Reabse to latest release of pam_ssh_agent_auth with preserving current functionality
* Rebase to latest upstream version * Clean up older patches for pam_ssh_agent_auth * Remove prefixes from upstream release so we can build it against current openssh library * Remove copied files and headers so we make sure we build against current openssh
parent
7bc64374b0
commit
87ab5fc4af
@ -147,26 +147,6 @@ diff -up openssh-6.8p1/openbsd-compat/port-linux.h.coverity openssh-6.8p1/openbs
|
|||||||
+void linux_seed(void);
|
+void linux_seed(void);
|
||||||
+
|
+
|
||||||
#endif /* ! _PORT_LINUX_H */
|
#endif /* ! _PORT_LINUX_H */
|
||||||
diff -up openssh-6.8p1/pam_ssh_agent_auth-0.9.3/pam_user_key_allowed2.c.coverity openssh-6.8p1/pam_ssh_agent_auth-0.9.3/pam_user_key_allowed2.c
|
|
||||||
--- openssh-6.8p1/pam_ssh_agent_auth-0.9.3/pam_user_key_allowed2.c.coverity 2015-03-18 17:21:51.788265059 +0100
|
|
||||||
+++ openssh-6.8p1/pam_ssh_agent_auth-0.9.3/pam_user_key_allowed2.c 2015-03-18 17:21:51.898264829 +0100
|
|
||||||
@@ -87,7 +87,7 @@ pam_user_key_allowed2(struct passwd *pw,
|
|
||||||
found = key_new(key->type);
|
|
||||||
|
|
||||||
while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
|
|
||||||
- char *cp, *key_options = NULL;
|
|
||||||
+ char *cp = NULL;
|
|
||||||
|
|
||||||
/* Skip leading whitespace, empty and comment lines. */
|
|
||||||
for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
|
|
||||||
@@ -99,7 +99,6 @@ pam_user_key_allowed2(struct passwd *pw,
|
|
||||||
/* no key? check if there are options for this key */
|
|
||||||
int quoted = 0;
|
|
||||||
verbose("user_key_allowed: check options: '%s'", cp);
|
|
||||||
- key_options = cp;
|
|
||||||
for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) {
|
|
||||||
if (*cp == '\\' && cp[1] == '"')
|
|
||||||
cp++; /* Skip both */
|
|
||||||
diff -up openssh-6.8p1/scp.c.coverity openssh-6.8p1/scp.c
|
diff -up openssh-6.8p1/scp.c.coverity openssh-6.8p1/scp.c
|
||||||
--- openssh-6.8p1/scp.c.coverity 2015-03-18 17:21:51.868264891 +0100
|
--- openssh-6.8p1/scp.c.coverity 2015-03-18 17:21:51.868264891 +0100
|
||||||
+++ openssh-6.8p1/scp.c 2015-03-18 17:21:58.281251460 +0100
|
+++ openssh-6.8p1/scp.c 2015-03-18 17:21:58.281251460 +0100
|
||||||
|
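--- a/openssh.spec
+++ b/openssh.spec
@@ -67,8 +67,8 @@
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %global openssh_ver 7.1p2
 %global openssh_rel 1
-%global pam_ssh_agent_ver 0.9.3
-%global pam_ssh_agent_rel 9
+%global pam_ssh_agent_ver 0.10.2
+%global pam_ssh_agent_rel 1
 
 Summary: An open source implementation of SSH protocol versions 1 and 2
 Name: openssh
@@ -114,12 +114,10 @@ Patch300: pam_ssh_agent_auth-0.9.3-build.patch
 Patch301: pam_ssh_agent_auth-0.9.2-seteuid.patch
 # explicitly make pam callbacks visible
 Patch302: pam_ssh_agent_auth-0.9.2-visibility.patch
-# don't use xfree (#1024965)
-Patch303: pam_ssh_agent_auth-0.9.3-no-xfree.patch
-# use SSH_DIGEST_* for fingerprint hashes
-Patch304: pam_ssh_agent_auth-0.9.3-fingerprint-hash.patch
 # update to current version of agent structure
 Patch305: pam_ssh_agent_auth-0.9.3-agent_structure.patch
+# remove prefixes to be able to build against current openssh library
+Patch306: pam_ssh_agent_auth-0.10.2-compat.patch
 
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1641 (WONTFIX)
 Patch400: openssh-6.6p1-role-mls.patch
@@ -131,7 +129,7 @@ Patch501: openssh-6.7p1-ldap.patch
 #?
 Patch502: openssh-6.6p1-keycat.patch
 
-#http6://bugzilla.mindrot.org/show_bug.cgi?id=1644
+#https://bugzilla.mindrot.org/show_bug.cgi?id=1644
 Patch601: openssh-6.6p1-allow-ip-opts.patch
 #http://cvsweb.netbsd.org/cgi-bin/cvsweb.cgi/src/crypto/dist/ssh/Attic/sftp-glob.c.diff?r1=1.13&r2=1.13.12.1&f=h
 Patch603: openssh-5.8p1-glob.patch
@@ -407,13 +405,12 @@ The module is most useful for su and sudo service stacks.
 
 %if %{pam_ssh_agent}
 pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
-%patch300 -p1 -b .psaa-build
+%patch300 -p2 -b .psaa-build
 %patch301 -p1 -b .psaa-seteuid
-%patch302 -p1 -b .psaa-visibility
-%patch303 -p1 -b .psaa-xfree
-%patch304 -p2 -b .psaa-fingerprint
+%patch302 -p2 -b .psaa-visibility
+%patch306 -p2 -b .psaa-compat
 %patch305 -p2 -b .psaa-agent
-# Remove duplicate headers
+# Remove duplicate headers and library files
 rm -f $(cat %{SOURCE5})
 popd
 %endif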
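Review bot: The `rm -f $(cat %{SOURCE5})` line in the last hunk is now the only thing ensuring the PAM module is built against the current openssh sources rather than the copies bundled in the pam_ssh_agent_auth tarball, and `-f` lets a stale or misspelled entry in that list pass silently. Dropping the flag, `rm $(cat %{SOURCE5})`, would make list drift fail in %prep instead of going unnoticed. It would not catch a bundled file that is missing from the list, so the list presumably still needs checking against the tarball on each rebase, which is worth saying in the comment above the command. Separately, `%patch301` stays at `-p1` while its neighbours moved to `-p2`; please confirm that is intended.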
|
@ -1,20 +1,37 @@
|
|||||||
|
authfd.c
|
||||||
authfd.h
|
authfd.h
|
||||||
|
atomicio.c
|
||||||
atomicio.h
|
atomicio.h
|
||||||
|
bufaux.c
|
||||||
|
bufbn.c
|
||||||
buffer.h
|
buffer.h
|
||||||
|
buffer.c
|
||||||
|
cleanup.c
|
||||||
cipher.h
|
cipher.h
|
||||||
compat.h
|
compat.h
|
||||||
defines.h
|
defines.h
|
||||||
|
entropy.c
|
||||||
entropy.h
|
entropy.h
|
||||||
|
fatal.c
|
||||||
includes.h
|
includes.h
|
||||||
kex.h
|
kex.h
|
||||||
|
key.c
|
||||||
key.h
|
key.h
|
||||||
|
log.c
|
||||||
log.h
|
log.h
|
||||||
match.h
|
match.h
|
||||||
|
misc.c
|
||||||
misc.h
|
misc.h
|
||||||
pathnames.h
|
pathnames.h
|
||||||
platform.h
|
platform.h
|
||||||
rsa.h
|
rsa.h
|
||||||
|
ssh-dss.c
|
||||||
|
ssh-rsa.c
|
||||||
ssh.h
|
ssh.h
|
||||||
ssh2.h
|
ssh2.h
|
||||||
|
uidswap.c
|
||||||
|
uidswap.h
|
||||||
|
uuencode.c
|
||||||
uuencode.h
|
uuencode.h
|
||||||
|
xmalloc.c
|
||||||
xmalloc.h
|
xmalloc.h
|
||||||
|
688
pam_ssh_agent_auth-0.10.2-compat.patch
Normal file
@ -0,0 +1,688 @@
|
|||||||
|
diff -up openssh-7.1p2/pam_ssh_agent_auth-0.10.2/iterate_ssh_agent_keys.c.old openssh-7.1p2/pam_ssh_agent_auth-0.10.2/iterate_ssh_agent_keys.c
|
||||||
|
--- openssh-7.1p2/pam_ssh_agent_auth-0.10.2/iterate_ssh_agent_keys.c.old 2016-01-22 16:27:56.867903172 +0100
|
||||||
|
+++ openssh-7.1p2/pam_ssh_agent_auth-0.10.2/iterate_ssh_agent_keys.c 2016-01-22 16:56:48.114868014 +0100
|
||||||
|
@@ -59,6 +59,8 @@
|
||||||
|
#include "get_command_line.h"
|
||||||
|
extern char **environ;
|
||||||
|
|
||||||
|
+#define PAM_SSH_AGENT_AUTH_REQUESTv1 101
|
||||||
|
+
|
||||||
|
/*
|
||||||
|
* Added by Jamie Beverly, ensure socket fd points to a socket owned by the user
|
||||||
|
* A cursory check is done, but to avoid race conditions, it is necessary
|
||||||
|
@@ -77,7 +77,7 @@ log_action(char ** action, size_t count)
|
||||||
|
if (count == 0)
|
||||||
|
return NULL;
|
||||||
|
|
||||||
|
- buf = pamsshagentauth_xcalloc((count * MAX_LEN_PER_CMDLINE_ARG) + (count * 3), sizeof(*buf));
|
||||||
|
+ buf = xcalloc((count * MAX_LEN_PER_CMDLINE_ARG) + (count * 3), sizeof(*buf));
|
||||||
|
for (i = 0; i < count; i++) {
|
||||||
|
strcat(buf, (i > 0) ? " '" : "'");
|
||||||
|
strncat(buf, action[i], MAX_LEN_PER_CMDLINE_ARG);
|
||||||
|
@@ -71,12 +90,12 @@ void
|
||||||
|
agent_action(Buffer *buf, char ** action, size_t count)
|
||||||
|
{
|
||||||
|
size_t i;
|
||||||
|
- pamsshagentauth_buffer_init(buf);
|
||||||
|
+ buffer_init(buf);
|
||||||
|
|
||||||
|
- pamsshagentauth_buffer_put_int(buf, count);
|
||||||
|
+ buffer_put_int(buf, count);
|
||||||
|
|
||||||
|
for (i = 0; i < count; i++) {
|
||||||
|
- pamsshagentauth_buffer_put_cstring(buf, action[i]);
|
||||||
|
+ buffer_put_cstring(buf, action[i]);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -100,7 +119,7 @@ pamsshagentauth_session_id2_gen(Buffer *
|
||||||
|
char * retc;
|
||||||
|
int32_t reti;
|
||||||
|
|
||||||
|
- rnd = pamsshagentauth_arc4random();
|
||||||
|
+ rnd = arc4random();
|
||||||
|
cookie_len = ((uint8_t) rnd);
|
||||||
|
while (cookie_len < 16) {
|
||||||
|
cookie_len += 16; /* Add 16 bytes to the size to ensure that while the length is random, the length is always reasonable; ticket #18 */
|
||||||
|
@@ -126,7 +128,7 @@ pamsshagentauth_session_id2_gen(Buffer *
|
||||||
|
cookie_len += 16; /* Add 16 bytes to the size to ensure that while the length is random, the length is always reasonable; ticket #18 */
|
||||||
|
}
|
||||||
|
|
||||||
|
- cookie = pamsshagentauth_xcalloc(1,cookie_len);
|
||||||
|
+ cookie = xcalloc(1,cookie_len);
|
||||||
|
|
||||||
|
for (i = 0; i < cookie_len; i++) {
|
||||||
|
if (i % 4 == 0) {
|
||||||
|
@@ -110,7 +129,7 @@ pamsshagentauth_session_id2_gen(Buffer *
|
||||||
|
|
||||||
|
for (i = 0; i < cookie_len; i++) {
|
||||||
|
if (i % 4 == 0) {
|
||||||
|
- rnd = pamsshagentauth_arc4random();
|
||||||
|
+ rnd = arc4random();
|
||||||
|
}
|
||||||
|
cookie[i] = (u_char) rnd;
|
||||||
|
rnd >>= 8;
|
||||||
|
@@ -125,7 +144,7 @@ pamsshagentauth_session_id2_gen(Buffer *
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
action_logbuf = "unknown on this platform";
|
||||||
|
- pamsshagentauth_buffer_init(&action_agentbuf); /* stays empty, means unavailable */
|
||||||
|
+ buffer_init(&action_agentbuf); /* stays empty, means unavailable */
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
@@ -142,35 +161,35 @@ pamsshagentauth_session_id2_gen(Buffer *
|
||||||
|
retc = getcwd(pwd, sizeof(pwd) - 1);
|
||||||
|
time(&ts);
|
||||||
|
|
||||||
|
- pamsshagentauth_buffer_init(session_id2);
|
||||||
|
+ buffer_init(session_id2);
|
||||||
|
|
||||||
|
- pamsshagentauth_buffer_put_int(session_id2, PAM_SSH_AGENT_AUTH_REQUESTv1);
|
||||||
|
- /* pamsshagentauth_debug3("cookie: %s", pamsshagentauth_tohex(cookie, cookie_len)); */
|
||||||
|
- pamsshagentauth_buffer_put_string(session_id2, cookie, cookie_len);
|
||||||
|
- /* pamsshagentauth_debug3("user: %s", user); */
|
||||||
|
- pamsshagentauth_buffer_put_cstring(session_id2, user);
|
||||||
|
- /* pamsshagentauth_debug3("ruser: %s", ruser); */
|
||||||
|
- pamsshagentauth_buffer_put_cstring(session_id2, ruser);
|
||||||
|
- /* pamsshagentauth_debug3("servicename: %s", servicename); */
|
||||||
|
- pamsshagentauth_buffer_put_cstring(session_id2, servicename);
|
||||||
|
- /* pamsshagentauth_debug3("pwd: %s", pwd); */
|
||||||
|
+ buffer_put_int(session_id2, PAM_SSH_AGENT_AUTH_REQUESTv1);
|
||||||
|
+ /* debug3("cookie: %s", tohex(cookie, cookie_len)); */
|
||||||
|
+ buffer_put_string(session_id2, cookie, cookie_len);
|
||||||
|
+ /* debug3("user: %s", user); */
|
||||||
|
+ buffer_put_cstring(session_id2, user);
|
||||||
|
+ /* debug3("ruser: %s", ruser); */
|
||||||
|
+ buffer_put_cstring(session_id2, ruser);
|
||||||
|
+ /* debug3("servicename: %s", servicename); */
|
||||||
|
+ buffer_put_cstring(session_id2, servicename);
|
||||||
|
+ /* debug3("pwd: %s", pwd); */
|
||||||
|
if(retc)
|
||||||
|
- pamsshagentauth_buffer_put_cstring(session_id2, pwd);
|
||||||
|
+ buffer_put_cstring(session_id2, pwd);
|
||||||
|
else
|
||||||
|
- pamsshagentauth_buffer_put_cstring(session_id2, "");
|
||||||
|
- /* pamsshagentauth_debug3("action: %s", action_logbuf); */
|
||||||
|
- pamsshagentauth_buffer_put_string(session_id2, action_agentbuf.buf + action_agentbuf.offset, action_agentbuf.end - action_agentbuf.offset);
|
||||||
|
+ buffer_put_cstring(session_id2, "");
|
||||||
|
+ /* debug3("action: %s", action_logbuf); */
|
||||||
|
+ buffer_put_string(session_id2, sshbuf_ptr(&action_agentbuf), sshbuf_len(&action_agentbuf));
|
||||||
|
if (free_logbuf) {
|
||||||
|
- pamsshagentauth_xfree(action_logbuf);
|
||||||
|
- pamsshagentauth_buffer_free(&action_agentbuf);
|
||||||
|
+ free(action_logbuf);
|
||||||
|
+ buffer_free(&action_agentbuf);
|
||||||
|
}
|
||||||
|
- /* pamsshagentauth_debug3("hostname: %s", hostname); */
|
||||||
|
+ /* debug3("hostname: %s", hostname); */
|
||||||
|
if(reti >= 0)
|
||||||
|
- pamsshagentauth_buffer_put_cstring(session_id2, hostname);
|
||||||
|
+ buffer_put_cstring(session_id2, hostname);
|
||||||
|
else
|
||||||
|
- pamsshagentauth_buffer_put_cstring(session_id2, "");
|
||||||
|
- /* pamsshagentauth_debug3("ts: %ld", ts); */
|
||||||
|
- pamsshagentauth_buffer_put_int64(session_id2, (uint64_t) ts);
|
||||||
|
+ buffer_put_cstring(session_id2, "");
|
||||||
|
+ /* debug3("ts: %ld", ts); */
|
||||||
|
+ buffer_put_int64(session_id2, (uint64_t) ts);
|
||||||
|
|
||||||
|
free(cookie);
|
||||||
|
return;
|
||||||
|
@@ -190,11 +289,11 @@ pamsshagentauth_find_authorized_keys(con
|
||||||
|
pamsshagentauth_session_id2_gen(&session_id2, user, ruser, servicename);
|
||||||
|
|
||||||
|
if ((ac = ssh_get_authentication_connection_for_uid(uid))) {
|
||||||
|
- pamsshagentauth_verbose("Contacted ssh-agent of user %s (%u)", ruser, uid);
|
||||||
|
+ verbose("Contacted ssh-agent of user %s (%u)", ruser, uid);
|
||||||
|
for (key = ssh_get_first_identity(ac, &comment, 2); key != NULL; key = ssh_get_next_identity(ac, &comment, 2))
|
||||||
|
{
|
||||||
|
if(key != NULL) {
|
||||||
|
- id = pamsshagentauth_xcalloc(1, sizeof(*id));
|
||||||
|
+ id = xcalloc(1, sizeof(*id));
|
||||||
|
id->key = key;
|
||||||
|
id->filename = comment;
|
||||||
|
id->ac = ac;
|
||||||
|
@@ -203,18 +302,18 @@ pamsshagentauth_find_authorized_keys(con
|
||||||
|
if(userauth_pubkey_from_id(ruser, id, &session_id2)) {
|
||||||
|
retval = 1;
|
||||||
|
}
|
||||||
|
- pamsshagentauth_xfree(id->filename);
|
||||||
|
- pamsshagentauth_key_free(id->key);
|
||||||
|
- pamsshagentauth_xfree(id);
|
||||||
|
+ free(id->filename);
|
||||||
|
+ key_free(id->key);
|
||||||
|
+ free(id);
|
||||||
|
if(retval == 1)
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
- pamsshagentauth_buffer_free(&session_id2);
|
||||||
|
+ buffer_free(&session_id2);
|
||||||
|
ssh_close_authentication_connection(ac);
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
- pamsshagentauth_verbose("No ssh-agent could be contacted");
|
||||||
|
+ verbose("No ssh-agent could be contacted");
|
||||||
|
}
|
||||||
|
/* pamsshagentauth_xfree(session_id2); */
|
||||||
|
EVP_cleanup();
|
||||||
|
diff -up openssh-7.1p2/pam_ssh_agent_auth-0.10.2/pam_ssh_agent_auth.c.old openssh-7.1p2/pam_ssh_agent_auth-0.10.2/pam_ssh_agent_auth.c
|
||||||
|
--- openssh-7.1p2/pam_ssh_agent_auth-0.10.2/pam_ssh_agent_auth.c.old 2016-01-22 17:03:42.746602825 +0100
|
||||||
|
+++ openssh-7.1p2/pam_ssh_agent_auth-0.10.2/pam_ssh_agent_auth.c 2016-01-22 17:06:07.841485483 +0100
|
||||||
|
@@ -104,7 +104,7 @@ pam_sm_authenticate(pam_handle_t * pamh,
|
||||||
|
* a patch 8-)
|
||||||
|
*/
|
||||||
|
#if ! HAVE___PROGNAME || HAVE_BUNDLE
|
||||||
|
- __progname = pamsshagentauth_xstrdup(servicename);
|
||||||
|
+ __progname = xstrdup(servicename);
|
||||||
|
#endif
|
||||||
|
|
||||||
|
for(i = argc, argv_ptr = (char **) argv; i > 0; ++argv_ptr, i--) {
|
||||||
|
@@ -130,11 +130,11 @@ pam_sm_authenticate(pam_handle_t * pamh,
|
||||||
|
#endif
|
||||||
|
}
|
||||||
|
|
||||||
|
- pamsshagentauth_log_init(__progname, log_lvl, facility, 0);
|
||||||
|
+ log_init(__progname, log_lvl, facility, 0);
|
||||||
|
pam_get_item(pamh, PAM_USER, (void *) &user);
|
||||||
|
pam_get_item(pamh, PAM_RUSER, (void *) &ruser_ptr);
|
||||||
|
|
||||||
|
- pamsshagentauth_verbose("Beginning pam_ssh_agent_auth for user %s", user);
|
||||||
|
+ verbose("Beginning pam_ssh_agent_auth for user %s", user);
|
||||||
|
|
||||||
|
if(ruser_ptr) {
|
||||||
|
strncpy(ruser, ruser_ptr, sizeof(ruser) - 1);
|
||||||
|
@@ -149,12 +149,12 @@ pam_sm_authenticate(pam_handle_t * pamh,
|
||||||
|
#ifdef ENABLE_SUDO_HACK
|
||||||
|
if( (strlen(sudo_service_name) > 0) && strncasecmp(servicename, sudo_service_name, sizeof(sudo_service_name) - 1) == 0 && getenv("SUDO_USER") ) {
|
||||||
|
strncpy(ruser, getenv("SUDO_USER"), sizeof(ruser) - 1 );
|
||||||
|
- pamsshagentauth_verbose( "Using environment variable SUDO_USER (%s)", ruser );
|
||||||
|
+ verbose( "Using environment variable SUDO_USER (%s)", ruser );
|
||||||
|
} else
|
||||||
|
#endif
|
||||||
|
{
|
||||||
|
if( ! getpwuid(getuid()) ) {
|
||||||
|
- pamsshagentauth_verbose("Unable to getpwuid(getuid())");
|
||||||
|
+ verbose("Unable to getpwuid(getuid())");
|
||||||
|
goto cleanexit;
|
||||||
|
}
|
||||||
|
strncpy(ruser, getpwuid(getuid())->pw_name, sizeof(ruser) - 1);
|
||||||
|
@@ -163,11 +163,11 @@ pam_sm_authenticate(pam_handle_t * pamh,
|
||||||
|
|
||||||
|
/* Might as well explicitely confirm the user exists here */
|
||||||
|
if(! getpwnam(ruser) ) {
|
||||||
|
- pamsshagentauth_verbose("getpwnam(%s) failed, bailing out", ruser);
|
||||||
|
+ verbose("getpwnam(%s) failed, bailing out", ruser);
|
||||||
|
goto cleanexit;
|
||||||
|
}
|
||||||
|
if( ! getpwnam(user) ) {
|
||||||
|
- pamsshagentauth_verbose("getpwnam(%s) failed, bailing out", user);
|
||||||
|
+ verbose("getpwnam(%s) failed, bailing out", user);
|
||||||
|
goto cleanexit;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -177,8 +177,8 @@ pam_sm_authenticate(pam_handle_t * pamh,
|
||||||
|
*/
|
||||||
|
parse_authorized_key_file(user, authorized_keys_file_input);
|
||||||
|
} else {
|
||||||
|
- pamsshagentauth_verbose("Using default file=/etc/security/authorized_keys");
|
||||||
|
- authorized_keys_file = pamsshagentauth_xstrdup("/etc/security/authorized_keys");
|
||||||
|
+ verbose("Using default file=/etc/security/authorized_keys");
|
||||||
|
+ authorized_keys_file = xstrdup("/etc/security/authorized_keys");
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
@@ -187,19 +187,19 @@ pam_sm_authenticate(pam_handle_t * pamh,
|
||||||
|
*/
|
||||||
|
|
||||||
|
if(user && strlen(ruser) > 0) {
|
||||||
|
- pamsshagentauth_verbose("Attempting authentication: `%s' as `%s' using %s", ruser, user, authorized_keys_file);
|
||||||
|
+ verbose("Attempting authentication: `%s' as `%s' using %s", ruser, user, authorized_keys_file);
|
||||||
|
|
||||||
|
/*
|
||||||
|
* this pw_uid is used to validate the SSH_AUTH_SOCK, and so must be the uid of the ruser invoking the program, not the target-user
|
||||||
|
*/
|
||||||
|
if(pamsshagentauth_find_authorized_keys(user, ruser, servicename)) { /* getpwnam(ruser)->pw_uid)) { */
|
||||||
|
- pamsshagentauth_logit("Authenticated: `%s' as `%s' using %s", ruser, user, authorized_keys_file);
|
||||||
|
+ logit("Authenticated: `%s' as `%s' using %s", ruser, user, authorized_keys_file);
|
||||||
|
retval = PAM_SUCCESS;
|
||||||
|
} else {
|
||||||
|
- pamsshagentauth_logit("Failed Authentication: `%s' as `%s' using %s", ruser, user, authorized_keys_file);
|
||||||
|
+ logit("Failed Authentication: `%s' as `%s' using %s", ruser, user, authorized_keys_file);
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
- pamsshagentauth_logit("No %s specified, cannot continue with this form of authentication", (user) ? "ruser" : "user" );
|
||||||
|
+ logit("No %s specified, cannot continue with this form of authentication", (user) ? "ruser" : "user" );
|
||||||
|
}
|
||||||
|
|
||||||
|
cleanexit:
|
||||||
|
diff -up openssh-7.1p2/pam_ssh_agent_auth-0.10.2/userauth_pubkey_from_id.c.old openssh-7.1p2/pam_ssh_agent_auth-0.10.2/userauth_pubkey_from_id.c
|
||||||
|
--- openssh-7.1p2/pam_ssh_agent_auth-0.10.2/userauth_pubkey_from_id.c.old 2016-01-22 16:57:15.210850825 +0100
|
||||||
|
+++ openssh-7.1p2/pam_ssh_agent_auth-0.10.2/userauth_pubkey_from_id.c 2016-01-22 17:03:13.913623276 +0100
|
||||||
|
@@ -48,6 +48,8 @@
|
||||||
|
#include "identity.h"
|
||||||
|
#include "pam_user_authorized_keys.h"
|
||||||
|
|
||||||
|
+#define SSH2_MSG_USERAUTH_TRUST_REQUEST 54
|
||||||
|
+
|
||||||
|
/* extern u_char *session_id2;
|
||||||
|
extern uint8_t session_id_len;
|
||||||
|
*/
|
||||||
|
@@ -67,35 +67,35 @@ userauth_pubkey_from_id(const char *ruse
|
||||||
|
if(! pam_user_key_allowed(ruser, id->key))
|
||||||
|
goto user_auth_clean_exit;
|
||||||
|
|
||||||
|
- if(pamsshagentauth_key_to_blob(id->key, &pkblob, &blen) == 0)
|
||||||
|
+ if(key_to_blob(id->key, &pkblob, &blen) == 0)
|
||||||
|
goto user_auth_clean_exit;
|
||||||
|
|
||||||
|
/* construct packet to sign and test */
|
||||||
|
- pamsshagentauth_buffer_init(&b);
|
||||||
|
+ buffer_init(&b);
|
||||||
|
|
||||||
|
- pamsshagentauth_buffer_put_string(&b, session_id2->buf + session_id2->offset, session_id2->end - session_id2->offset);
|
||||||
|
- pamsshagentauth_buffer_put_char(&b, SSH2_MSG_USERAUTH_TRUST_REQUEST);
|
||||||
|
- pamsshagentauth_buffer_put_cstring(&b, ruser);
|
||||||
|
- pamsshagentauth_buffer_put_cstring(&b, "pam_ssh_agent_auth");
|
||||||
|
- pamsshagentauth_buffer_put_cstring(&b, "publickey");
|
||||||
|
- pamsshagentauth_buffer_put_char(&b, 1);
|
||||||
|
- pamsshagentauth_buffer_put_cstring(&b, pkalg);
|
||||||
|
- pamsshagentauth_buffer_put_string(&b, pkblob, blen);
|
||||||
|
+ buffer_put_string(&b, sshbuf_ptr(session_id2), sshbuf_len(session_id2));
|
||||||
|
+ buffer_put_char(&b, SSH2_MSG_USERAUTH_TRUST_REQUEST);
|
||||||
|
+ buffer_put_cstring(&b, ruser);
|
||||||
|
+ buffer_put_cstring(&b, "pam_ssh_agent_auth");
|
||||||
|
+ buffer_put_cstring(&b, "publickey");
|
||||||
|
+ buffer_put_char(&b, 1);
|
||||||
|
+ buffer_put_cstring(&b, pkalg);
|
||||||
|
+ buffer_put_string(&b, pkblob, blen);
|
||||||
|
|
||||||
|
- if(ssh_agent_sign(id->ac, id->key, &sig, &slen, pamsshagentauth_buffer_ptr(&b), pamsshagentauth_buffer_len(&b)) != 0)
|
||||||
|
+ if(ssh_agent_sign(id->ac, id->key, &sig, &slen, buffer_ptr(&b), buffer_len(&b)) != 0)
|
||||||
|
goto user_auth_clean_exit;
|
||||||
|
|
||||||
|
/* test for correct signature */
|
||||||
|
- if(pamsshagentauth_key_verify(id->key, sig, slen, pamsshagentauth_buffer_ptr(&b), pamsshagentauth_buffer_len(&b)) == 1)
|
||||||
|
+ if(key_verify(id->key, sig, slen, buffer_ptr(&b), buffer_len(&b)) == 1)
|
||||||
|
authenticated = 1;
|
||||||
|
|
||||||
|
user_auth_clean_exit:
|
||||||
|
/* if(&b != NULL) */
|
||||||
|
- pamsshagentauth_buffer_free(&b);
|
||||||
|
+ buffer_free(&b);
|
||||||
|
if(sig != NULL)
|
||||||
|
- pamsshagentauth_xfree(sig);
|
||||||
|
+ free(sig);
|
||||||
|
if(pkblob != NULL)
|
||||||
|
- pamsshagentauth_xfree(pkblob);
|
||||||
|
+ free(pkblob);
|
||||||
|
CRYPTO_cleanup_all_ex_data();
|
||||||
|
return authenticated;
|
||||||
|
}
|
||||||
|
diff -up openssh-7.1p2/pam_ssh_agent_auth-0.10.2/secure_filename.c.old openssh-7.1p2/pam_ssh_agent_auth-0.10.2/secure_filename.c
|
||||||
|
--- openssh-7.1p2/pam_ssh_agent_auth-0.10.2/secure_filename.c.old 2016-01-22 17:12:03.026198234 +0100
|
||||||
|
+++ openssh-7.1p2/pam_ssh_agent_auth-0.10.2/secure_filename.c 2016-01-22 17:12:31.817174950 +0100
|
||||||
|
@@ -80,7 +80,7 @@ pamsshagentauth_auth_secure_path(const c
|
||||||
|
int comparehome = 0;
|
||||||
|
struct stat st;
|
||||||
|
|
||||||
|
- pamsshagentauth_verbose("auth_secure_filename: checking for uid: %u", uid);
|
||||||
|
+ verbose("auth_secure_filename: checking for uid: %u", uid);
|
||||||
|
|
||||||
|
if (realpath(name, buf) == NULL) {
|
||||||
|
snprintf(err, errlen, "realpath %s failed: %s", name,
|
||||||
|
@@ -115,9 +115,9 @@ pamsshagentauth_auth_secure_path(const c
|
||||||
|
snprintf(err, errlen, "dirname() failed");
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
- pamsshagentauth_strlcpy(buf, cp, sizeof(buf));
|
||||||
|
+ strlcpy(buf, cp, sizeof(buf));
|
||||||
|
|
||||||
|
- pamsshagentauth_verbose("secure_filename: checking '%s'", buf);
|
||||||
|
+ verbose("secure_filename: checking '%s'", buf);
|
||||||
|
if (stat(buf, &st) < 0 ||
|
||||||
|
(st.st_uid != 0 && st.st_uid != uid) ||
|
||||||
|
(st.st_mode & 022) != 0) {
|
||||||
|
@@ -128,7 +128,7 @@ pamsshagentauth_auth_secure_path(const c
|
||||||
|
|
||||||
|
/* If are passed the homedir then we can stop */
|
||||||
|
if (comparehome && strcmp(homedir, buf) == 0) {
|
||||||
|
- pamsshagentauth_verbose("secure_filename: terminating check at '%s'",
|
||||||
|
+ verbose("secure_filename: terminating check at '%s'",
|
||||||
|
buf);
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
diff -up openssh-7.1p2/pam_ssh_agent_auth-0.10.2/get_command_line.c.old openssh-7.1p2/pam_ssh_agent_auth-0.10.2/get_command_line.c
|
||||||
|
--- openssh-7.1p2/pam_ssh_agent_auth-0.10.2/get_command_line.c.old 2016-01-22 17:13:18.226137418 +0100
|
||||||
|
+++ openssh-7.1p2/pam_ssh_agent_auth-0.10.2/get_command_line.c 2016-01-22 17:14:27.753081189 +0100
|
||||||
|
@@ -65,8 +65,8 @@ proc_pid_cmdline(char *** inargv)
|
||||||
|
case EOF:
|
||||||
|
case '\0':
|
||||||
|
if (len > 0) {
|
||||||
|
- argv = pamsshagentauth_xrealloc(argv, count + 1, sizeof(*argv));
|
||||||
|
- argv[count] = pamsshagentauth_xcalloc(len + 1, sizeof(*argv[count]));
|
||||||
|
+ argv = xreallocarray(argv, count + 1, sizeof(*argv));
|
||||||
|
+ argv[count] = xcalloc(len + 1, sizeof(*argv[count]));
|
||||||
|
strncpy(argv[count++], argbuf, len);
|
||||||
|
memset(argbuf, '\0', MAX_LEN_PER_CMDLINE_ARG + 1);
|
||||||
|
len = 0;
|
||||||
|
@@ -105,9 +105,9 @@ pamsshagentauth_free_command_line(char *
|
||||||
|
{
|
||||||
|
size_t i;
|
||||||
|
for (i = 0; i < n_args; i++)
|
||||||
|
- pamsshagentauth_xfree(argv[i]);
|
||||||
|
+ free(argv[i]);
|
||||||
|
|
||||||
|
- pamsshagentauth_xfree(argv);
|
||||||
|
+ free(argv);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
diff -up openssh-7.1p2/pam_ssh_agent_auth-0.10.2/pam_user_key_allowed2.c.old openssh-7.1p2/pam_ssh_agent_auth-0.10.2/pam_user_key_allowed2.c
|
||||||
|
--- openssh-7.1p2/pam_ssh_agent_auth-0.10.2/pam_user_key_allowed2.c.old 2016-01-22 17:15:57.547008570 +0100
|
||||||
|
+++ openssh-7.1p2/pam_ssh_agent_auth-0.10.2/pam_user_key_allowed2.c 2016-01-22 17:16:18.297991788 +0100
|
||||||
|
@@ -48,6 +48,7 @@
|
||||||
|
#include "buffer.h"
|
||||||
|
#include "log.h"
|
||||||
|
#include "compat.h"
|
||||||
|
+#include "digest.h"
|
||||||
|
#include "key.h"
|
||||||
|
#include "pathnames.h"
|
||||||
|
#include "misc.h"
|
||||||
|
@@ -54,6 +54,7 @@
|
||||||
|
#include "misc.h"
|
||||||
|
#include "secure_filename.h"
|
||||||
|
#include "uidswap.h"
|
||||||
|
+#include <unistd.h>
|
||||||
|
|
||||||
|
#include "identity.h"
|
||||||
|
|
||||||
|
@@ -68,7 +68,7 @@ pamsshagentauth_check_authkeys_file(FILE
|
||||||
|
char *fp;
|
||||||
|
|
||||||
|
found_key = 0;
|
||||||
|
- found = pamsshagentauth_key_new(key->type);
|
||||||
|
+ found = key_new(key->type);
|
||||||
|
|
||||||
|
while(read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
|
||||||
|
char *cp = NULL; /* *key_options = NULL; */
|
||||||
|
@@ -78,11 +78,11 @@ pamsshagentauth_check_authkeys_file(FILE
|
||||||
|
if(!*cp || *cp == '\n' || *cp == '#')
|
||||||
|
continue;
|
||||||
|
|
||||||
|
- if(pamsshagentauth_key_read(found, &cp) != 1) {
|
||||||
|
+ if(key_read(found, &cp) != 1) {
|
||||||
|
/* no key? check if there are options for this key */
|
||||||
|
int quoted = 0;
|
||||||
|
|
||||||
|
- pamsshagentauth_verbose("user_key_allowed: check options: '%s'", cp);
|
||||||
|
+ verbose("user_key_allowed: check options: '%s'", cp);
|
||||||
|
/* key_options = cp; */
|
||||||
|
for(; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) {
|
||||||
|
if(*cp == '\\' && cp[1] == '"')
|
||||||
|
@@ -92,26 +92,26 @@ pamsshagentauth_check_authkeys_file(FILE
|
||||||
|
}
|
||||||
|
/* Skip remaining whitespace. */
|
||||||
|
for(; *cp == ' ' || *cp == '\t'; cp++);
|
||||||
|
- if(pamsshagentauth_key_read(found, &cp) != 1) {
|
||||||
|
- pamsshagentauth_verbose("user_key_allowed: advance: '%s'", cp);
|
||||||
|
+ if(key_read(found, &cp) != 1) {
|
||||||
|
+ verbose("user_key_allowed: advance: '%s'", cp);
|
||||||
|
/* still no key? advance to next line */
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
- if(pamsshagentauth_key_equal(found, key)) {
|
||||||
|
+ if(key_equal(found, key)) {
|
||||||
|
found_key = 1;
|
||||||
|
- pamsshagentauth_logit("matching key found: file/command %s, line %lu", file,
|
||||||
|
+ logit("matching key found: file/command %s, line %lu", file,
|
||||||
|
linenum);
|
||||||
|
- fp = pamsshagentauth_key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
|
||||||
|
- pamsshagentauth_logit("Found matching %s key: %s",
|
||||||
|
- pamsshagentauth_key_type(found), fp);
|
||||||
|
- pamsshagentauth_xfree(fp);
|
||||||
|
+ fp = sshkey_fingerprint(found, SSH_DIGEST_MD5, SSH_FP_HEX);
|
||||||
|
+ logit("Found matching %s key: %s",
|
||||||
|
+ key_type(found), fp);
|
||||||
|
+ free(fp);
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
- pamsshagentauth_key_free(found);
|
||||||
|
+ key_free(found);
|
||||||
|
if(!found_key)
|
||||||
|
- pamsshagentauth_verbose("key not found");
|
||||||
|
+ verbose("key not found");
|
||||||
|
return found_key;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -128,11 +128,11 @@ pamsshagentauth_user_key_allowed2(struct
|
||||||
|
char buf[SSH_MAX_PUBKEY_BYTES];
|
||||||
|
|
||||||
|
/* Temporarily use the user's uid. */
|
||||||
|
- pamsshagentauth_verbose("trying public key file %s", file);
|
||||||
|
+ verbose("trying public key file %s", file);
|
||||||
|
|
||||||
|
/* Fail not so quietly if file does not exist */
|
||||||
|
if(stat(file, &st) < 0) {
|
||||||
|
- pamsshagentauth_verbose("File not found: %s", file);
|
||||||
|
+ verbose("File not found: %s", file);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -144,7 +144,7 @@ pamsshagentauth_user_key_allowed2(struct
|
||||||
|
|
||||||
|
if(pamsshagentauth_secure_filename(f, file, pw, buf, sizeof(buf)) != 0) {
|
||||||
|
fclose(f);
|
||||||
|
- pamsshagentauth_logit("Authentication refused: %s", buf);
|
||||||
|
+ logit("Authentication refused: %s", buf);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -187,44 +187,44 @@ pamsshagentauth_user_key_command_allowed
|
||||||
|
else {
|
||||||
|
pw = getpwnam(authorized_keys_command_user);
|
||||||
|
if(pw == NULL) {
|
||||||
|
- pamsshagentauth_logerror("authorized_keys_command_user \"%s\" not found: %s",
|
||||||
|
+ error("authorized_keys_command_user \"%s\" not found: %s",
|
||||||
|
authorized_keys_command_user, strerror(errno));
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
- pamsshagentauth_temporarily_use_uid(pw);
|
||||||
|
+ temporarily_use_uid(pw);
|
||||||
|
|
||||||
|
if(stat(authorized_keys_command, &st) < 0) {
|
||||||
|
- pamsshagentauth_logerror
|
||||||
|
+ error
|
||||||
|
("Could not stat AuthorizedKeysCommand \"%s\": %s",
|
||||||
|
authorized_keys_command, strerror(errno));
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
if(pamsshagentauth_auth_secure_path
|
||||||
|
(authorized_keys_command, &st, NULL, 0, errmsg, sizeof(errmsg)) != 0) {
|
||||||
|
- pamsshagentauth_logerror("Unsafe AuthorizedKeysCommand: %s", errmsg);
|
||||||
|
+ error("Unsafe AuthorizedKeysCommand: %s", errmsg);
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* open the pipe and read the keys */
|
||||||
|
if(pipe(p) != 0) {
|
||||||
|
- pamsshagentauth_logerror("%s: pipe: %s", __func__, strerror(errno));
|
||||||
|
+ error("%s: pipe: %s", __func__, strerror(errno));
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
|
||||||
|
- pamsshagentauth_debug("Running AuthorizedKeysCommand: \"%s\" as \"%s\" with argument: \"%s\"",
|
||||||
|
+ debug("Running AuthorizedKeysCommand: \"%s\" as \"%s\" with argument: \"%s\"",
|
||||||
|
authorized_keys_command, pw->pw_name, username);
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Don't want to call this in the child, where it can fatal() and
|
||||||
|
* run cleanup_exit() code.
|
||||||
|
*/
|
||||||
|
- pamsshagentauth_restore_uid();
|
||||||
|
+ restore_uid();
|
||||||
|
|
||||||
|
switch ((pid = fork())) {
|
||||||
|
case -1: /* error */
|
||||||
|
- pamsshagentauth_logerror("%s: fork: %s", __func__, strerror(errno));
|
||||||
|
+ error("%s: fork: %s", __func__, strerror(errno));
|
||||||
|
close(p[0]);
|
||||||
|
close(p[1]);
|
||||||
|
return 0;
|
||||||
|
@@ -234,13 +234,13 @@ pamsshagentauth_user_key_command_allowed
|
||||||
|
|
||||||
|
/* do this before the setresuid so thta they can be logged */
|
||||||
|
if((devnull = open(_PATH_DEVNULL, O_RDWR)) == -1) {
|
||||||
|
- pamsshagentauth_logerror("%s: open %s: %s", __func__, _PATH_DEVNULL,
|
||||||
|
+ error("%s: open %s: %s", __func__, _PATH_DEVNULL,
|
||||||
|
strerror(errno));
|
||||||
|
_exit(1);
|
||||||
|
}
|
||||||
|
if(dup2(devnull, STDIN_FILENO) == -1 || dup2(p[1], STDOUT_FILENO) == -1
|
||||||
|
|| dup2(devnull, STDERR_FILENO) == -1) {
|
||||||
|
- pamsshagentauth_logerror("%s: dup2: %s", __func__, strerror(errno));
|
||||||
|
+ error("%s: dup2: %s", __func__, strerror(errno));
|
||||||
|
_exit(1);
|
||||||
|
}
|
||||||
|
#if defined(HAVE_SETRESGID) && !defined(BROKEN_SETRESGID)
|
||||||
|
@@ -248,7 +248,7 @@ pamsshagentauth_user_key_command_allowed
|
||||||
|
#else
|
||||||
|
if (setgid(pw->pw_gid) != 0 || setegid(pw->pw_gid) != 0) {
|
||||||
|
#endif
|
||||||
|
- pamsshagentauth_logerror("setresgid %u: %s", (u_int) pw->pw_gid,
|
||||||
|
+ error("setresgid %u: %s", (u_int) pw->pw_gid,
|
||||||
|
strerror(errno));
|
||||||
|
_exit(1);
|
||||||
|
}
|
||||||
|
@@ -258,7 +258,7 @@ pamsshagentauth_user_key_command_allowed
|
||||||
|
#else
|
||||||
|
if (setuid(pw->pw_uid) != 0 || seteuid(pw->pw_uid) != 0) {
|
||||||
|
#endif
|
||||||
|
- pamsshagentauth_logerror("setresuid %u: %s", (u_int) pw->pw_uid,
|
||||||
|
+ error("setresuid %u: %s", (u_int) pw->pw_uid,
|
||||||
|
strerror(errno));
|
||||||
|
_exit(1);
|
||||||
|
}
|
||||||
|
@@ -270,18 +270,18 @@ pamsshagentauth_user_key_command_allowed
|
||||||
|
|
||||||
|
/* pretty sure this will barf because we are now suid, but since we
|
||||||
|
should't reach this anyway, I'll leave it here */
|
||||||
|
- pamsshagentauth_logerror("AuthorizedKeysCommand %s exec failed: %s",
|
||||||
|
+ error("AuthorizedKeysCommand %s exec failed: %s",
|
||||||
|
authorized_keys_command, strerror(errno));
|
||||||
|
_exit(127);
|
||||||
|
default: /* parent */
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
- pamsshagentauth_temporarily_use_uid(pw);
|
||||||
|
+ temporarily_use_uid(pw);
|
||||||
|
|
||||||
|
close(p[1]);
|
||||||
|
if((f = fdopen(p[0], "r")) == NULL) {
|
||||||
|
- pamsshagentauth_logerror("%s: fdopen: %s", __func__, strerror(errno));
|
||||||
|
+ error("%s: fdopen: %s", __func__, strerror(errno));
|
||||||
|
close(p[0]);
|
||||||
|
/* Don't leave zombie child */
|
||||||
|
while(waitpid(pid, NULL, 0) == -1 && errno == EINTR);
|
||||||
|
@@ -292,22 +292,22 @@ pamsshagentauth_user_key_command_allowed
|
||||||
|
|
||||||
|
while(waitpid(pid, &status, 0) == -1) {
|
||||||
|
if(errno != EINTR) {
|
||||||
|
- pamsshagentauth_logerror("%s: waitpid: %s", __func__,
|
||||||
|
+ error("%s: waitpid: %s", __func__,
|
||||||
|
strerror(errno));
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if(WIFSIGNALED(status)) {
|
||||||
|
- pamsshagentauth_logerror("AuthorizedKeysCommand %s exited on signal %d",
|
||||||
|
+ error("AuthorizedKeysCommand %s exited on signal %d",
|
||||||
|
authorized_keys_command, WTERMSIG(status));
|
||||||
|
goto out;
|
||||||
|
} else if(WEXITSTATUS(status) != 0) {
|
||||||
|
- pamsshagentauth_logerror("AuthorizedKeysCommand %s returned status %d",
|
||||||
|
+ error("AuthorizedKeysCommand %s returned status %d",
|
||||||
|
authorized_keys_command, WEXITSTATUS(status));
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
found_key = ok;
|
||||||
|
out:
|
||||||
|
- pamsshagentauth_restore_uid();
|
||||||
|
+ restore_uid();
|
||||||
|
return found_key;
|
||||||
|
}
|
||||||
|
diff -up openssh-7.1p2/pam_ssh_agent_auth-0.10.2/pam_user_authorized_keys.c.psaa-xfree openssh-7.1p2/pam_ssh_agent_auth-0.10.2/pam_user_authorized_keys.c
|
||||||
|
--- openssh-7.1p2/pam_ssh_agent_auth-0.10.2/pam_user_authorized_keys.c.psaa-xfree 2016-01-22 15:30:26.300302721 +0100
|
||||||
|
+++ openssh-7.1p2/pam_ssh_agent_auth-0.10.2/pam_user_authorized_keys.c 2016-01-22 15:33:57.567226875 +0100
|
||||||
|
@@ -117,12 +117,12 @@ parse_authorized_key_file(const char *us
|
||||||
|
} else {
|
||||||
|
slash_ptr = strchr(auth_keys_file_buf, '/');
|
||||||
|
if(!slash_ptr)
|
||||||
|
- pamsshagentauth_fatal
|
||||||
|
+ fatal
|
||||||
|
("cannot expand tilde in path without a `/'");
|
||||||
|
|
||||||
|
owner_uname_len = slash_ptr - auth_keys_file_buf - 1;
|
||||||
|
if(owner_uname_len > (sizeof(owner_uname) - 1))
|
||||||
|
- pamsshagentauth_fatal("Username too long");
|
||||||
|
+ fatal("Username too long");
|
||||||
|
|
||||||
|
strncat(owner_uname, auth_keys_file_buf + 1, owner_uname_len);
|
||||||
|
if(!authorized_keys_file_allowed_owner_uid)
|
||||||
|
@@ -130,11 +130,11 @@ parse_authorized_key_file(const char *us
|
||||||
|
getpwnam(owner_uname)->pw_uid;
|
||||||
|
}
|
||||||
|
authorized_keys_file =
|
||||||
|
- pamsshagentauth_tilde_expand_filename(auth_keys_file_buf,
|
||||||
|
+ tilde_expand_filename(auth_keys_file_buf,
|
||||||
|
authorized_keys_file_allowed_owner_uid);
|
||||||
|
strncpy(auth_keys_file_buf, authorized_keys_file,
|
||||||
|
sizeof(auth_keys_file_buf) - 1);
|
||||||
|
- pamsshagentauth_xfree(authorized_keys_file) /* when we
|
||||||
|
+ free(authorized_keys_file) /* when we
|
||||||
|
percent_expand
|
||||||
|
later, we'd step
|
||||||
|
on this, so free
|
||||||
|
@@ -150,7 +150,7 @@ parse_authorized_key_file(const char *us
|
||||||
|
strncat(hostname, fqdn, strcspn(fqdn, "."));
|
||||||
|
#endif
|
||||||
|
authorized_keys_file =
|
||||||
|
- pamsshagentauth_percent_expand(auth_keys_file_buf, "h",
|
||||||
|
+ percent_expand(auth_keys_file_buf, "h",
|
||||||
|
getpwnam(user)->pw_dir, "H", hostname,
|
||||||
|
"f", fqdn, "u", user, NULL);
|
||||||
|
}
|
||||||
|
diff -up openssh-7.1p2/pam_ssh_agent_auth-0.10.2/uuencode.c.psaa-xfree openssh-7.1p2/pam_ssh_agent_auth-0.10.2/uuencode.c
|
||||||
|
--- openssh-7.1p2/pam_ssh_agent_auth-0.10.2/uuencode.c.psaa-xfree 2014-03-23 23:52:21.000000000 +0100
|
||||||
|
+++ openssh-7.1p2/pam_ssh_agent_auth-0.10.2/uuencode.c 2016-01-22 15:39:26.210104334 +0100
|
||||||
|
@@ -56,7 +56,7 @@ pamsshagentauth_uudecode(const char *src
|
||||||
|
/* and remove trailing whitespace because __b64_pton needs this */
|
||||||
|
*p = '\0';
|
||||||
|
len = pamsshagentauth___b64_pton(encoded, target, targsize);
|
||||||
|
- pamsshagentauth_xfree(encoded);
|
||||||
|
+ xfree(encoded);
|
||||||
|
return len;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -70,7 +70,7 @@ pamsshagentauth_dump_base64(FILE *fp, u_
|
||||||
|
fprintf(fp, "dump_base64: len > 65536\n");
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
- buf = pamsshagentauth_xmalloc(2*len);
|
||||||
|
+ buf = malloc(2*len);
|
||||||
|
n = pamsshagentauth_uuencode(data, len, buf, 2*len);
|
||||||
|
for (i = 0; i < n; i++) {
|
||||||
|
fprintf(fp, "%c", buf[i]);
|
||||||
|
@@ -79,5 +79,5 @@ pamsshagentauth_dump_base64(FILE *fp, u_
|
||||||
|
}
|
||||||
|
if (i % 70 != 69)
|
||||||
|
fprintf(fp, "\n");
|
||||||
|
- pamsshagentauth_xfree(buf);
|
||||||
|
+ free(buf);
|
||||||
|
}
|
@ -1,7 +1,7 @@
|
|||||||
diff -up pam_ssh_agent_auth-0.9.2/pam_ssh_agent_auth.c.visibility pam_ssh_agent_auth-0.9.2/pam_ssh_agent_auth.c
|
diff -up openssh-7.1p2/pam_ssh_agent_auth-0.10.2/pam_ssh_agent_auth.c.psaa-visibility openssh-7.1p2/pam_ssh_agent_auth-0.10.2/pam_ssh_agent_auth.c
|
||||||
--- pam_ssh_agent_auth-0.9.2/pam_ssh_agent_auth.c.visibility 2009-12-21 20:57:34.000000000 +0100
|
--- openssh-7.1p2/pam_ssh_agent_auth-0.10.2/pam_ssh_agent_auth.c.psaa-visibility 2014-03-31 19:35:17.000000000 +0200
|
||||||
+++ pam_ssh_agent_auth-0.9.2/pam_ssh_agent_auth.c 2012-06-21 20:01:31.356259429 +0200
|
+++ openssh-7.1p2/pam_ssh_agent_auth-0.10.2/pam_ssh_agent_auth.c 2016-01-22 15:22:40.984469774 +0100
|
||||||
@@ -68,7 +68,7 @@ char *__progname;
|
@@ -72,7 +72,7 @@ char *__progname;
|
||||||
extern char *__progname;
|
extern char *__progname;
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
@ -10,7 +10,7 @@ diff -up pam_ssh_agent_auth-0.9.2/pam_ssh_agent_auth.c.visibility pam_ssh_agent_
|
|||||||
pam_sm_authenticate(pam_handle_t * pamh, int flags, int argc, const char **argv)
|
pam_sm_authenticate(pam_handle_t * pamh, int flags, int argc, const char **argv)
|
||||||
{
|
{
|
||||||
char **argv_ptr;
|
char **argv_ptr;
|
||||||
@@ -184,7 +184,7 @@ pam_sm_authenticate(pam_handle_t * pamh,
|
@@ -214,7 +214,7 @@ cleanexit:
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@ -18,4 +18,4 @@ diff -up pam_ssh_agent_auth-0.9.2/pam_ssh_agent_auth.c.visibility pam_ssh_agent_
|
|||||||
+PAM_EXTERN int __attribute__ ((visibility ("default")))
|
+PAM_EXTERN int __attribute__ ((visibility ("default")))
|
||||||
pam_sm_setcred(pam_handle_t * pamh, int flags, int argc, const char **argv)
|
pam_sm_setcred(pam_handle_t * pamh, int flags, int argc, const char **argv)
|
||||||
{
|
{
|
||||||
return PAM_SUCCESS;
|
UNUSED(pamh);
|
||||||
|
@ -1,30 +1,47 @@
|
|||||||
diff -up openssh-6.8p1/pam_ssh_agent_auth-0.9.3/iterate_ssh_agent_keys.c.psaa-agent openssh-6.8p1/pam_ssh_agent_auth-0.9.3/iterate_ssh_agent_keys.c
|
diff -up openssh-7.1p2/pam_ssh_agent_auth-0.10.2/identity.h.psaa-agent openssh-7.1p2/pam_ssh_agent_auth-0.10.2/identity.h
|
||||||
--- openssh-6.8p1/pam_ssh_agent_auth-0.9.3/iterate_ssh_agent_keys.c.psaa-agent 2015-06-02 16:43:09.231902255 +0200
|
--- openssh-7.1p2/pam_ssh_agent_auth-0.10.2/identity.h.psaa-agent 2014-03-31 19:35:16.000000000 +0200
|
||||||
+++ openssh-6.8p1/pam_ssh_agent_auth-0.9.3/iterate_ssh_agent_keys.c 2015-06-02 16:43:09.235902253 +0200
|
+++ openssh-7.1p2/pam_ssh_agent_auth-0.10.2/identity.h 2016-01-22 15:47:15.999919059 +0100
|
||||||
@@ -37,6 +37,7 @@
|
@@ -38,6 +38,12 @@
|
||||||
|
typedef struct identity Identity;
|
||||||
|
typedef struct idlist Idlist;
|
||||||
|
|
||||||
|
+typedef struct {
|
||||||
|
+ int fd;
|
||||||
|
+ Buffer identities;
|
||||||
|
+ int howmany;
|
||||||
|
+} AuthenticationConnection;
|
||||||
|
+
|
||||||
|
struct identity {
|
||||||
|
TAILQ_ENTRY(identity) next;
|
||||||
|
AuthenticationConnection *ac; /* set if agent supports key */
|
||||||
|
diff -up openssh-7.1p2/pam_ssh_agent_auth-0.10.2/iterate_ssh_agent_keys.c.psaa-agent openssh-7.1p2/pam_ssh_agent_auth-0.10.2/iterate_ssh_agent_keys.c
|
||||||
|
--- openssh-7.1p2/pam_ssh_agent_auth-0.10.2/iterate_ssh_agent_keys.c.psaa-agent 2016-01-22 15:47:15.998919060 +0100
|
||||||
|
+++ openssh-7.1p2/pam_ssh_agent_auth-0.10.2/iterate_ssh_agent_keys.c 2016-01-22 15:53:38.427768239 +0100
|
||||||
|
@@ -39,6 +39,7 @@
|
||||||
#include "buffer.h"
|
#include "buffer.h"
|
||||||
#include "key.h"
|
#include "key.h"
|
||||||
#include "authfd.h"
|
#include "authfd.h"
|
||||||
+#include "ssherr.h"
|
+#include "ssherr.h"
|
||||||
#include "ssh.h"
|
|
||||||
#include <stdio.h>
|
#include <stdio.h>
|
||||||
#include <sys/types.h>
|
#include <openssl/evp.h>
|
||||||
@@ -177,34 +178,41 @@ int
|
#include "ssh2.h"
|
||||||
find_authorized_keys(uid_t uid)
|
@@ -285,36 +286,43 @@ pamsshagentauth_find_authorized_keys(con
|
||||||
{
|
{
|
||||||
|
Buffer session_id2 = { 0 };
|
||||||
Identity *id;
|
Identity *id;
|
||||||
- Key *key;
|
- Key *key;
|
||||||
AuthenticationConnection *ac;
|
AuthenticationConnection *ac;
|
||||||
- char *comment;
|
- char *comment;
|
||||||
uint8_t retval = 0;
|
uint8_t retval = 0;
|
||||||
|
uid_t uid = getpwnam(ruser)->pw_uid;
|
||||||
+ struct ssh_identitylist *idlist;
|
+ struct ssh_identitylist *idlist;
|
||||||
+ int r, i;
|
+ int r, i;
|
||||||
|
|
||||||
OpenSSL_add_all_digests();
|
OpenSSL_add_all_digests();
|
||||||
session_id2 = session_id2_gen();
|
pamsshagentauth_session_id2_gen(&session_id2, user, ruser, servicename);
|
||||||
|
|
||||||
if ((ac = ssh_get_authentication_connection_for_uid(uid))) {
|
if ((ac = ssh_get_authentication_connection_for_uid(uid))) {
|
||||||
verbose("Contacted ssh-agent of user %s (%u)", getpwuid(uid)->pw_name, uid);
|
verbose("Contacted ssh-agent of user %s (%u)", ruser, uid);
|
||||||
- for (key = ssh_get_first_identity(ac, &comment, 2); key != NULL; key = ssh_get_next_identity(ac, &comment, 2))
|
- for (key = ssh_get_first_identity(ac, &comment, 2); key != NULL; key = ssh_get_next_identity(ac, &comment, 2))
|
||||||
+ if ((r = ssh_fetch_identitylist(ac->fd, 2,
|
+ if ((r = ssh_fetch_identitylist(ac->fd, 2,
|
||||||
+ &idlist)) != 0) {
|
+ &idlist)) != 0) {
|
||||||
@ -42,7 +59,7 @@ diff -up openssh-6.8p1/pam_ssh_agent_auth-0.9.3/iterate_ssh_agent_keys.c.psaa-ag
|
|||||||
+ id->key = idlist->keys[i];
|
+ id->key = idlist->keys[i];
|
||||||
+ id->filename = idlist->comments[i];
|
+ id->filename = idlist->comments[i];
|
||||||
id->ac = ac;
|
id->ac = ac;
|
||||||
if(userauth_pubkey_from_id(id)) {
|
if(userauth_pubkey_from_id(ruser, id, &session_id2)) {
|
||||||
retval = 1;
|
retval = 1;
|
||||||
}
|
}
|
||||||
- free(id->filename);
|
- free(id->filename);
|
||||||
@ -52,6 +69,7 @@ diff -up openssh-6.8p1/pam_ssh_agent_auth-0.9.3/iterate_ssh_agent_keys.c.psaa-ag
|
|||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
buffer_free(&session_id2);
|
||||||
- ssh_close_authentication_connection(ac);
|
- ssh_close_authentication_connection(ac);
|
||||||
+ ssh_free_identitylist(idlist);
|
+ ssh_free_identitylist(idlist);
|
||||||
+ ssh_close_authentication_socket(ac->fd);
|
+ ssh_close_authentication_socket(ac->fd);
|
||||||
@ -60,28 +78,12 @@ diff -up openssh-6.8p1/pam_ssh_agent_auth-0.9.3/iterate_ssh_agent_keys.c.psaa-ag
|
|||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
verbose("No ssh-agent could be contacted");
|
verbose("No ssh-agent could be contacted");
|
||||||
diff -up openssh-6.8p1/pam_ssh_agent_auth-0.9.3/identity.h.psaa-agent openssh-6.8p1/pam_ssh_agent_auth-0.9.3/identity.h
|
diff -up openssh-7.1p2/pam_ssh_agent_auth-0.10.2/userauth_pubkey_from_id.c.psaa-agent openssh-7.1p2/pam_ssh_agent_auth-0.10.2/userauth_pubkey_from_id.c
|
||||||
--- openssh-6.8p1/pam_ssh_agent_auth-0.9.3/identity.h.psaa-agent 2009-08-09 02:54:21.000000000 +0200
|
--- openssh-7.1p2/pam_ssh_agent_auth-0.10.2/userauth_pubkey_from_id.c.psaa-agent 2016-01-22 15:47:15.995919061 +0100
|
||||||
+++ openssh-6.8p1/pam_ssh_agent_auth-0.9.3/identity.h 2015-06-02 16:43:09.235902253 +0200
|
+++ openssh-7.1p2/pam_ssh_agent_auth-0.10.2/userauth_pubkey_from_id.c 2016-01-22 16:06:20.611464261 +0100
|
||||||
@@ -14,6 +14,12 @@
|
@@ -55,10 +55,11 @@ extern uint8_t session_id_len;
|
||||||
typedef struct identity Identity;
|
|
||||||
typedef struct idlist Idlist;
|
|
||||||
|
|
||||||
+typedef struct {
|
|
||||||
+ int fd;
|
|
||||||
+ Buffer identities;
|
|
||||||
+ int howmany;
|
|
||||||
+} AuthenticationConnection;
|
|
||||||
+
|
|
||||||
struct identity {
|
|
||||||
TAILQ_ENTRY(identity) next;
|
|
||||||
AuthenticationConnection *ac; /* set if agent supports key */
|
|
||||||
diff -up openssh-6.8p1/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c.psaa-agent openssh-6.8p1/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c
|
|
||||||
--- openssh-6.8p1/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c.psaa-agent 2015-06-02 16:43:09.232902254 +0200
|
|
||||||
+++ openssh-6.8p1/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c 2015-06-02 16:45:07.699822094 +0200
|
|
||||||
@@ -54,10 +54,11 @@ extern uint8_t session_id_len;
|
|
||||||
int
|
int
|
||||||
userauth_pubkey_from_id(Identity * id)
|
userauth_pubkey_from_id(const char *ruser, Identity * id, Buffer * session_id2)
|
||||||
{
|
{
|
||||||
- Buffer b = { 0 };
|
- Buffer b = { 0 };
|
||||||
+ Buffer b;
|
+ Buffer b;
|
||||||
@ -93,20 +95,7 @@ diff -up openssh-6.8p1/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c.psaa-a
|
|||||||
int authenticated = 0;
|
int authenticated = 0;
|
||||||
|
|
||||||
pkalg = (char *) key_ssh_name(id->key);
|
pkalg = (char *) key_ssh_name(id->key);
|
||||||
@@ -65,10 +65,10 @@ userauth_pubkey_from_id(Identity * id)
|
@@ -82,7 +83,7 @@ userauth_pubkey_from_id(const char *ruse
|
||||||
|
|
||||||
/* first test if this key is even allowed */
|
|
||||||
if(! pam_user_key_allowed(id->key))
|
|
||||||
- goto user_auth_clean_exit;
|
|
||||||
+ goto user_auth_clean_exit_without_buffer;
|
|
||||||
|
|
||||||
if(key_to_blob(id->key, &pkblob, &blen) == 0)
|
|
||||||
- goto user_auth_clean_exit;
|
|
||||||
+ goto user_auth_clean_exit_without_buffer;
|
|
||||||
|
|
||||||
/* construct packet to sign and test */
|
|
||||||
buffer_init(&b);
|
|
||||||
@@ -70,7 +70,7 @@ userauth_pubkey_from_id(Identity * id)
|
|
||||||
buffer_put_cstring(&b, pkalg);
|
buffer_put_cstring(&b, pkalg);
|
||||||
buffer_put_string(&b, pkblob, blen);
|
buffer_put_string(&b, pkblob, blen);
|
||||||
|
|
||||||
@ -115,11 +104,3 @@ diff -up openssh-6.8p1/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c.psaa-a
|
|||||||
goto user_auth_clean_exit;
|
goto user_auth_clean_exit;
|
||||||
|
|
||||||
/* test for correct signature */
|
/* test for correct signature */
|
||||||
@@ -92,6 +92,7 @@ userauth_pubkey_from_id(Identity * id)
|
|
||||||
user_auth_clean_exit:
|
|
||||||
if(&b != NULL)
|
|
||||||
buffer_free(&b);
|
|
||||||
+ user_auth_clean_exit_without_buffer:
|
|
||||||
if(sig != NULL)
|
|
||||||
free(sig);
|
|
||||||
if(pkblob != NULL)
|
|
||||||
|
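Review bot: In the rebased `userauth_pubkey_from_id.c` part of this patch, `Buffer b = { 0 };` still becomes `Buffer b;`, but the hunks that sent the two early exits to `user_auth_clean_exit_without_buffer` are gone from the new revision. In the old revision those exits followed the `pam_user_key_allowed` and `key_to_blob` checks, both ahead of `buffer_init(&b)`. If the 0.10.2 cleanup label still calls `buffer_free(&b)` (it lies outside the visible hunks, so this needs confirming), the PAM module frees an uninitialised buffer on the failure path that every non-matching agent key takes. Either carry the dropped hunks forward (`goto user_auth_clean_exit_without_buffer;` on both early exits plus the `user_auth_clean_exit_without_buffer:` label after `buffer_free(&b);`) or move `buffer_init(&b);` above the first `goto`. The body of `userauth_pubkey_from_id` between the two remaining hunks is not shown on this page.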
@ -1,12 +1,11 @@
|
|||||||
diff -up pam_ssh_agent_auth-0.9.3/iterate_ssh_agent_keys.c.psaa-build pam_ssh_agent_auth-0.9.3/iterate_ssh_agent_keys.c
|
diff -up openssh-7.1p2/pam_ssh_agent_auth-0.10.2/iterate_ssh_agent_keys.c.psaa-build openssh-7.1p2/pam_ssh_agent_auth-0.10.2/iterate_ssh_agent_keys.c
|
||||||
--- pam_ssh_agent_auth-0.9.3/iterate_ssh_agent_keys.c.psaa-build 2010-01-13 03:17:01.000000000 +0100
|
--- openssh-7.1p2/pam_ssh_agent_auth-0.10.2/iterate_ssh_agent_keys.c.psaa-build 2016-01-22 14:59:18.943919791 +0100
|
||||||
+++ pam_ssh_agent_auth-0.9.3/iterate_ssh_agent_keys.c 2012-06-21 20:14:56.432527764 +0200
|
+++ openssh-7.1p2/pam_ssh_agent_auth-0.10.2/iterate_ssh_agent_keys.c 2016-01-22 15:16:12.534599318 +0100
|
||||||
@@ -37,7 +37,16 @@
|
@@ -43,12 +43,31 @@
|
||||||
#include "buffer.h"
|
#include <openssl/evp.h>
|
||||||
#include "key.h"
|
#include "ssh2.h"
|
||||||
#include "authfd.h"
|
#include "misc.h"
|
||||||
+#include "ssh.h"
|
+#include "ssh.h"
|
||||||
#include <stdio.h>
|
|
||||||
+#include <sys/types.h>
|
+#include <sys/types.h>
|
||||||
+#include <sys/stat.h>
|
+#include <sys/stat.h>
|
||||||
+#include <sys/socket.h>
|
+#include <sys/socket.h>
|
||||||
@ -15,12 +14,11 @@ diff -up pam_ssh_agent_auth-0.9.3/iterate_ssh_agent_keys.c.psaa-build pam_ssh_ag
|
|||||||
+#include <stdlib.h>
|
+#include <stdlib.h>
|
||||||
+#include <errno.h>
|
+#include <errno.h>
|
||||||
+#include <fcntl.h>
|
+#include <fcntl.h>
|
||||||
#include <openssl/evp.h>
|
|
||||||
|
|
||||||
#include "userauth_pubkey_from_id.h"
|
#include "userauth_pubkey_from_id.h"
|
||||||
@@ -69,6 +78,96 @@ session_id2_gen()
|
#include "identity.h"
|
||||||
return cookie;
|
#include "get_command_line.h"
|
||||||
}
|
extern char **environ;
|
||||||
|
|
||||||
+/*
|
+/*
|
||||||
+ * Added by Jamie Beverly, ensure socket fd points to a socket owned by the user
|
+ * Added by Jamie Beverly, ensure socket fd points to a socket owned by the user
|
||||||
@ -32,7 +30,31 @@ diff -up pam_ssh_agent_auth-0.9.3/iterate_ssh_agent_keys.c.psaa-build pam_ssh_ag
|
|||||||
+ * race condition; so a more "direct" log message is generated.
|
+ * race condition; so a more "direct" log message is generated.
|
||||||
+ */
|
+ */
|
||||||
+
|
+
|
||||||
+int
|
static char *
|
||||||
|
log_action(char ** action, size_t count)
|
||||||
|
{
|
||||||
|
@@ -85,7 +104,7 @@ void
|
||||||
|
pamsshagentauth_session_id2_gen(Buffer * session_id2, const char * user,
|
||||||
|
const char * ruser, const char * servicename)
|
||||||
|
{
|
||||||
|
- char *cookie = NULL;
|
||||||
|
+ u_char *cookie = NULL;
|
||||||
|
uint8_t i = 0;
|
||||||
|
uint32_t rnd = 0;
|
||||||
|
uint8_t cookie_len;
|
||||||
|
@@ -110,7 +129,7 @@ pamsshagentauth_session_id2_gen(Buffer *
|
||||||
|
if (i % 4 == 0) {
|
||||||
|
rnd = pamsshagentauth_arc4random();
|
||||||
|
}
|
||||||
|
- cookie[i] = (char) rnd;
|
||||||
|
+ cookie[i] = (u_char) rnd;
|
||||||
|
rnd >>= 8;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -142,6 +161,86 @@ pamsshagentauth_session_id2_gen(Buffer *
|
||||||
|
}
|
||||||
|
|
||||||
|
int
|
||||||
+ssh_get_authentication_socket_for_uid(uid_t uid)
|
+ssh_get_authentication_socket_for_uid(uid_t uid)
|
||||||
+{
|
+{
|
||||||
+ const char *authsocket;
|
+ const char *authsocket;
|
||||||
@ -112,27 +134,23 @@ diff -up pam_ssh_agent_auth-0.9.3/iterate_ssh_agent_keys.c.psaa-build pam_ssh_ag
|
|||||||
+ return auth;
|
+ return auth;
|
||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
int
|
+int
|
||||||
find_authorized_keys(uid_t uid)
|
pamsshagentauth_find_authorized_keys(const char * user, const char * ruser, const char * servicename)
|
||||||
{
|
{
|
||||||
@@ -81,7 +180,7 @@ find_authorized_keys(uid_t uid)
|
Buffer session_id2 = { 0 };
|
||||||
|
@@ -190,7 +289,7 @@ pamsshagentauth_find_authorized_keys(con
|
||||||
OpenSSL_add_all_digests();
|
OpenSSL_add_all_digests();
|
||||||
session_id2 = session_id2_gen();
|
pamsshagentauth_session_id2_gen(&session_id2, user, ruser, servicename);
|
||||||
|
|
||||||
- if ((ac = ssh_get_authentication_connection(uid))) {
|
- if ((ac = ssh_get_authentication_connection(uid))) {
|
||||||
+ if ((ac = ssh_get_authentication_connection_for_uid(uid))) {
|
+ if ((ac = ssh_get_authentication_connection_for_uid(uid))) {
|
||||||
verbose("Contacted ssh-agent of user %s (%u)", getpwuid(uid)->pw_name, uid);
|
pamsshagentauth_verbose("Contacted ssh-agent of user %s (%u)", ruser, uid);
|
||||||
for (key = ssh_get_first_identity(ac, &comment, 2); key != NULL; key = ssh_get_next_identity(ac, &comment, 2))
|
for (key = ssh_get_first_identity(ac, &comment, 2); key != NULL; key = ssh_get_next_identity(ac, &comment, 2))
|
||||||
{
|
{
|
||||||
@@ -109,3 +208,4 @@ find_authorized_keys(uid_t uid)
|
diff -up openssh-7.1p2/pam_ssh_agent_auth-0.10.2/Makefile.in.psaa-build openssh-7.1p2/pam_ssh_agent_auth-0.10.2/Makefile.in
|
||||||
EVP_cleanup();
|
--- openssh-7.1p2/pam_ssh_agent_auth-0.10.2/Makefile.in.psaa-build 2014-03-31 19:35:17.000000000 +0200
|
||||||
return retval;
|
+++ openssh-7.1p2/pam_ssh_agent_auth-0.10.2/Makefile.in 2016-01-22 15:20:16.479521651 +0100
|
||||||
}
|
@@ -52,7 +52,7 @@ PATHS=
|
||||||
+
|
|
||||||
diff -up pam_ssh_agent_auth-0.9.3/Makefile.in.psaa-build pam_ssh_agent_auth-0.9.3/Makefile.in
|
|
||||||
--- pam_ssh_agent_auth-0.9.3/Makefile.in.psaa-build 2009-10-27 21:19:41.000000000 +0100
|
|
||||||
+++ pam_ssh_agent_auth-0.9.3/Makefile.in 2012-06-21 20:14:56.432527764 +0200
|
|
||||||
@@ -28,7 +28,7 @@ PATHS=
|
|
||||||
CC=@CC@
|
CC=@CC@
|
||||||
LD=@LD@
|
LD=@LD@
|
||||||
CFLAGS=@CFLAGS@
|
CFLAGS=@CFLAGS@
|
||||||
@ -141,7 +159,7 @@ diff -up pam_ssh_agent_auth-0.9.3/Makefile.in.psaa-build pam_ssh_agent_auth-0.9.
|
|||||||
LIBS=@LIBS@
|
LIBS=@LIBS@
|
||||||
AR=@AR@
|
AR=@AR@
|
||||||
AWK=@AWK@
|
AWK=@AWK@
|
||||||
@@ -37,7 +37,7 @@ INSTALL=@INSTALL@
|
@@ -61,7 +61,7 @@ INSTALL=@INSTALL@
|
||||||
PERL=@PERL@
|
PERL=@PERL@
|
||||||
SED=@SED@
|
SED=@SED@
|
||||||
ENT=@ENT@
|
ENT=@ENT@
|
||||||
@ -150,16 +168,16 @@ diff -up pam_ssh_agent_auth-0.9.3/Makefile.in.psaa-build pam_ssh_agent_auth-0.9.
|
|||||||
LDFLAGS_SHARED = @LDFLAGS_SHARED@
|
LDFLAGS_SHARED = @LDFLAGS_SHARED@
|
||||||
EXEEXT=@EXEEXT@
|
EXEEXT=@EXEEXT@
|
||||||
|
|
||||||
@@ -48,7 +48,7 @@ PAM_MODULES=pam_ssh_agent_auth.so
|
@@ -72,7 +72,7 @@ PAM_MODULES=pam_ssh_agent_auth.so
|
||||||
|
|
||||||
SSHOBJS=xmalloc.o atomicio.o authfd.o bufaux.o bufbn.o buffer.o cleanup.o entropy.o fatal.o key.o log.o misc.o secure_filename.o ssh-dss.o ssh-rsa.o uuencode.o compat.o
|
SSHOBJS=xmalloc.o atomicio.o authfd.o bufaux.o bufbn.o buffer.o cleanup.o entropy.o fatal.o key.o log.o misc.o secure_filename.o ssh-dss.o ssh-rsa.o uuencode.o compat.o uidswap.o
|
||||||
|
|
||||||
-PAM_SSH_AGENT_AUTH_OBJS=pam_user_key_allowed2.o iterate_ssh_agent_keys.o userauth_pubkey_from_id.o pam_user_authorized_keys.o
|
-PAM_SSH_AGENT_AUTH_OBJS=pam_user_key_allowed2.o iterate_ssh_agent_keys.o userauth_pubkey_from_id.o pam_user_authorized_keys.o get_command_line.o
|
||||||
+PAM_SSH_AGENT_AUTH_OBJS=pam_user_key_allowed2.o iterate_ssh_agent_keys.o userauth_pubkey_from_id.o pam_user_authorized_keys.o secure_filename.o
|
+PAM_SSH_AGENT_AUTH_OBJS=pam_user_key_allowed2.o iterate_ssh_agent_keys.o userauth_pubkey_from_id.o pam_user_authorized_keys.o get_command_line.o secure_filename.o
|
||||||
|
|
||||||
|
|
||||||
MANPAGES_IN = pam_ssh_agent_auth.pod
|
MANPAGES_IN = pam_ssh_agent_auth.pod
|
||||||
@@ -67,13 +67,13 @@ $(PAM_MODULES): Makefile.in config.h
|
@@ -91,13 +91,13 @@ $(PAM_MODULES): Makefile.in config.h
|
||||||
.c.o:
|
.c.o:
|
||||||
$(CC) $(CFLAGS) $(CPPFLAGS) -c $<
|
$(CC) $(CFLAGS) $(CPPFLAGS) -c $<
|
||||||
|
|
||||||
@ -170,31 +188,9 @@ diff -up pam_ssh_agent_auth-0.9.3/Makefile.in.psaa-build pam_ssh_agent_auth-0.9.
|
|||||||
always:
|
always:
|
||||||
|
|
||||||
-pam_ssh_agent_auth.so: $(LIBCOMPAT) $(SSHOBJS) $(PAM_SSH_AGENT_AUTH_OBJS) pam_ssh_agent_auth.o
|
-pam_ssh_agent_auth.so: $(LIBCOMPAT) $(SSHOBJS) $(PAM_SSH_AGENT_AUTH_OBJS) pam_ssh_agent_auth.o
|
||||||
- $(LD) $(LDFLAGS_SHARED) -o $@ $(SSHOBJS) $(PAM_SSH_AGENT_AUTH_OBJS) $(LDFLAGS) -lopenbsd-compat $(LIBS) -lpam pam_ssh_agent_auth.o
|
- $(LD) $(LDFLAGS_SHARED) -o $@ $(SSHOBJS) $(PAM_SSH_AGENT_AUTH_OBJS) $(LDFLAGS) -lopenbsd-compat pam_ssh_agent_auth.o $(LIBS) -lpam
|
||||||
+pam_ssh_agent_auth.so: $(PAM_SSH_AGENT_AUTH_OBJS) pam_ssh_agent_auth.o
|
+pam_ssh_agent_auth.so: $(PAM_SSH_AGENT_AUTH_OBJS) pam_ssh_agent_auth.o
|
||||||
+ $(LD) $(LDFLAGS_SHARED) -o $@ $(PAM_SSH_AGENT_AUTH_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) -lpam -lnss3 pam_ssh_agent_auth.o
|
+ $(LD) $(LDFLAGS_SHARED) -o $@ $(PAM_SSH_AGENT_AUTH_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat pam_ssh_agent_auth.o $(LIBS) -lpam -lnss3
|
||||||
|
|
||||||
$(MANPAGES): $(MANPAGES_IN)
|
$(MANPAGES): $(MANPAGES_IN)
|
||||||
pod2man --section=8 --release=v0.8 --name=pam_ssh_agent_auth --official --center "PAM" pam_ssh_agent_auth.pod > pam_ssh_agent_auth.8
|
pod2man --section=8 --release=v0.10.2 --name=pam_ssh_agent_auth --official --center "PAM" pam_ssh_agent_auth.pod > pam_ssh_agent_auth.8
|
||||||
diff --git pam_ssh_agent_auth-0.9.3/iterate_ssh_agent_keys.c.psaa-build pam_ssh_agent_auth-0.9.3/iterate_ssh_agent_keys.c
|
|
||||||
index e2c5777..9b8b863 100644
|
|
||||||
--- pam_ssh_agent_auth-0.9.3/iterate_ssh_agent_keys.c.psaa-build
|
|
||||||
+++ pam_ssh_agent_auth-0.9.3/iterate_ssh_agent_keys.c
|
|
||||||
@@ -58,7 +58,7 @@ uint8_t session_id_len = 0;
|
|
||||||
u_char *
|
|
||||||
session_id2_gen()
|
|
||||||
{
|
|
||||||
- char *cookie = NULL;
|
|
||||||
+ u_char *cookie = NULL;
|
|
||||||
uint8_t i = 0;
|
|
||||||
uint32_t rnd = 0;
|
|
||||||
|
|
||||||
@@ -71,7 +71,7 @@ session_id2_gen()
|
|
||||||
if (i % 4 == 0) {
|
|
||||||
rnd = arc4random();
|
|
||||||
}
|
|
||||||
- cookie[i] = (char) rnd;
|
|
||||||
+ cookie[i] = (u_char) rnd;
|
|
||||||
rnd >>= 8;
|
|
||||||
}
|
|
||||||
|
|
||||||
|
@ -1,64 +0,0 @@
|
|||||||
diff --git a/pam_ssh_agent_auth-0.9.3/key.c b/pam_ssh_agent_auth-0.9.3/key.c
|
|
||||||
index 9555e7e..c17aae6 100644
|
|
||||||
--- a/pam_ssh_agent_auth-0.9.3/key.c
|
|
||||||
+++ b/pam_ssh_agent_auth-0.9.3/key.c
|
|
||||||
@@ -55,6 +55,7 @@
|
|
||||||
#include "uuencode.h"
|
|
||||||
#include "buffer.h"
|
|
||||||
#include "log.h"
|
|
||||||
+#include "digest.h"
|
|
||||||
|
|
||||||
Key *
|
|
||||||
key_new(int type)
|
|
||||||
@@ -181,7 +182,7 @@ key_equal(const Key *a, const Key *b)
|
|
||||||
}
|
|
||||||
|
|
||||||
u_char*
|
|
||||||
-key_fingerprint_raw(const Key *k, enum fp_type dgst_type,
|
|
||||||
+sshkey_fingerprint_raw(const Key *k, int dgst_type,
|
|
||||||
u_int *dgst_raw_length)
|
|
||||||
{
|
|
||||||
const EVP_MD *md = NULL;
|
|
||||||
@@ -194,10 +195,10 @@ key_fingerprint_raw(const Key *k, enum fp_type dgst_type,
|
|
||||||
*dgst_raw_length = 0;
|
|
||||||
|
|
||||||
switch (dgst_type) {
|
|
||||||
- case SSH_FP_MD5:
|
|
||||||
+ case SSH_DIGEST_MD5:
|
|
||||||
md = EVP_md5();
|
|
||||||
break;
|
|
||||||
- case SSH_FP_SHA1:
|
|
||||||
+ case SSH_DIGEST_SHA1:
|
|
||||||
md = EVP_sha1();
|
|
||||||
break;
|
|
||||||
default:
|
|
||||||
@@ -302,7 +303,7 @@ key_fingerprint_bubblebabble(u_char *dgst_raw, u_int dgst_raw_len)
|
|
||||||
}
|
|
||||||
|
|
||||||
char *
|
|
||||||
-key_fingerprint(const Key *k, enum fp_type dgst_type, enum fp_rep dgst_rep)
|
|
||||||
+sshkey_fingerprint(const Key *k, int dgst_type, enum fp_rep dgst_rep)
|
|
||||||
{
|
|
||||||
char *retval = NULL;
|
|
||||||
u_char *dgst_raw;
|
|
||||||
diff --git a/pam_ssh_agent_auth-0.9.3/pam_user_key_allowed2.c b/pam_ssh_agent_auth-0.9.3/pam_user_key_allowed2.c
|
|
||||||
index dddcba9..8ba6d87 100644
|
|
||||||
--- a/pam_ssh_agent_auth-0.9.3/pam_user_key_allowed2.c
|
|
||||||
+++ b/pam_ssh_agent_auth-0.9.3/pam_user_key_allowed2.c
|
|
||||||
@@ -43,6 +43,7 @@
|
|
||||||
#include "buffer.h"
|
|
||||||
#include "log.h"
|
|
||||||
#include "compat.h"
|
|
||||||
+#include "digest.h"
|
|
||||||
#include "key.h"
|
|
||||||
#include "pathnames.h"
|
|
||||||
#include "misc.h"
|
|
||||||
@@ -118,7 +119,7 @@ pam_user_key_allowed2(struct passwd *pw, Key *key, char *file)
|
|
||||||
found_key = 1;
|
|
||||||
logit("matching key found: file %s, line %lu",
|
|
||||||
file, linenum);
|
|
||||||
- fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
|
|
||||||
+ fp = sshkey_fingerprint(found, SSH_DIGEST_MD5, SSH_FP_HEX);
|
|
||||||
logit("Found matching %s key: %s",
|
|
||||||
key_type(found), fp);
|
|
||||||
free(fp);
|
|
@ -1,430 +0,0 @@
|
|||||||
--- pam_ssh_agent_auth-0.9.3.orig/authfd.c 2013-10-30 17:14:26.013615342 +0100
|
|
||||||
+++ pam_ssh_agent_auth-0.9.3.orig/authfd.c 2013-10-30 17:15:07.353327799 +0100
|
|
||||||
@@ -260,7 +260,7 @@
|
|
||||||
{
|
|
||||||
buffer_free(&auth->identities);
|
|
||||||
close(auth->fd);
|
|
||||||
- xfree(auth);
|
|
||||||
+ free(auth);
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Lock/unlock agent */
|
|
||||||
@@ -379,7 +379,7 @@
|
|
||||||
blob = buffer_get_string(&auth->identities, &blen);
|
|
||||||
*comment = buffer_get_string(&auth->identities, NULL);
|
|
||||||
key = key_from_blob(blob, blen);
|
|
||||||
- xfree(blob);
|
|
||||||
+ free(blob);
|
|
||||||
break;
|
|
||||||
default:
|
|
||||||
return NULL;
|
|
||||||
@@ -472,7 +472,7 @@
|
|
||||||
buffer_put_string(&msg, blob, blen);
|
|
||||||
buffer_put_string(&msg, data, datalen);
|
|
||||||
buffer_put_int(&msg, flags);
|
|
||||||
- xfree(blob);
|
|
||||||
+ free(blob);
|
|
||||||
|
|
||||||
if (ssh_request_reply(auth, &msg, &msg) == 0) {
|
|
||||||
buffer_free(&msg);
|
|
||||||
@@ -612,7 +612,7 @@
|
|
||||||
key_to_blob(key, &blob, &blen);
|
|
||||||
buffer_put_char(&msg, SSH2_AGENTC_REMOVE_IDENTITY);
|
|
||||||
buffer_put_string(&msg, blob, blen);
|
|
||||||
- xfree(blob);
|
|
||||||
+ free(blob);
|
|
||||||
} else {
|
|
||||||
buffer_free(&msg);
|
|
||||||
return 0;
|
|
||||||
--- pam_ssh_agent_auth-0.9.3.orig/bufaux.c 2013-10-30 17:14:26.014615310 +0100
|
|
||||||
+++ pam_ssh_agent_auth-0.9.3.orig/bufaux.c 2013-10-30 17:15:07.354327768 +0100
|
|
||||||
@@ -176,7 +176,7 @@
|
|
||||||
/* Get the string. */
|
|
||||||
if (buffer_get_ret(buffer, value, len) == -1) {
|
|
||||||
logerror("buffer_get_string_ret: buffer_get failed");
|
|
||||||
- xfree(value);
|
|
||||||
+ free(value);
|
|
||||||
return (NULL);
|
|
||||||
}
|
|
||||||
/* Append a null character to make processing easier. */
|
|
||||||
--- pam_ssh_agent_auth-0.9.3.orig/bufbn.c 2013-10-30 17:14:26.014615310 +0100
|
|
||||||
+++ pam_ssh_agent_auth-0.9.3.orig/bufbn.c 2013-10-30 17:15:07.354327768 +0100
|
|
||||||
@@ -69,7 +69,7 @@
|
|
||||||
if (oi != bin_size) {
|
|
||||||
logerror("buffer_put_bignum_ret: BN_bn2bin() failed: oi %d != bin_size %d",
|
|
||||||
oi, bin_size);
|
|
||||||
- xfree(buf);
|
|
||||||
+ free(buf);
|
|
||||||
return (-1);
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -80,7 +80,7 @@
|
|
||||||
buffer_append(buffer, buf, oi);
|
|
||||||
|
|
||||||
memset(buf, 0, bin_size);
|
|
||||||
- xfree(buf);
|
|
||||||
+ free(buf);
|
|
||||||
|
|
||||||
return (0);
|
|
||||||
}
|
|
||||||
@@ -167,13 +167,13 @@
|
|
||||||
if (oi < 0 || (u_int)oi != bytes - 1) {
|
|
||||||
logerror("buffer_put_bignum2_ret: BN_bn2bin() failed: "
|
|
||||||
"oi %d != bin_size %d", oi, bytes);
|
|
||||||
- xfree(buf);
|
|
||||||
+ free(buf);
|
|
||||||
return (-1);
|
|
||||||
}
|
|
||||||
hasnohigh = (buf[1] & 0x80) ? 0 : 1;
|
|
||||||
buffer_put_string(buffer, buf+hasnohigh, bytes-hasnohigh);
|
|
||||||
memset(buf, 0, bytes);
|
|
||||||
- xfree(buf);
|
|
||||||
+ free(buf);
|
|
||||||
return (0);
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -197,21 +197,21 @@
|
|
||||||
|
|
||||||
if (len > 0 && (bin[0] & 0x80)) {
|
|
||||||
logerror("buffer_get_bignum2_ret: negative numbers not supported");
|
|
||||||
- xfree(bin);
|
|
||||||
+ free(bin);
|
|
||||||
return (-1);
|
|
||||||
}
|
|
||||||
if (len > 8 * 1024) {
|
|
||||||
logerror("buffer_get_bignum2_ret: cannot handle BN of size %d",
|
|
||||||
len);
|
|
||||||
- xfree(bin);
|
|
||||||
+ free(bin);
|
|
||||||
return (-1);
|
|
||||||
}
|
|
||||||
if (BN_bin2bn(bin, len, value) == NULL) {
|
|
||||||
logerror("buffer_get_bignum2_ret: BN_bin2bn failed");
|
|
||||||
- xfree(bin);
|
|
||||||
+ free(bin);
|
|
||||||
return (-1);
|
|
||||||
}
|
|
||||||
- xfree(bin);
|
|
||||||
+ free(bin);
|
|
||||||
return (0);
|
|
||||||
}
|
|
||||||
|
|
||||||
--- pam_ssh_agent_auth-0.9.3.orig/buffer.c 2013-10-30 17:14:26.014615310 +0100
|
|
||||||
+++ pam_ssh_agent_auth-0.9.3.orig/buffer.c 2013-10-30 17:15:07.355327737 +0100
|
|
||||||
@@ -50,7 +50,7 @@
|
|
||||||
if (buffer->alloc > 0) {
|
|
||||||
memset(buffer->buf, 0, buffer->alloc);
|
|
||||||
buffer->alloc = 0;
|
|
||||||
- xfree(buffer->buf);
|
|
||||||
+ free(buffer->buf);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
--- pam_ssh_agent_auth-0.9.3.orig/iterate_ssh_agent_keys.c 2013-10-30 17:14:26.031614782 +0100
|
|
||||||
+++ pam_ssh_agent_auth-0.9.3.orig/iterate_ssh_agent_keys.c 2013-10-30 17:15:07.357327674 +0100
|
|
||||||
@@ -197,9 +197,9 @@
|
|
||||||
if(userauth_pubkey_from_id(id)) {
|
|
||||||
retval = 1;
|
|
||||||
}
|
|
||||||
- xfree(id->filename);
|
|
||||||
+ free(id->filename);
|
|
||||||
key_free(id->key);
|
|
||||||
- xfree(id);
|
|
||||||
+ free(id);
|
|
||||||
if(retval == 1)
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
@@ -209,7 +209,7 @@
|
|
||||||
else {
|
|
||||||
verbose("No ssh-agent could be contacted");
|
|
||||||
}
|
|
||||||
- xfree(session_id2);
|
|
||||||
+ free(session_id2);
|
|
||||||
EVP_cleanup();
|
|
||||||
return retval;
|
|
||||||
}
|
|
||||||
--- pam_ssh_agent_auth-0.9.3.orig/key.c 2013-10-30 17:14:26.017615218 +0100
|
|
||||||
+++ pam_ssh_agent_auth-0.9.3.orig/key.c 2013-10-30 17:15:07.358327643 +0100
|
|
||||||
@@ -154,7 +154,7 @@
|
|
||||||
fatal("key_free: bad key type %d", k->type);
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
- xfree(k);
|
|
||||||
+ free(k);
|
|
||||||
}
|
|
||||||
|
|
||||||
int
|
|
||||||
@@ -229,7 +229,7 @@
|
|
||||||
EVP_DigestUpdate(&ctx, blob, len);
|
|
||||||
EVP_DigestFinal(&ctx, retval, dgst_raw_length);
|
|
||||||
memset(blob, 0, len);
|
|
||||||
- xfree(blob);
|
|
||||||
+ free(blob);
|
|
||||||
} else {
|
|
||||||
fatal("key_fingerprint_raw: blob is null");
|
|
||||||
}
|
|
||||||
@@ -324,7 +324,7 @@
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
memset(dgst_raw, 0, dgst_raw_len);
|
|
||||||
- xfree(dgst_raw);
|
|
||||||
+ free(dgst_raw);
|
|
||||||
return retval;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -447,11 +447,11 @@
|
|
||||||
n = uudecode(cp, blob, len);
|
|
||||||
if (n < 0) {
|
|
||||||
logerror("key_read: uudecode %s failed", cp);
|
|
||||||
- xfree(blob);
|
|
||||||
+ free(blob);
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
k = key_from_blob(blob, (u_int)n);
|
|
||||||
- xfree(blob);
|
|
||||||
+ free(blob);
|
|
||||||
if (k == NULL) {
|
|
||||||
logerror("key_read: key_from_blob %s failed", cp);
|
|
||||||
return -1;
|
|
||||||
@@ -526,8 +526,8 @@
|
|
||||||
fprintf(f, "%s %s", key_ssh_name(key), uu);
|
|
||||||
success = 1;
|
|
||||||
}
|
|
||||||
- xfree(blob);
|
|
||||||
- xfree(uu);
|
|
||||||
+ free(blob);
|
|
||||||
+ free(uu);
|
|
||||||
}
|
|
||||||
return success;
|
|
||||||
}
|
|
||||||
@@ -673,12 +673,12 @@
|
|
||||||
switch (key_type_from_name(p)) {
|
|
||||||
case KEY_RSA1:
|
|
||||||
case KEY_UNSPEC:
|
|
||||||
- xfree(s);
|
|
||||||
+ free(s);
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
verbose("key names ok: [%s]", names);
|
|
||||||
- xfree(s);
|
|
||||||
+ free(s);
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -743,7 +743,7 @@
|
|
||||||
logerror("key_from_blob: remaining bytes in key blob %d", rlen);
|
|
||||||
out:
|
|
||||||
if (ktype != NULL)
|
|
||||||
- xfree(ktype);
|
|
||||||
+ free(ktype);
|
|
||||||
buffer_free(&b);
|
|
||||||
return key;
|
|
||||||
}
|
|
||||||
--- pam_ssh_agent_auth-0.9.3.orig/misc.c 2013-10-30 17:14:26.017615218 +0100
|
|
||||||
+++ pam_ssh_agent_auth-0.9.3.orig/misc.c 2013-10-30 17:15:07.360327581 +0100
|
|
||||||
@@ -251,13 +251,13 @@
|
|
||||||
*remote = SSH_TUNID_ANY;
|
|
||||||
sp = xstrdup(s);
|
|
||||||
if ((ep = strchr(sp, ':')) == NULL) {
|
|
||||||
- xfree(sp);
|
|
||||||
+ free(sp);
|
|
||||||
return (a2tun(s, NULL));
|
|
||||||
}
|
|
||||||
ep[0] = '\0'; ep++;
|
|
||||||
*remote = a2tun(ep, NULL);
|
|
||||||
tun = a2tun(sp, NULL);
|
|
||||||
- xfree(sp);
|
|
||||||
+ free(sp);
|
|
||||||
return (*remote == SSH_TUNID_ERR ? *remote : tun);
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -490,7 +490,7 @@
|
|
||||||
if (which >= args->num)
|
|
||||||
fatal("replacearg: tried to replace invalid arg %d >= %d",
|
|
||||||
which, args->num);
|
|
||||||
- xfree(args->list[which]);
|
|
||||||
+ free(args->list[which]);
|
|
||||||
args->list[which] = cp;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -501,8 +501,8 @@
|
|
||||||
|
|
||||||
if (args->list != NULL) {
|
|
||||||
for (i = 0; i < args->num; i++)
|
|
||||||
- xfree(args->list[i]);
|
|
||||||
- xfree(args->list);
|
|
||||||
+ free(args->list[i]);
|
|
||||||
+ free(args->list);
|
|
||||||
args->nalloc = args->num = 0;
|
|
||||||
args->list = NULL;
|
|
||||||
}
|
|
||||||
--- pam_ssh_agent_auth-0.9.3.orig/pam_user_authorized_keys.c 2013-10-30 17:14:26.017615218 +0100
|
|
||||||
+++ pam_ssh_agent_auth-0.9.3.orig/pam_user_authorized_keys.c 2013-10-30 17:15:07.361327550 +0100
|
|
||||||
@@ -121,7 +121,7 @@
|
|
||||||
}
|
|
||||||
authorized_keys_file = tilde_expand_filename(auth_keys_file_buf, authorized_keys_file_allowed_owner_uid);
|
|
||||||
strncpy(auth_keys_file_buf, authorized_keys_file, sizeof(auth_keys_file_buf) - 1 );
|
|
||||||
- xfree(authorized_keys_file) /* when we percent_expand later, we'd step on this, so free it immediately */;
|
|
||||||
+ free(authorized_keys_file) /* when we percent_expand later, we'd step on this, so free it immediately */;
|
|
||||||
}
|
|
||||||
|
|
||||||
if(strstr(auth_keys_file_buf, "%h")) {
|
|
||||||
--- pam_ssh_agent_auth-0.9.3.orig/pam_user_key_allowed2.c 2013-10-30 17:14:26.018615187 +0100
|
|
||||||
+++ pam_ssh_agent_auth-0.9.3.orig/pam_user_key_allowed2.c 2013-10-30 17:15:07.361327550 +0100
|
|
||||||
@@ -121,7 +121,7 @@
|
|
||||||
fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
|
|
||||||
logit("Found matching %s key: %s",
|
|
||||||
key_type(found), fp);
|
|
||||||
- xfree(fp);
|
|
||||||
+ free(fp);
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
--- pam_ssh_agent_auth-0.9.3.orig/ssh-dss.c 2013-10-30 17:14:26.014615310 +0100
|
|
||||||
+++ pam_ssh_agent_auth-0.9.3.orig/ssh-dss.c 2013-10-30 17:15:07.361327550 +0100
|
|
||||||
@@ -135,17 +135,17 @@
|
|
||||||
if (strcmp("ssh-dss", ktype) != 0) {
|
|
||||||
logerror("ssh_dss_verify: cannot handle type %s", ktype);
|
|
||||||
buffer_free(&b);
|
|
||||||
- xfree(ktype);
|
|
||||||
+ free(ktype);
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
- xfree(ktype);
|
|
||||||
+ free(ktype);
|
|
||||||
sigblob = buffer_get_string(&b, &len);
|
|
||||||
rlen = buffer_len(&b);
|
|
||||||
buffer_free(&b);
|
|
||||||
if (rlen != 0) {
|
|
||||||
logerror("ssh_dss_verify: "
|
|
||||||
"remaining bytes in signature %d", rlen);
|
|
||||||
- xfree(sigblob);
|
|
||||||
+ free(sigblob);
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@@ -167,7 +167,7 @@
|
|
||||||
|
|
||||||
/* clean up */
|
|
||||||
memset(sigblob, 0, len);
|
|
||||||
- xfree(sigblob);
|
|
||||||
+ free(sigblob);
|
|
||||||
|
|
||||||
/* sha1 the data */
|
|
||||||
EVP_DigestInit(&md, evp_md);
|
|
||||||
--- pam_ssh_agent_auth-0.9.3.orig/ssh-rsa.c 2013-10-30 17:14:26.015615278 +0100
|
|
||||||
+++ pam_ssh_agent_auth-0.9.3.orig/ssh-rsa.c 2013-10-30 17:15:07.362327518 +0100
|
|
||||||
@@ -70,7 +70,7 @@
|
|
||||||
|
|
||||||
logerror("ssh_rsa_sign: RSA_sign failed: %s",
|
|
||||||
ERR_error_string(ecode, NULL));
|
|
||||||
- xfree(sig);
|
|
||||||
+ free(sig);
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
if (len < slen) {
|
|
||||||
@@ -80,7 +80,7 @@
|
|
||||||
memset(sig, 0, diff);
|
|
||||||
} else if (len > slen) {
|
|
||||||
logerror("ssh_rsa_sign: slen %u slen2 %u", slen, len);
|
|
||||||
- xfree(sig);
|
|
||||||
+ free(sig);
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
/* encode signature */
|
|
||||||
@@ -96,7 +96,7 @@
|
|
||||||
}
|
|
||||||
buffer_free(&b);
|
|
||||||
memset(sig, 's', slen);
|
|
||||||
- xfree(sig);
|
|
||||||
+ free(sig);
|
|
||||||
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
@@ -128,23 +128,23 @@
|
|
||||||
if (strcmp("ssh-rsa", ktype) != 0) {
|
|
||||||
logerror("ssh_rsa_verify: cannot handle type %s", ktype);
|
|
||||||
buffer_free(&b);
|
|
||||||
- xfree(ktype);
|
|
||||||
+ free(ktype);
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
- xfree(ktype);
|
|
||||||
+ free(ktype);
|
|
||||||
sigblob = buffer_get_string(&b, &len);
|
|
||||||
rlen = buffer_len(&b);
|
|
||||||
buffer_free(&b);
|
|
||||||
if (rlen != 0) {
|
|
||||||
logerror("ssh_rsa_verify: remaining bytes in signature %d", rlen);
|
|
||||||
- xfree(sigblob);
|
|
||||||
+ free(sigblob);
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
/* RSA_verify expects a signature of RSA_size */
|
|
||||||
modlen = RSA_size(key->rsa);
|
|
||||||
if (len > modlen) {
|
|
||||||
logerror("ssh_rsa_verify: len %u > modlen %u", len, modlen);
|
|
||||||
- xfree(sigblob);
|
|
||||||
+ free(sigblob);
|
|
||||||
return -1;
|
|
||||||
} else if (len < modlen) {
|
|
||||||
u_int diff = modlen - len;
|
|
||||||
@@ -158,7 +158,7 @@
|
|
||||||
nid = (datafellows & SSH_BUG_RSASIGMD5) ? NID_md5 : NID_sha1;
|
|
||||||
if ((evp_md = EVP_get_digestbynid(nid)) == NULL) {
|
|
||||||
logerror("ssh_rsa_verify: EVP_get_digestbynid %d failed", nid);
|
|
||||||
- xfree(sigblob);
|
|
||||||
+ free(sigblob);
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
EVP_DigestInit(&md, evp_md);
|
|
||||||
@@ -168,7 +168,7 @@
|
|
||||||
ret = openssh_RSA_verify(nid, digest, dlen, sigblob, len, key->rsa);
|
|
||||||
memset(digest, 'd', sizeof(digest));
|
|
||||||
memset(sigblob, 's', len);
|
|
||||||
- xfree(sigblob);
|
|
||||||
+ free(sigblob);
|
|
||||||
verbose("ssh_rsa_verify: signature %scorrect", (ret==0) ? "in" : "");
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
@@ -258,6 +258,6 @@
|
|
||||||
ret = 1;
|
|
||||||
done:
|
|
||||||
if (decrypted)
|
|
||||||
- xfree(decrypted);
|
|
||||||
+ free(decrypted);
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
--- pam_ssh_agent_auth-0.9.3.orig/userauth_pubkey_from_id.c 2013-10-30 17:14:26.014615310 +0100
|
|
||||||
+++ pam_ssh_agent_auth-0.9.3.orig/userauth_pubkey_from_id.c 2013-10-30 17:15:07.362327518 +0100
|
|
||||||
@@ -92,9 +92,9 @@
|
|
||||||
if(&b != NULL)
|
|
||||||
buffer_free(&b);
|
|
||||||
if(sig != NULL)
|
|
||||||
- xfree(sig);
|
|
||||||
+ free(sig);
|
|
||||||
if(pkblob != NULL)
|
|
||||||
- xfree(pkblob);
|
|
||||||
+ free(pkblob);
|
|
||||||
CRYPTO_cleanup_all_ex_data();
|
|
||||||
return authenticated;
|
|
||||||
}
|
|
||||||
--- pam_ssh_agent_auth-0.9.3.orig/uuencode.c 2013-10-30 17:14:26.015615278 +0100
|
|
||||||
+++ pam_ssh_agent_auth-0.9.3.orig/uuencode.c 2013-10-30 17:15:07.362327518 +0100
|
|
||||||
@@ -56,7 +56,7 @@
|
|
||||||
/* and remove trailing whitespace because __b64_pton needs this */
|
|
||||||
*p = '\0';
|
|
||||||
len = __b64_pton(encoded, target, targsize);
|
|
||||||
- xfree(encoded);
|
|
||||||
+ free(encoded);
|
|
||||||
return len;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -79,5 +79,5 @@
|
|
||||||
}
|
|
||||||
if (i % 70 != 69)
|
|
||||||
fprintf(fp, "\n");
|
|
||||||
- xfree(buf);
|
|
||||||
+ free(buf);
|
|
||||||
}
|
|