
[SCM] GNU Inetutils branch, master, updated. inetutils-1_9_1-259-g601105e


From: Mats Erik Andersson
Subject: [SCM] GNU Inetutils branch, master, updated. inetutils-1_9_1-259-g601105e
Date: Wed, 20 Mar 2013 20:09:58 +0000

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU Inetutils ".

The branch, master has been updated
       via  601105eae504371d873782596996c82899db897d (commit)
      from  dc951ef19cd5568ec15630a4c9ffd0decdb201af (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
http://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=601105eae504371d873782596996c82899db897d


commit 601105eae504371d873782596996c82899db897d
Author: Mats Erik Andersson <address@hidden>
Date:   Tue Mar 19 23:51:35 2013 +0100

    ftpd: Support PAM beyond Linux-PAM.

diff --git a/ChangeLog b/ChangeLog
index 4bb36a1..180b2de 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,32 @@
+2013-03-19  Mats Erik Andersson  <address@hidden>
+
+       ftpd: Support PAM beyond Linux-PAM.
+
+       * configure.ac (FTPD_LIBPAM): Set to $LIBPAM
+       for all PAM implementations.
+       * ftpd/auth.c (auth_user) <default case>
+       [WITH_PAM && !WITH_LINUX_PAM]: Call pam_user()
+       if preceding tests were passed and if `auth_type'
+       is AUTH_TYPE_PAM.
+       (auth_pass) [WITH_PAM] <AUTH_TYPE_PAM>: Relax old
+       conditioning on WITH_LINUX_PAM.
+       * ftpd/extern.h (pam_user, pam_pass, pam_end_login)
+       [WITH_PAM]: Likewise.
+       * ftpd/ftpd.c (options) [WITH_PAM] <pam>: Likewise.
+       (parse_opt) <pam> [WITH_PAM]: Likewise.
+       (end_login) [WITH_PAM]: Likewise, use of pam_end_login().
+       * ftpd/pam.c [WITH_PAM]: Likewise, entire file.
+       (PAM_conv) <PAM_PROMPT_ECHO_OFF> [!WITH_LINUX_PAM]:
+       Return PAM_CRED_INSUFFICIENT.
+       (pam_doit) <failed pam_authenticate> [!WITH_LINUX_PAM]:
+       Check for status PAM_CRED_INSUFFICIENT with empty
+       password.
+
+       * ftpd/ftpd.c (doc) [WITH_PAM]: Mention PAM service
+       name 'ftp' in text.
+       (options) [WITH_KERBEROS5] <kerberos5>: Correct
+       misspelled authentication name.
+
 2013-03-15  Mats Erik Andersson  <address@hidden>
 
        rlogind: Incomplete source route security.
diff --git a/configure.ac b/configure.ac
index 1ba889e..4232703 100644
--- a/configure.ac
+++ b/configure.ac
@@ -201,11 +201,12 @@ if test "$with_pam" = yes ; then
   AC_CHECK_LIB(pam, pam_authenticate, LIBPAM=-lpam)
   if test "$ac_cv_lib_pam_pam_authenticate" = yes ; then
     AC_DEFINE([WITH_PAM], 1, [Define to one if you have -lpam.])
+    # ftpd was originally coded for Linux-PAM and was later
+    # adapted to go with OpenPAM and with Solaris-PAM.
+    FTPD_LIBPAM=$LIBPAM
     AC_CHECK_DECLS(PAM_CONV_AGAIN, , , [#include <security/pam_appl.h>])
     if test "$ac_cv_have_decl_PAM_CONV_AGAIN" = yes ; then
       AC_DEFINE([WITH_LINUX_PAM], 1, [Define to one if you use Linux-PAM.])
-      # Presently ftpd is coded for Linux-PAM only.
-      FTPD_LIBPAM=$LIBPAM
     fi
   fi
 fi
diff --git a/ftpd/auth.c b/ftpd/auth.c
index db9668d..8773a59 100644
--- a/ftpd/auth.c
+++ b/ftpd/auth.c
@@ -83,7 +83,13 @@ auth_user (const char *name, struct credentials *pcred)
        if (pcred->message == NULL)
          return -1;
 
-       /* check for anonymous logging */
+       /* Check for anonymous log in.
+        *
+        * This code simulates part of `pam_ftp.so'
+        * for PAM variants that are not Linux-PAM,
+        * in addition to perform the original
+        * default authentication checks.
+        */
        if (strcmp (name, "ftp") == 0 || strcmp (name, "anonymous") == 0)
          {
            if (checkuser (PATH_FTPUSERS, "ftp")
@@ -141,7 +147,14 @@ auth_user (const char *name, struct credentials *pcred)
     }
 
   if (err == 0)
-    pcred->dochroot = checkuser (PATH_FTPCHROOT, pcred->name);
+    {
+      pcred->dochroot = checkuser (PATH_FTPCHROOT, pcred->name);
+
+#if defined WITH_PAM && !defined WITH_LINUX_PAM
+      if (pcred->auth_type == AUTH_TYPE_PAM)
+       err = pam_user (name, pcred);
+#endif /* WITH_PAM && !WITH_LINUX_PAM */
+    }
 
   return err;
 }
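Review bot: The added call hands pam_user() the raw `name`, while the chroot lookup two lines above is keyed on `pcred->name`; if auth_user canonicalises the anonymous aliases into pcred->name earlier in the function (the strcmp against "ftp"/"anonymous" at the top suggests it might), PAM_USER and the chroot decision would be derived from two different spellings of the account. Either pass `pcred->name` here or add a comment stating why the un-normalised login name is the one PAM must see, e.g. `/* PAM gets the name as typed; pcred->name may already be canonical. */`. It is also worth noting next to the assignment that `pcred->dochroot` is only meaningful when the function returns 0, since pam_user() can still overwrite err after it is computed. auth_user begins before this hunk.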
@@ -151,7 +164,7 @@ auth_pass (const char *passwd, struct credentials *pcred)
 {
   switch (pcred->auth_type)
     {
-#ifdef WITH_LINUX_PAM
+#ifdef WITH_PAM
     case AUTH_TYPE_PAM:
       return pam_pass (passwd, pcred);
 #endif
diff --git a/ftpd/extern.h b/ftpd/extern.h
index a10317d..aa52530 100644
--- a/ftpd/extern.h
+++ b/ftpd/extern.h
@@ -154,8 +154,8 @@ extern int auth_user (const char *, struct credentials *);
 extern int auth_pass (const char *, struct credentials *);
 
 /* Exported from pam.c */
-#ifdef WITH_LINUX_PAM
+#ifdef WITH_PAM
 extern int pam_user (const char *, struct credentials *);
 extern int pam_pass (const char *, struct credentials *);
 extern void pam_end_login (struct credentials *);
-#endif
+#endif /* WITH_PAM */
diff --git a/ftpd/ftpd.c b/ftpd/ftpd.c
index 11a69fb..b333004 100644
--- a/ftpd/ftpd.c
+++ b/ftpd/ftpd.c
@@ -253,7 +253,12 @@ static int receive_data (FILE *, FILE *, off_t);
 static void send_data (FILE *, FILE *, off_t);
 static void sigquit (int);
 
-const char doc[] = "File Transfer Protocol Daemon";
+const char doc[] =
+#ifdef WITH_PAM
+  "File Transfer Protocol daemon, offering PAM service 'ftp'.";
+#else
+  "File Transfer Protocol daemon.";
+#endif
 
 static struct argp_option options[] = {
 #define GRID 0
@@ -297,9 +302,9 @@ static struct argp_option options[] = {
   { "  default", 0, NULL, OPTION_DOC|OPTION_NO_TRANS,
     "passwd authentication",
     GRID+3 },
-#ifdef WITH_LINUX_PAM
+#ifdef WITH_PAM
   { "  pam", 0, NULL, OPTION_DOC|OPTION_NO_TRANS,
-    "using pam 'ftp' module",
+    "using PAM service 'ftp'",
     GRID+3 },
 #endif
 #ifdef WITH_KERBEROS
@@ -308,7 +313,7 @@ static struct argp_option options[] = {
     GRID+3 },
 #endif
 #ifdef WITH_KERBEROS5
-  { "  kderberos5", 0, NULL, OPTION_DOC|OPTION_NO_TRANS,
+  { "  kerberos5", 0, NULL, OPTION_DOC|OPTION_NO_TRANS,
     "",
     GRID+3 },
 #endif
@@ -343,7 +348,7 @@ parse_opt (int key, char *arg, struct argp_state *state)
     case 'a':
       if (strcasecmp (arg, "default") == 0)
        cred.auth_type = AUTH_TYPE_PASSWD;
-#ifdef WITH_LINUX_PAM
+#ifdef WITH_PAM
       else if (strcasecmp (arg, "pam") == 0)
        cred.auth_type = AUTH_TYPE_PAM;
 #endif
@@ -835,7 +840,7 @@ end_login (struct credentials *pcred)
   if (pcred->logged_in)
     {
       logwtmp_keep_open (ttyline, "", "");
-#ifdef WITH_LINUX_PAM
+#ifdef WITH_PAM
       pam_end_login (pcred);
 #endif
     }
diff --git a/ftpd/pam.c b/ftpd/pam.c
index ff08a7c..3a970a4 100644
--- a/ftpd/pam.c
+++ b/ftpd/pam.c
@@ -30,6 +30,23 @@
 # include <security/pam_appl.h>
 #endif
 
+/*
+ * Mechanisms and prerequisites.
+ *
+ * The original code was tailored to rely on the side-effects
+ * of the Linux-PAM module `pam_ftp.so', with its peculiarities:
+ *
+ *  1. If PAM_USER is `ftp' or `anonymous', fetch PAM_AUTHTOK
+ *     and split it at `@' into PAM_RUSER and PAM_RHOST.
+ *     Return with success and set PAM_USER to `ftp'.
+ *
+ *  2. For other values of PAM_USER, keep the gotten PAM_AUTHTOK
+ *     unchanged, and fail.
+ *
+ * This module `pam_ftp.so' does not exist in OpenPAM, nor in
+ * Solaris-PAM.  Thus portability requires some care.
+ */
+
 /* June 3rd, 2012:
  * The draft of A.G Morgan on behalf of the the Open-PAM
  * working group has clearly not been able to get the
@@ -39,16 +56,16 @@
  * by preprocessor conditionals for the time being.
  */
 
-#ifdef WITH_LINUX_PAM
+#ifdef WITH_PAM
+
+/* PAM authentication, now using the PAM's async feature.  */
+static pam_handle_t *pamh;
 
 static int PAM_conv (int num_msg, const struct pam_message **msg,
                     struct pam_response **resp, void *appdata_ptr);
 
 static struct pam_conv PAM_conversation = { &PAM_conv, NULL };
 
-/* PAM authentication, now using the PAM's async feature.  */
-static pam_handle_t *pamh;
-
 static int
 PAM_conv (int num_msg, const struct pam_message **msg,
          struct pam_response **resp, void *appdata_ptr)
@@ -83,8 +100,15 @@ PAM_conv (int num_msg, const struct pam_message **msg,
            {
              savemsg = 1;
 # ifdef PAM_CONV_AGAIN
-             retval = PAM_CONV_AGAIN;
-# else /* !PAM_CONV_AGAIN */
+             retval = PAM_CONV_AGAIN;          /* Linux-PAM */
+# elif !defined WITH_LINUX_PAM
+             /*
+              * Simulate PAM_CONV_AGAIN.
+              * The alternate value PAM_TRY_AGAIN is not
+              * an expected return value here, so it will
+              * leave an audit trail.  */
+             retval = PAM_CRED_INSUFFICIENT;
+# else /* !PAM_CONV_AGAIN && !WITH_LINUX_PAM */
              retval = PAM_CONV_ERR;
 # endif
            }
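Review bot: The trailing comment on the final `# else` branch mislabels its condition: that branch is reached when PAM_CONV_AGAIN is undeclared but WITH_LINUX_PAM is defined, so it should read `# else /* !PAM_CONV_AGAIN && WITH_LINUX_PAM */`. Given that configure.ac in this same commit defines WITH_LINUX_PAM only when PAM_CONV_AGAIN is declared, the branch looks unreachable in practice, which the comment could say outright. The new `# elif` branch also deserves a caveat: the PAM conversation contract documents PAM_SUCCESS and PAM_CONV_ERR as the expected return values, so returning PAM_CRED_INSUFFICIENT from a conversation only works if the calling module and framework propagate it unchanged, and a sentence to that effect would help the next porter. PAM_conv begins and ends outside this hunk.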
@@ -166,7 +190,7 @@ PAM_conv (int num_msg, const struct pam_message **msg,
   return PAM_SUCCESS;
 }
 
-/* Non-zero means failure. */
+/* Non-zero return status means failure. */
 static int
 pam_doit (struct credentials *pcred)
 {
@@ -175,7 +199,7 @@ pam_doit (struct credentials *pcred)
 
   error = pam_authenticate (pamh, 0);
 
-  /* Probably being called for the passwd.  */
+  /* Probably being called with empty passwd.  */
   if (0
 # ifdef PAM_CONV_AGAIN
       || error == PAM_CONV_AGAIN
@@ -183,6 +207,13 @@ pam_doit (struct credentials *pcred)
 # ifdef PAM_INCOMPLETE
       || error == PAM_INCOMPLETE
 # endif
+# ifndef WITH_LINUX_PAM
+      /*
+       * In absence of `pam_ftp.so', catch the simulated,
+       * incomplete state reported by our PAM_conv().
+       */
+      || (error == PAM_CRED_INSUFFICIENT && pcred->pass == NULL)
+# endif /* !WITH_LINUX_PAM */
      )
     {
       /* Avoid overly terse passwd messages and let the people
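Review bot: The simulated-incomplete test on the added lines relies on the PAM_CRED_INSUFFICIENT produced by PAM_conv() surviving the module stack and pam_authenticate() unchanged; whether OpenPAM and Solaris modules pass a conversation's return value through verbatim is not visible here, and one that maps it to PAM_AUTH_ERR or PAM_CONV_ERR would turn "password not yet supplied" into a hard failure at the USER stage. Since with `pcred->pass == NULL` the conversation can never hand over a password, any failure in that state is equally "incomplete" and the second pam_authenticate() with the real password still has to succeed, so a more robust guard would be `|| (pcred->pass == NULL && (error == PAM_CRED_INSUFFICIENT || error == PAM_CONV_ERR))`. A short comment spelling out that the re-interpretation is safe only because the later full-credential call is still required would make the intent auditable. pam_doit continues past this hunk.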
@@ -295,4 +326,4 @@ pam_end_login (struct credentials * pcred 
_GL_UNUSED_PARAMETER)
       pamh = NULL;
     }
 }
-#endif /* WITH_LINUX_PAM */
+#endif /* WITH_PAM */

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog     |   29 +++++++++++++++++++++++++++++
 configure.ac  |    5 +++--
 ftpd/auth.c   |   19 ++++++++++++++++---
 ftpd/extern.h |    4 ++--
 ftpd/ftpd.c   |   17 +++++++++++------
 ftpd/pam.c    |   49 ++++++++++++++++++++++++++++++++++++++++---------
 6 files changed, 101 insertions(+), 22 deletions(-)


hooks/post-receive
-- 
GNU Inetutils 


