Hello community,
here is the log from the commit of package pam_ssh
checked in at Tue Jun 27 18:24:56 CEST 2006.
--------
--- pam_ssh/pam_ssh.changes 2006-05-31 23:28:58.000000000 +0200
+++ pam_ssh/pam_ssh.changes 2006-06-26 10:11:12.000000000 +0200
@@ -1,0 +2,15 @@
+Sat Jun 24 11:12:13 CEST 2006 - stark@suse.de
+
+- update to version 1.93 (r18)
+ * debug option works for auth and session module (#177885)
+ * debug option is really available now for auth and session
+ module (#177885)
+ * recover better if close_session wasn't executed (#187560)
+
+-------------------------------------------------------------------
+Wed Jun 7 08:59:20 CEST 2006 - stark@suse.de
+
+- logging fix is integrated now
+- auth handler now accepts nullok option
+
+-------------------------------------------------------------------
Old:
----
logging.patch
pam_ssh-1.92.tar.bz2
New:
----
pam_ssh-1.93.tar.bz2
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ pam_ssh.spec ++++++
--- /var/tmp/diff_new_pack.yf80We/_old 2006-06-27 18:23:53.000000000 +0200
+++ /var/tmp/diff_new_pack.yf80We/_new 2006-06-27 18:23:53.000000000 +0200
@@ -1,5 +1,5 @@
#
-# spec file for package pam_ssh (Version 1.92)
+# spec file for package pam_ssh (Version 1.93)
#
# Copyright (c) 2006 SUSE LINUX Products GmbH, Nuernberg, Germany.
# This file and all modifications and additions to the pristine
@@ -15,12 +15,11 @@
License: BSD
Group: Productivity/Networking/SSH
Autoreqprov: on
-Version: 1.92
+Version: 1.93
Release: 1
Summary: PAM Module for SSH Authentication
URL: http://developer.novell.com/wiki/index.php/Pam_ssh
Source: %{name}-%{version}.tar.bz2
-Patch1: logging.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%description
@@ -38,7 +37,6 @@
%prep
%setup -q
-%patch1
%build
%{suse_update_config -f}
@@ -67,6 +65,15 @@
%attr(444,root,root) %_mandir/man*/*.*
%changelog -n pam_ssh
+* Sat Jun 24 2006 - stark@suse.de
+- update to version 1.93 (r18)
+ * debug option works for auth and session module (#177885)
+ * debug option is really available now for auth and session
+ module (#177885)
+ * recover better if close_session wasn't executed (#187560)
+* Wed Jun 07 2006 - stark@suse.de
+- logging fix is integrated now
+- auth handler now accepts nullok option
* Wed May 31 2006 - stark@suse.de
- update to version 1.92
* allow working as session module without authentication
++++++ pam_ssh-1.92.tar.bz2 -> pam_ssh-1.93.tar.bz2 ++++++
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/pam_ssh-1.92/ChangeLog new/pam_ssh-1.93/ChangeLog
--- old/pam_ssh-1.92/ChangeLog 2006-05-31 23:02:20.000000000 +0200
+++ new/pam_ssh-1.93/ChangeLog 2006-06-24 10:37:09.000000000 +0200
@@ -1,3 +1,21 @@
+Version 1.93 released
+=====================
+
+2006-06-24 Wolfgang Rosenauer
+
+ * pam_ssh.c, pam_ssh.8: nullok option to allow blank passphrases
+ replaces allow_blank_passphrases (which is still available for
+ compat reasons)
+
+ * pam_ssh.c, pam_std_option.c, pam_ssh_log.c, pam_ssh_log.h:
+ fixed logging and separated into a logging module
+ PAM option 'debug' is supported now
+ added more syslog output in debug mode
+
+ * pam_ssh.c: we should be able to recover now correctly after system
+ crashes where we are not able to run the close_session using
+ the machine's uptime
+
Version 1.92 released
=====================
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/pam_ssh-1.92/Makefile.am new/pam_ssh-1.93/Makefile.am
--- old/pam_ssh-1.92/Makefile.am 2006-05-31 22:50:48.000000000 +0200
+++ new/pam_ssh-1.93/Makefile.am 2006-06-22 19:48:37.000000000 +0200
@@ -33,7 +33,7 @@
cipher-3des1.c cipher-bf1.c cipher-ctr.c \
getput.h kex.h key.c key.h log.c log.h \
pam_ssh.c rijndael.c rijndael.h xmalloc.c \
- xmalloc.h
+ pam_ssh_log.c xmalloc.h
libdir = @PAMDIR@
man_MANS = pam_ssh.8
AM_CFLAGS = -Wall
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/pam_ssh-1.92/Makefile.in new/pam_ssh-1.93/Makefile.in
--- old/pam_ssh-1.92/Makefile.in 2006-05-31 22:50:48.000000000 +0200
+++ new/pam_ssh-1.93/Makefile.in 2006-06-22 19:48:38.000000000 +0200
@@ -160,7 +160,7 @@
cipher-3des1.c cipher-bf1.c cipher-ctr.c \
getput.h kex.h key.c key.h log.c log.h \
pam_ssh.c rijndael.c rijndael.h xmalloc.c \
- xmalloc.h
+ pam_ssh_log.c xmalloc.h
man_MANS = pam_ssh.8
AM_CFLAGS = -Wall
@@ -199,6 +199,7 @@
@AMDEP_TRUE@ ./$(DEPDIR)/cipher-ctr.Plo ./$(DEPDIR)/cipher.Plo \
@AMDEP_TRUE@ ./$(DEPDIR)/key.Plo ./$(DEPDIR)/log.Plo \
@AMDEP_TRUE@ ./$(DEPDIR)/pam_ssh.Plo ./$(DEPDIR)/rijndael.Plo \
+@AMDEP_TRUE@ ./$(DEPDIR)/pam_ssh_log.Plo \
@AMDEP_TRUE@ ./$(DEPDIR)/xmalloc.Plo
COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/pam_ssh-1.92/NEWS new/pam_ssh-1.93/NEWS
--- old/pam_ssh-1.92/NEWS 2006-05-31 23:07:55.000000000 +0200
+++ new/pam_ssh-1.93/NEWS 2006-06-24 10:39:00.000000000 +0200
@@ -1,3 +1,13 @@
+Version 1.93
+============
+
+The option to allow blank passphrases is now 'nullok' while the old
+option is still available but deprecated.
+The debug option is now really supported as documented.
+We didn't start the ssh-agent if the close_session module wasn't called
+correctly but the ssh-agent was killed (e.g. system crashes).
+That should be solved in almost all cases now.
+
Version 1.92
============
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/pam_ssh-1.92/TODO new/pam_ssh-1.93/TODO
--- old/pam_ssh-1.92/TODO 2006-05-31 23:12:32.000000000 +0200
+++ new/pam_ssh-1.93/TODO 2006-06-22 21:08:58.000000000 +0200
@@ -1,5 +1,3 @@
-* fix and cleanup logging stuff
-
* Unit testing
Honor a special line in pam.conf for testing various configurations.
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/pam_ssh-1.92/configure new/pam_ssh-1.93/configure
--- old/pam_ssh-1.92/configure 2006-05-31 23:17:32.000000000 +0200
+++ new/pam_ssh-1.93/configure 2006-06-22 21:46:41.000000000 +0200
@@ -1,6 +1,6 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.58 for pam_ssh 1.92.
+# Generated by GNU Autoconf 2.58 for pam_ssh 1.93.
#
# Report bugs to .
#
@@ -428,8 +428,8 @@
# Identity of this package.
PACKAGE_NAME='pam_ssh'
PACKAGE_TARNAME='pam_ssh'
-PACKAGE_VERSION='1.92'
-PACKAGE_STRING='pam_ssh 1.92'
+PACKAGE_VERSION='1.93'
+PACKAGE_STRING='pam_ssh 1.93'
PACKAGE_BUGREPORT='ajk@waterspout.com'
ac_unique_file="pam_ssh.c"
@@ -939,7 +939,7 @@
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures pam_ssh 1.92 to adapt to many kinds of systems.
+\`configure' configures pam_ssh 1.93 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1006,7 +1006,7 @@
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of pam_ssh 1.92:";;
+ short | recursive ) echo "Configuration of pam_ssh 1.93:";;
esac
cat <<\_ACEOF
@@ -1133,7 +1133,7 @@
test -n "$ac_init_help" && exit 0
if $ac_init_version; then
cat <<\_ACEOF
-pam_ssh configure 1.92
+pam_ssh configure 1.39
generated by GNU Autoconf 2.58
Copyright (C) 2003 Free Software Foundation, Inc.
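Review bot: The new version string on the `+` line reads `pam_ssh configure 1.39` while every other bump in this file and in configure.ac says 1.93, so `configure --version` will report a release that does not exist. Since configure is generated from configure.ac, the mismatch suggests the script was patched by hand; regenerating it with autoconf (or at least correcting the line to `pam_ssh configure 1.93`) avoids the drift.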
@@ -1147,7 +1147,7 @@
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by pam_ssh $as_me 1.92, which was
+It was created by pam_ssh $as_me 1.93, which was
generated by GNU Autoconf 2.58. Invocation command line was
$ $0 $@
@@ -1865,7 +1865,7 @@
# Define the identity of the package.
PACKAGE=pam_ssh
- VERSION=1.92
+ VERSION=1.93
cat >>confdefs.h <<_ACEOF
@@ -11291,7 +11291,7 @@
} >&5
cat >&5 <<_CSEOF
-This file was extended by pam_ssh $as_me 1.92, which was
+This file was extended by pam_ssh $as_me 1.93, which was
generated by GNU Autoconf 2.58. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@@ -11354,7 +11354,7 @@
cat >>$CONFIG_STATUS <<_ACEOF
ac_cs_version="\\
-pam_ssh config.status 1.92
+pam_ssh config.status 1.93
configured by $0, generated by GNU Autoconf 2.58,
with options \\"`echo "$ac_configure_args" | sed 's/[\\""\`\$]/\\\\&/g'`\\"
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/pam_ssh-1.92/configure.ac new/pam_ssh-1.93/configure.ac
--- old/pam_ssh-1.92/configure.ac 2006-05-31 23:14:07.000000000 +0200
+++ new/pam_ssh-1.93/configure.ac 2006-06-22 21:44:50.000000000 +0200
@@ -26,12 +26,12 @@
dnl Process this file with autoconf to produce a configure script.
-AC_INIT([pam_ssh],[1.92],[ajk@waterspout.com])
+AC_INIT([pam_ssh],[1.93],[ajk@waterspout.com])
AC_CONFIG_HEADERS([config.h])
AC_CONFIG_SRCDIR([pam_ssh.c])
AC_CANONICAL_TARGET([])
AM_DISABLE_STATIC
-AM_INIT_AUTOMAKE(pam_ssh, 1.92)
+AM_INIT_AUTOMAKE(pam_ssh, 1.93)
AM_PROG_LIBTOOL
AC_SUBST(LIBTOOL_DEPS)
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/pam_ssh-1.92/pam_ssh.8 new/pam_ssh-1.93/pam_ssh.8
--- old/pam_ssh-1.92/pam_ssh.8 2006-05-31 22:50:48.000000000 +0200
+++ new/pam_ssh-1.93/pam_ssh.8 2006-06-22 19:48:09.000000000 +0200
@@ -105,6 +105,8 @@
to check for SSH keys.
The default is
.Dq id_dsa,id_rsa,identity .
+.It Cm nullok
+Allow empty passphrases.
.El
.Ss SSH Session Management Module
The
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/pam_ssh-1.92/pam_ssh.c new/pam_ssh-1.93/pam_ssh.c
--- old/pam_ssh-1.92/pam_ssh.c 2006-05-31 22:50:48.000000000 +0200
+++ new/pam_ssh-1.93/pam_ssh.c 2006-06-26 09:40:20.000000000 +0200
@@ -1,4 +1,7 @@
/*-
+ * Copyright (c) 2006 Wolfgang Rosenauer
+ * All rights reserved.
+ *
* Copyright (c) 1999, 2000, 2001, 2002, 2004 Andrew J. Korty
* All rights reserved.
*
@@ -31,7 +34,6 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $Id: pam_ssh.c,v 1.81 2004/04/12 13:55:08 akorty Exp $
*/
/* to get the asprintf() prototype from the glibc headers */
@@ -41,7 +43,6 @@
#include
#include
#include
-#include
#if HAVE_SYS_WAIT_H
# include
#endif
@@ -64,6 +65,7 @@
#include
#include
#include
+#include
#define PAM_SM_AUTH
#define PAM_SM_SESSION
@@ -83,7 +85,7 @@
#include "key.h"
#include "authfd.h"
#include "authfile.h"
-#include "log.h"
+#include "pam_ssh_log.h"
#if !HAVE_DECL_OPENPAM_BORROW_CRED || !HAVE_DECL_OPENPAM_RESTORE_CRED
# include "openpam_cred.h"
#endif
@@ -101,32 +103,39 @@
# define __unused
#endif
-#define MODULE_NAME "pam_ssh"
+#define MODULE_NAME PACKAGE_NAME
#define NEED_PASSPHRASE "SSH passphrase: "
#define DEF_KEYFILES "id_dsa,id_rsa,identity"
#define ENV_PID_SUFFIX "_AGENT_PID"
#define ENV_SOCKET_SUFFIX "_AUTH_SOCK"
#define PAM_OPT_KEYFILES_NAME "keyfiles"
#define PAM_OPT_BLANK_PASSPHRASE_NAME "allow_blank_passphrase"
+#define PAM_OPT_NULLOK_NAME "nullok"
#define SEP_KEYFILES ","
#define SSH_CLIENT_DIR ".ssh"
enum {
#if HAVE_OPENPAM || HAVE_PAM_STRUCT_OPTIONS || !HAVE_PAM_STD_OPTION
PAM_OPT_KEYFILES = PAM_OPT_STD_MAX,
- PAM_OPT_BLANK_PASSPHRASE
+ PAM_OPT_BLANK_PASSPHRASE,
+ PAM_OPT_NULLOK
#else
PAM_OPT_KEYFILES,
- PAM_OPT_BLANK_PASSPHRASE
+ PAM_OPT_BLANK_PASSPHRASE,
+ PAM_OPT_NULLOK
#endif
};
static struct opttab other_options[] = {
{ PAM_OPT_KEYFILES_NAME, PAM_OPT_KEYFILES },
{ PAM_OPT_BLANK_PASSPHRASE_NAME, PAM_OPT_BLANK_PASSPHRASE },
+ { PAM_OPT_NULLOK_NAME, PAM_OPT_NULLOK },
{ NULL, 0 }
};
+/* global variable to enable debug logging */
+int log_debug = 0;
+
char *
opt_arg(const char *arg)
{
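Review bot: `int log_debug = 0;` is a non-static global with a generic name, so it is exported from the module's shared object into whatever process loads it and can collide with a same-named symbol in the host application or another module; a module-prefixed name such as `pam_ssh_log_debug`, or hidden visibility, avoids that. The comment could also say what the later hunks show: it is reassigned by each pam_sm_* call from that call's `debug` option, so it reflects the most recent invocation rather than a per-handle setting, e.g. `/* non-zero when the PAM "debug" option was given to the most recent pam_sm_* call; gates LOG_DEBUG output in pam_ssh_log() */`.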
@@ -138,28 +147,6 @@
return retval;
}
-/*
- * Generic logging function that tags a message with the module name,
- * saving errno so it doesn't get whacked by asprintf().
- */
-
-static void
-pam_ssh_log(int priority, const char *fmt, ...)
-{
- va_list ap; /* variable argument list */
- int errno_saved; /* for caching errno */
- char *tagged; /* format tagged with module name */
-
- errno_saved = errno;
- asprintf(&tagged, "%s: %s", MODULE_NAME, fmt);
- va_start(ap, fmt);
- errno = errno_saved;
- vsyslog(priority, tagged ? tagged : fmt, ap);
- free(tagged);
- va_end(ap);
-}
-
-
pid_t
waitpid_intr(pid_t pid, int *status, int options)
{
@@ -171,6 +158,29 @@
return retval;
}
+/* uptime function */
+static time_t
+uptime(void)
+{
+ FILE *fp;
+ double upsecs;
+
+ fp = fopen ("/proc/uptime", "r");
+ if (fp != NULL)
+ {
+ char buffer[BUFSIZ];
+ char *b = fgets(buffer, BUFSIZ, fp);
+ fclose (fp);
+ if (b == buffer)
+ {
+ char *end;
+ upsecs = strtod(buffer, &end);
+ if (end != buffer)
+ return upsecs;
+ }
+ }
+ return -1;
+}
/*
* Generic cleanup function for OpenSSH "Key" type.
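Review bot: The comment `/* uptime function */` says nothing about the contract the caller relies on: the function reads the Linux-specific /proc/uptime, returns seconds since boot narrowed from a double to time_t, and returns -1 whenever the file is missing or unparsable (which includes every non-Linux platform this module historically targets), so callers must treat a non-positive result as "unknown" rather than as a boot time. Suggest replacing it with `/* Seconds since boot from /proc/uptime (Linux only); -1 when unavailable or unparsable, so a non-positive result means "unknown", not zero uptime. */` and making the narrowing explicit with `return (time_t)upsecs;`.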
@@ -354,8 +364,6 @@
int retval; /* from calls */
const char *user; /* username */
- log_init(MODULE_NAME, SYSLOG_LEVEL_ERROR, SYSLOG_FACILITY_AUTHPRIV, 0);
-
allow_blank_passphrase = 0;
keyfiles = kfspec = NULL;
#if HAVE_OPENPAM
@@ -366,15 +374,21 @@
}
} else
kfspec = DEF_KEYFILES;
- if ((kfspec = openpam_get_option(pamh, PAM_OPT_BLANK_PASSPHRASE)))
+ if ((kfspec = openpam_get_option(pamh, PAM_OPT_BLANK_PASSPHRASE))
+ || kfspec = openpam_get_option(pamh, PAM_OPT_NULLOK))
allow_blank_passphrase = 1;
#elif HAVE_PAM_STRUCT_OPTIONS || !HAVE_PAM_STD_OPTION
memset(&options, 0, sizeof options);
pam_std_option(&options, other_options, argc, argv);
+ log_debug = pam_test_option(&options, PAM_OPT_DEBUG, NULL);
+ pam_ssh_log(LOG_DEBUG, "init authentication module");
if (!pam_test_option(&options, PAM_OPT_KEYFILES, &kfspec))
kfspec = DEF_KEYFILES;
allow_blank_passphrase =
pam_test_option(&options, PAM_OPT_BLANK_PASSPHRASE, NULL);
+ if(!allow_blank_passphrase)
+ allow_blank_passphrase =
+ pam_test_option(&options, PAM_OPT_NULLOK, NULL);
#else
options = 0;
for (; argc; argc--, argv++) {
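Review bot: The added condition on the OpenPAM branch does not compile: `||` binds tighter than `=`, so `... || kfspec = openpam_get_option(pamh, PAM_OPT_NULLOK))` parses as `(... || kfspec) = ...`, an assignment to a non-lvalue. It needs its own parentheses: `|| (kfspec = openpam_get_option(pamh, PAM_OPT_NULLOK)))`. Since this code is only built when HAVE_OPENPAM is set, the Linux-PAM build used here would not have caught it. Reusing `kfspec` (the keyfile spec) as a scratch variable for the option lookup is pre-existing, but it makes the intent harder to read and would be clearer as a separate local.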
@@ -392,6 +406,7 @@
}
break;
PAM_OPT_BLANK_PASSPHRASE:
+ PAM_OPT_NULLOK:
allow_blank_passphrase = 1;
break;
}
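Review bot: The new `PAM_OPT_NULLOK:` copies the form of the existing `PAM_OPT_BLANK_PASSPHRASE:` line, which has no `case` keyword; if these sit inside a `switch` (the enclosing statement starts before this hunk) they are ordinary goto labels, the options are never matched, and the compiler will at most warn about unused labels. If that is the case both lines should read `case PAM_OPT_BLANK_PASSPHRASE:` and `case PAM_OPT_NULLOK:`. This `#else` branch is only compiled when neither OpenPAM nor pam_std_option is available, so it is probably untested by this build.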
@@ -402,16 +417,20 @@
kfspec = DEF_KEYFILES;
#endif
- if ((retval = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS)
- return retval;
+ if ((retval = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS) {
+ pam_ssh_log(LOG_ERR, "can't get username (ret=%d)", retval);
+ return retval;
+ }
if (!(user && (pwent = getpwnam(user)) && pwent->pw_dir &&
- *pwent->pw_dir))
- return PAM_AUTH_ERR;
+ *pwent->pw_dir)) {
+ pam_ssh_log(LOG_ERR, "can't get homedirectory");
+ return PAM_AUTH_ERR;
+ }
retval = openpam_borrow_cred(pamh, pwent);
if (retval != PAM_SUCCESS && retval != PAM_PERM_DENIED) {
- pam_ssh_log(LOG_ERR, "can't drop privileges: %m");
- return retval;
+ pam_ssh_log(LOG_ERR, "can't drop privileges: %m");
+ return retval;
}
/* pass prompt message to application and receive passphrase */
@@ -424,12 +443,14 @@
retval = pam_get_pass(pamh, &pass, NEED_PASSPHRASE, options);
#endif
if (retval != PAM_SUCCESS) {
- openpam_restore_cred(pamh);
- return retval;
+ pam_ssh_log(LOG_ERR, "can't get passphrase from PAM");
+ openpam_restore_cred(pamh);
+ return retval;
}
if (!pass || (!allow_blank_passphrase && *pass == '\0')) {
- openpam_restore_cred(pamh);
- return PAM_AUTH_ERR;
+ pam_ssh_log(LOG_ERR, "blank passphrases disabled");
+ openpam_restore_cred(pamh);
+ return PAM_AUTH_ERR;
}
OpenSSL_add_all_algorithms(); /* required for DSA */
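Review bot: The new `pam_ssh_log(LOG_ERR, "blank passphrases disabled")` is emitted for the whole condition `!pass || (!allow_blank_passphrase && *pass == '\0')`, so a NULL passphrase (nothing obtained from the conversation at all) is also reported as "blank passphrases disabled", which points an administrator at the wrong knob. Logging the two cases separately, e.g. `pam_ssh_log(LOG_ERR, pass ? "blank passphrases disabled" : "no passphrase supplied");`, keeps the log accurate. LOG_ERR is also a strong level for an ordinary authentication failure; the `not able to open any key` message a few lines later uses LOG_DEBUG, and the two should agree.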
@@ -452,13 +473,16 @@
for (file = strtok(keyfiles, SEP_KEYFILES); file;
file = strtok(NULL, SEP_KEYFILES))
if (auth_via_key(pamh, file, dotdir, pwent, pass)
- == PAM_SUCCESS)
- authenticated = 1;
+ == PAM_SUCCESS) {
+ pam_ssh_log(LOG_DEBUG, "auth successful for key %s", file);
+ authenticated = 1;
+ }
free(dotdir);
free(keyfiles);
if (!authenticated) {
- openpam_restore_cred(pamh);
- return PAM_AUTH_ERR;
+ pam_ssh_log(LOG_DEBUG, "not able to open any key");
+ openpam_restore_cred(pamh);
+ return PAM_AUTH_ERR;
}
openpam_restore_cred(pamh);
@@ -475,8 +499,8 @@
PAM_EXTERN int
-pam_sm_open_session(pam_handle_t *pamh, int flags __unused,
- int argc __unused, const char **argv __unused)
+pam_sm_open_session(pam_handle_t *pamh, int flags,
+ int argc, const char **argv)
{
char *agent_pid; /* copy of agent PID */
char *agent_socket; /* agent socket */
@@ -491,7 +515,6 @@
char *env_value; /* envariable value */
int env_write; /* env file descriptor */
char hname[MAXHOSTNAMELEN]; /* local hostname */
- int no_link; /* link per-agent file? */
char *per_agent; /* to store env */
char *per_session; /* per-session filename */
const struct passwd *pwent; /* user's passwd entry */
@@ -500,22 +523,34 @@
const char *tty_raw; /* raw tty or display name */
char *tty_nodir; /* tty without / chars */
const char *user; /* username */
-
- log_init(MODULE_NAME, SYSLOG_LEVEL_ERROR, SYSLOG_FACILITY_AUTHPRIV, 0);
-
- /* dump output of ssh-agent in ~/.ssh */
- if ((retval = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS)
- return retval;
+ struct options options; /* PAM options */
+ struct stat stat_buf; /* stat structure */
+ time_t file_ctime; /* creation time of per-agent file */
+ time_t time_now; /* current time */
+ time_t time_up; /* uptime */
+
+ memset(&options, 0, sizeof options);
+ pam_std_option(&options, other_options, argc, argv);
+ log_debug = pam_test_option(&options, PAM_OPT_DEBUG, NULL);
+ pam_ssh_log(LOG_DEBUG, "open session");
+
+ if ((retval = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS) {
+ pam_ssh_log(LOG_ERR, "can't get username (ret=%d)", retval);
+ return retval;
+ }
if (!(user && (pwent = getpwnam(user)) && pwent->pw_dir &&
- *pwent->pw_dir))
- return PAM_AUTH_ERR;
-
- retval = openpam_borrow_cred(pamh, pwent);
- if (retval != PAM_SUCCESS && retval != PAM_PERM_DENIED) {
- pam_ssh_log(LOG_ERR, "can't drop privileges: %m");
- return retval;
- }
+ *pwent->pw_dir)) {
+ pam_ssh_log(LOG_ERR, "can't get homedirectory");
+ return PAM_AUTH_ERR;
+ }
+
+ retval = openpam_borrow_cred(pamh, pwent);
+ if (retval != PAM_SUCCESS && retval != PAM_PERM_DENIED) {
+ pam_ssh_log(LOG_ERR, "can't drop privileges: %m");
+ return retval;
+ }
+
/*
* Use reference counts to limit agents to one per user per host.
*
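Review bot: `struct options` and `pam_std_option()` are now used unconditionally at the top of pam_sm_open_session, whereas pam_sm_authenticate only reaches them under `#elif HAVE_PAM_STRUCT_OPTIONS || !HAVE_PAM_STD_OPTION` and uses `openpam_get_option()` under HAVE_OPENPAM; on an OpenPAM build this hunk presumably no longer compiles, so the same conditional should wrap this block, with log_debug derived from the OpenPAM option API in the other branch. Separately, `file_ctime` is later assigned `stat_buf.st_mtime`, so both the name and the comment `creation time of per-agent file` are misleading; `time_t file_mtime; /* last write of per-agent file */` says what is actually compared. The body of pam_sm_open_session continues beyond this hunk.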
@@ -544,9 +579,10 @@
if ((retval = pam_set_data(pamh, "ssh_agent_env_agent", per_agent,
ssh_cleanup)) != PAM_SUCCESS) {
- free(per_agent);
- openpam_restore_cred(pamh);
- return retval;
+ pam_ssh_log(LOG_ERR, "can't save per-agent filename to PAM env");
+ free(per_agent);
+ openpam_restore_cred(pamh);
+ return retval;
}
/* Try to create the per-agent file or open it for reading if it
@@ -554,13 +590,37 @@
per-session filename later. Start the agent if we can't open
the file for reading. */
- env_write = child_pid = no_link = start_agent = 0;
+ env_write = child_pid = 0;
env_read = NULL;
- if ((env_write = open(per_agent, O_CREAT | O_EXCL | O_WRONLY, S_IRUSR))
- < 0 && !(env_read = fopen(per_agent, "r")))
- no_link = 1;
- if (!env_read) {
- start_agent = 1;
+ start_agent = 1;
+
+ if ((env_read = fopen(per_agent, "r"))) {
+ pam_ssh_log(LOG_DEBUG, "per_agent file already exists");
+ /* invalidate the status files if the reboot time was later
+ * than the file creation time */
+ if (retval = stat(per_agent, &stat_buf)) {
+ pam_ssh_log(LOG_ERR, "stat() failed on %s", per_agent);
+ free(per_agent);
+ fclose(env_read);
+ return retval;
+ }
+ file_ctime = stat_buf.st_mtime;
+
+ time_now = time(NULL);
+ if((time_up = uptime()) > 0) {
+ if (file_ctime > (time_now - time_up))
+ // session is still running - do nothing
+ start_agent = 0;
+ }
+ fclose(env_read);
+ }
+
+ if (start_agent) {
+ if ((env_write = open(per_agent, O_CREAT | O_EXCL | O_WRONLY, S_IRUSR)) < 0) {
+ pam_ssh_log(LOG_ERR, "can't write to %s", per_agent);
+ free(per_agent);
+ return PAM_SERVICE_ERR;
+ }
if (pipe(child_pipe) < 0) {
pam_ssh_log(LOG_ERR, "pipe: %m");
close(env_write);
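Review bot: The stale-file recovery cannot succeed as written: when the existing per_agent file predates the last boot, start_agent stays 1 but nothing removes the file, so the following `open(per_agent, O_CREAT | O_EXCL | O_WRONLY, S_IRUSR)` fails with EEXIST and the session ends in PAM_SERVICE_ERR — unless something outside the hunk unlinks it. The `stat()` failure path also returns the raw -1 in `retval` as a PAM status and, like the new "can't write to" path, skips the `openpam_restore_cred(pamh)` that every other early return in this function performs. Calling `stat()` on the path after `fopen()` is a second lookup of the same name; `fstat(fileno(env_read), ...)` checks the file that was actually opened. Note too that env_read is closed at the end of the branch but not reset to NULL, so if the code after the hunk still reads the existing environment file through it when start_agent is 0, that would be a use of a closed stream — worth checking. A rewrite of the branch is below.
```c
	if ((env_read = fopen(per_agent, "r"))) {
		pam_ssh_log(LOG_DEBUG, "per_agent file already exists");
		/* a per-agent file older than the last boot is left over from
		 * a session whose close_session never ran */
		if (fstat(fileno(env_read), &stat_buf) != 0) {
			pam_ssh_log(LOG_ERR, "stat() failed on %s: %m", per_agent);
			fclose(env_read);
			free(per_agent);
			openpam_restore_cred(pamh);
			return PAM_SESSION_ERR;
		}
		file_ctime = stat_buf.st_mtime;
		time_now = time(NULL);
		if ((time_up = uptime()) > 0 && file_ctime > time_now - time_up)
			start_agent = 0;	/* written since boot: agent should be alive */
		fclose(env_read);
		if (start_agent && unlink(per_agent) != 0 && errno != ENOENT) {
			pam_ssh_log(LOG_ERR, "can't remove stale %s: %m", per_agent);
			free(per_agent);
			openpam_restore_cred(pamh);
			return PAM_SESSION_ERR;
		}
	}

	if (start_agent) {
		if ((env_write = open(per_agent, O_CREAT | O_EXCL | O_WRONLY, S_IRUSR)) < 0) {
			pam_ssh_log(LOG_ERR, "can't write to %s: %m", per_agent);
			free(per_agent);
			openpam_restore_cred(pamh);
			return PAM_SERVICE_ERR;
		}
		/* … unchanged: pipe/fork/exec of ssh-agent … */
```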
@@ -622,6 +682,7 @@
arg[1] = "-s";
arg[2] = NULL;
env[0] = NULL;
+ pam_ssh_log(LOG_DEBUG, "exec %s", PATH_SSH_AGENT);
execve(PATH_SSH_AGENT, arg, env);
pam_ssh_log(LOG_ERR, "%s: %m", PATH_SSH_AGENT);
_exit(127);
@@ -764,14 +825,6 @@
}
free(agent_socket);
- /* if we couldn't access the per-agent file, don't link a
- per-session filename to it */
-
- if (no_link) {
- openpam_restore_cred(pamh);
- return PAM_SUCCESS;
- }
-
/* the per-session file contains the display name or tty name as
well as the hostname */
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/pam_ssh-1.92/pam_ssh.spec new/pam_ssh-1.93/pam_ssh.spec
--- old/pam_ssh-1.92/pam_ssh.spec 2006-05-31 23:36:56.000000000 +0200
+++ new/pam_ssh-1.93/pam_ssh.spec 2006-06-22 21:47:00.000000000 +0200
@@ -4,7 +4,7 @@
BuildRequires: pam-devel
License: BSD
Group: Productivity/Networking/SSH
-Version: 1.92
+Version: 1.93
Release: 1
Summary: A Pluggable Authentication Module (PAM) for use with SSH.
URL: http://developer.novell.com/wiki/index.php/Pam_ssh
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/pam_ssh-1.92/pam_ssh_log.c new/pam_ssh-1.93/pam_ssh_log.c
--- old/pam_ssh-1.92/pam_ssh_log.c 1970-01-01 01:00:00.000000000 +0100
+++ new/pam_ssh-1.93/pam_ssh_log.c 2006-06-22 20:15:31.000000000 +0200
@@ -0,0 +1,63 @@
+/*-
+ *
+ * Copyright (c) 2006 Wolfgang Rosenauer
+ * All rights reserved.
+ *
+ * Copyright (c) 1999, 2000, 2001, 2002, 2004 Andrew J. Korty
+ * All rights reserved.
+ *
+ * Copyright (c) 2001, 2002 Networks Associates Technology, Inc.
+ * All rights reserved.
+ *
+ * Portions of this software were developed for the FreeBSD Project by
+ * ThinkSec AS and NAI Labs, the Security Research Division of Network
+ * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
+ * ("CBOSS"), as part of the DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+*/
+
+#include "config.h"
+#include "pam_ssh_log.h"
+
+extern int log_debug;
+
+/*
+ * Generic logging function.
+ */
+
+void
+pam_ssh_log(int priority, const char *fmt, ...)
+{
+ va_list ap; /* variable argument list */
+
+ /* don't log LOG_DEBUG priority unless
+ * PAM debug option is set */
+ if (priority != LOG_DEBUG || log_debug) {
+ openlog(PACKAGE_NAME, LOG_PID, LOG_AUTHPRIV);
+ va_start(ap, fmt);
+ vsyslog(priority, fmt, ap);
+ va_end(ap);
+ closelog();
+ }
+}
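Review bot: `openlog()`/`closelog()` on every call changes process-wide syslog state that belongs to the host application: on glibc, closelog() discards the ident the application set with its own openlog(), so after the first pam_ssh message the application's later syslog output is tagged differently (behaviour varies by libc, so confirm on the target). The static pam_ssh_log removed from pam_ssh.c avoided this by prefixing the module name into the format, and it saved errno around its own allocation so that the `%m` the callers use (`can't drop privileges: %m`, `pipe: %m`, `%s: %m`) reported the right error — here openlog() runs between the failing call and vsyslog(), and whether errno survives that is libc-dependent. A version that keeps the old tagging and the new debug gate is below; it needs errno.h, stdio.h and stdlib.h included.
```c
void
pam_ssh_log(int priority, const char *fmt, ...)
{
	va_list ap;
	int errno_saved = errno;	/* keep %m meaningful across asprintf() */
	char *tagged;

	/* LOG_DEBUG only when the PAM "debug" option was given */
	if (priority == LOG_DEBUG && !log_debug)
		return;
	if (asprintf(&tagged, "%s: %s", PACKAGE_NAME, fmt) < 0)
		tagged = NULL;
	va_start(ap, fmt);
	errno = errno_saved;
	/* facility per message; no openlog()/closelog(), so the host
	 * application's syslog ident is left untouched */
	vsyslog(LOG_AUTHPRIV | priority, tagged ? tagged : fmt, ap);
	va_end(ap);
	free(tagged);
}
```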
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/pam_ssh-1.92/pam_ssh_log.h new/pam_ssh-1.93/pam_ssh_log.h
--- old/pam_ssh-1.92/pam_ssh_log.h 1970-01-01 01:00:00.000000000 +0100
+++ new/pam_ssh-1.93/pam_ssh_log.h 2006-06-22 19:48:31.000000000 +0200
@@ -0,0 +1,48 @@
+/*-
+ *
+ * Copyright (c) 2006 Wolfgang Rosenauer
+ * All rights reserved.
+ *
+ * Copyright (c) 1999, 2000, 2001, 2002, 2004 Andrew J. Korty
+ * All rights reserved.
+ *
+ * Copyright (c) 2001, 2002 Networks Associates Technology, Inc.
+ * All rights reserved.
+ *
+ * Portions of this software were developed for the FreeBSD Project by
+ * ThinkSec AS and NAI Labs, the Security Research Division of Network
+ * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
+ * ("CBOSS"), as part of the DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+*/
+
+#ifndef PAM_SSH_LOG_H
+#define PAM_SSH_LOG_H
+
+#include
+#include
+
+void pam_ssh_log(int priority, const char *fmt, ...);
+
+#endif
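Review bot: The header declares pam_ssh_log() without documenting its contract, and leaves `log_debug` to be declared `extern` privately inside pam_ssh_log.c even though it is defined in pam_ssh.c and consumed by the logger; the declaration belongs here so every translation unit agrees on its type. Suggest adding `extern int log_debug; /* set from the PAM "debug" option; gates LOG_DEBUG output */` and a comment on the prototype saying that fmt is a syslog-style printf format, that messages at LOG_DEBUG are dropped unless log_debug is non-zero, and that all other priorities are always emitted.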
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/pam_ssh-1.92/pam_std_option.c new/pam_ssh-1.93/pam_std_option.c
--- old/pam_ssh-1.92/pam_std_option.c 2006-05-31 22:50:48.000000000 +0200
+++ new/pam_ssh-1.93/pam_std_option.c 2006-06-22 21:13:02.000000000 +0200
@@ -28,7 +28,6 @@
#include
#include
-#include
#include
#include
@@ -36,6 +35,7 @@
# include "pam_opttab.h"
#endif
#include "pam_option.h"
+#include "pam_ssh_log.h"
/* Everyone has to have these options. It is not an error to
* specify them and then not use them.
@@ -73,7 +73,7 @@
options->opt[i].name = std_options[i].name;
else if (extra) {
if (oo->value != i)
- syslog(LOG_DEBUG, "Extra option fault: %d %d",
+ pam_ssh_log(LOG_NOTICE, "Extra option fault: %d %d",
oo->value, i);
options->opt[i].name = oo->name;
oo++;
@@ -87,7 +87,7 @@
for (j = 0; j < argc; j++) {
#ifdef DEBUG
- syslog(LOG_DEBUG, "Doing arg %s", argv[j]);
+ pam_ssh_log(LOG_INFO, "Doing arg %s", argv[j]);
#endif
found = 0;
for (i = 0; i < PAM_MAX_OPTIONS; i++) {
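Review bot: Raising the `#ifdef DEBUG` trace from LOG_DEBUG to LOG_INFO here (and `Extra option fault` to LOG_NOTICE in the previous hunk) makes these messages bypass the debug gate in pam_ssh_log(), presumably because log_debug is only assigned after pam_std_option() returns in both callers in pam_ssh.c, so a LOG_DEBUG message from inside option parsing would always be dropped. The better fix is to keep the syslog priorities and set log_debug before option parsing, for example by scanning argv for "debug" first; otherwise a DEBUG build logs every module argument at INFO regardless of configuration. The enclosing function continues past this hunk.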
@@ -109,7 +109,7 @@
}
}
if (!found)
- syslog(LOG_WARNING, "PAM option: %s invalid", argv[j]);
+ pam_ssh_log(LOG_WARNING, "PAM option: %s invalid", argv[j]);
}
}
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++