authorDarren J Moffat <Darren.Moffat@oracle.com>2010-05-06 15:46:48 +0100
committerDarren J Moffat <Darren.Moffat@oracle.com>2010-05-06 15:46:48 +0100
commitbdb005b59455f11dc7f68cad9b1ec5b07de11e5d (patch)
tree9c44a5b5c619ef88232312812820900e163ddf5f /usr/src/cmd/ssh
parent960c63051304dfa89fe85ae0d0d46a893eb59b41 (diff)
PSARC/2010/155 sshd(1M) PAM Service name options
4877708 PAM service name for sshd needs to be configurable
Diffstat (limited to 'usr/src/cmd/ssh')
-rw-r--r--usr/src/cmd/ssh/include/auth-pam.h26
-rw-r--r--usr/src/cmd/ssh/include/servconf.h6
-rw-r--r--usr/src/cmd/ssh/sshd/auth-pam.c56
-rw-r--r--usr/src/cmd/ssh/sshd/servconf.c37
4 files changed, 90 insertions, 35 deletions
diff --git a/usr/src/cmd/ssh/include/auth-pam.h b/usr/src/cmd/ssh/include/auth-pam.h
index 70f9a3d388..3c3dd409fd 100644
--- a/usr/src/cmd/ssh/include/auth-pam.h
+++ b/usr/src/cmd/ssh/include/auth-pam.h
@@ -1,15 +1,3 @@
-/* $Id: auth-pam.h,v 1.16 2002/07/23 00:44:07 stevesk Exp $ */
-
-#ifndef _AUTH_PAM_H
-#define _AUTH_PAM_H
-
-#pragma ident "%Z%%M% %I% %E% SMI"
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-
/*
* Copyright (c) 2000 Damien Miller. All rights reserved.
*
@@ -34,14 +22,22 @@ extern "C" {
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
/*
- * Copyright 2004 Sun Microsystems, Inc. All rights reserved.
- * Use is subject to license terms.
+ * Copyright (c) 2001, 2010, Oracle and/or its affiliates. All rights reserved.
*/
+/* $Id: auth-pam.h,v 1.16 2002/07/23 00:44:07 stevesk Exp $ */
+
+#ifndef _AUTH_PAM_H
+#define _AUTH_PAM_H
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
#include "includes.h"
#ifdef USE_PAM
-const char * derive_pam_svc_name(Authmethod *method);
+char * derive_pam_svc_name(Authmethod *method);
void new_start_pam(Authctxt *authctxt, struct pam_conv *conv);
int auth_pam_password(Authctxt *authctxt, const char *password);
int do_pam_non_initial_userauth(Authctxt *authctxt);
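Review bot: The prototype on the `+` line still declares `derive_pam_svc_name`, but the auth-pam.c hunks in this same commit define and call `derive_pam_service_name`; the header now declares a function that no longer exists, and the one that does exist has no prototype and compiles only because it is defined before its use in new_start_pam. Change the line to `char * derive_pam_service_name(Authmethod *method);`. Since the return type went from `const char *` to a heap buffer, the ownership change deserves a comment at the declaration, e.g. `/* Returns an xmalloc()ed string; the caller must free() it. */`, so the next caller does not treat it as a static string as every pre-patch caller could.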
diff --git a/usr/src/cmd/ssh/include/servconf.h b/usr/src/cmd/ssh/include/servconf.h
index d6458ab619..4d7022f1a1 100644
--- a/usr/src/cmd/ssh/include/servconf.h
+++ b/usr/src/cmd/ssh/include/servconf.h
@@ -11,8 +11,7 @@
* called by a name other than "ssh" or "Secure Shell".
*/
/*
- * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
- * Use is subject to license terms.
+ * Copyright (c) 2001, 2010, Oracle and/or its affiliates. All rights reserved.
*/
/* $OpenBSD: servconf.h,v 1.59 2002/07/30 17:03:55 markus Exp $ */
@@ -42,6 +41,7 @@ extern "C" {
/* Magic name for internal sftp-server */
#define INTERNAL_SFTP_NAME "internal-sftp"
+#define _SSH_PAM_SERVICE_PREFIX "sshd"
typedef struct {
u_int num_ports;
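Review bot: `_SSH_PAM_SERVICE_PREFIX` begins with an underscore followed by an uppercase letter, which is an identifier space reserved for the implementation in C; the neighbouring `INTERNAL_SFTP_NAME` in this hunk shows the file's own convention. Rename it to `SSH_PAM_SERVICE_PREFIX` here and at its single use in fill_default_server_options (servconf.c hunk in this commit). A one-line comment such as `/* Default PAMServicePrefix; PAM service becomes "<prefix>-<method>" */` would also save a reader a trip to auth-pam.c.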
@@ -164,6 +164,8 @@ typedef struct {
int use_openssl_engine;
char *chroot_directory;
char *pre_userauth_hook;
+ char *pam_service_prefix;
+ char *pam_service_name;
} ServerOptions;
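Review bot: The two new `char *` fields have mixed ownership that nothing here records: per the servconf.c hunks, `pam_service_prefix` is either an `xstrdup()`ed value from sshd_config or a pointer to the string-literal default, while `pam_service_name` is `xstrdup()`ed or NULL. Anyone who later adds a free() for ServerOptions strings will hit undefined behaviour on the literal case. Document it on the fields, e.g. `char *pam_service_prefix;	/* PAMServicePrefix; literal default or xstrdup()ed -- never freed */` and `char *pam_service_name;	/* PAMServiceName; NULL unless set, overrides the prefix */`. The enclosing struct starts before this hunk.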
diff --git a/usr/src/cmd/ssh/sshd/auth-pam.c b/usr/src/cmd/ssh/sshd/auth-pam.c
index 01c34c7c9a..c3686b4928 100644
--- a/usr/src/cmd/ssh/sshd/auth-pam.c
+++ b/usr/src/cmd/ssh/sshd/auth-pam.c
@@ -22,8 +22,7 @@
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
/*
- * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
- * Use is subject to license terms.
+ * Copyright (c) 2001, 2010, Oracle and/or its affiliates. All rights reserved.
*/
#include "includes.h"
@@ -88,42 +87,66 @@ get_method_name(Authctxt *authctxt)
return authctxt->method->name;
}
-const
char *
-derive_pam_svc_name(Authmethod *method)
+derive_pam_service_name(Authmethod *method)
{
+ char *svcname = xmalloc(BUFSIZ);
+
+ /*
+ * If PamServiceName is set we use that for everything, including
+ * SSHv1
+ */
+ if (options.pam_service_name != NULL) {
+ (void) strlcpy(svcname, options.pam_service_name, BUFSIZ);
+ return (svcname);
+ }
+
if (compat20 && method) {
char *method_name = method->name;
if (!method_name)
fatal("Userauth method unknown while starting PAM");
- /* For SSHv2 we use "sshd-<userauth name> */
+ /*
+ * For SSHv2 we use "sshd-<userauth name>
+ * The "sshd" prefix can be changed via the PAMServicePrefix
+ * sshd_config option.
+ */
if (strcmp(method_name, "none") == 0) {
- return "sshd-none";
+ snprintf(svcname, BUFSIZ, "%s-none",
+ options.pam_service_prefix);
}
if (strcmp(method_name, "password") == 0) {
- return "sshd-password";
+ snprintf(svcname, BUFSIZ, "%s-password",
+ options.pam_service_prefix);
}
if (strcmp(method_name, "keyboard-interactive") == 0) {
/* "keyboard-interactive" is too long, shorten it */
- return "sshd-kbdint";
+ snprintf(svcname, BUFSIZ, "%s-kbdint",
+ options.pam_service_prefix);
}
if (strcmp(method_name, "publickey") == 0) {
/* "publickey" is too long, shorten it */
- return "sshd-pubkey";
+ snprintf(svcname, BUFSIZ, "%s-pubkey",
+ options.pam_service_prefix);
}
if (strcmp(method_name, "hostbased") == 0) {
/* "hostbased" can't really be shortened... */
- return "sshd-hostbased";
+ snprintf(svcname, BUFSIZ, "%s-hostbased",
+ options.pam_service_prefix);
}
if (strncmp(method_name, "gss", 3) == 0) {
/* "gss" is too short, elongate it */
- return "sshd-gssapi";
+ snprintf(svcname, BUFSIZ, "%s-gssapi",
+ options.pam_service_prefix);
}
+ return svcname;
+ } else {
+ /* SSHv1 doesn't get to be so cool */
+ snprintf(svcname, BUFSIZ, "%s-v1",
+ options.pam_service_prefix);
}
-
- return "sshd-v1"; /* SSHv1 doesn't get to be so cool */
+ return svcname;
}
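Review bot: For an SSHv2 method whose name matches none of the strcmp/strncmp cases, the `return svcname;` at the end of the `if (compat20 && method)` branch hands PAM the contents of an uninitialised xmalloc(BUFSIZ) buffer; the pre-patch code fell through to "sshd-v1" in that case, so this is a new regression waiting for the next userauth method to be added. The snprintf/strlcpy results are also never checked, so an over-long PAMServicePrefix or PAMServiceName silently selects a truncated (different) PAM service rather than failing. Restructuring the matches as an if/else chain that picks a suffix, with a fatal() default and one bounded format at the end, removes both problems; the suffix strings and their shortening comments are unchanged.
```c
char *
derive_pam_service_name(Authmethod *method)
{
	char *svcname = xmalloc(BUFSIZ);
	const char *suffix = NULL;
	int len;

	/* PAMServiceName overrides the derived name for everything, SSHv1 too. */
	if (options.pam_service_name != NULL) {
		if (strlcpy(svcname, options.pam_service_name, BUFSIZ) >= BUFSIZ)
			fatal("PAMServiceName is too long");
		return (svcname);
	}

	if (!compat20 || method == NULL) {
		suffix = "v1";		/* SSHv1 doesn't get to be so cool */
	} else if (method->name == NULL) {
		fatal("Userauth method unknown while starting PAM");
	} else if (strcmp(method->name, "none") == 0) {
		suffix = "none";
	} else if (strcmp(method->name, "password") == 0) {
		suffix = "password";
	} else if (strcmp(method->name, "keyboard-interactive") == 0) {
		suffix = "kbdint";	/* "keyboard-interactive" is too long */
	} else if (strcmp(method->name, "publickey") == 0) {
		suffix = "pubkey";	/* "publickey" is too long */
	} else if (strcmp(method->name, "hostbased") == 0) {
		suffix = "hostbased";
	} else if (strncmp(method->name, "gss", 3) == 0) {
		suffix = "gssapi";	/* "gss" is too short, elongate it */
	} else {
		/* Never hand PAM an uninitialised buffer for an unknown method. */
		fatal("No PAM service name for userauth method %s", method->name);
	}

	/* "<prefix>-<suffix>"; a truncated name would select the wrong PAM stack. */
	len = snprintf(svcname, BUFSIZ, "%s-%s", options.pam_service_prefix, suffix);
	if (len < 0 || len >= BUFSIZ)
		fatal("PAM service name for method %s is too long", suffix);
	return (svcname);
}
```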
void
@@ -131,7 +154,8 @@ new_start_pam(Authctxt *authctxt, struct pam_conv *conv)
{
int retval;
pam_handle_t *pamh;
- const char *rhost, *svc;
+ const char *rhost;
+ char *svc;
char *user = NULL;
pam_stuff *pam;
@@ -142,7 +166,7 @@ new_start_pam(Authctxt *authctxt, struct pam_conv *conv)
fatal("Userauth method unknown while starting PAM");
/* PAM service selected here */
- svc = derive_pam_svc_name(authctxt->method);
+ svc = derive_pam_service_name(authctxt->method);
debug2("Starting PAM service %s for method %s", svc,
get_method_name(authctxt));
@@ -186,6 +210,8 @@ new_start_pam(Authctxt *authctxt, struct pam_conv *conv)
get_method_name(authctxt));
}
+ free(svc);
+
fatal_add_cleanup((void (*)(void *)) &do_pam_cleanup_proc,
(void *) authctxt->pam);
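Review bot: `free(svc)` is only safe if pam_start() (called between the previous hunk and this one, outside the visible lines) keeps its own copy of the service name rather than the pointer it was given; Solaris libpam appears to copy it via pam_set_item(PAM_SERVICE), but that is inferred, not visible here. Record the assumption where the buffer is released, e.g. `free(svc);	/* pam_start() has copied the service name into the handle */`, and set `svc = NULL;` if it is referenced anywhere later in new_start_pam, whose body continues past this hunk.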
diff --git a/usr/src/cmd/ssh/sshd/servconf.c b/usr/src/cmd/ssh/sshd/servconf.c
index aa923ce57c..9a2a91d18d 100644
--- a/usr/src/cmd/ssh/sshd/servconf.c
+++ b/usr/src/cmd/ssh/sshd/servconf.c
@@ -9,8 +9,7 @@
* called by a name other than "ssh" or "Secure Shell".
*/
/*
- * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
- * Use is subject to license terms.
+ * Copyright (c) 2001, 2010, Oracle and/or its affiliates. All rights reserved.
*/
#include "includes.h"
@@ -155,6 +154,8 @@ initialize_server_options(ServerOptions *options)
options->use_openssl_engine = -1;
options->chroot_directory = NULL;
options->pre_userauth_hook = NULL;
+ options->pam_service_name = NULL;
+ options->pam_service_prefix = NULL;
}
#ifdef HAVE_DEFOPEN
@@ -383,6 +384,10 @@ fill_default_server_options(ServerOptions *options)
options->lookup_client_hostnames = 1;
if (options->use_openssl_engine == -1)
options->use_openssl_engine = 1;
+ if (options->pam_service_prefix == NULL)
+ options->pam_service_prefix = _SSH_PAM_SERVICE_PREFIX;
+ if (options->pam_service_name == NULL)
+ options->pam_service_name = NULL;
}
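Review bot: `if (options->pam_service_name == NULL) options->pam_service_name = NULL;` is a no-op and reads as a copy-paste slip; drop the two lines, or if the intent is to document that unset means "derive from the prefix", replace them with the comment `/* pam_service_name stays NULL: service name is derived from pam_service_prefix */`. The line above it stores the string literal `_SSH_PAM_SERVICE_PREFIX` in a `char *` that the parser otherwise fills with `xstrdup()`ed memory, so the field must never be freed; a comment there, `/* literal default, not heap-allocated */`, makes that explicit. fill_default_server_options starts before this hunk.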
/* Keyword tokens. */
@@ -421,7 +426,7 @@ typedef enum {
sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
sMaxAuthTries, sMaxAuthTriesLog, sUsePrivilegeSeparation,
sLookupClientHostnames, sUseOpenSSLEngine, sChrootDirectory,
- sPreUserauthHook, sMatch,
+ sPreUserauthHook, sMatch, sPAMServicePrefix, sPAMServiceName,
sDeprecated
} ServerOpCodes;
@@ -525,6 +530,8 @@ static struct {
{ "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
{ "preuserauthhook", sPreUserauthHook, SSHCFG_ALL},
{ "match", sMatch, SSHCFG_ALL },
+ { "pamserviceprefix", sPAMServicePrefix, SSHCFG_GLOBAL },
+ { "pamservicename", sPAMServiceName, SSHCFG_GLOBAL },
{ NULL, sBadOption, 0 }
};
@@ -1322,6 +1329,30 @@ parse_flag:
arg = strdelim(&cp);
break;
+ case sPAMServicePrefix:
+ arg = strdelim(&cp);
+ if (!arg || *arg == '\0')
+ fatal("%s line %d: Missing argument.",
+ filename, linenum);
+ if (options->pam_service_name != NULL)
+ fatal("%s line %d: PAMServiceName and PAMServicePrefix "
+ "are mutually exclusive.", filename, linenum);
+ if (options->pam_service_prefix == NULL)
+ options->pam_service_prefix = xstrdup(arg);
+ break;
+
+ case sPAMServiceName:
+ arg = strdelim(&cp);
+ if (!arg || *arg == '\0')
+ fatal("%s line %d: Missing argument.",
+ filename, linenum);
+ if (options->pam_service_prefix != NULL)
+ fatal("%s line %d: PAMServiceName and PAMServicePrefix "
+ "are mutually exclusive.", filename, linenum);
+ if (options->pam_service_name == NULL)
+ options->pam_service_name = xstrdup(arg);
+ break;
+
default:
fatal("%s line %d: Missing handler for opcode %s (%d)",
filename, linenum, arg, opcode);
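Review bot: Neither new case bounds the argument, yet derive_pam_service_name (auth-pam.c hunk in this commit) formats it into a fixed BUFSIZ buffer, so an over-long PAMServicePrefix or PAMServiceName is only discovered, by truncation, when a client is already authenticating. Reject it at config-parse time instead, e.g. in sPAMServicePrefix add `if (strlen(arg) + sizeof("-hostbased") > BUFSIZ) fatal("%s line %d: PAMServicePrefix too long.", filename, linenum);` ("-hostbased" being the longest suffix appended), and the analogous `strlen(arg) >= BUFSIZ` check for sPAMServiceName. The mutual-exclusion fatal() is order-dependent but correct, since the prefix default is applied only in fill_default_server_options after parsing. The enclosing switch and process_server_config_line start before this hunk.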