Ticket #9138: sshd_pam.patch

File sshd_pam.patch, 12.0 KB (added by DkSoul, 5 years ago)

Enhanced/Hacked versions of openssh-server and libpam to use with Google Authenticator

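--- a/libs/libpam/Makefile
+++ b/libs/libpam/Makefile
@@ -50,8 +50,6 @@
 	)
 endef
 
-
-
 define Build/InstallDev
 	$(INSTALL_DIR) $(1)/lib
 	$(INSTALL_DIR) $(1)/usr/include
@@ -60,11 +58,14 @@
 endef
 
 define Package/libpam/install
-	$(INSTALL_DIR) $(1)/lib
-	$(INSTALL_DIR) $(1)/etc
+	$(INSTALL_DIR) $(1)/lib $(1)/lib/security $(1)/lib/security/pam_filter
+	$(INSTALL_DIR) $(1)/etc $(1)/etc/pam.d
 	$(INSTALL_DIR) $(1)/usr/sbin
-	$(CP) $(PKG_INSTALL_DIR)/lib/* $(1)/lib/
+	$(CP) $(PKG_INSTALL_DIR)/lib/*.so* $(1)/lib/
+	$(CP) $(PKG_INSTALL_DIR)/lib/security/*.so* $(1)/lib/security/
+	$(CP) $(PKG_INSTALL_DIR)/lib/security/pam_filter/* $(1)/lib/security/pam_filter/
 	$(CP) $(PKG_INSTALL_DIR)/etc/* $(1)/etc/
+	$(CP) ./files/* $(1)/etc/
 	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/* $(1)/usr/sbin/
 endef
 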
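Review bot: The PAM policy files are installed with `$(CP) ./files/* $(1)/etc/` (new line 68), so their on-target permissions are whatever the checkout happens to carry, whereas the openssh Makefile in this same attachment installs sshd.pam with `$(INSTALL_DATA)`. Files under /etc/pam.d decide who gets a shell, so an explicit mode is worth having: `$(INSTALL_DATA) ./files/pam.conf $(1)/etc/` and `$(INSTALL_DATA) ./files/pam.d/* $(1)/etc/pam.d/` would be deterministic and consistent with the other package. Because line 68 runs after `$(CP) $(PKG_INSTALL_DIR)/etc/*` on line 67, anything the upstream build placed under etc/ with the same name is overwritten without notice; a comment such as `# ./files/ deliberately overrides the upstream pam.conf/pam.d` would record that this is intended. If these files are meant to survive sysupgrade they also belong in a `Package/libpam/conffiles` define, which is not visible in these hunks.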
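--- a/libs/libpam/files/pam.d/other
+++ b/libs/libpam/files/pam.d/other
@@ -0,0 +1,16 @@
+#
+# /etc/pam.d/other - specify the PAM fallback behaviour
+#
+# Note that this file is used for any unspecified service; for example
+#if /etc/pam.d/cron  specifies no session modules but cron calls
+#pam_open_session, the session module out of /etc/pam.d/other is
+#used.  If you really want nothing to happen then use pam_permit.so or
+#pam_deny.so as appropriate.
+
+# We fall back to the system default in /etc/pam.d/common-*
+#
+
+auth       include      common-auth
+account    include      common-account
+password   include      common-password
+session    include      common-session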
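--- a/libs/libpam/files/pam.d/common-account
+++ b/libs/libpam/files/pam.d/common-account
@@ -0,0 +1,20 @@
+#
+# /etc/pam.d/common-account - authorization settings common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authorization modules that define
+# the central access policy for use on the system.  The default is to
+# only deny service to users whose accounts are expired in /etc/shadow.
+#
+
+# here are the per-package modules (the "Primary" block)
+account [success=1 new_authtok_reqd=done default=ignore]        pam_unix.so
+# here's the fallback if no module succeeds
+account requisite                       pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+account required                        pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+
+# end of pam-auth-update config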
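--- a/libs/libpam/files/pam.d/common-auth
+++ b/libs/libpam/files/pam.d/common-auth
@@ -0,0 +1,21 @@
+#
+# /etc/pam.d/common-auth - authentication settings common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authentication modules that define
+# the central authentication scheme for use on the system
+# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
+# traditional Unix authentication mechanisms.
+#
+
+# here are the per-package modules (the "Primary" block)
+auth    [success=1 default=ignore]      pam_unix.so nullok_secure
+# here's the fallback if no module succeeds
+auth    requisite                       pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+auth    required                        pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+
+# end of pam-auth-update config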
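Review bot: `nullok_secure` on line 12 is, to my knowledge, an option added by Debian's pam_unix patches rather than by upstream Linux-PAM; if this libpam package builds the upstream source, pam_unix logs it as an unrecognised option and ignores it, and the line then behaves like plain `pam_unix.so` (empty passwords rejected). That is the safer outcome, but it should be a decision rather than an accident, because this stack is what sshd reaches through `auth include common-auth`, and OpenWrt's root account commonly has an empty password field — inferred, not visible on this page. Either drop the option or keep it with a comment, e.g. `# nullok_secure is a Debian extension; with upstream pam_unix it is ignored and blank passwords are refused`, so the next reader knows which behaviour was actually verified.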
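--- a/libs/libpam/files/pam.d/common-password
+++ b/libs/libpam/files/pam.d/common-password
@@ -0,0 +1,28 @@
+#
+# /etc/pam.d/common-password - password-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define the services to be
+# used to change user passwords.  The default is pam_unix.
+
+# Explanation of pam_unix options:
+#
+# The "sha512" option enables salted SHA512 passwords.  Without this option,
+# the default is Unix crypt.  Prior releases used the option "md5".
+#
+# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
+# login.defs.
+#
+# See the pam_unix manpage for other options.
+
+# here are the per-package modules (the "Primary" block)
+password        [success=1 default=ignore]      pam_unix.so obscure sha512
+# here's the fallback if no module succeeds
+password        requisite                       pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+password        required                        pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+
+# end of pam-auth-update config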
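--- a/libs/libpam/files/pam.d/common-session
+++ b/libs/libpam/files/pam.d/common-session
@@ -0,0 +1,25 @@
+#
+# /etc/pam.d/common-session - session-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define tasks to be performed
+# at the start and end of sessions of *any* kind (both interactive and
+# non-interactive).
+#
+
+# here are the per-package modules (the "Primary" block)
+session [default=1]                     pam_permit.so
+# here's the fallback if no module succeeds
+session requisite                       pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+session required                        pam_permit.so
+# The pam_umask module will set the umask according to the system default in
+# /etc/login.defs and user settings, solving the problem of different
+# umask settings with different shells, display managers, remote sessions etc.
+# See "man pam_umask".
+session optional                        pam_umask.so
+# and here are more per-package modules (the "Additional" block)
+session required                        pam_unix.so
+# end of pam-auth-update config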
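--- a/libs/libpam/files/pam.d/common-session-noninteractive
+++ b/libs/libpam/files/pam.d/common-session-noninteractive
@@ -0,0 +1,25 @@
+#
+# /etc/pam.d/common-session-noninteractive - session-related modules
+# common to all non-interactive services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define tasks to be performed
+# at the start and end of all non-interactive sessions.
+#
+
+# here are the per-package modules (the "Primary" block)
+session [default=1]                     pam_permit.so
+# here's the fallback if no module succeeds
+session requisite                       pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+session required                        pam_permit.so
+# The pam_umask module will set the umask according to the system default in
+# /etc/login.defs and user settings, solving the problem of different
+# umask settings with different shells, display managers, remote sessions etc.
+# See "man pam_umask".
+session optional                        pam_umask.so
+# and here are more per-package modules (the "Additional" block)
+session required                        pam_unix.so
+# end of pam-auth-update config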
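--- a/libs/libpam/files/pam.conf
+++ b/libs/libpam/files/pam.conf
@@ -0,0 +1,15 @@
+# ---------------------------------------------------------------------------#
+# /etc/pam.conf                                                              #
+# ---------------------------------------------------------------------------#
+#
+# NOTE
+# ----
+#
+# NOTE: Most program use a file under the /etc/pam.d/ directory to setup their
+# PAM service modules. This file is used only if that directory does not exist.
+# ---------------------------------------------------------------------------#
+
+# Format:
+# serv. module     ctrl       module [path]     ...[args..]                  #
+# name  type       flag                                                      #
+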
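--- a/net/openssh/Makefile
+++ b/net/openssh/Makefile
@@ -112,8 +112,8 @@
 	--disable-wtmpx \
 	--without-bsd-auth \
 	--without-kerberos5 \
-	--without-pam \
-	--without-x
+	--without-x \
+	--with-pam
 
 ifneq ($(CONFIG_SSP_SUPPORT),y)
 CONFIGURE_ARGS += \
@@ -122,6 +122,8 @@
 
 CONFIGURE_VARS += LD="$(TARGET_CC)"
 
+TARGET_LDFLAGS += -lpthread
+
 define Build/Compile
 	$(MAKE) -C $(PKG_BUILD_DIR) \
 		DESTDIR="$(PKG_INSTALL_DIR)" \
@@ -158,6 +160,8 @@
 	chmod 0700 $(1)/etc/ssh
 	$(CP) $(PKG_INSTALL_DIR)/etc/ssh/sshd_config $(1)/etc/ssh/
 	$(CP) $(PKG_INSTALL_DIR)/etc/ssh/moduli $(1)/etc/ssh/
+	$(INSTALL_DIR) $(1)/etc/pam.d
+	$(INSTALL_DATA) ./files/sshd.pam $(1)/etc/pam.d/sshd
 	$(INSTALL_DIR) $(1)/etc/init.d
 	$(INSTALL_BIN) ./files/sshd.init $(1)/etc/init.d/sshd
 	$(INSTALL_DIR) $(1)/usr/sbin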
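Review bot: `--with-pam` (new line 116) only compiles PAM support in; sshd consults /etc/pam.d/sshd only when `UsePAM yes` is set, and upstream's default is `UsePAM no`. The install hunk adds the policy file on new lines 163-164 but line 161 still copies `sshd_config` from the build tree unchanged, so unless that file is adjusted somewhere outside these hunks the new policy is never evaluated, and a challenge-response module such as pam_google_authenticator additionally needs `ChallengeResponseAuthentication yes`. Shipping an sshd_config with both settings, or editing the copied one in the recipe, is the missing step, and `/etc/pam.d/sshd` should be added to the package's conffiles define, which is not visible here. `TARGET_LDFLAGS += -lpthread` on line 125 exists for the 250-pthread-hack patch further down the page, which turns on a mode auth-pam.c itself describes as unsupported; a comment next to the flag naming that patch would explain why the link flag is there. The install define that new lines 160-167 belong to starts outside this hunk.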
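--- a/net/openssh/files/sshd.pam
+++ b/net/openssh/files/sshd.pam
@@ -0,0 +1,41 @@
+# PAM configuration for the Secure Shell service
+
+# Read environment variables from /etc/environment and
+# /etc/security/pam_env.conf.
+auth       required     pam_env.so
+
+# Skip Google Authenticator if logging in from the local network.
+# auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-sshd-local.conf
+# Google Authenticator 2-step verification.
+# auth       requisite    pam_google_authenticator.so
+
+# Standard Un*x authentication.
+auth       include      common-auth
+
+# Disallow non-root logins when /etc/nologin exists.
+account    required     pam_nologin.so
+
+# Uncomment and edit /etc/security/access.conf if you need to set complex
+# access limits that are hard to express in sshd_config.
+# account    required     pam_access.so
+
+# Standard Un*x authorization.
+account    include      common-account
+
+# Standard Un*x session setup and teardown.
+session    include      common-session
+
+# Print the message of the day upon successful login.
+session    optional     pam_motd.so
+
+# Print the status of the user's mailbox upon successful login.
+session    optional     pam_mail.so standard noenv
+
+# Set up user limits from /etc/security/limits.conf.
+session    required     pam_limits.so
+
+# Set up SELinux capabilities (need modified pam)
+# session    required     pam_selinux.so multiple
+
+# Standard Un*x password updating.
+password   include      common-password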
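Review bot: Both Google Authenticator entries are commented out (lines 8 and 10), so the policy as shipped authenticates through `common-auth` alone even though the attachment is described as a Google Authenticator enablement; the header should say so, e.g. `# pam_google_authenticator.so is NOT enabled by default: uncomment line 10 and set ChallengeResponseAuthentication yes in sshd_config to require it`. Line 8 points pam_access at /etc/security/access-sshd-local.conf, a file no hunk on this page installs, so whoever uncomments it without creating that file gets a failing module rather than the intended local-network skip; a comment saying the file must be created first would prevent that. Line 38 keeps a commented-out pam_selinux entry that nothing on this page builds, and dormant entries in an authentication policy tend to get uncommented later, so either remove it or mark it unsupported on this platform. Keeping the GA line as `requisite` ahead of `common-auth`, as written, is the fail-closed ordering and deserves a one-line comment so a later edit does not move it after the password check.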
  • net/openssh/patches/250-pthread-hack

     
     1--- a/auth-pam.c 
     2+++ b/auth-pam.c 
     3@@ -108,6 +108,8 @@ 
     4 # error "USE_POSIX_THREADS replaced by UNSUPPORTED_POSIX_THREADS_HACK" 
     5 #endif 
     6  
     7+#define UNSUPPORTED_POSIX_THREADS_HACK 1 
     8+ 
     9 /* 
     10  * Formerly known as USE_POSIX_THREADS, using this is completely unsupported 
     11  * and generally a bad idea.  Use at own risk and do not expect support if