[RFC][PATCH] Detect and handle PAM changing user name



Posted 05-24-2007 by James R. Leu
Subject: [RFC][PATCH] Detect and handle PAM changing user name



I've implemented a patch to openssh which allows the PAM auth layer
to detect if the PAM stack has changed the user name and then adjusts
its internal data structures accordingly (imagine a PAM stack that
uses individual credentials to authenticate, but assigns the user to
a role account).

First, is the openssh community interested in this patch?
Second, if there is interest in the patch, how do I go about
submitting the patch for formal review?
Third, regardless of interest by the openssh community, is there
anyone willing to review this code for me?

PS I've tested the code path going through sshpam_auth_passwd(),
but do not know how to test the code path that goes through sshpam_thread().

<patch against 4.6p1 (portable) attached>
-- 
James R. Leu
jleu at inoc.com
INOC -> http://inoc.com/
DELIVERING UPTIME

Attachment: openssh-4.6p1-pam-user-change.patch
diff -uNr openssh-4.6p1/auth-pam.c openssh-4.6p1.jleu/auth-pam.c
--- openssh-4.6p1/auth-pam.c 2006-09-16 20:57:47.000000000 -0500
+++ openssh-4.6p1.jleu/auth-pam.c 2007-05-24 13:16:56.000000000 -0500
@@ -335,6 +335,39 @@
}
=20
/*
+ * Detect and deal with the PAM stack changing the user name on us
+ */
+static int
+sshpam_handle_user_change(pam_handle_t *sshpam_handle, Authctxt *authctxt)
+{
+ const char *pam_user;
+ const char **ptr_pam_user =3D &pam_user;
+
+ if (pam_get_item(sshpam_handle, PAM_USER,
+ (sshpam_const void **)ptr_pam_user) !=3D PAM_SUCCESS)
+ return PAM_AUTH_ERR;
+
+ if (strcmp(authctxt->user, pam_user)) {
+ char *user =3D strdup(pam_user);
+ struct passwd *pw;
+
+ if (!user)
+ return PAM_AUTH_ERR;
+ =09
+ if (!(pw =3D getpwnamallow(user))) {
+ free(user);
+ return PAM_AUTH_ERR;
+ }
+
+ free(authctxt->pw);
+ authctxt->pw =3D pw;
+ free(authctxt->user);
+ authctxt->user =3D user;
+ }
+ return PAM_SUCCESS;
+}
+
+/*
* Conversation function for authentication thread.
*/
static int
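Review bot: `pam_get_item(PAM_USER)` can return PAM_SUCCESS while leaving `pam_user` NULL, and the `strcmp(authctxt->user, pam_user)` that follows would then dereference a null pointer; add a `pam_user == NULL` check and treat it like the error case. Two smaller points in the same function: `free(authctxt->pw)` releases only the outer `struct passwd`, but `getpwnamallow()` hands back a deep copy (via `pwcopy()`) whose `pw_name`, `pw_dir`, `pw_shell` and other string members are separately allocated, so the old copy's members leak; and the rest of auth-pam.c allocates strings with `xstrdup()`/`xfree()`, so `strdup()`/`free()` here departs from the file's conventions (and the `!user` branch becomes unnecessary, since `xstrdup()` calls `fatal()` on allocation failure). A sentence in the function comment describing when the stack is expected to rewrite PAM_USER (a module mapping individual credentials to a role account, as in the cover letter) would also help readers.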
@@ -469,6 +502,10 @@
if (sshpam_err !=3D PAM_SUCCESS)
goto auth_fail;
=20
+ sshpam_err =3D sshpam_handle_user_change(sshpam_handle, sshpam_authctxt);
+ if (sshpam_err !=3D PAM_SUCCESS)
+ goto auth_fail;
+
if (compat20) {
if (!do_pam_account()) {
sshpam_err =3D PAM_ACCT_EXPIRED;
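Review bot: in the portable build `sshpam_thread()` normally runs in a forked child rather than a real thread (auth-pam.c supplies its own `pthread_create()` built on `fork()` unless `UNSUPPORTED_POSIX_THREADS_HACK` is defined), so the updated `sshpam_authctxt->user` and `->pw` assigned inside `sshpam_handle_user_change()` here live only in the child's address space and are never seen by the parent that goes on to set up the session. The new user name needs to be passed back to the parent over the existing conversation channel and applied there, or the challenge-response path should be documented as not supporting the rename; either way this is the path the cover letter says is untested, so it should be exercised with keyboard-interactive/PAM authentication before merging.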
@@ -1206,7 +1243,8 @@
=20
sshpam_err =3D pam_authenticate(sshpam_handle, flags);
sshpam_password =3D NULL;
- if (sshpam_err =3D=3D PAM_SUCCESS && authctxt->valid) {
+ if (sshpam_err =3D=3D PAM_SUCCESS && authctxt->valid &&
+ sshpam_handle_user_change(sshpam_handle, authctxt) =3D=3D PAM_SUCCESS=
) {
debug("PAM: password authentication accepted for %.100s",
authctxt->user);
return 1;
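Review bot: the new call is gated on `authctxt->valid`, so when the supplied login name is not itself a local account (the role-account scenario from the cover letter, where only the target account may exist locally) the rewritten PAM_USER is never consulted and the login fails; either apply the check before the `valid` test or state in the function comment that the originally supplied name must resolve. Also, when `sshpam_handle_user_change()` fails after `pam_authenticate()` succeeded, control drops into the failure branch with `sshpam_err` still PAM_SUCCESS, so any message built from `pam_strerror(sshpam_handle, sshpam_err)` there will report "Success" for a refused login; set `sshpam_err` to the returned error or log the reason explicitly. Finally, in the privilege-separated server this code runs in the monitor, whose `Authctxt` is separate from the unprivileged child's copy; please confirm how the child learns the new user name, since otherwise the two sides disagree on who was authenticated.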

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
http://lists.mindrot.org/mailman/lis...enssh-unix-dev
