Hello community, here is the log from the commit of package pam_ssh checked in at Tue Jun 27 18:24:56 CEST 2006. -------- --- pam_ssh/pam_ssh.changes 2006-05-31 23:28:58.000000000 +0200 +++ pam_ssh/pam_ssh.changes 2006-06-26 10:11:12.000000000 +0200 @@ -1,0 +2,15 @@ +Sat Jun 24 11:12:13 CEST 2006 - stark@suse.de + +- update to version 1.93 (r18) + * debug option works for auth and session module (#177885) + * debug option is really available now for auth and session + module (#177885) + * recover better if close_session wasn't executed (#187560) + +------------------------------------------------------------------- +Wed Jun 7 08:59:20 CEST 2006 - stark@suse.de + +- logging fix is integrated now +- auth handler now accepts nullok option + +------------------------------------------------------------------- Old: ---- logging.patch pam_ssh-1.92.tar.bz2 New: ---- pam_ssh-1.93.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ pam_ssh.spec ++++++ --- /var/tmp/diff_new_pack.yf80We/_old 2006-06-27 18:23:53.000000000 +0200 +++ /var/tmp/diff_new_pack.yf80We/_new 2006-06-27 18:23:53.000000000 +0200 @@ -1,5 +1,5 @@ # -# spec file for package pam_ssh (Version 1.92) +# spec file for package pam_ssh (Version 1.93) # # Copyright (c) 2006 SUSE LINUX Products GmbH, Nuernberg, Germany. # This file and all modifications and additions to the pristine @@ -15,12 +15,11 @@ License: BSD Group: Productivity/Networking/SSH Autoreqprov: on -Version: 1.92 +Version: 1.93 Release: 1 Summary: PAM Module for SSH Authentication URL: http://developer.novell.com/wiki/index.php/Pam_ssh Source: %{name}-%{version}.tar.bz2 -Patch1: logging.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -38,7 +37,6 @@ %prep %setup -q -%patch1 %build %{suse_update_config -f} 
@@ -67,6 +65,15 @@ %attr(444,root,root) %_mandir/man*/*.* %changelog -n pam_ssh +* Sat Jun 24 2006 - stark@suse.de +- update to version 1.93 (r18) + * debug option works for auth and session module (#177885) + * debug option is really available now for auth and session + module (#177885) + * recover better if close_session wasn't executed (#187560) +* Wed Jun 07 2006 - stark@suse.de +- logging fix is integrated now +- auth handler now accepts nullok option * Wed May 31 2006 - stark@suse.de - update to version 1.92 * allow working as session module without authentication ++++++ pam_ssh-1.92.tar.bz2 -> pam_ssh-1.93.tar.bz2 ++++++ diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/pam_ssh-1.92/ChangeLog new/pam_ssh-1.93/ChangeLog --- old/pam_ssh-1.92/ChangeLog 2006-05-31 23:02:20.000000000 +0200 +++ new/pam_ssh-1.93/ChangeLog 2006-06-24 10:37:09.000000000 +0200 @@ -1,3 +1,21 @@ +Version 1.93 released +===================== + +2006-06-24 Wolfgang Rosenauer + + * pam_ssh.c, pam_ssh.8: nullok option to allow blank passphrases + replaces allow_blank_passphrases (which is still available for + compat reasons) + + * pam_ssh.c, pam_std_option.c, pam_ssh_log.c, pam_ssh_log.h: + fixed logging and separated into a logging module + PAM option 'debug' is supported now + added more syslog output in debug mode + + * pam_ssh.c: we should be able to recover now correctly after system + crashes where we are not able to run the close_session using + the machine's uptime + Version 1.92 released ===================== diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/pam_ssh-1.92/Makefile.am new/pam_ssh-1.93/Makefile.am --- old/pam_ssh-1.92/Makefile.am 2006-05-31 22:50:48.000000000 +0200 +++ new/pam_ssh-1.93/Makefile.am 2006-06-22 19:48:37.000000000 +0200 
@@ -33,7 +33,7 @@ cipher-3des1.c cipher-bf1.c cipher-ctr.c \ getput.h kex.h key.c key.h log.c log.h \ pam_ssh.c rijndael.c rijndael.h xmalloc.c \ - xmalloc.h + pam_ssh_log.c xmalloc.h libdir = @PAMDIR@ man_MANS = pam_ssh.8 AM_CFLAGS = -Wall diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/pam_ssh-1.92/Makefile.in new/pam_ssh-1.93/Makefile.in --- old/pam_ssh-1.92/Makefile.in 2006-05-31 22:50:48.000000000 +0200 +++ new/pam_ssh-1.93/Makefile.in 2006-06-22 19:48:38.000000000 +0200 @@ -160,7 +160,7 @@ cipher-3des1.c cipher-bf1.c cipher-ctr.c \ getput.h kex.h key.c key.h log.c log.h \ pam_ssh.c rijndael.c rijndael.h xmalloc.c \ - xmalloc.h + pam_ssh_log.c xmalloc.h man_MANS = pam_ssh.8 AM_CFLAGS = -Wall @@ -199,6 +199,7 @@ @AMDEP_TRUE@ ./$(DEPDIR)/cipher-ctr.Plo ./$(DEPDIR)/cipher.Plo \ @AMDEP_TRUE@ ./$(DEPDIR)/key.Plo ./$(DEPDIR)/log.Plo \ @AMDEP_TRUE@ ./$(DEPDIR)/pam_ssh.Plo ./$(DEPDIR)/rijndael.Plo \ +@AMDEP_TRUE@ ./$(DEPDIR)/pam_ssh_log.Plo \ @AMDEP_TRUE@ ./$(DEPDIR)/xmalloc.Plo COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/pam_ssh-1.92/NEWS new/pam_ssh-1.93/NEWS --- old/pam_ssh-1.92/NEWS 2006-05-31 23:07:55.000000000 +0200 +++ new/pam_ssh-1.93/NEWS 2006-06-24 10:39:00.000000000 +0200 
@@ -1,3 +1,13 @@ +Version 1.93 +============ + +The option to allow blank passphrases is now 'nullok' while the old +option is still available but deprecated. +The debug option is now really supported as documented. +We didn't start the ssh-agent if the close_session module wasn't called +correctly but the ssh-agent was killed (e.g. system crashes). +That should be solved in almost all cases now. + Version 1.92 ============ diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/pam_ssh-1.92/TODO new/pam_ssh-1.93/TODO --- old/pam_ssh-1.92/TODO 2006-05-31 23:12:32.000000000 +0200 +++ new/pam_ssh-1.93/TODO 2006-06-22 21:08:58.000000000 +0200 @@ -1,5 +1,3 @@ -* fix and cleanup logging stuff - * Unit testing Honor a special line in pam.conf for testing various configurations. diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/pam_ssh-1.92/configure new/pam_ssh-1.93/configure --- old/pam_ssh-1.92/configure 2006-05-31 23:17:32.000000000 +0200 +++ new/pam_ssh-1.93/configure 2006-06-22 21:46:41.000000000 +0200 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.58 for pam_ssh 1.92. +# Generated by GNU Autoconf 2.58 for pam_ssh 1.93. # # Report bugs to <ajk@waterspout.com>. # @@ -428,8 +428,8 @@ # Identity of this package. PACKAGE_NAME='pam_ssh' PACKAGE_TARNAME='pam_ssh' -PACKAGE_VERSION='1.92' -PACKAGE_STRING='pam_ssh 1.92' +PACKAGE_VERSION='1.93' +PACKAGE_STRING='pam_ssh 1.93' PACKAGE_BUGREPORT='ajk@waterspout.com' ac_unique_file="pam_ssh.c" @@ -939,7 +939,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -`configure' configures pam_ssh 1.92 to adapt to many kinds of systems. +`configure' configures pam_ssh 1.93 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... 
@@ -1006,7 +1006,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of pam_ssh 1.92:";; + short | recursive ) echo "Configuration of pam_ssh 1.93:";; esac cat <<_ACEOF @@ -1133,7 +1133,7 @@ test -n "$ac_init_help" && exit 0 if $ac_init_version; then cat <<_ACEOF -pam_ssh configure 1.92 +pam_ssh configure 1.39 generated by GNU Autoconf 2.58 Copyright (C) 2003 Free Software Foundation, Inc. @@ -1147,7 +1147,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by pam_ssh $as_me 1.92, which was +It was created by pam_ssh $as_me 1.93, which was generated by GNU Autoconf 2.58. Invocation command line was $ $0 $@ @@ -1865,7 +1865,7 @@ # Define the identity of the package. PACKAGE=pam_ssh - VERSION=1.92 + VERSION=1.93 cat >>confdefs.h <<_ACEOF @@ -11291,7 +11291,7 @@ } >&5 cat >&5 <<_CSEOF -This file was extended by pam_ssh $as_me 1.92, which was +This file was extended by pam_ssh $as_me 1.93, which was generated by GNU Autoconf 2.58. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -11354,7 +11354,7 @@ cat >>$CONFIG_STATUS <<_ACEOF ac_cs_version="\ -pam_ssh config.status 1.92 +pam_ssh config.status 1.93 configured by $0, generated by GNU Autoconf 2.58, with options \"`echo "$ac_configure_args" | sed 's/[\""`$]/\\&/g'`\" diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/pam_ssh-1.92/configure.ac new/pam_ssh-1.93/configure.ac --- old/pam_ssh-1.92/configure.ac 2006-05-31 23:14:07.000000000 +0200 +++ new/pam_ssh-1.93/configure.ac 2006-06-22 21:44:50.000000000 +0200 
@@ -26,12 +26,12 @@ dnl Process this file with autoconf to produce a configure script. -AC_INIT([pam_ssh],[1.92],[ajk@waterspout.com]) +AC_INIT([pam_ssh],[1.93],[ajk@waterspout.com]) AC_CONFIG_HEADERS([config.h]) AC_CONFIG_SRCDIR([pam_ssh.c]) AC_CANONICAL_TARGET([]) AM_DISABLE_STATIC -AM_INIT_AUTOMAKE(pam_ssh, 1.92) +AM_INIT_AUTOMAKE(pam_ssh, 1.93) AM_PROG_LIBTOOL AC_SUBST(LIBTOOL_DEPS) diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/pam_ssh-1.92/pam_ssh.8 new/pam_ssh-1.93/pam_ssh.8 --- old/pam_ssh-1.92/pam_ssh.8 2006-05-31 22:50:48.000000000 +0200 +++ new/pam_ssh-1.93/pam_ssh.8 2006-06-22 19:48:09.000000000 +0200 @@ -105,6 +105,8 @@ to check for SSH keys. The default is .Dq id_dsa,id_rsa,identity . +.It Cm nullok +Allow empty passphrases. .El .Ss SSH Session Management Module The diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/pam_ssh-1.92/pam_ssh.c new/pam_ssh-1.93/pam_ssh.c --- old/pam_ssh-1.92/pam_ssh.c 2006-05-31 22:50:48.000000000 +0200 +++ new/pam_ssh-1.93/pam_ssh.c 2006-06-26 09:40:20.000000000 +0200 @@ -1,4 +1,7 @@ /*- + * Copyright (c) 2006 Wolfgang Rosenauer + * All rights reserved. + * * Copyright (c) 1999, 2000, 2001, 2002, 2004 Andrew J. Korty * All rights reserved. * @@ -31,7 +34,6 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: pam_ssh.c,v 1.81 2004/04/12 13:55:08 akorty Exp $ */ /* to get the asprintf() prototype from the glibc headers */ @@ -41,7 +43,6 @@ #include <sys/param.h> #include <sys/stat.h> #include <config.h> -#include <syslog.h> #if HAVE_SYS_WAIT_H # include <sys/wait.h> #endif @@ -64,6 +65,7 @@ #include <string.h> #include <sysexits.h> #include <unistd.h> +#include <time.h> #define PAM_SM_AUTH #define PAM_SM_SESSION 
@@ -83,7 +85,7 @@ #include "key.h" #include "authfd.h" #include "authfile.h" -#include "log.h" +#include "pam_ssh_log.h" #if !HAVE_DECL_OPENPAM_BORROW_CRED || !HAVE_DECL_OPENPAM_RESTORE_CRED # include "openpam_cred.h" #endif @@ -101,32 +103,39 @@ # define __unused #endif -#define MODULE_NAME "pam_ssh" +#define MODULE_NAME PACKAGE_NAME #define NEED_PASSPHRASE "SSH passphrase: " #define DEF_KEYFILES "id_dsa,id_rsa,identity" #define ENV_PID_SUFFIX "_AGENT_PID" #define ENV_SOCKET_SUFFIX "_AUTH_SOCK" #define PAM_OPT_KEYFILES_NAME "keyfiles" #define PAM_OPT_BLANK_PASSPHRASE_NAME "allow_blank_passphrase" +#define PAM_OPT_NULLOK_NAME "nullok" #define SEP_KEYFILES "," #define SSH_CLIENT_DIR ".ssh" enum { #if HAVE_OPENPAM || HAVE_PAM_STRUCT_OPTIONS || !HAVE_PAM_STD_OPTION PAM_OPT_KEYFILES = PAM_OPT_STD_MAX, - PAM_OPT_BLANK_PASSPHRASE + PAM_OPT_BLANK_PASSPHRASE, + PAM_OPT_NULLOK #else PAM_OPT_KEYFILES, - PAM_OPT_BLANK_PASSPHRASE + PAM_OPT_BLANK_PASSPHRASE, + PAM_OPT_NULLOK #endif }; static struct opttab other_options[] = { { PAM_OPT_KEYFILES_NAME, PAM_OPT_KEYFILES }, { PAM_OPT_BLANK_PASSPHRASE_NAME, PAM_OPT_BLANK_PASSPHRASE }, + { PAM_OPT_NULLOK_NAME, PAM_OPT_NULLOK }, { NULL, 0 } }; +/* global variable to enable debug logging */ +int log_debug = 0; + char * opt_arg(const char *arg) { @@ -138,28 +147,6 @@ return retval; } -/* - * Generic logging function that tags a message with the module name, - * saving errno so it doesn't get whacked by asprintf(). - */ - -static void -pam_ssh_log(int priority, const char *fmt, ...) -{ - va_list ap; /* variable argument list */ - int errno_saved; /* for caching errno */ - char *tagged; /* format tagged with module name */ - - errno_saved = errno; - asprintf(&tagged, "%s: %s", MODULE_NAME, fmt); - va_start(ap, fmt); - errno = errno_saved; - vsyslog(priority, tagged ? tagged : fmt, ap); - free(tagged); - va_end(ap); -} - - pid_t waitpid_intr(pid_t pid, int *status, int options) { 
@@ -171,6 +158,29 @@ return retval; } +/* uptime function */ +static time_t +uptime(void) +{ + FILE *fp; + double upsecs; + + fp = fopen ("/proc/uptime", "r"); + if (fp != NULL) + { + char buffer[BUFSIZ]; + char *b = fgets(buffer, BUFSIZ, fp); + fclose (fp); + if (b == buffer) + { + char *end; + upsecs = strtod(buffer, &end); + if (end != buffer) + return upsecs; + } + } + return -1; +} /* * Generic cleanup function for OpenSSH "Key" type. @@ -354,8 +364,6 @@ int retval; /* from calls */ const char *user; /* username */ - log_init(MODULE_NAME, SYSLOG_LEVEL_ERROR, SYSLOG_FACILITY_AUTHPRIV, 0); - allow_blank_passphrase = 0; keyfiles = kfspec = NULL; #if HAVE_OPENPAM @@ -366,15 +374,21 @@ } } else kfspec = DEF_KEYFILES; - if ((kfspec = openpam_get_option(pamh, PAM_OPT_BLANK_PASSPHRASE))) + if ((kfspec = openpam_get_option(pamh, PAM_OPT_BLANK_PASSPHRASE)) + || kfspec = openpam_get_option(pamh, PAM_OPT_NULLOK)) allow_blank_passphrase = 1; #elif HAVE_PAM_STRUCT_OPTIONS || !HAVE_PAM_STD_OPTION memset(&options, 0, sizeof options); pam_std_option(&options, other_options, argc, argv); + log_debug = pam_test_option(&options, PAM_OPT_DEBUG, NULL); + pam_ssh_log(LOG_DEBUG, "init authentication module"); if (!pam_test_option(&options, PAM_OPT_KEYFILES, &kfspec)) kfspec = DEF_KEYFILES; allow_blank_passphrase = pam_test_option(&options, PAM_OPT_BLANK_PASSPHRASE, NULL); + if(!allow_blank_passphrase) + allow_blank_passphrase = + pam_test_option(&options, PAM_OPT_NULLOK, NULL); #else options = 0; for (; argc; argc--, argv++) { @@ -392,6 +406,7 @@ } break; PAM_OPT_BLANK_PASSPHRASE: + PAM_OPT_NULLOK: allow_blank_passphrase = 1; break; } 
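Review bot: The OpenPAM branch of pam_sm_authenticate now reads `if ((kfspec = openpam_get_option(pamh, PAM_OPT_BLANK_PASSPHRASE)) || kfspec = openpam_get_option(pamh, PAM_OPT_NULLOK))`; because `||` binds tighter than `=`, this parses as an assignment to the non-lvalue `(... || kfspec)` and will not compile when HAVE_OPENPAM is set, so the second operand needs its own parentheses: `|| (kfspec = openpam_get_option(pamh, PAM_OPT_NULLOK))`. The same branch never assigns `log_debug`, while the pam_std_option branch sets it right after parsing, so the debug option this release advertises stays silent on OpenPAM builds unless that branch sets it too. In the `#else` fallback the new `PAM_OPT_NULLOK:` is a plain label like the pre-existing `PAM_OPT_BLANK_PASSPHRASE:` above it; if that block is meant to be a switch arm it needs `case`, though the surrounding context suggests this path is never compiled and I cannot confirm from here. pam_sm_authenticate continues outside this hunk.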
@@ -402,16 +417,20 @@ kfspec = DEF_KEYFILES; #endif - if ((retval = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS) - return retval; + if ((retval = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS) { + pam_ssh_log(LOG_ERR, "can't get username (ret=%d)", retval); + return retval; + } if (!(user && (pwent = getpwnam(user)) && pwent->pw_dir && - *pwent->pw_dir)) - return PAM_AUTH_ERR; + *pwent->pw_dir)) { + pam_ssh_log(LOG_ERR, "can't get homedirectory"); + return PAM_AUTH_ERR; + } retval = openpam_borrow_cred(pamh, pwent); if (retval != PAM_SUCCESS && retval != PAM_PERM_DENIED) { - pam_ssh_log(LOG_ERR, "can't drop privileges: %m"); - return retval; + pam_ssh_log(LOG_ERR, "can't drop privileges: %m"); + return retval; } /* pass prompt message to application and receive passphrase */ @@ -424,12 +443,14 @@ retval = pam_get_pass(pamh, &pass, NEED_PASSPHRASE, options); #endif if (retval != PAM_SUCCESS) { - openpam_restore_cred(pamh); - return retval; + pam_ssh_log(LOG_ERR, "can't get passphrase from PAM"); + openpam_restore_cred(pamh); + return retval; } if (!pass || (!allow_blank_passphrase && *pass == '\0')) { - openpam_restore_cred(pamh); - return PAM_AUTH_ERR; + pam_ssh_log(LOG_ERR, "blank passphrases disabled"); + openpam_restore_cred(pamh); + return PAM_AUTH_ERR; } OpenSSL_add_all_algorithms(); /* required for DSA */ @@ -452,13 +473,16 @@ for (file = strtok(keyfiles, SEP_KEYFILES); file; file = strtok(NULL, SEP_KEYFILES)) if (auth_via_key(pamh, file, dotdir, pwent, pass) - == PAM_SUCCESS) - authenticated = 1; + == PAM_SUCCESS) { + pam_ssh_log(LOG_DEBUG, "auth successful for key %s", file); + authenticated = 1; + } free(dotdir); free(keyfiles); if (!authenticated) { - openpam_restore_cred(pamh); - return PAM_AUTH_ERR; + pam_ssh_log(LOG_DEBUG, "not able to open any key"); + openpam_restore_cred(pamh); + return PAM_AUTH_ERR; } openpam_restore_cred(pamh); 
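Review bot: A failed key authentication is now recorded only as `pam_ssh_log(LOG_DEBUG, "not able to open any key")`, which the new logger suppresses unless the debug option is set, so by default there is no syslog trace of who failed to authenticate through this module; the rejection should be logged unconditionally with the user name, e.g. `pam_ssh_log(LOG_NOTICE, "authentication failed for %s: no usable key", user);`, since `user` is already in scope. The new `pam_ssh_log(LOG_ERR, "blank passphrases disabled")` is also emitted when `pass` is NULL, because it sits under `!pass || (!allow_blank_passphrase && *pass == '\0')`, and that case is a conversation failure rather than a policy rejection; split it as `if (!pass) pam_ssh_log(LOG_ERR, "no passphrase received"); else pam_ssh_log(LOG_NOTICE, "blank passphrases disabled");`. LOG_ERR for a per-login policy rejection is also louder than the module-error messages around it warrant. pam_sm_authenticate starts and ends outside this hunk.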
@@ -475,8 +499,8 @@ PAM_EXTERN int -pam_sm_open_session(pam_handle_t *pamh, int flags __unused, - int argc __unused, const char **argv __unused) +pam_sm_open_session(pam_handle_t *pamh, int flags, + int argc, const char **argv) { char *agent_pid; /* copy of agent PID */ char *agent_socket; /* agent socket */ @@ -491,7 +515,6 @@ char *env_value; /* envariable value */ int env_write; /* env file descriptor */ char hname[MAXHOSTNAMELEN]; /* local hostname */ - int no_link; /* link per-agent file? */ char *per_agent; /* to store env */ char *per_session; /* per-session filename */ const struct passwd *pwent; /* user's passwd entry */ 
@@ -500,22 +523,34 @@ const char *tty_raw; /* raw tty or display name */ char *tty_nodir; /* tty without / chars */ const char *user; /* username */ - - log_init(MODULE_NAME, SYSLOG_LEVEL_ERROR, SYSLOG_FACILITY_AUTHPRIV, 0); - - /* dump output of ssh-agent in ~/.ssh */ - if ((retval = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS) - return retval; + struct options options; /* PAM options */ + struct stat stat_buf; /* stat structure */ + time_t file_ctime; /* creation time of per-agent file */ + time_t time_now; /* current time */ + time_t time_up; /* uptime */ + + memset(&options, 0, sizeof options); + pam_std_option(&options, other_options, argc, argv); + log_debug = pam_test_option(&options, PAM_OPT_DEBUG, NULL); + pam_ssh_log(LOG_DEBUG, "open session"); + + if ((retval = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS) { + pam_ssh_log(LOG_ERR, "can't get username (ret=%d)", retval); + return retval; + } if (!(user && (pwent = getpwnam(user)) && pwent->pw_dir && - *pwent->pw_dir)) - return PAM_AUTH_ERR; - - retval = openpam_borrow_cred(pamh, pwent); - if (retval != PAM_SUCCESS && retval != PAM_PERM_DENIED) { - pam_ssh_log(LOG_ERR, "can't drop privileges: %m"); - return retval; - } + *pwent->pw_dir)) { + pam_ssh_log(LOG_ERR, "can't get homedirectory"); + return PAM_AUTH_ERR; + } + + retval = openpam_borrow_cred(pamh, pwent); + if (retval != PAM_SUCCESS && retval != PAM_PERM_DENIED) { + pam_ssh_log(LOG_ERR, "can't drop privileges: %m"); + return retval; + } + /* * Use reference counts to limit agents to one per user per host. * @@ -544,9 +579,10 @@ if ((retval = pam_set_data(pamh, "ssh_agent_env_agent", per_agent, ssh_cleanup)) != PAM_SUCCESS) { - free(per_agent); - openpam_restore_cred(pamh); - return retval; + pam_ssh_log(LOG_ERR, "can't save per-agent filename to PAM env"); + free(per_agent); + openpam_restore_cred(pamh); + return retval; } /* Try to create the per-agent file or open it for reading if it 
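Review bot: pam_sm_open_session now calls `pam_std_option()` and `pam_test_option()` unconditionally, while pam_sm_authenticate keeps them under `#elif HAVE_PAM_STRUCT_OPTIONS || !HAVE_PAM_STD_OPTION` with an `openpam_get_option` path under HAVE_OPENPAM; on an OpenPAM build the session module will therefore not build, or at best parse its options differently from the auth module, so the same preprocessor structure should be mirrored here. The new `time_t file_ctime; /* creation time of per-agent file */` is misleading, since the following hunk assigns `stat_buf.st_mtime` to it and the uptime comparison is really against the last modification time; rename it `file_mtime` or correct the comment so nobody later "fixes" the comparison to use a creation time the filesystem does not provide. The function continues outside this hunk.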
@@ -554,13 +590,37 @@ per-session filename later. Start the agent if we can't open the file for reading. */ - env_write = child_pid = no_link = start_agent = 0; + env_write = child_pid = 0; env_read = NULL; - if ((env_write = open(per_agent, O_CREAT | O_EXCL | O_WRONLY, S_IRUSR)) - < 0 && !(env_read = fopen(per_agent, "r"))) - no_link = 1; - if (!env_read) { - start_agent = 1; + start_agent = 1; + + if ((env_read = fopen(per_agent, "r"))) { + pam_ssh_log(LOG_DEBUG, "per_agent file already exists"); + /* invalidate the status files if the reboot time was later + * than the file creation time */ + if (retval = stat(per_agent, &stat_buf)) { + pam_ssh_log(LOG_ERR, "stat() failed on %s", per_agent); + free(per_agent); + fclose(env_read); + return retval; + } + file_ctime = stat_buf.st_mtime; + + time_now = time(NULL); + if((time_up = uptime()) > 0) { + if (file_ctime > (time_now - time_up)) + // session is still running - do nothing + start_agent = 0; + } + fclose(env_read); + } + + if (start_agent) { + if ((env_write = open(per_agent, O_CREAT | O_EXCL | O_WRONLY, S_IRUSR)) < 0) { + pam_ssh_log(LOG_ERR, "can't write to %s", per_agent); + free(per_agent); + return PAM_SERVICE_ERR; + } if (pipe(child_pipe) < 0) { pam_ssh_log(LOG_ERR, "pipe: %m"); close(env_write); @@ -622,6 +682,7 @@ arg[1] = "-s"; arg[2] = NULL; env[0] = NULL; + pam_ssh_log(LOG_DEBUG, "exec %s", PATH_SSH_AGENT); execve(PATH_SSH_AGENT, arg, env); pam_ssh_log(LOG_ERR, "%s: %m", PATH_SSH_AGENT); _exit(127); 
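Review bot: The crash-recovery path cannot succeed as written: when the per-agent file exists but its mtime predates the boot time, `start_agent` stays 1 and control falls into `open(per_agent, O_CREAT | O_EXCL | O_WRONLY, S_IRUSR)`, which fails with EEXIST on the very file just read, so the session returns PAM_SERVICE_ERR instead of starting a fresh agent — the stale file has to be unlinked first (unless something outside this hunk removes it, which I do not see). The `stat()` failure branch returns the raw stat() result as a PAM status, and both new error returns skip the `openpam_restore_cred(pamh)` that every other error path in this function performs; they also `free(per_agent)` although `pam_set_data(pamh, "ssh_agent_env_agent", per_agent, ssh_cleanup)` above already handed that buffer to PAM, which looks like a double free at pam_end() if ssh_cleanup frees its argument (the fence below drops the free on that assumption — confirm against ssh_cleanup). Using `fstat(fileno(env_read), ...)` avoids the window between the fopen() and a second lookup of the path, and the `//` comment and `if (retval = stat(...))` assignment-in-condition should be brought in line with the rest of the file. pam_sm_open_session starts and ends outside this hunk.
```c
	if ((env_read = fopen(per_agent, "r"))) {
		pam_ssh_log(LOG_DEBUG, "per_agent file already exists");
		if (fstat(fileno(env_read), &stat_buf) != 0) {
			pam_ssh_log(LOG_ERR, "stat() failed on %s: %m", per_agent);
			fclose(env_read);
			openpam_restore_cred(pamh);
			return PAM_SERVICE_ERR;
		}
		/* … unchanged: compare st_mtime with boot time, clear start_agent … */
		fclose(env_read);
		/* agent did not survive the last boot: drop the stale file so the
		 * O_EXCL create below can succeed */
		if (start_agent && unlink(per_agent) < 0) {
			pam_ssh_log(LOG_ERR, "can't remove stale %s: %m", per_agent);
			openpam_restore_cred(pamh);
			return PAM_SERVICE_ERR;
		}
	}
	/* … unchanged: O_CREAT | O_EXCL open, pipe and agent start … */
```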
@@ -764,14 +825,6 @@ } free(agent_socket); - /* if we couldn't access the per-agent file, don't link a - per-session filename to it */ - - if (no_link) { - openpam_restore_cred(pamh); - return PAM_SUCCESS; - } - /* the per-session file contains the display name or tty name as well as the hostname */ diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/pam_ssh-1.92/pam_ssh.spec new/pam_ssh-1.93/pam_ssh.spec --- old/pam_ssh-1.92/pam_ssh.spec 2006-05-31 23:36:56.000000000 +0200 +++ new/pam_ssh-1.93/pam_ssh.spec 2006-06-22 21:47:00.000000000 +0200 @@ -4,7 +4,7 @@ BuildRequires: pam-devel License: BSD Group: Productivity/Networking/SSH -Version: 1.92 +Version: 1.93 Release: 1 Summary: A Pluggable Authentication Module (PAM) for use with SSH. URL: http://developer.novell.com/wiki/index.php/Pam_ssh diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/pam_ssh-1.92/pam_ssh_log.c new/pam_ssh-1.93/pam_ssh_log.c --- old/pam_ssh-1.92/pam_ssh_log.c 1970-01-01 01:00:00.000000000 +0100 +++ new/pam_ssh-1.93/pam_ssh_log.c 2006-06-22 20:15:31.000000000 +0200 
@@ -0,0 +1,63 @@ +/*- + * + * Copyright (c) 2006 Wolfgang Rosenauer + * All rights reserved. + * + * Copyright (c) 1999, 2000, 2001, 2002, 2004 Andrew J. Korty + * All rights reserved. + * + * Copyright (c) 2001, 2002 Networks Associates Technology, Inc. + * All rights reserved. + * + * Portions of this software were developed for the FreeBSD Project by + * ThinkSec AS and NAI Labs, the Security Research Division of Network + * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 + * ("CBOSS"), as part of the DARPA CHATS research program. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * +*/ + +#include "config.h" +#include "pam_ssh_log.h" + +extern int log_debug; + +/* + * Generic logging function. 
+ */
+
+void
+pam_ssh_log(int priority, const char *fmt, ...)
+{
+ va_list ap; /* variable argument list */
+
+ /* don't log LOG_DEBUG priority unless
+ * PAM debug option is set */
+ if (priority != LOG_DEBUG || log_debug) {
+ openlog(PACKAGE_NAME, LOG_PID, LOG_AUTHPRIV);
+ va_start(ap, fmt);
+ vsyslog(priority, fmt, ap);
+ va_end(ap);
+ closelog();
+ }
+}
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/pam_ssh-1.92/pam_ssh_log.h new/pam_ssh-1.93/pam_ssh_log.h
--- old/pam_ssh-1.92/pam_ssh_log.h 1970-01-01 01:00:00.000000000 +0100
+++ new/pam_ssh-1.93/pam_ssh_log.h 2006-06-22 19:48:31.000000000 +0200
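Review bot: Wrapping every message in `openlog(PACKAGE_NAME, LOG_PID, LOG_AUTHPRIV)` / `closelog()` changes process-wide syslog state inside the application that loaded the module (login, sshd, su, ...): the openlog replaces the host's own ident and default facility and the closelog then resets them, so the application's next messages may go out without its ident or to a different facility. A library running in someone else's process should leave the connection alone and put the facility and tag into the call instead, `vsyslog(LOG_AUTHPRIV | priority, tagged, ap)` with `tagged` built as `MODULE_NAME ": " fmt`, which is what the `pam_ssh_log` removed from pam_ssh.c did. That removed helper also saved errno around asprintf() so that callers' `%m` stays meaningful; `openlog()` may touch errno before vsyslog() runs, so an errno save/restore is worth keeping here. The `extern int log_debug;` declaration belongs in pam_ssh_log.h next to the prototype rather than private to this file, so pam_ssh.c and the header agree on its type.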
@@ -0,0 +1,48 @@ +/*- + * + * Copyright (c) 2006 Wolfgang Rosenauer + * All rights reserved. + * + * Copyright (c) 1999, 2000, 2001, 2002, 2004 Andrew J. Korty + * All rights reserved. + * + * Copyright (c) 2001, 2002 Networks Associates Technology, Inc. + * All rights reserved. + * + * Portions of this software were developed for the FreeBSD Project by + * ThinkSec AS and NAI Labs, the Security Research Division of Network + * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 + * ("CBOSS"), as part of the DARPA CHATS research program. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ * +*/ + +#ifndef PAM_SSH_LOG_H +#define PAM_SSH_LOG_H + +#include <syslog.h> +#include <stdarg.h> + +void pam_ssh_log(int priority, const char *fmt, ...); + +#endif diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/pam_ssh-1.92/pam_std_option.c new/pam_ssh-1.93/pam_std_option.c --- old/pam_ssh-1.92/pam_std_option.c 2006-05-31 22:50:48.000000000 +0200 +++ new/pam_ssh-1.93/pam_std_option.c 2006-06-22 21:13:02.000000000 +0200 @@ -28,7 +28,6 @@ #include <stdio.h> #include <string.h> -#include <syslog.h> #include <pam_appl.h> #include <config.h> @@ -36,6 +35,7 @@ # include "pam_opttab.h" #endif #include "pam_option.h" +#include "pam_ssh_log.h" /* Everyone has to have these options. It is not an error to * specify them and then not use them. @@ -73,7 +73,7 @@ options->opt[i].name = std_options[i].name; else if (extra) { if (oo->value != i) - syslog(LOG_DEBUG, "Extra option fault: %d %d", + pam_ssh_log(LOG_NOTICE, "Extra option fault: %d %d", oo->value, i); options->opt[i].name = oo->name; oo++; @@ -87,7 +87,7 @@ for (j = 0; j < argc; j++) { #ifdef DEBUG - syslog(LOG_DEBUG, "Doing arg %s", argv[j]); + pam_ssh_log(LOG_INFO, "Doing arg %s", argv[j]); #endif found = 0; for (i = 0; i < PAM_MAX_OPTIONS; i++) { @@ -109,7 +109,7 @@ } } if (!found) - syslog(LOG_WARNING, "PAM option: %s invalid", argv[j]); + pam_ssh_log(LOG_WARNING, "PAM option: %s invalid", argv[j]); } } ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-commit-unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit-help@opensuse.org
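Review bot: The replaced `syslog()` calls in pam_std_option.c were raised from LOG_DEBUG to LOG_NOTICE and LOG_INFO without a comment saying why; the reason is visible in pam_ssh.c, where `log_debug` is assigned only after `pam_std_option()` returns, so a LOG_DEBUG message issued from inside option parsing would always be swallowed by the new `pam_ssh_log`. A one-line comment above the first call would keep the next reader from "fixing" the levels back: `/* log_debug is not set until after pam_std_option() returns, so LOG_DEBUG would be suppressed here */`. It is also worth noting there that the `#ifdef DEBUG` "Doing arg %s" line now reaches the authpriv log at LOG_INFO for every module argument on debug builds.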