pam_ssh.c revision 1.22.18.1
1 1.22.18.1 riz /* $NetBSD: pam_ssh.c,v 1.22.18.1 2015/04/30 06:07:34 riz Exp $ */ 2 1.2 christos 3 1.1 christos /*- 4 1.1 christos * Copyright (c) 2003 Networks Associates Technology, Inc. 5 1.1 christos * All rights reserved. 6 1.1 christos * 7 1.1 christos * This software was developed for the FreeBSD Project by ThinkSec AS and 8 1.1 christos * NAI Labs, the Security Research Division of Network Associates, Inc. 9 1.1 christos * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the 10 1.1 christos * DARPA CHATS research program. 11 1.1 christos * 12 1.1 christos * Redistribution and use in source and binary forms, with or without 13 1.1 christos * modification, are permitted provided that the following conditions 14 1.1 christos * are met: 15 1.1 christos * 1. Redistributions of source code must retain the above copyright 16 1.1 christos * notice, this list of conditions and the following disclaimer. 17 1.1 christos * 2. Redistributions in binary form must reproduce the above copyright 18 1.1 christos * notice, this list of conditions and the following disclaimer in the 19 1.1 christos * documentation and/or other materials provided with the distribution. 20 1.1 christos * 3. The name of the author may not be used to endorse or promote 21 1.1 christos * products derived from this software without specific prior written 22 1.1 christos * permission. 23 1.1 christos * 24 1.1 christos * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 25 1.1 christos * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 26 1.1 christos * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 27 1.1 christos * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 28 1.1 christos * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 29 1.1 christos * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 30 1.1 christos * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 31 1.1 christos * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 32 1.1 christos * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 33 1.1 christos * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 34 1.1 christos * SUCH DAMAGE. 35 1.1 christos */ 36 1.1 christos 37 1.1 christos #include <sys/cdefs.h> 38 1.3 lukem #ifdef __FreeBSD__ 39 1.1 christos __FBSDID("$FreeBSD: src/lib/libpam/modules/pam_ssh/pam_ssh.c,v 1.40 2004/02/10 10:13:21 des Exp $"); 40 1.2 christos #else 41 1.22.18.1 riz __RCSID("$NetBSD: pam_ssh.c,v 1.22.18.1 2015/04/30 06:07:34 riz Exp $"); 42 1.2 christos #endif 43 1.1 christos 44 1.1 christos #include <sys/param.h> 45 1.1 christos #include <sys/wait.h> 46 1.1 christos 47 1.1 christos #include <errno.h> 48 1.1 christos #include <fcntl.h> 49 1.1 christos #include <paths.h> 50 1.1 christos #include <pwd.h> 51 1.1 christos #include <signal.h> 52 1.1 christos #include <stdio.h> 53 1.1 christos #include <string.h> 54 1.1 christos #include <unistd.h> 55 1.1 christos 56 1.1 christos #define PAM_SM_AUTH 57 1.1 christos #define PAM_SM_SESSION 58 1.1 christos 59 1.1 christos #include <security/pam_appl.h> 60 1.1 christos #include <security/pam_modules.h> 61 1.1 christos #include <security/openpam.h> 62 1.1 christos 63 1.1 christos #include <openssl/evp.h> 64 1.1 christos 65 1.1 christos #include "key.h" 66 1.13 dogcow #include "buffer.h" 67 1.1 christos #include "authfd.h" 68 1.1 christos #include "authfile.h" 69 1.1 christos 70 1.18 drochner #define ssh_add_identity(auth, key, comment) \ 71 1.18 drochner ssh_add_identity_constrained(auth, key, comment, 0, 0) 72 1.18 drochner 73 1.1 christos extern char **environ; 74 1.1 christos 75 1.1 christos struct pam_ssh_key { 76 1.1 christos Key *key; 77 1.1 christos char *comment; 78 1.1 christos }; 79 1.1 christos 80 1.1 christos static const char *pam_ssh_prompt = "SSH passphrase: "; 81 1.1 christos static const char *pam_ssh_have_keys = "pam_ssh_have_keys"; 82 1.1 christos 83 1.1 christos static const char *pam_ssh_keyfiles[] = { 84 1.1 christos ".ssh/identity", /* SSH1 RSA key */ 85 1.1 christos ".ssh/id_rsa", /* SSH2 RSA key */ 86 1.1 christos ".ssh/id_dsa", /* SSH2 DSA key */ 87 1.20 drochner ".ssh/id_ecdsa", /* SSH2 ECDSA key */ 88 1.1 christos NULL 89 1.1 christos }; 90 1.1 christos 91 1.1 christos static const char *pam_ssh_agent = "/usr/bin/ssh-agent"; 92 1.18 drochner static const char *const pam_ssh_agent_argv[] = { "ssh_agent", "-s", NULL }; 93 1.18 drochner static const char *const pam_ssh_agent_envp[] = { NULL }; 94 1.1 christos 95 1.1 christos /* 96 1.1 christos * Attempts to load a private key from the specified file in the specified 97 1.1 christos * directory, using the specified passphrase. If successful, returns a 98 1.1 christos * struct pam_ssh_key containing the key and its comment. 99 1.1 christos */ 100 1.1 christos static struct pam_ssh_key * 101 1.19 drochner pam_ssh_load_key(const char *dir, const char *kfn, const char *passphrase, 102 1.19 drochner int nullok) 103 1.1 christos { 104 1.1 christos struct pam_ssh_key *psk; 105 1.1 christos char fn[PATH_MAX]; 106 1.1 christos char *comment; 107 1.1 christos Key *key; 108 1.1 christos 109 1.18 drochner if (snprintf(fn, sizeof(fn), "%s/%s", dir, kfn) > (int)sizeof(fn)) 110 1.1 christos return (NULL); 111 1.1 christos comment = NULL; 112 1.19 drochner /* 113 1.19 drochner * If the key is unencrypted, OpenSSL ignores the passphrase, so 114 1.19 drochner * it will seem like the user typed in the right one. This allows 115 1.19 drochner * a user to circumvent nullok by providing a dummy passphrase. 116 1.19 drochner * Verify that the key really *is* encrypted by trying to load it 117 1.19 drochner * with an empty passphrase, and if the key is not encrypted, 118 1.19 drochner * accept only an empty passphrase. 119 1.19 drochner */ 120 1.19 drochner key = key_load_private(fn, "", &comment); 121 1.19 drochner if (key != NULL && !(*passphrase == '\0' && nullok)) { 122 1.19 drochner key_free(key); 123 1.19 drochner free(comment); 124 1.19 drochner return (NULL); 125 1.19 drochner } 126 1.19 drochner if (key == NULL) 127 1.19 drochner key = key_load_private(fn, passphrase, &comment); 128 1.1 christos if (key == NULL) { 129 1.17 drochner openpam_log(PAM_LOG_DEBUG, "failed to load key from %s", fn); 130 1.12 jnemeth if (comment != NULL) 131 1.12 jnemeth free(comment); 132 1.1 christos return (NULL); 133 1.1 christos } 134 1.1 christos 135 1.17 drochner openpam_log(PAM_LOG_DEBUG, "loaded '%s' from %s", comment, fn); 136 1.1 christos if ((psk = malloc(sizeof(*psk))) == NULL) { 137 1.1 christos key_free(key); 138 1.1 christos free(comment); 139 1.1 christos return (NULL); 140 1.1 christos } 141 1.1 christos psk->key = key; 142 1.1 christos psk->comment = comment; 143 1.1 christos return (psk); 144 1.1 christos } 145 1.1 christos 146 1.1 christos /* 147 1.1 christos * Wipes a private key and frees the associated resources. 148 1.1 christos */ 149 1.1 christos static void 150 1.1 christos pam_ssh_free_key(pam_handle_t *pamh __unused, 151 1.1 christos void *data, int pam_err __unused) 152 1.1 christos { 153 1.1 christos struct pam_ssh_key *psk; 154 1.1 christos 155 1.1 christos psk = data; 156 1.1 christos key_free(psk->key); 157 1.1 christos free(psk->comment); 158 1.1 christos free(psk); 159 1.1 christos } 160 1.1 christos 161 1.1 christos PAM_EXTERN int 162 1.1 christos pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, 163 1.1 christos int argc __unused, const char *argv[] __unused) 164 1.1 christos { 165 1.1 christos const char **kfn, *passphrase, *user; 166 1.18 drochner const void *item; 167 1.10 thorpej struct passwd *pwd, pwres; 168 1.1 christos struct pam_ssh_key *psk; 169 1.19 drochner int nkeys, nullok, pam_err, pass; 170 1.10 thorpej char pwbuf[1024]; 171 1.1 christos 172 1.19 drochner nullok = (openpam_get_option(pamh, "nullok") != NULL); 173 1.19 drochner 174 1.1 christos /* PEM is not loaded by default */ 175 1.1 christos OpenSSL_add_all_algorithms(); 176 1.1 christos 177 1.1 christos /* get user name and home directory */ 178 1.1 christos pam_err = pam_get_user(pamh, &user, NULL); 179 1.1 christos if (pam_err != PAM_SUCCESS) 180 1.1 christos return (pam_err); 181 1.11 christos if (getpwnam_r(user, &pwres, pwbuf, sizeof(pwbuf), &pwd) != 0 || 182 1.11 christos pwd == NULL) 183 1.1 christos return (PAM_USER_UNKNOWN); 184 1.1 christos if (pwd->pw_dir == NULL) 185 1.1 christos return (PAM_AUTH_ERR); 186 1.1 christos 187 1.19 drochner nkeys = 0; 188 1.18 drochner pass = (pam_get_item(pamh, PAM_AUTHTOK, &item) == PAM_SUCCESS && 189 1.18 drochner item != NULL); 190 1.1 christos load_keys: 191 1.1 christos /* get passphrase */ 192 1.1 christos pam_err = pam_get_authtok(pamh, PAM_AUTHTOK, 193 1.1 christos &passphrase, pam_ssh_prompt); 194 1.22 drochner if (pam_err != PAM_SUCCESS) 195 1.22 drochner return (pam_err); 196 1.22 drochner 197 1.22 drochner /* switch to user credentials */ 198 1.22 drochner pam_err = openpam_borrow_cred(pamh, pwd); 199 1.22 drochner if (pam_err != PAM_SUCCESS) 200 1.1 christos return (pam_err); 201 1.1 christos 202 1.1 christos /* try to load keys from all keyfiles we know of */ 203 1.1 christos for (kfn = pam_ssh_keyfiles; *kfn != NULL; ++kfn) { 204 1.19 drochner psk = pam_ssh_load_key(pwd->pw_dir, *kfn, passphrase, nullok); 205 1.1 christos if (psk != NULL) { 206 1.1 christos pam_set_data(pamh, *kfn, psk, pam_ssh_free_key); 207 1.1 christos ++nkeys; 208 1.1 christos } 209 1.1 christos } 210 1.1 christos 211 1.22 drochner /* switch back to arbitrator credentials */ 212 1.22 drochner openpam_restore_cred(pamh); 213 1.22 drochner 214 1.1 christos /* 215 1.1 christos * If we tried an old token and didn't get anything, and 216 1.1 christos * try_first_pass was specified, try again after prompting the 217 1.1 christos * user for a new passphrase. 218 1.1 christos */ 219 1.1 christos if (nkeys == 0 && pass == 1 && 220 1.1 christos openpam_get_option(pamh, "try_first_pass") != NULL) { 221 1.1 christos pam_set_item(pamh, PAM_AUTHTOK, NULL); 222 1.1 christos pass = 0; 223 1.1 christos goto load_keys; 224 1.1 christos } 225 1.1 christos 226 1.1 christos /* no keys? */ 227 1.1 christos if (nkeys == 0) 228 1.1 christos return (PAM_AUTH_ERR); 229 1.1 christos 230 1.1 christos pam_set_data(pamh, pam_ssh_have_keys, NULL, NULL); 231 1.1 christos return (PAM_SUCCESS); 232 1.1 christos } 233 1.1 christos 234 1.1 christos PAM_EXTERN int 235 1.1 christos pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused, 236 1.1 christos int argc __unused, const char *argv[] __unused) 237 1.1 christos { 238 1.1 christos 239 1.1 christos return (PAM_SUCCESS); 240 1.1 christos } 241 1.1 christos 242 1.1 christos /* 243 1.1 christos * Parses a line from ssh-agent's output. 244 1.1 christos */ 245 1.1 christos static void 246 1.1 christos pam_ssh_process_agent_output(pam_handle_t *pamh, FILE *f) 247 1.1 christos { 248 1.1 christos char *line, *p, *key, *val; 249 1.1 christos size_t len; 250 1.1 christos 251 1.1 christos while ((line = fgetln(f, &len)) != NULL) { 252 1.1 christos if (len < 4 || strncmp(line, "SSH_", 4) != 0) 253 1.1 christos continue; 254 1.1 christos 255 1.1 christos /* find equal sign at end of key */ 256 1.1 christos for (p = key = line; p < line + len; ++p) 257 1.1 christos if (*p == '=') 258 1.1 christos break; 259 1.1 christos if (p == line + len || *p != '=') 260 1.1 christos continue; 261 1.1 christos *p = '\0'; 262 1.1 christos 263 1.1 christos /* find semicolon at end of value */ 264 1.1 christos for (val = ++p; p < line + len; ++p) 265 1.1 christos if (*p == ';') 266 1.1 christos break; 267 1.1 christos if (p == line + len || *p != ';') 268 1.1 christos continue; 269 1.1 christos *p = '\0'; 270 1.1 christos 271 1.1 christos /* store key-value pair in environment */ 272 1.1 christos openpam_log(PAM_LOG_DEBUG, "got %s: %s", key, val); 273 1.1 christos pam_setenv(pamh, key, val, 1); 274 1.1 christos } 275 1.1 christos } 276 1.1 christos 277 1.1 christos /* 278 1.1 christos * Starts an ssh agent and stores the environment variables derived from 279 1.1 christos * its output. 280 1.1 christos */ 281 1.1 christos static int 282 1.4 christos pam_ssh_start_agent(pam_handle_t *pamh, struct passwd *pwd) 283 1.1 christos { 284 1.1 christos int agent_pipe[2]; 285 1.1 christos pid_t pid; 286 1.1 christos FILE *f; 287 1.1 christos 288 1.1 christos /* get a pipe which we will use to read the agent's output */ 289 1.4 christos if (pipe(agent_pipe) == -1) 290 1.1 christos return (PAM_SYSTEM_ERR); 291 1.1 christos 292 1.1 christos /* start the agent */ 293 1.1 christos openpam_log(PAM_LOG_DEBUG, "starting an ssh agent"); 294 1.1 christos pid = fork(); 295 1.1 christos if (pid == (pid_t)-1) { 296 1.1 christos /* failed */ 297 1.1 christos close(agent_pipe[0]); 298 1.1 christos close(agent_pipe[1]); 299 1.1 christos return (PAM_SYSTEM_ERR); 300 1.1 christos } 301 1.1 christos if (pid == 0) { 302 1.2 christos #ifndef F_CLOSEM 303 1.1 christos int fd; 304 1.2 christos #endif 305 1.1 christos /* child: drop privs, close fds and start agent */ 306 1.4 christos if (setgid(pwd->pw_gid) == -1) { 307 1.21 christos openpam_log(PAM_LOG_DEBUG, "%s: Cannot setgid %d (%s)", 308 1.21 christos __func__, (int)pwd->pw_gid, strerror(errno)); 309 1.4 christos goto done; 310 1.4 christos } 311 1.4 christos if (initgroups(pwd->pw_name, pwd->pw_gid) == -1) { 312 1.4 christos openpam_log(PAM_LOG_DEBUG, 313 1.21 christos "%s: Cannot initgroups for %s (%s)", 314 1.21 christos __func__, pwd->pw_name, strerror(errno)); 315 1.4 christos goto done; 316 1.4 christos } 317 1.4 christos if (setuid(pwd->pw_uid) == -1) { 318 1.21 christos openpam_log(PAM_LOG_DEBUG, "%s: Cannot setuid %d (%s)", 319 1.21 christos __func__, (int)pwd->pw_uid, strerror(errno)); 320 1.4 christos goto done; 321 1.4 christos } 322 1.4 christos (void)close(STDIN_FILENO); 323 1.4 christos (void)open(_PATH_DEVNULL, O_RDONLY); 324 1.4 christos (void)dup2(agent_pipe[1], STDOUT_FILENO); 325 1.4 christos (void)dup2(agent_pipe[1], STDERR_FILENO); 326 1.2 christos #ifdef F_CLOSEM 327 1.2 christos (void)fcntl(3, F_CLOSEM, 0); 328 1.2 christos #else 329 1.1 christos for (fd = 3; fd < getdtablesize(); ++fd) 330 1.4 christos (void)close(fd); 331 1.2 christos #endif 332 1.4 christos (void)execve(pam_ssh_agent, 333 1.4 christos (char **)__UNCONST(pam_ssh_agent_argv), 334 1.2 christos (char **)__UNCONST(pam_ssh_agent_envp)); 335 1.4 christos done: 336 1.1 christos _exit(127); 337 1.1 christos } 338 1.1 christos 339 1.1 christos /* parent */ 340 1.1 christos close(agent_pipe[1]); 341 1.1 christos if ((f = fdopen(agent_pipe[0], "r")) == NULL) 342 1.1 christos return (PAM_SYSTEM_ERR); 343 1.1 christos pam_ssh_process_agent_output(pamh, f); 344 1.1 christos fclose(f); 345 1.1 christos 346 1.1 christos return (PAM_SUCCESS); 347 1.1 christos } 348 1.1 christos 349 1.1 christos /* 350 1.1 christos * Adds previously stored keys to a running agent. 351 1.1 christos */ 352 1.1 christos static int 353 1.1 christos pam_ssh_add_keys_to_agent(pam_handle_t *pamh) 354 1.1 christos { 355 1.15 christos const struct pam_ssh_key *psk; 356 1.1 christos const char **kfn; 357 1.1 christos char **envlist, **env; 358 1.1 christos int pam_err; 359 1.22.18.1 riz int agent_fd; 360 1.1 christos 361 1.1 christos /* switch to PAM environment */ 362 1.1 christos envlist = environ; 363 1.1 christos if ((environ = pam_getenvlist(pamh)) == NULL) { 364 1.4 christos openpam_log(PAM_LOG_DEBUG, "%s: cannot get envlist", 365 1.14 ragge __func__); 366 1.1 christos environ = envlist; 367 1.1 christos return (PAM_SYSTEM_ERR); 368 1.1 christos } 369 1.1 christos 370 1.1 christos /* get a connection to the agent */ 371 1.22.18.1 riz if (ssh_get_authentication_socket(&agent_fd) != 0) { 372 1.4 christos openpam_log(PAM_LOG_DEBUG, 373 1.4 christos "%s: cannot get authentication connection", 374 1.14 ragge __func__); 375 1.1 christos pam_err = PAM_SYSTEM_ERR; 376 1.22.18.1 riz agent_fd = -1; 377 1.1 christos goto end; 378 1.1 christos } 379 1.1 christos 380 1.1 christos /* look for keys to add to it */ 381 1.1 christos for (kfn = pam_ssh_keyfiles; *kfn != NULL; ++kfn) { 382 1.15 christos const void *vp; 383 1.15 christos pam_err = pam_get_data(pamh, *kfn, &vp); 384 1.15 christos psk = vp; 385 1.1 christos if (pam_err == PAM_SUCCESS && psk != NULL) { 386 1.22.18.1 riz if (ssh_add_identity_constrained(agent_fd, psk->key, 387 1.22.18.1 riz psk->comment, 0, 0)) 388 1.1 christos openpam_log(PAM_LOG_DEBUG, 389 1.1 christos "added %s to ssh agent", psk->comment); 390 1.1 christos else 391 1.1 christos openpam_log(PAM_LOG_DEBUG, "failed " 392 1.1 christos "to add %s to ssh agent", psk->comment); 393 1.1 christos /* we won't need the key again, so wipe it */ 394 1.1 christos pam_set_data(pamh, *kfn, NULL, NULL); 395 1.1 christos } 396 1.1 christos } 397 1.1 christos pam_err = PAM_SUCCESS; 398 1.1 christos end: 399 1.1 christos /* disconnect from agent */ 400 1.22.18.1 riz if (agent_fd != -1) 401 1.22.18.1 riz ssh_close_authentication_socket(agent_fd); 402 1.1 christos 403 1.1 christos /* switch back to original environment */ 404 1.1 christos for (env = environ; *env != NULL; ++env) 405 1.1 christos free(*env); 406 1.1 christos free(environ); 407 1.1 christos environ = envlist; 408 1.1 christos 409 1.1 christos return (pam_err); 410 1.1 christos } 411 1.1 christos 412 1.1 christos PAM_EXTERN int 413 1.1 christos pam_sm_open_session(pam_handle_t *pamh, int flags __unused, 414 1.1 christos int argc __unused, const char *argv[] __unused) 415 1.1 christos { 416 1.10 thorpej struct passwd *pwd, pwres; 417 1.1 christos const char *user; 418 1.15 christos const void *data; 419 1.4 christos int pam_err = PAM_SUCCESS; 420 1.10 thorpej char pwbuf[1024]; 421 1.1 christos 422 1.1 christos /* no keys, no work */ 423 1.1 christos if (pam_get_data(pamh, pam_ssh_have_keys, &data) != PAM_SUCCESS && 424 1.1 christos openpam_get_option(pamh, "want_agent") == NULL) 425 1.1 christos return (PAM_SUCCESS); 426 1.1 christos 427 1.1 christos /* switch to user credentials */ 428 1.1 christos pam_err = pam_get_user(pamh, &user, NULL); 429 1.1 christos if (pam_err != PAM_SUCCESS) 430 1.1 christos return (pam_err); 431 1.11 christos if (getpwnam_r(user, &pwres, pwbuf, sizeof(pwbuf), &pwd) != 0 || 432 1.11 christos pwd == NULL) 433 1.1 christos return (PAM_USER_UNKNOWN); 434 1.4 christos 435 1.4 christos /* start the agent */ 436 1.4 christos pam_err = pam_ssh_start_agent(pamh, pwd); 437 1.4 christos if (pam_err != PAM_SUCCESS) 438 1.4 christos return pam_err; 439 1.4 christos 440 1.1 christos pam_err = openpam_borrow_cred(pamh, pwd); 441 1.1 christos if (pam_err != PAM_SUCCESS) 442 1.4 christos return pam_err; 443 1.1 christos 444 1.1 christos /* we have an agent, see if we can add any keys to it */ 445 1.1 christos pam_err = pam_ssh_add_keys_to_agent(pamh); 446 1.1 christos if (pam_err != PAM_SUCCESS) { 447 1.1 christos /* XXX ignore failures */ 448 1.4 christos openpam_log(PAM_LOG_DEBUG, "failed adding keys to ssh agent"); 449 1.4 christos pam_err = PAM_SUCCESS; 450 1.1 christos } 451 1.1 christos 452 1.1 christos openpam_restore_cred(pamh); 453 1.4 christos return pam_err; 454 1.1 christos } 455 1.1 christos 456 1.1 christos PAM_EXTERN int 457 1.1 christos pam_sm_close_session(pam_handle_t *pamh, int flags __unused, 458 1.1 christos int argc __unused, const char *argv[] __unused) 459 1.1 christos { 460 1.1 christos const char *ssh_agent_pid; 461 1.1 christos char *end; 462 1.1 christos int status; 463 1.1 christos pid_t pid; 464 1.1 christos 465 1.1 christos if ((ssh_agent_pid = pam_getenv(pamh, "SSH_AGENT_PID")) == NULL) { 466 1.1 christos openpam_log(PAM_LOG_DEBUG, "no ssh agent"); 467 1.1 christos return (PAM_SUCCESS); 468 1.1 christos } 469 1.1 christos pid = (pid_t)strtol(ssh_agent_pid, &end, 10); 470 1.1 christos if (*ssh_agent_pid == '\0' || *end != '\0') { 471 1.1 christos openpam_log(PAM_LOG_DEBUG, "invalid ssh agent pid"); 472 1.1 christos return (PAM_SESSION_ERR); 473 1.1 christos } 474 1.1 christos openpam_log(PAM_LOG_DEBUG, "killing ssh agent %d", (int)pid); 475 1.1 christos if (kill(pid, SIGTERM) == -1 || 476 1.1 christos (waitpid(pid, &status, 0) == -1 && errno != ECHILD)) 477 1.1 christos return (PAM_SYSTEM_ERR); 478 1.1 christos return (PAM_SUCCESS); 479 1.1 christos } 480 1.1 christos 481 1.1 christos PAM_MODULE_ENTRY("pam_ssh"); 482
Indexes created Mon Sep 29 21:09:56 GMT 2025