svr-authpam code merged and works. needs tidying a logauthpam

6 files changed, 273 insertions, 4 deletions

diff --git a/Makefile.in b/Makefile.in
index 2bffe90..6cb94e4 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -24,7 +24,8 @@ COMMONOBJS=dbutil.o buffer.o \
 
 SVROBJS=svr-kex.o svr-algo.o svr-auth.o sshpty.o \
 		svr-authpasswd.o svr-authpubkey.o svr-session.o svr-service.o \
-		svr-chansession.o svr-runopts.o svr-agentfwd.o svr-main.o svr-x11fwd.o
+		svr-chansession.o svr-runopts.o svr-agentfwd.o svr-main.o svr-x11fwd.o\
+		svr-authpam.o
 
 CLIOBJS=cli-algo.o cli-main.o cli-auth.o cli-authpasswd.o cli-kex.o \
 		cli-session.o cli-service.o cli-runopts.o cli-chansession.o \
diff --git a/auth.h b/auth.h
index edac5a9..399db2d 100644
--- a/auth.h
+++ b/auth.h
@@ -36,6 +36,7 @@ void send_msg_userauth_failure(int partial, int incrfail);
 void send_msg_userauth_success();
 void svr_auth_password();
 void svr_auth_pubkey();
+void svr_auth_pam();
 
 /* Client functions */
 void recv_msg_userauth_failure();
diff --git a/configure.in b/configure.in
index 47a9a29..d3c5229 100644
--- a/configure.in
+++ b/configure.in
@@ -108,6 +108,42 @@ AC_ARG_ENABLE(zlib,
 	]
 )
 
+# Check if pam is needed
+AC_ARG_WITH(pam,
+	[  --with-pam=PATH        Use pam in PATH],
+	[
+		# option is given
+		if test -d "$withval/lib"; then
+			LDFLAGS="-L${withval}/lib ${LDFLAGS}"
+		else
+			LDFLAGS="-L${withval} ${LDFLAGS}"
+		fi
+		if test -d "$withval/include"; then
+			CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
+		else
+			CPPFLAGS="-I${withval} ${CPPFLAGS}"
+		fi
+	]
+)
+
+AC_ARG_ENABLE(pam,
+	[  --disable-pam          Don't include PAM support],
+	[
+		if test "x$enableval" = "xno"; then
+			AC_DEFINE(DISABLE_PAM,, Use PAM)
+			AC_MSG_RESULT(Disabling PAM)
+		else
+			AC_CHECK_LIB(pam, pam_authenticate, , AC_MSG_ERROR([*** PAM missing - install first or check config.log ***]))
+			AC_MSG_RESULT(Enabling PAM)
+		fi
+	],
+	[
+		# if not disabled, check for pam
+		AC_CHECK_LIB(pam, pam_authenticate, , AC_MSG_ERROR([*** PAM missing - install first or check config.log ***]))
+		AC_MSG_RESULT(Enabling PAM)
+	]
+)
+
 AC_ARG_ENABLE(openpty,
 	[  --disable-openpty       Don't use openpty, use alternative method],
 	[
@@ -160,7 +196,7 @@ AC_ARG_ENABLE(shadow,
 # Checks for header files.
 AC_HEADER_STDC
 AC_HEADER_SYS_WAIT
-AC_CHECK_HEADERS([fcntl.h limits.h netinet/in.h netinet/tcp.h stdlib.h string.h sys/socket.h sys/time.h termios.h unistd.h crypt.h pty.h ioctl.h libutil.h libgen.h inttypes.h stropts.h utmp.h utmpx.h lastlog.h paths.h util.h netdb.h sys/dirent.h])
+AC_CHECK_HEADERS([fcntl.h limits.h netinet/in.h netinet/tcp.h stdlib.h string.h sys/socket.h sys/time.h termios.h unistd.h crypt.h pty.h ioctl.h libutil.h libgen.h inttypes.h stropts.h utmp.h utmpx.h lastlog.h paths.h util.h netdb.h sys/dirent.h security/pam_appl.h pam/pam_appl.h])
 
 # Checks for typedefs, structures, and compiler characteristics.
 AC_C_CONST
diff --git a/options.h b/options.h
index d4abf09..6ea5277 100644
--- a/options.h
+++ b/options.h
@@ -110,7 +110,10 @@
 
 /* Authentication types to enable, at least one required.
    RFC Draft requires pubkey auth, and recommends password */
-#define DROPBEAR_PASSWORD_AUTH
+//#define DROPBEAR_PASSWORD_AUTH
+/* Only set PAM auth if you aren't using PASSWORD auth. Also, you'll need
+ * to make sure PAM libraries etc are installed */
+#define DROPBEAR_PAM_AUTH
 #define DROPBEAR_PUBKEY_AUTH
 
 /* Random device to use - you must specify _one only_.
diff --git a/svr-auth.c b/svr-auth.c
index db1d6a4..9e82b25 100644
--- a/svr-auth.c
+++ b/svr-auth.c
@@ -57,7 +57,7 @@ static void authclear() {
 #ifdef DROPBEAR_PUBKEY_AUTH
 	ses.authstate.authtypes |= AUTH_TYPE_PUBKEY;
 #endif
-#ifdef DROPBEAR_PASSWORD_AUTH
+#if defined(DROPBEAR_PASSWORD_AUTH) || defined(DROPBEAR_PAM_AUTH)
 	if (!svr_opts.noauthpass) {
 		ses.authstate.authtypes |= AUTH_TYPE_PASSWORD;
 	}
@@ -156,6 +156,19 @@ void recv_msg_userauth_request() {
 	}
 #endif
 
+#ifdef DROPBEAR_PAM_AUTH
+	if (!svr_opts.noauthpass &&
+			!(svr_opts.norootpass && ses.authstate.pw->pw_uid == 0) ) {
+		/* user wants to try password auth */
+		if (methodlen == AUTH_METHOD_PASSWORD_LEN &&
+				strncmp(methodname, AUTH_METHOD_PASSWORD,
+					AUTH_METHOD_PASSWORD_LEN) == 0) {
+			svr_auth_pam();
+			goto out;
+		}
+	}
+#endif
+
 #ifdef DROPBEAR_PUBKEY_AUTH
 	/* user wants to try pubkey auth */
 	if (methodlen == AUTH_METHOD_PUBKEY_LEN &&
diff --git a/svr-authpam.c b/svr-authpam.c
new file mode 100644
index 0000000..cfd4327
--- /dev/null
+++ b/svr-authpam.c
@@ -0,0 +1,215 @@
+/*
+ * Dropbear - a SSH2 server
+ * 
+ * Copyright (c) 2002,2003 Matt Johnston
+ * All rights reserved.
+ * 
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ * 
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE. */
+
+/* Validates a user password */
+
+#include "includes.h"
+#include "session.h"
+#include "buffer.h"
+#include "dbutil.h"
+#include "auth.h"
+
+#if defined(HAVE_SECURITY_PAM_APPL_H)
+#include <security/pam_appl.h>
+#elif defined (HAVE_PAM_PAM_APPL_H)
+#include <pam/pam_appl.h>
+#endif
+
+#ifdef DROPBEAR_PAM_AUTH
+
+struct UserDataS {
+    char* user;
+    char* passwd;
+};
+
+/* PAM conversation function */
+int 
+pamConvFunc(int num_msg, 
+	    const struct pam_message **msg,
+	    struct pam_response **respp, 
+	    void *appdata_ptr) {
+  int rc = PAM_SUCCESS;
+  struct pam_response* resp = NULL;
+  struct UserDataS* userDatap = (struct UserDataS*) appdata_ptr;
+
+  /* tbd only handles one msg */
+    
+  switch((*msg)->msg_style) {
+  case PAM_PROMPT_ECHO_OFF:
+    dropbear_log(LOG_DEBUG, "pamConvFunc(): PAM_PROMPT_ECHO_OFF: (*msg)->msg=\"%s\"", (*msg)->msg);
+
+    if (strcmp((*msg)->msg, "Password:") == 0) {
+      resp = (struct pam_response*) malloc(sizeof(struct pam_response));
+      resp->resp = (char*) strdup(userDatap->passwd);
+      /* dropbear_log(LOG_DEBUG, "pamConvFunc(): PAM_PROMPT_ECHO_ON: userDatap->passwd=\"%s\"", userDatap->passwd); */
+      resp->resp_retcode = 0;
+      (*respp) = resp;
+    }
+    else {
+      dropbear_log(LOG_WARNING, "pamConvFunc(): PAM_PROMPT_ECHO_OFF: unrecognized prompt, (*msg)->msg=\"%s\"", (*msg)->msg);
+      rc = PAM_CONV_ERR;
+    }
+    break;
+  case PAM_PROMPT_ECHO_ON:
+    dropbear_log(LOG_DEBUG, "pamConvFunc(): PAM_PROMPT_ECHO_ON: (*msg)->msg=\"%s\"", (*msg)->msg);
+
+    if ((strcmp((*msg)->msg, "login: " ) == 0) || (strcmp((*msg)->msg, "Please enter username: " ) == 0)) {
+      resp = (struct pam_response*) malloc(sizeof(struct pam_response));
+      resp->resp = (char*) strdup(userDatap->user);
+      dropbear_log(LOG_DEBUG, "pamConvFunc(): PAM_PROMPT_ECHO_ON: userDatap->user=\"%s\"", userDatap->user);
+      resp->resp_retcode = 0;
+      (*respp) = resp;
+    }
+    else {
+      dropbear_log(LOG_WARNING, "pamConvFunc(): PAM_PROMPT_ECHO_ON: unrecognized prompt, (*msg)->msg=\"%s\"", 
+		   (*msg)->msg);
+      rc = PAM_CONV_ERR;
+    }
+    break;
+  case PAM_ERROR_MSG:
+    dropbear_log(LOG_DEBUG, "pamConvFunc(): PAM_ERROR_MSG: (*msg)->msg=\"%s\"", (*msg)->msg);
+    /* printf("error msg: '%s'\n", (*msg)->msg); */
+    rc = PAM_CONV_ERR;
+    break;
+  case PAM_TEXT_INFO:
+    dropbear_log(LOG_DEBUG, "pamConvFunc(): PAM_TEXT_INFO: (*msg)->msg=\"%s\"", (*msg)->msg);
+    /* printf("text info: '%s'\n", (*msg)->msg); */
+    rc = PAM_CONV_ERR;
+    break;
+  case PAM_RADIO_TYPE:
+    dropbear_log(LOG_DEBUG, "pamConvFunc(): PAM_RADIO_TYPE: (*msg)->msg=\"%s\"", (*msg)->msg);
+    /* printf("radio type: '%s'\n", (*msg)->msg); */
+    rc = PAM_CONV_ERR;
+    break;
+  case PAM_BINARY_PROMPT:
+    dropbear_log(LOG_DEBUG, "pamConvFunc(): PAM_BINARY_PROMPT: (*msg)->msg=\"%s\"", (*msg)->msg);
+    /* printf("binary prompt: '%s'\n", (*msg)->msg); */
+    rc = PAM_CONV_ERR;
+    break;
+  default:
+    dropbear_log(LOG_DEBUG, "pamConvFunc(): Unknown PAM message");
+    /* printf("unknown message\n"); */
+    rc = PAM_CONV_ERR;
+    break;      
+  }
+
+  return rc;
+}
+
+/* Process a password auth request, sending success or failure messages as
+ * appropriate */
+void svr_auth_pam() {
+  // PAM stuff
+  int rc = PAM_SUCCESS;
+  struct UserDataS userData;
+  struct pam_conv pamConv = {
+    pamConvFunc,
+    &userData /* submitted to pamvConvFunc as appdata_ptr */ 
+  };
+  pam_handle_t* pamHandlep = NULL;
+  unsigned char * password = NULL;
+  unsigned int passwordlen;
+
+  unsigned char changepw;
+
+  /* check if client wants to change password */
+  changepw = buf_getbyte(ses.payload);
+  if (changepw) {
+    /* not implemented by this server */
+    send_msg_userauth_failure(0, 1);
+    return;
+  }
+
+  password = buf_getstring(ses.payload, &passwordlen);
+
+  /* clear the buffer containing the password */
+  buf_incrpos(ses.payload, -passwordlen - 4);
+  m_burn(buf_getptr(ses.payload, passwordlen + 4), passwordlen + 4);
+
+  /* used to pass data to the PAM conversation function */
+  userData.user = ses.authstate.printableuser;
+  TRACE(("user is %s\n", userData.user));
+  userData.passwd = password;
+
+  /* Init pam */
+  if ((rc = pam_start("sshd", NULL, &pamConv, &pamHandlep)) != PAM_SUCCESS) {
+    dropbear_log(LOG_WARNING, "pam_start() failed, rc=%d, %s\n", rc, pam_strerror(pamHandlep, rc));
+    /* fprintf(stderr, "pam_start() failed, rc=%d, %s\n", rc, pam_strerror(pamHandlep, rc)); */
+    goto clean;
+  }
+  
+  /*
+  if ((rc = pam_set_item(pamHandlep, PAM_RHOST, webReqp->ipaddr) != PAM_SUCCESS)) {
+    dropbear_log(LOG_WARNING, "pam_set_item() failed, rc=%d, %s\n", rc, pam_strerror(pamHandlep, rc));
+    return;
+  }
+  */
+  
+  /* just to set it to something */
+  if ((rc = pam_set_item(pamHandlep, PAM_TTY, "ssh") != PAM_SUCCESS)) {
+    dropbear_log(LOG_WARNING, "pam_set_item() failed, rc=%d, %s\n", rc, pam_strerror(pamHandlep, rc));
+    goto clean;
+  }
+  
+  (void) pam_fail_delay(pamHandlep, 0 /* musec_delay */);
+ 
+  /* (void) pam_set_item(pamHandlep, PAM_FAIL_DELAY, (void*) pamDelayFunc); */
+  
+  if ((rc = pam_authenticate(pamHandlep, 0)) != PAM_SUCCESS) {
+    dropbear_log(LOG_WARNING, "pam_authenticate() failed, rc=%d, %s\n", rc, pam_strerror(pamHandlep, rc));
+    /* fprintf(stderr, "pam_authenticate() failed, rc=%d, %s\n", rc, pam_strerror(pamHandlep, rc)); */
+    dropbear_log(LOG_WARNING,
+		 "bad pam password attempt for '%s'",
+		 ses.authstate.printableuser);
+    send_msg_userauth_failure(0, 1);
+    goto clean;
+  }
+
+  if ((rc = pam_acct_mgmt(pamHandlep, 0)) != PAM_SUCCESS) {
+    dropbear_log(LOG_WARNING, "pam_acct_mgmt() failed, rc=%d, %s\n", rc, pam_strerror(pamHandlep, rc));
+    /* fprintf(stderr, "pam_acct_mgmt() failed, rc=%d, %s\n", rc, pam_strerror(pamHandlep, rc)); */
+    dropbear_log(LOG_WARNING,
+		 "bad pam password attempt for '%s'",
+		 ses.authstate.printableuser);
+    send_msg_userauth_failure(0, 1);
+    goto clean;
+  }
+
+  /* successful authentication */
+  dropbear_log(LOG_NOTICE, 
+	       "password auth succeeded for '%s'",
+	       ses.authstate.printableuser);
+  send_msg_userauth_success();
+  
+ clean:
+  if (password != NULL) {
+    m_burn(password, passwordlen);
+    m_free(password);
+  }
+  if (pamHandlep != NULL) {
+    (void) pam_end(pamHandlep, 0 /* pam_status */);
+  }
+}
+
+#endif /* DROPBEAR_PAM_AUTH */