summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--CREDITS1
-rw-r--r--ChangeLog4
-rw-r--r--acconfig.h3
-rw-r--r--auth-passwd.c6
-rw-r--r--auth1.c19
-rw-r--r--auth2.c27
-rw-r--r--bsd-snprintf.c2
-rw-r--r--bsd-snprintf.h2
-rw-r--r--configure.in14
-rw-r--r--session.c24
-rw-r--r--sshd.c2
11 files changed, 95 insertions, 9 deletions
diff --git a/CREDITS b/CREDITS
index 1774e276..4bcb1ae6 100644
--- a/CREDITS
+++ b/CREDITS
@@ -13,6 +13,7 @@ Ben Lindstrom <mouring@pconline.com> - NeXT support
Ben Taylor <bent@clark.net> - Solaris debugging and fixes
Bratislav ILICH <bilic@zepter.ru> - Configure fix
Chip Salzenberg <chip@valinux.com> - Assorted patches
+Chris Adams <cmadams@hiwaay.net> - OSF SIA support
Chris Saia <csaia@wtower.com> - SuSE packaging
Chris, the Young One <cky@pobox.com> - Password auth fixes
Christos Zoulas <christos@zoulas.com> - Autoconf fixes
diff --git a/ChangeLog b/ChangeLog
index 6398238b..ea4667ad 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -4,7 +4,9 @@
- (djm) Patch from Michael Stone <mstone@cs.loyola.edu> to add support for
Irix 6.x array sessions, project id's, and system audit trail id.
- (djm) Added 'distprep' make target to simplify packaging
-
+ - (djm) Added patch from Chris Adams <cmadams@hiwaay.net> to add OSF SIA
+ support. Enable using "USE_SIA=1 ./configure [options]"
+
20000627
- (djm) Fixes to login code - not setting li->uid, cleanups
- (djm) Formatting
diff --git a/acconfig.h b/acconfig.h
index 0a042587..6f375212 100644
--- a/acconfig.h
+++ b/acconfig.h
@@ -148,6 +148,9 @@
/* Define if you want have trusted HPUX */
#undef HAVE_HPUX_TRUSTED_SYSTEM_PW
+/* Define if you have Digital Unix Security Integration Architecture */
+#undef HAVE_OSF_SIA
+
/* Define if you have getpwanam(3) [SunOS 4.x] */
#undef HAVE_GETPWANAM
diff --git a/auth-passwd.c b/auth-passwd.c
index d722122c..93756e9e 100644
--- a/auth-passwd.c
+++ b/auth-passwd.c
@@ -9,10 +9,10 @@
#include "includes.h"
-#ifndef USE_PAM
-
RCSID("$OpenBSD: auth-passwd.c,v 1.16 2000/06/20 01:39:38 markus Exp $");
+#if !defined(USE_PAM) && !defined(HAVE_OSF_SIA)
+
#include "packet.h"
#include "ssh.h"
#include "servconf.h"
@@ -139,4 +139,4 @@ auth_password(struct passwd * pw, const char *password)
/* Authentication is accepted if the encrypted passwords are identical. */
return (strcmp(encrypted_password, pw_password) == 0);
}
-#endif /* !USE_PAM */
+#endif /* !USE_PAM && !HAVE_OSF_SIA */
diff --git a/auth1.c b/auth1.c
index 3e7efcb2..0d440e52 100644
--- a/auth1.c
+++ b/auth1.c
@@ -18,6 +18,11 @@ RCSID("$OpenBSD: auth1.c,v 1.2 2000/04/29 18:11:52 markus Exp $");
#include "auth.h"
#include "session.h"
+#ifdef HAVE_OSF_SIA
+# include <sia.h>
+# include <siad.h>
+#endif
+
/* import */
extern ServerOptions options;
extern char *forced_command;
@@ -141,6 +146,10 @@ do_authloop(struct passwd * pw)
unsigned int ulen;
int type = 0;
void (*authlog) (const char *fmt,...) = verbose;
+#ifdef HAVE_OSF_SIA
+ extern int saved_argc;
+ extern char **saved_argv;
+#endif /* HAVE_OSF_SIA */
/* Indicate that authentication is needed. */
packet_start(SSH_SMSG_FAILURE);
@@ -299,7 +308,15 @@ do_authloop(struct passwd * pw)
#ifdef USE_PAM
/* Do PAM auth with password */
authenticated = auth_pam_password(pw, password);
-#else /* USE_PAM */
+#elif defined(HAVE_OSF_SIA)
+ /* Do SIA auth with password */
+ host = get_canonical_hostname();
+ if (sia_validate_user(NULL, saved_argc, saved_argv,
+ get_canonical_hostname(), pw->pw_name, NULL, 0,
+ NULL, password) == SIASUCCESS) {
+ authenticated = 1;
+ }
+#else /* !USE_PAM && !HAVE_OSF_SIA */
/* Try authentication with the password. */
authenticated = auth_password(pw, password);
#endif /* USE_PAM */
diff --git a/auth2.c b/auth2.c
index a3d4ab60..f20953a8 100644
--- a/auth2.c
+++ b/auth2.c
@@ -56,6 +56,11 @@ RCSID("$OpenBSD: auth2.c,v 1.11 2000/06/19 00:50:11 markus Exp $");
#include "uidswap.h"
#include "auth-options.h"
+#ifdef HAVE_OSF_SIA
+# include <sia.h>
+# include <siad.h>
+#endif
+
/* import */
extern ServerOptions options;
extern unsigned char *session_id2;
@@ -244,10 +249,20 @@ input_userauth_request(int type, int plen)
int
ssh2_auth_none(struct passwd *pw)
{
+#ifdef HAVE_OSF_SIA
+ extern int saved_argc;
+ extern char **saved_argv;
+#endif
+
packet_done();
+
#ifdef USE_PAM
return auth_pam_password(pw, "");
-#else /* USE_PAM */
+#elif defined(HAVE_OSF_SIA)
+ return(sia_validate_user(NULL, saved_argc, saved_argv,
+ get_canonical_hostname(), pw->pw_name, NULL, 0, NULL,
+ "") == SIASUCCESS);
+#else /* !HAVE_OSF_SIA && !USE_PAM */
return auth_password(pw, "");
#endif /* USE_PAM */
}
@@ -258,6 +273,10 @@ ssh2_auth_password(struct passwd *pw)
int authenticated = 0;
int change;
unsigned int len;
+#ifdef HAVE_OSF_SIA
+ extern int saved_argc;
+ extern char **saved_argv;
+#endif
change = packet_get_char();
if (change)
log("password change not supported");
@@ -266,7 +285,11 @@ ssh2_auth_password(struct passwd *pw)
if (options.password_authentication &&
#ifdef USE_PAM
auth_pam_password(pw, password) == 1)
-#else /* USE_PAM */
+#elif defined(HAVE_OSF_SIA)
+ sia_validate_user(NULL, saved_argc, saved_argv,
+ get_canonical_hostname(), pw->pw_name, NULL, 0,
+ NULL, password) == SIASUCCESS)
+#else /* !USE_PAM && !HAVE_OSF_SIA */
auth_password(pw, password) == 1)
#endif /* USE_PAM */
authenticated = 1;
diff --git a/bsd-snprintf.c b/bsd-snprintf.c
index 69534ecf..c31fc38d 100644
--- a/bsd-snprintf.c
+++ b/bsd-snprintf.c
@@ -126,7 +126,7 @@ vsnprintf(str, n, fmt, ap)
char *str;
size_t n;
char *fmt;
- va_list *ap;
+ va_list ap;
{
struct sigaction osa, nsa;
char *p;
diff --git a/bsd-snprintf.h b/bsd-snprintf.h
index 8f244604..6be2047e 100644
--- a/bsd-snprintf.h
+++ b/bsd-snprintf.h
@@ -10,7 +10,7 @@ int snprintf(char *str, size_t n, char const *fmt, ...);
#endif /* !HAVE_SNPRINTF */
#ifndef HAVE_VSNPRINTF
-int vsnprintf(char *str, size_t n, char *fmt, va_list *ap);
+int vsnprintf(char *str, size_t n, char *fmt, va_list ap);
#endif /* !HAVE_SNPRINTF */
diff --git a/configure.in b/configure.in
index c1bcb342..4dd08c71 100644
--- a/configure.in
+++ b/configure.in
@@ -150,6 +150,20 @@ case "$host" in
LIBS="$LIBS -lgen -lsocket"
no_dev_ptmx=1
;;
+*-dec-osf*)
+# This is untested
+ if test ! -z "USE_SIA" ; then
+ AC_MSG_CHECKING(for Digital Unix Security Integration Architecture)
+ if test -f /etc/sia/matrix.conf; then
+ AC_MSG_RESULT(yes)
+ AC_DEFINE(HAVE_OSF_SIA)
+ AC_DEFINE(DISABLE_LOGIN)
+ LIBS="$LIBS -lsecurity -ldb -lm -laud"
+ else
+ AC_MSG_RESULT(no)
+ fi
+ fi
+ ;;
esac
# Allow user to specify flags
diff --git a/session.c b/session.c
index 1e22f477..ca4a994e 100644
--- a/session.c
+++ b/session.c
@@ -32,6 +32,11 @@ RCSID("$OpenBSD: session.c,v 1.20 2000/06/18 04:42:54 markus Exp $");
#include <proj.h>
#endif /* WITH_IRIX_PROJECT */
+#ifdef HAVE_OSF_SIA
+# include <sia.h>
+# include <siad.h>
+#endif
+
/* types */
#define TTYSZ 64
@@ -823,14 +828,32 @@ do_child(const char *command, struct passwd * pw, const char *term,
}
#endif /* USE_PAM */
+#ifndef HAVE_OSF_SIA
/* Set login name in the kernel. */
if (setlogin(pw->pw_name) < 0)
error("setlogin failed: %s", strerror(errno));
+#endif
/* Set uid, gid, and groups. */
/* Login(1) does this as well, and it needs uid 0 for the "-h"
switch, so we let login(1) to this for us. */
if (!options.use_login) {
+#ifdef HAVE_OSF_SIA
+ extern char **saved_argv;
+ extern int saved_argc;
+ char *host = get_canonical_hostname ();
+
+ if (sia_become_user(NULL, saved_argc, saved_argv, host,
+ pw->pw_name, ttyname, 0, NULL, NULL, SIA_BEU_SETLUID) !=
+ SIASUCCESS) {
+ perror("sia_become_user");
+ exit(1);
+ }
+ if (setreuid(geteuid(), geteuid()) < 0) {
+ perror("setreuid");
+ exit(1);
+ }
+#else /* HAVE_OSF_SIA */
if (getuid() == 0 || geteuid() == 0) {
if (setgid(pw->pw_gid) < 0) {
perror("setgid");
@@ -867,6 +890,7 @@ do_child(const char *command, struct passwd * pw, const char *term,
}
if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
fatal("Failed to set uids to %d.", (int) pw->pw_uid);
+#endif /* HAVE_OSF_SIA */
}
/*
* Get the shell from the password data. An empty shell field is
diff --git a/sshd.c b/sshd.c
index 32a6fac7..a4749fbe 100644
--- a/sshd.c
+++ b/sshd.c
@@ -88,6 +88,7 @@ char *av0;
/* Saved arguments to main(). */
char **saved_argv;
+int saved_argc;
/*
* The sockets that the server is listening; this is used in the SIGHUP
@@ -422,6 +423,7 @@ main(int ac, char **av)
int listen_sock, maxfd;
/* Save argv[0]. */
+ saved_argc = ac;
saved_argv = av;
if (strchr(av[0], '/'))
av0 = strrchr(av[0], '/') + 1;