To support PAM better
Jian Lin
lj at linjian.org
Tue Nov 24 08:56:06 WST 2009
I am using Dropbear with PAM authentication. I found some things that may be
bugs or unkind features:
1. Line 119, svr-authpam.c (pamConvFunc): m_burn is called to destroy the saved
password for security after each PAM conversation. However, there might be
more than one conversation in a PAM configuration for a certain program,
such as pam_unix.so, pam_ldap.so, ... If the password is destroyed in the
first conversation, the following conversations will get 'ffff...' and fail.
So I think this m_burn call should be deleted. The password should be
destroyed only once, after pam_authenticate.
2. I use my own NSS and PAM modules for user mapping in my environment. An
app_user and an app_password are sent to sshd, then sshd calls getpwnam (which
calls my own NSS modules) to return a struct passwd including a local_user.
This routine works well with OpenSSHd and some similar programs (login, vsftpd,
and gdm). However, it doesn't work with the Dropbear server. I found the reason:
Dropbear saves the user name returned by getpwnam (of my own NSS) in
ses.authstate.pw_name. It calls pam_start with this user name (local_user), not
the original input one (app_user). So the pair "local_user + app_user" will
certainly be rejected by my own PAM module. It is not a bug, but I think it is a
feature incompatible with OpenSSHd, login, vsftpd, and gdm.
In order to fit my application, I patched Dropbear as follows. Maybe these are
useful to PAM developers.
linjian at goslin:~/dev/dropbear-0.52$ cat options.h.diff
152c152
< #define ENABLE_SVR_PASSWORD_AUTH
---
> /*#define ENABLE_SVR_PASSWORD_AUTH*/
154c154
< /*#define ENABLE_SVR_PAM_AUTH*/
---
> #define ENABLE_SVR_PAM_AUTH
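Review bot: this hunk and the 152c152 hunk above are build configuration rather than a code change (password auth is switched off, PAM auth switched on). Someone applying only the svr-auth.c and svr-authpam.c diffs will still have PAM compiled out, so the post should say that both defines must be flipped together, or the options.h changes should be left out of the patch and described as a build setting.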
linjian at goslin:~/dev/dropbear-0.52$ cat svr-auth.c.diff
36a37,38
> char client_login_username[256];
>
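Review bot: `client_login_username` is a 256-byte file-scope global with no `static`, shared across files through an `extern` in svr-authpam.c. Dropbear already keeps the per-authentication state in `ses.authstate` (the post itself refers to `ses.authstate.pw_name`), so a field there, filled once from the client's userauth request, would avoid both the global and the fixed size; if the global stays, declare it in a header that both files include rather than repeating `extern char client_login_username[256];` by hand.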
142a145,146
> strncpy(client_login_username, username, 256);
>
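Review bot: `strncpy(client_login_username, username, 256)` does not NUL-terminate when `username` is 256 bytes or longer, and the later `m_strdup(client_login_username)` would then read past the end of the buffer. Either terminate explicitly (`client_login_username[255] = '\0';` after the copy) or reject over-long names before copying. Note also that the buffer is overwritten on every userauth request, so the name handed to PAM is whatever the client sent most recently.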
linjian at goslin:~/dev/dropbear-0.52$ cat svr-authpam.c.diff
41a42,43
> extern char client_login_username[256];
>
101c103
< if (!(strcmp(compare_message, "password:") == 0)) {
---
> if (/*!(strcmp(compare_message, "password:") == 0)*/ 0) {
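Review bot: `if (/*...*/ 0)` leaves a permanently dead branch. Either delete the branch outright or keep the `"password:"` check behind a compile-time option, and add a comment stating why the prompt check is relaxed. The original check is what stops the conversation function from handing the stored password to a module whose prompt asks for something else, so the relaxation should be called out as site-specific rather than silently disabled.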
119c121
< m_burn(userDatap->passwd, strlen(userDatap->passwd));
---
> /*m_burn(userDatap->passwd, strlen(userDatap->passwd));*/
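Review bot: this removes the per-conversation burn, but nothing in the shown diff adds the replacement the post itself asks for (destroy the password once, after `pam_authenticate`); the only cleanup added later (247a250,252) frees `userData.user`, not the password. Check that the cleanup path of `svr_auth_pam` still burns the password buffer, and if it does not, add `m_burn(userData.passwd, strlen(userData.passwd));` right after `pam_authenticate` returns, on both the success and failure paths.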
198c200
< userData.user = ses.authstate.pw_name;
---
> userData.user = m_strdup(client_login_username);
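Review bot: the name handed to `pam_start` now differs from `ses.authstate.pw_name`, which is the account the session will run as. Add a comment at this line saying that the mapping from the client-supplied name to the local account is delegated to the site's NSS/PAM modules, because a reader will otherwise assume the two names are the same. `m_strdup` also turns `userData.user` from a borrowed pointer into an owned one, which is why the 247a250,252 hunk is needed.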
247a250,252
> if (userData.user != NULL) {
> m_free(userData.user);
> }
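Review bot: the copy made by `m_strdup` at line 200 is freed only here, at the end of the function; any early return or `goto` between the two points leaks it, so the free belongs on the common cleanup path. The `NULL` guard is redundant if `m_free` tolerates a NULL pointer the way `free()` does.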
Jian LIN