CVS commit: src/lib/libpam/modules/pam_krb5
Module Name:src Committed By: fox Date: Fri Jun 12 01:20:32 UTC 2020 Modified Files: src/lib/libpam/modules/pam_krb5: pam_krb5.c Log Message: lib/libpam: Fix the possible -Werror=stringop-truncation Replace strncpy(3) with the safer strlcpy(3) and adjust the code. Error was reported when build.sh was run with MKLIBCSANITIZER=yes flag. Reviewed by: kamil@, christos@ To generate a diff of this commit: cvs rdiff -u -r1.28 -r1.29 src/lib/libpam/modules/pam_krb5/pam_krb5.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libpam/modules/pam_krb5/pam_krb5.c diff -u src/lib/libpam/modules/pam_krb5/pam_krb5.c:1.28 src/lib/libpam/modules/pam_krb5/pam_krb5.c:1.29 --- src/lib/libpam/modules/pam_krb5/pam_krb5.c:1.28 Fri Feb 7 23:28:59 2020 +++ src/lib/libpam/modules/pam_krb5/pam_krb5.c Fri Jun 12 01:20:32 2020 @@ -1,4 +1,4 @@ -/* $NetBSD: pam_krb5.c,v 1.28 2020/02/07 23:28:59 christos Exp $ */ +/* $NetBSD: pam_krb5.c,v 1.29 2020/06/12 01:20:32 fox Exp $ */ /*- * This pam_krb5 module contains code that is: @@ -53,7 +53,7 @@ #ifdef __FreeBSD__ __FBSDID("$FreeBSD: src/lib/libpam/modules/pam_krb5/pam_krb5.c,v 1.22 2005/01/24 16:49:50 rwatson Exp $"); #else -__RCSID("$NetBSD: pam_krb5.c,v 1.28 2020/02/07 23:28:59 christos Exp $"); +__RCSID("$NetBSD: pam_krb5.c,v 1.29 2020/06/12 01:20:32 fox Exp $"); #endif #include @@ -945,9 +945,8 @@ verify_krb_v5_tgt(krb5_context context, return -1; /* Extract the name directly. */ - strncpy(phost, compat_princ_component(context, princ, 1), - BUFSIZ); - phost[BUFSIZ - 1] = '\0'; + strlcpy(phost, compat_princ_component(context, princ, 1), + sizeof(phost)); /* * Do we have service/ keys?
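Review bot: The return value of `strlcpy` in verify_krb_v5_tgt is discarded, so a principal host component longer than the buffer is silently truncated, and the shortened name is presumably what the "Do we have service/ keys?" lookup below then uses. Because this value feeds a credential-verification step, truncation is better treated as a failure: `if (strlcpy(phost, compat_princ_component(context, princ, 1), sizeof(phost)) >= sizeof(phost)) return -1;`. The switch from `BUFSIZ` to `sizeof(phost)` is only equivalent if `phost` is declared as an array in this function; its declaration is outside the hunk and should be confirmed.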
CVS commit: src/lib/libpam/modules/pam_ssh
Module Name:src Committed By: christos Date: Sun Mar 1 14:50:43 UTC 2020 Modified Files: src/lib/libpam/modules/pam_ssh: Makefile Log Message: Add the sign client part. To generate a diff of this commit: cvs rdiff -u -r1.11 -r1.12 src/lib/libpam/modules/pam_ssh/Makefile Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libpam/modules/pam_ssh/Makefile diff -u src/lib/libpam/modules/pam_ssh/Makefile:1.11 src/lib/libpam/modules/pam_ssh/Makefile:1.12 --- src/lib/libpam/modules/pam_ssh/Makefile:1.11 Sat Feb 3 22:19:53 2018 +++ src/lib/libpam/modules/pam_ssh/Makefile Sun Mar 1 09:50:43 2020 @@ -1,4 +1,4 @@ -# $NetBSD: Makefile,v 1.11 2018/02/04 03:19:53 christos Exp $ +# $NetBSD: Makefile,v 1.12 2020/03/01 14:50:43 christos Exp $ # PAM module for SSH # $FreeBSD: src/lib/libpam/modules/pam_ssh/Makefile,v 1.18 2004/08/06 07:27:04 cperciva Exp $ @@ -10,9 +10,10 @@ NOPICINSTALL= # don't install _pic.a lib SSHSRC= ${NETBSDSRCDIR}/crypto/external/bsd/openssh/dist +.PATH: ${SSHSRC} LIB= pam_ssh MAN= pam_ssh.8 -SRCS= pam_ssh.c +SRCS= pam_ssh.c ssh-sk-client.c CPPFLAGS+= -I${SSHSRC}
CVS commit: src/lib/libpam/modules/pam_ssh
Module Name:src Committed By: christos Date: Thu Feb 27 03:25:09 UTC 2020 Modified Files: src/lib/libpam/modules/pam_ssh: pam_ssh.c Log Message: This takes a provider now To generate a diff of this commit: cvs rdiff -u -r1.27 -r1.28 src/lib/libpam/modules/pam_ssh/pam_ssh.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libpam/modules/pam_ssh/pam_ssh.c diff -u src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.27 src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.28 --- src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.27 Sat Jun 1 03:15:39 2019 +++ src/lib/libpam/modules/pam_ssh/pam_ssh.c Wed Feb 26 22:25:08 2020 @@ -1,4 +1,4 @@ -/* $NetBSD: pam_ssh.c,v 1.27 2019/06/01 07:15:39 mlelstv Exp $ */ +/* $NetBSD: pam_ssh.c,v 1.28 2020/02/27 03:25:08 christos Exp $ */ /*- * Copyright (c) 2003 Networks Associates Technology, Inc. @@ -38,7 +38,7 @@ #ifdef __FreeBSD__ __FBSDID("$FreeBSD: src/lib/libpam/modules/pam_ssh/pam_ssh.c,v 1.40 2004/02/10 10:13:21 des Exp $"); #else -__RCSID("$NetBSD: pam_ssh.c,v 1.27 2019/06/01 07:15:39 mlelstv Exp $"); +__RCSID("$NetBSD: pam_ssh.c,v 1.28 2020/02/27 03:25:08 christos Exp $"); #endif #include @@ -68,7 +68,7 @@ __RCSID("$NetBSD: pam_ssh.c,v 1.27 2019/ #include "authfile.h" #define ssh_add_identity(auth, key, comment) \ - ssh_add_identity_constrained(auth, key, comment, 0, 0, 0) + ssh_add_identity_constrained(auth, key, comment, 0, 0, 0, "pam") extern char **environ;
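Review bot: The `ssh_add_identity` macro now passes the literal `"pam"` as the new trailing argument of `ssh_add_identity_constrained`, which the log message calls a provider. If the library forwards a non-NULL provider to the agent as a key constraint, ordinary keys added by this module could be affected; that behaviour is not visible here, so it should be confirmed against the library header, with `NULL` passed if no provider is actually meant. A short comment on the macro naming what the three `0` arguments and the string stand for would also help the next reader.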
CVS commit: src/lib/libpam/modules
Module Name:src Committed By: christos Date: Thu Feb 27 02:56:46 UTC 2020 Modified Files: src/lib/libpam/modules: mod.mk Log Message: one more level down To generate a diff of this commit: cvs rdiff -u -r1.14 -r1.15 src/lib/libpam/modules/mod.mk Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libpam/modules/mod.mk diff -u src/lib/libpam/modules/mod.mk:1.14 src/lib/libpam/modules/mod.mk:1.15 --- src/lib/libpam/modules/mod.mk:1.14 Wed Feb 26 19:02:56 2020 +++ src/lib/libpam/modules/mod.mk Wed Feb 26 21:56:46 2020 @@ -1,4 +1,4 @@ -# $NetBSD: mod.mk,v 1.14 2020/02/27 00:02:56 mrg Exp $ +# $NetBSD: mod.mk,v 1.15 2020/02/27 02:56:46 christos Exp $ NOLINT= # don't build a lint library NOPROFILE= # don't build a profile library @@ -16,7 +16,7 @@ LIBDIR=/usr/lib/security WARNS=6 .if ${MKPIC} != "no" -LIBDPLIBS+= pam ${NETBSDSRCDIR}/lib/libpam +LIBDPLIBS+= pam ${NETBSDSRCDIR}/lib/libpam/libpam .PRECIOUS: ${DESTDIR}${LIBDIR}/${LIB}.so.${SHLIB_MAJOR} libinstall:: ${DESTDIR}${LIBDIR}/${LIB}.so.${SHLIB_MAJOR} .else
CVS commit: src/lib/libpam/modules
Module Name:src Committed By: mrg Date: Thu Feb 27 00:02:57 UTC 2020 Modified Files: src/lib/libpam/modules: mod.mk Log Message: probably fix previous: it wants mod.mk's PARSEDIR/.., not ../.., so it picks up the libpam/Makefile.inc. To generate a diff of this commit: cvs rdiff -u -r1.13 -r1.14 src/lib/libpam/modules/mod.mk Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libpam/modules/mod.mk diff -u src/lib/libpam/modules/mod.mk:1.13 src/lib/libpam/modules/mod.mk:1.14 --- src/lib/libpam/modules/mod.mk:1.13 Wed Feb 26 19:33:30 2020 +++ src/lib/libpam/modules/mod.mk Thu Feb 27 00:02:56 2020 @@ -1,4 +1,4 @@ -# $NetBSD: mod.mk,v 1.13 2020/02/26 19:33:30 christos Exp $ +# $NetBSD: mod.mk,v 1.14 2020/02/27 00:02:56 mrg Exp $ NOLINT= # don't build a lint library NOPROFILE= # don't build a profile library @@ -6,7 +6,7 @@ NOPICINSTALL= # don't install _pic.a lib .include -.include "${.PARSEDIR}/../../Makefile.inc" +.include "${.PARSEDIR}/../Makefile.inc" .if defined(MLIBDIR) LIBDIR=/usr/lib/${MLIBDIR}/security
CVS commit: src/lib/libpam/modules
Module Name:src Committed By: christos Date: Wed Feb 26 19:33:30 UTC 2020 Modified Files: src/lib/libpam/modules: mod.mk Log Message: Handle pam modules that are not in this subtree. To generate a diff of this commit: cvs rdiff -u -r1.12 -r1.13 src/lib/libpam/modules/mod.mk Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libpam/modules/mod.mk diff -u src/lib/libpam/modules/mod.mk:1.12 src/lib/libpam/modules/mod.mk:1.13 --- src/lib/libpam/modules/mod.mk:1.12 Sat Dec 28 13:04:18 2013 +++ src/lib/libpam/modules/mod.mk Wed Feb 26 14:33:30 2020 @@ -1,4 +1,4 @@ -# $NetBSD: mod.mk,v 1.12 2013/12/28 18:04:18 christos Exp $ +# $NetBSD: mod.mk,v 1.13 2020/02/26 19:33:30 christos Exp $ NOLINT= # don't build a lint library NOPROFILE= # don't build a profile library @@ -6,7 +6,7 @@ NOPICINSTALL= # don't install _pic.a lib .include -.include "${.CURDIR}/../../Makefile.inc" +.include "${.PARSEDIR}/../../Makefile.inc" .if defined(MLIBDIR) LIBDIR=/usr/lib/${MLIBDIR}/security @@ -16,7 +16,7 @@ LIBDIR=/usr/lib/security WARNS=6 .if ${MKPIC} != "no" -LIBDPLIBS+= pam ${.CURDIR}/../../libpam +LIBDPLIBS+= pam ${NETBSDSRCDIR}/lib/libpam .PRECIOUS: ${DESTDIR}${LIBDIR}/${LIB}.so.${SHLIB_MAJOR} libinstall:: ${DESTDIR}${LIBDIR}/${LIB}.so.${SHLIB_MAJOR} .else
CVS commit: src/lib/libpam/modules/pam_krb5
Module Name:src Committed By: christos Date: Fri Feb 7 23:28:59 UTC 2020 Modified Files: src/lib/libpam/modules/pam_krb5: pam_krb5.c Log Message: there is no potential overflow anymore (thanks Kamil) To generate a diff of this commit: cvs rdiff -u -r1.27 -r1.28 src/lib/libpam/modules/pam_krb5/pam_krb5.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libpam/modules/pam_krb5/pam_krb5.c diff -u src/lib/libpam/modules/pam_krb5/pam_krb5.c:1.27 src/lib/libpam/modules/pam_krb5/pam_krb5.c:1.28 --- src/lib/libpam/modules/pam_krb5/pam_krb5.c:1.27 Fri Feb 7 17:13:35 2020 +++ src/lib/libpam/modules/pam_krb5/pam_krb5.c Fri Feb 7 18:28:59 2020 @@ -1,4 +1,4 @@ -/* $NetBSD: pam_krb5.c,v 1.27 2020/02/07 22:13:35 christos Exp $ */ +/* $NetBSD: pam_krb5.c,v 1.28 2020/02/07 23:28:59 christos Exp $ */ /*- * This pam_krb5 module contains code that is: @@ -53,7 +53,7 @@ #ifdef __FreeBSD__ __FBSDID("$FreeBSD: src/lib/libpam/modules/pam_krb5/pam_krb5.c,v 1.22 2005/01/24 16:49:50 rwatson Exp $"); #else -__RCSID("$NetBSD: pam_krb5.c,v 1.27 2020/02/07 22:13:35 christos Exp $"); +__RCSID("$NetBSD: pam_krb5.c,v 1.28 2020/02/07 23:28:59 christos Exp $"); #endif #include @@ -467,7 +467,6 @@ pam_sm_setcred(pam_handle_t *pamh, int f cache_name = cache_name_buf; } - /* XXX potential overflow */ cache_name_buf2 = p = calloc(len, sizeof(char)); q = cache_name;
CVS commit: src/lib/libpam/modules/pam_krb5
Module Name:src Committed By: christos Date: Fri Feb 7 22:13:35 UTC 2020 Modified Files: src/lib/libpam/modules/pam_krb5: pam_krb5.c Log Message: stop using sprintf and check for buffer overflow. To generate a diff of this commit: cvs rdiff -u -r1.26 -r1.27 src/lib/libpam/modules/pam_krb5/pam_krb5.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libpam/modules/pam_krb5/pam_krb5.c diff -u src/lib/libpam/modules/pam_krb5/pam_krb5.c:1.26 src/lib/libpam/modules/pam_krb5/pam_krb5.c:1.27 --- src/lib/libpam/modules/pam_krb5/pam_krb5.c:1.26 Sat Dec 28 13:04:03 2013 +++ src/lib/libpam/modules/pam_krb5/pam_krb5.c Fri Feb 7 17:13:35 2020 @@ -1,4 +1,4 @@ -/* $NetBSD: pam_krb5.c,v 1.26 2013/12/28 18:04:03 christos Exp $ */ +/* $NetBSD: pam_krb5.c,v 1.27 2020/02/07 22:13:35 christos Exp $ */ /*- * This pam_krb5 module contains code that is: @@ -53,7 +53,7 @@ #ifdef __FreeBSD__ __FBSDID("$FreeBSD: src/lib/libpam/modules/pam_krb5/pam_krb5.c,v 1.22 2005/01/24 16:49:50 rwatson Exp $"); #else -__RCSID("$NetBSD: pam_krb5.c,v 1.26 2013/12/28 18:04:03 christos Exp $"); +__RCSID("$NetBSD: pam_krb5.c,v 1.27 2020/02/07 22:13:35 christos Exp $"); #endif #include @@ -459,6 +459,7 @@ pam_sm_setcred(pam_handle_t *pamh, int f if (!cache_name) goto cleanup3; } else { + size_t len = PATH_MAX + 16; /* Get the cache name */ cache_name = openpam_get_option(pamh, PAM_OPT_CCACHE); if (cache_name == NULL) { @@ -467,7 +468,7 @@ pam_sm_setcred(pam_handle_t *pamh, int f } /* XXX potential overflow */ - cache_name_buf2 = p = calloc(PATH_MAX + 16, sizeof(char)); + cache_name_buf2 = p = calloc(len, sizeof(char)); q = cache_name; if (p == NULL) { 
@@ -479,27 +480,42 @@ pam_sm_setcred(pam_handle_t *pamh, int f /* convert %u and %p */ while (*q) { + int l; if (*q == '%') { q++; if (*q == 'u') { - sprintf(p, "%d", pwd->pw_uid); - p += strlen(p); + l = snprintf(p, len, "%d", pwd->pw_uid); } else if (*q == 'p') { - sprintf(p, "%d", getpid()); - p += strlen(p); + l = snprintf(p, len, "%d", getpid()); } else { /* Not a special token */ - *p++ = '%'; + if (!len) + goto truncated; + *p = '%'; + l = 1; q--; } +if ((size_t)l > len) { +truncated:PAM_LOG("string truncation failure"); + retval = PAM_BUF_ERR; + goto cleanup3; +} q++; } else { -*p++ = *q++; +if (!len) + goto truncated; +*p = *q++; +l = 1; } + p += l; + len -= (size_t)l; } + if (!len) + goto truncated; + *p = '\0'; } PAM_LOG("Got cache_name: %s", cache_name);
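Review bot: The truncation test `if ((size_t)l > len)` misses the `l == len` case, where snprintf has already dropped a character to make room for the terminator; that case is only caught afterwards by the `if (!len)` checks, once `p` has been advanced to one past the buffer. Rejecting at the point of truncation is clearer and also makes the negative-return case explicit: `if (l < 0 || (size_t)l >= len) {`. Separately, `goto truncated` jumps to a label inside that `if` body, which is hard to follow; placing the `PAM_LOG`/`PAM_BUF_ERR` handling beside the function's other cleanup labels would read better. `"%d"` is also used for `pwd->pw_uid`, whose type may be unsigned. pam_sm_setcred starts and ends outside the hunk.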
CVS commit: src/lib/libpam/modules/pam_unix
Module Name:src Committed By: reed Date: Mon Dec 23 17:51:58 UTC 2019 Modified Files: src/lib/libpam/modules/pam_unix: pam_unix.8 Log Message: Simply Subsection headers There was a formatting issue with mandoc showing the literal "Ss" macros. I reported this bug to mandoc since groff didn't have same formatting. It was recommended to simplify the formatting due to the weird feature. Note because of this for groff I didn't use the Ux macro but spelled out UNIX literally for these subsection headers (since the macro reset the subsection formatting which was why the Ss macro was repeated before to reactivate it). To generate a diff of this commit: cvs rdiff -u -r1.8 -r1.9 src/lib/libpam/modules/pam_unix/pam_unix.8 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libpam/modules/pam_unix/pam_unix.8 diff -u src/lib/libpam/modules/pam_unix/pam_unix.8:1.8 src/lib/libpam/modules/pam_unix/pam_unix.8:1.9 --- src/lib/libpam/modules/pam_unix/pam_unix.8:1.8 Sat Feb 26 15:59:34 2005 +++ src/lib/libpam/modules/pam_unix/pam_unix.8 Mon Dec 23 17:51:57 2019 @@ -1,4 +1,4 @@ -.\" $NetBSD: pam_unix.8,v 1.8 2005/02/26 15:59:34 thorpej Exp $ +.\" $NetBSD: pam_unix.8,v 1.9 2019/12/23 17:51:57 reed Exp $ .\" Copyright (c) 2001 Mark R V Murray .\" All rights reserved. .\" Copyright (c) 2001 Networks Associates Technology, Inc. @@ -62,7 +62,7 @@ and .Dq Li account features. It also provides a null function for session management. -.Ss Ux Ss Authentication Module +.Ss UNIX Authentication Module The .Ux authentication component @@ -137,7 +137,7 @@ and silently allow authentication to suc .\" system is not configured to use the specified password database, an .\" authentication failure will occur. .El -.Ss Ux Ss Account Management Module +.Ss UNIX Account Management Module The .Ux account management component 
@@ -156,7 +156,7 @@ debugging information at .Dv LOG_DEBUG level. .El -.Ss Ux Ss Password Management Module +.Ss UNIX Password Management Module The .Ux password management component
CVS commit: src/lib/libpam/modules/pam_ssh
Module Name:src Committed By: christos Date: Sun Aug 26 08:54:03 UTC 2018 Modified Files: src/lib/libpam/modules/pam_ssh: pam_ssh.c Log Message: adjust to new libssh api. To generate a diff of this commit: cvs rdiff -u -r1.25 -r1.26 src/lib/libpam/modules/pam_ssh/pam_ssh.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libpam/modules/pam_ssh/pam_ssh.c diff -u src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.25 src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.26 --- src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.25 Sat Apr 7 15:28:32 2018 +++ src/lib/libpam/modules/pam_ssh/pam_ssh.c Sun Aug 26 04:54:03 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: pam_ssh.c,v 1.25 2018/04/07 19:28:32 christos Exp $ */ +/* $NetBSD: pam_ssh.c,v 1.26 2018/08/26 08:54:03 christos Exp $ */ /*- * Copyright (c) 2003 Networks Associates Technology, Inc. @@ -38,7 +38,7 @@ #ifdef __FreeBSD__ __FBSDID("$FreeBSD: src/lib/libpam/modules/pam_ssh/pam_ssh.c,v 1.40 2004/02/10 10:13:21 des Exp $"); #else -__RCSID("$NetBSD: pam_ssh.c,v 1.25 2018/04/07 19:28:32 christos Exp $"); +__RCSID("$NetBSD: pam_ssh.c,v 1.26 2018/08/26 08:54:03 christos Exp $"); #endif #include @@ -62,8 +62,8 @@ __RCSID("$NetBSD: pam_ssh.c,v 1.25 2018/ #include -#include "key.h" -#include "buffer.h" +#include "sshkey.h" +#include "sshbuf.h" #include "authfd.h" #include "authfile.h" @@ -73,7 +73,7 @@ __RCSID("$NetBSD: pam_ssh.c,v 1.25 2018/ extern char **environ; struct pam_ssh_key { - Key *key; + struct sshkey *key; char *comment; }; @@ -103,8 +103,9 @@ pam_ssh_load_key(const char *dir, const { struct pam_ssh_key *psk; char fn[PATH_MAX]; + int r; char *comment; - Key *key; + struct sshkey *key; if (snprintf(fn, sizeof(fn), "%s/%s", dir, kfn) > (int)sizeof(fn)) return (NULL); 
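Review bot: `struct sshkey *key;` and `char *comment;` in pam_ssh_load_key are declared without initialisers, while the error paths in the next hunk pass them to `sshkey_free()` and `free()` after a failed load. Whether the loader clears both out-parameters on every failure is not visible here, so `struct sshkey *key = NULL;` and `char *comment = NULL;` would make those paths safe regardless. The function continues outside this hunk.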
@@ -117,15 +118,15 @@ pam_ssh_load_key(const char *dir, const * with an empty passphrase, and if the key is not encrypted, * accept only an empty passphrase. */ - key = key_load_private(fn, "", &comment); - if (key != NULL && !(*passphrase == '\0' && nullok)) { - key_free(key); + r = sshkey_load_private(fn, "", &key, &comment); + if (r && !(*passphrase == '\0' && nullok)) { + sshkey_free(key); free(comment); return (NULL); } - if (key == NULL) - key = key_load_private(fn, passphrase, &comment); - if (key == NULL) { + if (r) + sshkey_load_private(fn, passphrase, &key, &comment); + if (r) { openpam_log(PAM_LOG_DEBUG, "failed to load key from %s", fn); if (comment != NULL) free(comment); @@ -134,7 +135,7 @@ pam_ssh_load_key(const char *dir, const openpam_log(PAM_LOG_DEBUG, "loaded '%s' from %s", comment, fn); if ((psk = malloc(sizeof(*psk))) == NULL) { - key_free(key); + sshkey_free(key); free(comment); return (NULL); } @@ -153,7 +154,7 @@ pam_ssh_free_key(pam_handle_t *pamh __un struct pam_ssh_key *psk; psk = data; - key_free(psk->key); + sshkey_free(psk->key); free(psk->comment); free(psk); }
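Review bot: The first test is inverted by the API conversion: the old code rejected when the empty-passphrase load succeeded (`key != NULL`), but `if (r && ...)` rejects when it fails, given that the later `if (r)` branch logs "failed to load key". As written, an unencrypted key is accepted whatever passphrase was supplied, contrary to the comment above the call, and an encrypted key is refused before the real passphrase is tried. The retry also discards its result, so the following `if (r)` still sees the first call's value. Suggested lines: `if (r == 0 && !(*passphrase == '\0' && nullok)) {` and `if (r != 0) r = sshkey_load_private(fn, passphrase, &key, &comment);`. pam_ssh_load_key starts before this hunk.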
CVS commit: src/lib/libpam/modules/pam_unix
Module Name:src Committed By: joerg Date: Wed May 16 13:55:39 UTC 2018 Modified Files: src/lib/libpam/modules/pam_unix: pam_unix.c Log Message: Improve type safety by using the correct enum values. To generate a diff of this commit: cvs rdiff -u -r1.16 -r1.17 src/lib/libpam/modules/pam_unix/pam_unix.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libpam/modules/pam_unix/pam_unix.c diff -u src/lib/libpam/modules/pam_unix/pam_unix.c:1.16 src/lib/libpam/modules/pam_unix/pam_unix.c:1.17 --- src/lib/libpam/modules/pam_unix/pam_unix.c:1.16 Sun Dec 29 22:54:58 2013 +++ src/lib/libpam/modules/pam_unix/pam_unix.c Wed May 16 13:55:39 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: pam_unix.c,v 1.16 2013/12/29 22:54:58 christos Exp $ */ +/* $NetBSD: pam_unix.c,v 1.17 2018/05/16 13:55:39 joerg Exp $ */ /*- * Copyright 1998 Juniper Networks, Inc. @@ -40,7 +40,7 @@ #ifdef __FreeBSD__ __FBSDID("$FreeBSD: src/lib/libpam/modules/pam_unix/pam_unix.c,v 1.49 2004/02/10 10:13:21 des Exp $"); #else -__RCSID("$NetBSD: pam_unix.c,v 1.16 2013/12/29 22:54:58 christos Exp $"); +__RCSID("$NetBSD: pam_unix.c,v 1.17 2018/05/16 13:55:39 joerg Exp $"); #endif @@ -248,6 +248,7 @@ yp_set_password(pam_handle_t *pamh, stru { char *master; int r, rpcport, status; + enum clnt_stat r2; struct yppasswd yppwd; CLIENT *client; uid_t uid; @@ -318,9 +319,9 @@ yp_set_password(pam_handle_t *pamh, stru client->cl_auth = authunix_create_default(); tv.tv_sec = 2; tv.tv_usec = 0; - r = clnt_call(client, YPPASSWDPROC_UPDATE, + r2 = clnt_call(client, YPPASSWDPROC_UPDATE, xdr_yppasswd, &yppwd, xdr_int, &status, tv); - if (r) + if (r2 != RPC_SUCCESS) pam_error(pamh, "RPC to yppasswdd failed."); else if (status) pam_error(pamh, "Couldn't change NIS password.");
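Review bot: The failure branch in yp_set_password throws away the reason now held in `r2`, so the only diagnostic is "RPC to yppasswdd failed."; including the status text would make NIS password-change failures easier to triage, e.g. `pam_error(pamh, "RPC to yppasswdd failed: %s", clnt_sperrno(r2));`. Since `r` is no longer assigned by `clnt_call`, it is worth confirming that nothing below the hunk still reads `r` as the outcome of this RPC. A more descriptive name than `r2`, such as `rpc_stat`, would also make the two result variables harder to confuse. The function continues outside the hunk.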
CVS commit: src/lib/libpam/modules/pam_ssh
Module Name:src Committed By: christos Date: Sat Apr 7 19:28:32 UTC 2018 Modified Files: src/lib/libpam/modules/pam_ssh: pam_ssh.c Log Message: fix and use the macro. To generate a diff of this commit: cvs rdiff -u -r1.24 -r1.25 src/lib/libpam/modules/pam_ssh/pam_ssh.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libpam/modules/pam_ssh/pam_ssh.c diff -u src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.24 src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.25 --- src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.24 Sat Apr 7 09:57:12 2018 +++ src/lib/libpam/modules/pam_ssh/pam_ssh.c Sat Apr 7 15:28:32 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: pam_ssh.c,v 1.24 2018/04/07 13:57:12 christos Exp $ */ +/* $NetBSD: pam_ssh.c,v 1.25 2018/04/07 19:28:32 christos Exp $ */ /*- * Copyright (c) 2003 Networks Associates Technology, Inc. @@ -38,7 +38,7 @@ #ifdef __FreeBSD__ __FBSDID("$FreeBSD: src/lib/libpam/modules/pam_ssh/pam_ssh.c,v 1.40 2004/02/10 10:13:21 des Exp $"); #else -__RCSID("$NetBSD: pam_ssh.c,v 1.24 2018/04/07 13:57:12 christos Exp $"); +__RCSID("$NetBSD: pam_ssh.c,v 1.25 2018/04/07 19:28:32 christos Exp $"); #endif #include @@ -68,7 +68,7 @@ __RCSID("$NetBSD: pam_ssh.c,v 1.24 2018/ #include "authfile.h" #define ssh_add_identity(auth, key, comment) \ - ssh_add_identity_constrained(auth, key, comment, 0, 0) + ssh_add_identity_constrained(auth, key, comment, 0, 0, 0) extern char **environ; @@ -383,8 +383,7 @@ pam_ssh_add_keys_to_agent(pam_handle_t * pam_err = pam_get_data(pamh, *kfn, &vp); psk = vp; if (pam_err == PAM_SUCCESS && psk != NULL) { - if (ssh_add_identity_constrained(agent_fd, psk->key, - psk->comment, 0, 0, 0)) + if (ssh_add_identity(agent_fd, psk->key, psk->comment)) openpam_log(PAM_LOG_DEBUG, "added %s to ssh agent", psk->comment); else
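Review bot: The success test `if (ssh_add_identity(agent_fd, psk->key, psk->comment))` logs "added %s to ssh agent" when the call returns non-zero. The 1.23 change further down this page treats a non-zero return from `ssh_get_authentication_socket` as failure, so if `ssh_add_identity_constrained` follows the same 0-on-success convention the two log branches are swapped and the debug log would misreport which keys reached the agent; `if (ssh_add_identity(agent_fd, psk->key, psk->comment) == 0)` would match that convention. The same condition appears in the 1.24 and 1.23 hunks of pam_ssh_add_keys_to_agent. The else branch lies outside the hunk.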
CVS commit: src/lib/libpam/modules/pam_ssh
Module Name:src Committed By: christos Date: Sat Apr 7 13:57:12 UTC 2018 Modified Files: src/lib/libpam/modules/pam_ssh: pam_ssh.c Log Message: function grew an extra argument now. To generate a diff of this commit: cvs rdiff -u -r1.23 -r1.24 src/lib/libpam/modules/pam_ssh/pam_ssh.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libpam/modules/pam_ssh/pam_ssh.c diff -u src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.23 src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.24 --- src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.23 Fri Apr 3 22:51:10 2015 +++ src/lib/libpam/modules/pam_ssh/pam_ssh.c Sat Apr 7 09:57:12 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: pam_ssh.c,v 1.23 2015/04/04 02:51:10 christos Exp $ */ +/* $NetBSD: pam_ssh.c,v 1.24 2018/04/07 13:57:12 christos Exp $ */ /*- * Copyright (c) 2003 Networks Associates Technology, Inc. @@ -38,7 +38,7 @@ #ifdef __FreeBSD__ __FBSDID("$FreeBSD: src/lib/libpam/modules/pam_ssh/pam_ssh.c,v 1.40 2004/02/10 10:13:21 des Exp $"); #else -__RCSID("$NetBSD: pam_ssh.c,v 1.23 2015/04/04 02:51:10 christos Exp $"); +__RCSID("$NetBSD: pam_ssh.c,v 1.24 2018/04/07 13:57:12 christos Exp $"); #endif #include @@ -384,7 +384,7 @@ pam_ssh_add_keys_to_agent(pam_handle_t * psk = vp; if (pam_err == PAM_SUCCESS && psk != NULL) { if (ssh_add_identity_constrained(agent_fd, psk->key, - psk->comment, 0, 0)) + psk->comment, 0, 0, 0)) openpam_log(PAM_LOG_DEBUG, "added %s to ssh agent", psk->comment); else
CVS commit: src/lib/libpam/modules/pam_ssh
Module Name:src Committed By: christos Date: Sat Apr 4 02:51:10 UTC 2015 Modified Files: src/lib/libpam/modules/pam_ssh: pam_ssh.c Log Message: Adapt to the new API. To generate a diff of this commit: cvs rdiff -u -r1.22 -r1.23 src/lib/libpam/modules/pam_ssh/pam_ssh.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libpam/modules/pam_ssh/pam_ssh.c diff -u src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.22 src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.23 --- src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.22 Fri Jan 6 09:04:02 2012 +++ src/lib/libpam/modules/pam_ssh/pam_ssh.c Fri Apr 3 22:51:10 2015 @@ -1,4 +1,4 @@ -/* $NetBSD: pam_ssh.c,v 1.22 2012/01/06 14:04:02 drochner Exp $ */ +/* $NetBSD: pam_ssh.c,v 1.23 2015/04/04 02:51:10 christos Exp $ */ /*- * Copyright (c) 2003 Networks Associates Technology, Inc. @@ -38,7 +38,7 @@ #ifdef __FreeBSD__ __FBSDID("$FreeBSD: src/lib/libpam/modules/pam_ssh/pam_ssh.c,v 1.40 2004/02/10 10:13:21 des Exp $"); #else -__RCSID("$NetBSD: pam_ssh.c,v 1.22 2012/01/06 14:04:02 drochner Exp $"); +__RCSID("$NetBSD: pam_ssh.c,v 1.23 2015/04/04 02:51:10 christos Exp $"); #endif #include @@ -352,11 +352,11 @@ done: static int pam_ssh_add_keys_to_agent(pam_handle_t *pamh) { - AuthenticationConnection *ac; const struct pam_ssh_key *psk; const char **kfn; char **envlist, **env; int pam_err; + int agent_fd; /* switch to PAM environment */ envlist = environ; @@ -368,11 +368,12 @@ pam_ssh_add_keys_to_agent(pam_handle_t * } /* get a connection to the agent */ - if ((ac = ssh_get_authentication_connection()) == NULL) { + if (ssh_get_authentication_socket(&agent_fd) != 0) { openpam_log(PAM_LOG_DEBUG, "%s: cannot get authentication connection", __func__); pam_err = PAM_SYSTEM_ERR; + agent_fd = -1; goto end; } 
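Review bot: `int agent_fd;` is declared without an initialiser, while the `end:` label in the last hunk of this commit decides whether to close the socket by testing `agent_fd != -1`. The failure path added here sets `agent_fd = -1` by hand, but any other jump to `end` taken before the socket call would read an indeterminate value. Writing `int agent_fd = -1;` at the declaration covers every path and makes the manual assignment unnecessary. The body of pam_ssh_add_keys_to_agent between the hunks is not visible, so whether such a path exists today should be checked.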
@@ -382,7 +383,8 @@ pam_ssh_add_keys_to_agent(pam_handle_t * pam_err = pam_get_data(pamh, *kfn, &vp); psk = vp; if (pam_err == PAM_SUCCESS && psk != NULL) { - if (ssh_add_identity(ac, psk->key, psk->comment)) + if (ssh_add_identity_constrained(agent_fd, psk->key, + psk->comment, 0, 0)) openpam_log(PAM_LOG_DEBUG, "added %s to ssh agent", psk->comment); else @@ -395,8 +397,8 @@ pam_ssh_add_keys_to_agent(pam_handle_t * pam_err = PAM_SUCCESS; end: /* disconnect from agent */ - if (ac != NULL) - ssh_close_authentication_connection(ac); + if (agent_fd != -1) + ssh_close_authentication_socket(agent_fd); /* switch back to original environment */ for (env = environ; *env != NULL; ++env)
CVS commit: src/lib/libpam/modules/pam_ksu
Module Name:src Committed By: joerg Date: Thu Feb 27 18:09:38 UTC 2014 Modified Files: src/lib/libpam/modules/pam_ksu: pam_ksu.c Log Message: Remove tautological check. To generate a diff of this commit: cvs rdiff -u -r1.8 -r1.9 src/lib/libpam/modules/pam_ksu/pam_ksu.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libpam/modules/pam_ksu/pam_ksu.c diff -u src/lib/libpam/modules/pam_ksu/pam_ksu.c:1.8 src/lib/libpam/modules/pam_ksu/pam_ksu.c:1.9 --- src/lib/libpam/modules/pam_ksu/pam_ksu.c:1.8 Sun Dec 29 22:54:58 2013 +++ src/lib/libpam/modules/pam_ksu/pam_ksu.c Thu Feb 27 18:09:38 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: pam_ksu.c,v 1.8 2013/12/29 22:54:58 christos Exp $ */ +/* $NetBSD: pam_ksu.c,v 1.9 2014/02/27 18:09:38 joerg Exp $ */ /*- * Copyright (c) 2002 Jacques A. Vidrine @@ -29,7 +29,7 @@ #ifdef __FreeBSD__ __FBSDID("$FreeBSD: src/lib/libpam/modules/pam_ksu/pam_ksu.c,v 1.5 2004/02/10 10:13:21 des Exp $"); #else -__RCSID("$NetBSD: pam_ksu.c,v 1.8 2013/12/29 22:54:58 christos Exp $"); +__RCSID("$NetBSD: pam_ksu.c,v 1.9 2014/02/27 18:09:38 joerg Exp $"); #endif #include @@ -139,8 +139,6 @@ auth_krb5(pam_handle_t *pamh, krb5_conte su_principal_name); else (void)snprintf(prompt, sizeof(prompt), "Password:"); - if (prompt == NULL) - return (PAM_BUF_ERR); pass = NULL; pamret = pam_get_authtok(pamh, PAM_AUTHTOK, &pass, prompt); if (pamret != PAM_SUCCESS)
CVS commit: src/lib/libpam/modules
Module Name:src Committed By: joerg Date: Tue Jan 7 02:07:43 UTC 2014 Modified Files: src/lib/libpam/modules/pam_lastlog: pam_lastlog.c src/lib/libpam/modules/pam_login_access: login_access.c src/lib/libpam/modules/pam_radius: pam_radius.c Log Message: Annotate logit to provide transitive format string checks. To generate a diff of this commit: cvs rdiff -u -r1.14 -r1.15 src/lib/libpam/modules/pam_lastlog/pam_lastlog.c cvs rdiff -u -r1.7 -r1.8 \ src/lib/libpam/modules/pam_login_access/login_access.c cvs rdiff -u -r1.7 -r1.8 src/lib/libpam/modules/pam_radius/pam_radius.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libpam/modules/pam_lastlog/pam_lastlog.c diff -u src/lib/libpam/modules/pam_lastlog/pam_lastlog.c:1.14 src/lib/libpam/modules/pam_lastlog/pam_lastlog.c:1.15 --- src/lib/libpam/modules/pam_lastlog/pam_lastlog.c:1.14 Tue Jan 3 19:02:55 2012 +++ src/lib/libpam/modules/pam_lastlog/pam_lastlog.c Tue Jan 7 02:07:43 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: pam_lastlog.c,v 1.14 2012/01/03 19:02:55 christos Exp $ */ +/* $NetBSD: pam_lastlog.c,v 1.15 2014/01/07 02:07:43 joerg Exp $ */ /*- * Copyright (c) 1980, 1987, 1988, 1991, 1993, 1994 @@ -47,7 +47,7 @@ #ifdef __FreeBSD__ __FBSDID("$FreeBSD: src/lib/libpam/modules/pam_lastlog/pam_lastlog.c,v 1.20 2004/01/26 19:28:37 des Exp $"); #else -__RCSID("$NetBSD: pam_lastlog.c,v 1.14 2012/01/03 19:02:55 christos Exp $"); +__RCSID("$NetBSD: pam_lastlog.c,v 1.15 2014/01/07 02:07:43 joerg Exp $"); #endif #include 
@@ -95,6 +95,7 @@ static void domsg(pam_handle_t *, time_t size_t); #endif +__printflike(2, 3) static void logit(int level, const char *fmt, ...) { Index: src/lib/libpam/modules/pam_login_access/login_access.c diff -u src/lib/libpam/modules/pam_login_access/login_access.c:1.7 src/lib/libpam/modules/pam_login_access/login_access.c:1.8 --- src/lib/libpam/modules/pam_login_access/login_access.c:1.7 Sun Dec 29 22:54:58 2013 +++ src/lib/libpam/modules/pam_login_access/login_access.c Tue Jan 7 02:07:43 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: login_access.c,v 1.7 2013/12/29 22:54:58 christos Exp $ */ +/* $NetBSD: login_access.c,v 1.8 2014/01/07 02:07:43 joerg Exp $ */ /* * This module implements a simple but effective form of login access @@ -19,7 +19,7 @@ static char sccsid[] = "%Z% %M% %I% %E% #ifdef __FreeBSD__ __FBSDID("$FreeBSD: src/lib/libpam/modules/pam_login_access/login_access.c,v 1.12 2004/03/05 08:10:18 markm Exp $"); #else -__RCSID("$NetBSD: login_access.c,v 1.7 2013/12/29 22:54:58 christos Exp $"); +__RCSID("$NetBSD: login_access.c,v 1.8 2014/01/07 02:07:43 joerg Exp $"); #endif #include @@ -56,6 +56,7 @@ static int user_match(const char *, cons /* login_access - match username/group and host/tty with access control file */ +__printflike(2, 3) static void logit(int level, const char *fmt, ...) { Index: src/lib/libpam/modules/pam_radius/pam_radius.c diff -u src/lib/libpam/modules/pam_radius/pam_radius.c:1.7 src/lib/libpam/modules/pam_radius/pam_radius.c:1.8 --- src/lib/libpam/modules/pam_radius/pam_radius.c:1.7 Fri Nov 3 18:55:40 2006 +++ src/lib/libpam/modules/pam_radius/pam_radius.c Tue Jan 7 02:07:43 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: pam_radius.c,v 1.7 2006/11/03 18:55:40 christos Exp $ */ +/* $NetBSD: pam_radius.c,v 1.8 2014/01/07 02:07:43 joerg Exp $ */ /*- * Copyright 1998 Juniper Networks, Inc. 
@@ -40,7 +40,7 @@ #ifdef __FreeBSD__ __FBSDID("$FreeBSD: src/lib/libpam/modules/pam_radius/pam_radius.c,v 1.22 2004/06/25 12:32:45 kan Exp $"); #else -__RCSID("$NetBSD: pam_radius.c,v 1.7 2006/11/03 18:55:40 christos Exp $"); +__RCSID("$NetBSD: pam_radius.c,v 1.8 2014/01/07 02:07:43 joerg Exp $"); #endif #include @@ -76,6 +76,7 @@ static int do_accept(pam_handle_t *, st static int do_challenge(pam_handle_t *, struct rad_handle *, const char *); +__printflike(2, 3) static void logit(int level, const char *fmt, ...) {
CVS commit: src/lib/libpam/modules
Module Name:src Committed By: christos Date: Sun Dec 29 22:54:58 UTC 2013 Modified Files: src/lib/libpam/modules/pam_exec: pam_exec.c src/lib/libpam/modules/pam_ksu: pam_ksu.c src/lib/libpam/modules/pam_login_access: login_access.c src/lib/libpam/modules/pam_nologin: pam_nologin.c src/lib/libpam/modules/pam_unix: pam_unix.c Log Message: Fix incorrect types To generate a diff of this commit: cvs rdiff -u -r1.6 -r1.7 src/lib/libpam/modules/pam_exec/pam_exec.c cvs rdiff -u -r1.7 -r1.8 src/lib/libpam/modules/pam_ksu/pam_ksu.c cvs rdiff -u -r1.6 -r1.7 \ src/lib/libpam/modules/pam_login_access/login_access.c cvs rdiff -u -r1.9 -r1.10 src/lib/libpam/modules/pam_nologin/pam_nologin.c cvs rdiff -u -r1.15 -r1.16 src/lib/libpam/modules/pam_unix/pam_unix.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libpam/modules/pam_exec/pam_exec.c diff -u src/lib/libpam/modules/pam_exec/pam_exec.c:1.6 src/lib/libpam/modules/pam_exec/pam_exec.c:1.7 --- src/lib/libpam/modules/pam_exec/pam_exec.c:1.6 Tue Jan 3 14:02:54 2012 +++ src/lib/libpam/modules/pam_exec/pam_exec.c Sun Dec 29 17:54:58 2013 @@ -1,4 +1,4 @@ -/* $NetBSD: pam_exec.c,v 1.6 2012/01/03 19:02:54 christos Exp $ */ +/* $NetBSD: pam_exec.c,v 1.7 2013/12/29 22:54:58 christos Exp $ */ /*- * Copyright (c) 2001,2003 Networks Associates Technology, Inc. @@ -38,7 +38,7 @@ #ifdef __FreeBSD__ __FBSDID("$FreeBSD: src/lib/libpam/modules/pam_exec/pam_exec.c,v 1.4 2005/02/01 10:37:07 des Exp $"); #else -__RCSID("$NetBSD: pam_exec.c,v 1.6 2012/01/03 19:02:54 christos Exp $"); +__RCSID("$NetBSD: pam_exec.c,v 1.7 2013/12/29 22:54:58 christos Exp $"); #endif #include 
@@ -70,7 +70,8 @@ static int _pam_exec(pam_handle_t *pamh __unused, int flags __unused, int argc, const char *argv[]) { - int envlen, i, nitems, pam_err, status; + size_t envlen, i, nitems; + int pam_err, status; char **envlist, **tmp; volatile int childerr; pid_t pid; Index: src/lib/libpam/modules/pam_ksu/pam_ksu.c diff -u src/lib/libpam/modules/pam_ksu/pam_ksu.c:1.7 src/lib/libpam/modules/pam_ksu/pam_ksu.c:1.8 --- src/lib/libpam/modules/pam_ksu/pam_ksu.c:1.7 Sat Dec 28 13:04:03 2013 +++ src/lib/libpam/modules/pam_ksu/pam_ksu.c Sun Dec 29 17:54:58 2013 @@ -1,4 +1,4 @@ -/* $NetBSD: pam_ksu.c,v 1.7 2013/12/28 18:04:03 christos Exp $ */ +/* $NetBSD: pam_ksu.c,v 1.8 2013/12/29 22:54:58 christos Exp $ */ /*- * Copyright (c) 2002 Jacques A. Vidrine @@ -29,7 +29,7 @@ #ifdef __FreeBSD__ __FBSDID("$FreeBSD: src/lib/libpam/modules/pam_ksu/pam_ksu.c,v 1.5 2004/02/10 10:13:21 des Exp $"); #else -__RCSID("$NetBSD: pam_ksu.c,v 1.7 2013/12/28 18:04:03 christos Exp $"); +__RCSID("$NetBSD: pam_ksu.c,v 1.8 2013/12/29 22:54:58 christos Exp $"); #endif #include @@ -53,8 +53,8 @@ static const char superuser[] = "root"; static void log_krb5(krb5_context, krb5_error_code, const char *, ...) __printflike(3, 4); -static long get_su_principal(krb5_context, const char *, const char *, - char **, krb5_principal *); +static krb5_error_code get_su_principal(krb5_context, const char *, +const char *, char **, krb5_principal *); static int auth_krb5(pam_handle_t *, krb5_context, const char *, krb5_principal); @@ -67,7 +67,7 @@ pam_sm_authenticate(pam_handle_t *pamh, const char *user; const void *ruser; char *su_principal_name; - long rv; + krb5_error_code rv; int pamret; pamret = pam_get_user(pamh, &user, NULL); @@ -125,7 +125,7 @@ auth_krb5(pam_handle_t *pamh, krb5_conte krb5_verify_init_creds_opt vic_opt; const char *pass; char prompt[80]; - long rv; + krb5_error_code rv; int pamret; rv = krb5_get_init_creds_opt_alloc(context, &gic_opt); 
@@ -200,14 +200,14 @@ log_krb5(krb5_context ctx, krb5_error_co * * Returns 0 for success, or a com_err error code on failure. */ -static long +static krb5_error_code get_su_principal(krb5_context context, const char *target_user, const char *current_user, char **su_principal_name, krb5_principal *su_principal) { krb5_principal default_principal; krb5_ccache ccache; char *principal_name, *ccname, *p; - long rv; + krb5_error_code rv; uid_t euid, ruid; *su_principal = NULL; Index: src/lib/libpam/modules/pam_login_access/login_access.c diff -u src/lib/libpam/modules/pam_login_access/login_access.c:1.6 src/lib/libpam/modules/pam_login_access/login_access.c:1.7 --- src/lib/libpam/modules/pam_login_access/login_access.c:1.6 Tue Jan 3 14:02:55 2012 +++ src/lib/libpam/modules/pam_login_access/login_access.c Sun Dec 29 17:54:58 2013 @@ -1,4 +1,4 @@ -/* $NetBSD: login_access.c,v 1.6 2012/01/03 19:02:55 christos Exp $ */ +/* $NetBSD: login_access.c,v 1.7 2013/12/29 22:54:58 christos Exp $ */ /* * This module implements a simple but effective form of login access @@ -19,7 +19,7 @@ static char sccsid[] = "%Z% %M% %I% %E% #ifdef
CVS commit: src/lib/libpam/modules
Module Name:src Committed By: christos Date: Sat Dec 28 18:04:03 UTC 2013 Modified Files: src/lib/libpam/modules/pam_krb5: pam_krb5.c src/lib/libpam/modules/pam_ksu: pam_ksu.c Log Message: avoid using freed pointers and non-format strings To generate a diff of this commit: cvs rdiff -u -r1.25 -r1.26 src/lib/libpam/modules/pam_krb5/pam_krb5.c cvs rdiff -u -r1.6 -r1.7 src/lib/libpam/modules/pam_ksu/pam_ksu.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libpam/modules/pam_krb5/pam_krb5.c diff -u src/lib/libpam/modules/pam_krb5/pam_krb5.c:1.25 src/lib/libpam/modules/pam_krb5/pam_krb5.c:1.26 --- src/lib/libpam/modules/pam_krb5/pam_krb5.c:1.25 Mon Apr 25 18:22:25 2011 +++ src/lib/libpam/modules/pam_krb5/pam_krb5.c Sat Dec 28 13:04:03 2013 @@ -1,4 +1,4 @@ -/* $NetBSD: pam_krb5.c,v 1.25 2011/04/25 22:22:25 christos Exp $ */ +/* $NetBSD: pam_krb5.c,v 1.26 2013/12/28 18:04:03 christos Exp $ */ /*- * This pam_krb5 module contains code that is: @@ -53,7 +53,7 @@ #ifdef __FreeBSD__ __FBSDID("$FreeBSD: src/lib/libpam/modules/pam_krb5/pam_krb5.c,v 1.22 2005/01/24 16:49:50 rwatson Exp $"); #else -__RCSID("$NetBSD: pam_krb5.c,v 1.25 2011/04/25 22:22:25 christos Exp $"); +__RCSID("$NetBSD: pam_krb5.c,v 1.26 2013/12/28 18:04:03 christos Exp $"); #endif #include 
@@ -861,15 +861,15 @@ log_krb5(krb5_context ctx, krb5_error_co else errtxt = NULL; if (errtxt != NULL) { + snprintf(b2, sizeof(b2), "%s", errtxt); krb5_free_error_message(ctx, errtxt); - snprintf(b2, sizeof(b2), "%s (%s)", b1, errtxt); } else { - snprintf(b2, sizeof(b2), "%s (unknown %d)", b1, (int)err); + snprintf(b2, sizeof(b2), "unknown %d", (int)err); } if (data) - syslog_r(LOG_DEBUG, data, "%s", b2); + syslog_r(LOG_DEBUG, data, "%s (%s)", b1, b2); else - PAM_LOG(b2); + PAM_LOG("%s (%s)", b1, b2); } /* Index: src/lib/libpam/modules/pam_ksu/pam_ksu.c diff -u src/lib/libpam/modules/pam_ksu/pam_ksu.c:1.6 src/lib/libpam/modules/pam_ksu/pam_ksu.c:1.7 --- src/lib/libpam/modules/pam_ksu/pam_ksu.c:1.6 Mon Apr 25 18:03:20 2011 +++ src/lib/libpam/modules/pam_ksu/pam_ksu.c Sat Dec 28 13:04:03 2013 @@ -1,4 +1,4 @@ -/* $NetBSD: pam_ksu.c,v 1.6 2011/04/25 22:03:20 christos Exp $ */ +/* $NetBSD: pam_ksu.c,v 1.7 2013/12/28 18:04:03 christos Exp $ */ /*- * Copyright (c) 2002 Jacques A. Vidrine @@ -29,7 +29,7 @@ #ifdef __FreeBSD__ __FBSDID("$FreeBSD: src/lib/libpam/modules/pam_ksu/pam_ksu.c,v 1.5 2004/02/10 10:13:21 des Exp $"); #else -__RCSID("$NetBSD: pam_ksu.c,v 1.6 2011/04/25 22:03:20 christos Exp $"); +__RCSID("$NetBSD: pam_ksu.c,v 1.7 2013/12/28 18:04:03 christos Exp $"); #endif #include @@ -177,12 +177,12 @@ log_krb5(krb5_context ctx, krb5_error_co else errtxt = NULL; if (errtxt != NULL) { + snprintf(b2, sizeof(b2), "%s", errtxt); krb5_free_error_message(ctx, errtxt); - snprintf(b2, sizeof(b2), "%s (%s)", b1, errtxt); } else { - snprintf(b2, sizeof(b2), "%s (unknown %d)", b1, (int)err); + snprintf(b2, sizeof(b2), "unknown %d", (int)err); } - PAM_LOG(b2); + PAM_LOG("%s (%s)", b1, b2); } /* Determine the target principal given the current user and the target user.
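Review bot: The fix in `log_krb5` depends entirely on `errtxt` being copied into `b2` before `krb5_free_error_message()` runs, and nothing in the code says so, so a later tidy-up could move the free back above the copy. A one-line comment above the `snprintf` would pin the ordering: `/* copy first: errtxt must not be used after krb5_free_error_message() */`. The same comment belongs in the matching `log_krb5` hunk for pam_ksu.c further down. `b1` and `b2` are declared outside both hunks, so whether `b2` can hold the library's message without truncation cannot be confirmed from here.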
CVS commit: src/lib/libpam/modules/pam_deny
Module Name:src Committed By: mrg Date: Sat Oct 19 22:57:46 UTC 2013 Modified Files: src/lib/libpam/modules/pam_deny: pam_deny.c Log Message: remove useless variable To generate a diff of this commit: cvs rdiff -u -r1.3 -r1.4 src/lib/libpam/modules/pam_deny/pam_deny.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libpam/modules/pam_deny/pam_deny.c diff -u src/lib/libpam/modules/pam_deny/pam_deny.c:1.3 src/lib/libpam/modules/pam_deny/pam_deny.c:1.4 --- src/lib/libpam/modules/pam_deny/pam_deny.c:1.3 Tue Aug 20 22:07:44 2013 +++ src/lib/libpam/modules/pam_deny/pam_deny.c Sat Oct 19 22:57:46 2013 @@ -1,4 +1,4 @@ -/* $NetBSD: pam_deny.c,v 1.3 2013/08/20 22:07:44 perseant Exp $ */ +/* $NetBSD: pam_deny.c,v 1.4 2013/10/19 22:57:46 mrg Exp $ */ /*- * Copyright 2001 Mark R V Murray @@ -30,7 +30,7 @@ #ifdef __FreeBSD__ __FBSDID("$FreeBSD: src/lib/libpam/modules/pam_deny/pam_deny.c,v 1.9 2002/04/12 22:27:19 des Exp $"); #else -__RCSID("$NetBSD: pam_deny.c,v 1.3 2013/08/20 22:07:44 perseant Exp $"); +__RCSID("$NetBSD: pam_deny.c,v 1.4 2013/10/19 22:57:46 mrg Exp $"); #endif #include @@ -78,14 +78,14 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh __unused, int flags, int argc, const char *argv[]) { - int prelim_ignore = 0, debug = 0; + int prelim_ignore = 0; int i; for (i = 0; i < argc; i++) { if (strcmp(argv[i], "prelim_ignore") == 0) prelim_ignore = 1; else if (strcmp(argv[i], "debug") == 0) - debug = 1; + /* nothing */; else syslog(LOG_ERR, "illegal option %s", argv[i]); }
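Review bot: In `pam_sm_chauthtok` the `debug` branch is now a bare empty statement, `/* nothing */;`, sitting between an `else if` and an `else`; it is easy to misread as belonging to the next branch and may draw an empty-body warning from the compiler. An explicit statement keeps the option accepted and makes the intent obvious: `else if (strcmp(argv[i], "debug") == 0) continue;`. The function continues past the end of the hunk.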
CVS commit: src/lib/libpam/modules/pam_deny
Module Name:src Committed By: wiz Date: Tue Aug 20 22:44:38 UTC 2013 Modified Files: src/lib/libpam/modules/pam_deny: pam_deny.8 Log Message: Whitespace and markup improvements. Bump date for previous. To generate a diff of this commit: cvs rdiff -u -r1.4 -r1.5 src/lib/libpam/modules/pam_deny/pam_deny.8 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libpam/modules/pam_deny/pam_deny.8 diff -u src/lib/libpam/modules/pam_deny/pam_deny.8:1.4 src/lib/libpam/modules/pam_deny/pam_deny.8:1.5 --- src/lib/libpam/modules/pam_deny/pam_deny.8:1.4 Tue Aug 20 22:07:44 2013 +++ src/lib/libpam/modules/pam_deny/pam_deny.8 Tue Aug 20 22:44:37 2013 @@ -1,4 +1,4 @@ -.\" $NetBSD: pam_deny.8,v 1.4 2013/08/20 22:07:44 perseant Exp $ +.\" $NetBSD: pam_deny.8,v 1.5 2013/08/20 22:44:37 wiz Exp $ .\" Copyright (c) 2001 Mark R V Murray .\" All rights reserved. .\" @@ -25,7 +25,7 @@ .\" .\" $FreeBSD: src/lib/libpam/modules/pam_deny/pam_deny.8,v 1.4 2001/08/15 20:05:30 markm Exp $ .\" -.Dd July 7, 2001 +.Dd August 21, 2013 .Dt PAM_DENY 8 .Os .Sh NAME @@ -74,9 +74,10 @@ These messages include reasons why the user's authentication attempt was declined. .It Cm prelim_ignore -for password management ( -.Dq Li password -feature), return PAM_IGNORE +for password management +.Dq ( Li password +feature), return +.Dv PAM_IGNORE in the preliminary phase. This allows the module to be used (with the .Dq Li required
CVS commit: src/lib/libpam/modules/pam_deny
Module Name:src Committed By: perseant Date: Tue Aug 20 22:07:44 UTC 2013 Modified Files: src/lib/libpam/modules/pam_deny: pam_deny.8 pam_deny.c Log Message: Add Edgar Fuss's patch to pam_deny, to allow users to be able to change their LDAP password with "passwd". To generate a diff of this commit: cvs rdiff -u -r1.3 -r1.4 src/lib/libpam/modules/pam_deny/pam_deny.8 cvs rdiff -u -r1.2 -r1.3 src/lib/libpam/modules/pam_deny/pam_deny.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libpam/modules/pam_deny/pam_deny.8 diff -u src/lib/libpam/modules/pam_deny/pam_deny.8:1.3 src/lib/libpam/modules/pam_deny/pam_deny.8:1.4 --- src/lib/libpam/modules/pam_deny/pam_deny.8:1.3 Sat Feb 26 14:54:25 2005 +++ src/lib/libpam/modules/pam_deny/pam_deny.8 Tue Aug 20 22:07:44 2013 @@ -1,4 +1,4 @@ -.\" $NetBSD: pam_deny.8,v 1.3 2005/02/26 14:54:25 thorpej Exp $ +.\" $NetBSD: pam_deny.8,v 1.4 2013/08/20 22:07:44 perseant Exp $ .\" Copyright (c) 2001 Mark R V Murray .\" All rights reserved. .\" @@ -73,6 +73,17 @@ suppress warning messages to the user. These messages include reasons why the user's authentication attempt was declined. +.It Cm prelim_ignore +for password management ( +.Dq Li password +feature), return PAM_IGNORE +in the preliminary phase. +This allows the module to be used (with the +.Dq Li required +flag) at the end of a chain of +.Dq Li sufficient +modules with this service +(where the entire chain is in fact run twice). .El .Sh SEE ALSO .Xr syslog 3 , Index: src/lib/libpam/modules/pam_deny/pam_deny.c diff -u src/lib/libpam/modules/pam_deny/pam_deny.c:1.2 src/lib/libpam/modules/pam_deny/pam_deny.c:1.3 --- src/lib/libpam/modules/pam_deny/pam_deny.c:1.2 Sun Dec 12 08:18:44 2004 +++ src/lib/libpam/modules/pam_deny/pam_deny.c Tue Aug 20 22:07:44 2013 
@@ -1,4 +1,4 @@ -/* $NetBSD: pam_deny.c,v 1.2 2004/12/12 08:18:44 christos Exp $ */ +/* $NetBSD: pam_deny.c,v 1.3 2013/08/20 22:07:44 perseant Exp $ */ /*- * Copyright 2001 Mark R V Murray @@ -30,10 +30,12 @@ #ifdef __FreeBSD__ __FBSDID("$FreeBSD: src/lib/libpam/modules/pam_deny/pam_deny.c,v 1.9 2002/04/12 22:27:19 des Exp $"); #else -__RCSID("$NetBSD: pam_deny.c,v 1.2 2004/12/12 08:18:44 christos Exp $"); +__RCSID("$NetBSD: pam_deny.c,v 1.3 2013/08/20 22:07:44 perseant Exp $"); #endif #include +#include +#include #define PAM_SM_AUTH #define PAM_SM_ACCOUNT @@ -61,7 +63,7 @@ pam_sm_setcred(pam_handle_t *pamh __unus int argc __unused, const char *argv[] __unused) { - return (PAM_AUTH_ERR); + return (PAM_CRED_ERR); } PAM_EXTERN int @@ -73,11 +75,25 @@ pam_sm_acct_mgmt(pam_handle_t *pamh __un } PAM_EXTERN int -pam_sm_chauthtok(pam_handle_t *pamh __unused, int flags __unused, -int argc __unused, const char *argv[] __unused) +pam_sm_chauthtok(pam_handle_t *pamh __unused, int flags, +int argc, const char *argv[]) { + int prelim_ignore = 0, debug = 0; + int i; - return (PAM_AUTH_ERR); + for (i = 0; i < argc; i++) { + if (strcmp(argv[i], "prelim_ignore") == 0) + prelim_ignore = 1; + else if (strcmp(argv[i], "debug") == 0) + debug = 1; + else + syslog(LOG_ERR, "illegal option %s", argv[i]); + } + + if (flags & PAM_PRELIM_CHECK && prelim_ignore) + return (PAM_IGNORE); + else + return (PAM_AUTHTOK_ERR); } PAM_EXTERN int @@ -85,7 +101,7 @@ pam_sm_open_session(pam_handle_t *pamh _ int argc __unused, const char *argv[] __unused) { - return (PAM_AUTH_ERR); + return (PAM_SESSION_ERR); } PAM_EXTERN int @@ -93,7 +109,7 @@ pam_sm_close_session(pam_handle_t *pamh int argc __unused, const char *argv[] __unused) { - return (PAM_AUTH_ERR); + return (PAM_SESSION_ERR); } PAM_MODULE_ENTRY("pam_deny");
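Review bot: With `prelim_ignore` set, `pam_sm_chauthtok` returns `PAM_IGNORE` during `PAM_PRELIM_CHECK`, so in that pass pam_deny no longer contributes a failure and the denial rests on the second pass returning `PAM_AUTHTOK_ERR`; the code carries no comment saying this is deliberate. I would add `/* prelim_ignore: abstain in the preliminary pass only; the update pass still denies */` above the test, so nobody later extends the `PAM_IGNORE` return to the update pass. The condition is also clearer with the precedence spelled out: `if ((flags & PAM_PRELIM_CHECK) && prelim_ignore)`.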
CVS commit: src/lib/libpam/modules/pam_login_access
Module Name:src Committed By: dholland Date: Sun Jun 23 01:44:23 UTC 2013 Modified Files: src/lib/libpam/modules/pam_login_access: login.access.5 Log Message: add missing word To generate a diff of this commit: cvs rdiff -u -r1.1.1.1 -r1.2 \ src/lib/libpam/modules/pam_login_access/login.access.5 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libpam/modules/pam_login_access/login.access.5 diff -u src/lib/libpam/modules/pam_login_access/login.access.5:1.1.1.1 src/lib/libpam/modules/pam_login_access/login.access.5:1.2 --- src/lib/libpam/modules/pam_login_access/login.access.5:1.1.1.1 Sun Dec 12 06:50:17 2004 +++ src/lib/libpam/modules/pam_login_access/login.access.5 Sun Jun 23 01:44:22 2013 @@ -16,7 +16,7 @@ combinations for which a login will be e .Pp When someone logs in, the .Nm -is scanned for the first entry that +file is scanned for the first entry that matches the (user, host) combination, or, in case of non-networked logins, the first entry that matches the (user, tty) combination. The
CVS commit: src/lib/libpam/modules
Module Name:src Committed By: christos Date: Thu Jun 20 20:54:52 UTC 2013 Modified Files: src/lib/libpam/modules/pam_nologin: pam_nologin.c src/lib/libpam/modules/pam_unix: pam_unix.c Log Message: use login_getpwclass() everywhere for consistency. To generate a diff of this commit: cvs rdiff -u -r1.8 -r1.9 src/lib/libpam/modules/pam_nologin/pam_nologin.c cvs rdiff -u -r1.14 -r1.15 src/lib/libpam/modules/pam_unix/pam_unix.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libpam/modules/pam_nologin/pam_nologin.c diff -u src/lib/libpam/modules/pam_nologin/pam_nologin.c:1.8 src/lib/libpam/modules/pam_nologin/pam_nologin.c:1.9 --- src/lib/libpam/modules/pam_nologin/pam_nologin.c:1.8 Sun Jan 17 18:17:08 2010 +++ src/lib/libpam/modules/pam_nologin/pam_nologin.c Thu Jun 20 16:54:52 2013 @@ -1,4 +1,4 @@ -/* $NetBSD: pam_nologin.c,v 1.8 2010/01/17 23:17:08 wiz Exp $ */ +/* $NetBSD: pam_nologin.c,v 1.9 2013/06/20 20:54:52 christos Exp $ */ /*- * Copyright 2001 Mark R V Murray @@ -40,7 +40,7 @@ #ifdef __FreeBSD__ __FBSDID("$FreeBSD: src/lib/libpam/modules/pam_nologin/pam_nologin.c,v 1.10 2002/04/12 22:27:21 des Exp $"); #else -__RCSID("$NetBSD: pam_nologin.c,v 1.8 2010/01/17 23:17:08 wiz Exp $"); +__RCSID("$NetBSD: pam_nologin.c,v 1.9 2013/06/20 20:54:52 christos Exp $"); #endif @@ -100,7 +100,7 @@ pam_sm_authenticate(pam_handle_t *pamh, rootlogin = 1; } - lc = login_getclass(pwd->pw_class); + lc = login_getpwclass(pwd); ignorenologin = login_getcapbool(lc, "ignorenologin", rootlogin); nologin = login_getcapstr(lc, "nologin", nologin_def, nologin_def); login_close(lc); Index: src/lib/libpam/modules/pam_unix/pam_unix.c diff -u src/lib/libpam/modules/pam_unix/pam_unix.c:1.14 src/lib/libpam/modules/pam_unix/pam_unix.c:1.15 --- src/lib/libpam/modules/pam_unix/pam_unix.c:1.14 Wed Nov 18 12:06:23 2009 +++ src/lib/libpam/modules/pam_unix/pam_unix.c Thu Jun 20 16:54:52 2013 
@@ -1,4 +1,4 @@ -/* $NetBSD: pam_unix.c,v 1.14 2009/11/18 17:06:23 drochner Exp $ */ +/* $NetBSD: pam_unix.c,v 1.15 2013/06/20 20:54:52 christos Exp $ */ /*- * Copyright 1998 Juniper Networks, Inc. @@ -40,7 +40,7 @@ #ifdef __FreeBSD__ __FBSDID("$FreeBSD: src/lib/libpam/modules/pam_unix/pam_unix.c,v 1.49 2004/02/10 10:13:21 des Exp $"); #else -__RCSID("$NetBSD: pam_unix.c,v 1.14 2009/11/18 17:06:23 drochner Exp $"); +__RCSID("$NetBSD: pam_unix.c,v 1.15 2013/06/20 20:54:52 christos Exp $"); #endif @@ -111,12 +111,11 @@ pam_sm_authenticate(pam_handle_t *pamh, return (PAM_SUCCESS); realpw = "*"; } - lc = login_getpwclass(pwd); } else { PAM_LOG("Doing dummy authentication"); realpw = "*"; - lc = login_getclass(NULL); } + lc = login_getpwclass(pwd); retval = pam_get_authtok(pamh, PAM_AUTHTOK, &pass, NULL); login_close(lc); if (retval != PAM_SUCCESS) @@ -543,7 +542,7 @@ pam_sm_chauthtok(pam_handle_t *pamh, int PAM_LOG("UPDATE round"); - if ((lc = login_getclass(pwd->pw_class)) != NULL) { + if ((lc = login_getpwclass(pwd)) != NULL) { min_pw_len = (int) login_getcapnum(lc, "minpasswordlen", (quad_t)0, (quad_t)0); pw_expiry = (int) login_getcapnum(lc,
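Review bot: Hoisting `lc = login_getpwclass(pwd);` below the `if`/`else` in `pam_sm_authenticate` means it now also runs on the "Doing dummy authentication" path, where `pwd` is presumably NULL (the condition is outside the hunk); the old code passed an explicit NULL to `login_getclass()` there. That is only safe if `login_getpwclass()` tolerates a NULL `struct passwd *`, and the call site should say so: `/* pwd may be NULL here (dummy authentication) */`. Within the visible lines `lc` is closed right after `pam_get_authtok()` without being read, so it is worth confirming the lookup is still needed at all.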
CVS commit: src/lib/libpam/modules
Module Name:src Committed By: christos Date: Sat Jan 28 21:54:26 UTC 2012 Modified Files: src/lib/libpam/modules: mod.mk Log Message: remove unneeded change To generate a diff of this commit: cvs rdiff -u -r1.10 -r1.11 src/lib/libpam/modules/mod.mk Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libpam/modules/mod.mk diff -u src/lib/libpam/modules/mod.mk:1.10 src/lib/libpam/modules/mod.mk:1.11 --- src/lib/libpam/modules/mod.mk:1.10 Sat Jan 28 16:34:22 2012 +++ src/lib/libpam/modules/mod.mk Sat Jan 28 16:54:26 2012 @@ -1,4 +1,4 @@ -# $NetBSD: mod.mk,v 1.10 2012/01/28 21:34:22 christos Exp $ +# $NetBSD: mod.mk,v 1.11 2012/01/28 21:54:26 christos Exp $ NOLINT= # don't build a lint library NOPROFILE= # don't build a profile library @@ -23,9 +23,6 @@ libinstall:: ${DESTDIR}${LIBDIR}/${LIB}. libinstall:: .endif -# Don't use -x because strips link_set symbols (which are local) -OBJCOPYLIBFLAGS=-X - .include ${DESTDIR}${LIBDIR}/${LIB}.so.${SHLIB_MAJOR}: lib${LIB}.so.${SHLIB_FULLVERSION}
CVS commit: src/lib/libpam/modules
Module Name:src Committed By: christos Date: Sat Jan 28 21:34:22 UTC 2012 Modified Files: src/lib/libpam/modules: mod.mk Log Message: Use -X so that the link-set symbols are not stripped. To generate a diff of this commit: cvs rdiff -u -r1.9 -r1.10 src/lib/libpam/modules/mod.mk Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libpam/modules/mod.mk diff -u src/lib/libpam/modules/mod.mk:1.9 src/lib/libpam/modules/mod.mk:1.10 --- src/lib/libpam/modules/mod.mk:1.9 Mon May 3 18:12:32 2010 +++ src/lib/libpam/modules/mod.mk Sat Jan 28 16:34:22 2012 @@ -1,4 +1,4 @@ -# $NetBSD: mod.mk,v 1.9 2010/05/03 22:12:32 christos Exp $ +# $NetBSD: mod.mk,v 1.10 2012/01/28 21:34:22 christos Exp $ NOLINT= # don't build a lint library NOPROFILE= # don't build a profile library @@ -23,6 +23,9 @@ libinstall:: ${DESTDIR}${LIBDIR}/${LIB}. libinstall:: .endif +# Don't use -x because strips link_set symbols (which are local) +OBJCOPYLIBFLAGS=-X + .include ${DESTDIR}${LIBDIR}/${LIB}.so.${SHLIB_MAJOR}: lib${LIB}.so.${SHLIB_FULLVERSION}
CVS commit: src/lib/libpam/modules/pam_ssh
Module Name:src Committed By: drochner Date: Fri Jan 6 14:04:02 UTC 2012 Modified Files: src/lib/libpam/modules/pam_ssh: pam_ssh.c Log Message: pull in from FreeBSD rev.1.41: Narrow the use of user credentials. (call pam_get_authtok() with caller's rights rather than user's) To generate a diff of this commit: cvs rdiff -u -r1.21 -r1.22 src/lib/libpam/modules/pam_ssh/pam_ssh.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libpam/modules/pam_ssh/pam_ssh.c diff -u src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.21 src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.22 --- src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.21 Tue Jan 3 19:02:55 2012 +++ src/lib/libpam/modules/pam_ssh/pam_ssh.c Fri Jan 6 14:04:02 2012 @@ -1,4 +1,4 @@ -/* $NetBSD: pam_ssh.c,v 1.21 2012/01/03 19:02:55 christos Exp $ */ +/* $NetBSD: pam_ssh.c,v 1.22 2012/01/06 14:04:02 drochner Exp $ */ /*- * Copyright (c) 2003 Networks Associates Technology, Inc. @@ -38,7 +38,7 @@ #ifdef __FreeBSD__ __FBSDID("$FreeBSD: src/lib/libpam/modules/pam_ssh/pam_ssh.c,v 1.40 2004/02/10 10:13:21 des Exp $"); #else -__RCSID("$NetBSD: pam_ssh.c,v 1.21 2012/01/03 19:02:55 christos Exp $"); +__RCSID("$NetBSD: pam_ssh.c,v 1.22 2012/01/06 14:04:02 drochner Exp $"); #endif #include @@ -184,11 +184,6 @@ pam_sm_authenticate(pam_handle_t *pamh, if (pwd->pw_dir == NULL) return (PAM_AUTH_ERR); - /* switch to user credentials */ - pam_err = openpam_borrow_cred(pamh, pwd); - if (pam_err != PAM_SUCCESS) - return (pam_err); - nkeys = 0; pass = (pam_get_item(pamh, PAM_AUTHTOK, &item) == PAM_SUCCESS && item != NULL); 
@@ -196,10 +191,13 @@ pam_sm_authenticate(pam_handle_t *pamh, /* get passphrase */ pam_err = pam_get_authtok(pamh, PAM_AUTHTOK, &passphrase, pam_ssh_prompt); - if (pam_err != PAM_SUCCESS) { - openpam_restore_cred(pamh); + if (pam_err != PAM_SUCCESS) + return (pam_err); + + /* switch to user credentials */ + pam_err = openpam_borrow_cred(pamh, pwd); + if (pam_err != PAM_SUCCESS) return (pam_err); - } /* try to load keys from all keyfiles we know of */ for (kfn = pam_ssh_keyfiles; *kfn != NULL; ++kfn) { @@ -210,6 +208,9 @@ pam_sm_authenticate(pam_handle_t *pamh, } } + /* switch back to arbitrator credentials */ + openpam_restore_cred(pamh); + /* * If we tried an old token and didn't get anything, and * try_first_pass was specified, try again after prompting the @@ -222,9 +223,6 @@ pam_sm_authenticate(pam_handle_t *pamh, goto load_keys; } - /* switch back to arbitrator credentials before returning */ - openpam_restore_cred(pamh); - /* no keys? */ if (nkeys == 0) return (PAM_AUTH_ERR);
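Review bot: The return value of `openpam_restore_cred(pamh)` is discarded in the new "switch back to arbitrator credentials" step of `pam_sm_authenticate`. If the restore fails, the function carries on, including the `goto load_keys` retry and the `pam_get_authtok()` call it leads to, while still holding the user's credentials, which is the state this change is meant to narrow. It should be checked the same way `openpam_borrow_cred()` is a few lines above: `pam_err = openpam_restore_cred(pamh); if (pam_err != PAM_SUCCESS) return (pam_err);`. The function starts and ends outside these hunks.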
CVS commit: src/lib/libpam/modules
Module Name:src Committed By: christos Date: Tue Jan 3 19:02:55 UTC 2012 Modified Files: src/lib/libpam/modules/pam_chroot: pam_chroot.c src/lib/libpam/modules/pam_exec: pam_exec.c src/lib/libpam/modules/pam_ftpusers: pam_ftpusers.c src/lib/libpam/modules/pam_lastlog: pam_lastlog.c src/lib/libpam/modules/pam_login_access: login_access.c src/lib/libpam/modules/pam_ssh: pam_ssh.c Log Message: avoid using %m in format. To generate a diff of this commit: cvs rdiff -u -r1.4 -r1.5 src/lib/libpam/modules/pam_chroot/pam_chroot.c cvs rdiff -u -r1.5 -r1.6 src/lib/libpam/modules/pam_exec/pam_exec.c cvs rdiff -u -r1.5 -r1.6 src/lib/libpam/modules/pam_ftpusers/pam_ftpusers.c cvs rdiff -u -r1.13 -r1.14 src/lib/libpam/modules/pam_lastlog/pam_lastlog.c cvs rdiff -u -r1.5 -r1.6 \ src/lib/libpam/modules/pam_login_access/login_access.c cvs rdiff -u -r1.20 -r1.21 src/lib/libpam/modules/pam_ssh/pam_ssh.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libpam/modules/pam_chroot/pam_chroot.c diff -u src/lib/libpam/modules/pam_chroot/pam_chroot.c:1.4 src/lib/libpam/modules/pam_chroot/pam_chroot.c:1.5 --- src/lib/libpam/modules/pam_chroot/pam_chroot.c:1.4 Mon Apr 18 23:15:34 2005 +++ src/lib/libpam/modules/pam_chroot/pam_chroot.c Tue Jan 3 14:02:54 2012 @@ -1,4 +1,4 @@ -/* $NetBSD: pam_chroot.c,v 1.4 2005/04/19 03:15:34 christos Exp $ */ +/* $NetBSD: pam_chroot.c,v 1.5 2012/01/03 19:02:54 christos Exp $ */ /*- * Copyright (c) 2003 Networks Associates Technology, Inc. @@ -38,7 +38,7 @@ #ifdef __FreeBSD__ __FBSDID("$FreeBSD: src/lib/libpam/modules/pam_chroot/pam_chroot.c,v 1.3 2003/04/30 00:40:24 des Exp $"); #else -__RCSID("$NetBSD: pam_chroot.c,v 1.4 2005/04/19 03:15:34 christos Exp $"); +__RCSID("$NetBSD: pam_chroot.c,v 1.5 2012/01/03 19:02:54 christos Exp $"); #endif #include 
@@ -46,6 +46,7 @@ __RCSID("$NetBSD: pam_chroot.c,v 1.4 200 #include #include #include +#include #include #define PAM_SM_SESSION @@ -96,11 +97,11 @@ pam_sm_open_session(pam_handle_t *pamh, openpam_log(PAM_LOG_DEBUG, "chrooting %s to %s", dir, user); if (chroot(dir) == -1) { - openpam_log(PAM_LOG_ERROR, "chroot(): %m"); + openpam_log(PAM_LOG_ERROR, "chroot(): %s", strerror(errno)); return (PAM_SESSION_ERR); } if (chdir(cwd) == -1) { - openpam_log(PAM_LOG_ERROR, "chdir(): %m"); + openpam_log(PAM_LOG_ERROR, "chdir(): %s", strerror(errno)); return (PAM_SESSION_ERR); } pam_setenv(pamh, "HOME", cwd, 1); Index: src/lib/libpam/modules/pam_exec/pam_exec.c diff -u src/lib/libpam/modules/pam_exec/pam_exec.c:1.5 src/lib/libpam/modules/pam_exec/pam_exec.c:1.6 --- src/lib/libpam/modules/pam_exec/pam_exec.c:1.5 Wed Feb 2 21:05:59 2011 +++ src/lib/libpam/modules/pam_exec/pam_exec.c Tue Jan 3 14:02:54 2012 @@ -1,4 +1,4 @@ -/* $NetBSD: pam_exec.c,v 1.5 2011/02/03 02:05:59 christos Exp $ */ +/* $NetBSD: pam_exec.c,v 1.6 2012/01/03 19:02:54 christos Exp $ */ /*- * Copyright (c) 2001,2003 Networks Associates Technology, Inc. @@ -38,7 +38,7 @@ #ifdef __FreeBSD__ __FBSDID("$FreeBSD: src/lib/libpam/modules/pam_exec/pam_exec.c,v 1.4 2005/02/01 10:37:07 des Exp $"); #else -__RCSID("$NetBSD: pam_exec.c,v 1.5 2011/02/03 02:05:59 christos Exp $"); +__RCSID("$NetBSD: pam_exec.c,v 1.6 2012/01/03 19:02:54 christos Exp $"); #endif #include 
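Review bot: The debug message just above the changed lines in `pam_sm_open_session` passes `dir, user` to the format "chrooting %s to %s", which reads as if the two arguments are reversed: it would log the directory as the thing being chrooted and the user as the destination. If that is not intended, `openpam_log(PAM_LOG_DEBUG, "chrooting %s to %s", user, dir);` makes the log line match what the code does. The function body starts and ends outside the hunk.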
@@ -128,15 +128,15 @@ _pam_exec(pam_handle_t *pamh __unused, i } openpam_free_envlist(envlist); if (pid == -1) { - openpam_log(PAM_LOG_ERROR, "vfork(): %m"); + openpam_log(PAM_LOG_ERROR, "vfork(): %s", strerror(errno)); return (PAM_SYSTEM_ERR); } if (waitpid(pid, &status, 0) == -1) { - openpam_log(PAM_LOG_ERROR, "waitpid(): %m"); + openpam_log(PAM_LOG_ERROR, "waitpid(): %s", strerror(errno)); return (PAM_SYSTEM_ERR); } if (childerr != 0) { - openpam_log(PAM_LOG_ERROR, "execve(): %m"); + openpam_log(PAM_LOG_ERROR, "execve(): %s", strerror(errno)); return (PAM_SYSTEM_ERR); } if (WIFSIGNALED(status)) { Index: src/lib/libpam/modules/pam_ftpusers/pam_ftpusers.c diff -u src/lib/libpam/modules/pam_ftpusers/pam_ftpusers.c:1.5 src/lib/libpam/modules/pam_ftpusers/pam_ftpusers.c:1.6 --- src/lib/libpam/modules/pam_ftpusers/pam_ftpusers.c:1.5 Tue Apr 19 09:04:38 2005 +++ src/lib/libpam/modules/pam_ftpusers/pam_ftpusers.c Tue Jan 3 14:02:55 2012 @@ -1,4 +1,4 @@ -/* $NetBSD: pam_ftpusers.c,v 1.5 2005/04/19 13:04:38 christos Exp $ */ +/* $NetBSD: pam_ftpusers.c,v 1.6 2012/01/03 19:02:55 christos Exp $ */ /*- * Copyright (c) 2001 Networks Associates Technology, Inc. @@ -38,7 +38,7 @@ #ifdef __FreeBSD__ __FBSDID("$FreeBSD: src/lib/libpam/modules/pam_ftpusers/pam_ftpusers.c,v 1.1 2002/05/08 00:30:10 des Exp $"); #else -__RCSID("$NetBSD: pam_ftpusers.c,v 1.5 2005/04/19 13:04:38 christos Exp $"); +__RCSID("$NetBSD: pam_ftpusers.c,v 1.6 2012/01/03 19:02:55 christos Exp $"); #endif #include @@ -46,
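Review bot: The `childerr != 0` branch in `_pam_exec` now logs `strerror(errno)`, but by then the parent has made a successful `waitpid()` call and `errno` is not guaranteed to still describe the failed `execve()`. `childerr` is assigned outside the hunk; if it carries the child's `errno`, as its name and `volatile` qualifier suggest, the message should use it: `openpam_log(PAM_LOG_ERROR, "execve(): %s", strerror(childerr));`. The function starts and ends outside the hunk.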
CVS commit: src/lib/libpam/modules/pam_ssh
Module Name:src Committed By: drochner Date: Fri Dec 16 17:37:14 UTC 2011 Modified Files: src/lib/libpam/modules/pam_ssh: pam_ssh.8 pam_ssh.c Log Message: support ECDSA keys used by recent ssh To generate a diff of this commit: cvs rdiff -u -r1.5 -r1.6 src/lib/libpam/modules/pam_ssh/pam_ssh.8 cvs rdiff -u -r1.19 -r1.20 src/lib/libpam/modules/pam_ssh/pam_ssh.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libpam/modules/pam_ssh/pam_ssh.8 diff -u src/lib/libpam/modules/pam_ssh/pam_ssh.8:1.5 src/lib/libpam/modules/pam_ssh/pam_ssh.8:1.6 --- src/lib/libpam/modules/pam_ssh/pam_ssh.8:1.5 Mon Feb 28 10:31:41 2005 +++ src/lib/libpam/modules/pam_ssh/pam_ssh.8 Fri Dec 16 17:37:14 2011 @@ -1,4 +1,4 @@ -.\" $NetBSD: pam_ssh.8,v 1.5 2005/02/28 10:31:41 wiz Exp $ +.\" $NetBSD: pam_ssh.8,v 1.6 2011/12/16 17:37:14 drochner Exp $ .\" Copyright (c) 2001 Mark R V Murray .\" All rights reserved. .\" Copyright (c) 2001-2003 Networks Associates Technology, Inc. @@ -35,7 +35,7 @@ .\" .\" $FreeBSD: src/lib/libpam/modules/pam_ssh/pam_ssh.8,v 1.13 2004/07/02 23:52:18 ru Exp $ .\" -.Dd February 27, 2005 +.Dd December 16, 2011 .Dt PAM_SSH 8 .Os .Sh NAME @@ -93,6 +93,10 @@ This option is similar to the option, except that if the previously obtained password fails, the user is prompted for another password. +.It Cm nullok +Normally, keys with no passphrase are ignored for authentication purposes. +If this option is set, keys with no passphrase will be taken into +consideration, allowing the user to log in with a blank password. .El .Ss SSH Session Management Module The 
@@ -130,6 +134,8 @@ SSH1 RSA key SSH2 RSA key .It Pa $HOME/.ssh/id_dsa SSH2 DSA key +.It Pa $HOME/.ssh/id_ecdsa +SSH2 ECDSA key .El .Sh SEE ALSO .Xr ssh-agent 1 , Index: src/lib/libpam/modules/pam_ssh/pam_ssh.c diff -u src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.19 src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.20 --- src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.19 Fri Dec 16 17:35:09 2011 +++ src/lib/libpam/modules/pam_ssh/pam_ssh.c Fri Dec 16 17:37:14 2011 @@ -1,4 +1,4 @@ -/* $NetBSD: pam_ssh.c,v 1.19 2011/12/16 17:35:09 drochner Exp $ */ +/* $NetBSD: pam_ssh.c,v 1.20 2011/12/16 17:37:14 drochner Exp $ */ /*- * Copyright (c) 2003 Networks Associates Technology, Inc. @@ -38,7 +38,7 @@ #ifdef __FreeBSD__ __FBSDID("$FreeBSD: src/lib/libpam/modules/pam_ssh/pam_ssh.c,v 1.40 2004/02/10 10:13:21 des Exp $"); #else -__RCSID("$NetBSD: pam_ssh.c,v 1.19 2011/12/16 17:35:09 drochner Exp $"); +__RCSID("$NetBSD: pam_ssh.c,v 1.20 2011/12/16 17:37:14 drochner Exp $"); #endif #include @@ -84,6 +84,7 @@ static const char *pam_ssh_keyfiles[] = ".ssh/identity", /* SSH1 RSA key */ ".ssh/id_rsa", /* SSH2 RSA key */ ".ssh/id_dsa", /* SSH2 DSA key */ + ".ssh/id_ecdsa", /* SSH2 ECDSA key */ NULL };
CVS commit: src/lib/libpam/modules/pam_ssh
Module Name:src Committed By: drochner Date: Fri Dec 16 17:35:09 UTC 2011 Modified Files: src/lib/libpam/modules/pam_ssh: pam_ssh.c Log Message: disallow empty passphrases per default, and implement the "nullok" option to allow it if the administator wishes, from FreeBSD To generate a diff of this commit: cvs rdiff -u -r1.18 -r1.19 src/lib/libpam/modules/pam_ssh/pam_ssh.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libpam/modules/pam_ssh/pam_ssh.c diff -u src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.18 src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.19 --- src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.18 Fri Dec 16 17:30:12 2011 +++ src/lib/libpam/modules/pam_ssh/pam_ssh.c Fri Dec 16 17:35:09 2011 @@ -1,4 +1,4 @@ -/* $NetBSD: pam_ssh.c,v 1.18 2011/12/16 17:30:12 drochner Exp $ */ +/* $NetBSD: pam_ssh.c,v 1.19 2011/12/16 17:35:09 drochner Exp $ */ /*- * Copyright (c) 2003 Networks Associates Technology, Inc. @@ -38,7 +38,7 @@ #ifdef __FreeBSD__ __FBSDID("$FreeBSD: src/lib/libpam/modules/pam_ssh/pam_ssh.c,v 1.40 2004/02/10 10:13:21 des Exp $"); #else -__RCSID("$NetBSD: pam_ssh.c,v 1.18 2011/12/16 17:30:12 drochner Exp $"); +__RCSID("$NetBSD: pam_ssh.c,v 1.19 2011/12/16 17:35:09 drochner Exp $"); #endif #include @@ -97,7 +97,8 @@ static const char *const pam_ssh_agent_e * struct pam_ssh_key containing the key and its comment. */ static struct pam_ssh_key * -pam_ssh_load_key(const char *dir, const char *kfn, const char *passphrase) +pam_ssh_load_key(const char *dir, const char *kfn, const char *passphrase, +int nullok) { struct pam_ssh_key *psk; char fn[PATH_MAX]; 
@@ -107,7 +108,22 @@ pam_ssh_load_key(const char *dir, const if (snprintf(fn, sizeof(fn), "%s/%s", dir, kfn) > (int)sizeof(fn)) return (NULL); comment = NULL; - key = key_load_private(fn, passphrase, &comment); + /* + * If the key is unencrypted, OpenSSL ignores the passphrase, so + * it will seem like the user typed in the right one. This allows + * a user to circumvent nullok by providing a dummy passphrase. + * Verify that the key really *is* encrypted by trying to load it + * with an empty passphrase, and if the key is not encrypted, + * accept only an empty passphrase. + */ + key = key_load_private(fn, "", &comment); + if (key != NULL && !(*passphrase == '\0' && nullok)) { + key_free(key); + free(comment); + return (NULL); + } + if (key == NULL) + key = key_load_private(fn, passphrase, &comment); if (key == NULL) { openpam_log(PAM_LOG_DEBUG, "failed to load key from %s", fn); if (comment != NULL) @@ -149,9 +165,11 @@ pam_sm_authenticate(pam_handle_t *pamh, const void *item; struct passwd *pwd, pwres; struct pam_ssh_key *psk; - int nkeys, pam_err, pass; + int nkeys, nullok, pam_err, pass; char pwbuf[1024]; + nullok = (openpam_get_option(pamh, "nullok") != NULL); + /* PEM is not loaded by default */ OpenSSL_add_all_algorithms(); @@ -170,6 +188,7 @@ pam_sm_authenticate(pam_handle_t *pamh, if (pam_err != PAM_SUCCESS) return (pam_err); + nkeys = 0; pass = (pam_get_item(pamh, PAM_AUTHTOK, &item) == PAM_SUCCESS && item != NULL); load_keys: @@ -182,9 +201,8 @@ pam_sm_authenticate(pam_handle_t *pamh, } /* try to load keys from all keyfiles we know of */ - nkeys = 0; for (kfn = pam_ssh_keyfiles; *kfn != NULL; ++kfn) { - psk = pam_ssh_load_key(pwd->pw_dir, *kfn, passphrase); + psk = pam_ssh_load_key(pwd->pw_dir, *kfn, passphrase, nullok); if (psk != NULL) { pam_set_data(pamh, *kfn, psk, pam_ssh_free_key); ++nkeys;
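Review bot: In the `@@ -107,7 +108,22 @@` hunk, the new branch that rejects an unencrypted key returns NULL without logging anything, because the existing `failed to load key from %s` message sits below it and is never reached on this path. An administrator reading debug output therefore cannot tell a policy rejection from a wrong passphrase. I would add `openpam_log(PAM_LOG_DEBUG, "rejecting unencrypted key %s", fn);` just before `key_free(key);`. The commit lists only pam_ssh.c as modified, so the new `nullok` option appears to be left out of the manual page by this change. pam_ssh_load_key starts and ends outside the hunk.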
CVS commit: src/lib/libpam/modules/pam_ssh
Module Name:src Committed By: drochner Date: Fri Dec 16 17:30:12 UTC 2011 Modified Files: src/lib/libpam/modules/pam_ssh: pam_ssh.c Log Message: -remove remainders of the misguided changes in revs 1.5-1.9 -iron out more unnecessary differences to FreeBSD To generate a diff of this commit: cvs rdiff -u -r1.17 -r1.18 src/lib/libpam/modules/pam_ssh/pam_ssh.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libpam/modules/pam_ssh/pam_ssh.c diff -u src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.17 src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.18 --- src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.17 Fri May 6 17:22:09 2011 +++ src/lib/libpam/modules/pam_ssh/pam_ssh.c Fri Dec 16 17:30:12 2011 @@ -1,4 +1,4 @@ -/* $NetBSD: pam_ssh.c,v 1.17 2011/05/06 17:22:09 drochner Exp $ */ +/* $NetBSD: pam_ssh.c,v 1.18 2011/12/16 17:30:12 drochner Exp $ */ /*- * Copyright (c) 2003 Networks Associates Technology, Inc. @@ -38,7 +38,7 @@ #ifdef __FreeBSD__ __FBSDID("$FreeBSD: src/lib/libpam/modules/pam_ssh/pam_ssh.c,v 1.40 2004/02/10 10:13:21 des Exp $"); #else -__RCSID("$NetBSD: pam_ssh.c,v 1.17 2011/05/06 17:22:09 drochner Exp $"); +__RCSID("$NetBSD: pam_ssh.c,v 1.18 2011/12/16 17:30:12 drochner Exp $"); #endif #include @@ -67,6 +67,9 @@ __RCSID("$NetBSD: pam_ssh.c,v 1.17 2011/ #include "authfd.h" #include "authfile.h" +#define ssh_add_identity(auth, key, comment) \ + ssh_add_identity_constrained(auth, key, comment, 0, 0) + extern char **environ; struct pam_ssh_key { 
@@ -85,8 +88,8 @@ static const char *pam_ssh_keyfiles[] = }; static const char *pam_ssh_agent = "/usr/bin/ssh-agent"; -static const char *pam_ssh_agent_argv[] = { "ssh_agent", "-s", NULL }; -static const char *pam_ssh_agent_envp[] = { NULL }; +static const char *const pam_ssh_agent_argv[] = { "ssh_agent", "-s", NULL }; +static const char *const pam_ssh_agent_envp[] = { NULL }; /* * Attempts to load a private key from the specified file in the specified @@ -94,15 +97,14 @@ static const char *pam_ssh_agent_envp[] * struct pam_ssh_key containing the key and its comment. */ static struct pam_ssh_key * -pam_ssh_load_key(struct passwd *pwd, const char *kfn, const char *passphrase) +pam_ssh_load_key(const char *dir, const char *kfn, const char *passphrase) { struct pam_ssh_key *psk; char fn[PATH_MAX]; char *comment; Key *key; - if (snprintf(fn, sizeof(fn), "%s/%s", pwd->pw_dir, kfn) > - (int)sizeof(fn)) + if (snprintf(fn, sizeof(fn), "%s/%s", dir, kfn) > (int)sizeof(fn)) return (NULL); comment = NULL; key = key_load_private(fn, passphrase, &comment); @@ -144,6 +146,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int argc __unused, const char *argv[] __unused) { const char **kfn, *passphrase, *user; + const void *item; struct passwd *pwd, pwres; struct pam_ssh_key *psk; int nkeys, pam_err, pass; @@ -167,22 +170,8 @@ pam_sm_authenticate(pam_handle_t *pamh, if (pam_err != PAM_SUCCESS) return (pam_err); -#ifdef notyet - for (kfn = pam_ssh_keyfiles; *kfn != NULL; ++kfn) { - char path[MAXPATHLEN]; - (void)snprintf(path, sizeof(path), "%s/%s", pwd->pw_dir, *kfn); - if (access(path, R_OK) == 0) - break; - } - - if (*kfn == NULL) { - openpam_restore_cred(pamh); - return (PAM_AUTH_ERR); - } -#endif - - pass = (pam_get_item(pamh, PAM_AUTHTOK, - (const void **)__UNCONST(&passphrase)) == PAM_SUCCESS); + pass = (pam_get_item(pamh, PAM_AUTHTOK, &item) == PAM_SUCCESS && + item != NULL); load_keys: /* get passphrase */ pam_err = pam_get_authtok(pamh, PAM_AUTHTOK, 
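Review bot: The truncation test on the rewritten snprintf line in the `@@ -94,15 +97,14 @@` hunk is off by one. snprintf returns the length the full string would have had, so a result equal to `sizeof(fn)` is already truncated yet passes `> (int)sizeof(fn)`, and a negative error return passes too. In an authentication module that means a key path one byte shorter than intended would be tried instead of the load failing. Suggested form: `len = snprintf(fn, sizeof(fn), "%s/%s", dir, kfn);` followed by `if (len < 0 || (size_t)len >= sizeof(fn)) return (NULL);`, with `int len;` added to the declarations. pam_ssh_load_key continues outside the hunk, and the same comparison is carried as context in the revision 1.19 hunk earlier on the page.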
@@ -195,7 +184,7 @@ pam_sm_authenticate(pam_handle_t *pamh, /* try to load keys from all keyfiles we know of */ nkeys = 0; for (kfn = pam_ssh_keyfiles; *kfn != NULL; ++kfn) { - psk = pam_ssh_load_key(pwd, *kfn, passphrase); + psk = pam_ssh_load_key(pwd->pw_dir, *kfn, passphrase); if (psk != NULL) { pam_set_data(pamh, *kfn, psk, pam_ssh_free_key); ++nkeys; @@ -376,7 +365,7 @@ pam_ssh_add_keys_to_agent(pam_handle_t * pam_err = pam_get_data(pamh, *kfn, &vp); psk = vp; if (pam_err == PAM_SUCCESS && psk != NULL) { - if (ssh_add_identity_constrained(ac, psk->key, psk->comment, 0, 0)) + if (ssh_add_identity(ac, psk->key, psk->comment)) openpam_log(PAM_LOG_DEBUG, "added %s to ssh agent", psk->comment); else
CVS commit: src/lib/libpam/modules/pam_login_access
Module Name:src Committed By: cheusov Date: Fri Aug 19 11:56:02 UTC 2011 Modified Files: src/lib/libpam/modules/pam_login_access: pam_login_access.8 Log Message: Minor grammar fix To generate a diff of this commit: cvs rdiff -u -r1.3 -r1.4 \ src/lib/libpam/modules/pam_login_access/pam_login_access.8 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libpam/modules/pam_login_access/pam_login_access.8 diff -u src/lib/libpam/modules/pam_login_access/pam_login_access.8:1.3 src/lib/libpam/modules/pam_login_access/pam_login_access.8:1.4 --- src/lib/libpam/modules/pam_login_access/pam_login_access.8:1.3 Sat Feb 26 15:06:51 2005 +++ src/lib/libpam/modules/pam_login_access/pam_login_access.8 Fri Aug 19 11:56:01 2011 @@ -1,4 +1,4 @@ -.\" $NetBSD: pam_login_access.8,v 1.3 2005/02/26 15:06:51 thorpej Exp $ +.\" $NetBSD: pam_login_access.8,v 1.4 2011/08/19 11:56:01 cheusov Exp $ .\" Copyright (c) 2001 Mark R V Murray .\" All rights reserved. .\" Copyright (c) 2001 Networks Associates Technology, Inc. @@ -61,7 +61,7 @@ .Pa login.access account management component .Pq Fn pam_sm_acct_mgmt , -returns success if and only the user is allowed to log in on the +returns success if and only if the user is allowed to log in on the specified tty (in the case of a local login) or from the specified remote host (in the case of a remote login), according to the restrictions listed in
CVS commit: src/lib/libpam/modules/pam_ssh
Module Name:src Committed By: drochner Date: Fri May 6 17:22:09 UTC 2011 Modified Files: src/lib/libpam/modules/pam_ssh: pam_ssh.c Log Message: remove excess newlines in debug output To generate a diff of this commit: cvs rdiff -u -r1.16 -r1.17 src/lib/libpam/modules/pam_ssh/pam_ssh.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libpam/modules/pam_ssh/pam_ssh.c diff -u src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.16 src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.17 --- src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.16 Sun Nov 21 20:41:36 2010 +++ src/lib/libpam/modules/pam_ssh/pam_ssh.c Fri May 6 17:22:09 2011 @@ -1,4 +1,4 @@ -/* $NetBSD: pam_ssh.c,v 1.16 2010/11/21 20:41:36 adam Exp $ */ +/* $NetBSD: pam_ssh.c,v 1.17 2011/05/06 17:22:09 drochner Exp $ */ /*- * Copyright (c) 2003 Networks Associates Technology, Inc. @@ -38,7 +38,7 @@ #ifdef __FreeBSD__ __FBSDID("$FreeBSD: src/lib/libpam/modules/pam_ssh/pam_ssh.c,v 1.40 2004/02/10 10:13:21 des Exp $"); #else -__RCSID("$NetBSD: pam_ssh.c,v 1.16 2010/11/21 20:41:36 adam Exp $"); +__RCSID("$NetBSD: pam_ssh.c,v 1.17 2011/05/06 17:22:09 drochner Exp $"); #endif #include @@ -107,13 +107,13 @@ comment = NULL; key = key_load_private(fn, passphrase, &comment); if (key == NULL) { - openpam_log(PAM_LOG_DEBUG, "failed to load key from %s\n", fn); + openpam_log(PAM_LOG_DEBUG, "failed to load key from %s", fn); if (comment != NULL) free(comment); return (NULL); } - openpam_log(PAM_LOG_DEBUG, "loaded '%s' from %s\n", comment, fn); + openpam_log(PAM_LOG_DEBUG, "loaded '%s' from %s", comment, fn); if ((psk = malloc(sizeof(*psk))) == NULL) { key_free(key); free(comment);
CVS commit: src/lib/libpam/modules/pam_krb5
Module Name:src Committed By: christos Date: Mon Apr 25 22:22:25 UTC 2011 Modified Files: src/lib/libpam/modules/pam_krb5: pam_krb5.c Log Message: - make log_krb5 varyadic - centralize error handling to one function - check for NULL context To generate a diff of this commit: cvs rdiff -u -r1.24 -r1.25 src/lib/libpam/modules/pam_krb5/pam_krb5.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libpam/modules/pam_krb5/pam_krb5.c diff -u src/lib/libpam/modules/pam_krb5/pam_krb5.c:1.24 src/lib/libpam/modules/pam_krb5/pam_krb5.c:1.25 --- src/lib/libpam/modules/pam_krb5/pam_krb5.c:1.24 Sun Apr 24 14:48:04 2011 +++ src/lib/libpam/modules/pam_krb5/pam_krb5.c Mon Apr 25 18:22:25 2011 @@ -1,4 +1,4 @@ -/* $NetBSD: pam_krb5.c,v 1.24 2011/04/24 18:48:04 elric Exp $ */ +/* $NetBSD: pam_krb5.c,v 1.25 2011/04/25 22:22:25 christos Exp $ */ /*- * This pam_krb5 module contains code that is: @@ -53,7 +53,7 @@ #ifdef __FreeBSD__ __FBSDID("$FreeBSD: src/lib/libpam/modules/pam_krb5/pam_krb5.c,v 1.22 2005/01/24 16:49:50 rwatson Exp $"); #else -__RCSID("$NetBSD: pam_krb5.c,v 1.24 2011/04/24 18:48:04 elric Exp $"); +__RCSID("$NetBSD: pam_krb5.c,v 1.25 2011/04/25 22:22:25 christos Exp $"); #endif #include @@ -83,7 +83,8 @@ #define COMPAT_HEIMDAL /* #define COMPAT_MIT */ -static void log_krb5(krb5_context, const char *, krb5_error_code); +static void log_krb5(krb5_context, krb5_error_code, struct syslog_data *, +const char *, ...) __printflike(4, 5); static int verify_krb_v5_tgt(krb5_context, krb5_ccache, char *, int); static void cleanup_cache(pam_handle_t *, void *, int); static const char *compat_princ_component(krb5_context, krb5_principal, int); 
@@ -201,7 +202,7 @@ krbret = krb5_parse_name(pam_context, principal, &princ); free(principal); if (krbret != 0) { - log_krb5(pam_context, "Error krb5_parse_name(): %s", krbret); + log_krb5(pam_context, krbret, NULL, "krb5_parse_name"); PAM_VERBOSE_ERROR("Kerberos 5 error"); retval = PAM_SERVICE_ERR; goto cleanup3; @@ -212,7 +213,7 @@ /* Now convert the principal name into something human readable */ krbret = krb5_unparse_name(pam_context, princ, &princ_name); if (krbret != 0) { - log_krb5(pam_context, "Error krb5_unparse_name(): %s", krbret); + log_krb5(pam_context, krbret, NULL, "krb5_unparse_name"); PAM_VERBOSE_ERROR("Kerberos 5 error"); retval = PAM_SERVICE_ERR; goto cleanup2; @@ -236,8 +237,8 @@ sizeof(luser), luser); if (krbret != 0) { PAM_VERBOSE_ERROR("Kerberos 5 error"); - log_krb5(pam_context, - "Error krb5_aname_to_localname(): %s", krbret); + log_krb5(pam_context, krbret, NULL, + "krb5_aname_to_localname"); retval = PAM_USER_UNKNOWN; goto cleanup2; } @@ -263,8 +264,8 @@ pass, NULL, pamh, 0, NULL, opts); if (krbret != 0) { PAM_VERBOSE_ERROR("Kerberos 5 error"); - log_krb5(pam_context, - "Error krb5_get_init_creds_password(): %s", krbret); + log_krb5(pam_context, krbret, NULL, + "krb5_get_init_creds_password"); retval = PAM_AUTH_ERR; goto cleanup2; } 
@@ -275,21 +276,21 @@ krbret = krb5_cc_new_unique(pam_context, "MEMORY", NULL, &ccache); if (krbret != 0) { PAM_VERBOSE_ERROR("Kerberos 5 error"); - log_krb5(pam_context, "Error krb5_cc_gen_new(): %s", krbret); + log_krb5(pam_context, krbret, NULL, "krb5_cc_gen_new"); retval = PAM_SERVICE_ERR; goto cleanup; } krbret = krb5_cc_initialize(pam_context, ccache, princ); if (krbret != 0) { PAM_VERBOSE_ERROR("Kerberos 5 error"); - log_krb5(pam_context, "Error krb5_cc_initialize(): %s", krbret); + log_krb5(pam_context, krbret, NULL, "krb5_cc_initialize"); retval = PAM_SERVICE_ERR; goto cleanup; } krbret = krb5_cc_store_cred(pam_context, ccache, &creds); if (krbret != 0) { PAM_VERBOSE_ERROR("Kerberos 5 error"); - log_krb5(pam_context, "Error krb5_cc_store_cred(): %s", krbret); + log_krb5(pam_context, krbret, NULL, "krb5_cc_store_cred"); krb5_cc_destroy(pam_context, ccache); retval = PAM_SERVICE_ERR; goto cleanup; @@ -382,7 +383,6 @@ const void *cache_data; char *cache_name_buf = NULL, *p, *cache_name_buf2 = NULL; char pwbuf[1024]; - const char *errtxt; uid_t euid; gid_t egid; @@ -427,15 +427,8 @@ } krbret = krb5_cc_resolve(pam_context, cache_data, &ccache_temp); if (krbret != 0) { - errtxt = krb5_get_error_message(pam_context, krbret); - if (errtxt != NULL) { - PAM_LOG("Error krb5_cc_resolve(\"%s\"): %s", - (const char *)cache_data, errtxt); - krb5_free_error_message(pam_context, errtxt); - } else { - PAM_LOG("Error krb5_cc_resolve(\"%s\"): %d", - (const char *)cache_data, krbret); - } + log_krb5(pam_context, krbret, NULL, "krb5_cc_resolve(\"%s\")", + (const char *)cache_data); retval = PAM_SERVICE_ERR; goto cleanup3; } @@ -514,21 +507,20 @@ /* Initialize the new ccache */ krbret = krb
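Review bot: The first log_krb5 call in the `@@ -275,21 +276,21 @@` hunk still names `krb5_cc_gen_new`, but the call it reports on is `krb5_cc_new_unique(pam_context, "MEMORY", NULL, &ccache)`. A failure is therefore logged under a function that no longer appears in the code, which sends whoever reads the log to the wrong place. Since this commit rewrites every message string anyway, the line should read `log_krb5(pam_context, krbret, NULL, "krb5_cc_new_unique");`. The enclosing function starts and ends outside the hunk.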
CVS commit: src/lib/libpam/modules/pam_ksu
Module Name:src Committed By: christos Date: Mon Apr 25 22:03:20 UTC 2011 Modified Files: src/lib/libpam/modules/pam_ksu: pam_ksu.c Log Message: fix pasto (of no consequence) To generate a diff of this commit: cvs rdiff -u -r1.5 -r1.6 src/lib/libpam/modules/pam_ksu/pam_ksu.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libpam/modules/pam_ksu/pam_ksu.c diff -u src/lib/libpam/modules/pam_ksu/pam_ksu.c:1.5 src/lib/libpam/modules/pam_ksu/pam_ksu.c:1.6 --- src/lib/libpam/modules/pam_ksu/pam_ksu.c:1.5 Mon Apr 25 18:01:04 2011 +++ src/lib/libpam/modules/pam_ksu/pam_ksu.c Mon Apr 25 18:03:20 2011 @@ -1,4 +1,4 @@ -/* $NetBSD: pam_ksu.c,v 1.5 2011/04/25 22:01:04 christos Exp $ */ +/* $NetBSD: pam_ksu.c,v 1.6 2011/04/25 22:03:20 christos Exp $ */ /*- * Copyright (c) 2002 Jacques A. Vidrine @@ -29,7 +29,7 @@ #ifdef __FreeBSD__ __FBSDID("$FreeBSD: src/lib/libpam/modules/pam_ksu/pam_ksu.c,v 1.5 2004/02/10 10:13:21 des Exp $"); #else -__RCSID("$NetBSD: pam_ksu.c,v 1.5 2011/04/25 22:01:04 christos Exp $"); +__RCSID("$NetBSD: pam_ksu.c,v 1.6 2011/04/25 22:03:20 christos Exp $"); #endif #include @@ -180,7 +180,7 @@ krb5_free_error_message(ctx, errtxt); snprintf(b2, sizeof(b2), "%s (%s)", b1, errtxt); } else { - snprintf(b2, sizeof(b1), "%s (unknown %d)", b1, (int)err); + snprintf(b2, sizeof(b2), "%s (unknown %d)", b1, (int)err); } PAM_LOG(b2); }
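Review bot: The success branch shown as context in the `@@ -180,7 +180,7 @@` hunk calls `krb5_free_error_message(ctx, errtxt);` and only then formats `errtxt` into `b2`, so the snprintf reads a string that has already been released. This commit corrects the `sizeof(b1)` typo in the else branch but leaves that ordering in place. The two statements should be swapped: `snprintf(b2, sizeof(b2), "%s (%s)", b1, errtxt);` first, then `krb5_free_error_message(ctx, errtxt);`. The same order is introduced by the log_krb5 rewrite in revision 1.5 further down the page. log_krb5 starts outside the hunk.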
CVS commit: src/lib/libpam/modules/pam_ksu
Module Name:src Committed By: christos Date: Mon Apr 25 22:01:04 UTC 2011 Modified Files: src/lib/libpam/modules/pam_ksu: pam_ksu.c Log Message: - make log_krb5 varyadic and merge the last error message. - check for NULL context. - print a more meaningful error when things go south To generate a diff of this commit: cvs rdiff -u -r1.4 -r1.5 src/lib/libpam/modules/pam_ksu/pam_ksu.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libpam/modules/pam_ksu/pam_ksu.c diff -u src/lib/libpam/modules/pam_ksu/pam_ksu.c:1.4 src/lib/libpam/modules/pam_ksu/pam_ksu.c:1.5 --- src/lib/libpam/modules/pam_ksu/pam_ksu.c:1.4 Sun Apr 24 14:53:55 2011 +++ src/lib/libpam/modules/pam_ksu/pam_ksu.c Mon Apr 25 18:01:04 2011 @@ -1,4 +1,4 @@ -/* $NetBSD: pam_ksu.c,v 1.4 2011/04/24 18:53:55 elric Exp $ */ +/* $NetBSD: pam_ksu.c,v 1.5 2011/04/25 22:01:04 christos Exp $ */ /*- * Copyright (c) 2002 Jacques A. Vidrine @@ -29,7 +29,7 @@ #ifdef __FreeBSD__ __FBSDID("$FreeBSD: src/lib/libpam/modules/pam_ksu/pam_ksu.c,v 1.5 2004/02/10 10:13:21 des Exp $"); #else -__RCSID("$NetBSD: pam_ksu.c,v 1.4 2011/04/24 18:53:55 elric Exp $"); +__RCSID("$NetBSD: pam_ksu.c,v 1.5 2011/04/25 22:01:04 christos Exp $"); #endif #include @@ -51,7 +51,8 @@ #define PASSWORD_PROMPT "%s's password:" -static void log_krb5(krb5_context, const char *, krb5_error_code); +static void log_krb5(krb5_context, krb5_error_code, const char *, ...) +__printflike(3, 4); static long get_su_principal(krb5_context, const char *, const char *, char **, krb5_principal *); static int auth_krb5(pam_handle_t *, krb5_context, const char *, 
@@ -79,7 +80,7 @@ PAM_LOG("Got ruser: %s", (const char *)ruser); rv = krb5_init_context(&context); if (rv != 0) { - log_krb5(context, "krb5_init_context failed: %s", rv); + log_krb5(context, rv, "krb5_init_context failed"); return (PAM_SERVICE_ERR); } rv = get_su_principal(context, user, ruser, &su_principal_name, &su_principal); @@ -129,7 +130,7 @@ rv = krb5_get_init_creds_opt_alloc(context, &gic_opt); if (rv != 0) { - log_krb5(context, "krb5_get_init_creds_opt_alloc: %s", rv); + log_krb5(context, rv, "krb5_get_init_creds_opt_alloc"); return (PAM_SERVICE_ERR); } krb5_verify_init_creds_opt_init(&vic_opt); @@ -147,7 +148,7 @@ rv = krb5_get_init_creds_password(context, &creds, su_principal, pass, NULL, NULL, 0, NULL, gic_opt); if (rv != 0) { - log_krb5(context, "krb5_get_init_creds_password: %s", rv); + log_krb5(context, rv, "krb5_get_init_creds_password"); return (PAM_AUTH_ERR); } krb5_verify_init_creds_opt_set_ap_req_nofail(&vic_opt, 1); @@ -155,24 +156,33 @@ &vic_opt); krb5_free_cred_contents(context, &creds); if (rv != 0) { - log_krb5(context, "krb5_verify_init_creds: %s", rv); + log_krb5(context, rv, "krb5_verify_init_creds"); return (PAM_AUTH_ERR); } return (PAM_SUCCESS); } static void -log_krb5(krb5_context ctx, const char *fmt, krb5_error_code err) +log_krb5(krb5_context ctx, krb5_error_code err, const char *fmt, ...) { - const char *errtxt; + char b1[1024], b2[1024]; + const char *errtxt; + va_list ap; -errtxt = krb5_get_error_message(ctx, err); + va_start(ap, fmt); + vsnprintf(b1, sizeof(b1), fmt, ap); + va_end(ap); + if (ctx) + errtxt = krb5_get_error_message(ctx, err); + else + errtxt = NULL; if (errtxt != NULL) { - PAM_LOG(fmt, errtxt); krb5_free_error_message(ctx, errtxt); + snprintf(b2, sizeof(b2), "%s (%s)", b1, errtxt); } else { - PAM_LOG(fmt, "unknown"); + snprintf(b2, sizeof(b1), "%s (unknown %d)", b1, (int)err); } + PAM_LOG(b2); } /* Determine the target principal given the current user and the target user. 
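Review bot: In the `@@ -79,7 +80,7 @@` hunk, log_krb5 is called with `context` right after krb5_init_context reported failure, and the `if (ctx)` guard added to log_krb5 only protects this call if `context` is NULL at that point. Its declaration is outside the hunk, so whether it is initialised cannot be confirmed from here. If it is not, either declare it as `krb5_context context = NULL;` or pass NULL explicitly on this path: `log_krb5(NULL, rv, "krb5_init_context failed");`. The enclosing function starts and ends outside the hunk.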
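Review bot: The rewritten log_krb5 in the `@@ -155,24 +156,33 @@` hunk ends with `PAM_LOG(b2);`, which hands an already-formatted buffer to a macro that every other call on this page uses with a printf-style format. `b2` contains caller-supplied arguments (the later `@@ -266,16 +275,8 @@` hunk passes `*su_principal_name`) and the Kerberos error text. Assuming PAM_LOG forwards its first argument as a format string, any `%` in that data would be interpreted as a conversion. The call should be `PAM_LOG("%s", b2);`.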
@@ -199,7 +209,6 @@ char *principal_name, *ccname, *p; long rv; uid_t euid, ruid; - const char *errtxt; *su_principal = NULL; default_principal = NULL; @@ -244,7 +253,7 @@ rv = krb5_unparse_name(context, default_principal, &principal_name); krb5_free_principal(context, default_principal); if (rv != 0) { - log_krb5(context, "krb5_unparse_name: %s", rv); + log_krb5(context, rv, "krb5_unparse_name"); return (rv); } PAM_LOG("Default principal name: %s", principal_name); @@ -266,16 +275,8 @@ return (errno); rv = krb5_parse_name(context, *su_principal_name, &default_principal); if (rv != 0) { - errtxt = krb5_get_error_message(context, rv); - if (errtxt != NULL) { - PAM_LOG("krb5_parse_name `%s': %s", *su_principal_name, - errtxt); - krb5_free_error_message(context, errtxt); - } else { - PAM_LOG("krb5_parse_name `%s': %ld", *su_principal_name, - rv); - } - free(*su_principal_name); + log_krb5(context, rv, "krb5_parse_name `%s'", + *su_principal_name); return (rv); } PAM_LOG("Target principal name: %s", *su_principal_name);
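Review bot: The `@@ -266,16 +275,8 @@` hunk removes `free(*su_principal_name);` from the krb5_parse_name failure path together with the old logging code, and the log message does not mention this. Unless the caller releases `*su_principal_name` when this function fails (not visible here), the buffer is now leaked on that path. Keep `free(*su_principal_name);` directly after the new log_krb5 call and before `return (rv);`; it has to come after the log call because the message still reads the name. The enclosing function starts and ends outside the hunk.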
CVS commit: src/lib/libpam/modules/pam_ksu
Module Name:src Committed By: elric Date: Sun Apr 24 18:53:55 UTC 2011 Modified Files: src/lib/libpam/modules/pam_ksu: pam_ksu.c Log Message: Stop using functions that are marked as deprecated in Heimdal. To generate a diff of this commit: cvs rdiff -u -r1.3 -r1.4 src/lib/libpam/modules/pam_ksu/pam_ksu.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libpam/modules/pam_ksu/pam_ksu.c diff -u src/lib/libpam/modules/pam_ksu/pam_ksu.c:1.3 src/lib/libpam/modules/pam_ksu/pam_ksu.c:1.4 --- src/lib/libpam/modules/pam_ksu/pam_ksu.c:1.3 Sun Mar 8 19:38:03 2009 +++ src/lib/libpam/modules/pam_ksu/pam_ksu.c Sun Apr 24 18:53:55 2011 @@ -1,4 +1,4 @@ -/* $NetBSD: pam_ksu.c,v 1.3 2009/03/08 19:38:03 christos Exp $ */ +/* $NetBSD: pam_ksu.c,v 1.4 2011/04/24 18:53:55 elric Exp $ */ /*- * Copyright (c) 2002 Jacques A. Vidrine @@ -29,7 +29,7 @@ #ifdef __FreeBSD__ __FBSDID("$FreeBSD: src/lib/libpam/modules/pam_ksu/pam_ksu.c,v 1.5 2004/02/10 10:13:21 des Exp $"); #else -__RCSID("$NetBSD: pam_ksu.c,v 1.3 2009/03/08 19:38:03 christos Exp $"); +__RCSID("$NetBSD: pam_ksu.c,v 1.4 2011/04/24 18:53:55 elric Exp $"); #endif #include @@ -51,6 +51,7 @@ #define PASSWORD_PROMPT "%s's password:" +static void log_krb5(krb5_context, const char *, krb5_error_code); static long get_su_principal(krb5_context, const char *, const char *, char **, krb5_principal *); static int auth_krb5(pam_handle_t *, krb5_context, const char *, @@ -78,8 +79,7 @@ PAM_LOG("Got ruser: %s", (const char *)ruser); rv = krb5_init_context(&context); if (rv != 0) { - PAM_LOG("krb5_init_context failed: %s", - krb5_get_err_text(context, rv)); + log_krb5(context, "krb5_init_context failed: %s", rv); return (PAM_SERVICE_ERR); } rv = get_su_principal(context, user, ruser, &su_principal_name, &su_principal); 
@@ -120,14 +120,18 @@ krb5_principal su_principal) { krb5_creds creds; - krb5_get_init_creds_opt gic_opt; + krb5_get_init_creds_opt *gic_opt; krb5_verify_init_creds_opt vic_opt; const char *pass; char prompt[80]; long rv; int pamret; - krb5_get_init_creds_opt_init(&gic_opt); + rv = krb5_get_init_creds_opt_alloc(context, &gic_opt); + if (rv != 0) { + log_krb5(context, "krb5_get_init_creds_opt_alloc: %s", rv); + return (PAM_SERVICE_ERR); + } krb5_verify_init_creds_opt_init(&vic_opt); if (su_principal_name != NULL) (void)snprintf(prompt, sizeof(prompt), PASSWORD_PROMPT, @@ -141,10 +145,9 @@ if (pamret != PAM_SUCCESS) return (pamret); rv = krb5_get_init_creds_password(context, &creds, su_principal, - pass, NULL, NULL, 0, NULL, &gic_opt); + pass, NULL, NULL, 0, NULL, gic_opt); if (rv != 0) { - PAM_LOG("krb5_get_init_creds_password: %s", - krb5_get_err_text(context, rv)); + log_krb5(context, "krb5_get_init_creds_password: %s", rv); return (PAM_AUTH_ERR); } krb5_verify_init_creds_opt_set_ap_req_nofail(&vic_opt, 1); @@ -152,13 +155,26 @@ &vic_opt); krb5_free_cred_contents(context, &creds); if (rv != 0) { - PAM_LOG("krb5_verify_init_creds: %s", - krb5_get_err_text(context, rv)); + log_krb5(context, "krb5_verify_init_creds: %s", rv); return (PAM_AUTH_ERR); } return (PAM_SUCCESS); } +static void +log_krb5(krb5_context ctx, const char *fmt, krb5_error_code err) +{ + const char *errtxt; + +errtxt = krb5_get_error_message(ctx, err); + if (errtxt != NULL) { + PAM_LOG(fmt, errtxt); + krb5_free_error_message(ctx, errtxt); + } else { + PAM_LOG(fmt, "unknown"); + } +} + /* Determine the target principal given the current user and the target user. * context -- An initialized krb5_context. * target_user -- The target username. @@ -183,6 +199,7 @@ char *principal_name, *ccname, *p; long rv; uid_t euid, ruid; + const char *errtxt; *su_principal = NULL; default_principal = NULL; 
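Review bot: `gic_opt` is now heap-allocated by `krb5_get_init_creds_opt_alloc(context, &gic_opt)` in the `@@ -120,14 +120,18 @@` hunk, but none of the return paths visible in this and the next two hunks releases it (`return (pamret);`, both `return (PAM_AUTH_ERR);`, `return (PAM_SUCCESS);`). The old stack object needed no cleanup, but the pointer version does. Call `krb5_get_init_creds_opt_free(context, gic_opt);` before the `pamret` return and once right after the krb5_get_init_creds_password call, which is the last use of the options. A few lines between the hunks are not shown, so confirm that no free already exists there. The enclosing function starts outside the hunk.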
@@ -227,8 +244,7 @@ rv = krb5_unparse_name(context, default_principal, &principal_name); krb5_free_principal(context, default_principal); if (rv != 0) { - PAM_LOG("krb5_unparse_name: %s", - krb5_get_err_text(context, rv)); + log_krb5(context, "krb5_unparse_name: %s", rv); return (rv); } PAM_LOG("Default principal name: %s", principal_name); @@ -250,8 +266,15 @@ return (errno); rv = krb5_parse_name(context, *su_principal_name, &default_principal); if (rv != 0) { - PAM_LOG("krb5_parse_name `%s': %s", *su_principal_name, - krb5_get_err_text(context, rv)); + errtxt = krb5_get_error_message(context, rv); + if (errtxt != NULL) { + PAM_LOG("krb5_parse_name `%s': %s", *su_principal_name, + errtxt); + krb5_free_error_message(context, errtxt); + } else { + PAM_LOG("krb5_parse_name `%s': %ld", *su_principal_name, + rv); + } free(*su_principal_name); return (rv); }
CVS commit: src/lib/libpam/modules/pam_krb5
Module Name:src Committed By: elric Date: Sun Apr 24 18:48:05 UTC 2011 Modified Files: src/lib/libpam/modules/pam_krb5: pam_krb5.c Log Message: Remove use of functions marked as deprecated in Heimdal. To generate a diff of this commit: cvs rdiff -u -r1.23 -r1.24 src/lib/libpam/modules/pam_krb5/pam_krb5.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libpam/modules/pam_krb5/pam_krb5.c diff -u src/lib/libpam/modules/pam_krb5/pam_krb5.c:1.23 src/lib/libpam/modules/pam_krb5/pam_krb5.c:1.24 --- src/lib/libpam/modules/pam_krb5/pam_krb5.c:1.23 Sat Apr 2 10:22:09 2011 +++ src/lib/libpam/modules/pam_krb5/pam_krb5.c Sun Apr 24 18:48:04 2011 @@ -1,4 +1,4 @@ -/* $NetBSD: pam_krb5.c,v 1.23 2011/04/02 10:22:09 mbalmer Exp $ */ +/* $NetBSD: pam_krb5.c,v 1.24 2011/04/24 18:48:04 elric Exp $ */ /*- * This pam_krb5 module contains code that is: @@ -53,7 +53,7 @@ #ifdef __FreeBSD__ __FBSDID("$FreeBSD: src/lib/libpam/modules/pam_krb5/pam_krb5.c,v 1.22 2005/01/24 16:49:50 rwatson Exp $"); #else -__RCSID("$NetBSD: pam_krb5.c,v 1.23 2011/04/02 10:22:09 mbalmer Exp $"); +__RCSID("$NetBSD: pam_krb5.c,v 1.24 2011/04/24 18:48:04 elric Exp $"); #endif #include @@ -83,6 +83,7 @@ #define COMPAT_HEIMDAL /* #define COMPAT_MIT */ +static void log_krb5(krb5_context, const char *, krb5_error_code); static int verify_krb_v5_tgt(krb5_context, krb5_ccache, char *, int); static void cleanup_cache(pam_handle_t *, void *, int); static const char *compat_princ_component(krb5_context, krb5_principal, int); @@ -111,7 +112,7 @@ krb5_creds creds; krb5_principal princ; krb5_ccache ccache; - krb5_get_init_creds_opt opts; + krb5_get_init_creds_opt *opts = NULL; struct passwd *pwd, pwres; int retval; const void *ccache_data; 
@@ -150,10 +151,14 @@ PAM_LOG("Context initialised"); - krb5_get_init_creds_opt_init(&opts); + krbret = krb5_get_init_creds_opt_alloc(pam_context, &opts); + if (krbret != 0) { + PAM_VERBOSE_ERROR("Kerberos 5 error"); + return (PAM_SERVICE_ERR); + } if (openpam_get_option(pamh, PAM_OPT_FORWARDABLE)) - krb5_get_init_creds_opt_set_forwardable(&opts, 1); + krb5_get_init_creds_opt_set_forwardable(opts, 1); if ((rtime = openpam_get_option(pamh, PAM_OPT_RENEWABLE)) != NULL) { krb5_deltat renew; @@ -169,7 +174,7 @@ else rtime = "1 month"; renew = parse_time(rtime, "s"); - krb5_get_init_creds_opt_set_renew_life(&opts, renew); + krb5_get_init_creds_opt_set_renew_life(opts, renew); } @@ -196,8 +201,7 @@ krbret = krb5_parse_name(pam_context, principal, &princ); free(principal); if (krbret != 0) { - PAM_LOG("Error krb5_parse_name(): %s", - krb5_get_err_text(pam_context, krbret)); + log_krb5(pam_context, "Error krb5_parse_name(): %s", krbret); PAM_VERBOSE_ERROR("Kerberos 5 error"); retval = PAM_SERVICE_ERR; goto cleanup3; @@ -208,8 +212,7 @@ /* Now convert the principal name into something human readable */ krbret = krb5_unparse_name(pam_context, princ, &princ_name); if (krbret != 0) { - PAM_LOG("Error krb5_unparse_name(): %s", - krb5_get_err_text(pam_context, krbret)); + log_krb5(pam_context, "Error krb5_unparse_name(): %s", krbret); PAM_VERBOSE_ERROR("Kerberos 5 error"); retval = PAM_SERVICE_ERR; goto cleanup2; @@ -233,8 +236,8 @@ sizeof(luser), luser); if (krbret != 0) { PAM_VERBOSE_ERROR("Kerberos 5 error"); - PAM_LOG("Error krb5_aname_to_localname(): %s", - krb5_get_err_text(pam_context, krbret)); + log_krb5(pam_context, + "Error krb5_aname_to_localname(): %s", krbret); retval = PAM_USER_UNKNOWN; goto cleanup2; } 
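Review bot: The new failure branch in the `@@ -150,10 +151,14 @@` hunk does `return (PAM_SERVICE_ERR);` directly, although it runs after `PAM_LOG("Context initialised")` and the later error paths in this function leave through `goto cleanup3`, `cleanup2` or `cleanup`. If one of those labels releases `pam_context` (they are outside the hunk), this return skips it, and it also logs nothing about `krbret`. I would log the failure with `log_krb5(pam_context, "Error krb5_get_init_creds_opt_alloc(): %s", krbret);`, set `retval = PAM_SERVICE_ERR;` and jump to whichever label frees the context. No `krb5_get_init_creds_opt_free(pam_context, opts);` appears in the visible hunks either, so check that the cleanup code releases `opts`. The enclosing function starts and ends outside the hunk.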
@@ -257,11 +260,11 @@ /* Get a TGT */ memset(&creds, 0, sizeof(krb5_creds)); krbret = krb5_get_init_creds_password(pam_context, &creds, princ, - pass, NULL, pamh, 0, NULL, &opts); + pass, NULL, pamh, 0, NULL, opts); if (krbret != 0) { PAM_VERBOSE_ERROR("Kerberos 5 error"); - PAM_LOG("Error krb5_get_init_creds_password(): %s", - krb5_get_err_text(pam_context, krbret)); + log_krb5(pam_context, + "Error krb5_get_init_creds_password(): %s", krbret); retval = PAM_AUTH_ERR; goto cleanup2; } @@ -269,27 +272,24 @@ PAM_LOG("Got TGT"); /* Generate a temporary cache */ - krbret = krb5_cc_gen_new(pam_context, &krb5_mcc_ops, &ccache); + krbret = krb5_cc_new_unique(pam_context, "MEMORY", NULL, &ccache); if (krbret != 0) { PAM_VERBOSE_ERROR("Kerberos 5 error"); - PAM_LOG("Error krb5_cc_gen_new(): %s", - krb5_get_err_text(pam_context, krbret)); + log_krb5(pam_context, "Error krb5_cc_gen_new(): %s", krbret); retval = PAM_SERVICE_ERR; goto cleanup; } krbret = krb5_cc_initialize(pam_context, ccache, princ); if (krbret != 0) { PAM_VERBOSE_ERROR("Kerberos 5 error"); - PAM_LOG("Error krb5_cc_initialize(): %s", - krb5_get_err_text(pam_context, krbret)); + log_krb5(pam_context, "Error krb5_cc_initializ
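Review bot: The message passed to `log_krb5()` after the new `krb5_cc_new_unique()` call in the `-269` hunk still reads `"Error krb5_cc_gen_new(): %s"`, so a failure is logged under the name of a function the code no longer calls. Anyone triaging failed logins from that log line is pointed at the wrong API; change it to `log_krb5(pam_context, "Error krb5_cc_new_unique(): %s", krbret);`. The hunk is cut off on this page in the middle of the next call, so the remaining messages and the cleanup path could not be checked.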
CVS commit: src/lib/libpam/modules/pam_krb5
Module Name:src Committed By: mbalmer Date: Sat Apr 2 10:22:09 UTC 2011 Modified Files: src/lib/libpam/modules/pam_krb5: pam_krb5.c Log Message: Fix misplaced parenthesis, from henning.peter...@t-online.de, thanks. To generate a diff of this commit: cvs rdiff -u -r1.22 -r1.23 src/lib/libpam/modules/pam_krb5/pam_krb5.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libpam/modules/pam_krb5/pam_krb5.c diff -u src/lib/libpam/modules/pam_krb5/pam_krb5.c:1.22 src/lib/libpam/modules/pam_krb5/pam_krb5.c:1.23 --- src/lib/libpam/modules/pam_krb5/pam_krb5.c:1.22 Sun Mar 8 19:38:03 2009 +++ src/lib/libpam/modules/pam_krb5/pam_krb5.c Sat Apr 2 10:22:09 2011 @@ -1,4 +1,4 @@ -/* $NetBSD: pam_krb5.c,v 1.22 2009/03/08 19:38:03 christos Exp $ */ +/* $NetBSD: pam_krb5.c,v 1.23 2011/04/02 10:22:09 mbalmer Exp $ */ /*- * This pam_krb5 module contains code that is: @@ -53,7 +53,7 @@ #ifdef __FreeBSD__ __FBSDID("$FreeBSD: src/lib/libpam/modules/pam_krb5/pam_krb5.c,v 1.22 2005/01/24 16:49:50 rwatson Exp $"); #else -__RCSID("$NetBSD: pam_krb5.c,v 1.22 2009/03/08 19:38:03 christos Exp $"); +__RCSID("$NetBSD: pam_krb5.c,v 1.23 2011/04/02 10:22:09 mbalmer Exp $"); #endif #include @@ -540,7 +540,7 @@ /* Copy the creds (should be two of them) */ while ((krbret = krb5_cc_next_cred(pam_context, ccache_temp, -&cursor, &creds) == 0)) { +&cursor, &creds)) == 0) { krbret = krb5_cc_store_cred(pam_context, ccache_perm, &creds); if (krbret != 0) {
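Review bot: `krbret` serves both as the iterator status in the `while` condition and as the result of `krb5_cc_store_cred()`, so when the loop ends normally it always holds a non-zero iterator status, and a read error part-way through the temporary cache looks the same as reaching its end. If nothing after the loop tells the two apart, a partial credential copy is treated as success; I would test the exit status after the loop, e.g. `if (krbret != KRB5_CC_END) { /* fail as for krb5_cc_store_cred() */ }`. The loop body and the code after it are outside the hunk, so this may already be handled there.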
CVS commit: src/lib/libpam/modules
Module Name:src Committed By: mlelstv Date: Tue Mar 8 09:49:43 UTC 2011 Modified Files: src/lib/libpam/modules: Makefile Log Message: Don't try to clean/build or install a library here, there are only subdirectories. Also, bsd.lib.mk requires a defined LIB, otherwise it will generate unwanted commands during clean. It even failed on netbsd-4 where 'rm -f' needs at least one parameter which is missing due to recent corrections in make/vars.c. To generate a diff of this commit: cvs rdiff -u -r1.11 -r1.12 src/lib/libpam/modules/Makefile Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libpam/modules/Makefile diff -u src/lib/libpam/modules/Makefile:1.11 src/lib/libpam/modules/Makefile:1.12 --- src/lib/libpam/modules/Makefile:1.11 Mon Oct 27 07:48:27 2008 +++ src/lib/libpam/modules/Makefile Tue Mar 8 09:49:42 2011 @@ -1,4 +1,4 @@ -# $NetBSD: Makefile,v 1.11 2008/10/27 07:48:27 mrg Exp $ +# $NetBSD: Makefile,v 1.12 2011/03/08 09:49:42 mlelstv Exp $ # Copyright 1998 Juniper Networks, Inc. # All rights reserved. # @@ -43,7 +43,4 @@ SUBDIR+= pam_ssh .endif -libinstall:: # disable install rule in - -.include .include
CVS commit: src/lib/libpam/modules/pam_exec
Module Name:src Committed By: christos Date: Thu Feb 3 02:06:00 UTC 2011 Modified Files: src/lib/libpam/modules/pam_exec: pam_exec.c Log Message: PR/44505: Mark Davies: pam_exec fails to realloc enough space, while there add a volatile variable (From FreeBSD) To generate a diff of this commit: cvs rdiff -u -r1.4 -r1.5 src/lib/libpam/modules/pam_exec/pam_exec.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libpam/modules/pam_exec/pam_exec.c diff -u src/lib/libpam/modules/pam_exec/pam_exec.c:1.4 src/lib/libpam/modules/pam_exec/pam_exec.c:1.5 --- src/lib/libpam/modules/pam_exec/pam_exec.c:1.4 Sat Feb 26 17:45:52 2005 +++ src/lib/libpam/modules/pam_exec/pam_exec.c Wed Feb 2 21:05:59 2011 @@ -1,4 +1,4 @@ -/* $NetBSD: pam_exec.c,v 1.4 2005/02/26 22:45:52 christos Exp $ */ +/* $NetBSD: pam_exec.c,v 1.5 2011/02/03 02:05:59 christos Exp $ */ /*- * Copyright (c) 2001,2003 Networks Associates Technology, Inc. @@ -38,7 +38,7 @@ #ifdef __FreeBSD__ __FBSDID("$FreeBSD: src/lib/libpam/modules/pam_exec/pam_exec.c,v 1.4 2005/02/01 10:37:07 des Exp $"); #else -__RCSID("$NetBSD: pam_exec.c,v 1.4 2005/02/26 22:45:52 christos Exp $"); +__RCSID("$NetBSD: pam_exec.c,v 1.5 2011/02/03 02:05:59 christos Exp $"); #endif #include @@ -70,8 +70,9 @@ _pam_exec(pam_handle_t *pamh __unused, int flags __unused, int argc, const char *argv[]) { - int childerr, envlen, i, nitems, pam_err, status; + int envlen, i, nitems, pam_err, status; char **envlist, **tmp; + volatile int childerr; pid_t pid; if (argc < 1) @@ -90,7 +91,7 @@ for (envlen = 0; envlist[envlen] != NULL; ++envlen) /* nothing */ ; nitems = sizeof(env_items) / sizeof(*env_items); - tmp = realloc(envlist, (envlen + nitems + 1) * sizeof **envlist); + tmp = realloc(envlist, (envlen + nitems + 1) * sizeof(*envlist)); if (tmp == NULL) { openpam_free_envlist(envlist); return (PAM_BUF_ERR);
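Review bot: The `volatile int childerr;` declaration in the `-70` hunk has no comment saying why it needs the qualifier, and the commit message only says it came from FreeBSD. If, as I assume, the variable is written by a child process that shares the parent's memory and is read back by the parent, say so at the declaration, e.g. `volatile int childerr; /* set by the child, read by the parent */`, so that a later cleanup does not drop the qualifier. The process creation and the reads of `childerr` are outside the hunks shown.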
CVS commit: src/lib/libpam/modules/pam_ssh
Module Name:src Committed By: adam Date: Sun Nov 21 20:41:36 UTC 2010 Modified Files: src/lib/libpam/modules/pam_ssh: pam_ssh.c Log Message: Use ssh_add_identity_constrained() instead of ssh_add_identity() To generate a diff of this commit: cvs rdiff -u -r1.15 -r1.16 src/lib/libpam/modules/pam_ssh/pam_ssh.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libpam/modules/pam_ssh/pam_ssh.c diff -u src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.15 src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.16 --- src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.15 Sun Jan 27 01:23:20 2008 +++ src/lib/libpam/modules/pam_ssh/pam_ssh.c Sun Nov 21 20:41:36 2010 @@ -1,4 +1,4 @@ -/* $NetBSD: pam_ssh.c,v 1.15 2008/01/27 01:23:20 christos Exp $ */ +/* $NetBSD: pam_ssh.c,v 1.16 2010/11/21 20:41:36 adam Exp $ */ /*- * Copyright (c) 2003 Networks Associates Technology, Inc. @@ -38,7 +38,7 @@ #ifdef __FreeBSD__ __FBSDID("$FreeBSD: src/lib/libpam/modules/pam_ssh/pam_ssh.c,v 1.40 2004/02/10 10:13:21 des Exp $"); #else -__RCSID("$NetBSD: pam_ssh.c,v 1.15 2008/01/27 01:23:20 christos Exp $"); +__RCSID("$NetBSD: pam_ssh.c,v 1.16 2010/11/21 20:41:36 adam Exp $"); #endif #include @@ -376,7 +376,7 @@ pam_err = pam_get_data(pamh, *kfn, &vp); psk = vp; if (pam_err == PAM_SUCCESS && psk != NULL) { - if (ssh_add_identity(ac, psk->key, psk->comment)) + if (ssh_add_identity_constrained(ac, psk->key, psk->comment, 0, 0)) openpam_log(PAM_LOG_DEBUG, "added %s to ssh agent", psk->comment); else
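Review bot: The two trailing `0` arguments in `ssh_add_identity_constrained(ac, psk->key, psk->comment, 0, 0)` are unexplained magic values. As I read the OpenSSH agent client interface they are the key lifetime and the confirm flag, so zero for both adds the key with no expiry and no per-use confirmation, the same as the call being replaced; confirm against the header in the imported OpenSSH tree. A comment such as `/* life 0, confirm 0: no lifetime limit, no confirmation */` would make that choice visible to whoever later decides whether keys loaded at login should be constrained.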
CVS commit: src/lib/libpam/modules/pam_echo
Module Name:src Committed By: joerg Date: Thu May 13 23:07:47 UTC 2010 Modified Files: src/lib/libpam/modules/pam_echo: pam_echo.8 Log Message: Mask %U To generate a diff of this commit: cvs rdiff -u -r1.2 -r1.3 src/lib/libpam/modules/pam_echo/pam_echo.8 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libpam/modules/pam_echo/pam_echo.8 diff -u src/lib/libpam/modules/pam_echo/pam_echo.8:1.2 src/lib/libpam/modules/pam_echo/pam_echo.8:1.3 --- src/lib/libpam/modules/pam_echo/pam_echo.8:1.2 Sun Dec 12 08:18:44 2004 +++ src/lib/libpam/modules/pam_echo/pam_echo.8 Thu May 13 23:07:46 2010 @@ -1,4 +1,4 @@ -.\" $NetBSD: pam_echo.8,v 1.2 2004/12/12 08:18:44 christos Exp $ +.\" $NetBSD: pam_echo.8,v 1.3 2010/05/13 23:07:46 joerg Exp $ .\" Copyright (c) 2001,2003 Networks Associates Technology, Inc. .\" All rights reserved. .\" @@ -66,7 +66,7 @@ .It Cm %t The name of the controlling tty .Pq Dv PAM_TTY . -.It Cm %U +.It Cm \&%U The applicant's user name .Pq Dv PAM_RUSER . .It Cm %u
CVS commit: src/lib/libpam/modules
Module Name:src Committed By: christos Date: Mon May 3 12:58:09 UTC 2010 Modified Files: src/lib/libpam/modules: mod.mk Log Message: make the dependency to libpam, explicit. Fixes afpd in pkgsrc. From Mark Davies XXX: Should be pulled up to 4.x and 5.x. To generate a diff of this commit: cvs rdiff -u -r1.7 -r1.8 src/lib/libpam/modules/mod.mk Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libpam/modules/mod.mk diff -u src/lib/libpam/modules/mod.mk:1.7 src/lib/libpam/modules/mod.mk:1.8 --- src/lib/libpam/modules/mod.mk:1.7 Sun Dec 13 03:25:20 2009 +++ src/lib/libpam/modules/mod.mk Mon May 3 08:58:09 2010 @@ -1,4 +1,4 @@ -# $NetBSD: mod.mk,v 1.7 2009/12/13 08:25:20 mrg Exp $ +# $NetBSD: mod.mk,v 1.8 2010/05/03 12:58:09 christos Exp $ NOLINT= # don't build a lint library NOPROFILE= # don't build a profile library @@ -15,6 +15,8 @@ .endif WARNS=3 +LIBDPLIBS+= pam ${.CURDIR}/../../libpam + .if ${MKPIC} != "no" .PRECIOUS: ${DESTDIR}${LIBDIR}/${LIB}.so.${SHLIB_MAJOR} libinstall:: ${DESTDIR}${LIBDIR}/${LIB}.so.${SHLIB_MAJOR}
CVS commit: src/lib/libpam/modules/pam_nologin
Module Name:src Committed By: wiz Date: Sun Jan 17 23:17:08 UTC 2010 Modified Files: src/lib/libpam/modules/pam_nologin: pam_nologin.c Log Message: Close file handle after using it. Found by cppcheck. To generate a diff of this commit: cvs rdiff -u -r1.7 -r1.8 src/lib/libpam/modules/pam_nologin/pam_nologin.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libpam/modules/pam_nologin/pam_nologin.c diff -u src/lib/libpam/modules/pam_nologin/pam_nologin.c:1.7 src/lib/libpam/modules/pam_nologin/pam_nologin.c:1.8 --- src/lib/libpam/modules/pam_nologin/pam_nologin.c:1.7 Sun Jan 27 01:23:20 2008 +++ src/lib/libpam/modules/pam_nologin/pam_nologin.c Sun Jan 17 23:17:08 2010 @@ -1,4 +1,4 @@ -/* $NetBSD: pam_nologin.c,v 1.7 2008/01/27 01:23:20 christos Exp $ */ +/* $NetBSD: pam_nologin.c,v 1.8 2010/01/17 23:17:08 wiz Exp $ */ /*- * Copyright 2001 Mark R V Murray @@ -40,7 +40,7 @@ #ifdef __FreeBSD__ __FBSDID("$FreeBSD: src/lib/libpam/modules/pam_nologin/pam_nologin.c,v 1.10 2002/04/12 22:27:21 des Exp $"); #else -__RCSID("$NetBSD: pam_nologin.c,v 1.7 2008/01/27 01:23:20 christos Exp $"); +__RCSID("$NetBSD: pam_nologin.c,v 1.8 2010/01/17 23:17:08 wiz Exp $"); #endif @@ -127,8 +127,10 @@ PAM_LOG("Opened %s file", nologin); - if (fstat(fd, &st) < 0) + if (fstat(fd, &st) < 0) { + close(fd); return PAM_AUTH_ERR; + } mtmp = malloc(st.st_size + 1); if (mtmp != NULL) { @@ -137,6 +139,7 @@ pam_error(pamh, "%s", mtmp); free(mtmp); } + close(fd); PAM_VERBOSE_ERROR("Administrator refusing you: %s", nologin);
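Review bot: `mtmp = malloc(st.st_size + 1);` in the `-127` hunk sizes the buffer straight from `fstat()` with no upper bound, and `st_size` is a signed `off_t` that is converted to `size_t` for the call. The nologin file is normally administrator-controlled, so this is a robustness point rather than an exposure, but I would skip displaying the file when `st.st_size` is negative or above a module-defined limit instead of letting the file size drive the allocation. The code that fills `mtmp` lies between the two hunks and is not shown, so whether its result is checked before `pam_error()` could not be verified.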
CVS commit: src/lib/libpam/modules/pam_unix
Module Name:src Committed By: drochner Date: Wed Nov 18 17:06:23 UTC 2009 Modified Files: src/lib/libpam/modules/pam_unix: pam_unix.c Log Message: if changing the password, don't clear PAM_AUTHTOK at the beginning -- this sabotages external password strength checkers To generate a diff of this commit: cvs rdiff -u -r1.13 -r1.14 src/lib/libpam/modules/pam_unix/pam_unix.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libpam/modules/pam_unix/pam_unix.c diff -u src/lib/libpam/modules/pam_unix/pam_unix.c:1.13 src/lib/libpam/modules/pam_unix/pam_unix.c:1.14 --- src/lib/libpam/modules/pam_unix/pam_unix.c:1.13 Sun Jun 14 23:23:54 2009 +++ src/lib/libpam/modules/pam_unix/pam_unix.c Wed Nov 18 17:06:23 2009 @@ -1,4 +1,4 @@ -/* $NetBSD: pam_unix.c,v 1.13 2009/06/14 23:23:54 tonnerre Exp $ */ +/* $NetBSD: pam_unix.c,v 1.14 2009/11/18 17:06:23 drochner Exp $ */ /*- * Copyright 1998 Juniper Networks, Inc. @@ -40,7 +40,7 @@ #ifdef __FreeBSD__ __FBSDID("$FreeBSD: src/lib/libpam/modules/pam_unix/pam_unix.c,v 1.49 2004/02/10 10:13:21 des Exp $"); #else -__RCSID("$NetBSD: pam_unix.c,v 1.13 2009/06/14 23:23:54 tonnerre Exp $"); +__RCSID("$NetBSD: pam_unix.c,v 1.14 2009/11/18 17:06:23 drochner Exp $"); #endif @@ -557,7 +557,6 @@ /* Get the new password. */ for (tries = 0;;) { - pam_set_item(pamh, PAM_AUTHTOK, NULL); retval = pam_get_authtok(pamh, PAM_AUTHTOK, &new_pass, NULL); if (retval == PAM_TRY_AGAIN) { @@ -576,12 +575,12 @@ } if (min_pw_len > 0 && strlen(new_pass) < (size_t)min_pw_len) { pam_error(pamh, "Password is too short."); -continue; +goto retry; } if (strlen(new_pass) <= 5 && ++tries < 2) { pam_error(pamh, "Please enter a longer password."); -continue; +goto retry; } for (p = new_pass; *p && islower((unsigned char)*p); ++p); if (!*p && ++tries < 2) { 
@@ -590,10 +589,12 @@ "password.\nUnusual capitalization, " "control characters or digits are " "suggested."); -continue; +goto retry; } /* Password is OK. */ break; +retry: + pam_set_item(pamh, PAM_AUTHTOK, NULL); } pw_getpwconf(option, sizeof(option), pwd, #ifdef YP
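Review bot: The `retry:` label at the bottom of the loop has no comment explaining why `PAM_AUTHTOK` is cleared there and no longer before the first `pam_get_authtok()` call; the reason lives only in the commit message. I would add above the label `/* Discard the rejected token so the next pass prompts again; the first pass keeps a token an earlier module may have set. */`. The `PAM_TRY_AGAIN` branch in the `-557` hunk is cut off, so check that it does not `continue` past the label in a case where a stale token should be dropped. Parts of the loop body lie between the three hunks and are not shown.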
CVS commit: src/lib/libpam/modules/pam_ssh
Module Name:src Committed By: christos Date: Mon Jul 20 18:01:41 UTC 2009 Modified Files: src/lib/libpam/modules/pam_ssh: Makefile Log Message: use new openssh tree To generate a diff of this commit: cvs rdiff -u -r1.9 -r1.10 src/lib/libpam/modules/pam_ssh/Makefile Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libpam/modules/pam_ssh/Makefile diff -u src/lib/libpam/modules/pam_ssh/Makefile:1.9 src/lib/libpam/modules/pam_ssh/Makefile:1.10 --- src/lib/libpam/modules/pam_ssh/Makefile:1.9 Mon Jul 20 13:29:08 2009 +++ src/lib/libpam/modules/pam_ssh/Makefile Mon Jul 20 14:01:41 2009 @@ -1,4 +1,4 @@ -# $NetBSD: Makefile,v 1.9 2009/07/20 17:29:08 christos Exp $ +# $NetBSD: Makefile,v 1.10 2009/07/20 18:01:41 christos Exp $ # PAM module for SSH # $FreeBSD: src/lib/libpam/modules/pam_ssh/Makefile,v 1.18 2004/08/06 07:27:04 cperciva Exp $ @@ -8,7 +8,7 @@ .include -SSHSRC= ${NETBSDSRCDIR}/crypto/dist/ssh +SSHSRC= ${NETBSDSRCDIR}/crypto/external/bsd/openssh/dist LIB= pam_ssh MAN= pam_ssh.8
CVS commit: src/lib/libpam/modules
Module Name:src Committed By: christos Date: Mon Jul 20 17:29:08 UTC 2009 Modified Files: src/lib/libpam/modules/pam_afslog: Makefile src/lib/libpam/modules/pam_krb5: Makefile src/lib/libpam/modules/pam_ksu: Makefile src/lib/libpam/modules/pam_ssh: Makefile Log Message: use the proper libcrypto To generate a diff of this commit: cvs rdiff -u -r1.4 -r1.5 src/lib/libpam/modules/pam_afslog/Makefile cvs rdiff -u -r1.8 -r1.9 src/lib/libpam/modules/pam_krb5/Makefile cvs rdiff -u -r1.8 -r1.9 src/lib/libpam/modules/pam_ksu/Makefile cvs rdiff -u -r1.8 -r1.9 src/lib/libpam/modules/pam_ssh/Makefile Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libpam/modules/pam_afslog/Makefile diff -u src/lib/libpam/modules/pam_afslog/Makefile:1.4 src/lib/libpam/modules/pam_afslog/Makefile:1.5 --- src/lib/libpam/modules/pam_afslog/Makefile:1.4 Mon Oct 27 03:57:41 2008 +++ src/lib/libpam/modules/pam_afslog/Makefile Mon Jul 20 13:29:08 2009 @@ -1,4 +1,4 @@ -# $NetBSD: Makefile,v 1.4 2008/10/27 07:57:41 mrg Exp $ +# $NetBSD: Makefile,v 1.5 2009/07/20 17:29:08 christos Exp $ LIB= pam_afslog SRCS= pam_afslog.c @@ -10,6 +10,6 @@ roken ${.CURDIR}/../../../libroken \ com_err ${.CURDIR}/../../../libcom_err \ crypt ${.CURDIR}/../../../libcrypt \ - crypto ${.CURDIR}/../../../libcrypto + crypto ${NETBSDSRCDIR}/crypto/external/bsd/openssl/lib/libcrypto .include "${.CURDIR}/../mod.mk" Index: src/lib/libpam/modules/pam_krb5/Makefile diff -u src/lib/libpam/modules/pam_krb5/Makefile:1.8 src/lib/libpam/modules/pam_krb5/Makefile:1.9 --- src/lib/libpam/modules/pam_krb5/Makefile:1.8 Mon Oct 27 03:57:41 2008 +++ src/lib/libpam/modules/pam_krb5/Makefile Mon Jul 20 13:29:08 2009 @@ -1,4 +1,4 @@ -# $NetBSD: Makefile,v 1.8 2008/10/27 07:57:41 mrg Exp $ +# $NetBSD: Makefile,v 1.9 2009/07/20 17:29:08 christos Exp $ # Copyright 2001 FreeBSD, Inc. # All rights reserved. # 
@@ -34,6 +34,6 @@ roken ${.CURDIR}/../../../libroken \ com_err ${.CURDIR}/../../../libcom_err \ crypt ${.CURDIR}/../../../libcrypt \ - crypto ${.CURDIR}/../../../libcrypto + crypto ${NETBSDSRCDIR}/crypto/external/bsd/openssl/lib/libcrypto .include "${.CURDIR}/../mod.mk" Index: src/lib/libpam/modules/pam_ksu/Makefile diff -u src/lib/libpam/modules/pam_ksu/Makefile:1.8 src/lib/libpam/modules/pam_ksu/Makefile:1.9 --- src/lib/libpam/modules/pam_ksu/Makefile:1.8 Mon Oct 27 03:57:41 2008 +++ src/lib/libpam/modules/pam_ksu/Makefile Mon Jul 20 13:29:08 2009 @@ -1,4 +1,4 @@ -# $NetBSD: Makefile,v 1.8 2008/10/27 07:57:41 mrg Exp $ +# $NetBSD: Makefile,v 1.9 2009/07/20 17:29:08 christos Exp $ # Copyright 2002 FreeBSD, Inc. # All rights reserved. # @@ -34,6 +34,6 @@ roken ${.CURDIR}/../../../libroken \ com_err ${.CURDIR}/../../../libcom_err \ crypt ${.CURDIR}/../../../libcrypt \ - crypto ${.CURDIR}/../../../libcrypto + crypto ${NETBSDSRCDIR}/crypto/external/bsd/openssl/lib/libcrypto .include "${.CURDIR}/../mod.mk" Index: src/lib/libpam/modules/pam_ssh/Makefile diff -u src/lib/libpam/modules/pam_ssh/Makefile:1.8 src/lib/libpam/modules/pam_ssh/Makefile:1.9 --- src/lib/libpam/modules/pam_ssh/Makefile:1.8 Tue Jun 9 01:20:16 2009 +++ src/lib/libpam/modules/pam_ssh/Makefile Mon Jul 20 13:29:08 2009 @@ -1,4 +1,4 @@ -# $NetBSD: Makefile,v 1.8 2009/06/09 05:20:16 mrg Exp $ +# $NetBSD: Makefile,v 1.9 2009/07/20 17:29:08 christos Exp $ # PAM module for SSH # $FreeBSD: src/lib/libpam/modules/pam_ssh/Makefile,v 1.18 2004/08/06 07:27:04 cperciva Exp $ @@ -16,8 +16,8 @@ CPPFLAGS+= -I${SSHSRC} -LIBDPLIBS+= ssh ${.CURDIR}/../../../../crypto/external/bsd/openssh/lib \ +LIBDPLIBS+= ssh ${NETBSDSRCDIR}/crypto/external/bsd/openssh/lib \ crypt ${.CURDIR}/../../../libcrypt \ - crypto ${.CURDIR}/../../../libcrypto + crypto ${NETBSDSRCDIR}/crypto/external/bsd/openssl/lib/libcrypto .include "${.CURDIR}/../mod.mk"
CVS commit: src/lib/libpam/modules/pam_unix
Module Name:src Committed By: tonnerre Date: Sun Jun 14 23:23:54 UTC 2009 Modified Files: src/lib/libpam/modules/pam_unix: pam_unix.c Log Message: Restore the good old UNIX behavior of root password changing: only root may change the root password. (Checked that everybody else's password can be changed without any problem, and checked that root can still change the root password.) To generate a diff of this commit: cvs rdiff -u -r1.12 -r1.13 src/lib/libpam/modules/pam_unix/pam_unix.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libpam/modules/pam_unix/pam_unix.c diff -u src/lib/libpam/modules/pam_unix/pam_unix.c:1.12 src/lib/libpam/modules/pam_unix/pam_unix.c:1.13 --- src/lib/libpam/modules/pam_unix/pam_unix.c:1.12 Mon Jan 26 04:01:14 2009 +++ src/lib/libpam/modules/pam_unix/pam_unix.c Sun Jun 14 23:23:54 2009 @@ -1,4 +1,4 @@ -/* $NetBSD: pam_unix.c,v 1.12 2009/01/26 04:01:14 lukem Exp $ */ +/* $NetBSD: pam_unix.c,v 1.13 2009/06/14 23:23:54 tonnerre Exp $ */ /*- * Copyright 1998 Juniper Networks, Inc. @@ -40,7 +40,7 @@ #ifdef __FreeBSD__ __FBSDID("$FreeBSD: src/lib/libpam/modules/pam_unix/pam_unix.c,v 1.49 2004/02/10 10:13:21 des Exp $"); #else -__RCSID("$NetBSD: pam_unix.c,v 1.12 2009/01/26 04:01:14 lukem Exp $"); +__RCSID("$NetBSD: pam_unix.c,v 1.13 2009/06/14 23:23:54 tonnerre Exp $"); #endif @@ -508,6 +508,14 @@ /* Root doesn't need the old password. */ return (pam_set_item(pamh, PAM_OLDAUTHTOK, "")); } + /* + * Apparently we're not root, so let's forbid editing + * root. + * XXX Check for some flag to indicate if this + * XXX is the desired behavior. + */ + if (pwd->pw_uid == 0) +return (PAM_PERM_DENIED); } if (pwd->pw_passwd[0] == '\0') {
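Review bot: The added test `if (pwd->pw_uid == 0) return (PAM_PERM_DENIED);` keys on the numeric uid, so it refuses changes to every uid-0 account and not only the one named root, while the comment above it speaks only of root; the comment should say so, e.g. `/* Only root may change the password of a uid 0 account. */`. The refusal also leaves no trace: a non-root attempt to change a uid-0 password is worth a log line before the return, using whatever logging call this file already has. How the code decides that the caller is root is outside the hunk, so that condition could not be checked.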