pam_ssh.c revision 1.12 1 1.12 jnemeth /* $NetBSD: pam_ssh.c,v 1.12 2006/03/19 06:52:26 jnemeth Exp $ */
2 1.2 christos
3 1.1 christos /*-
4 1.1 christos * Copyright (c) 2003 Networks Associates Technology, Inc.
5 1.1 christos * All rights reserved.
6 1.1 christos *
7 1.1 christos * This software was developed for the FreeBSD Project by ThinkSec AS and
8 1.1 christos * NAI Labs, the Security Research Division of Network Associates, Inc.
9 1.1 christos * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
10 1.1 christos * DARPA CHATS research program.
11 1.1 christos *
12 1.1 christos * Redistribution and use in source and binary forms, with or without
13 1.1 christos * modification, are permitted provided that the following conditions
14 1.1 christos * are met:
15 1.1 christos * 1. Redistributions of source code must retain the above copyright
16 1.1 christos * notice, this list of conditions and the following disclaimer.
17 1.1 christos * 2. Redistributions in binary form must reproduce the above copyright
18 1.1 christos * notice, this list of conditions and the following disclaimer in the
19 1.1 christos * documentation and/or other materials provided with the distribution.
20 1.1 christos * 3. The name of the author may not be used to endorse or promote
21 1.1 christos * products derived from this software without specific prior written
22 1.1 christos * permission.
23 1.1 christos *
24 1.1 christos * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
25 1.1 christos * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
26 1.1 christos * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
27 1.1 christos * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
28 1.1 christos * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
29 1.1 christos * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
30 1.1 christos * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
31 1.1 christos * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
32 1.1 christos * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
33 1.1 christos * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 1.1 christos * SUCH DAMAGE.
35 1.1 christos */
36 1.1 christos
37 1.1 christos #include <sys/cdefs.h>
38 1.3 lukem #ifdef __FreeBSD__
39 1.1 christos __FBSDID("$FreeBSD: src/lib/libpam/modules/pam_ssh/pam_ssh.c,v 1.40 2004/02/10 10:13:21 des Exp $");
40 1.2 christos #else
41 1.12 jnemeth __RCSID("$NetBSD: pam_ssh.c,v 1.12 2006/03/19 06:52:26 jnemeth Exp $");
42 1.2 christos #endif
43 1.1 christos
44 1.1 christos #include <sys/param.h>
45 1.1 christos #include <sys/wait.h>
46 1.1 christos
47 1.1 christos #include <errno.h>
48 1.1 christos #include <fcntl.h>
49 1.1 christos #include <paths.h>
50 1.1 christos #include <pwd.h>
51 1.1 christos #include <signal.h>
52 1.1 christos #include <stdio.h>
53 1.1 christos #include <string.h>
54 1.1 christos #include <unistd.h>
55 1.1 christos
56 1.1 christos #define PAM_SM_AUTH
57 1.1 christos #define PAM_SM_SESSION
58 1.1 christos
59 1.1 christos #include <security/pam_appl.h>
60 1.1 christos #include <security/pam_modules.h>
61 1.1 christos #include <security/openpam.h>
62 1.1 christos
63 1.1 christos #include <openssl/evp.h>
64 1.1 christos
65 1.1 christos #include "key.h"
66 1.1 christos #include "authfd.h"
67 1.1 christos #include "authfile.h"
68 1.1 christos
69 1.1 christos extern char **environ;
70 1.1 christos
71 1.1 christos struct pam_ssh_key {
72 1.1 christos Key *key;
73 1.1 christos char *comment;
74 1.1 christos };
75 1.1 christos
76 1.1 christos static const char *pam_ssh_prompt = "SSH passphrase: ";
77 1.1 christos static const char *pam_ssh_have_keys = "pam_ssh_have_keys";
78 1.1 christos
79 1.1 christos static const char *pam_ssh_keyfiles[] = {
80 1.1 christos ".ssh/identity", /* SSH1 RSA key */
81 1.1 christos ".ssh/id_rsa", /* SSH2 RSA key */
82 1.1 christos ".ssh/id_dsa", /* SSH2 DSA key */
83 1.1 christos NULL
84 1.1 christos };
85 1.1 christos
86 1.1 christos static const char *pam_ssh_agent = "/usr/bin/ssh-agent";
87 1.2 christos static const char *pam_ssh_agent_argv[] = { "ssh_agent", "-s", NULL };
88 1.2 christos static const char *pam_ssh_agent_envp[] = { NULL };
89 1.1 christos
90 1.1 christos /*
91 1.1 christos * Attempts to load a private key from the specified file in the specified
92 1.1 christos * directory, using the specified passphrase. If successful, returns a
93 1.1 christos * struct pam_ssh_key containing the key and its comment.
94 1.1 christos */
95 1.1 christos static struct pam_ssh_key *
96 1.7 christos pam_ssh_load_key(struct passwd *pwd, const char *kfn, const char *passphrase)
97 1.1 christos {
98 1.1 christos struct pam_ssh_key *psk;
99 1.1 christos char fn[PATH_MAX];
100 1.1 christos char *comment;
101 1.1 christos Key *key;
102 1.1 christos
103 1.7 christos if (snprintf(fn, sizeof(fn), "%s/%s", pwd->pw_dir, kfn) >
104 1.7 christos (int)sizeof(fn))
105 1.1 christos return (NULL);
106 1.1 christos comment = NULL;
107 1.1 christos key = key_load_private(fn, passphrase, &comment);
108 1.1 christos if (key == NULL) {
109 1.1 christos openpam_log(PAM_LOG_DEBUG, "failed to load key from %s\n", fn);
110 1.12 jnemeth if (comment != NULL)
111 1.12 jnemeth free(comment);
112 1.1 christos return (NULL);
113 1.1 christos }
114 1.1 christos
115 1.1 christos openpam_log(PAM_LOG_DEBUG, "loaded '%s' from %s\n", comment, fn);
116 1.1 christos if ((psk = malloc(sizeof(*psk))) == NULL) {
117 1.1 christos key_free(key);
118 1.1 christos free(comment);
119 1.1 christos return (NULL);
120 1.1 christos }
121 1.1 christos psk->key = key;
122 1.1 christos psk->comment = comment;
123 1.1 christos return (psk);
124 1.1 christos }
125 1.1 christos
126 1.1 christos /*
127 1.1 christos * Wipes a private key and frees the associated resources.
128 1.1 christos */
129 1.1 christos static void
130 1.1 christos pam_ssh_free_key(pam_handle_t *pamh __unused,
131 1.1 christos void *data, int pam_err __unused)
132 1.1 christos {
133 1.1 christos struct pam_ssh_key *psk;
134 1.1 christos
135 1.1 christos psk = data;
136 1.1 christos key_free(psk->key);
137 1.1 christos free(psk->comment);
138 1.1 christos free(psk);
139 1.1 christos }
140 1.1 christos
141 1.1 christos PAM_EXTERN int
142 1.1 christos pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
143 1.1 christos int argc __unused, const char *argv[] __unused)
144 1.1 christos {
145 1.1 christos const char **kfn, *passphrase, *user;
146 1.10 thorpej struct passwd *pwd, pwres;
147 1.1 christos struct pam_ssh_key *psk;
148 1.1 christos int nkeys, pam_err, pass;
149 1.10 thorpej char pwbuf[1024];
150 1.1 christos
151 1.1 christos /* PEM is not loaded by default */
152 1.1 christos OpenSSL_add_all_algorithms();
153 1.1 christos
154 1.1 christos /* get user name and home directory */
155 1.1 christos pam_err = pam_get_user(pamh, &user, NULL);
156 1.1 christos if (pam_err != PAM_SUCCESS)
157 1.1 christos return (pam_err);
158 1.11 christos if (getpwnam_r(user, &pwres, pwbuf, sizeof(pwbuf), &pwd) != 0 ||
159 1.11 christos pwd == NULL)
160 1.1 christos return (PAM_USER_UNKNOWN);
161 1.1 christos if (pwd->pw_dir == NULL)
162 1.1 christos return (PAM_AUTH_ERR);
163 1.1 christos
164 1.1 christos /* switch to user credentials */
165 1.1 christos pam_err = openpam_borrow_cred(pamh, pwd);
166 1.1 christos if (pam_err != PAM_SUCCESS)
167 1.1 christos return (pam_err);
168 1.1 christos
169 1.5 christos #ifdef notyet
170 1.5 christos for (kfn = pam_ssh_keyfiles; *kfn != NULL; ++kfn) {
171 1.5 christos char path[MAXPATHLEN];
172 1.5 christos (void)snprintf(path, sizeof(path), "%s/%s", pwd->pw_dir, *kfn);
173 1.5 christos if (access(path, R_OK) == 0)
174 1.5 christos break;
175 1.5 christos }
176 1.5 christos
177 1.5 christos if (*kfn == NULL) {
178 1.5 christos openpam_restore_cred(pamh);
179 1.5 christos return (PAM_AUTH_ERR);
180 1.5 christos }
181 1.5 christos #endif
182 1.5 christos
183 1.1 christos pass = (pam_get_item(pamh, PAM_AUTHTOK,
184 1.2 christos (const void **)__UNCONST(&passphrase)) == PAM_SUCCESS);
185 1.1 christos load_keys:
186 1.1 christos /* get passphrase */
187 1.1 christos pam_err = pam_get_authtok(pamh, PAM_AUTHTOK,
188 1.1 christos &passphrase, pam_ssh_prompt);
189 1.1 christos if (pam_err != PAM_SUCCESS) {
190 1.1 christos openpam_restore_cred(pamh);
191 1.1 christos return (pam_err);
192 1.1 christos }
193 1.1 christos
194 1.1 christos /* try to load keys from all keyfiles we know of */
195 1.1 christos nkeys = 0;
196 1.1 christos for (kfn = pam_ssh_keyfiles; *kfn != NULL; ++kfn) {
197 1.7 christos psk = pam_ssh_load_key(pwd, *kfn, passphrase);
198 1.1 christos if (psk != NULL) {
199 1.1 christos pam_set_data(pamh, *kfn, psk, pam_ssh_free_key);
200 1.1 christos ++nkeys;
201 1.1 christos }
202 1.1 christos }
203 1.1 christos
204 1.1 christos /*
205 1.1 christos * If we tried an old token and didn't get anything, and
206 1.1 christos * try_first_pass was specified, try again after prompting the
207 1.1 christos * user for a new passphrase.
208 1.1 christos */
209 1.1 christos if (nkeys == 0 && pass == 1 &&
210 1.1 christos openpam_get_option(pamh, "try_first_pass") != NULL) {
211 1.1 christos pam_set_item(pamh, PAM_AUTHTOK, NULL);
212 1.1 christos pass = 0;
213 1.1 christos goto load_keys;
214 1.1 christos }
215 1.1 christos
216 1.1 christos /* switch back to arbitrator credentials before returning */
217 1.1 christos openpam_restore_cred(pamh);
218 1.1 christos
219 1.1 christos /* no keys? */
220 1.1 christos if (nkeys == 0)
221 1.1 christos return (PAM_AUTH_ERR);
222 1.1 christos
223 1.1 christos pam_set_data(pamh, pam_ssh_have_keys, NULL, NULL);
224 1.1 christos return (PAM_SUCCESS);
225 1.1 christos }
226 1.1 christos
227 1.1 christos PAM_EXTERN int
228 1.1 christos pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused,
229 1.1 christos int argc __unused, const char *argv[] __unused)
230 1.1 christos {
231 1.1 christos
232 1.1 christos return (PAM_SUCCESS);
233 1.1 christos }
234 1.1 christos
235 1.1 christos /*
236 1.1 christos * Parses a line from ssh-agent's output.
237 1.1 christos */
238 1.1 christos static void
239 1.1 christos pam_ssh_process_agent_output(pam_handle_t *pamh, FILE *f)
240 1.1 christos {
241 1.1 christos char *line, *p, *key, *val;
242 1.1 christos size_t len;
243 1.1 christos
244 1.1 christos while ((line = fgetln(f, &len)) != NULL) {
245 1.1 christos if (len < 4 || strncmp(line, "SSH_", 4) != 0)
246 1.1 christos continue;
247 1.1 christos
248 1.1 christos /* find equal sign at end of key */
249 1.1 christos for (p = key = line; p < line + len; ++p)
250 1.1 christos if (*p == '=')
251 1.1 christos break;
252 1.1 christos if (p == line + len || *p != '=')
253 1.1 christos continue;
254 1.1 christos *p = '\0';
255 1.1 christos
256 1.1 christos /* find semicolon at end of value */
257 1.1 christos for (val = ++p; p < line + len; ++p)
258 1.1 christos if (*p == ';')
259 1.1 christos break;
260 1.1 christos if (p == line + len || *p != ';')
261 1.1 christos continue;
262 1.1 christos *p = '\0';
263 1.1 christos
264 1.1 christos /* store key-value pair in environment */
265 1.1 christos openpam_log(PAM_LOG_DEBUG, "got %s: %s", key, val);
266 1.1 christos pam_setenv(pamh, key, val, 1);
267 1.1 christos }
268 1.1 christos }
269 1.1 christos
270 1.1 christos /*
271 1.1 christos * Starts an ssh agent and stores the environment variables derived from
272 1.1 christos * its output.
273 1.1 christos */
274 1.1 christos static int
275 1.4 christos pam_ssh_start_agent(pam_handle_t *pamh, struct passwd *pwd)
276 1.1 christos {
277 1.1 christos int agent_pipe[2];
278 1.1 christos pid_t pid;
279 1.1 christos FILE *f;
280 1.1 christos
281 1.1 christos /* get a pipe which we will use to read the agent's output */
282 1.4 christos if (pipe(agent_pipe) == -1)
283 1.1 christos return (PAM_SYSTEM_ERR);
284 1.1 christos
285 1.1 christos /* start the agent */
286 1.1 christos openpam_log(PAM_LOG_DEBUG, "starting an ssh agent");
287 1.1 christos pid = fork();
288 1.1 christos if (pid == (pid_t)-1) {
289 1.1 christos /* failed */
290 1.1 christos close(agent_pipe[0]);
291 1.1 christos close(agent_pipe[1]);
292 1.1 christos return (PAM_SYSTEM_ERR);
293 1.1 christos }
294 1.1 christos if (pid == 0) {
295 1.2 christos #ifndef F_CLOSEM
296 1.1 christos int fd;
297 1.2 christos #endif
298 1.1 christos /* child: drop privs, close fds and start agent */
299 1.4 christos if (setgid(pwd->pw_gid) == -1) {
300 1.4 christos openpam_log(PAM_LOG_DEBUG, "%s: Cannot setgid %d (%m)",
301 1.4 christos __FUNCTION__, (int)pwd->pw_gid);
302 1.4 christos goto done;
303 1.4 christos }
304 1.4 christos if (initgroups(pwd->pw_name, pwd->pw_gid) == -1) {
305 1.4 christos openpam_log(PAM_LOG_DEBUG,
306 1.4 christos "%s: Cannot initgroups for %s (%m)",
307 1.4 christos __FUNCTION__, pwd->pw_name);
308 1.4 christos goto done;
309 1.4 christos }
310 1.4 christos if (setuid(pwd->pw_uid) == -1) {
311 1.4 christos openpam_log(PAM_LOG_DEBUG, "%s: Cannot setuid %d (%m)",
312 1.4 christos __FUNCTION__, (int)pwd->pw_uid);
313 1.4 christos goto done;
314 1.4 christos }
315 1.4 christos (void)close(STDIN_FILENO);
316 1.4 christos (void)open(_PATH_DEVNULL, O_RDONLY);
317 1.4 christos (void)dup2(agent_pipe[1], STDOUT_FILENO);
318 1.4 christos (void)dup2(agent_pipe[1], STDERR_FILENO);
319 1.2 christos #ifdef F_CLOSEM
320 1.2 christos (void)fcntl(3, F_CLOSEM, 0);
321 1.2 christos #else
322 1.1 christos for (fd = 3; fd < getdtablesize(); ++fd)
323 1.4 christos (void)close(fd);
324 1.2 christos #endif
325 1.4 christos (void)execve(pam_ssh_agent,
326 1.4 christos (char **)__UNCONST(pam_ssh_agent_argv),
327 1.2 christos (char **)__UNCONST(pam_ssh_agent_envp));
328 1.4 christos done:
329 1.1 christos _exit(127);
330 1.1 christos }
331 1.1 christos
332 1.1 christos /* parent */
333 1.1 christos close(agent_pipe[1]);
334 1.1 christos if ((f = fdopen(agent_pipe[0], "r")) == NULL)
335 1.1 christos return (PAM_SYSTEM_ERR);
336 1.1 christos pam_ssh_process_agent_output(pamh, f);
337 1.1 christos fclose(f);
338 1.1 christos
339 1.1 christos return (PAM_SUCCESS);
340 1.1 christos }
341 1.1 christos
342 1.1 christos /*
343 1.1 christos * Adds previously stored keys to a running agent.
344 1.1 christos */
345 1.1 christos static int
346 1.1 christos pam_ssh_add_keys_to_agent(pam_handle_t *pamh)
347 1.1 christos {
348 1.1 christos AuthenticationConnection *ac;
349 1.1 christos struct pam_ssh_key *psk;
350 1.1 christos const char **kfn;
351 1.1 christos char **envlist, **env;
352 1.1 christos int pam_err;
353 1.1 christos
354 1.1 christos /* switch to PAM environment */
355 1.1 christos envlist = environ;
356 1.1 christos if ((environ = pam_getenvlist(pamh)) == NULL) {
357 1.4 christos openpam_log(PAM_LOG_DEBUG, "%s: cannot get envlist",
358 1.4 christos __FUNCTION__);
359 1.1 christos environ = envlist;
360 1.1 christos return (PAM_SYSTEM_ERR);
361 1.1 christos }
362 1.1 christos
363 1.1 christos /* get a connection to the agent */
364 1.1 christos if ((ac = ssh_get_authentication_connection()) == NULL) {
365 1.4 christos openpam_log(PAM_LOG_DEBUG,
366 1.4 christos "%s: cannot get authentication connection",
367 1.4 christos __FUNCTION__);
368 1.1 christos pam_err = PAM_SYSTEM_ERR;
369 1.1 christos goto end;
370 1.1 christos }
371 1.1 christos
372 1.1 christos /* look for keys to add to it */
373 1.1 christos for (kfn = pam_ssh_keyfiles; *kfn != NULL; ++kfn) {
374 1.2 christos pam_err = pam_get_data(pamh, *kfn, (void **)__UNCONST(&psk));
375 1.1 christos if (pam_err == PAM_SUCCESS && psk != NULL) {
376 1.1 christos if (ssh_add_identity(ac, psk->key, psk->comment))
377 1.1 christos openpam_log(PAM_LOG_DEBUG,
378 1.1 christos "added %s to ssh agent", psk->comment);
379 1.1 christos else
380 1.1 christos openpam_log(PAM_LOG_DEBUG, "failed "
381 1.1 christos "to add %s to ssh agent", psk->comment);
382 1.1 christos /* we won't need the key again, so wipe it */
383 1.1 christos pam_set_data(pamh, *kfn, NULL, NULL);
384 1.1 christos }
385 1.1 christos }
386 1.1 christos pam_err = PAM_SUCCESS;
387 1.1 christos end:
388 1.1 christos /* disconnect from agent */
389 1.1 christos if (ac != NULL)
390 1.1 christos ssh_close_authentication_connection(ac);
391 1.1 christos
392 1.1 christos /* switch back to original environment */
393 1.1 christos for (env = environ; *env != NULL; ++env)
394 1.1 christos free(*env);
395 1.1 christos free(environ);
396 1.1 christos environ = envlist;
397 1.1 christos
398 1.1 christos return (pam_err);
399 1.1 christos }
400 1.1 christos
401 1.1 christos PAM_EXTERN int
402 1.1 christos pam_sm_open_session(pam_handle_t *pamh, int flags __unused,
403 1.1 christos int argc __unused, const char *argv[] __unused)
404 1.1 christos {
405 1.10 thorpej struct passwd *pwd, pwres;
406 1.1 christos const char *user;
407 1.1 christos void *data;
408 1.4 christos int pam_err = PAM_SUCCESS;
409 1.10 thorpej char pwbuf[1024];
410 1.1 christos
411 1.1 christos /* no keys, no work */
412 1.1 christos if (pam_get_data(pamh, pam_ssh_have_keys, &data) != PAM_SUCCESS &&
413 1.1 christos openpam_get_option(pamh, "want_agent") == NULL)
414 1.1 christos return (PAM_SUCCESS);
415 1.1 christos
416 1.1 christos /* switch to user credentials */
417 1.1 christos pam_err = pam_get_user(pamh, &user, NULL);
418 1.1 christos if (pam_err != PAM_SUCCESS)
419 1.1 christos return (pam_err);
420 1.11 christos if (getpwnam_r(user, &pwres, pwbuf, sizeof(pwbuf), &pwd) != 0 ||
421 1.11 christos pwd == NULL)
422 1.1 christos return (PAM_USER_UNKNOWN);
423 1.4 christos
424 1.4 christos /* start the agent */
425 1.4 christos pam_err = pam_ssh_start_agent(pamh, pwd);
426 1.4 christos if (pam_err != PAM_SUCCESS)
427 1.4 christos return pam_err;
428 1.4 christos
429 1.1 christos pam_err = openpam_borrow_cred(pamh, pwd);
430 1.1 christos if (pam_err != PAM_SUCCESS)
431 1.4 christos return pam_err;
432 1.1 christos
433 1.1 christos /* we have an agent, see if we can add any keys to it */
434 1.1 christos pam_err = pam_ssh_add_keys_to_agent(pamh);
435 1.1 christos if (pam_err != PAM_SUCCESS) {
436 1.1 christos /* XXX ignore failures */
437 1.4 christos openpam_log(PAM_LOG_DEBUG, "failed adding keys to ssh agent");
438 1.4 christos pam_err = PAM_SUCCESS;
439 1.1 christos }
440 1.1 christos
441 1.1 christos openpam_restore_cred(pamh);
442 1.4 christos return pam_err;
443 1.1 christos }
444 1.1 christos
445 1.1 christos PAM_EXTERN int
446 1.1 christos pam_sm_close_session(pam_handle_t *pamh, int flags __unused,
447 1.1 christos int argc __unused, const char *argv[] __unused)
448 1.1 christos {
449 1.1 christos const char *ssh_agent_pid;
450 1.1 christos char *end;
451 1.1 christos int status;
452 1.1 christos pid_t pid;
453 1.1 christos
454 1.1 christos if ((ssh_agent_pid = pam_getenv(pamh, "SSH_AGENT_PID")) == NULL) {
455 1.1 christos openpam_log(PAM_LOG_DEBUG, "no ssh agent");
456 1.1 christos return (PAM_SUCCESS);
457 1.1 christos }
458 1.1 christos pid = (pid_t)strtol(ssh_agent_pid, &end, 10);
459 1.1 christos if (*ssh_agent_pid == '\0' || *end != '\0') {
460 1.1 christos openpam_log(PAM_LOG_DEBUG, "invalid ssh agent pid");
461 1.1 christos return (PAM_SESSION_ERR);
462 1.1 christos }
463 1.1 christos openpam_log(PAM_LOG_DEBUG, "killing ssh agent %d", (int)pid);
464 1.1 christos if (kill(pid, SIGTERM) == -1 ||
465 1.1 christos (waitpid(pid, &status, 0) == -1 && errno != ECHILD))
466 1.1 christos return (PAM_SYSTEM_ERR);
467 1.1 christos return (PAM_SUCCESS);
468 1.1 christos }
469 1.1 christos
470 1.1 christos PAM_MODULE_ENTRY("pam_ssh");
471