From owner-freebsd-current Sun Jan 20 18:50:30 2002
Delivered-To: freebsd-current@freebsd.org
Received: from nagual.pp.ru (pobrecita.freebsd.ru [194.87.13.42]) by hub.freebsd.org (Postfix) with ESMTP id 0660037B400 for ; Sun, 20 Jan 2002 18:50:25 -0800 (PST)
Received: (from ache@localhost) by nagual.pp.ru (8.11.6/8.11.6) id g0L2o9N30716; Mon, 21 Jan 2002 05:50:09 +0300 (MSK) (envelope-from ache)
Date: Mon, 21 Jan 2002 05:50:09 +0300
From: "Andrey A. Chernov"
To: Dag-Erling Smorgrav
Cc: Mark Murray, current@FreeBSD.ORG
Subject: Re: Step5, pam_opie OPIE auth fix for review
Message-ID: <20020121025009.GA30673@nagual.pp.ru>
References: <20020120220254.GA25886@nagual.pp.ru> <200201202314.g0KNEDt34526@grimreaper.grondar.org> <20020120233050.GA26913@nagual.pp.ru> <20020121000446.GB27206@nagual.pp.ru> <20020121002557.GB27831@nagual.pp.ru> <20020121004906.GA28231@nagual.pp.ru>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To:
User-Agent: Mutt/1.3.24i
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Mon, Jan 21, 2002 at 02:21:34 +0100, Dag-Erling Smorgrav wrote:
>
> No need. See the attached patch.
>

Tested. I use /etc/pam.d/login for the test with the following OPIE lines:

auth sufficient pam_opie.so no_warn
auth requisite pam_opieaccess.so no_warn

Two problems found, patch included below.

1) When OPIE is turned on in the system, not necessarily all users are OPIE-ed, only those who are listed in /etc/opiekeys. It means that the pam_opieaccess() module must do something only for valid OPIE users listed in /etc/opiekeys and do nothing for others. I use the opiechallenge() check for it, and if it fails, return PAM_IGNORE.

2) opiealways() returns just the opposite of what you might expect, see the /usr/src/contrib/opie/libopie/accessfile.c comment about it. Fixed by removing "!".

Besides these two things, all works as expected.

--- pam_opieaccess.c.old Mon Jan 21 04:35:08 2002 +++ pam_opieaccess.c Mon Jan 21 05:47:27 2002 @@ -55,8 +55,10 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) { + struct opie opie; struct options options; struct passwd *pwent; + char challenge[OPIE_CHALLENGE_MAX]; char *luser, *rhost; int r;
@@ -64,22 +66,32 @@ PAM_LOG("Options processed"); - r = pam_get_item(pamh, PAM_RHOST, (const void **)&rhost); - if (r != PAM_SUCCESS) - PAM_RETURN(r); - if (rhost == NULL) - PAM_RETURN(PAM_SYSTEM_ERR); - r = pam_get_item(pamh, PAM_USER, (const void **)&luser); if (r != PAM_SUCCESS) PAM_RETURN(r); if (luser == NULL) PAM_RETURN(PAM_SYSTEM_ERR); + /* + * Don't call the OPIE atexit() handler when our program exits, + * since the module has been unloaded and we will SEGV. + */ + opiedisableaeh(); + + if (opiechallenge(&opie, (char *)luser, challenge) != 0) + PAM_RETURN(PAM_IGNORE); + opieunlock(); + + r = pam_get_item(pamh, PAM_RHOST, (const void **)&rhost); + if (r != PAM_SUCCESS) + PAM_RETURN(r); + if (rhost == NULL) + PAM_RETURN(PAM_SYSTEM_ERR); + if ((pwent = getpwnam(luser)) == NULL) PAM_RETURN(PAM_SYSTEM_ERR); - if (opieaccessfile(rhost) && !opiealways(pwent->pw_dir)) + if (opieaccessfile(rhost) && opiealways(pwent->pw_dir)) PAM_RETURN(PAM_IGNORE); PAM_VERBOSE_ERROR("Refused; remote host is not in opieaccess");
--
Andrey A. Chernov
http://ache.pp.ru/
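Review bot: in the first hunk the two new locals, `struct opie opie;` and `char challenge[OPIE_CHALLENGE_MAX];`, exist only so opiechallenge() has somewhere to write, since the generated challenge is never used; a short comment at the `challenge` declaration saying it is scratch space for the membership test would spare the next reader a search for where the challenge is consumed.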
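Review bot: in the second hunk every non-zero return from opiechallenge() is mapped to PAM_IGNORE, not only "no entry in /etc/opiekeys", and the early `PAM_RETURN(PAM_IGNORE)` also skips the opieunlock() that follows on the success path. Since that unlock shows opiechallenge() takes the per-user lock, a failure to take it, or any other internal error, for a genuine OPIE user silently exempts that user from the opieaccess check and lets the password modules decide, which fails open under exactly the condition the module exists to prevent. Consider testing membership with opielookup() instead, or at least mapping only the "user not found" outcome to PAM_IGNORE and returning PAM_SYSTEM_ERR for everything else, and confirm that opiechallenge() leaves no lock held when it fails. Moving the PAM_RHOST lookup after the OPIE check is reasonable, but a one-line comment that non-OPIE users are deliberately exempted from the rhost requirement would record the intent, and the `(char *)luser` cast deserves a note that it only drops const to match opiechallenge()'s prototype.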
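The message above relies on two pieces of PAM behaviour that are easy to get wrong: a `requisite` module that fails ends the stack with a denial, and PAM_IGNORE makes the stack behave as though the module were not listed. The toy model below, an added example that is not part of the thread and not FreeBSD's pam_opieaccess or libpam code, evaluates the two /etc/pam.d/login lines from the message (plus an assumed pam_unix-style password module at the end) against constructed accounts and hosts. It shows why pam_opieaccess must return PAM_IGNORE for users absent from /etc/opiekeys: without fix 1 an ordinary password user is refused from any host not in opieaccess. The meaning given to ~/.opiealways (the user never accepts a reusable password), the PAM return values, the trusted-host list and the accounts are all assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

enum { PAM_SUCCESS = 0, PAM_AUTH_ERR = 7, PAM_IGNORE = 25 }; /* illustrative values, not libpam's */
enum control { REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL };

/* Constructed account: listed in /etc/opiekeys? has ~/.opiealways (assumed: never accept a password)? */
struct account { int has_opie_key; int wants_opie_always; };
/* One login attempt: who, from which remote host, and which credentials would verify. */
struct attempt { const struct account *acct; const char *rhost; int otp_valid; int pw_valid; };

/* Stand-in for opieaccessfile(): hosts from which a reusable password is tolerated. */
static int rhost_in_opieaccess(const char *rhost)
{
    static const char *const trusted[] = { "localhost", "console", NULL }; /* constructed list */
    for (size_t i = 0; trusted[i] != NULL; i++)
        if (strcmp(trusted[i], rhost) == 0)
            return 1;
    return 0;
}

/* pam_opie: succeeds only for an OPIE user who typed a valid one-time password. */
static int pam_opie(const struct attempt *a, int fixed)
{
    (void)fixed;
    return (a->acct->has_opie_key && a->otp_valid) ? PAM_SUCCESS : PAM_AUTH_ERR;
}

/* pam_opieaccess as the message describes it: with fix 1 (fixed != 0) an account absent from
 * /etc/opiekeys gets PAM_IGNORE; without it every account is judged by rhost. An OPIE user may
 * fall through to a password only from an opieaccess host and only without ~/.opiealways. */
static int pam_opieaccess(const struct attempt *a, int fixed)
{
    if (fixed && !a->acct->has_opie_key)
        return PAM_IGNORE;
    if (rhost_in_opieaccess(a->rhost) && !a->acct->wants_opie_always)
        return PAM_IGNORE;
    return PAM_AUTH_ERR;
}

/* Assumed tail of the stack: a pam_unix-style reusable-password check. */
static int pam_unix(const struct attempt *a, int fixed)
{
    (void)fixed;
    return a->pw_valid ? PAM_SUCCESS : PAM_AUTH_ERR;
}

struct entry { enum control ctl; int (*module)(const struct attempt *, int); };

/* Dispatch with the usual control-flag rules: PAM_IGNORE drops the module from consideration,
 * a requisite failure ends the stack at once, a sufficient success ends it unless a required
 * module already failed, required failures are remembered until the end, no verdict means deny. */
static int run_auth_stack(const struct entry *stack, size_t n, const struct attempt *a, int fixed)
{
    int first_failure = PAM_SUCCESS, decided = 0;
    for (size_t i = 0; i < n; i++) {
        int rc = stack[i].module(a, fixed);
        if (rc == PAM_IGNORE)
            continue;
        switch (stack[i].ctl) {
        case REQUISITE:
            if (rc != PAM_SUCCESS) return rc;
            decided = 1; break;
        case REQUIRED:
            if (rc != PAM_SUCCESS && first_failure == PAM_SUCCESS) first_failure = rc;
            decided = 1; break;
        case SUFFICIENT:
            if (rc == PAM_SUCCESS && first_failure == PAM_SUCCESS) return PAM_SUCCESS;
            break;
        case OPTIONAL:
            break;
        }
    }
    return decided ? first_failure : PAM_AUTH_ERR;
}

/* The two /etc/pam.d/login lines from the message, plus the assumed pam_unix fallback. */
static const struct entry login_auth[] = {
    { SUFFICIENT, pam_opie }, { REQUISITE, pam_opieaccess }, { REQUIRED, pam_unix },
};

/* Run one attempt through the stack; fixed selects pam_opieaccess with or without fix 1. */
static int try_login(const struct account *acct, const char *rhost, int otp_valid, int pw_valid, int fixed)
{
    struct attempt a = { acct, rhost, otp_valid, pw_valid };
    return run_auth_stack(login_auth, sizeof login_auth / sizeof login_auth[0], &a, fixed);
}

static const struct account alice = { 1, 0 }; /* OPIE user; password tolerated from opieaccess hosts */
static const struct account carol = { 1, 1 }; /* OPIE user with ~/.opiealways */
static const struct account bob   = { 0, 0 }; /* ordinary user, not in /etc/opiekeys */

int main(void)
{
    printf("bob, password from far.example: before fix %d, after fix %d\n",
           try_login(&bob, "far.example", 0, 1, 0), try_login(&bob, "far.example", 0, 1, 1));
    printf("alice, password from far.example %d, from localhost %d; carol from localhost %d\n",
           try_login(&alice, "far.example", 0, 1, 1), try_login(&alice, "localhost", 0, 1, 1),
           try_login(&carol, "localhost", 0, 1, 1));
    return 0;
}
```

The interesting row is bob: with the unfixed module, `requisite` turns his PAM_AUTH_ERR from pam_opieaccess into a denial before pam_unix ever runs, even though he has no OPIE key to protect; with fix 1 the module steps aside and the stack falls through to the password check, while alice and carol keep the restrictions the module is there to enforce.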