Date: Fri, 26 May 2000 21:18:12 -0500 (EST)
From: ajk@iu.edu
To: FreeBSD-gnats-submit@freebsd.org
Subject: bin/19251: [PATCH] pam_ssh broken by OpenSSH DSA changes
Message-ID: <200005270218.VAA01234@verbal.uits.iupui.edu>
>Number: 19251
>Category: bin
>Synopsis: [PATCH] pam_ssh broken by OpenSSH DSA changes
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Jun 13 14:30:01 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator: Andrew J. Korty
>Release: FreeBSD 5.0-CURRENT i386
>Organization:
Office of the VP for Information Technology, Indiana University
>Environment:
FreeBSD verbal.uits.iupui.edu 5.0-CURRENT FreeBSD 5.0-CURRENT #2:
Fri May 26 15:11:58 EST 2000
ajk@verbal.uits.iupui.edu:/usr/src/sys/compile/KUJAN i386
>Description:
The DSA support newly added to OpenSSH causes pam_ssh to compile
incorrectly, which in turn causes PAM applications that use it to
SEGV.
>How-To-Repeat:
Try to use any PAM-aware application in conjunction with pam_ssh.
>Fix:
Apply the following hastily-written patch, hastily:
Index: pam_ssh.c
===================================================================
RCS file: /var/cvs/src/crypto/openssh/pam_ssh/pam_ssh.c,v
retrieving revision 1.6
diff -u -r1.6 pam_ssh.c
--- pam_ssh.c 2000/05/26 01:58:49 1.6
+++ pam_ssh.c 2000/05/27 02:09:29
@@ -45,10 +45,14 @@
#include <security/pam_modules.h>
#include <security/pam_mod_misc.h>
+#include <openssl/dsa.h>
+#include <openssl/rsa.h>
+
#include "includes.h"
-#include "rsa.h"
#include "ssh.h"
+#include "key.h"
#include "authfd.h"
+#include "authfile.h"
#define MODULE_NAME "pam_ssh"
#define NEED_PASSPHRASE "Need passphrase for %s (%s).\nEnter passphrase: "
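Review bot: the two new OpenSSL headers are placed before "includes.h", but in OpenSSH sources "includes.h" is conventionally the first include because it carries the configuration and feature macros the other headers rely on; move `#include <openssl/dsa.h>` and `#include <openssl/rsa.h>` below it (next to "key.h", which is the header that actually needs the RSA and DSA types). Replacing "rsa.h" with "key.h" and adding "authfile.h" for load_public_key() is the right call, since the module now goes through the generic Key API rather than the old RSA-only one.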
@@ -56,10 +60,10 @@
void
-rsa_cleanup(pam_handle_t *pamh, void *data, int error_status)
+key_cleanup(pam_handle_t *pamh, void *data, int error_status)
{
if (data)
- RSA_free(data);
+ key_free(data);
}
@@ -205,11 +209,11 @@
char *comment_priv; /* on private key */
char *comment_pub; /* on public key */
char *identity; /* user's identity file */
- RSA *key; /* user's private key */
+ Key *key; /* user's private key */
int options; /* module options */
const char *pass; /* passphrase */
char *prompt; /* passphrase prompt */
- RSA *public_key; /* user's public key */
+ Key *public_key; /* user's public key */
const PASSWD *pwent; /* user's passwd entry */
PASSWD *pwent_keep; /* our own copy */
int retval; /* from calls */
@@ -235,8 +239,8 @@
* Fail unless we can load the public key. Change to the
* owner's UID to appease load_public_key().
*/
- key = RSA_new();
- public_key = RSA_new();
+ key = key_new(KEY_RSA);
+ public_key = key_new(KEY_RSA);
saved_uid = getuid();
(void)setreuid(pwent->pw_uid, saved_uid);
retval = load_public_key(identity, public_key, &comment_pub);
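Review bot: both key_new() calls hard-code KEY_RSA, so this hunk restores the build against the new Key API but does not add DSA identity support, even though the PR title concerns the DSA changes; a DSA identity file would still fail in load_public_key() here. If that is intentional for now, a comment saying so (e.g. "/* only RSA identities supported */") would stop the next reader from assuming DSA works; otherwise the key type would have to be chosen by inspecting the identity file rather than fixed at allocation time.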
@@ -245,7 +249,7 @@
free(identity);
return PAM_AUTH_ERR;
}
- RSA_free(public_key);
+ key_free(public_key);
/* build the passphrase prompt */
retval = asprintf(&prompt, NEED_PASSPHRASE, identity, comment_pub);
free(comment_pub);
@@ -276,8 +280,8 @@
* phase.
*/
if ((retval = pam_set_data(pamh, "ssh_private_key", key,
- rsa_cleanup)) != PAM_SUCCESS) {
- RSA_free(key);
+ key_cleanup)) != PAM_SUCCESS) {
+ key_free(key);
free(comment_priv);
return retval;
}
@@ -329,7 +333,7 @@
char *env_end; /* end of env */
char *env_file; /* to store env */
FILE *env_fp; /* env_file handle */
- RSA *key; /* user's private key */
+ Key *key; /* user's private key */
FILE *pipe; /* ssh-agent handle */
const PASSWD *pwent; /* user's passwd entry */
int retval; /* from calls */
@@ -439,7 +443,7 @@
env_destroy(ssh_env);
return PAM_SESSION_ERR;
}
- retval = ssh_add_identity(ac, key, comment);
+ retval = ssh_add_identity(ac, key->rsa, comment);
ssh_close_authentication_connection(ac);
env_swap(ssh_env, 0);
return retval ? PAM_SUCCESS : PAM_SESSION_ERR;
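Review bot: `ssh_add_identity(ac, key->rsa, comment)` dereferences the RSA member unconditionally, which is only valid while key->type is KEY_RSA; should a non-RSA Key ever be stored under "ssh_private_key" (the earlier hunk hard-codes KEY_RSA today, but that is a separate allocation site), key->rsa would be NULL and this call would pass a NULL RSA to the agent code. A guard such as `if (key->type != KEY_RSA) return PAM_SESSION_ERR;` before the call keeps the session phase from relying on an assumption made in the authentication phase, and keeps the two RSA-only spots in sync when DSA support is eventually added.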
>Release-Note:
>Audit-Trail:
>Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200005270218.VAA01234>
