path: root/auth-pam.c
Commit message | Author | Age | Files | Lines
* propagate PAM crashes to PerSourcePenalties | Damien Miller | 2024-06-17 | 1 | -7/+8
  If the PAM subprocess crashes, exit with a crash status that will be picked up by the sshd(8) listener process where it can be used by PerSourcePenalties to block the client. This is similar handling to the privsep preauth process.
* add a sshd_config PamServiceName option | Damien Miller | 2024-06-14 | 1 | -7/+6
  Allows selecting which PAM service name to use when UsePAM is enabled. Defaults to "sshd" unless overridden at compile time by defining SSHD_PAM_SERVICE. bz2102, ok dtucker@
* sshd: don't use argv[0] as PAM service name | Damien Miller | 2024-06-13 | 1 | -2/+1
  sshd would implicitly use argv[0] as the PAM service name to allow people to select different PAM service names by making differently-named copies/links to the sshd binary. Splitting sshd into sshd/sshd-session broke this, as the process that starts PAM is always sshd-session and the user has no control over this. Hardcode "sshd" as the default PAM service name unless/until we figure out a better way. Should unbreak OSX integration tests.
* upstream: Start the process of splitting sshd into separate | djm@openbsd.org | 2024-05-17 | 1 | -12/+11
  binaries. This step splits sshd into a listener and a session binary. More splits are planned. After this change, the listener binary will validate the configuration, load the hostkeys, listen on port 22 and manage MaxStartups only. All session handling will be performed by a new sshd-session binary that the listener fork+execs. This reduces the listener process to the minimum necessary and sets us up for future work on the sshd-session binary. feedback/ok markus@ deraadt@ NB. if you're updating via source, please restart sshd after installing, otherwise you run the risk of locking yourself out.
  OpenBSD-Commit-ID: 43c04a1ab96cdbdeb53d2df0125a6d42c5f19934
* Expose SSH_AUTH_INFO_0 always to PAM auth modules. | Eero Häkkinen | 2024-03-30 | 1 | -0/+2
  This changes SSH_AUTH_INFO_0 to be exposed to PAM auth modules also when a password authentication method is in use and not only when a keyboard-interactive authentication method is in use.
* Fix typo in declaration of nmesg. | Darren Tucker | 2023-07-14 | 1 | -1/+1
* portable-specific int overflow defence-in-depth | Damien Miller | 2023-07-14 | 1 | -1/+3
  These too are unreachable, but we want the code to be safe regardless of context. Reported by Yair Mizrahi @ JFrog
* Limit the number of PAM environment variables. | Darren Tucker | 2023-03-09 | 1 | -5/+10
  From Coverity CID 405194, tweaks and ok djm@
* Simply handling of SSH_CONNECTION PAM env var. | Darren Tucker | 2022-12-19 | 1 | -5/+11
  Prompted by bz#3508: there's no need to cache the value of sshpam_conninfo so remove the global. While there, add check of return value from pam_putenv. ok djm@
* Fix memory leak in error path. | Shchelkunov Artem | 2021-09-03 | 1 | -0/+1
  *info is allocated via xstrdup but was leaked in the PAM_AUTH_ERR path. From github PR#266.
* Remove reference to ChallengeResponse. | Darren Tucker | 2021-07-03 | 1 | -1/+0
  challenge_response_authentication was removed from the struct, keeping kbd_interactive_authentication.
* polish whitespace for portable files | Damien Miller | 2021-04-03 | 1 | -2/+2
* Prevent excessively long username going to PAM. | Darren Tucker | 2020-11-11 | 1 | -0/+6
  This is a mitigation for a buffer overflow in Solaris' PAM username handling (CVE-2020-14871), and is only enabled for Sun-derived PAM implementations. This is not a problem in sshd itself, it only prevents sshd from being used as a vector to attack Solaris' PAM. It does not prevent the bug in PAM from being exploited via some other PAM application. Based on github PR#212 from Mike Scott but implemented slightly differently. ok tim@ djm@
* document a PAM spec problem in a frustrated comment | Damien Miller | 2020-06-26 | 1 | -1/+5
* Fix a couple of mysig_t leftovers. | Darren Tucker | 2020-01-23 | 1 | -1/+2
* upstream: Replace all calls to signal(2) with a wrapper around | dtucker@openbsd.org | 2020-01-23 | 1 | -4/+4
  sigaction(2). This wrapper blocks all other signals during the handler preventing races between handlers, and sets SA_RESTART which should reduce the potential for short read/write operations.
  OpenBSD-Commit-ID: 5e047663fd77a40d7b07bdabe68529df51fd2519
* Make sshpam_password_change_required static. | Ruben Kerkhof | 2020-01-21 | 1 | -1/+1
  sshpam_password_change_required is only used in auth-pam.c, so make it static to prevent a missing prototype warning.
* Fix a few warnings when on Mac OS X. | Ruben Kerkhof | 2020-01-20 | 1 | -0/+1
  Include stdlib.h for calloc, malloc, free and setenv.
* memleak of buffer in sshpam_query | Damien Miller | 2019-09-13 | 1 | -0/+5
  coverity report via Ed Maste; ok dtucker@
* Typo fixes in error messages. | Darren Tucker | 2019-06-07 | 1 | -3/+3
  Patch from knweiss at gmail.com via github pull req #97 (portable-specific parts).
* Have pthread_create return errno on failure. | Darren Tucker | 2019-06-07 | 1 | -3/+2
  According to POSIX, pthread_create returns the failure reason in the non-zero function return code so make the fork wrapper do that. Matches previous change.
* pthread_create(3) returns positive values on failure. | Elliott Hughes | 2019-06-07 | 1 | -2/+4
  Found by inspection after finding similar bugs in other code used by Android.
* Add no-op implementation of pam_putenv. | Darren Tucker | 2019-05-17 | 1 | -4/+8
  Some platforms such as HP-UX do not have pam_putenv. Currently the calls are ifdef'ed out, but a new one was recently added. Remove the ifdefs and add a no-op implementation. bz#3008, ok djm.
* remove PAM dependencies on old packet API | Damien Miller | 2019-01-20 | 1 | -26/+42
  Requires some caching of values, because the PAM code isn't always called with packet context.
* expose $SSH_CONNECTION in the PAM environment | Damien Miller | 2018-12-14 | 1 | -0/+10
  This makes the connection 4-tuple available to PAM modules that wish to use it in decision-making. bz#2741
* adapt -portable to OpenSSL 1.1x API | Damien Miller | 2018-09-13 | 1 | -0/+4
  Polyfill missing API with replacement functions extracted from LibreSSL
* Remove key.h from portable files too. | Darren Tucker | 2018-07-12 | 1 | -1/+0
  Commit 5467fbcb removed key.h so stop including it in portable files too. Fixes builds on lots of platforms.
* Adapt portable to legacy buffer API removal | Damien Miller | 2018-07-10 | 1 | -85/+136
* Expose SSH_AUTH_INFO_0 to PAM auth modules | Damien Miller | 2018-04-06 | 1 | -20/+22
  bz#2408, patch from Radoslaw Ejsmont; ok dtucker@
* Update PAM password change to new opts API. | Darren Tucker | 2018-03-03 | 1 | -6/+15
* upstream: switch over to the new authorized_keys options API and | djm@openbsd.org | 2018-03-03 | 1 | -2/+2
  remove the legacy one. Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines. feedback and ok markus@
  OpenBSD-Commit-ID: dece6cae0f47751b9892080eb13d6625599573df
* Expose list of completed auth methods to PAM | Damien Miller | 2017-07-28 | 1 | -0/+26
  bz#2408; ok dtucker@
* Remove SSHv1 code path. | Darren Tucker | 2017-03-29 | 1 | -12/+9
  Server-side support for Protocol 1 has been removed so remove !compat20 PAM code path.
* Check for NULL from malloc. | Darren Tucker | 2017-03-10 | 1 | -0/+2
  Part of bz#2687, from jjelen at redhat.com.
* Remove do_pam_set_tty which is dead code. | Darren Tucker | 2016-10-14 | 1 | -12/+0
  The callers of do_pam_set_tty were removed in 2008, so this is now dead code. bz#2604, pointed out by jjelen at redhat.com.
* add --with-pam-service to specify PAM service name | Damien Miller | 2016-08-16 | 1 | -1/+5
  Saves messing around with CFLAGS to do it.
* retry waitpid on EINTR failure | Damien Miller | 2016-07-22 | 1 | -4/+11
  patch from Jakub Jelen on bz#2581; ok dtucker@
* Handle PAM_MAXTRIES from modules. | Darren Tucker | 2016-07-18 | 1 | -1/+29
  bz#2249: handle the case where PAM returns PAM_MAXTRIES by ceasing to offer password and keyboard-interactive authentication methods. Should prevent "sshd ignoring max retries" warnings in the log. ok djm@
  It probably won't trigger with keyboard-interactive in the default configuration because the retry counter is stored in module-private storage which goes away with the sshd PAM process (see bz#688). On the other hand, those cases probably won't log a warning either.
* Mitigate timing of disallowed users PAM logins. | Darren Tucker | 2016-07-15 | 1 | -4/+31
  When sshd decides to not allow a login (eg PermitRootLogin=no) and it's using PAM, it sends a fake password to PAM so that the timing for the failure is not noticeably different whether or not the password is correct. This behaviour can be detected by sending a very long password string which is slower to hash than the fake password. Mitigate by constructing an invalid password that is the same length as the one from the client and thus takes the same time to hash. Diff from djm@
* Remove duplicate code from PAM. ok djm@ | Darren Tucker | 2016-06-17 | 1 | -17/+0
* Fix comment about sshpam_const and AIX. | Darren Tucker | 2016-05-20 | 1 | -2/+2
  From mschwager via github.
* unbreak PAM after canohost refactor | Damien Miller | 2016-03-08 | 1 | -2/+4
* avoid FreeBSD RCS Id in comment | Damien Miller | 2016-02-05 | 1 | -1/+2
  Change old $FreeBSD version string in comment so it doesn't become an RCS ident downstream; requested by des AT des.no
* xrealloc -> xreallocarray in portable code too. | Darren Tucker | 2015-04-30 | 1 | -2/+2
* - (dtucker) [auth-pam.c] bz#2163: check return value from pam_get_item(). | Darren Tucker | 2013-12-19 | 1 | -1/+3
  Patch from Loganaden Velvindron.
* - (dtucker) [M auth-chall.c auth-krb5.c auth-pam.c cipher-aes.c cipher-ctr.c | Darren Tucker | 2013-06-02 | 1 | -24/+20
  groupaccess.c loginrec.c monitor.c monitor_wrap.c session.c sshd.c sshlogin.c uidswap.c openbsd-compat/bsd-cygwin_util.c openbsd-compat/getrrsetbyname-ldns.c openbsd-compat/port-aix.c openbsd-compat/port-linux.c] Replace portable-specific instances of xfree with the equivalent calls to free.
* - (dtucker) [auth-pam.c] Bug #1534: move the deletion of PAM credentials on | Darren Tucker | 2009-07-12 | 1 | -5/+5
  logout to after the session close. Patch from Anicka Bernathova, ok djm.
* - (dtucker) [auth-pam.c monitor.c session.c sshd.c] Bug #926: Move | Darren Tucker | 2008-03-11 | 1 | -2/+4
  pam_open_session and pam_close_session into the privsep monitor, which will ensure that pam_session_close is called as root. Patch from Tomas Mraz.
* - (dtucker) [auth-pam.c] Use sigdie here too. ok djm@ | Darren Tucker | 2007-08-10 | 1 | -2/+2
* - (dtucker) [auth-pam.c] Return empty string if fgets fails in | Darren Tucker | 2007-05-20 | 1 | -1/+2
  sshpam_tty_conv. Patch from ldv at altlinux.org.