CVS commit: src/lib/libpam/modules/pam_ssh

Fri, 06 Jan 2012 06:04:07 -0800 

Module Name:    src
Committed By:   drochner
Date:           Fri Jan  6 14:04:02 UTC 2012

Modified Files:
        src/lib/libpam/modules/pam_ssh: pam_ssh.c

Log Message:
pull in from FreeBSD rev.1.41: Narrow the use of user credentials.
(call pam_get_authtok() with caller's rights rather than user's)


To generate a diff of this commit:
cvs rdiff -u -r1.21 -r1.22 src/lib/libpam/modules/pam_ssh/pam_ssh.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.


Modified files:

Index: src/lib/libpam/modules/pam_ssh/pam_ssh.c
diff -u src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.21 src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.22
--- src/lib/libpam/modules/pam_ssh/pam_ssh.c:1.21	Tue Jan  3 19:02:55 2012
+++ src/lib/libpam/modules/pam_ssh/pam_ssh.c	Fri Jan  6 14:04:02 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: pam_ssh.c,v 1.21 2012/01/03 19:02:55 christos Exp $	*/
+/*	$NetBSD: pam_ssh.c,v 1.22 2012/01/06 14:04:02 drochner Exp $	*/
 
 /*-
  * Copyright (c) 2003 Networks Associates Technology, Inc.
@@ -38,7 +38,7 @@
 #ifdef __FreeBSD__
 __FBSDID("$FreeBSD: src/lib/libpam/modules/pam_ssh/pam_ssh.c,v 1.40 2004/02/10 10:13:21 des Exp $");
 #else
-__RCSID("$NetBSD: pam_ssh.c,v 1.21 2012/01/03 19:02:55 christos Exp $");
+__RCSID("$NetBSD: pam_ssh.c,v 1.22 2012/01/06 14:04:02 drochner Exp $");
 #endif
 
 #include <sys/param.h>
@@ -184,11 +184,6 @@ pam_sm_authenticate(pam_handle_t *pamh, 
 	if (pwd->pw_dir == NULL)
 		return (PAM_AUTH_ERR);
 
-	/* switch to user credentials */
-	pam_err = openpam_borrow_cred(pamh, pwd);
-	if (pam_err != PAM_SUCCESS)
-		return (pam_err);
-
 	nkeys = 0;
 	pass = (pam_get_item(pamh, PAM_AUTHTOK, &item) == PAM_SUCCESS &&
 	    item != NULL);
@@ -196,10 +191,13 @@ pam_sm_authenticate(pam_handle_t *pamh, 
 	/* get passphrase */
 	pam_err = pam_get_authtok(pamh, PAM_AUTHTOK,
 	    &passphrase, pam_ssh_prompt);
-	if (pam_err != PAM_SUCCESS) {
-		openpam_restore_cred(pamh);
+	if (pam_err != PAM_SUCCESS)
+		return (pam_err);
+
+	/* switch to user credentials */
+	pam_err = openpam_borrow_cred(pamh, pwd);
+	if (pam_err != PAM_SUCCESS)
 		return (pam_err);
-	}
 
 	/* try to load keys from all keyfiles we know of */
 	for (kfn = pam_ssh_keyfiles; *kfn != NULL; ++kfn) {
@@ -210,6 +208,9 @@ pam_sm_authenticate(pam_handle_t *pamh, 
 		}
 	}
 
+	/* switch back to arbitrator credentials */
+	openpam_restore_cred(pamh);
+
 	/*
 	 * If we tried an old token and didn't get anything, and
 	 * try_first_pass was specified, try again after prompting the
@@ -222,9 +223,6 @@ pam_sm_authenticate(pam_handle_t *pamh, 
 		goto load_keys;
 	}
 
-	/* switch back to arbitrator credentials before returning */
-	openpam_restore_cred(pamh);
-
 	/* no keys? */
 	if (nkeys == 0)
 		return (PAM_AUTH_ERR);

Reply via email to