From owner-freebsd-current Wed May 2 12:30:14 2001 Delivered-To: freebsd-current@freebsd.org Received: from quack.kfu.com (quack.kfu.com [205.178.90.194]) by hub.freebsd.org (Postfix) with ESMTP id 8AE7E37B424; Wed, 2 May 2001 12:29:49 -0700 (PDT) (envelope-from nsayer@quack.kfu.com) Received: from medusa.kfu.com (medusa.kfu.com [3ffe:1200:301b:0:290:27ff:fed1:576b]) by quack.kfu.com (8.11.3/8.11.3) with ESMTP id f42JTf058525 (using TLSv1/SSLv3 with cipher EDH-RSA-DES-CBC3-SHA (168 bits) verified OK); Wed, 2 May 2001 12:29:47 -0700 (PDT) (envelope-from nsayer@quack.kfu.com) Received: (from nsayer@localhost) by medusa.kfu.com (8.11.3/8.11.3) id f42JTfs08425; Wed, 2 May 2001 12:29:41 -0700 (PDT) (envelope-from nsayer) Date: Wed, 2 May 2001 12:29:41 -0700 (PDT) From: nsayer@quack.kfu.com Message-Id: <200105021929.f42JTfs08425@medusa.kfu.com> To: freebsd-current@freebsd.org, freebsd-stable@freebsd.org Subject: RFD: SRA telnet PAM patch Sender: owner-freebsd-current@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG The problem noted was that telnetd was allowing root logins. This patch doesn't directly address that, but by making SRA use PAM the hope is that it will be easier to have policy changes take place with PAM rather than all over the place. Suggestions on either how to improve this patch or what should be done to bar root logins are welcome. Index: src/etc/pam.conf =================================================================== RCS file: /home/ncvs/src/etc/pam.conf,v retrieving revision 1.13 diff -u -r1.13 pam.conf --- src/etc/pam.conf 2001/04/06 05:52:53 1.13 +++ src/etc/pam.conf 2001/05/02 19:26:35 
@@ -86,6 +86,10 @@
 # "csshd" is for challenge-based authentication with sshd (TIS auth, etc.)
 csshd auth required pam_skey.so
+# SRA telnet. Non-SRA telnet uses 'login'.
+telnetd auth required pam_unix.so try_first_pass
+telnetd account required pam_unix.so
+
 # Don't break startx
 xserver auth required pam_permit.so
Index: crypto/telnet/libtelnet/sra.c
===================================================================
RCS file: /home/ncvs/src/crypto/telnet/libtelnet/sra.c,v
retrieving revision 1.1.2.1
diff -u -r1.1.2.1 sra.c
--- crypto/telnet/libtelnet/sra.c 2000/09/20 02:32:05 1.1.2.1
+++ crypto/telnet/libtelnet/sra.c 2001/05/02 19:26:36
@@ -13,6 +13,10 @@
 #include
 #endif
+#if !defined(NOPAM)
+#include
+#endif
+
 #include "auth.h"
 #include "misc.h"
 #include "encrypt.h"
@@ -447,6 +451,7 @@
 return (&save);
 }
+#ifdef NOPAM
 char *crypt();
 int check_user(name, pass)
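Review bot: The conditional opened by `+#ifdef NOPAM` in the second sra.c hunk spells the guard differently from the `#if !defined(NOPAM)` added around the include in the first hunk; using one form throughout (`#ifdef NOPAM` / `#ifndef NOPAM`) makes the two halves easier to match up, especially since the matching `#else` and `#endif` sit in a later hunk outside this one. The `#include` added under that guard has lost its header name in this rendering, so it cannot be confirmed here that it brings in the pam_appl declarations that auth_conv and check_user depend on.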
@@ -474,7 +479,135 @@
 }
 return(0);
 }
+#else
+
+/*
+ * The following is stolen from ftpd, which stole it from the imap-uw
+ * PAM module and login.c. It is needed because we can't really
+ * "converse" with the user, having already gone to the trouble of
+ * getting their username and password through an encrypted channel.
+ */
+
+#define COPY_STRING(s) (s ? strdup(s):NULL)
+
+struct cred_t {
+ const char *uname;
+ const char *pass;
+};
+typedef struct cred_t cred_t;
+
+auth_conv(int num_msg, const struct pam_message **msg,
+ struct pam_response **resp, void *appdata)
+{
+ int i;
+ cred_t *cred = (cred_t *) appdata;
+ struct pam_response *reply =
+ malloc(sizeof(struct pam_response) * num_msg);
+
+ for (i = 0; i < num_msg; i++) {
+ switch (msg[i]->msg_style) {
+ case PAM_PROMPT_ECHO_ON: /* assume want user name */
+ reply[i].resp_retcode = PAM_SUCCESS;
+ reply[i].resp = COPY_STRING(cred->uname);
+ /* PAM frees resp. */
+ break;
+ case PAM_PROMPT_ECHO_OFF: /* assume want password */
+ reply[i].resp_retcode = PAM_SUCCESS;
+ reply[i].resp = COPY_STRING(cred->pass);
+ /* PAM frees resp. */
+ break;
+ case PAM_TEXT_INFO:
+ case PAM_ERROR_MSG:
+ reply[i].resp_retcode = PAM_SUCCESS;
+ reply[i].resp = NULL;
+ break;
+ default: /* unknown message style */
+ free(reply);
+ return PAM_CONV_ERR;
+ }
+ }
+
+ *resp = reply;
+ return PAM_SUCCESS;
+}
+
+/*
+ * The PAM version as a side effect may put a new username in *user.
+ */
+int check_user(const char *name, const char *pass)
+{
+ pam_handle_t *pamh = NULL;
+ const char *tmpl_user;
+ const void *item;
+ int rval;
+ int e;
+ cred_t auth_cred = { name, pass };
+ struct pam_conv conv = { &auth_conv, &auth_cred };
+
+ e = pam_start("telnetd", name, &conv, &pamh);
+ if (e != PAM_SUCCESS) {
+ syslog(LOG_ERR, "pam_start: %s", pam_strerror(pamh, e));
+ return 0;
+ }
+
+#if 0 /* Where can we find this value? 
*/
+ e = pam_set_item(pamh, PAM_RHOST, remotehost);
+ if (e != PAM_SUCCESS) {
+ syslog(LOG_ERR, "pam_set_item(PAM_RHOST): %s",
+ pam_strerror(pamh, e));
+ return 0;
+ }
+#endif
+
+ e = pam_authenticate(pamh, 0);
+ switch (e) {
+ case PAM_SUCCESS:
+ /*
+ * With PAM we support the concept of a "template"
+ * user. The user enters a login name which is
+ * authenticated by PAM, usually via a remote service
+ * such as RADIUS or TACACS+. If authentication
+ * succeeds, a different but related "template" name
+ * is used for setting the credentials, shell, and
+ * home directory. The name the user enters need only
+ * exist on the remote authentication server, but the
+ * template name must be present in the local password
+ * database.
+ *
+ * This is supported by two various mechanisms in the
+ * individual modules. However, from the application's
+ * point of view, the template user is always passed
+ * back as a changed value of the PAM_USER item.
+ */
+ if ((e = pam_get_item(pamh, PAM_USER, &item)) ==
+ PAM_SUCCESS) {
+ strcpy(user, (const char *) item);
+ } else
+ syslog(LOG_ERR, "Couldn't get PAM_USER: %s",
+ pam_strerror(pamh, e));
+ rval = 1;
+ break;
+
+ case PAM_AUTH_ERR:
+ case PAM_USER_UNKNOWN:
+ case PAM_MAXTRIES:
+ rval = 0;
+ break;
+
+ default:
+ syslog(LOG_ERR, "auth_pam: %s", pam_strerror(pamh, e));
+ rval = 0;
+ break;
+ }
+
+ if ((e = pam_end(pamh, e)) != PAM_SUCCESS) {
+ syslog(LOG_ERR, "pam_end: %s", pam_strerror(pamh, e));
+ rval = 0;
+ }
+ return rval;
+}
+#endif
 #endif
Index: secure/src/secure/libexec/telnetd/Makefile
===================================================================
RCS file: /home/ncvs/src/secure/libexec/telnetd/Makefile,v
retrieving revision 1.22
diff -u -r1.22 Makefile
--- secure/src/secure/libexec/telnetd/Makefile 2001/03/28 12:08:19 1.22
+++ secure/src/secure/libexec/telnetd/Makefile 2001/05/02 19:26:37
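Review bot: check_user accepts the login as soon as pam_authenticate() returns PAM_SUCCESS and never calls `pam_acct_mgmt(pamh, 0)`, so the `telnetd account required pam_unix.so` line added in the pam.conf hunk is dead configuration; account management is exactly where a root-login or password-expiry policy would be enforced, so the PAM_SUCCESS case should run it before setting `rval = 1` (rewritten lines below). The PAM_USER copy is an unbounded `strcpy(user, ...)` of a module-supplied string; `user` is declared outside this hunk and is presumably a fixed-size array, in which case `strlcpy(user, (const char *) item, sizeof user)` (or an explicit length check before the copy) is needed. In auth_conv the `malloc` result is dereferenced without a NULL check, the definition has no return type (implicit int — it should be `static int`), and the `PAM_CONV_ERR` path frees the array but not the `resp` strings already strdup'd into earlier entries. `tmpl_user` is declared and never used, and the `#if 0` PAM_RHOST block returns without `pam_end()`, so if it is ever enabled it should take the common cleanup path instead of leaking the handle.
```c
	case PAM_SUCCESS:
		/* … unchanged: template-user comment … */
		if ((e = pam_acct_mgmt(pamh, 0)) != PAM_SUCCESS) {
			syslog(LOG_ERR, "pam_acct_mgmt: %s", pam_strerror(pamh, e));
			rval = 0;
			break;
		}
		if ((e = pam_get_item(pamh, PAM_USER, &item)) == PAM_SUCCESS) {
			/* assumes user is a char array, not a pointer -- confirm */
			strlcpy(user, (const char *) item, sizeof user);
		} else
			syslog(LOG_ERR, "Couldn't get PAM_USER: %s",
			    pam_strerror(pamh, e));
		rval = 1;
		break;
	/* … unchanged: PAM_AUTH_ERR / PAM_USER_UNKNOWN / default cases and pam_end() … */
```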
@@ -15,7 +15,7 @@
 DPADD= ${LIBUTIL} ${LIBTERMCAP} ${LIBTELNET} ${LIBCRYPTO} ${LIBMP} \
 ${LIBCRYPT}
-LDADD= -lutil -ltermcap ${LIBTELNET} -lcrypto -lcrypt -lmp
+LDADD= -lutil -ltermcap ${LIBTELNET} -lcrypto -lcrypt -lmp -lpam
 .include
Index: secure/src/secure/usr.bin/telnet/Makefile
===================================================================
RCS file: /home/ncvs/src/secure/usr.bin/telnet/Makefile,v
retrieving revision 1.24
diff -u -r1.24 Makefile
--- secure/src/secure/usr.bin/telnet/Makefile 2001/03/28 12:08:19 1.24
+++ secure/src/secure/usr.bin/telnet/Makefile 2001/05/02 19:26:37
@@ -12,7 +12,7 @@
 DPADD= ${LIBTERMCAP} ${LIBTELNET} ${LIBCRYPTO} ${LIBCRYPT} ${LIBMP}
 DPADD+= ${LIBIPSEC}
 LDADD= -ltermcap ${LIBTELNET} -lcrypto -lcrypt -lmp
-LDADD+= -lipsec
+LDADD+= -lipsec -lpam
 .include
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-current" in the body of the message
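Review bot: Both Makefile hunks add `-lpam` to LDADD without touching DPADD, so the make dependency list no longer matches the link line; add `DPADD+= ${LIBPAM}` next to each new `-lpam`. sra.c compiles its PAM code only `#if !defined(NOPAM)`, while the link here is unconditional; wrapping both additions in `.if !defined(NOPAM)` … `.endif` keeps a NOPAM build from requiring libpam. The telnet client presumably needs libpam only because the PAM check_user lives in the shared libtelnet; a one-line comment such as `# libtelnet's SRA check_user() calls PAM (sra.c)` would explain an otherwise surprising dependency in a client program.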