CVS commit: src/lib/libpam/modules/pam_ssh

2020-03-01 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Sun Mar  1 14:50:43 UTC 2020

Modified Files:
src/lib/libpam/modules/pam_ssh: Makefile

Log Message:
Add the sign client part.


To generate a diff of this commit:
cvs rdiff -u -r1.11 -r1.12 src/lib/libpam/modules/pam_ssh/Makefile

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/lib/libpam/modules/pam_ssh/Makefile
diff -u src/lib/libpam/modules/pam_ssh/Makefile:1.11 src/lib/libpam/modules/pam_ssh/Makefile:1.12
--- src/lib/libpam/modules/pam_ssh/Makefile:1.11	Sat Feb  3 22:19:53 2018
+++ src/lib/libpam/modules/pam_ssh/Makefile	Sun Mar  1 09:50:43 2020
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.11 2018/02/04 03:19:53 christos Exp $
+# $NetBSD: Makefile,v 1.12 2020/03/01 14:50:43 christos Exp $
 # PAM module for SSH
 # $FreeBSD: src/lib/libpam/modules/pam_ssh/Makefile,v 1.18 2004/08/06 07:27:04 cperciva Exp $
 
@@ -10,9 +10,10 @@ NOPICINSTALL=	# don't install _pic.a lib
 
 SSHSRC=	${NETBSDSRCDIR}/crypto/external/bsd/openssh/dist
 
+.PATH: ${SSHSRC}
 LIB=	pam_ssh
 MAN=	pam_ssh.8
-SRCS=	pam_ssh.c
+SRCS=	pam_ssh.c ssh-sk-client.c
 
 CPPFLAGS+= -I${SSHSRC}
 
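Review bot: The new `SRCS` line compiles `ssh-sk-client.c` straight out of the OpenSSH tree into the PAM module, and the `.PATH: ${SSHSRC}` line exists only so that file resolves, but neither line says why a PAM module needs it. I would put a comment above `.PATH`, for example `# ssh-sk-client.c is built from ${SSHSRC}: the libssh key routines pam_ssh now uses reference its sshsk_* entry points` — presumably that is the unresolved-symbol reason behind the log message, but confirm against the link error this fixes. If ssh-sk-client.c is the security-key helper client its name suggests, the same comment should say that this now links that client into every process loading pam_ssh, since that is a visible change in what the module can do.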



CVS commit: src/lib/libpam/modules/pam_ssh

2020-02-26 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Thu Feb 27 03:25:09 UTC 2020

Modified Files:
src/lib/libpam/modules/pam_ssh: pam_ssh.c

Log Message:
This takes a provider argument now.


To generate a diff of this commit:
cvs rdiff -u -r1.27 -r1.28 src/lib/libpam/modules/pam_ssh/pam_ssh.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/lib/libpam/modules/pam_ssh/pam_ssh.c
diff -u src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.27 src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.28
--- src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.27	Sat Jun  1 03:15:39 2019
+++ src/lib/libpam/modules/pam_ssh/pam_ssh.c	Wed Feb 26 22:25:08 2020
@@ -1,4 +1,4 @@
-/*	$NetBSD: pam_ssh.c,v 1.27 2019/06/01 07:15:39 mlelstv Exp $	*/
+/*	$NetBSD: pam_ssh.c,v 1.28 2020/02/27 03:25:08 christos Exp $	*/
 
 /*-
  * Copyright (c) 2003 Networks Associates Technology, Inc.
@@ -38,7 +38,7 @@
 #ifdef __FreeBSD__
 __FBSDID("$FreeBSD: src/lib/libpam/modules/pam_ssh/pam_ssh.c,v 1.40 2004/02/10 10:13:21 des Exp $");
 #else
-__RCSID("$NetBSD: pam_ssh.c,v 1.27 2019/06/01 07:15:39 mlelstv Exp $");
+__RCSID("$NetBSD: pam_ssh.c,v 1.28 2020/02/27 03:25:08 christos Exp $");
 #endif
 
 #include 
@@ -68,7 +68,7 @@ __RCSID("$NetBSD: pam_ssh.c,v 1.27 2019/
 #include "authfile.h"
 
 #define ssh_add_identity(auth, key, comment) \
-	ssh_add_identity_constrained(auth, key, comment, 0, 0, 0)
+	ssh_add_identity_constrained(auth, key, comment, 0, 0, 0, "pam")
 
 extern char **environ;
 
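Review bot: The new seventh argument `"pam"` sits in the security-key provider slot of `ssh_add_identity_constrained()`, yet every key pam_ssh hands it is an ordinary file key from `.ssh/id_rsa` and friends, so the macro now attaches a provider constraint to keys that have none. In the OpenSSH authfd/ssh-agent versions I know, a non-NULL provider is sent to the agent as an `sk-provider@openssh.com` constraint and the agent rejects it for a key that is not authenticator-hosted, which would make every add fail; confirm against the ssh-agent in this tree. Unless that parameter means something else here, the macro should pass `ssh_add_identity_constrained(auth, key, comment, 0, 0, 0, NULL)`. A trailing comment naming the positional arguments (`/* life, confirm, maxsign, provider */`) would stop the next API bump from guessing at them again.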



CVS commit: src/lib/libpam/modules/pam_ssh

2018-08-26 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Sun Aug 26 08:54:03 UTC 2018

Modified Files:
src/lib/libpam/modules/pam_ssh: pam_ssh.c

Log Message:
Adjust to the new libssh API.


To generate a diff of this commit:
cvs rdiff -u -r1.25 -r1.26 src/lib/libpam/modules/pam_ssh/pam_ssh.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/lib/libpam/modules/pam_ssh/pam_ssh.c
diff -u src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.25 src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.26
--- src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.25	Sat Apr  7 15:28:32 2018
+++ src/lib/libpam/modules/pam_ssh/pam_ssh.c	Sun Aug 26 04:54:03 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: pam_ssh.c,v 1.25 2018/04/07 19:28:32 christos Exp $	*/
+/*	$NetBSD: pam_ssh.c,v 1.26 2018/08/26 08:54:03 christos Exp $	*/
 
 /*-
  * Copyright (c) 2003 Networks Associates Technology, Inc.
@@ -38,7 +38,7 @@
 #ifdef __FreeBSD__
 __FBSDID("$FreeBSD: src/lib/libpam/modules/pam_ssh/pam_ssh.c,v 1.40 2004/02/10 10:13:21 des Exp $");
 #else
-__RCSID("$NetBSD: pam_ssh.c,v 1.25 2018/04/07 19:28:32 christos Exp $");
+__RCSID("$NetBSD: pam_ssh.c,v 1.26 2018/08/26 08:54:03 christos Exp $");
 #endif
 
 #include 
@@ -62,8 +62,8 @@ __RCSID("$NetBSD: pam_ssh.c,v 1.25 2018/
 
 #include 
 
-#include "key.h"
-#include "buffer.h"
+#include "sshkey.h"
+#include "sshbuf.h"
 #include "authfd.h"
 #include "authfile.h"
 
@@ -73,7 +73,7 @@ __RCSID("$NetBSD: pam_ssh.c,v 1.25 2018/
 extern char **environ;
 
 struct pam_ssh_key {
-	Key	*key;
+	struct sshkey	*key;
 	char	*comment;
 };
 
@@ -103,8 +103,9 @@ pam_ssh_load_key(const char *dir, const 
 {
 	struct pam_ssh_key *psk;
 	char fn[PATH_MAX];
+	int r;
 	char *comment;
-	Key *key;
+	struct sshkey *key;
 
 	if (snprintf(fn, sizeof(fn), "%s/%s", dir, kfn) > (int)sizeof(fn))
 		return (NULL);
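Review bot: The length test on `if (snprintf(fn, sizeof(fn), "%s/%s", dir, kfn) > (int)sizeof(fn))` (unchanged context here; the same line is written in the hunks at L581-L598 and L705-L728) is off by one: snprintf() returns the length excluding the terminator, so a return equal to `sizeof(fn)` means the final character was already dropped, and it still passes. A negative (error) return passes too. I would make it `int len = snprintf(fn, sizeof(fn), "%s/%s", dir, kfn);` followed by `if (len < 0 || (size_t)len >= sizeof(fn)) return (NULL);`, keeping `len` separate from the `r` this hunk introduces for the key-loading result. pam_ssh_load_key() starts before this hunk.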
@@ -117,15 +118,15 @@ pam_ssh_load_key(const char *dir, const 
 	 * with an empty passphrase, and if the key is not encrypted,
 	 * accept only an empty passphrase.
 	 */
-	key = key_load_private(fn, "", );
-	if (key != NULL && !(*passphrase == '\0' && nullok)) {
-		key_free(key);
+	r = sshkey_load_private(fn, "", , );
+	if (r && !(*passphrase == '\0' && nullok)) {
+		sshkey_free(key);
 		free(comment);
 		return (NULL);
 	}
-	if (key == NULL)
-		key = key_load_private(fn, passphrase, );
-	if (key == NULL) {
+	if (r)
+		sshkey_load_private(fn, passphrase, , );
+	if (r) {
 		openpam_log(PAM_LOG_DEBUG, "failed to load key from %s", fn);
 		if (comment != NULL)
 			free(comment);
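Review bot: The port to `sshkey_load_private()` inverts the nullok check: `r` is nonzero on failure, so `if (r && !(*passphrase == '\0' && nullok))` now rejects keys that fail to load with an empty passphrase (the encrypted ones) and lets unencrypted keys through regardless of `nullok`, the opposite of what the comment above it describes and of the `key != NULL` test it replaces. The second `sshkey_load_private(fn, passphrase, ...)` call also discards its return value, so `r` is never cleared and the following `if (r)` fails even when the passphrase was right; the net effect is that only unencrypted keys can authenticate. The address-of operators on the `key`/`comment` arguments appear to have been lost in this listing; the rewrite below assumes `&key, &comment` as in the file. pam_ssh_load_key() starts and ends outside this hunk.
```c
	r = sshkey_load_private(fn, "", &key, &comment);
	/* r == 0 here means the key is unencrypted: accept only with nullok and an empty passphrase */
	if (r == 0 && !(*passphrase == '\0' && nullok)) {
		sshkey_free(key);
		free(comment);
		return (NULL);
	}
	if (r != 0)
		r = sshkey_load_private(fn, passphrase, &key, &comment);
	if (r != 0) {
		/* … unchanged: debug log, free(comment), return (NULL) … */
```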
@@ -134,7 +135,7 @@ pam_ssh_load_key(const char *dir, const 
 
 	openpam_log(PAM_LOG_DEBUG, "loaded '%s' from %s", comment, fn);
 	if ((psk = malloc(sizeof(*psk))) == NULL) {
-		key_free(key);
+		sshkey_free(key);
 		free(comment);
 		return (NULL);
 	}
@@ -153,7 +154,7 @@ pam_ssh_free_key(pam_handle_t *pamh __un
 	struct pam_ssh_key *psk;
 
 	psk = data;
-	key_free(psk->key);
+	sshkey_free(psk->key);
 	free(psk->comment);
 	free(psk);
 }



CVS commit: src/lib/libpam/modules/pam_ssh

2018-04-07 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Sat Apr  7 19:28:32 UTC 2018

Modified Files:
src/lib/libpam/modules/pam_ssh: pam_ssh.c

Log Message:
fix and use the macro.


To generate a diff of this commit:
cvs rdiff -u -r1.24 -r1.25 src/lib/libpam/modules/pam_ssh/pam_ssh.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/lib/libpam/modules/pam_ssh/pam_ssh.c
diff -u src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.24 src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.25
--- src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.24	Sat Apr  7 09:57:12 2018
+++ src/lib/libpam/modules/pam_ssh/pam_ssh.c	Sat Apr  7 15:28:32 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: pam_ssh.c,v 1.24 2018/04/07 13:57:12 christos Exp $	*/
+/*	$NetBSD: pam_ssh.c,v 1.25 2018/04/07 19:28:32 christos Exp $	*/
 
 /*-
  * Copyright (c) 2003 Networks Associates Technology, Inc.
@@ -38,7 +38,7 @@
 #ifdef __FreeBSD__
 __FBSDID("$FreeBSD: src/lib/libpam/modules/pam_ssh/pam_ssh.c,v 1.40 2004/02/10 10:13:21 des Exp $");
 #else
-__RCSID("$NetBSD: pam_ssh.c,v 1.24 2018/04/07 13:57:12 christos Exp $");
+__RCSID("$NetBSD: pam_ssh.c,v 1.25 2018/04/07 19:28:32 christos Exp $");
 #endif
 
 #include 
@@ -68,7 +68,7 @@ __RCSID("$NetBSD: pam_ssh.c,v 1.24 2018/
 #include "authfile.h"
 
 #define ssh_add_identity(auth, key, comment) \
-	ssh_add_identity_constrained(auth, key, comment, 0, 0)
+	ssh_add_identity_constrained(auth, key, comment, 0, 0, 0)
 
 extern char **environ;
 
@@ -383,8 +383,7 @@ pam_ssh_add_keys_to_agent(pam_handle_t *
 		pam_err = pam_get_data(pamh, *kfn, );
 		psk = vp;
 		if (pam_err == PAM_SUCCESS && psk != NULL) {
-			if (ssh_add_identity_constrained(agent_fd, psk->key,
-			psk->comment, 0, 0, 0))
+			if (ssh_add_identity(agent_fd, psk->key, psk->comment))
 openpam_log(PAM_LOG_DEBUG,
 "added %s to ssh agent", psk->comment);
 			else
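Review bot: `if (ssh_add_identity(agent_fd, psk->key, psk->comment))` treats a nonzero return as success, but since the switch to the fd-based agent API (hunk at L400-L409, and kept as-is by the hunk at L320-L328) `ssh_add_identity_constrained()` in the libssh versions I know returns 0 on success and an `SSH_ERR_*` code on failure, so the "added %s to ssh agent" debug line fires on failure and the else branch on success. The key is added either way; only the diagnostics are inverted, which matters when someone is working out why a session's agent holds no keys. Change the test to `if (ssh_add_identity(agent_fd, psk->key, psk->comment) == 0)`. The else branch and the rest of pam_ssh_add_keys_to_agent() lie outside this hunk.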



CVS commit: src/lib/libpam/modules/pam_ssh

2018-04-07 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Sat Apr  7 13:57:12 UTC 2018

Modified Files:
src/lib/libpam/modules/pam_ssh: pam_ssh.c

Log Message:
The function grew an extra argument.


To generate a diff of this commit:
cvs rdiff -u -r1.23 -r1.24 src/lib/libpam/modules/pam_ssh/pam_ssh.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/lib/libpam/modules/pam_ssh/pam_ssh.c
diff -u src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.23 src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.24
--- src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.23	Fri Apr  3 22:51:10 2015
+++ src/lib/libpam/modules/pam_ssh/pam_ssh.c	Sat Apr  7 09:57:12 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: pam_ssh.c,v 1.23 2015/04/04 02:51:10 christos Exp $	*/
+/*	$NetBSD: pam_ssh.c,v 1.24 2018/04/07 13:57:12 christos Exp $	*/
 
 /*-
  * Copyright (c) 2003 Networks Associates Technology, Inc.
@@ -38,7 +38,7 @@
 #ifdef __FreeBSD__
 __FBSDID("$FreeBSD: src/lib/libpam/modules/pam_ssh/pam_ssh.c,v 1.40 2004/02/10 10:13:21 des Exp $");
 #else
-__RCSID("$NetBSD: pam_ssh.c,v 1.23 2015/04/04 02:51:10 christos Exp $");
+__RCSID("$NetBSD: pam_ssh.c,v 1.24 2018/04/07 13:57:12 christos Exp $");
 #endif
 
 #include 
@@ -384,7 +384,7 @@ pam_ssh_add_keys_to_agent(pam_handle_t *
 		psk = vp;
 		if (pam_err == PAM_SUCCESS && psk != NULL) {
 			if (ssh_add_identity_constrained(agent_fd, psk->key,
-			psk->comment, 0, 0))
+			psk->comment, 0, 0, 0))
 openpam_log(PAM_LOG_DEBUG,
 "added %s to ssh agent", psk->comment);
 			else



CVS commit: src/lib/libpam/modules/pam_ssh

2015-04-03 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Sat Apr  4 02:51:10 UTC 2015

Modified Files:
src/lib/libpam/modules/pam_ssh: pam_ssh.c

Log Message:
Adapt to the new API.


To generate a diff of this commit:
cvs rdiff -u -r1.22 -r1.23 src/lib/libpam/modules/pam_ssh/pam_ssh.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/lib/libpam/modules/pam_ssh/pam_ssh.c
diff -u src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.22 src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.23
--- src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.22	Fri Jan  6 09:04:02 2012
+++ src/lib/libpam/modules/pam_ssh/pam_ssh.c	Fri Apr  3 22:51:10 2015
@@ -1,4 +1,4 @@
-/*	$NetBSD: pam_ssh.c,v 1.22 2012/01/06 14:04:02 drochner Exp $	*/
+/*	$NetBSD: pam_ssh.c,v 1.23 2015/04/04 02:51:10 christos Exp $	*/
 
 /*-
  * Copyright (c) 2003 Networks Associates Technology, Inc.
@@ -38,7 +38,7 @@
 #ifdef __FreeBSD__
 __FBSDID($FreeBSD: src/lib/libpam/modules/pam_ssh/pam_ssh.c,v 1.40 2004/02/10 10:13:21 des Exp $);
 #else
-__RCSID($NetBSD: pam_ssh.c,v 1.22 2012/01/06 14:04:02 drochner Exp $);
+__RCSID($NetBSD: pam_ssh.c,v 1.23 2015/04/04 02:51:10 christos Exp $);
 #endif
 
 #include sys/param.h
@@ -352,11 +352,11 @@ done:
 static int
 pam_ssh_add_keys_to_agent(pam_handle_t *pamh)
 {
-	AuthenticationConnection *ac;
 	const struct pam_ssh_key *psk;
 	const char **kfn;
 	char **envlist, **env;
 	int pam_err;
+	int agent_fd;
 
 	/* switch to PAM environment */
 	envlist = environ;
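Review bot: `int agent_fd;` is declared without an initializer, yet the cleanup at `end:` tests `if (agent_fd != -1)` before closing it, and the only assignment of -1 is inside the socket-failure branch of the next hunk. If the block that closes at the top of that hunk (around line 368, not visible here) can reach `end:` first, the test reads an indeterminate value and may close an arbitrary descriptor. Declaring it as `int agent_fd = -1;` makes the cleanup safe on every path and lets the `agent_fd = -1;` assignment in the failure branch go. pam_ssh_add_keys_to_agent() continues beyond this hunk.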
@@ -368,11 +368,12 @@ pam_ssh_add_keys_to_agent(pam_handle_t *
 	}
 
 	/* get a connection to the agent */
-	if ((ac = ssh_get_authentication_connection()) == NULL) {
+	if (ssh_get_authentication_socket(agent_fd) != 0) {
 		openpam_log(PAM_LOG_DEBUG,
 		%s: cannot get authentication connection,
 		__func__);
 		pam_err = PAM_SYSTEM_ERR;
+		agent_fd = -1;
 		goto end;
 	}
 
@@ -382,7 +383,8 @@ pam_ssh_add_keys_to_agent(pam_handle_t *
 		pam_err = pam_get_data(pamh, *kfn, vp);
 		psk = vp;
 		if (pam_err == PAM_SUCCESS  psk != NULL) {
-			if (ssh_add_identity(ac, psk-key, psk-comment))
+			if (ssh_add_identity_constrained(agent_fd, psk-key,
+			psk-comment, 0, 0))
 openpam_log(PAM_LOG_DEBUG,
 added %s to ssh agent, psk-comment);
 			else
@@ -395,8 +397,8 @@ pam_ssh_add_keys_to_agent(pam_handle_t *
 	pam_err = PAM_SUCCESS;
  end:
 	/* disconnect from agent */
-	if (ac != NULL)
-		ssh_close_authentication_connection(ac);
+	if (agent_fd != -1)
+		ssh_close_authentication_socket(agent_fd);
 
 	/* switch back to original environment */
 	for (env = environ; *env != NULL; ++env)



CVS commit: src/lib/libpam/modules/pam_ssh

2012-01-06 Thread Matthias Drochner
Module Name:src
Committed By:   drochner
Date:   Fri Jan  6 14:04:02 UTC 2012

Modified Files:
src/lib/libpam/modules/pam_ssh: pam_ssh.c

Log Message:
pull in from FreeBSD rev.1.41: Narrow the use of user credentials.
(call pam_get_authtok() with caller's rights rather than user's)


To generate a diff of this commit:
cvs rdiff -u -r1.21 -r1.22 src/lib/libpam/modules/pam_ssh/pam_ssh.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/lib/libpam/modules/pam_ssh/pam_ssh.c
diff -u src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.21 src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.22
--- src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.21	Tue Jan  3 19:02:55 2012
+++ src/lib/libpam/modules/pam_ssh/pam_ssh.c	Fri Jan  6 14:04:02 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: pam_ssh.c,v 1.21 2012/01/03 19:02:55 christos Exp $	*/
+/*	$NetBSD: pam_ssh.c,v 1.22 2012/01/06 14:04:02 drochner Exp $	*/
 
 /*-
  * Copyright (c) 2003 Networks Associates Technology, Inc.
@@ -38,7 +38,7 @@
 #ifdef __FreeBSD__
 __FBSDID($FreeBSD: src/lib/libpam/modules/pam_ssh/pam_ssh.c,v 1.40 2004/02/10 10:13:21 des Exp $);
 #else
-__RCSID($NetBSD: pam_ssh.c,v 1.21 2012/01/03 19:02:55 christos Exp $);
+__RCSID($NetBSD: pam_ssh.c,v 1.22 2012/01/06 14:04:02 drochner Exp $);
 #endif
 
 #include sys/param.h
@@ -184,11 +184,6 @@ pam_sm_authenticate(pam_handle_t *pamh, 
 	if (pwd-pw_dir == NULL)
 		return (PAM_AUTH_ERR);
 
-	/* switch to user credentials */
-	pam_err = openpam_borrow_cred(pamh, pwd);
-	if (pam_err != PAM_SUCCESS)
-		return (pam_err);
-
 	nkeys = 0;
 	pass = (pam_get_item(pamh, PAM_AUTHTOK, item) == PAM_SUCCESS 
 	item != NULL);
@@ -196,10 +191,13 @@ pam_sm_authenticate(pam_handle_t *pamh, 
 	/* get passphrase */
 	pam_err = pam_get_authtok(pamh, PAM_AUTHTOK,
 	passphrase, pam_ssh_prompt);
-	if (pam_err != PAM_SUCCESS) {
-		openpam_restore_cred(pamh);
+	if (pam_err != PAM_SUCCESS)
+		return (pam_err);
+
+	/* switch to user credentials */
+	pam_err = openpam_borrow_cred(pamh, pwd);
+	if (pam_err != PAM_SUCCESS)
 		return (pam_err);
-	}
 
 	/* try to load keys from all keyfiles we know of */
 	for (kfn = pam_ssh_keyfiles; *kfn != NULL; ++kfn) {
@@ -210,6 +208,9 @@ pam_sm_authenticate(pam_handle_t *pamh, 
 		}
 	}
 
+	/* switch back to arbitrator credentials */
+	openpam_restore_cred(pamh);
+
 	/*
 	 * If we tried an old token and didn't get anything, and
 	 * try_first_pass was specified, try again after prompting the
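Review bot: The moved `openpam_restore_cred(pamh)` is now what keeps the `goto load_keys` retry in the following hunk legal, because the next pass calls `openpam_borrow_cred()` again after `pam_get_authtok()`; in OpenPAM as I know it, a second borrow without an intervening restore fails with PAM_SYSTEM_ERR, so this placement is load-bearing and nothing in the code says so. I would annotate it: `/* restore before the try_first_pass retry below: openpam_borrow_cred() refuses to nest */`. The `load_keys:` label and the retry test are outside this hunk.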
@@ -222,9 +223,6 @@ pam_sm_authenticate(pam_handle_t *pamh, 
 		goto load_keys;
 	}
 
-	/* switch back to arbitrator credentials before returning */
-	openpam_restore_cred(pamh);
-
 	/* no keys? */
 	if (nkeys == 0)
 		return (PAM_AUTH_ERR);



CVS commit: src/lib/libpam/modules/pam_ssh

2011-12-16 Thread Matthias Drochner
Module Name:src
Committed By:   drochner
Date:   Fri Dec 16 17:30:12 UTC 2011

Modified Files:
src/lib/libpam/modules/pam_ssh: pam_ssh.c

Log Message:
-remove remainders of the misguided changes in revs 1.5-1.9
-iron out more unnecessary differences to FreeBSD


To generate a diff of this commit:
cvs rdiff -u -r1.17 -r1.18 src/lib/libpam/modules/pam_ssh/pam_ssh.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/lib/libpam/modules/pam_ssh/pam_ssh.c
diff -u src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.17 src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.18
--- src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.17	Fri May  6 17:22:09 2011
+++ src/lib/libpam/modules/pam_ssh/pam_ssh.c	Fri Dec 16 17:30:12 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: pam_ssh.c,v 1.17 2011/05/06 17:22:09 drochner Exp $	*/
+/*	$NetBSD: pam_ssh.c,v 1.18 2011/12/16 17:30:12 drochner Exp $	*/
 
 /*-
  * Copyright (c) 2003 Networks Associates Technology, Inc.
@@ -38,7 +38,7 @@
 #ifdef __FreeBSD__
 __FBSDID($FreeBSD: src/lib/libpam/modules/pam_ssh/pam_ssh.c,v 1.40 2004/02/10 10:13:21 des Exp $);
 #else
-__RCSID($NetBSD: pam_ssh.c,v 1.17 2011/05/06 17:22:09 drochner Exp $);
+__RCSID($NetBSD: pam_ssh.c,v 1.18 2011/12/16 17:30:12 drochner Exp $);
 #endif
 
 #include sys/param.h
@@ -67,6 +67,9 @@ __RCSID($NetBSD: pam_ssh.c,v 1.17 2011/
 #include authfd.h
 #include authfile.h
 
+#define ssh_add_identity(auth, key, comment) \
+	ssh_add_identity_constrained(auth, key, comment, 0, 0)
+
 extern char **environ;
 
 struct pam_ssh_key {
@@ -85,8 +88,8 @@ static const char *pam_ssh_keyfiles[] = 
 };
 
 static const char *pam_ssh_agent = /usr/bin/ssh-agent;
-static const char *pam_ssh_agent_argv[] = { ssh_agent, -s, NULL };
-static const char *pam_ssh_agent_envp[] = { NULL };
+static const char *const pam_ssh_agent_argv[] = { ssh_agent, -s, NULL };
+static const char *const pam_ssh_agent_envp[] = { NULL };
 
 /*
  * Attempts to load a private key from the specified file in the specified
@@ -94,15 +97,14 @@ static const char *pam_ssh_agent_envp[] 
  * struct pam_ssh_key containing the key and its comment.
  */
 static struct pam_ssh_key *
-pam_ssh_load_key(struct passwd *pwd, const char *kfn, const char *passphrase)
+pam_ssh_load_key(const char *dir, const char *kfn, const char *passphrase)
 {
 	struct pam_ssh_key *psk;
 	char fn[PATH_MAX];
 	char *comment;
 	Key *key;
 
-	if (snprintf(fn, sizeof(fn), %s/%s, pwd-pw_dir, kfn) 
-	(int)sizeof(fn))
+	if (snprintf(fn, sizeof(fn), %s/%s, dir, kfn)  (int)sizeof(fn))
 		return (NULL);
 	comment = NULL;
 	key = key_load_private(fn, passphrase, comment);
@@ -144,6 +146,7 @@ pam_sm_authenticate(pam_handle_t *pamh, 
 int argc __unused, const char *argv[] __unused)
 {
 	const char **kfn, *passphrase, *user;
+	const void *item;
 	struct passwd *pwd, pwres;
 	struct pam_ssh_key *psk;
 	int nkeys, pam_err, pass;
@@ -167,22 +170,8 @@ pam_sm_authenticate(pam_handle_t *pamh, 
 	if (pam_err != PAM_SUCCESS)
 		return (pam_err);
 
-#ifdef notyet
-	for (kfn = pam_ssh_keyfiles; *kfn != NULL; ++kfn) {
-		char path[MAXPATHLEN];
-		(void)snprintf(path, sizeof(path), %s/%s, pwd-pw_dir, *kfn);
-		if (access(path, R_OK) == 0)
-			break;
-	}
-
-	if (*kfn == NULL) {
-		openpam_restore_cred(pamh);
-		return (PAM_AUTH_ERR);
-	}
-#endif
-
-	pass = (pam_get_item(pamh, PAM_AUTHTOK,
-	(const void **)__UNCONST(passphrase)) == PAM_SUCCESS);
+	pass = (pam_get_item(pamh, PAM_AUTHTOK, item) == PAM_SUCCESS 
+	item != NULL);
  load_keys:
 	/* get passphrase */
 	pam_err = pam_get_authtok(pamh, PAM_AUTHTOK,
@@ -195,7 +184,7 @@ pam_sm_authenticate(pam_handle_t *pamh, 
 	/* try to load keys from all keyfiles we know of */
 	nkeys = 0;
 	for (kfn = pam_ssh_keyfiles; *kfn != NULL; ++kfn) {
-		psk = pam_ssh_load_key(pwd, *kfn, passphrase);
+		psk = pam_ssh_load_key(pwd-pw_dir, *kfn, passphrase);
 		if (psk != NULL) {
 			pam_set_data(pamh, *kfn, psk, pam_ssh_free_key);
 			++nkeys;
@@ -376,7 +365,7 @@ pam_ssh_add_keys_to_agent(pam_handle_t *
 		pam_err = pam_get_data(pamh, *kfn, vp);
 		psk = vp;
 		if (pam_err == PAM_SUCCESS  psk != NULL) {
-			if (ssh_add_identity_constrained(ac, psk-key, psk-comment, 0, 0))
+			if (ssh_add_identity(ac, psk-key, psk-comment))
 openpam_log(PAM_LOG_DEBUG,
 added %s to ssh agent, psk-comment);
 			else



CVS commit: src/lib/libpam/modules/pam_ssh

2011-12-16 Thread Matthias Drochner
Module Name:src
Committed By:   drochner
Date:   Fri Dec 16 17:35:09 UTC 2011

Modified Files:
src/lib/libpam/modules/pam_ssh: pam_ssh.c

Log Message:
disallow empty passphrases per default, and implement the nullok
option to allow it if the administrator wishes, from FreeBSD


To generate a diff of this commit:
cvs rdiff -u -r1.18 -r1.19 src/lib/libpam/modules/pam_ssh/pam_ssh.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/lib/libpam/modules/pam_ssh/pam_ssh.c
diff -u src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.18 src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.19
--- src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.18	Fri Dec 16 17:30:12 2011
+++ src/lib/libpam/modules/pam_ssh/pam_ssh.c	Fri Dec 16 17:35:09 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: pam_ssh.c,v 1.18 2011/12/16 17:30:12 drochner Exp $	*/
+/*	$NetBSD: pam_ssh.c,v 1.19 2011/12/16 17:35:09 drochner Exp $	*/
 
 /*-
  * Copyright (c) 2003 Networks Associates Technology, Inc.
@@ -38,7 +38,7 @@
 #ifdef __FreeBSD__
 __FBSDID($FreeBSD: src/lib/libpam/modules/pam_ssh/pam_ssh.c,v 1.40 2004/02/10 10:13:21 des Exp $);
 #else
-__RCSID($NetBSD: pam_ssh.c,v 1.18 2011/12/16 17:30:12 drochner Exp $);
+__RCSID($NetBSD: pam_ssh.c,v 1.19 2011/12/16 17:35:09 drochner Exp $);
 #endif
 
 #include sys/param.h
@@ -97,7 +97,8 @@ static const char *const pam_ssh_agent_e
  * struct pam_ssh_key containing the key and its comment.
  */
 static struct pam_ssh_key *
-pam_ssh_load_key(const char *dir, const char *kfn, const char *passphrase)
+pam_ssh_load_key(const char *dir, const char *kfn, const char *passphrase,
+int nullok)
 {
 	struct pam_ssh_key *psk;
 	char fn[PATH_MAX];
@@ -107,7 +108,22 @@ pam_ssh_load_key(const char *dir, const 
 	if (snprintf(fn, sizeof(fn), %s/%s, dir, kfn)  (int)sizeof(fn))
 		return (NULL);
 	comment = NULL;
-	key = key_load_private(fn, passphrase, comment);
+	/*
+	 * If the key is unencrypted, OpenSSL ignores the passphrase, so
+	 * it will seem like the user typed in the right one.  This allows
+	 * a user to circumvent nullok by providing a dummy passphrase.
+	 * Verify that the key really *is* encrypted by trying to load it
+	 * with an empty passphrase, and if the key is not encrypted,
+	 * accept only an empty passphrase.
+	 */
+	key = key_load_private(fn, , comment);
+	if (key != NULL  !(*passphrase == '\0'  nullok)) {
+		key_free(key);
+		free(comment);
+		return (NULL);
+	}
+	if (key == NULL)
+		key = key_load_private(fn, passphrase, comment);
 	if (key == NULL) {
 		openpam_log(PAM_LOG_DEBUG, failed to load key from %s, fn);
 		if (comment != NULL)
@@ -149,9 +165,11 @@ pam_sm_authenticate(pam_handle_t *pamh, 
 	const void *item;
 	struct passwd *pwd, pwres;
 	struct pam_ssh_key *psk;
-	int nkeys, pam_err, pass;
+	int nkeys, nullok, pam_err, pass;
 	char pwbuf[1024];
 
+	nullok = (openpam_get_option(pamh, nullok) != NULL);
+
 	/* PEM is not loaded by default */
 	OpenSSL_add_all_algorithms();
 
@@ -170,6 +188,7 @@ pam_sm_authenticate(pam_handle_t *pamh, 
 	if (pam_err != PAM_SUCCESS)
 		return (pam_err);
 
+	nkeys = 0;
 	pass = (pam_get_item(pamh, PAM_AUTHTOK, item) == PAM_SUCCESS 
 	item != NULL);
  load_keys:
@@ -182,9 +201,8 @@ pam_sm_authenticate(pam_handle_t *pamh, 
 	}
 
 	/* try to load keys from all keyfiles we know of */
-	nkeys = 0;
 	for (kfn = pam_ssh_keyfiles; *kfn != NULL; ++kfn) {
-		psk = pam_ssh_load_key(pwd-pw_dir, *kfn, passphrase);
+		psk = pam_ssh_load_key(pwd-pw_dir, *kfn, passphrase, nullok);
 		if (psk != NULL) {
 			pam_set_data(pamh, *kfn, psk, pam_ssh_free_key);
 			++nkeys;



CVS commit: src/lib/libpam/modules/pam_ssh

2011-12-16 Thread Matthias Drochner
Module Name:src
Committed By:   drochner
Date:   Fri Dec 16 17:37:14 UTC 2011

Modified Files:
src/lib/libpam/modules/pam_ssh: pam_ssh.8 pam_ssh.c

Log Message:
support ECDSA keys used by recent ssh


To generate a diff of this commit:
cvs rdiff -u -r1.5 -r1.6 src/lib/libpam/modules/pam_ssh/pam_ssh.8
cvs rdiff -u -r1.19 -r1.20 src/lib/libpam/modules/pam_ssh/pam_ssh.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/lib/libpam/modules/pam_ssh/pam_ssh.8
diff -u src/lib/libpam/modules/pam_ssh/pam_ssh.8:1.5 src/lib/libpam/modules/pam_ssh/pam_ssh.8:1.6
--- src/lib/libpam/modules/pam_ssh/pam_ssh.8:1.5	Mon Feb 28 10:31:41 2005
+++ src/lib/libpam/modules/pam_ssh/pam_ssh.8	Fri Dec 16 17:37:14 2011
@@ -1,4 +1,4 @@
-.\ $NetBSD: pam_ssh.8,v 1.5 2005/02/28 10:31:41 wiz Exp $
+.\ $NetBSD: pam_ssh.8,v 1.6 2011/12/16 17:37:14 drochner Exp $
 .\ Copyright (c) 2001 Mark R V Murray
 .\ All rights reserved.
 .\ Copyright (c) 2001-2003 Networks Associates Technology, Inc.
@@ -35,7 +35,7 @@
 .\
 .\ $FreeBSD: src/lib/libpam/modules/pam_ssh/pam_ssh.8,v 1.13 2004/07/02 23:52:18 ru Exp $
 .\
-.Dd February 27, 2005
+.Dd December 16, 2011
 .Dt PAM_SSH 8
 .Os
 .Sh NAME
@@ -93,6 +93,10 @@ This option is similar to the
 option,
 except that if the previously obtained password fails,
 the user is prompted for another password.
+.It Cm nullok
+Normally, keys with no passphrase are ignored for authentication purposes.
+If this option is set, keys with no passphrase will be taken into
+consideration, allowing the user to log in with a blank password.
 .El
 .Ss SSH Session Management Module
 The
@@ -130,6 +134,8 @@ SSH1 RSA key
 SSH2 RSA key
 .It Pa $HOME/.ssh/id_dsa
 SSH2 DSA key
+.It Pa $HOME/.ssh/id_ecdsa
+SSH2 ECDSA key
 .El
 .Sh SEE ALSO
 .Xr ssh-agent 1 ,

Index: src/lib/libpam/modules/pam_ssh/pam_ssh.c
diff -u src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.19 src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.20
--- src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.19	Fri Dec 16 17:35:09 2011
+++ src/lib/libpam/modules/pam_ssh/pam_ssh.c	Fri Dec 16 17:37:14 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: pam_ssh.c,v 1.19 2011/12/16 17:35:09 drochner Exp $	*/
+/*	$NetBSD: pam_ssh.c,v 1.20 2011/12/16 17:37:14 drochner Exp $	*/
 
 /*-
  * Copyright (c) 2003 Networks Associates Technology, Inc.
@@ -38,7 +38,7 @@
 #ifdef __FreeBSD__
 __FBSDID($FreeBSD: src/lib/libpam/modules/pam_ssh/pam_ssh.c,v 1.40 2004/02/10 10:13:21 des Exp $);
 #else
-__RCSID($NetBSD: pam_ssh.c,v 1.19 2011/12/16 17:35:09 drochner Exp $);
+__RCSID($NetBSD: pam_ssh.c,v 1.20 2011/12/16 17:37:14 drochner Exp $);
 #endif
 
 #include sys/param.h
@@ -84,6 +84,7 @@ static const char *pam_ssh_keyfiles[] = 
 	.ssh/identity,	/* SSH1 RSA key */
 	.ssh/id_rsa,		/* SSH2 RSA key */
 	.ssh/id_dsa,		/* SSH2 DSA key */
+	.ssh/id_ecdsa, 	/* SSH2 ECDSA key */
 	NULL
 };
 



CVS commit: src/lib/libpam/modules/pam_ssh

2011-05-06 Thread Matthias Drochner
Module Name:src
Committed By:   drochner
Date:   Fri May  6 17:22:09 UTC 2011

Modified Files:
src/lib/libpam/modules/pam_ssh: pam_ssh.c

Log Message:
remove excess newlines in debug output


To generate a diff of this commit:
cvs rdiff -u -r1.16 -r1.17 src/lib/libpam/modules/pam_ssh/pam_ssh.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/lib/libpam/modules/pam_ssh/pam_ssh.c
diff -u src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.16 src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.17
--- src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.16	Sun Nov 21 20:41:36 2010
+++ src/lib/libpam/modules/pam_ssh/pam_ssh.c	Fri May  6 17:22:09 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: pam_ssh.c,v 1.16 2010/11/21 20:41:36 adam Exp $	*/
+/*	$NetBSD: pam_ssh.c,v 1.17 2011/05/06 17:22:09 drochner Exp $	*/
 
 /*-
  * Copyright (c) 2003 Networks Associates Technology, Inc.
@@ -38,7 +38,7 @@
 #ifdef __FreeBSD__
 __FBSDID($FreeBSD: src/lib/libpam/modules/pam_ssh/pam_ssh.c,v 1.40 2004/02/10 10:13:21 des Exp $);
 #else
-__RCSID($NetBSD: pam_ssh.c,v 1.16 2010/11/21 20:41:36 adam Exp $);
+__RCSID($NetBSD: pam_ssh.c,v 1.17 2011/05/06 17:22:09 drochner Exp $);
 #endif
 
 #include sys/param.h
@@ -107,13 +107,13 @@
 	comment = NULL;
 	key = key_load_private(fn, passphrase, comment);
 	if (key == NULL) {
-		openpam_log(PAM_LOG_DEBUG, failed to load key from %s\n, fn);
+		openpam_log(PAM_LOG_DEBUG, failed to load key from %s, fn);
 		if (comment != NULL)
 			free(comment);
 		return (NULL);
 	}
 
-	openpam_log(PAM_LOG_DEBUG, loaded '%s' from %s\n, comment, fn);
+	openpam_log(PAM_LOG_DEBUG, loaded '%s' from %s, comment, fn);
 	if ((psk = malloc(sizeof(*psk))) == NULL) {
 		key_free(key);
 		free(comment);



CVS commit: src/lib/libpam/modules/pam_ssh

2010-11-21 Thread Adam Ciarcinski
Module Name:src
Committed By:   adam
Date:   Sun Nov 21 20:41:36 UTC 2010

Modified Files:
src/lib/libpam/modules/pam_ssh: pam_ssh.c

Log Message:
Use ssh_add_identity_constrained() instead of ssh_add_identity()


To generate a diff of this commit:
cvs rdiff -u -r1.15 -r1.16 src/lib/libpam/modules/pam_ssh/pam_ssh.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/lib/libpam/modules/pam_ssh/pam_ssh.c
diff -u src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.15 src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.16
--- src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.15	Sun Jan 27 01:23:20 2008
+++ src/lib/libpam/modules/pam_ssh/pam_ssh.c	Sun Nov 21 20:41:36 2010
@@ -1,4 +1,4 @@
-/*	$NetBSD: pam_ssh.c,v 1.15 2008/01/27 01:23:20 christos Exp $	*/
+/*	$NetBSD: pam_ssh.c,v 1.16 2010/11/21 20:41:36 adam Exp $	*/
 
 /*-
  * Copyright (c) 2003 Networks Associates Technology, Inc.
@@ -38,7 +38,7 @@
 #ifdef __FreeBSD__
 __FBSDID($FreeBSD: src/lib/libpam/modules/pam_ssh/pam_ssh.c,v 1.40 2004/02/10 10:13:21 des Exp $);
 #else
-__RCSID($NetBSD: pam_ssh.c,v 1.15 2008/01/27 01:23:20 christos Exp $);
+__RCSID($NetBSD: pam_ssh.c,v 1.16 2010/11/21 20:41:36 adam Exp $);
 #endif
 
 #include sys/param.h
@@ -376,7 +376,7 @@
 		pam_err = pam_get_data(pamh, *kfn, vp);
 		psk = vp;
 		if (pam_err == PAM_SUCCESS  psk != NULL) {
-			if (ssh_add_identity(ac, psk-key, psk-comment))
+			if (ssh_add_identity_constrained(ac, psk-key, psk-comment, 0, 0))
 openpam_log(PAM_LOG_DEBUG,
 added %s to ssh agent, psk-comment);
 			else



CVS commit: src/lib/libpam/modules/pam_ssh

2009-07-20 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Mon Jul 20 18:01:41 UTC 2009

Modified Files:
src/lib/libpam/modules/pam_ssh: Makefile

Log Message:
use new openssh tree


To generate a diff of this commit:
cvs rdiff -u -r1.9 -r1.10 src/lib/libpam/modules/pam_ssh/Makefile

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/lib/libpam/modules/pam_ssh/Makefile
diff -u src/lib/libpam/modules/pam_ssh/Makefile:1.9 src/lib/libpam/modules/pam_ssh/Makefile:1.10
--- src/lib/libpam/modules/pam_ssh/Makefile:1.9	Mon Jul 20 13:29:08 2009
+++ src/lib/libpam/modules/pam_ssh/Makefile	Mon Jul 20 14:01:41 2009
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.9 2009/07/20 17:29:08 christos Exp $
+# $NetBSD: Makefile,v 1.10 2009/07/20 18:01:41 christos Exp $
 # PAM module for SSH
 # $FreeBSD: src/lib/libpam/modules/pam_ssh/Makefile,v 1.18 2004/08/06 07:27:04 cperciva Exp $
 
@@ -8,7 +8,7 @@
 
 .include bsd.own.mk
 
-SSHSRC=	${NETBSDSRCDIR}/crypto/dist/ssh
+SSHSRC=	${NETBSDSRCDIR}/crypto/external/bsd/openssh/dist
 
 LIB=	pam_ssh
 MAN=	pam_ssh.8