Date: Mon, 21 Jan 2002 05:50:09 +0300
From: "Andrey A. Chernov" <ache@nagual.pp.ru>
To: Dag-Erling Smorgrav <des@ofug.org>
Cc: Mark Murray <mark@grondar.za>, current@FreeBSD.ORG
Subject: Re: Step5, pam_opie OPIE auth fix for review
Message-ID: <20020121025009.GA30673@nagual.pp.ru>
In-Reply-To: <xzp665w1otd.fsf@flood.ping.uio.no>
References: <20020120220254.GA25886@nagual.pp.ru> <200201202314.g0KNEDt34526@grimreaper.grondar.org> <20020120233050.GA26913@nagual.pp.ru> <xzpvgdw1sqp.fsf@flood.ping.uio.no> <20020121000446.GB27206@nagual.pp.ru> <xzpn0z81rrr.fsf@flood.ping.uio.no> <20020121002557.GB27831@nagual.pp.ru> <xzpelkk1qnb.fsf@flood.ping.uio.no> <20020121004906.GA28231@nagual.pp.ru> <xzp665w1otd.fsf@flood.ping.uio.no>
On Mon, Jan 21, 2002 at 02:21:34 +0100, Dag-Erling Smorgrav wrote:
>
> No need. See the attached patch.
>
Tested. I used /etc/pam.d/login for the test, with the following OPIE lines:
auth sufficient pam_opie.so no_warn
auth requisite pam_opieaccess.so no_warn
Two problems found, patch included below.
1) When OPIE is turned on in the system, not necessarily all users are
OPIE-ed, only those who are listed in /etc/opiekeys. It means that the
pam_opieaccess() module must do something only for valid OPIE users
listed in /etc/opiekeys and do nothing for others. I use the opiechallenge()
check for it, and if it fails, return PAM_IGNORE.
2) opiealways() returns just the opposite of what you might expect; see the
comment in /usr/src/contrib/opie/libopie/accessfile.c about it. Fixed by
removing the "!".
Besides these two things, all works as expected.
--- pam_opieaccess.c.old Mon Jan 21 04:35:08 2002
+++ pam_opieaccess.c Mon Jan 21 05:47:27 2002
@@ -55,8 +55,10 @@
PAM_EXTERN int
pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
+ struct opie opie;
struct options options;
struct passwd *pwent;
+ char challenge[OPIE_CHALLENGE_MAX];
char *luser, *rhost;
int r;
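Review bot: the new `challenge[OPIE_CHALLENGE_MAX]` buffer should be checked against the opiechallenge(3) contract before this goes in: if the library writes the challenge plus a terminating NUL, the array needs to be `OPIE_CHALLENGE_MAX + 1` bytes, otherwise it is a one-byte stack overrun on every call for an OPIE user. Both `opie` and `challenge` are only scratch storage for the membership probe in the next hunk, so a short comment saying their contents are discarded would help the next reader.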
@@ -64,22 +66,32 @@
PAM_LOG("Options processed");
- r = pam_get_item(pamh, PAM_RHOST, (const void **)&rhost);
- if (r != PAM_SUCCESS)
- PAM_RETURN(r);
- if (rhost == NULL)
- PAM_RETURN(PAM_SYSTEM_ERR);
-
r = pam_get_item(pamh, PAM_USER, (const void **)&luser);
if (r != PAM_SUCCESS)
PAM_RETURN(r);
if (luser == NULL)
PAM_RETURN(PAM_SYSTEM_ERR);
+ /*
+ * Don't call the OPIE atexit() handler when our program exits,
+ * since the module has been unloaded and we will SEGV.
+ */
+ opiedisableaeh();
+
+ if (opiechallenge(&opie, (char *)luser, challenge) != 0)
+ PAM_RETURN(PAM_IGNORE);
+ opieunlock();
+
+ r = pam_get_item(pamh, PAM_RHOST, (const void **)&rhost);
+ if (r != PAM_SUCCESS)
+ PAM_RETURN(r);
+ if (rhost == NULL)
+ PAM_RETURN(PAM_SYSTEM_ERR);
+
if ((pwent = getpwnam(luser)) == NULL)
PAM_RETURN(PAM_SYSTEM_ERR);
- if (opieaccessfile(rhost) && !opiealways(pwent->pw_dir))
+ if (opieaccessfile(rhost) && opiealways(pwent->pw_dir))
PAM_RETURN(PAM_IGNORE);
PAM_VERBOSE_ERROR("Refused; remote host is not in opieaccess");
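Review bot: the fixed condition `opieaccessfile(rhost) && opiealways(pwent->pw_dir)` reads as "host allowed and user always wants OPIE, so skip the check", which is the opposite of what it does; without a one-line comment at the call site pointing at the inverted sense documented in libopie/accessfile.c, the next person will put the `!` back. The opiechallenge()/opieunlock() pair likewise deserves a comment stating that it is used only to test whether `luser` has an /etc/opiekeys entry and that the generated challenge is thrown away; the `(char *)` cast on `luser` is redundant, since `luser` is already declared `char *`. Moving the PAM_RHOST lookup after the probe is fine: non-OPIE users now leave with PAM_IGNORE before the host is ever consulted, which is exactly the behaviour the mail asks for.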
--
Andrey A. Chernov
http://ache.pp.ru/
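For readers following the thread, an added example that is not part of the patch or of OpenPAM: it models the /etc/pam.d/login stack quoted above with pam_opieaccess as patched, and shows why returning PAM_IGNORE for users absent from /etc/opiekeys matters. The trailing "auth required pam_unix.so" line, the field names of `struct attempt` and the inverted sense of opiealways() (taken from the mail) are assumptions.

```c
/* Added example, not code from the patch or OpenPAM: a model of the
 * /etc/pam.d/login stack quoted in the mail, with pam_opieaccess as patched.
 * A final "auth required pam_unix.so" line is assumed. */
#include <stdbool.h>
#include <stddef.h>
enum { PAM_SUCCESS = 0, PAM_AUTH_ERR = 7, PAM_IGNORE = 25 };
enum control { REQUIRED, REQUISITE, SUFFICIENT };
struct attempt {            /* one constructed login attempt */
    bool in_opiekeys;       /* opiechallenge() succeeds for this user */
    bool otp_ok;            /* correct one-time password typed */
    bool host_trusted;      /* opieaccessfile(rhost) is nonzero */
    bool opiealways_file;   /* ~/.opiealways exists */
    bool unix_pw_ok;        /* correct reusable password typed */
};
/* pam_opie: success only on a correct OTP (a failing "sufficient" line is skipped). */
static int pam_opie(const struct attempt *a) {
    return a->in_opiekeys && a->otp_ok ? PAM_SUCCESS : PAM_AUTH_ERR;
}
/* pam_opieaccess after the patch.  Per the mail, opiealways() is true when
 * ~/.opiealways is absent, which the negation below models. */
static int pam_opieaccess(const struct attempt *a) {
    if (!a->in_opiekeys) return PAM_IGNORE;   /* not an OPIE user: do nothing */
    if (a->host_trusted && !a->opiealways_file) return PAM_IGNORE;
    return PAM_AUTH_ERR;   /* "Refused; remote host is not in opieaccess" */
}
static int pam_unix(const struct attempt *a) {
    return a->unix_pw_ok ? PAM_SUCCESS : PAM_AUTH_ERR;
}
static const struct { enum control ctl; int (*mod)(const struct attempt *); }
login_stack[] = {
    { SUFFICIENT, pam_opie },        /* auth sufficient pam_opie.so no_warn */
    { REQUISITE,  pam_opieaccess },  /* auth requisite pam_opieaccess.so no_warn */
    { REQUIRED,   pam_unix },        /* assumed */
};
/* Walk the stack with the usual control-flag rules; PAM_IGNORE skips a line. */
int login_auth(const struct attempt *a) {
    int failed = PAM_SUCCESS;
    for (size_t i = 0; i < sizeof login_stack / sizeof login_stack[0]; i++) {
        enum control ctl = login_stack[i].ctl;
        int rv = login_stack[i].mod(a);
        if (rv == PAM_IGNORE) continue;
        if (ctl == SUFFICIENT && rv == PAM_SUCCESS && failed == PAM_SUCCESS)
            return PAM_SUCCESS;             /* later lines are not run */
        if (ctl == REQUISITE && rv != PAM_SUCCESS)
            return rv;                      /* stop at once: no password path */
        if (ctl == REQUIRED && rv != PAM_SUCCESS && failed == PAM_SUCCESS)
            failed = rv;
    }
    return failed;
}
```

With the old, unconditional host check a non-OPIE user on an untrusted host was refused by the requisite line before pam_unix ever ran; with the patch that user falls through to the password, while an OPIE user who types a reusable password from an untrusted host is still stopped.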