Date:      Wed, 2 May 2001 12:29:41 -0700 (PDT)
From:      nsayer@quack.kfu.com
To:        freebsd-current@freebsd.org, freebsd-stable@freebsd.org
Subject:   RFD: SRA telnet PAM patch
Message-ID:  <200105021929.f42JTfs08425@medusa.kfu.com>

The problem noted was that telnetd was allowing root logins. This patch doesn't
directly address that, but by making SRA use PAM the hope is that it will be
easier to have policy changes take place in one place, via PAM, rather than
scattered all over the code.

Suggestions on either how to improve this patch or what should be done
to bar root logins are welcome.

Index: src/etc/pam.conf
===================================================================
RCS file: /home/ncvs/src/etc/pam.conf,v
retrieving revision 1.13
diff -u -r1.13 pam.conf
--- src/etc/pam.conf	2001/04/06 05:52:53	1.13
+++ src/etc/pam.conf	2001/05/02 19:26:35
@@ -86,6 +86,10 @@
 # "csshd" is for challenge-based authentication with sshd (TIS auth, etc.)
 csshd	auth	required	pam_skey.so
 
+# SRA telnet. Non-SRA telnet uses 'login'.
+telnetd	auth	required	pam_unix.so			try_first_pass
+telnetd	account	required	pam_unix.so
+
 # Don't break startx
 xserver	auth	required	pam_permit.so
 
Index: crypto/telnet/libtelnet/sra.c
===================================================================
RCS file: /home/ncvs/src/crypto/telnet/libtelnet/sra.c,v
retrieving revision 1.1.2.1
diff -u -r1.1.2.1 sra.c
--- crypto/telnet/libtelnet/sra.c	2000/09/20 02:32:05	1.1.2.1
+++ crypto/telnet/libtelnet/sra.c	2001/05/02 19:26:36
@@ -13,6 +13,10 @@
 #include <string.h>
 #endif
 
+#if !defined(NOPAM)
+#include <security/pam_appl.h>
+#endif
+
 #include "auth.h"
 #include "misc.h"
 #include "encrypt.h"
@@ -447,6 +451,7 @@
 	return (&save);
 }
 
+#ifdef NOPAM
 char *crypt();
 
 int check_user(name, pass)
@@ -474,7 +479,135 @@
 	}
 	return(0);
 }
+#else
+
+/*
+ * The following is stolen from ftpd, which stole it from the imap-uw
+ * PAM module and login.c. It is needed because we can't really
+ * "converse" with the user, having already gone to the trouble of
+ * getting their username and password through an encrypted channel.
+ */
+
+#define COPY_STRING(s) (s ? strdup(s):NULL)
+
+struct cred_t {
+	const char *uname;
+	const char *pass;
+};
+typedef struct cred_t cred_t;
+
+auth_conv(int num_msg, const struct pam_message **msg,
+	struct pam_response **resp, void *appdata)
+{
+	int i;
+	cred_t *cred = (cred_t *) appdata;
+	struct pam_response *reply =
+		malloc(sizeof(struct pam_response) * num_msg);
+
+	for (i = 0; i < num_msg; i++) {
+		switch (msg[i]->msg_style) {
+		case PAM_PROMPT_ECHO_ON:        /* assume want user name */
+			reply[i].resp_retcode = PAM_SUCCESS;
+			reply[i].resp = COPY_STRING(cred->uname);
+			/* PAM frees resp. */
+			break;
+		case PAM_PROMPT_ECHO_OFF:       /* assume want password */
+			reply[i].resp_retcode = PAM_SUCCESS;
+			reply[i].resp = COPY_STRING(cred->pass);
+			/* PAM frees resp. */
+			break;
+		case PAM_TEXT_INFO:
+		case PAM_ERROR_MSG:
+			reply[i].resp_retcode = PAM_SUCCESS;
+			reply[i].resp = NULL;
+			break;
+		default:                        /* unknown message style */
+			free(reply);
+			return PAM_CONV_ERR;
+		}
+	}
+
+	*resp = reply;
+	return PAM_SUCCESS;
+}
+
+/*
+ * The PAM version as a side effect may put a new username in *user.
+ */
+int check_user(const char *name, const char *pass)
+{
+	pam_handle_t *pamh = NULL;
+	const char *tmpl_user;
+	const void *item;
+	int rval;
+	int e;
+	cred_t auth_cred = { name, pass };
+	struct pam_conv conv = { &auth_conv, &auth_cred };
+
+	e = pam_start("telnetd", name, &conv, &pamh);
+	if (e != PAM_SUCCESS) {
+		syslog(LOG_ERR, "pam_start: %s", pam_strerror(pamh, e));
+		return 0;
+	}
+
+#if 0 /* Where can we find this value? */
+	e = pam_set_item(pamh, PAM_RHOST, remotehost);
+	if (e != PAM_SUCCESS) {
+		syslog(LOG_ERR, "pam_set_item(PAM_RHOST): %s",
+			pam_strerror(pamh, e));
+		return 0;
+	}
+#endif
+
+	e = pam_authenticate(pamh, 0);
+	switch (e) {
+	case PAM_SUCCESS:
+		/*
+		 * With PAM we support the concept of a "template"
+		 * user.  The user enters a login name which is
+		 * authenticated by PAM, usually via a remote service
+		 * such as RADIUS or TACACS+.  If authentication
+		 * succeeds, a different but related "template" name
+		 * is used for setting the credentials, shell, and
+		 * home directory.  The name the user enters need only
+		 * exist on the remote authentication server, but the
+		 * template name must be present in the local password
+		 * database.
+		 *
+		 * This is supported by two various mechanisms in the
+		 * individual modules.  However, from the application's
+		 * point of view, the template user is always passed
+		 * back as a changed value of the PAM_USER item.
+		 */
+		if ((e = pam_get_item(pamh, PAM_USER, &item)) ==
+		    PAM_SUCCESS) {
+			strcpy(user, (const char *) item);
+		} else
+			syslog(LOG_ERR, "Couldn't get PAM_USER: %s",
+			pam_strerror(pamh, e));
+		rval = 1;
+		break;
+
+	case PAM_AUTH_ERR:
+	case PAM_USER_UNKNOWN:
+	case PAM_MAXTRIES:
+		rval = 0;
+	break;
+
+	default:
+		syslog(LOG_ERR, "auth_pam: %s", pam_strerror(pamh, e));
+		rval = 0;
+		break;
+	}
+
+	if ((e = pam_end(pamh, e)) != PAM_SUCCESS) {
+		syslog(LOG_ERR, "pam_end: %s", pam_strerror(pamh, e));
+		rval = 0;
+	}
+	return rval;
+}
 
+#endif
 
 #endif
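Review bot: check_user() stops at pam_authenticate() and never calls pam_acct_mgmt(), so the `telnetd account` stack this patch adds to pam.conf is dead on the SRA path: expired accounts, or any account-level root restriction added later, would never be enforced. The strcpy() into `user` on the PAM_SUCCESS branch is unbounded, and PAM_USER can be rewritten by a module to a template name of arbitrary length, so if `user` is a fixed-size array (its definition is outside this hunk) it should be `strlcpy(user, (const char *)item, sizeof(user));`. auth_conv() is declared without a return type and without `static`, its malloc() result is never checked, and the PAM_CONV_ERR path free()s the array while leaking the strdup()ed responses already filled in — at minimum add `if (reply == NULL) return PAM_CONV_ERR;` after the allocation. The rewritten authenticate/account sequence is below; both functions are otherwise complete within the hunk.
```c
	e = pam_authenticate(pamh, 0);
	if (e == PAM_SUCCESS)
		e = pam_acct_mgmt(pamh, 0);	/* honour the "telnetd account" stack */
	switch (e) {
	case PAM_SUCCESS:
		/* … unchanged: template-user comment … */
		if ((e = pam_get_item(pamh, PAM_USER, &item)) ==
		    PAM_SUCCESS) {
			/* PAM may hand back a longer template name; bound the copy */
			strlcpy(user, (const char *) item, sizeof(user));
		} else
			syslog(LOG_ERR, "Couldn't get PAM_USER: %s",
			    pam_strerror(pamh, e));
		rval = 1;
		break;
	/* … unchanged: PAM_AUTH_ERR / default cases and pam_end() … */
```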
 
Index: secure/src/secure/libexec/telnetd/Makefile
===================================================================
RCS file: /home/ncvs/src/secure/libexec/telnetd/Makefile,v
retrieving revision 1.22
diff -u -r1.22 Makefile
--- secure/src/secure/libexec/telnetd/Makefile	2001/03/28 12:08:19	1.22
+++ secure/src/secure/libexec/telnetd/Makefile	2001/05/02 19:26:37
@@ -15,7 +15,7 @@
 
 DPADD=		${LIBUTIL} ${LIBTERMCAP} ${LIBTELNET} ${LIBCRYPTO} ${LIBMP} \
                 ${LIBCRYPT}
-LDADD=		-lutil -ltermcap ${LIBTELNET} -lcrypto -lcrypt -lmp
+LDADD=		-lutil -ltermcap ${LIBTELNET} -lcrypto -lcrypt -lmp -lpam
 
 .include <bsd.prog.mk>
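Review bot: `-lpam` is appended to LDADD but the DPADD line two lines above is not given the matching `${LIBPAM}`, so the dependency list and the link list no longer agree; `DPADD=		${LIBUTIL} ${LIBTERMCAP} ${LIBTELNET} ${LIBCRYPTO} ${LIBMP} ${LIBCRYPT} ${LIBPAM}`. The C side of this patch is guarded by NOPAM while the link is unconditional, so if NOPAM builds are meant to keep working the `-lpam` needs to be conditional on the same knob.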
 
Index: secure/src/secure/usr.bin/telnet/Makefile
===================================================================
RCS file: /home/ncvs/src/secure/usr.bin/telnet/Makefile,v
retrieving revision 1.24
diff -u -r1.24 Makefile
--- secure/src/secure/usr.bin/telnet/Makefile	2001/03/28 12:08:19	1.24
+++ secure/src/secure/usr.bin/telnet/Makefile	2001/05/02 19:26:37
@@ -12,7 +12,7 @@
 DPADD=		${LIBTERMCAP} ${LIBTELNET} ${LIBCRYPTO} ${LIBCRYPT} ${LIBMP}
 DPADD+=		${LIBIPSEC}
 LDADD=		-ltermcap ${LIBTELNET} -lcrypto -lcrypt -lmp
-LDADD+=		-lipsec
+LDADD+=		-lipsec -lpam
 
 .include <bsd.prog.mk>
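Review bot: Same DPADD/LDADD mismatch as in the telnetd Makefile: `-lpam` is appended to LDADD but `${LIBPAM}` is not added to DPADD. Presumably the client needs libpam only because sra.c lives in the shared libtelnet; a one-line comment saying so would spare the next reader from wondering why a telnet client links against PAM, e.g. `# libtelnet's SRA code uses PAM, so the client has to link it too`.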
 




