On Mon, Jan 21, 2002 at 02:21:34 +0100, Dag-Erling Smorgrav wrote:
> 
> No need.  See the attached patch.
> 

Tested. I use /etc/pam.d/login for testing with the following OPIE lines:

auth            sufficient      pam_opie.so     no_warn
auth            requisite       pam_opieaccess.so       no_warn

Two problems found, patch included below.

1) When OPIE is turned on in the system, not necessarily all users are 
OPIE-ed, only those who are listed in /etc/opiekeys. It means that 
pam_opieaccess() module must do something only for valid OPIE users 
listed in /etc/opiekeys and do nothing for others. I use opiechallenge() 
check for it, and if it fails, return PAM_IGNORE.

2) opiealways() returns just the opposite of what you might expect, see 
/usr/src/contrib/opie/libopie/accessfile.c comment about it. Fixed by 
removing "!"

Besides these two things, all works as expected.

--- pam_opieaccess.c.old        Mon Jan 21 04:35:08 2002
+++ pam_opieaccess.c    Mon Jan 21 05:47:27 2002
@@ -55,8 +55,10 @@
 PAM_EXTERN int
 pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
 {
+       struct opie opie;
        struct options options;
        struct passwd *pwent;
+       char challenge[OPIE_CHALLENGE_MAX];
        char *luser, *rhost;
        int r;
 
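Review bot: the new `challenge` buffer is declared as `char challenge[OPIE_CHALLENGE_MAX];` but is only filled as a side effect of the existence test in the next hunk; confirm that the header's definition of `OPIE_CHALLENGE_MAX` already leaves room for the terminating NUL that `opiechallenge()` writes, and otherwise size it `OPIE_CHALLENGE_MAX + 1`. A one-line comment on `struct opie opie;` saying it exists only to ask whether `luser` has an /etc/opiekeys entry would stop a later reader from looking for the challenge actually being presented.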
@@ -64,22 +66,32 @@
 
        PAM_LOG("Options processed");
 
-       r = pam_get_item(pamh, PAM_RHOST, (const void **)&rhost);
-       if (r != PAM_SUCCESS)
-               PAM_RETURN(r);
-       if (rhost == NULL)
-               PAM_RETURN(PAM_SYSTEM_ERR);
-       
        r = pam_get_item(pamh, PAM_USER, (const void **)&luser);
        if (r != PAM_SUCCESS)
                PAM_RETURN(r);
        if (luser == NULL)
                PAM_RETURN(PAM_SYSTEM_ERR);
 
+       /*
+        * Don't call the OPIE atexit() handler when our program exits,
+        * since the module has been unloaded and we will SEGV.
+        */
+       opiedisableaeh();
+
+       if (opiechallenge(&opie, (char *)luser, challenge) != 0)
+               PAM_RETURN(PAM_IGNORE);
+       opieunlock();
+
+       r = pam_get_item(pamh, PAM_RHOST, (const void **)&rhost);
+       if (r != PAM_SUCCESS)
+               PAM_RETURN(r);
+       if (rhost == NULL)
+               PAM_RETURN(PAM_SYSTEM_ERR);
+       
        if ((pwent = getpwnam(luser)) == NULL)
                PAM_RETURN(PAM_SYSTEM_ERR);
        
-       if (opieaccessfile(rhost) && !opiealways(pwent->pw_dir))
+       if (opieaccessfile(rhost) && opiealways(pwent->pw_dir))
                PAM_RETURN(PAM_IGNORE);
        
        PAM_VERBOSE_ERROR("Refused; remote host is not in opieaccess");
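Review bot: the `opieunlock();` after the `opiechallenge()` call is reached only on the success path, so this hunk relies on `opiechallenge()` releasing any lock it took when it fails; verify that in libopie before committing, because nothing here unlocks on the `PAM_RETURN(PAM_IGNORE);` path. Two smaller points: the `(char *)luser` cast strips `const` from a PAM item the module does not own, and the line `+       ` just before `if ((pwent = getpwnam(luser)) == NULL)` is trailing whitespace only. Since the message itself says `opiealways()` returns the opposite of what its name suggests, the corrected `if (opieaccessfile(rhost) && opiealways(pwent->pw_dir))` deserves a comment pointing at accessfile.c so the `!` does not get reintroduced.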

-- 
Andrey A. Chernov
http://ache.pp.ru/
