CVS commit: src/lib/libpam/modules/pam_ssh
Module Name:src Committed By: christos Date: Sun Mar 1 14:50:43 UTC 2020 Modified Files: src/lib/libpam/modules/pam_ssh: Makefile Log Message: Add the sign client part. To generate a diff of this commit: cvs rdiff -u -r1.11 -r1.12 src/lib/libpam/modules/pam_ssh/Makefile Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libpam/modules/pam_ssh/Makefile diff -u src/lib/libpam/modules/pam_ssh/Makefile:1.11 src/lib/libpam/modules/pam_ssh/Makefile:1.12 --- src/lib/libpam/modules/pam_ssh/Makefile:1.11 Sat Feb 3 22:19:53 2018 +++ src/lib/libpam/modules/pam_ssh/Makefile Sun Mar 1 09:50:43 2020 @@ -1,4 +1,4 @@ -# $NetBSD: Makefile,v 1.11 2018/02/04 03:19:53 christos Exp $ +# $NetBSD: Makefile,v 1.12 2020/03/01 14:50:43 christos Exp $ # PAM module for SSH # $FreeBSD: src/lib/libpam/modules/pam_ssh/Makefile,v 1.18 2004/08/06 07:27:04 cperciva Exp $ @@ -10,9 +10,10 @@ NOPICINSTALL= # don't install _pic.a lib SSHSRC= ${NETBSDSRCDIR}/crypto/external/bsd/openssh/dist +.PATH: ${SSHSRC} LIB= pam_ssh MAN= pam_ssh.8 -SRCS= pam_ssh.c +SRCS= pam_ssh.c ssh-sk-client.c CPPFLAGS+= -I${SSHSRC}
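Review bot: The new `SRCS= pam_ssh.c ssh-sk-client.c` line compiles an OpenSSH source file straight into the PAM module, and nothing in the Makefile says which symbol it is there to satisfy; a comment such as `# ssh-sk-client.c: satisfies the agent-API dependency pulled in by pam_ssh.c` above `.PATH: ${SSHSRC}` would spare the next reader a search through the OpenSSH tree. The `.PATH:` line also makes make search the whole OpenSSH source directory for any source or target it cannot find locally, so the comment should say that this is intended. That the file is tied to the `provider` argument added to pam_ssh.c in rev 1.28 on this page is my inference from the log message "Add the sign client part", not something the hunk shows.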
CVS commit: src/lib/libpam/modules/pam_ssh
Module Name:src Committed By: christos Date: Thu Feb 27 03:25:09 UTC 2020 Modified Files: src/lib/libpam/modules/pam_ssh: pam_ssh.c Log Message: This takes a provider now To generate a diff of this commit: cvs rdiff -u -r1.27 -r1.28 src/lib/libpam/modules/pam_ssh/pam_ssh.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libpam/modules/pam_ssh/pam_ssh.c diff -u src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.27 src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.28 --- src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.27 Sat Jun 1 03:15:39 2019 +++ src/lib/libpam/modules/pam_ssh/pam_ssh.c Wed Feb 26 22:25:08 2020 @@ -1,4 +1,4 @@ -/* $NetBSD: pam_ssh.c,v 1.27 2019/06/01 07:15:39 mlelstv Exp $ */ +/* $NetBSD: pam_ssh.c,v 1.28 2020/02/27 03:25:08 christos Exp $ */ /*- * Copyright (c) 2003 Networks Associates Technology, Inc. @@ -38,7 +38,7 @@ #ifdef __FreeBSD__ __FBSDID("$FreeBSD: src/lib/libpam/modules/pam_ssh/pam_ssh.c,v 1.40 2004/02/10 10:13:21 des Exp $"); #else -__RCSID("$NetBSD: pam_ssh.c,v 1.27 2019/06/01 07:15:39 mlelstv Exp $"); +__RCSID("$NetBSD: pam_ssh.c,v 1.28 2020/02/27 03:25:08 christos Exp $"); #endif #include @@ -68,7 +68,7 @@ __RCSID("$NetBSD: pam_ssh.c,v 1.27 2019/ #include "authfile.h" #define ssh_add_identity(auth, key, comment) \ - ssh_add_identity_constrained(auth, key, comment, 0, 0, 0) + ssh_add_identity_constrained(auth, key, comment, 0, 0, 0, "pam") extern char **environ;
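Review bot: The macro now passes the string literal `"pam"` as the new last argument of `ssh_add_identity_constrained()`, but in OpenSSH that parameter is the FIDO security-key provider (a library path or `"internal"`), meant to reach the agent only for authenticator-hosted keys — ssh-add deliberately clears it for every other key type. None of the key files this module loads (`.ssh/identity`, `id_rsa`, `id_dsa`, `id_ecdsa`, per the list in rev 1.20 on this page) is such a key, so if authfd emits the provider constraint whenever the pointer is non-NULL, as I believe it does, the agent will refuse every key pam_ssh tries to add. The safe form is `ssh_add_identity_constrained(auth, key, comment, 0, 0, 0, NULL)` with a comment `/* no SK provider: this module loads no authenticator-hosted keys */`. Both statements about OpenSSH internals are from memory of its 8.2 sources and should be checked against ${SSHSRC}/authfd.c and ssh-agent.c before changing the line.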
CVS commit: src/lib/libpam/modules/pam_ssh
Module Name:src Committed By: christos Date: Sun Aug 26 08:54:03 UTC 2018 Modified Files: src/lib/libpam/modules/pam_ssh: pam_ssh.c Log Message: adjust to new libssh api. To generate a diff of this commit: cvs rdiff -u -r1.25 -r1.26 src/lib/libpam/modules/pam_ssh/pam_ssh.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libpam/modules/pam_ssh/pam_ssh.c diff -u src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.25 src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.26 --- src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.25 Sat Apr 7 15:28:32 2018 +++ src/lib/libpam/modules/pam_ssh/pam_ssh.c Sun Aug 26 04:54:03 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: pam_ssh.c,v 1.25 2018/04/07 19:28:32 christos Exp $ */ +/* $NetBSD: pam_ssh.c,v 1.26 2018/08/26 08:54:03 christos Exp $ */ /*- * Copyright (c) 2003 Networks Associates Technology, Inc. @@ -38,7 +38,7 @@ #ifdef __FreeBSD__ __FBSDID("$FreeBSD: src/lib/libpam/modules/pam_ssh/pam_ssh.c,v 1.40 2004/02/10 10:13:21 des Exp $"); #else -__RCSID("$NetBSD: pam_ssh.c,v 1.25 2018/04/07 19:28:32 christos Exp $"); +__RCSID("$NetBSD: pam_ssh.c,v 1.26 2018/08/26 08:54:03 christos Exp $"); #endif #include @@ -62,8 +62,8 @@ __RCSID("$NetBSD: pam_ssh.c,v 1.25 2018/ #include -#include "key.h" -#include "buffer.h" +#include "sshkey.h" +#include "sshbuf.h" #include "authfd.h" #include "authfile.h" @@ -73,7 +73,7 @@ __RCSID("$NetBSD: pam_ssh.c,v 1.25 2018/ extern char **environ; struct pam_ssh_key { - Key *key; + struct sshkey *key; char *comment; }; @@ -103,8 +103,9 @@ pam_ssh_load_key(const char *dir, const { struct pam_ssh_key *psk; char fn[PATH_MAX]; + int r; char *comment; - Key *key; + struct sshkey *key; if (snprintf(fn, sizeof(fn), "%s/%s", dir, kfn) > (int)sizeof(fn)) return (NULL); 
@@ -117,15 +118,15 @@ pam_ssh_load_key(const char *dir, const * with an empty passphrase, and if the key is not encrypted, * accept only an empty passphrase. */ - key = key_load_private(fn, "", ); - if (key != NULL && !(*passphrase == '\0' && nullok)) { - key_free(key); + r = sshkey_load_private(fn, "", , ); + if (r && !(*passphrase == '\0' && nullok)) { + sshkey_free(key); free(comment); return (NULL); } - if (key == NULL) - key = key_load_private(fn, passphrase, ); - if (key == NULL) { + if (r) + sshkey_load_private(fn, passphrase, , ); + if (r) { openpam_log(PAM_LOG_DEBUG, "failed to load key from %s", fn); if (comment != NULL) free(comment); @@ -134,7 +135,7 @@ pam_ssh_load_key(const char *dir, const openpam_log(PAM_LOG_DEBUG, "loaded '%s' from %s", comment, fn); if ((psk = malloc(sizeof(*psk))) == NULL) { - key_free(key); + sshkey_free(key); free(comment); return (NULL); } @@ -153,7 +154,7 @@ pam_ssh_free_key(pam_handle_t *pamh __un struct pam_ssh_key *psk; psk = data; - key_free(psk->key); + sshkey_free(psk->key); free(psk->comment); free(psk); }
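Review bot: The rewritten passphrase check in pam_ssh_load_key tests `r` with the wrong polarity: `sshkey_load_private()` returns 0 on success and a negative SSH_ERR_* code on failure, so `if (r && !(*passphrase == '\0' && nullok))` now rejects keys that are encrypted instead of keys that are not, and the fall-through for `r == 0` accepts an unencrypted key no matter what `nullok` says — the protection the comment directly above describes is bypassed. The second call, `if (r) sshkey_load_private(fn, passphrase, …)`, also discards its return value, so `r` still holds the first failure and the following `if (r)` logs "failed to load key" even when the passphrase was right; encrypted keys can therefore never be loaded at all. This rendering has dropped the `&key, &comment` output arguments, which the excerpt restores. The function's head and tail are outside this hunk; unless `sshkey_load_private()` is guaranteed to null `*keyp` on failure, `key` should also be initialised to NULL before the first call so the `sshkey_free(key)` in the reject branch is safe.
```c
	r = sshkey_load_private(fn, "", &key, &comment);
	if (r == 0 && !(*passphrase == '\0' && nullok)) {
		/* unencrypted key and nullok not granted: refuse it */
		sshkey_free(key);
		free(comment);
		return (NULL);
	}
	if (r != 0)
		r = sshkey_load_private(fn, passphrase, &key, &comment);
	if (r != 0) {
		openpam_log(PAM_LOG_DEBUG, "failed to load key from %s", fn);
		/* … unchanged: comment cleanup and return (NULL) … */
```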
CVS commit: src/lib/libpam/modules/pam_ssh
Module Name:src Committed By: christos Date: Sat Apr 7 19:28:32 UTC 2018 Modified Files: src/lib/libpam/modules/pam_ssh: pam_ssh.c Log Message: fix and use the macro. To generate a diff of this commit: cvs rdiff -u -r1.24 -r1.25 src/lib/libpam/modules/pam_ssh/pam_ssh.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libpam/modules/pam_ssh/pam_ssh.c diff -u src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.24 src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.25 --- src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.24 Sat Apr 7 09:57:12 2018 +++ src/lib/libpam/modules/pam_ssh/pam_ssh.c Sat Apr 7 15:28:32 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: pam_ssh.c,v 1.24 2018/04/07 13:57:12 christos Exp $ */ +/* $NetBSD: pam_ssh.c,v 1.25 2018/04/07 19:28:32 christos Exp $ */ /*- * Copyright (c) 2003 Networks Associates Technology, Inc. @@ -38,7 +38,7 @@ #ifdef __FreeBSD__ __FBSDID("$FreeBSD: src/lib/libpam/modules/pam_ssh/pam_ssh.c,v 1.40 2004/02/10 10:13:21 des Exp $"); #else -__RCSID("$NetBSD: pam_ssh.c,v 1.24 2018/04/07 13:57:12 christos Exp $"); +__RCSID("$NetBSD: pam_ssh.c,v 1.25 2018/04/07 19:28:32 christos Exp $"); #endif #include @@ -68,7 +68,7 @@ __RCSID("$NetBSD: pam_ssh.c,v 1.24 2018/ #include "authfile.h" #define ssh_add_identity(auth, key, comment) \ - ssh_add_identity_constrained(auth, key, comment, 0, 0) + ssh_add_identity_constrained(auth, key, comment, 0, 0, 0) extern char **environ; @@ -383,8 +383,7 @@ pam_ssh_add_keys_to_agent(pam_handle_t * pam_err = pam_get_data(pamh, *kfn, ); psk = vp; if (pam_err == PAM_SUCCESS && psk != NULL) { - if (ssh_add_identity_constrained(agent_fd, psk->key, - psk->comment, 0, 0, 0)) + if (ssh_add_identity(agent_fd, psk->key, psk->comment)) openpam_log(PAM_LOG_DEBUG, "added %s to ssh agent", psk->comment); else
CVS commit: src/lib/libpam/modules/pam_ssh
Module Name:src Committed By: christos Date: Sat Apr 7 13:57:12 UTC 2018 Modified Files: src/lib/libpam/modules/pam_ssh: pam_ssh.c Log Message: function grew an extra argument now. To generate a diff of this commit: cvs rdiff -u -r1.23 -r1.24 src/lib/libpam/modules/pam_ssh/pam_ssh.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libpam/modules/pam_ssh/pam_ssh.c diff -u src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.23 src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.24 --- src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.23 Fri Apr 3 22:51:10 2015 +++ src/lib/libpam/modules/pam_ssh/pam_ssh.c Sat Apr 7 09:57:12 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: pam_ssh.c,v 1.23 2015/04/04 02:51:10 christos Exp $ */ +/* $NetBSD: pam_ssh.c,v 1.24 2018/04/07 13:57:12 christos Exp $ */ /*- * Copyright (c) 2003 Networks Associates Technology, Inc. @@ -38,7 +38,7 @@ #ifdef __FreeBSD__ __FBSDID("$FreeBSD: src/lib/libpam/modules/pam_ssh/pam_ssh.c,v 1.40 2004/02/10 10:13:21 des Exp $"); #else -__RCSID("$NetBSD: pam_ssh.c,v 1.23 2015/04/04 02:51:10 christos Exp $"); +__RCSID("$NetBSD: pam_ssh.c,v 1.24 2018/04/07 13:57:12 christos Exp $"); #endif #include @@ -384,7 +384,7 @@ pam_ssh_add_keys_to_agent(pam_handle_t * psk = vp; if (pam_err == PAM_SUCCESS && psk != NULL) { if (ssh_add_identity_constrained(agent_fd, psk->key, - psk->comment, 0, 0)) + psk->comment, 0, 0, 0)) openpam_log(PAM_LOG_DEBUG, "added %s to ssh agent", psk->comment); else
CVS commit: src/lib/libpam/modules/pam_ssh
Module Name:src Committed By: christos Date: Sat Apr 4 02:51:10 UTC 2015 Modified Files: src/lib/libpam/modules/pam_ssh: pam_ssh.c Log Message: Adapt to the new API. To generate a diff of this commit: cvs rdiff -u -r1.22 -r1.23 src/lib/libpam/modules/pam_ssh/pam_ssh.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libpam/modules/pam_ssh/pam_ssh.c diff -u src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.22 src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.23 --- src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.22 Fri Jan 6 09:04:02 2012 +++ src/lib/libpam/modules/pam_ssh/pam_ssh.c Fri Apr 3 22:51:10 2015 @@ -1,4 +1,4 @@ -/* $NetBSD: pam_ssh.c,v 1.22 2012/01/06 14:04:02 drochner Exp $ */ +/* $NetBSD: pam_ssh.c,v 1.23 2015/04/04 02:51:10 christos Exp $ */ /*- * Copyright (c) 2003 Networks Associates Technology, Inc. @@ -38,7 +38,7 @@ #ifdef __FreeBSD__ __FBSDID($FreeBSD: src/lib/libpam/modules/pam_ssh/pam_ssh.c,v 1.40 2004/02/10 10:13:21 des Exp $); #else -__RCSID($NetBSD: pam_ssh.c,v 1.22 2012/01/06 14:04:02 drochner Exp $); +__RCSID($NetBSD: pam_ssh.c,v 1.23 2015/04/04 02:51:10 christos Exp $); #endif #include sys/param.h @@ -352,11 +352,11 @@ done: static int pam_ssh_add_keys_to_agent(pam_handle_t *pamh) { - AuthenticationConnection *ac; const struct pam_ssh_key *psk; const char **kfn; char **envlist, **env; int pam_err; + int agent_fd; /* switch to PAM environment */ envlist = environ; @@ -368,11 +368,12 @@ pam_ssh_add_keys_to_agent(pam_handle_t * } /* get a connection to the agent */ - if ((ac = ssh_get_authentication_connection()) == NULL) { + if (ssh_get_authentication_socket(agent_fd) != 0) { openpam_log(PAM_LOG_DEBUG, %s: cannot get authentication connection, __func__); pam_err = PAM_SYSTEM_ERR; + agent_fd = -1; goto end; } 
@@ -382,7 +383,8 @@ pam_ssh_add_keys_to_agent(pam_handle_t * pam_err = pam_get_data(pamh, *kfn, vp); psk = vp; if (pam_err == PAM_SUCCESS psk != NULL) { - if (ssh_add_identity(ac, psk-key, psk-comment)) + if (ssh_add_identity_constrained(agent_fd, psk-key, + psk-comment, 0, 0)) openpam_log(PAM_LOG_DEBUG, added %s to ssh agent, psk-comment); else @@ -395,8 +397,8 @@ pam_ssh_add_keys_to_agent(pam_handle_t * pam_err = PAM_SUCCESS; end: /* disconnect from agent */ - if (ac != NULL) - ssh_close_authentication_connection(ac); + if (agent_fd != -1) + ssh_close_authentication_socket(agent_fd); /* switch back to original environment */ for (env = environ; *env != NULL; ++env)
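Review bot: The success test around the new call is inverted: in the fd-based authfd API `ssh_add_identity_constrained()` returns 0 on success and a negative error code otherwise — the same convention the neighbouring hunk relies on with `ssh_get_authentication_socket(&agent_fd) != 0` — so `if (ssh_add_identity_constrained(agent_fd, psk->key, psk->comment, 0, 0))` now logs "added %s to ssh agent" on failure and takes the else branch on success. The old `AuthenticationConnection` function returned 1 on success, which is why the test used to be right. The check should read `if (ssh_add_identity_constrained(agent_fd, psk->key, psk->comment, 0, 0) == 0)`; the follow-up commits rev 1.24 and rev 1.25 on this page, and the `ssh_add_identity` macro they end up using, carry the same inverted test and want the same `== 0`. Only the debug log is affected, but a trace that says "added" for a key the agent refused makes the agent path hard to diagnose. pam_ssh_add_keys_to_agent starts and ends outside this hunk.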
CVS commit: src/lib/libpam/modules/pam_ssh
Module Name:src Committed By: drochner Date: Fri Jan 6 14:04:02 UTC 2012 Modified Files: src/lib/libpam/modules/pam_ssh: pam_ssh.c Log Message: pull in from FreeBSD rev.1.41: Narrow the use of user credentials. (call pam_get_authtok() with caller's rights rather than user's) To generate a diff of this commit: cvs rdiff -u -r1.21 -r1.22 src/lib/libpam/modules/pam_ssh/pam_ssh.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libpam/modules/pam_ssh/pam_ssh.c diff -u src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.21 src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.22 --- src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.21 Tue Jan 3 19:02:55 2012 +++ src/lib/libpam/modules/pam_ssh/pam_ssh.c Fri Jan 6 14:04:02 2012 @@ -1,4 +1,4 @@ -/* $NetBSD: pam_ssh.c,v 1.21 2012/01/03 19:02:55 christos Exp $ */ +/* $NetBSD: pam_ssh.c,v 1.22 2012/01/06 14:04:02 drochner Exp $ */ /*- * Copyright (c) 2003 Networks Associates Technology, Inc. @@ -38,7 +38,7 @@ #ifdef __FreeBSD__ __FBSDID($FreeBSD: src/lib/libpam/modules/pam_ssh/pam_ssh.c,v 1.40 2004/02/10 10:13:21 des Exp $); #else -__RCSID($NetBSD: pam_ssh.c,v 1.21 2012/01/03 19:02:55 christos Exp $); +__RCSID($NetBSD: pam_ssh.c,v 1.22 2012/01/06 14:04:02 drochner Exp $); #endif #include sys/param.h @@ -184,11 +184,6 @@ pam_sm_authenticate(pam_handle_t *pamh, if (pwd-pw_dir == NULL) return (PAM_AUTH_ERR); - /* switch to user credentials */ - pam_err = openpam_borrow_cred(pamh, pwd); - if (pam_err != PAM_SUCCESS) - return (pam_err); - nkeys = 0; pass = (pam_get_item(pamh, PAM_AUTHTOK, item) == PAM_SUCCESS item != NULL); 
@@ -196,10 +191,13 @@ pam_sm_authenticate(pam_handle_t *pamh, /* get passphrase */ pam_err = pam_get_authtok(pamh, PAM_AUTHTOK, passphrase, pam_ssh_prompt); - if (pam_err != PAM_SUCCESS) { - openpam_restore_cred(pamh); + if (pam_err != PAM_SUCCESS) + return (pam_err); + + /* switch to user credentials */ + pam_err = openpam_borrow_cred(pamh, pwd); + if (pam_err != PAM_SUCCESS) return (pam_err); - } /* try to load keys from all keyfiles we know of */ for (kfn = pam_ssh_keyfiles; *kfn != NULL; ++kfn) { @@ -210,6 +208,9 @@ pam_sm_authenticate(pam_handle_t *pamh, } } + /* switch back to arbitrator credentials */ + openpam_restore_cred(pamh); + /* * If we tried an old token and didn't get anything, and * try_first_pass was specified, try again after prompting the @@ -222,9 +223,6 @@ pam_sm_authenticate(pam_handle_t *pamh, goto load_keys; } - /* switch back to arbitrator credentials before returning */ - openpam_restore_cred(pamh); - /* no keys? */ if (nkeys == 0) return (PAM_AUTH_ERR);
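Review bot: The relocated `/* switch to user credentials */` block drops the reasoning the commit log gives, and the new ordering is easy to "fix" back: a later reader will see the passphrase prompt run before `openpam_borrow_cred()` and may take it for an oversight. Extend the comment to `/* The prompt above ran with the caller's rights on purpose; only the key files are read as the user. */`, and the matching `/* switch back to arbitrator credentials */` could note that it must stay ahead of the try_first_pass retry so the second prompt is again issued with the caller's credentials. pam_sm_authenticate begins and ends outside this hunk.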
CVS commit: src/lib/libpam/modules/pam_ssh
Module Name:src Committed By: drochner Date: Fri Dec 16 17:30:12 UTC 2011 Modified Files: src/lib/libpam/modules/pam_ssh: pam_ssh.c Log Message: -remove remainders of the misguided changes in revs 1.5-1.9 -iron out more unnecessary differences to FreeBSD To generate a diff of this commit: cvs rdiff -u -r1.17 -r1.18 src/lib/libpam/modules/pam_ssh/pam_ssh.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libpam/modules/pam_ssh/pam_ssh.c diff -u src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.17 src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.18 --- src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.17 Fri May 6 17:22:09 2011 +++ src/lib/libpam/modules/pam_ssh/pam_ssh.c Fri Dec 16 17:30:12 2011 @@ -1,4 +1,4 @@ -/* $NetBSD: pam_ssh.c,v 1.17 2011/05/06 17:22:09 drochner Exp $ */ +/* $NetBSD: pam_ssh.c,v 1.18 2011/12/16 17:30:12 drochner Exp $ */ /*- * Copyright (c) 2003 Networks Associates Technology, Inc. @@ -38,7 +38,7 @@ #ifdef __FreeBSD__ __FBSDID($FreeBSD: src/lib/libpam/modules/pam_ssh/pam_ssh.c,v 1.40 2004/02/10 10:13:21 des Exp $); #else -__RCSID($NetBSD: pam_ssh.c,v 1.17 2011/05/06 17:22:09 drochner Exp $); +__RCSID($NetBSD: pam_ssh.c,v 1.18 2011/12/16 17:30:12 drochner Exp $); #endif #include sys/param.h @@ -67,6 +67,9 @@ __RCSID($NetBSD: pam_ssh.c,v 1.17 2011/ #include authfd.h #include authfile.h +#define ssh_add_identity(auth, key, comment) \ + ssh_add_identity_constrained(auth, key, comment, 0, 0) + extern char **environ; struct pam_ssh_key { @@ -85,8 +88,8 @@ static const char *pam_ssh_keyfiles[] = }; static const char *pam_ssh_agent = /usr/bin/ssh-agent; -static const char *pam_ssh_agent_argv[] = { ssh_agent, -s, NULL }; -static const char *pam_ssh_agent_envp[] = { NULL }; +static const char *const pam_ssh_agent_argv[] = { ssh_agent, -s, NULL }; +static const char *const pam_ssh_agent_envp[] = { NULL }; /* * Attempts to load a private key from the specified file in the specified 
@@ -94,15 +97,14 @@ static const char *pam_ssh_agent_envp[] * struct pam_ssh_key containing the key and its comment. */ static struct pam_ssh_key * -pam_ssh_load_key(struct passwd *pwd, const char *kfn, const char *passphrase) +pam_ssh_load_key(const char *dir, const char *kfn, const char *passphrase) { struct pam_ssh_key *psk; char fn[PATH_MAX]; char *comment; Key *key; - if (snprintf(fn, sizeof(fn), %s/%s, pwd-pw_dir, kfn) - (int)sizeof(fn)) + if (snprintf(fn, sizeof(fn), %s/%s, dir, kfn) (int)sizeof(fn)) return (NULL); comment = NULL; key = key_load_private(fn, passphrase, comment); @@ -144,6 +146,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int argc __unused, const char *argv[] __unused) { const char **kfn, *passphrase, *user; + const void *item; struct passwd *pwd, pwres; struct pam_ssh_key *psk; int nkeys, pam_err, pass; @@ -167,22 +170,8 @@ pam_sm_authenticate(pam_handle_t *pamh, if (pam_err != PAM_SUCCESS) return (pam_err); -#ifdef notyet - for (kfn = pam_ssh_keyfiles; *kfn != NULL; ++kfn) { - char path[MAXPATHLEN]; - (void)snprintf(path, sizeof(path), %s/%s, pwd-pw_dir, *kfn); - if (access(path, R_OK) == 0) - break; - } - - if (*kfn == NULL) { - openpam_restore_cred(pamh); - return (PAM_AUTH_ERR); - } -#endif - - pass = (pam_get_item(pamh, PAM_AUTHTOK, - (const void **)__UNCONST(passphrase)) == PAM_SUCCESS); + pass = (pam_get_item(pamh, PAM_AUTHTOK, item) == PAM_SUCCESS + item != NULL); load_keys: /* get passphrase */ pam_err = pam_get_authtok(pamh, PAM_AUTHTOK, @@ -195,7 +184,7 @@ pam_sm_authenticate(pam_handle_t *pamh, /* try to load keys from all keyfiles we know of */ nkeys = 0; for (kfn = pam_ssh_keyfiles; *kfn != NULL; ++kfn) { - psk = pam_ssh_load_key(pwd, *kfn, passphrase); + psk = pam_ssh_load_key(pwd-pw_dir, *kfn, passphrase); if (psk != NULL) { pam_set_data(pamh, *kfn, psk, pam_ssh_free_key); ++nkeys; 
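Review bot: The path-building check in pam_ssh_load_key is off by one: `snprintf()` returns the length it wanted to write excluding the terminating NUL, so a result equal to `sizeof(fn)` means the last character was dropped, yet the test `> (int)sizeof(fn)` (the comparator is lost in this rendering; the 2018 hunks further up show it as `>`) still accepts the truncated name, and a negative return is accepted too. The line being rewritten here should read `if (snprintf(fn, sizeof(fn), "%s/%s", dir, kfn) >= (int)sizeof(fn))`, optionally also testing `< 0`. A truncated name only makes the module try a file that does not exist, so the effect is a spurious load failure rather than a wrong key, but the check should still be exact. The rest of pam_ssh_load_key lies outside this hunk.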
@@ -376,7 +365,7 @@ pam_ssh_add_keys_to_agent(pam_handle_t * pam_err = pam_get_data(pamh, *kfn, vp); psk = vp; if (pam_err == PAM_SUCCESS psk != NULL) { - if (ssh_add_identity_constrained(ac, psk-key, psk-comment, 0, 0)) + if (ssh_add_identity(ac, psk-key, psk-comment)) openpam_log(PAM_LOG_DEBUG, added %s to ssh agent, psk-comment); else
CVS commit: src/lib/libpam/modules/pam_ssh
Module Name:src Committed By: drochner Date: Fri Dec 16 17:35:09 UTC 2011 Modified Files: src/lib/libpam/modules/pam_ssh: pam_ssh.c Log Message: disallow empty passphrases per default, and implement the nullok option to allow it if the administator wishes, from FreeBSD To generate a diff of this commit: cvs rdiff -u -r1.18 -r1.19 src/lib/libpam/modules/pam_ssh/pam_ssh.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libpam/modules/pam_ssh/pam_ssh.c diff -u src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.18 src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.19 --- src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.18 Fri Dec 16 17:30:12 2011 +++ src/lib/libpam/modules/pam_ssh/pam_ssh.c Fri Dec 16 17:35:09 2011 @@ -1,4 +1,4 @@ -/* $NetBSD: pam_ssh.c,v 1.18 2011/12/16 17:30:12 drochner Exp $ */ +/* $NetBSD: pam_ssh.c,v 1.19 2011/12/16 17:35:09 drochner Exp $ */ /*- * Copyright (c) 2003 Networks Associates Technology, Inc. @@ -38,7 +38,7 @@ #ifdef __FreeBSD__ __FBSDID($FreeBSD: src/lib/libpam/modules/pam_ssh/pam_ssh.c,v 1.40 2004/02/10 10:13:21 des Exp $); #else -__RCSID($NetBSD: pam_ssh.c,v 1.18 2011/12/16 17:30:12 drochner Exp $); +__RCSID($NetBSD: pam_ssh.c,v 1.19 2011/12/16 17:35:09 drochner Exp $); #endif #include sys/param.h @@ -97,7 +97,8 @@ static const char *const pam_ssh_agent_e * struct pam_ssh_key containing the key and its comment. */ static struct pam_ssh_key * -pam_ssh_load_key(const char *dir, const char *kfn, const char *passphrase) +pam_ssh_load_key(const char *dir, const char *kfn, const char *passphrase, +int nullok) { struct pam_ssh_key *psk; char fn[PATH_MAX]; 
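Review bot: The block comment above the changed signature still ends with "struct pam_ssh_key containing the key and its comment." and says nothing about the new `nullok` parameter, which changes what the function accepts. Add a sentence to it such as ` * nullok: when non-zero, a key stored without a passphrase is accepted, but only if the supplied passphrase is also empty; otherwise unencrypted keys are always refused.` That wording matches the check implemented in the next hunk of this commit, so the contract is documented where callers look for it rather than only in the body.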
@@ -107,7 +108,22 @@ pam_ssh_load_key(const char *dir, const if (snprintf(fn, sizeof(fn), %s/%s, dir, kfn) (int)sizeof(fn)) return (NULL); comment = NULL; - key = key_load_private(fn, passphrase, comment); + /* + * If the key is unencrypted, OpenSSL ignores the passphrase, so + * it will seem like the user typed in the right one. This allows + * a user to circumvent nullok by providing a dummy passphrase. + * Verify that the key really *is* encrypted by trying to load it + * with an empty passphrase, and if the key is not encrypted, + * accept only an empty passphrase. + */ + key = key_load_private(fn, , comment); + if (key != NULL !(*passphrase == '\0' nullok)) { + key_free(key); + free(comment); + return (NULL); + } + if (key == NULL) + key = key_load_private(fn, passphrase, comment); if (key == NULL) { openpam_log(PAM_LOG_DEBUG, failed to load key from %s, fn); if (comment != NULL) @@ -149,9 +165,11 @@ pam_sm_authenticate(pam_handle_t *pamh, const void *item; struct passwd *pwd, pwres; struct pam_ssh_key *psk; - int nkeys, pam_err, pass; + int nkeys, nullok, pam_err, pass; char pwbuf[1024]; + nullok = (openpam_get_option(pamh, nullok) != NULL); + /* PEM is not loaded by default */ OpenSSL_add_all_algorithms(); @@ -170,6 +188,7 @@ pam_sm_authenticate(pam_handle_t *pamh, if (pam_err != PAM_SUCCESS) return (pam_err); + nkeys = 0; pass = (pam_get_item(pamh, PAM_AUTHTOK, item) == PAM_SUCCESS item != NULL); load_keys: @@ -182,9 +201,8 @@ pam_sm_authenticate(pam_handle_t *pamh, } /* try to load keys from all keyfiles we know of */ - nkeys = 0; for (kfn = pam_ssh_keyfiles; *kfn != NULL; ++kfn) { - psk = pam_ssh_load_key(pwd-pw_dir, *kfn, passphrase); + psk = pam_ssh_load_key(pwd-pw_dir, *kfn, passphrase, nullok); if (psk != NULL) { pam_set_data(pamh, *kfn, psk, pam_ssh_free_key); ++nkeys;
CVS commit: src/lib/libpam/modules/pam_ssh
Module Name:src Committed By: drochner Date: Fri Dec 16 17:37:14 UTC 2011 Modified Files: src/lib/libpam/modules/pam_ssh: pam_ssh.8 pam_ssh.c Log Message: support ECDSA keys used by recent ssh To generate a diff of this commit: cvs rdiff -u -r1.5 -r1.6 src/lib/libpam/modules/pam_ssh/pam_ssh.8 cvs rdiff -u -r1.19 -r1.20 src/lib/libpam/modules/pam_ssh/pam_ssh.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libpam/modules/pam_ssh/pam_ssh.8 diff -u src/lib/libpam/modules/pam_ssh/pam_ssh.8:1.5 src/lib/libpam/modules/pam_ssh/pam_ssh.8:1.6 --- src/lib/libpam/modules/pam_ssh/pam_ssh.8:1.5 Mon Feb 28 10:31:41 2005 +++ src/lib/libpam/modules/pam_ssh/pam_ssh.8 Fri Dec 16 17:37:14 2011 @@ -1,4 +1,4 @@ -.\ $NetBSD: pam_ssh.8,v 1.5 2005/02/28 10:31:41 wiz Exp $ +.\ $NetBSD: pam_ssh.8,v 1.6 2011/12/16 17:37:14 drochner Exp $ .\ Copyright (c) 2001 Mark R V Murray .\ All rights reserved. .\ Copyright (c) 2001-2003 Networks Associates Technology, Inc. @@ -35,7 +35,7 @@ .\ .\ $FreeBSD: src/lib/libpam/modules/pam_ssh/pam_ssh.8,v 1.13 2004/07/02 23:52:18 ru Exp $ .\ -.Dd February 27, 2005 +.Dd December 16, 2011 .Dt PAM_SSH 8 .Os .Sh NAME @@ -93,6 +93,10 @@ This option is similar to the option, except that if the previously obtained password fails, the user is prompted for another password. +.It Cm nullok +Normally, keys with no passphrase are ignored for authentication purposes. +If this option is set, keys with no passphrase will be taken into +consideration, allowing the user to log in with a blank password. .El .Ss SSH Session Management Module The 
@@ -130,6 +134,8 @@ SSH1 RSA key SSH2 RSA key .It Pa $HOME/.ssh/id_dsa SSH2 DSA key +.It Pa $HOME/.ssh/id_ecdsa +SSH2 ECDSA key .El .Sh SEE ALSO .Xr ssh-agent 1 , Index: src/lib/libpam/modules/pam_ssh/pam_ssh.c diff -u src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.19 src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.20 --- src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.19 Fri Dec 16 17:35:09 2011 +++ src/lib/libpam/modules/pam_ssh/pam_ssh.c Fri Dec 16 17:37:14 2011 @@ -1,4 +1,4 @@ -/* $NetBSD: pam_ssh.c,v 1.19 2011/12/16 17:35:09 drochner Exp $ */ +/* $NetBSD: pam_ssh.c,v 1.20 2011/12/16 17:37:14 drochner Exp $ */ /*- * Copyright (c) 2003 Networks Associates Technology, Inc. @@ -38,7 +38,7 @@ #ifdef __FreeBSD__ __FBSDID($FreeBSD: src/lib/libpam/modules/pam_ssh/pam_ssh.c,v 1.40 2004/02/10 10:13:21 des Exp $); #else -__RCSID($NetBSD: pam_ssh.c,v 1.19 2011/12/16 17:35:09 drochner Exp $); +__RCSID($NetBSD: pam_ssh.c,v 1.20 2011/12/16 17:37:14 drochner Exp $); #endif #include sys/param.h @@ -84,6 +84,7 @@ static const char *pam_ssh_keyfiles[] = .ssh/identity, /* SSH1 RSA key */ .ssh/id_rsa, /* SSH2 RSA key */ .ssh/id_dsa, /* SSH2 DSA key */ + .ssh/id_ecdsa, /* SSH2 ECDSA key */ NULL };
CVS commit: src/lib/libpam/modules/pam_ssh
Module Name:src Committed By: drochner Date: Fri May 6 17:22:09 UTC 2011 Modified Files: src/lib/libpam/modules/pam_ssh: pam_ssh.c Log Message: remove excess newlines in debug output To generate a diff of this commit: cvs rdiff -u -r1.16 -r1.17 src/lib/libpam/modules/pam_ssh/pam_ssh.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libpam/modules/pam_ssh/pam_ssh.c diff -u src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.16 src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.17 --- src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.16 Sun Nov 21 20:41:36 2010 +++ src/lib/libpam/modules/pam_ssh/pam_ssh.c Fri May 6 17:22:09 2011 @@ -1,4 +1,4 @@ -/* $NetBSD: pam_ssh.c,v 1.16 2010/11/21 20:41:36 adam Exp $ */ +/* $NetBSD: pam_ssh.c,v 1.17 2011/05/06 17:22:09 drochner Exp $ */ /*- * Copyright (c) 2003 Networks Associates Technology, Inc. @@ -38,7 +38,7 @@ #ifdef __FreeBSD__ __FBSDID($FreeBSD: src/lib/libpam/modules/pam_ssh/pam_ssh.c,v 1.40 2004/02/10 10:13:21 des Exp $); #else -__RCSID($NetBSD: pam_ssh.c,v 1.16 2010/11/21 20:41:36 adam Exp $); +__RCSID($NetBSD: pam_ssh.c,v 1.17 2011/05/06 17:22:09 drochner Exp $); #endif #include sys/param.h @@ -107,13 +107,13 @@ comment = NULL; key = key_load_private(fn, passphrase, comment); if (key == NULL) { - openpam_log(PAM_LOG_DEBUG, failed to load key from %s\n, fn); + openpam_log(PAM_LOG_DEBUG, failed to load key from %s, fn); if (comment != NULL) free(comment); return (NULL); } - openpam_log(PAM_LOG_DEBUG, loaded '%s' from %s\n, comment, fn); + openpam_log(PAM_LOG_DEBUG, loaded '%s' from %s, comment, fn); if ((psk = malloc(sizeof(*psk))) == NULL) { key_free(key); free(comment);
CVS commit: src/lib/libpam/modules/pam_ssh
Module Name:src Committed By: adam Date: Sun Nov 21 20:41:36 UTC 2010 Modified Files: src/lib/libpam/modules/pam_ssh: pam_ssh.c Log Message: Use ssh_add_identity_constrained() instead of ssh_add_identity() To generate a diff of this commit: cvs rdiff -u -r1.15 -r1.16 src/lib/libpam/modules/pam_ssh/pam_ssh.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libpam/modules/pam_ssh/pam_ssh.c diff -u src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.15 src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.16 --- src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.15 Sun Jan 27 01:23:20 2008 +++ src/lib/libpam/modules/pam_ssh/pam_ssh.c Sun Nov 21 20:41:36 2010 @@ -1,4 +1,4 @@ -/* $NetBSD: pam_ssh.c,v 1.15 2008/01/27 01:23:20 christos Exp $ */ +/* $NetBSD: pam_ssh.c,v 1.16 2010/11/21 20:41:36 adam Exp $ */ /*- * Copyright (c) 2003 Networks Associates Technology, Inc. @@ -38,7 +38,7 @@ #ifdef __FreeBSD__ __FBSDID($FreeBSD: src/lib/libpam/modules/pam_ssh/pam_ssh.c,v 1.40 2004/02/10 10:13:21 des Exp $); #else -__RCSID($NetBSD: pam_ssh.c,v 1.15 2008/01/27 01:23:20 christos Exp $); +__RCSID($NetBSD: pam_ssh.c,v 1.16 2010/11/21 20:41:36 adam Exp $); #endif #include sys/param.h @@ -376,7 +376,7 @@ pam_err = pam_get_data(pamh, *kfn, vp); psk = vp; if (pam_err == PAM_SUCCESS psk != NULL) { - if (ssh_add_identity(ac, psk-key, psk-comment)) + if (ssh_add_identity_constrained(ac, psk-key, psk-comment, 0, 0)) openpam_log(PAM_LOG_DEBUG, added %s to ssh agent, psk-comment); else
CVS commit: src/lib/libpam/modules/pam_ssh
Module Name:src Committed By: christos Date: Mon Jul 20 18:01:41 UTC 2009 Modified Files: src/lib/libpam/modules/pam_ssh: Makefile Log Message: use new openssh tree To generate a diff of this commit: cvs rdiff -u -r1.9 -r1.10 src/lib/libpam/modules/pam_ssh/Makefile Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libpam/modules/pam_ssh/Makefile diff -u src/lib/libpam/modules/pam_ssh/Makefile:1.9 src/lib/libpam/modules/pam_ssh/Makefile:1.10 --- src/lib/libpam/modules/pam_ssh/Makefile:1.9 Mon Jul 20 13:29:08 2009 +++ src/lib/libpam/modules/pam_ssh/Makefile Mon Jul 20 14:01:41 2009 @@ -1,4 +1,4 @@ -# $NetBSD: Makefile,v 1.9 2009/07/20 17:29:08 christos Exp $ +# $NetBSD: Makefile,v 1.10 2009/07/20 18:01:41 christos Exp $ # PAM module for SSH # $FreeBSD: src/lib/libpam/modules/pam_ssh/Makefile,v 1.18 2004/08/06 07:27:04 cperciva Exp $ @@ -8,7 +8,7 @@ .include bsd.own.mk -SSHSRC= ${NETBSDSRCDIR}/crypto/dist/ssh +SSHSRC= ${NETBSDSRCDIR}/crypto/external/bsd/openssh/dist LIB= pam_ssh MAN= pam_ssh.8