- (stevesk) [auth-pam.c] merge rest of solar's PAM patch;

   PAM_NEW_AUTHTOK_REQD remains in #if 0 for now.

2 files changed, 27 insertions, 3 deletions

diff --git a/ChangeLog b/ChangeLog
index 702b6b6db..440aa914f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,8 @@
 20020721
  - (stevesk) [auth-pam.c] merge cosmetic changes from solar's
    openssh-3.4p1-owl-password-changing.diff
+ - (stevesk) [auth-pam.c] merge rest of solar's PAM patch;
+   PAM_NEW_AUTHTOK_REQD remains in #if 0 for now.
 
 20020720
  - (stevesk) [ssh-keygen.c] bug #231: always init/seed_rng().
@@ -1401,4 +1403,4 @@
  - (stevesk) entropy.c: typo in debug message
  - (djm) ssh-keygen -i needs seeded RNG; report from markus@
 
-$Id: ChangeLog,v 1.2381 2002/07/21 17:26:54 stevesk Exp $
+$Id: ChangeLog,v 1.2382 2002/07/21 17:57:01 stevesk Exp $
diff --git a/auth-pam.c b/auth-pam.c
index f31641c28..22807f1a9 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -29,6 +29,7 @@
 #include "xmalloc.h"
 #include "log.h"
 #include "auth.h"
+#include "auth-options.h"
 #include "auth-pam.h"
 #include "servconf.h"
 #include "canohost.h"
@@ -36,10 +37,14 @@
 
 extern char *__progname;
 
-RCSID("$Id: auth-pam.c,v 1.48 2002/07/21 17:26:54 stevesk Exp $");
+extern int use_privsep;
+
+RCSID("$Id: auth-pam.c,v 1.49 2002/07/21 17:57:01 stevesk Exp $");
 
 #define NEW_AUTHTOK_MSG \
         "Warning: Your password has expired, please change it now."
+#define NEW_AUTHTOK_MSG_PRIVSEP \
+        "Your password has expired, the session cannot proceed."
 
 static int do_pam_conversation(int num_msg, const struct pam_message **msg,
         struct pam_response **resp, void *appdata_ptr);
@@ -254,9 +259,14 @@ int do_pam_account(char *username, char *remote_user)
                         break;
 #if 0
                 case PAM_NEW_AUTHTOK_REQD:
-                        message_cat(&__pam_msg, NEW_AUTHTOK_MSG);
+                        message_cat(&__pam_msg, use_privsep ?
+                            NEW_AUTHTOK_MSG_PRIVSEP : NEW_AUTHTOK_MSG);
                         /* flag that password change is necessary */
                         password_change_required = 1;
+                        /* disallow other functionality for now */
+                        no_port_forwarding_flag |= 2;
+                        no_agent_forwarding_flag |= 2;
+                        no_x11_forwarding_flag |= 2;
                         break;
 #endif
                 default:
@@ -335,11 +345,23 @@ void do_pam_chauthtok(void)
         do_pam_set_conv(&conv);
 
         if (password_change_required) {
+                if (use_privsep)
+                        fatal("Password changing is currently unsupported"
+                            " with privilege separation");
                 pamstate = OTHER;
                 pam_retval = pam_chauthtok(__pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
                 if (pam_retval != PAM_SUCCESS)
                         fatal("PAM pam_chauthtok failed[%d]: %.200s",
                             pam_retval, PAM_STRERROR(__pamh, pam_retval));
+#if 0
+                /* XXX: This would need to be done in the parent process,
+                 * but there's currently no way to pass such request. */
+                no_port_forwarding_flag &= ~2;
+                no_agent_forwarding_flag &= ~2;
+                no_x11_forwarding_flag &= ~2;
+                if (!no_port_forwarding_flag && options.allow_tcp_forwarding)
+                        channel_permit_all_opens();
+#endif
         }
 }