

[src/trunk]: src/lib/libpam/modules/pam_ssh pull in from FreeBSD rev.1.41: Na...



details:   https://anonhg.NetBSD.org/src/rev/8164de4033fd
branches:  trunk
changeset: 772509:8164de4033fd
user:      drochner <drochner%NetBSD.org@localhost>
date:      Fri Jan 06 14:04:02 2012 +0000

description:
pull in from FreeBSD rev.1.41: Narrow the use of user credentials.
(call pam_get_authtok() with caller's rights rather than user's)

diffstat:

 lib/libpam/modules/pam_ssh/pam_ssh.c |  24 +++++++++++-------------
 1 files changed, 11 insertions(+), 13 deletions(-)

diffs (67 lines):

diff -r e4547c21b781 -r 8164de4033fd lib/libpam/modules/pam_ssh/pam_ssh.c
--- a/lib/libpam/modules/pam_ssh/pam_ssh.c      Fri Jan 06 13:59:50 2012 +0000
+++ b/lib/libpam/modules/pam_ssh/pam_ssh.c      Fri Jan 06 14:04:02 2012 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: pam_ssh.c,v 1.21 2012/01/03 19:02:55 christos Exp $    */
+/*     $NetBSD: pam_ssh.c,v 1.22 2012/01/06 14:04:02 drochner Exp $    */
 
 /*-
  * Copyright (c) 2003 Networks Associates Technology, Inc.
@@ -38,7 +38,7 @@
 #ifdef __FreeBSD__
 __FBSDID("$FreeBSD: src/lib/libpam/modules/pam_ssh/pam_ssh.c,v 1.40 2004/02/10 10:13:21 des Exp $");
 #else
-__RCSID("$NetBSD: pam_ssh.c,v 1.21 2012/01/03 19:02:55 christos Exp $");
+__RCSID("$NetBSD: pam_ssh.c,v 1.22 2012/01/06 14:04:02 drochner Exp $");
 #endif
 
 #include <sys/param.h>
@@ -184,11 +184,6 @@
        if (pwd->pw_dir == NULL)
                return (PAM_AUTH_ERR);
 
-       /* switch to user credentials */
-       pam_err = openpam_borrow_cred(pamh, pwd);
-       if (pam_err != PAM_SUCCESS)
-               return (pam_err);
-
        nkeys = 0;
        pass = (pam_get_item(pamh, PAM_AUTHTOK, &item) == PAM_SUCCESS &&
            item != NULL);
@@ -196,10 +191,13 @@
        /* get passphrase */
        pam_err = pam_get_authtok(pamh, PAM_AUTHTOK,
            &passphrase, pam_ssh_prompt);
-       if (pam_err != PAM_SUCCESS) {
-               openpam_restore_cred(pamh);
+       if (pam_err != PAM_SUCCESS)
                return (pam_err);
-       }
+
+       /* switch to user credentials */
+       pam_err = openpam_borrow_cred(pamh, pwd);
+       if (pam_err != PAM_SUCCESS)
+               return (pam_err);
 
        /* try to load keys from all keyfiles we know of */
        for (kfn = pam_ssh_keyfiles; *kfn != NULL; ++kfn) {
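Review bot: The ordering that this commit establishes — prompt first, borrow user credentials only afterwards — is the whole security point of the change, but the comment on the moved `openpam_borrow_cred()` call still reads just `/* switch to user credentials */`, so a later refactor could reorder the two steps without noticing. Make the invariant explicit at that line, e.g. `/* switch to user credentials only for reading the key files; the passphrase prompt above must run with the caller's credentials (see FreeBSD rev. 1.41) */`. The retry path below jumps back to a label that lies outside this hunk and presumably re-enters before the prompt, so every iteration goes through the same prompt-then-borrow sequence. The enclosing function starts and ends outside the hunk.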
@@ -210,6 +208,9 @@
                }
        }
 
+       /* switch back to arbitrator credentials */
+       openpam_restore_cred(pamh);
+
        /*
         * If we tried an old token and didn't get anything, and
         * try_first_pass was specified, try again after prompting the
@@ -222,9 +223,6 @@
                goto load_keys;
        }
 
-       /* switch back to arbitrator credentials before returning */
-       openpam_restore_cred(pamh);
-
        /* no keys? */
        if (nkeys == 0)
                return (PAM_AUTH_ERR);


