From owner-freebsd-current  Wed May  2 12:30:14 2001
Delivered-To: freebsd-current@freebsd.org
Received: from quack.kfu.com (quack.kfu.com [205.178.90.194])
	by hub.freebsd.org (Postfix) with ESMTP
	id 8AE7E37B424; Wed,  2 May 2001 12:29:49 -0700 (PDT)
	(envelope-from nsayer@quack.kfu.com)
Received: from medusa.kfu.com (medusa.kfu.com [3ffe:1200:301b:0:290:27ff:fed1:576b])
	by quack.kfu.com (8.11.3/8.11.3) with ESMTP id f42JTf058525
	(using TLSv1/SSLv3 with cipher EDH-RSA-DES-CBC3-SHA (168 bits) verified OK);
	Wed, 2 May 2001 12:29:47 -0700 (PDT)
	(envelope-from nsayer@quack.kfu.com)
Received: (from nsayer@localhost)
	by medusa.kfu.com (8.11.3/8.11.3) id f42JTfs08425;
	Wed, 2 May 2001 12:29:41 -0700 (PDT)
	(envelope-from nsayer)
Date: Wed, 2 May 2001 12:29:41 -0700 (PDT)
From: nsayer@quack.kfu.com
Message-Id: <200105021929.f42JTfs08425@medusa.kfu.com>
To: freebsd-current@freebsd.org, freebsd-stable@freebsd.org
Subject: RFD: SRA telnet PAM patch
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

The problem noted was that telnetd was allowing root logins. This patch doesn'tt
directly address that, but by making SRA use PAM the hope is that it will be
easier to have policy changes take place with PAM rather than all over
the place.

Suggestions on either how to imrpove this patch or what should be done
to bar root logins are welcome.

Index: src/etc/pam.conf
===================================================================
RCS file: /home/ncvs/src/etc/pam.conf,v
retrieving revision 1.13
diff -u -r1.13 pam.conf
--- src/etc/pam.conf	2001/04/06 05:52:53	1.13
+++ src/etc/pam.conf	2001/05/02 19:26:35
@@ -86,6 +86,10 @@
 # "csshd" is for challenge-based authentication with sshd (TIS auth, etc.)
 csshd	auth	required	pam_skey.so
 
+# SRA telnet. Non-SRA telnet uses 'login'.
+telnetd	auth	required	pam_unix.so			try_first_pass
+telnetd	account	required	pam_unix.so
+
 # Don't break startx
 xserver	auth	required	pam_permit.so
 
Index: crypto/telnet/libtelnet/sra.c
===================================================================
RCS file: /home/ncvs/src/crypto/telnet/libtelnet/sra.c,v
retrieving revision 1.1.2.1
diff -u -r1.1.2.1 sra.c
--- crypto/telnet/libtelnet/sra.c	2000/09/20 02:32:05	1.1.2.1
+++ crypto/telnet/libtelnet/sra.c	2001/05/02 19:26:36
@@ -13,6 +13,10 @@
 #include <string.h>
 #endif
 
+#if !defined(NOPAM)
+#include <security/pam_appl.h>
+#endif
+
 #include "auth.h"
 #include "misc.h"
 #include "encrypt.h"
@@ -447,6 +451,7 @@
 	return (&save);
 }
 
+#ifdef NOPAM
 char *crypt();
 
 int check_user(name, pass)
@@ -474,7 +479,135 @@
 	}
 	return(0);
 }
+#else
+
+/*
+ * The following is stolen from ftpd, which stole it from the imap-uw
+ * PAM module and login.c. It is needed because we can't really
+ * "converse" with the user, having already gone to the trouble of
+ * getting their username and password through an encrypted channel.
+ */
+
+#define COPY_STRING(s) (s ? strdup(s):NULL)
+
+struct cred_t {
+	const char *uname;
+	const char *pass;
+};
+typedef struct cred_t cred_t;
+
+auth_conv(int num_msg, const struct pam_message **msg,
+	struct pam_response **resp, void *appdata)
+{
+	int i;
+	cred_t *cred = (cred_t *) appdata;
+	struct pam_response *reply =
+		malloc(sizeof(struct pam_response) * num_msg);
+
+	for (i = 0; i < num_msg; i++) {
+		switch (msg[i]->msg_style) {
+		case PAM_PROMPT_ECHO_ON:        /* assume want user name */
+			reply[i].resp_retcode = PAM_SUCCESS;
+			reply[i].resp = COPY_STRING(cred->uname);
+			/* PAM frees resp. */
+			break;
+		case PAM_PROMPT_ECHO_OFF:       /* assume want password */
+			reply[i].resp_retcode = PAM_SUCCESS;
+			reply[i].resp = COPY_STRING(cred->pass);
+			/* PAM frees resp. */
+			break;
+		case PAM_TEXT_INFO:
+		case PAM_ERROR_MSG:
+			reply[i].resp_retcode = PAM_SUCCESS;
+			reply[i].resp = NULL;
+			break;
+		default:                        /* unknown message style */
+			free(reply);
+			return PAM_CONV_ERR;
+		}
+	}
+
+	*resp = reply;
+	return PAM_SUCCESS;
+}
+
+/*
+ * The PAM version as a side effect may put a new username in *user.
+ */
+int check_user(const char *name, const char *pass)
+{
+	pam_handle_t *pamh = NULL;
+	const char *tmpl_user;
+	const void *item;
+	int rval;
+	int e;
+	cred_t auth_cred = { name, pass };
+	struct pam_conv conv = { &auth_conv, &auth_cred };
+
+	e = pam_start("telnetd", name, &conv, &pamh);
+	if (e != PAM_SUCCESS) {
+		syslog(LOG_ERR, "pam_start: %s", pam_strerror(pamh, e));
+		return 0;
+	}
+
+#if 0 /* Where can we find this value? */
+	e = pam_set_item(pamh, PAM_RHOST, remotehost);
+	if (e != PAM_SUCCESS) {
+		syslog(LOG_ERR, "pam_set_item(PAM_RHOST): %s",
+			pam_strerror(pamh, e));
+		return 0;
+	}
+#endif
+
+	e = pam_authenticate(pamh, 0);
+	switch (e) {
+	case PAM_SUCCESS:
+		/*
+		 * With PAM we support the concept of a "template"
+		 * user.  The user enters a login name which is
+		 * authenticated by PAM, usually via a remote service
+		 * such as RADIUS or TACACS+.  If authentication
+		 * succeeds, a different but related "template" name
+		 * is used for setting the credentials, shell, and
+		 * home directory.  The name the user enters need only
+		 * exist on the remote authentication server, but the
+		 * template name must be present in the local password
+		 * database.
+		 *
+		 * This is supported by two various mechanisms in the
+		 * individual modules.  However, from the application's
+		 * point of view, the template user is always passed
+		 * back as a changed value of the PAM_USER item.
+		 */
+		if ((e = pam_get_item(pamh, PAM_USER, &item)) ==
+		    PAM_SUCCESS) {
+			strcpy(user, (const char *) item);
+		} else
+			syslog(LOG_ERR, "Couldn't get PAM_USER: %s",
+			pam_strerror(pamh, e));
+		rval = 1;
+		break;
+
+	case PAM_AUTH_ERR:
+	case PAM_USER_UNKNOWN:
+	case PAM_MAXTRIES:
+		rval = 0;
+	break;
+
+	default:
+		syslog(LOG_ERR, "auth_pam: %s", pam_strerror(pamh, e));
+		rval = 0;
+		break;
+	}
+
+	if ((e = pam_end(pamh, e)) != PAM_SUCCESS) {
+		syslog(LOG_ERR, "pam_end: %s", pam_strerror(pamh, e));
+		rval = 0;
+	}
+	return rval;
+}
 
+#endif
 
 #endif
 
Index: secure/src/secure/libexec/telnetd/Makefile
===================================================================
RCS file: /home/ncvs/src/secure/libexec/telnetd/Makefile,v
retrieving revision 1.22
diff -u -r1.22 Makefile
--- secure/src/secure/libexec/telnetd/Makefile	2001/03/28 12:08:19	1.22
+++ secure/src/secure/libexec/telnetd/Makefile	2001/05/02 19:26:37
@@ -15,7 +15,7 @@
 
 DPADD=		${LIBUTIL} ${LIBTERMCAP} ${LIBTELNET} ${LIBCRYPTO} ${LIBMP} \
                 ${LIBCRYPT}
-LDADD=		-lutil -ltermcap ${LIBTELNET} -lcrypto -lcrypt -lmp
+LDADD=		-lutil -ltermcap ${LIBTELNET} -lcrypto -lcrypt -lmp -lpam
 
 .include <bsd.prog.mk>
 
Index: secure/src/secure/usr.bin/telnet/Makefile
===================================================================
RCS file: /home/ncvs/src/secure/usr.bin/telnet/Makefile,v
retrieving revision 1.24
diff -u -r1.24 Makefile
--- secure/src/secure/usr.bin/telnet/Makefile	2001/03/28 12:08:19	1.24
+++ secure/src/secure/usr.bin/telnet/Makefile	2001/05/02 19:26:37
@@ -12,7 +12,7 @@
 DPADD=		${LIBTERMCAP} ${LIBTELNET} ${LIBCRYPTO} ${LIBCRYPT} ${LIBMP}
 DPADD+=		${LIBIPSEC}
 LDADD=		-ltermcap ${LIBTELNET} -lcrypto -lcrypt -lmp
-LDADD+=		-lipsec
+LDADD+=		-lipsec -lpam
 
 .include <bsd.prog.mk>
 

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message