author | Dirk Meyer <dinoex@FreeBSD.org> | 2002-07-04 18:29:18 +0000 |
---|---|---|
committer | Dirk Meyer <dinoex@FreeBSD.org> | 2002-07-04 18:29:18 +0000 |
commit | 5e5d96c36b924fc79d191a6d2f7079433727ee2d (patch) | |
tree | ade1db51d64737c6abd5019babd83234026ca31f /security/hpn-ssh/files/patch-monitor.c | |
parent | e97a16d2f3bc14b5d310dad41bbbe8b1a3d7d55f (diff) | |
'PermitRootLogin no' is the new default for the OpenSSH port.
This now matches the PermitRootLogin configuration of OpenSSH in
the base system. Please be aware of this when upgrading your
OpenSSH port, and if truly necessary, re-enable remote root login
by readjusting this option in your sshd_config.
Users are encouraged to create single-purpose users with ssh keys
and very narrowly defined sudo privileges instead of using root
for automated tasks.
- PKGNAMESUFFIX for GSSAPI set.
- Merged some patches from current to improve PAM.
- Fix BATCH=yes for bento.
Notes
Notes:
svn path=/head/; revision=62437
Diffstat (limited to 'security/hpn-ssh/files/patch-monitor.c')
-rw-r--r-- | security/hpn-ssh/files/patch-monitor.c | 136 |
1 files changed, 136 insertions, 0 deletions
diff --git a/security/hpn-ssh/files/patch-monitor.c b/security/hpn-ssh/files/patch-monitor.c
new file mode 100644
index 000000000000..7671cf64e3b7
--- /dev/null
+++ b/security/hpn-ssh/files/patch-monitor.c
@@ -0,0 +1,136 @@
+--- monitor.c.orig Wed Jun 26 15:27:11 2002
++++ monitor.c Wed Jul 3 06:24:31 2002
+@@ -118,6 +127,10 @@
+ 
+ #ifdef USE_PAM
+ int mm_answer_pam_start(int, Buffer *);
++int mm_answer_pam_init_ctx(int, Buffer *);
++int mm_answer_pam_query(int, Buffer *);
++int mm_answer_pam_respond(int, Buffer *);
++int mm_answer_pam_free_ctx(int, Buffer *);
+ #endif
+ 
+ static Authctxt *authctxt;
+@@ -156,6 +169,10 @@
+ {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
+ #ifdef USE_PAM
+ {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start},
++ {MONITOR_REQ_PAM_INIT_CTX, MON_ISAUTH, mm_answer_pam_init_ctx},
++ {MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query},
++ {MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
++ {MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx},
+ #endif
+ #ifdef BSD_AUTH
+ {MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
+@@ -198,6 +215,10 @@
+ #endif
+ #ifdef USE_PAM
+ {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start},
++ {MONITOR_REQ_PAM_INIT_CTX, MON_ISAUTH, mm_answer_pam_init_ctx},
++ {MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query},
++ {MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
++ {MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx},
+ #endif
+ {0, 0, NULL}
+ };
+@@ -732,6 +749,100 @@
+ xfree(user);
+ 
+ return (0);
++}
++
++static void *pam_ctxt, *pam_authok;
++extern KbdintDevice pam_device;
++
++int
++mm_answer_pam_init_ctx(int socket, Buffer *m)
++{
++
++ debug3("%s", __func__);
++ authctxt->user = buffer_get_string(m, NULL);
++ pam_ctxt = (pam_device.init_ctx)(authctxt);
++ pam_authok = NULL;
++ buffer_clear(m);
++ if (pam_ctxt != NULL) {
++ monitor_permit(mon_dispatch, MONITOR_REQ_PAM_FREE_CTX, 1);
++ buffer_put_int(m, 1);
++ } else {
++ buffer_put_int(m, 0);
++ }
++ mm_request_send(socket, MONITOR_ANS_PAM_INIT_CTX, m);
++ return (0);
++}
++
++int
++mm_answer_pam_query(int socket, Buffer *m)
++{
++ char *name, *info, **prompts;
++ u_int num, *echo_on;
++ int i, ret;
++
++ debug3("%s", __func__);
++ pam_authok = NULL;
++ ret = (pam_device.query)(pam_ctxt, &name, &info, &num, &prompts, &echo_on);
++ if (num > 1 || name == NULL || info == NULL)
++ ret = -1;
++ buffer_put_int(m, ret);
++ buffer_put_cstring(m, name);
++ xfree(name);
++ buffer_put_cstring(m, info);
++ xfree(info);
++ buffer_put_int(m, num);
++ for (i = 0; i < num; ++i) {
++ buffer_put_cstring(m, prompts[i]);
++ xfree(prompts[i]);
++ buffer_put_int(m, echo_on[i]);
++ }
++ if (prompts != NULL)
++ xfree(prompts);
++ if (echo_on != NULL)
++ xfree(echo_on);
++ mm_request_send(socket, MONITOR_ANS_PAM_QUERY, m);
++ return (0);
++}
++
++int
++mm_answer_pam_respond(int socket, Buffer *m)
++{
++ char **resp;
++ u_int num;
++ int i, ret;
++
++ debug3("%s", __func__);
++ pam_authok = NULL;
++ num = buffer_get_int(m);
++ if (num > 0) {
++ resp = xmalloc(num * sizeof(char *));
++ for (i = 0; i < num; ++i)
++ resp[i] = buffer_get_string(m, NULL);
++ ret = (pam_device.respond)(pam_ctxt, num, resp);
++ for (i = 0; i < num; ++i)
++ xfree(resp[i]);
++ xfree(resp);
++ } else {
++ ret = (pam_device.respond)(pam_ctxt, num, NULL);
++ }
++ buffer_clear(m);
++ buffer_put_int(m, ret);
++ mm_request_send(socket, MONITOR_ANS_PAM_RESPOND, m);
++ auth_method = "keyboard-interactive/pam";
++ if (ret == 0)
++ pam_authok = pam_ctxt;
++ return (0);
++}
++
++int
++mm_answer_pam_free_ctx(int socket, Buffer *m)
++{
++
++ debug3("%s", __func__);
++ (pam_device.free_ctx)(pam_ctxt);
++ buffer_clear(m);
++ mm_request_send(socket, MONITOR_ANS_PAM_FREE_CTX, m);
++ return (pam_authok == pam_ctxt);
+ }
+ #endif
+ 
|
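Review bot: In mm_answer_pam_respond the response count comes straight from the unprivileged child (`num = buffer_get_int(m)`) and is used unbounded in `xmalloc(num * sizeof(char *))`; where size_t is 32 bits that product can wrap, and the fill loop then writes past the allocation inside the privileged monitor. Bound it before allocating, for example `if (num > PAM_MAX_NUM_MSG) fatal("%s: too many responses", __func__);` (assuming the PAM headers are visible in monitor.c), and declare `i` as `u_int` to match `num`. mm_answer_pam_query has a related gap: after setting `ret = -1` it still runs `buffer_put_cstring(m, name)`, `xfree(name)` and the prompt loop, so a NULL `name` or `info`, or outputs left unset if the query call fails without filling them, are used anyway; it also lacks the `buffer_clear(m)` that the other three handlers call before writing their reply. Separately, mm_answer_pam_init_ctx replaces `authctxt->user` with a string received from the child, so the monitor no longer controls which account its PAM context is created for; it would be safer to compare the received name with the one the monitor already holds and call fatal() on a mismatch.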