rpms/pam_ssh/devel pam_ssh-1.91-getpwnam.patch, NONE, 1.1 pam_ssh-1.91-man_agent_files.diff, NONE, 1.1 pam_ssh-1.91-var_run.patch, NONE, 1.1 pam_ssh.spec, NONE, 1.1 .cvsignore, 1.1, 1.2 sources, 1.1, 1.2

Patrice Dumas (pertusus) fedora-extras-commits at redhat.com
Fri Aug 26 08:10:16 UTC 2005


Author: pertusus

Update of /cvs/extras/rpms/pam_ssh/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv2120/devel

Modified Files:
	.cvsignore sources 
Added Files:
	pam_ssh-1.91-getpwnam.patch pam_ssh-1.91-man_agent_files.diff 
	pam_ssh-1.91-var_run.patch pam_ssh.spec 
Log Message:
auto-import pam_ssh-1.91-7 on branch devel from pam_ssh-1.91-7.src.rpm

pam_ssh-1.91-getpwnam.patch:

--- NEW FILE pam_ssh-1.91-getpwnam.patch ---
diff -Nrbu pam_ssh-1.91/pam_ssh.c pam_ssh-1.91-OK/pam_ssh.c
--- pam_ssh-1.91/pam_ssh.c	2004-04-12 17:55:08.000000000 +0400
+++ pam_ssh-1.91-OK/pam_ssh.c	2004-10-04 18:45:43.000000000 +0400
@@ -350,7 +350,6 @@
 #endif
 	const char *pass;		/* passphrase */
 	const struct passwd *pwent;	/* user's passwd entry */
-	struct passwd *pwent_keep;	/* our own copy */
 	int retval;			/* from calls */
 	const char *user;		/* username */
 
@@ -461,22 +460,6 @@
 		return PAM_AUTH_ERR;
 	}
 
-	/* copy the passwd entry (in case successive calls are made) and
-           save it for the session phase */
-
-	if (!(pwent_keep = malloc(sizeof *pwent))) {
-		pam_ssh_log(LOG_CRIT, "out of memory");
-		openpam_restore_cred(pamh);
-		return PAM_SERVICE_ERR;
-	}
-	memcpy(pwent_keep, pwent, sizeof *pwent_keep);
-	if ((retval = pam_set_data(pamh, "ssh_passwd_entry", pwent_keep,
-	    ssh_cleanup)) != PAM_SUCCESS) {
-		free(pwent_keep);
-		openpam_restore_cred(pamh);
-		return retval;
-	}
-
 	openpam_restore_cred(pamh);
 	return PAM_SUCCESS;
 }
@@ -515,14 +498,16 @@
 	int start_agent;		/* start agent? */
 	const char *tty_raw;		/* raw tty or display name */
 	char *tty_nodir;		/* tty without / chars */
+	const char *user;		/* username */
 
 	log_init(MODULE_NAME, SYSLOG_LEVEL_ERROR, SYSLOG_FACILITY_AUTHPRIV, 0);
 
 	/* dump output of ssh-agent in ~/.ssh */
-	if ((retval = pam_get_data(pamh, "ssh_passwd_entry",
-	    (const void **)(void *)&pwent))
-	    != PAM_SUCCESS)
+	if ((retval = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS)
 		return retval;
+	if (!(user && (pwent = getpwnam(user)) && pwent->pw_dir &&
+	    *pwent->pw_dir))
+		return PAM_AUTH_ERR;
 
 	retval = openpam_borrow_cred(pamh, pwent);
 	if (retval != PAM_SUCCESS && retval != PAM_PERM_DENIED) {
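Review bot: The failed-lookup path added at lines 71-73 returns PAM_AUTH_ERR from a session function and does so silently; PAM_SESSION_ERR (or PAM_USER_UNKNOWN when getpwnam() itself returns NULL) is the code the session phase is expected to produce, and the condition deserves a log line so a missing home directory can be told apart from an agent failure, e.g. `pam_ssh_log(LOG_ERR, "no passwd entry or home directory for %s", user ? user : "(unknown)");` followed by `return PAM_SESSION_ERR;`. getpwnam() also returns a pointer to static storage, so pwent only stays valid until the next call into the passwd database; if any later call in this function consults it before pwent->pw_dir is used, the fields should be copied first — I cannot tell from the hunk whether that is the case. pam_sm_open_session begins before this hunk.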
@@ -842,10 +827,13 @@
 	const char *ssh_agent_pid;	/* ssh-agent pid string */
 	const struct passwd *pwent;	/* user's passwd entry */
 	struct stat sb;			/* to check st_nlink */
+	const char *user;		/* username */
 
-	if ((retval = pam_get_data(pamh, "ssh_passwd_entry",
-	    (const void **)(void *)&pwent)) != PAM_SUCCESS)
+	if ((retval = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS)
 		return retval;
+	if (!(user && (pwent = getpwnam(user)) && pwent->pw_dir &&
+	    *pwent->pw_dir))
+		return PAM_AUTH_ERR;
 
 	retval = openpam_borrow_cred(pamh, pwent);
 	if (retval != PAM_SUCCESS && retval != PAM_PERM_DENIED) {
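Review bot: pam_sm_close_session now returns PAM_AUTH_ERR at lines 87-89 before any of its cleanup runs, so if the passwd entry or home directory vanishes between open and close the per-session file and the agent are simply left behind, with nothing in syslog to explain it. A session function should report PAM_SESSION_ERR here, and the branch wants a `pam_ssh_log(LOG_ERR, ...)` naming the user. Since the open half of this patch performs the identical lookup, a small `static` helper that resolves the PAM user to a passwd entry (and logs on failure) would keep the two paths from drifting. The rest of pam_sm_close_session lies outside the hunk.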

pam_ssh-1.91-man_agent_files.diff:

--- NEW FILE pam_ssh-1.91-man_agent_files.diff ---
--- ./pam_ssh.8.old	2005-08-16 18:32:35.000000000 +0200
+++ pam_ssh.8	2005-08-17 09:13:19.000000000 +0200
@@ -146,6 +146,10 @@
 SSH2 RSA keys
 .It Pa $HOME/.ssh2/id_dsa_*
 SSH2 DSA keys
+.It Pa /var/run/pam_ssh/<user>*
+ssh-agent environment information. The files are owned by the superuser but 
+readable by the users. The location is Fedora specific, in the original package
+these files are in $HOME/.ssh/agent-*
 .El
 .Sh SEE ALSO
 .Xr ssh-agent 1 ,

pam_ssh-1.91-var_run.patch:

--- NEW FILE pam_ssh-1.91-var_run.patch ---
diff -Nrbu pam_ssh-1.91/pam_ssh.c pam_ssh-1.91-OK/pam_ssh.c
--- pam_ssh-1.91/pam_ssh.c	2005-08-16 19:22:54.000000000 +0400
+++ pam_ssh-1.91-OK/pam_ssh.c	2005-08-16 19:22:03.000000000 +0400
@@ -109,6 +109,7 @@
 #define PAM_OPT_BLANK_PASSPHRASE_NAME	"allow_blank_passphrase"
 #define SEP_KEYFILES			","
 #define SSH_CLIENT_DIR			".ssh"
+#define STATE_DIR			"/var/run/" MODULE_NAME
 
 enum {
 #if HAVE_OPENPAM || HAVE_PAM_STRUCT_OPTIONS || !HAVE_PAM_STD_OPTION
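Review bot: STATE_DIR is a literal /var/run path while the spec in this commit creates the directory from the localstatedir macro (line 266); the two only agree while localstatedir is /var, so the value should come from the build system (a -DSTATE_DIR define derived from localstatedir) rather than being hard-coded here. The directory is also a security boundary that nothing in the code states: the later hunks open and link files inside it with root credentials restored, which is only safe because the package installs it root-owned and mode 0755. I would record that next to the define: `/* Per-user agent state. Must be owned by root and never group/world writable: files are created and linked here with root credentials (see pam_sm_open_session). */`.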
@@ -489,7 +490,6 @@
 	char env_string[BUFSIZ];	/* environment string */
 	char *env_value;		/* envariable value */
 	int env_write;			/* env file descriptor */
-	char hname[MAXHOSTNAMELEN];	/* local hostname */
 	int no_link;			/* link per-agent file? */
 	char *per_agent;		/* to store env */
 	char *per_session;		/* per-session filename */
@@ -502,7 +502,6 @@
 
 	log_init(MODULE_NAME, SYSLOG_LEVEL_ERROR, SYSLOG_FACILITY_AUTHPRIV, 0);
 
-	/* dump output of ssh-agent in ~/.ssh */
 	if ((retval = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS)
 		return retval;
 	if (!(user && (pwent = getpwnam(user)) && pwent->pw_dir &&
@@ -521,17 +520,16 @@
 	 * Technique: Create an environment file containing
 	 * information about the agent.  Only one file is created, but
 	 * it may be given many names.  One name is given for the
-	 * agent itself, agent-<host>.  Another name is given for each
-	 * session, agent-<host>-<display> or agent-<host>-<tty>.  We
+	 * agent itself, /var/run/pam_ssh/<user>. Another name is given
+	 * for each session, <user>-<display> or <user>-<tty>.  We
 	 * delete the per-session filename on session close, and when
 	 * the link count goes to unity on the per-agent file, we
 	 * delete the file and kill the agent.
 	 */
 
-	/* the per-agent file contains just the hostname */
+	/* the per-agent file contains just the username */
 
-	gethostname(hname, sizeof hname);
-	if (asprintf(&per_agent, "%s/.ssh/agent-%s", pwent->pw_dir, hname)
+	if (asprintf(&per_agent, STATE_DIR "/%s", pwent->pw_name)
 	    == -1) {
 		pam_ssh_log(LOG_CRIT, "out of memory");
 		openpam_restore_cred(pamh);
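Review bot: The per-agent path at line 159 is now built from pwent->pw_name and created with root credentials a few lines later, so the user name is the only component that could steer the path outside STATE_DIR. A '/' in pw_name is not something a local passwd file produces, but the module cannot see where the entry came from, so a cheap guard before the asprintf() is worth having: `if (strchr(pwent->pw_name, '/') != NULL) { openpam_restore_cred(pamh); return PAM_SESSION_ERR; }` (with a log line). The comment block above it is otherwise accurate for the new layout; I would just note in it that the tty component has had every '/' rewritten to '_', since that is what keeps the per-session names flat. The enclosing function starts and ends outside this hunk.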
@@ -555,9 +553,14 @@
 
 	env_write = child_pid = no_link = start_agent = 0;
 	env_read = NULL;
-	if ((env_write = open(per_agent, O_CREAT | O_EXCL | O_WRONLY, S_IRUSR))
-	    < 0 && !(env_read = fopen(per_agent, "r")))
+
+	openpam_restore_cred(pamh);
+	if ((env_write = open(per_agent, O_CREAT | O_EXCL | O_WRONLY,
+	     S_IRUSR | S_IRGRP | S_IROTH)) < 0 &&
+	    !(env_read = fopen(per_agent, "r")))
 		no_link = 1;
+	openpam_borrow_cred(pamh, pwent);
+
 	if (!env_read) {
 		start_agent = 1;
 		if (pipe(child_pipe) < 0) {
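Review bot: The return value of the re-borrow at line 175 is discarded; the function's first openpam_borrow_cred() (visible in the getpwnam patch above, line 75) bails out on anything but PAM_SUCCESS/PAM_PERM_DENIED, and the same must happen here, otherwise a failed drop leaves the rest of open-session — including the agent start that begins at line 178 — running with root credentials. The mode on the create at line 172 is also wider than needed: 0444 makes the file, which the man page hunk describes as the ssh-agent environment information, readable by every local user, while the changelog says the intent is only that the owning user can read it; fchown()ing the new file to the user and keeping S_IRUSR satisfies that. The error path after a failed re-borrow must release whatever the function already holds (env_write/env_read and per_agent); the exact cleanup lives outside the hunk. The enclosing function starts and ends outside this hunk.
```c
	openpam_restore_cred(pamh);
	/* create the per-agent file with root credentials (STATE_DIR is root-owned);
	   keep it 0400 and hand it to the user instead of making it world-readable */
	if ((env_write = open(per_agent, O_CREAT | O_EXCL | O_WRONLY, S_IRUSR)) < 0 &&
	    !(env_read = fopen(per_agent, "r")))
		no_link = 1;
	if (env_write >= 0 && fchown(env_write, pwent->pw_uid, pwent->pw_gid) == -1)
		pam_ssh_log(LOG_ERR, "fchown %s: %s", per_agent, strerror(errno));
	/* the re-borrow must be checked exactly like the first borrow at the top */
	if ((retval = openpam_borrow_cred(pamh, pwent)) != PAM_SUCCESS &&
	    retval != PAM_PERM_DENIED) {
		pam_ssh_log(LOG_ERR, "can't drop privileges: %s",
		    pam_strerror(pamh, retval));
		/* … release env_write/env_read and per_agent as the other error paths do … */
		return retval;
	}
	/* … unchanged: agent start-up … */
```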
@@ -790,7 +793,7 @@
 	for (cp = tty_nodir; (cp = strchr(cp, '/')); )
 		*cp = '_';
 
-	if (asprintf(&per_session, "%s/.ssh/agent-%s-%s", pwent->pw_dir, hname,
+	if (asprintf(&per_session, STATE_DIR "/%s-%s", pwent->pw_name,
 	    tty_nodir) == -1) {
 		pam_ssh_log(LOG_CRIT, "out of memory");
 		free(tty_nodir);
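Review bot: per_session at line 185 is built from tty_nodir, which is derived from the PAM tty or display string supplied by the application, and the link() that uses it later runs with root credentials; the only property keeping that name inside STATE_DIR is the '/'-to-'_' rewrite at lines 181-182, which the code does not say out loud. I would add above the asprintf(): `/* tty_nodir has no '/', so per_session cannot leave STATE_DIR; it is link()ed with root credentials below */`. The rewrite also makes "pts/0" and "pts_0" collide, which looks harmless but is worth a word in the same comment. The enclosing function continues past this hunk.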
@@ -809,10 +812,10 @@
 		return retval;
 	}
 
+	openpam_restore_cred(pamh);
 	unlink(per_session);	/* remove cruft */
 	link(per_agent, per_session);
 
-	openpam_restore_cred(pamh);
 	return PAM_SUCCESS;
 }
 
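Review bot: Now that the unlink()/link() pair at lines 194-195 runs with root credentials restored, a link() failure (for instance STATE_DIR missing after a boot that cleans /var/run) is still swallowed and the function returns PAM_SUCCESS, leaving a session that no per-session file accounts for. At minimum the failure should be logged: `if (link(per_agent, per_session) == -1) pam_ssh_log(LOG_ERR, "link %s: %s", per_session, strerror(errno));`. The unlink() before it only needs a message when errno is not ENOENT, since removing cruft that is not there is the expected case.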
@@ -842,8 +845,11 @@
 	}
 
 	if (pam_get_data(pamh, "ssh_agent_env_session",
-	    (const void **)(void *)&env_file) == PAM_SUCCESS && env_file)
+	    (const void **)(void *)&env_file) == PAM_SUCCESS && env_file) {
+		openpam_restore_cred(pamh);
 		unlink(env_file);
+		openpam_borrow_cred(pamh, pwent);
+	}
 
 	/* Retrieve per-agent filename and check link count.  If it's
            greater than unity, other sessions are still using this
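Review bot: The re-borrow at line 209 ignores its return value, so if openpam_borrow_cred() fails for any reason other than PAM_PERM_DENIED the remainder of pam_sm_close_session — the link-count check in the next hunk and whatever follows it — runs as root without anyone noticing. The check applied on the function's first borrow should be repeated here, e.g. `if ((retval = openpam_borrow_cred(pamh, pwent)) != PAM_SUCCESS && retval != PAM_PERM_DENIED) return retval;` (with a pam_ssh_log() line). unlink()'s result is dropped as well; a failed removal of the per-session file here is exactly the case that leaves the agent orphaned, so it deserves a log line. pam_sm_close_session begins before this hunk.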
@@ -858,7 +864,9 @@
 				openpam_restore_cred(pamh);
 				return PAM_SUCCESS;
 			}
+			openpam_restore_cred(pamh);
 			unlink(env_file);
+			openpam_borrow_cred(pamh, pwent);
 		}
 	}
 
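Review bot: Line 220 repeats the pattern from the previous hunk — restore, unlink, re-borrow with the result dropped — which is now the third copy in this file (lines 170-175 and 207-209 are the others), and each copy carries the same unchecked unlink() and unchecked re-borrow. I would fold the two unlink sites into one static helper that does the privilege dance once and reports the re-borrow failure, so the callers become `if ((retval = unlink_as_root(pamh, pwent, env_file)) != PAM_SUCCESS) return retval;`. pam_sm_close_session begins before this hunk and, judging from the `return PAM_SUCCESS` at line 216, appears to end shortly after it.
```c
/*
 * Remove a state file that lives in the root-owned STATE_DIR: restore the
 * module's root credentials for the unlink, then drop back to the user.
 * Returns PAM_SUCCESS, or the error from openpam_borrow_cred().
 */
static int
unlink_as_root(pam_handle_t *pamh, const struct passwd *pwent, const char *path)
{
	int retval;

	openpam_restore_cred(pamh);
	if (unlink(path) == -1 && errno != ENOENT)
		pam_ssh_log(LOG_ERR, "unlink %s: %s", path, strerror(errno));
	retval = openpam_borrow_cred(pamh, pwent);
	if (retval == PAM_PERM_DENIED)	/* not root: nothing to drop */
		retval = PAM_SUCCESS;
	return retval;
}
```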


--- NEW FILE pam_ssh.spec ---
# pam_ssh: PAM module that authenticates by decrypting the user's SSH keys
# and keeps an ssh-agent alive across PAM sessions (see description below).
Name: pam_ssh
Version: 1.91
Release: 7
Summary: PAM module for use with SSH keys and ssh-agent
Source: http://dl.sourceforge.net/sourceforge/pam-ssh/pam_ssh-%{version}.tar.bz2
URL: http://sourceforge.net/projects/pam-ssh/
# patch0: session functions look the user up with getpwnam() instead of data
#         saved by the auth phase, so the module works as a session-only module.
# patch1: moves the agent state files from ~/.ssh/agent-<hostname>* to
#         /var/run/pam_ssh/<user>*. Those files are created with root
#         credentials restored, so the directory packaged below must stay
#         root-owned and must never be group/world writable.
# patch2: documents the new file location in the man page.
Patch0: pam_ssh-1.91-getpwnam.patch
Patch1: pam_ssh-1.91-var_run.patch
Patch2: pam_ssh-1.91-man_agent_files.diff

License: BSD
BuildRoot:  %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
# ssh-agent and ssh-add come from openssh-clients; pam itself is picked up
# automatically from the shared-library dependency (changelog 1.91-7).
Requires: openssh-clients
BuildRequires: pam-devel, openssh-clients, openssl-devel
Group: System Environment/Base

%description
This PAM module provides single sign-on behavior for UNIX using SSH keys. 
Users are authenticated by decrypting their SSH private keys with the 
password provided. In the first PAM login session phase, an ssh-agent 
process is started and keys are added. The same agent is used for the
following PAM sessions. In any case the appropriate environment variables
are set in the session phase.

%prep
%setup -q
%patch0 -p1
%patch1 -p1
# patch2 was produced against ./pam_ssh.8.old in the source root, hence -p0
%patch2 -p0

%build
%configure
make clean
make %{?_smp_mflags}

%install
rm -rf $RPM_BUILD_ROOT
make install DESTDIR=$RPM_BUILD_ROOT

# Runtime state directory required by patch1 (STATE_DIR there is hard-coded
# to /var/run/pam_ssh, so this only lines up while localstatedir is /var).
# Mode 0755 and root ownership (defattr in the files section) are what make
# creating files in it with root credentials safe.
install -d -m 755 $RPM_BUILD_ROOT/%{_localstatedir}/run/pam_ssh

find $RPM_BUILD_ROOT -type f -name "*.la" -exec rm -f {} ';'

%clean
rm -rf $RPM_BUILD_ROOT

%files
%defattr(-,root,root,-)
%doc AUTHORS NEWS README ChangeLog TODO COPYING
/%{_lib}/security/pam_ssh.so
# pam_ssh.8 (the page patch2 edits); the glob only excludes section 3
%{_mandir}/man[^3]/pam_ssh*
# root-owned, not writable by users: see the install section
%dir %{_localstatedir}/run/pam_ssh

%changelog
* Wed Aug 17 2005 <dumas at centre-cired.fr> 1.91-7
- remove openssh from BuildRequires (Dmitry)
- remove pam from Requires, it is picked up automatically

* Tue Aug 16 2005 <dumas at centre-cired.fr> 1.91-6
- new summary from me and Dmirty
- use Dmitry modified patch1 to let user see the informations in 
  /var/run/pam_ssh/ (modified at my request)
- document the agent environment information files location in
  the man page

* Mon Aug 15 2005 Patrice Dumas <dumas at centre-cired.fr> 1.91-5
- remove gcc-g++ from BuildRequires. Merge description with 
  Dmitry description

* Mon Aug 15 2005 Dmitry Butskoy <Dmitry at Butskoy.name> 1.91-3
- Allow standalone session module (patch0)
- Move runtime state files from ~/.ssh/agent-<hostname>* to
  /var/run/pam_ssh/<user>* . This is an easy way to provide properly
  cleanups after system crash. (patch1)

* Mon Aug 15 2005 Patrice Dumas <dumas at centre-cired.fr> 1.91-2
- correct URL, use upstream source, add COPYING to %doc

* Sat Apr 01 2004 Patrice Dumas <dumas at centre-cired.fr> 1.91-1
- update source

* Mon Mar 15 2004 Patrice Dumas <dumas at centre-cired.fr> 1.9-0.fdr.1
- Use fedora-newrpmspec to update the spec file

* Fri Aug 16 2002 Dumas Patrice <dumas at centre-cired.fr>
- Initial build.


Index: .cvsignore
===================================================================
RCS file: /cvs/extras/rpms/pam_ssh/devel/.cvsignore,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- .cvsignore	26 Aug 2005 08:08:43 -0000	1.1
+++ .cvsignore	26 Aug 2005 08:10:14 -0000	1.2
@@ -0,0 +1 @@
+pam_ssh-1.91.tar.bz2


Index: sources
===================================================================
RCS file: /cvs/extras/rpms/pam_ssh/devel/sources,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- sources	26 Aug 2005 08:08:43 -0000	1.1
+++ sources	26 Aug 2005 08:10:14 -0000	1.2
@@ -0,0 +1 @@
+57a3aa476394efa219a8a99f527d4e4b  pam_ssh-1.91.tar.bz2



