To support PAM better

Jian Lin lj at linjian.org
Tue Nov 24 08:56:06 WST 2009


I am using Dropbear with PAM authentication. I found some things that may be bugs or
unkind features:

1. Line 119, svr-authpam.c (pamConvFunc), m_burn was called to destroy the saved
password for security after each PAM conversation. However, there might be
more than one conversation in a PAM configuration for a certain program,
such as pam_unix.so, pam_ldap.so, ... If the password was destroyed in the
first conversation, the following conversations will get 'ffff...' and fail.
So I think this m_burn call should be deleted. The password should be
destroyed only once after pam_authenticate.

2. I use my own NSS and PAM modules for user mapping in my environment. An
app_user and an app_password are sent to sshd, then sshd calls getpwnam (which
calls my own NSS modules) to return a struct passwd including a local_user.
This routine works well with OpenSSHd and some similar programs (login, vsftpd,
and gdm). However, it doesn't work with the Dropbear server. I found the reason:
Dropbear saves the user name returned by getpwnam (of my own NSS) in
ses.authstate.pw_name. It calls pam_start with this user name (local_user) and
not the original input one (app_user). So the pair of "local_user + app_password"
will certainly be rejected by my own PAM. It is not a bug, but I think this is a
feature incompatible with OpenSSHd, login, vsftpd, and gdm.

In order to fit my application, I patched Dropbear as follows. Maybe these are
useful for PAM developers.


linjian at goslin:~/dev/dropbear-0.52$ cat options.h.diff
152c152
< #define ENABLE_SVR_PASSWORD_AUTH
---
> /*#define ENABLE_SVR_PASSWORD_AUTH*/
154c154
< /*#define ENABLE_SVR_PAM_AUTH*/
---
> #define ENABLE_SVR_PAM_AUTH
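Review bot: nothing to fix in these two toggles, but they must be applied together: enabling ENABLE_SVR_PAM_AUTH while ENABLE_SVR_PASSWORD_AUTH stays defined would leave two password handlers active at once.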


linjian at goslin:~/dev/dropbear-0.52$ cat svr-auth.c.diff
36a37,38
> char client_login_username[256];
>
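Review bot: a new file-scope global, client_login_username[256], shared across files via extern duplicates state that already has a home: the session already carries the resolved name in ses.authstate.pw_name (see the svr-authpam.c hunk at 198), so storing the client-supplied name next to it in ses.authstate would keep the two names together and avoid a process-wide buffer that outlives the authentication attempt. The fixed 256-byte size also needs a matching, NUL-terminating bound wherever the buffer is filled.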
142a145,146
>       strncpy(client_login_username, username, 256);
>
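Review bot: strncpy(client_login_username, username, 256) does not NUL-terminate when username is 256 bytes or longer, and the later m_strdup(client_login_username) in svr-authpam.c would then read past the end of the buffer. Copy at most sizeof(client_login_username) - 1 bytes and terminate explicitly, e.g. `strncpy(client_login_username, username, sizeof(client_login_username) - 1); client_login_username[sizeof(client_login_username) - 1] = '\0';`, or reject over-long names before copying.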


linjian at goslin:~/dev/dropbear-0.52$ cat svr-authpam.c.diff
41a42,43
> extern char client_login_username[256];
>
101c103
<                       if (!(strcmp(compare_message, "password:") == 0)) {
---
>                       if (/*!(strcmp(compare_message, "password:") == 0)*/ 0) {
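Review bot: replacing the strcmp(compare_message, "password:") test with a literal 0 removes the only check on which prompt is being answered, so the stored password will now be handed to every no-echo prompt from any module in the stack, including prompts that are not asking for a password at all. If the goal is to serve pam_unix.so and pam_ldap.so in one stack, matching each of their known prompts keeps that safeguard; and delete the dead condition rather than leaving it in a comment next to a hard-coded 0.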
119c121
<                       m_burn(userDatap->passwd, strlen(userDatap->passwd));
---
>                       /*m_burn(userDatap->passwd, strlen(userDatap->passwd));*/
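Review bot: commenting out this m_burn fixes the multi-conversation failure described in point 1, but no hunk adds the replacement burn after pam_authenticate that the mail itself proposes, so the cleartext password now stays in userDatap->passwd until wherever that buffer is eventually freed. Add the single m_burn in the caller immediately after pam_authenticate returns, on both the success and failure paths, and remove the commented-out line instead of leaving it in place.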
198c200
<       userData.user = ses.authstate.pw_name;
---
>       userData.user = m_strdup(client_login_username);
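Review bot: m_strdup makes userData.user heap-owned, whereas the previous assignment only borrowed ses.authstate.pw_name; any error return between this line and the m_free added at 247 (for example a failing pam_start) leaks the copy, so release it on every exit path, not just the last one. A one-line comment here saying that pam_start now receives the name the client sent rather than the one getpwnam resolved would also save the next reader from re-deriving the intent from the mail.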
247a250,252
>       if (userData.user != NULL) {
>               m_free(userData.user);
>       }
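Review bot: this free sits only on the fall-through path, while the m_strdup at 198 is also live on any early return between the two; either move the free into a common cleanup label or add it before each such return. The NULL test is harmless but unnecessary on this path, since the pointer is always assigned at 198 before control can reach here.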


Jian LIN
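As an added illustration of point 1 (my own example, not Dropbear's code or Jian Lin's patch): a constructed two-module stack calls the conversation function twice, and burning the password inside the conversation, as the original svr-authpam.c does, leaves the second module with 'ffff...' so it rejects, while burning it once after the whole authentication lets both modules see it. The conv_msg/conv_resp/user_data types, burn() and the module loop are stand-ins for libpam, so the program runs without it.

```c
/* Added example, not Dropbear's code: a stack such as pam_unix.so then
 * pam_ldap.so calls the application's conv() once per module, so the stored
 * password must survive each call. Types are constructed stand-ins for libpam. */
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>
#define ECHO_OFF 1   /* stand-in for a no-echo password prompt */
struct conv_msg  { int style; const char *text; };
struct conv_resp { char *text; };
struct user_data { const char *user; char *passwd; int burn_each_conv; };
/* Overwrite a secret with 'f' (0x66), the fill the mail sees as 'ffff...'. */
static void burn(char *p, size_t n) {
    volatile char *v = (volatile char *)p;   /* volatile: stores are kept */
    while (n--) *v++ = 0x66;
}
/* Conversation callback shaped like PAM's: answer every no-echo prompt with a
 * heap copy of the stored password (the caller frees it, as libpam would). */
static int conv(int n, const struct conv_msg *msgs, struct conv_resp *resps, void *appdata) {
    struct user_data *ud = appdata;
    for (int i = 0; i < n; i++) {
        if (msgs[i].style != ECHO_OFF) return -1;
        resps[i].text = strdup(ud->passwd);
        if (ud->burn_each_conv)   /* the svr-authpam.c line-119 behaviour */
            burn(ud->passwd, strlen(ud->passwd));
    }
    return 0;
}
/* Constructed two-module stack: each module runs one conversation and accepts
 * only if the answer equals the expected secret. Returns the accept count. */
static int run_stack(struct user_data *ud, const char *expected) {
    int ok = 0;
    for (int m = 0; m < 2; m++) {
        struct conv_msg msg = { ECHO_OFF, "Password: " };
        struct conv_resp resp = { NULL };
        if (conv(1, &msg, &resp, ud) == 0 && strcmp(resp.text, expected) == 0) ok++;
        if (resp.text) burn(resp.text, strlen(resp.text));
        free(resp.text);
    }
    return ok;
}
/* Run the stack, then destroy the stored password exactly once afterwards,
 * which is where the mail proposes the single m_burn should go. */
static int authenticate(const char *passwd, int burn_each_conv, const char *expected) {
    struct user_data ud = { "app_user", strdup(passwd), burn_each_conv };
    int accepted = run_stack(&ud, expected);
    burn(ud.passwd, strlen(ud.passwd));
    free(ud.passwd);
    return accepted;
}
```

With burn_each_conv set, only the first module accepts; with the single burn after the stack, both do.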

