Index: crypto/external/bsd/openssh/dist/auth-pam.c =================================================================== RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth-pam.c,v retrieving revision 1.25 diff -u -p -r1.25 auth-pam.c --- crypto/external/bsd/openssh/dist/auth-pam.c 26 Mar 2025 01:33:02 -0000 1.25 +++ crypto/external/bsd/openssh/dist/auth-pam.c 18 Apr 2026 08:12:15 -0000 @@ -120,6 +120,7 @@ __RCSID("$NetBSD: auth-pam.c,v 1.25 2025 #include "ssh-gss.h" #endif #include "monitor_wrap.h" +#include "srclimit.h" extern ServerOptions options; extern struct sshbuf *loginmsg; @@ -152,11 +153,17 @@ typedef pid_t sp_pthread_t; #define pthread_join fake_pthread_join #endif +typedef int SshPamDone; +#define SshPamError -1 +#define SshPamNone 0 +#define SshPamAuthenticated 1 +#define SshPamAgain 2 + struct pam_ctxt { sp_pthread_t pam_thread; int pam_psock; int pam_csock; - int pam_done; + SshPamDone pam_done; }; static void sshpam_free_ctx(void *); @@ -178,7 +185,7 @@ sshpam_sigchld_handler(int sig) return; /* handler called after PAM cleanup, shouldn't happen */ if (waitpid(cleanup_ctxt->pam_thread, &sshpam_thread_status, WNOHANG) <= 0) { - /* PAM thread has not exitted, privsep slave must have */ + /* PAM thread has not exited, privsep slave must have */ kill(cleanup_ctxt->pam_thread, SIGTERM); while (waitpid(cleanup_ctxt->pam_thread, &sshpam_thread_status, 0) == -1) { @@ -194,7 +201,6 @@ sshpam_sigchld_handler(int sig) _exit(EXIT_CHILD_CRASH); } else if (!WIFEXITED(sshpam_thread_status)) _exit(EXIT_CHILD_CRASH); - } /* ARGSUSED */ @@ -258,6 +264,7 @@ pthread_join(sp_pthread_t thread, void * static pam_handle_t *sshpam_handle = NULL; +static char *sshpam_initial_user; static int sshpam_err = 0; static int sshpam_authenticated = 0; static int sshpam_session_open = 0; @@ -292,31 +299,6 @@ pam_putenv(pam_handle_t *pamh, const cha } #endif /* HAVE_PAM_PUTENV */ -/* - * Some platforms, notably Solaris, do not enforce password complexity - * rules during pam_chauthtok() if the real uid of the calling process - * is 0, on the assumption that it's being called by "passwd" run by root. - * This wraps pam_chauthtok and sets/restore the real uid so PAM will do - * the right thing. - */ -#ifdef SSHPAM_CHAUTHTOK_NEEDS_RUID -static int -sshpam_chauthtok_ruid(pam_handle_t *pamh, int flags) -{ - int result; - - if (sshpam_authctxt == NULL) - fatal("PAM: sshpam_authctxt not initialized"); - if (setreuid(sshpam_authctxt->pw->pw_uid, -1) == -1) - fatal("%s: setreuid failed: %s", __func__, strerror(errno)); - result = pam_chauthtok(pamh, flags); - if (setreuid(0, -1) == -1) - fatal("%s: setreuid failed: %s", __func__, strerror(errno)); - return result; -} -# define pam_chauthtok(a,b) (sshpam_chauthtok_ruid((a), (b))) -#endif - static void sshpam_password_change_required(int reqd) { @@ -464,6 +446,10 @@ sshpam_thread_conv(int n, sshpam_const s break; case PAM_ERROR_MSG: case PAM_TEXT_INFO: + debug3("PAM: %s: Got message of type %d: %s", + __func__, + PAM_MSG_MEMBER(msg, i, msg_style), + PAM_MSG_MEMBER(msg, i, msg)); if ((r = sshbuf_put_cstring(buffer, PAM_MSG_MEMBER(msg, i, msg))) != 0) fatal("%s: buffer error: %s", @@ -490,6 +476,34 @@ sshpam_thread_conv(int n, sshpam_const s return (PAM_CONV_ERR); } +static int +check_pam_user(Authctxt *authctxt) +{ + const char *pam_user; + + if (authctxt == NULL || authctxt->pw == NULL || + authctxt->pw->pw_name == NULL) + fatal_f("PAM authctxt user not initialized"); + + if ((sshpam_err = pam_get_item(sshpam_handle, PAM_USER, + (sshpam_const void **) &pam_user)) != PAM_SUCCESS) + return sshpam_err; + + if (pam_user == NULL) { + debug("PAM error: PAM_USER is NULL"); + return PAM_USER_UNKNOWN; + } + + if (sshpam_initial_user == NULL) + fatal_f("internal error: sshpam_initial_user NULL"); + if (strcmp(sshpam_initial_user, pam_user) != 0) { + error_f("PAM user \"%s\" does not match previous \"%s\"", + pam_user, sshpam_initial_user); + return PAM_USER_UNKNOWN; + } + return PAM_SUCCESS; +} + /* * Authentication thread. */ @@ -704,15 +718,16 @@ sshpam_cleanup(void) sshpam_authenticated = 0; pam_end(sshpam_handle, sshpam_err); sshpam_handle = NULL; + free(sshpam_initial_user); + sshpam_initial_user = NULL; } static int sshpam_init(struct ssh *ssh, Authctxt *authctxt) { - const char *pam_user, *user = authctxt->user; - const char **ptr_pam_user = &pam_user; + const char *user = authctxt->user; int r; - + if (options.pam_service_name == NULL) fatal_f("internal error: NULL PAM service name"); #if defined(PAM_SUN_CODEBASE) && defined(PAM_MAX_RESP_SIZE) @@ -721,25 +736,19 @@ sshpam_init(struct ssh *ssh, Authctxt *a fatal("Username too long from %s port %d", ssh_remote_ipaddr(ssh), ssh_remote_port(ssh)); #endif - if (sshpam_handle == NULL) { - if (ssh == NULL) { - fatal("%s: called initially with no " - "packet context", __func__); - } - } + if (sshpam_handle == NULL && ssh == NULL) + fatal("%s: called initially with no packet context", __func__); if (sshpam_handle != NULL) { /* We already have a PAM context; check if the user matches */ - sshpam_err = pam_get_item(sshpam_handle, - PAM_USER, (sshpam_const void **)ptr_pam_user); - if (sshpam_err == PAM_SUCCESS && strcmp(user, pam_user) == 0) - return (0); - pam_end(sshpam_handle, sshpam_err); - sshpam_handle = NULL; + if ((sshpam_err = check_pam_user(authctxt)) != PAM_SUCCESS) + fatal("PAM user mismatch"); + return 0; } debug("PAM: initializing for \"%s\" with service \"%s\"", user, options.pam_service_name); sshpam_err = pam_start(options.pam_service_name, user, &store_conv, &sshpam_handle); + sshpam_initial_user = xstrdup(user); sshpam_authctxt = authctxt; if (sshpam_err != PAM_SUCCESS) { @@ -758,7 +767,7 @@ sshpam_init(struct ssh *ssh, Authctxt *a sshpam_laddr = get_local_ipaddr( ssh_packet_get_connection_in(ssh)); } - if (sshpam_rhost != NULL) { + if (sshpam_rhost != NULL && strcmp(sshpam_rhost, "UNKNOWN") != 0) { debug("PAM: setting PAM_RHOST to \"%s\"", sshpam_rhost); sshpam_err = pam_set_item(sshpam_handle, PAM_RHOST, sshpam_rhost); @@ -771,7 +780,7 @@ sshpam_init(struct ssh *ssh, Authctxt *a if (ssh != NULL && sshpam_laddr != NULL) { char *conninfo; - /* Put SSH_CONNECTION in the PAM environment too */ + /* Put SSH_CONNECTION in the PAM environment too */ xasprintf(&conninfo, "SSH_CONNECTION=%.50s %d %.50s %d", ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), sshpam_laddr, ssh_local_port(ssh)); @@ -868,10 +877,9 @@ sshpam_query(void *ctx, char **name, cha { struct sshbuf *buffer; struct pam_ctxt *ctxt = ctx; - size_t plen; u_char type; char *msg; - size_t len, mlen, nmesg = 0; + size_t mlen, nmesg = 0; int r; debug3("PAM: %s entering", __func__); @@ -879,10 +887,10 @@ sshpam_query(void *ctx, char **name, cha fatal("%s: sshbuf_new failed", __func__); *name = xstrdup(""); *info = xstrdup(""); - *prompts = xmalloc(sizeof(char *)); - **prompts = NULL; - plen = 0; - *echo_on = xmalloc(sizeof(u_int)); + *prompts = NULL; + *num = 0; + ctxt->pam_done = SshPamNone; + while (ssh_msg_recv(ctxt->pam_psock, buffer) == 0) { if (++nmesg > PAM_MAX_NUM_MSG) fatal_f("too many query messages"); @@ -892,26 +900,21 @@ sshpam_query(void *ctx, char **name, cha switch (type) { case PAM_PROMPT_ECHO_ON: case PAM_PROMPT_ECHO_OFF: + *prompts = xcalloc(1, sizeof(char *)); + *echo_on = xcalloc(1, sizeof(u_int)); + (*prompts)[0] = msg; /* transfer ownership */ + (*echo_on)[0] = (type == PAM_PROMPT_ECHO_ON); *num = 1; - len = plen + mlen + 1; - **prompts = xreallocarray(**prompts, 1, len); - strlcpy(**prompts + plen, msg, len - plen); - plen += mlen; - **echo_on = (type == PAM_PROMPT_ECHO_ON); - free(msg); sshbuf_free(buffer); return (0); case PAM_ERROR_MSG: case PAM_TEXT_INFO: - /* accumulate messages */ - len = plen + mlen + 2; - **prompts = xreallocarray(**prompts, 1, len); - strlcpy(**prompts + plen, msg, len - plen); - plen += mlen; - strlcat(**prompts + plen, "\n", len - plen); - plen++; - free(msg); - break; + free(*info); + *info = msg; /* transfer ownership */ + msg = NULL; + ctxt->pam_done = SshPamAgain; + sshbuf_free(buffer); + return (0); case PAM_ACCT_EXPIRED: case PAM_MAXTRIES: if (type == PAM_ACCT_EXPIRED) @@ -921,29 +924,8 @@ sshpam_query(void *ctx, char **name, cha /* FALLTHROUGH */ case PAM_AUTH_ERR: debug3("PAM: %s", pam_strerror(sshpam_handle, type)); - if (**prompts != NULL && strlen(**prompts) != 0) { - free(*info); - *info = **prompts; - **prompts = NULL; - *num = 0; - **echo_on = 0; - ctxt->pam_done = -1; - free(msg); - sshbuf_free(buffer); - return 0; - } /* FALLTHROUGH */ case PAM_SUCCESS: - if (**prompts != NULL) { - /* drain any accumulated messages */ - debug("PAM: %s", **prompts); - if ((r = sshbuf_put(loginmsg, **prompts, - strlen(**prompts))) != 0) - fatal("%s: buffer error: %s", - __func__, ssh_err(r)); - free(**prompts); - **prompts = NULL; - } if (type == PAM_SUCCESS) { if (!sshpam_authctxt->valid || (sshpam_authctxt->pw->pw_uid == 0 && @@ -952,9 +934,7 @@ sshpam_query(void *ctx, char **name, cha "succeeded when it should have " "failed"); import_environments(buffer); - *num = 0; - **echo_on = 0; - ctxt->pam_done = 1; + ctxt->pam_done = SshPamAuthenticated; free(msg); sshbuf_free(buffer); return (0); @@ -965,10 +945,8 @@ sshpam_query(void *ctx, char **name, cha sshpam_authctxt->user, sshpam_rhost); /* FALLTHROUGH */ default: - *num = 0; - **echo_on = 0; free(msg); - ctxt->pam_done = -1; + ctxt->pam_done = SshPamError; sshbuf_free(buffer); return (-1); } @@ -1001,7 +979,6 @@ fake_password(const char *wire_password) return ret; } -/* XXX - see also comment in auth-chall.c:verify_response */ static int sshpam_respond(void *ctx, u_int num, char **resp) { @@ -1012,11 +989,13 @@ sshpam_respond(void *ctx, u_int num, cha debug2("PAM: %s entering, %u responses", __func__, num); switch (ctxt->pam_done) { - case 1: + case SshPamAuthenticated: sshpam_authenticated = 1; return (0); - case 0: + case SshPamNone: break; + case SshPamAgain: + return 1; /* KbdintResultAgain */ default: return (-1); } @@ -1061,6 +1040,14 @@ sshpam_free_ctx(void *ctxtp) */ } +int +sshpam_priv_kbdint_authdone(void *ctxtp) +{ + struct pam_ctxt *ctxt = ctxtp; + + return ctxt->pam_done == SshPamAuthenticated; +} + KbdintDevice sshpam_device = { "pam", sshpam_init_ctx, @@ -1146,87 +1133,6 @@ do_pam_setcred(void) pam_strerror(sshpam_handle, sshpam_err)); } -#if 0 -static int -sshpam_tty_conv(int n, sshpam_const struct pam_message **msg, - struct pam_response **resp, void *data) -{ - char input[PAM_MAX_MSG_SIZE]; - struct pam_response *reply; - int i; - - debug3("PAM: %s called with %d messages", __func__, n); - - *resp = NULL; - - if (n <= 0 || n > PAM_MAX_NUM_MSG || !isatty(STDIN_FILENO)) - return (PAM_CONV_ERR); - - if ((reply = calloc(n, sizeof(*reply))) == NULL) - return (PAM_CONV_ERR); - - for (i = 0; i < n; ++i) { - switch (PAM_MSG_MEMBER(msg, i, msg_style)) { - case PAM_PROMPT_ECHO_OFF: - reply[i].resp = - read_passphrase(PAM_MSG_MEMBER(msg, i, msg), - RP_ALLOW_STDIN); - reply[i].resp_retcode = PAM_SUCCESS; - break; - case PAM_PROMPT_ECHO_ON: - fprintf(stderr, "%s\n", PAM_MSG_MEMBER(msg, i, msg)); - if (fgets(input, sizeof input, stdin) == NULL) - input[0] = '\0'; - if ((reply[i].resp = strdup(input)) == NULL) - goto fail; - reply[i].resp_retcode = PAM_SUCCESS; - break; - case PAM_ERROR_MSG: - case PAM_TEXT_INFO: - fprintf(stderr, "%s\n", PAM_MSG_MEMBER(msg, i, msg)); - reply[i].resp_retcode = PAM_SUCCESS; - break; - default: - goto fail; - } - } - *resp = reply; - return (PAM_SUCCESS); - - fail: - for(i = 0; i < n; i++) { - free(reply[i].resp); - } - free(reply); - return (PAM_CONV_ERR); -} - -static struct pam_conv tty_conv = { sshpam_tty_conv, NULL }; -#endif - -/* - * XXX this should be done in the authentication phase, but ssh1 doesn't - * support that - */ -__dead /* fatal is __dead */ -void -do_pam_chauthtok(void) -{ - fatal("Password expired"); -#if 0 - sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, - (const void *)&tty_conv); - if (sshpam_err != PAM_SUCCESS) - fatal("PAM: failed to set PAM_CONV: %s", - pam_strerror(sshpam_handle, sshpam_err)); - debug("PAM: changing password"); - sshpam_err = pam_chauthtok(sshpam_handle, PAM_CHANGE_EXPIRED_AUTHTOK); - if (sshpam_err != PAM_SUCCESS) - fatal("PAM: pam_chauthtok(): %s", - pam_strerror(sshpam_handle, sshpam_err)); -#endif -} - void do_pam_session(struct ssh *ssh) { @@ -1400,9 +1306,13 @@ sshpam_auth_passwd(Authctxt *authctxt, c fatal("PAM: %s: failed to set PAM_CONV: %s", __func__, pam_strerror(sshpam_handle, sshpam_err)); + expose_authinfo(__func__); + sshpam_err = pam_authenticate(sshpam_handle, flags); sshpam_password = NULL; free(fake); + if (sshpam_err == PAM_SUCCESS) + sshpam_err = check_pam_user(authctxt); if (sshpam_err == PAM_MAXTRIES) sshpam_set_maxtries_reached(1); if (sshpam_err == PAM_SUCCESS && authctxt->valid) { Index: crypto/external/bsd/openssh/dist/auth-pam.h =================================================================== RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth-pam.h,v retrieving revision 1.11 diff -u -p -r1.11 auth-pam.h --- crypto/external/bsd/openssh/dist/auth-pam.h 8 Jul 2024 22:33:43 -0000 1.11 +++ crypto/external/bsd/openssh/dist/auth-pam.h 18 Apr 2026 08:12:15 -0000 @@ -44,5 +44,6 @@ int sshpam_auth_passwd(Authctxt *, const int sshpam_get_maxtries_reached(void); void sshpam_set_maxtries_reached(int); int is_pam_session_open(void); +int sshpam_priv_kbdint_authdone(void *ctxtp); #endif /* USE_PAM */