, sending success or failure messages as /* Process a password auth request, sending success or failure messages as
* appropriate */ * appropriate. To the client it looks like it's doing normal password auth (as opposed to keyboard-interactive or something), so the pam module has to be fairly standard (ie just "what's your username, what's your password, OK").
*
* Keyboard interactive would be a lot nicer, but since PAM is synchronous, it
* gets very messy trying to send the interactive challenges, and read the
* interactive responses, over the network. */
void svr_auth_pam() { void svr_auth_pam() {
// PAM stuff
int rc = PAM_SUCCESS;
struct UserDataS userData;
struct pam_conv pamConv = {
pamConvFunc,
&userData /* submitted to pamvConvFunc as appdata_ptr */
};
pam_handle_t* pamHandlep = NULL;
unsigned char * password = NULL;
unsigned int passwordlen;
unsigned char changepw; struct UserDataS userData;
struct pam_conv pamConv = {
pamConvFunc,
&userData /* submitted to pamvConvFunc as appdata_ptr */
};
/* check if client wants to change password */ pam_handle_t* pamHandlep = NULL;
changepw = buf_getbyte(ses.payload);
if (changepw) {
/* not implemented by this server */
send_msg_userauth_failure(0, 1);
return;
}
password = buf_getstring(ses.payload, &passwordlen); unsigned char * password = NULL;
unsigned int passwordlen;
/* clear the buffer containing the password */ int rc = PAM_SUCCESS;
buf_incrpos(ses.payload, -passwordlen - 4); unsigned char changepw;
m_burn(buf_getptr(ses.payload, passwordlen + 4), passwordlen + 4);
/* used to pass data to the PAM conversation function */ /* check if client wants to change password */
userData.user = ses.authstate.printableuser; changepw = buf_getbyte(ses.payload);
TRACE(("user is %s\n", userData.user)); if (changepw) {
userData.passwd = password; /* not implemented by this server */
send_msg_userauth_failure(0, 1);
goto cleanup;
}
/* Init pam */ password = buf_getstring(ses.payload, &passwordlen);
if ((rc = pam_start("sshd", NULL, &pamConv, &pamHandlep)) != PAM_SUCCESS) {
dropbear_log(LOG_WARNING, "pam_start() failed, rc=%d, %s\n", rc, pam_strerror(pamHandlep, rc));
/* fprintf(stderr, "pam_start() failed, rc=%d, %s\n", rc, pam_strerror(pamHandlep, rc)); */
goto clean;
}
/*
if ((rc = pam_set_item(pamHandlep, PAM_RHOST, webReqp->ipaddr) != PAM_SUCCESS)) {
dropbear_log(LOG_WARNING, "pam_set_item() failed, rc=%d, %s\n", rc, pam_strerror(pamHandlep, rc));
return;
}
*/
/* just to set it to something */
if ((rc = pam_set_item(pamHandlep, PAM_TTY, "ssh") != PAM_SUCCESS)) {
dropbear_log(LOG_WARNING, "pam_set_item() failed, rc=%d, %s\n", rc, pam_strerror(pamHandlep, rc));
goto clean;
}
(void) pam_fail_delay(pamHandlep, 0 /* musec_delay */);
/* (void) pam_set_item(pamHandlep, PAM_FAIL_DELAY, (void*) pamDelayFunc); */
if ((rc = pam_authenticate(pamHandlep, 0)) != PAM_SUCCESS) {
dropbear_log(LOG_WARNING, "pam_authenticate() failed, rc=%d, %s\n", rc, pam_strerror(pamHandlep, rc));
/* fprintf(stderr, "pam_authenticate() failed, rc=%d, %s\n", rc, pam_strerror(pamHandlep, rc)); */
dropbear_log(LOG_WARNING,
"bad pam password attempt for '%s'",
ses.authstate.printableuser);
send_msg_userauth_failure(0, 1);
goto clean;
}
if ((rc = pam_acct_mgmt(pamHandlep, 0)) != PAM_SUCCESS) { /* used to pass data to the PAM conversation function */
dropbear_log(LOG_WARNING, "pam_acct_mgmt() failed, rc=%d, %s\n", rc, pam_strerror(pamHandlep, rc)); userData.user = ses.authstate.printableuser;
/* fprintf(stderr, "pam_acct_mgmt() failed, rc=%d, %s\n", rc, pam_strerror(pamHandlep, rc)); */ userData.passwd = password;
dropbear_log(LOG_WARNING,
"bad pam password attempt for '%s'",
ses.authstate.printableuser);
send_msg_userauth_failure(0, 1);
goto clean;
}
/* successful authentication */ /* Init pam */
dropbear_log(LOG_NOTICE, if ((rc = pam_start("sshd", NULL, &pamConv, &pamHandlep)) != PAM_SUCCESS) {
"password auth succeeded for '%s'", dropbear_log(LOG_WARNING, "pam_start() failed, rc=%d, %s\n",
ses.authstate.printableuser); rc, pam_strerror(pamHandlep, rc));
send_msg_userauth_success(); goto cleanup;
}
clean:
if (password != NULL) { /* just to set it to something */
m_burn(password, passwordlen); if ((rc = pam_set_item(pamHandlep, PAM_TTY, "ssh") != PAM_SUCCESS)) {
m_free(password); dropbear_log(LOG_WARNING, "pam_set_item() failed, rc=%d, %s\n",
} rc, pam_strerror(pamHandlep, rc));
if (pamHandlep != NULL) { goto cleanup;
(void) pam_end(pamHandlep, 0 /* pam_status */); }
}
(void) pam_fail_delay(pamHandlep, 0 /* musec_delay */);
/* (void) pam_set_item(pamHandlep, PAM_FAIL_DELAY, (void*) pamDelayFunc); */
if ((rc = pam_authenticate(pamHandlep, 0)) != PAM_SUCCESS) {
dropbear_log(LOG_WARNING, "pam_authenticate() failed, rc=%d, %s\n",
rc, pam_strerror(pamHandlep, rc));
dropbear_log(LOG_WARNING,
"bad pam password attempt for '%s'",
ses.authstate.printableuser);
send_msg_userauth_failure(0, 1);
goto cleanup;
}
if ((rc = pam_acct_mgmt(pamHandlep, 0)) != PAM_SUCCESS) {
dropbear_log(LOG_WARNING, "pam_acct_mgmt() failed, rc=%d, %s\n",
rc, pam_strerror(pamHandlep, rc));
dropbear_log(LOG_WARNING,
"bad pam password attempt for '%s'",
ses.authstate.printableuser);
send_msg_userauth_failure(0, 1);
goto cleanup;
}
/* successful authentication */
dropbear_log(LOG_NOTICE, "pam password auth succeeded for '%s'",
ses.authstate.printableuser);
send_msg_userauth_success();
cleanup:
if (password != NULL) {
m_burn(password, passwordlen);
m_free(password);
}
if (pamHandlep != NULL) {
(void) pam_end(pamHandlep, 0 /* pam_status */);
}
} }
#endif /* DROPBEAR_PAM_AUTH */

4
svr-authpasswd.c
View File

@ -80,10 +80,6 @@ void svr_auth_password() {
password = buf_getstring(ses.payload, &passwordlen); password = buf_getstring(ses.payload, &passwordlen);
/* clear the buffer containing the password */
buf_incrpos(ses.payload, -passwordlen - 4);
m_burn(buf_getptr(ses.payload, passwordlen + 4), passwordlen + 4);
/* the first bytes of passwdcrypt are the salt */ /* the first bytes of passwdcrypt are the salt */
testcrypt = crypt((char*)password, passwdcrypt); testcrypt = crypt((char*)password, passwdcrypt);
m_burn(password, passwordlen); m_burn(password, passwordlen);