author | Kevin Steves <stevesk@pobox.com> | 2002-07-21 17:57:01 +0000 |
---|---|---|
committer | Kevin Steves <stevesk@pobox.com> | 2002-07-21 17:57:01 +0000 |
commit | 63007d42ee68157abc5a31a5003dae4448b03f7b (patch) | |
tree | 866c038236913115d40fd6232ca1cfd34c7ad5bb | |
parent | 6cdecd0892b9b9a7a8e3e3917272d04727eb82fa (diff) |
- (stevesk) [auth-pam.c] merge rest of solar's PAM patch;
PAM_NEW_AUTHTOK_REQD remains in #if 0 for now.
-rw-r--r-- | ChangeLog | 4 | ||||
-rw-r--r-- | auth-pam.c | 26 |
2 files changed, 27 insertions, 3 deletions
@@ -1,6 +1,8 @@ | |||
1 | 20020721 | 1 | 20020721 |
2 | - (stevesk) [auth-pam.c] merge cosmetic changes from solar's | 2 | - (stevesk) [auth-pam.c] merge cosmetic changes from solar's |
3 | openssh-3.4p1-owl-password-changing.diff | 3 | openssh-3.4p1-owl-password-changing.diff |
4 | - (stevesk) [auth-pam.c] merge rest of solar's PAM patch; | ||
5 | PAM_NEW_AUTHTOK_REQD remains in #if 0 for now. | ||
4 | 6 | ||
5 | 20020720 | 7 | 20020720 |
6 | - (stevesk) [ssh-keygen.c] bug #231: always init/seed_rng(). | 8 | - (stevesk) [ssh-keygen.c] bug #231: always init/seed_rng(). |
@@ -1401,4 +1403,4 @@ | |||
1401 | - (stevesk) entropy.c: typo in debug message | 1403 | - (stevesk) entropy.c: typo in debug message |
1402 | - (djm) ssh-keygen -i needs seeded RNG; report from markus@ | 1404 | - (djm) ssh-keygen -i needs seeded RNG; report from markus@ |
1403 | 1405 | ||
1404 | $Id: ChangeLog,v 1.2381 2002/07/21 17:26:54 stevesk Exp $ | 1406 | $Id: ChangeLog,v 1.2382 2002/07/21 17:57:01 stevesk Exp $ |
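--- a/auth-pam.c
+++ b/auth-pam.c
@@ -29,6 +29,7 @@
 #include "xmalloc.h"
 #include "log.h"
 #include "auth.h"
+#include "auth-options.h"
 #include "auth-pam.h"
 #include "servconf.h"
 #include "canohost.h"
@@ -36,10 +37,14 @@
 
 extern char *__progname;
 
-RCSID("$Id: auth-pam.c,v 1.48 2002/07/21 17:26:54 stevesk Exp $");
+extern int use_privsep;
+
+RCSID("$Id: auth-pam.c,v 1.49 2002/07/21 17:57:01 stevesk Exp $");
 
 #define NEW_AUTHTOK_MSG \
 	"Warning: Your password has expired, please change it now."
+#define NEW_AUTHTOK_MSG_PRIVSEP \
+	"Your password has expired, the session cannot proceed."
 
 static int do_pam_conversation(int num_msg, const struct pam_message **msg,
 	struct pam_response **resp, void *appdata_ptr);
@@ -254,9 +259,14 @@ int do_pam_account(char *username, char *remote_user)
 		break;
 #if 0
 	case PAM_NEW_AUTHTOK_REQD:
-		message_cat(&__pam_msg, NEW_AUTHTOK_MSG);
+		message_cat(&__pam_msg, use_privsep ?
+		    NEW_AUTHTOK_MSG_PRIVSEP : NEW_AUTHTOK_MSG);
 		/* flag that password change is necessary */
 		password_change_required = 1;
+		/* disallow other functionality for now */
+		no_port_forwarding_flag |= 2;
+		no_agent_forwarding_flag |= 2;
+		no_x11_forwarding_flag |= 2;
 		break;
 #endif
 	default:
@@ -335,11 +345,23 @@ void do_pam_chauthtok(void)
 	do_pam_set_conv(&conv);
 
 	if (password_change_required) {
+		if (use_privsep)
+			fatal("Password changing is currently unsupported"
+			    " with privilege separation");
 		pamstate = OTHER;
 		pam_retval = pam_chauthtok(__pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
 		if (pam_retval != PAM_SUCCESS)
 			fatal("PAM pam_chauthtok failed[%d]: %.200s",
 			    pam_retval, PAM_STRERROR(__pamh, pam_retval));
+#if 0
+		/* XXX: This would need to be done in the parent process,
+		 * but there's currently no way to pass such request. */
+		no_port_forwarding_flag &= ~2;
+		no_agent_forwarding_flag &= ~2;
+		no_x11_forwarding_flag &= ~2;
+		if (!no_port_forwarding_flag && options.allow_tcp_forwarding)
+			channel_permit_all_opens();
+#endif
 	}
 }
 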
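Review bot: The new restriction bits in do_pam_account (`no_port_forwarding_flag |= 2;` and the two lines that follow it) and their clearing in do_pam_chauthtok (`no_port_forwarding_flag &= ~2;` and the next two) rely on the bare value 2 to tell a PAM-imposed restriction apart from whatever sets bit 1, presumably the authorized_keys options handled through the newly included auth-options.h; a named constant declared next to the flags, e.g. `#define FORWARD_DENIED_BY_PAM 2` (a suggested name), with a one-line comment at the first use would make the bit layout explicit. Both the setting and the clearing sit inside `#if 0`, so they should be enabled together: enabling only the do_pam_account block would leave forwarding disabled for the rest of the session even after pam_chauthtok succeeds in the non-privsep path. The `use_privsep` check placed before pam_chauthtok makes the expired-password case fail closed under privilege separation, which is consistent with NEW_AUTHTOK_MSG_PRIVSEP telling the user the session cannot proceed. Both do_pam_account and do_pam_chauthtok begin before their hunks, and do_pam_account continues after its hunk.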