- (djm) Add Steve VanDevender's <stevev@darkwing.uoregon.edu> PAM

   password change patch.
 - (djm) Bring licenses on my stuff in line with OpenBSD's

10 files changed, 102 insertions, 79 deletions

diff --git a/ChangeLog b/ChangeLog
index a8707f45c..5db81bca8 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,7 @@
 20000916
+ - (djm) Add Steve VanDevender's <stevev@darkwing.uoregon.edu> PAM 
+   password change patch.
+ - (djm) Bring licenses on my stuff in line with OpenBSD's
  - (djm) Cleanup auth-passwd.c and unify HP/UX authentication. Patch from
    Kevin Steves <stevesk@sweden.hp.com>
  - (djm) Shadow expiry check fix from Pavel Troller <patrol@omni.sinus.cz>
diff --git a/auth-pam.c b/auth-pam.c
index e2bac9e88..5914cab17 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -9,11 +9,6 @@
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *      This product includes software developed by Markus Friedl.
- * 4. The name of the author may not be used to endorse or promote products
- *    derived from this software without specific prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
@@ -34,10 +29,10 @@
 #include "xmalloc.h"
 #include "servconf.h"
 
-RCSID("$Id: auth-pam.c,v 1.12 2000/08/29 22:57:50 djm Exp $");
+RCSID("$Id: auth-pam.c,v 1.13 2000/09/16 05:09:27 djm Exp $");
 
 #define NEW_AUTHTOK_MSG \
-        "Warning: You password has expired, please change it now"
+        "Warning: Your password has expired, please change it now"
 
 /* Callbacks */
 static int pamconv(int num_msg, const struct pam_message **msg,
@@ -50,40 +45,72 @@ static struct pam_conv conv = {
         pamconv,
         NULL
 };
-static struct pam_handle_t *pamh = NULL;
+static pam_handle_t *pamh = NULL;
 static const char *pampasswd = NULL;
 static char *pam_msg = NULL;
 
-/* PAM conversation function. This is really a kludge to get the password */
-/* into PAM and to pick up any messages generated by PAM into pamconv_msg */
+/* states for pamconv() */
+typedef enum { INITIAL_LOGIN, OTHER } pamstates;
+static pamstates pamstate = INITIAL_LOGIN;
+/* remember whether pam_acct_mgmt() returned PAM_NEWAUTHTOK_REQD */
+static int password_change_required = 0;
+
+/*
+ * PAM conversation function.
+ * There are two states this can run in.
+ *
+ * INITIAL_LOGIN mode simply feeds the password from the client into
+ * PAM in response to PAM_PROMPT_ECHO_OFF, and collects output
+ * messages with pam_msg_cat().  This is used during initial
+ * authentication to bypass the normal PAM password prompt.
+ *
+ * OTHER mode handles PAM_PROMPT_ECHO_OFF with read_passphrase(prompt, 1)
+ * and outputs messages to stderr. This mode is used if pam_chauthtok()
+ * is called to update expired passwords.
+ */
 static int pamconv(int num_msg, const struct pam_message **msg,
         struct pam_response **resp, void *appdata_ptr)
 {
         struct pam_response *reply;
         int count;
+        char buf[1024];
 
         /* PAM will free this later */
         reply = malloc(num_msg * sizeof(*reply));
         if (reply == NULL)
                 return PAM_CONV_ERR; 
 
-        for(count = 0; count < num_msg; count++) {
-                switch (msg[count]->msg_style) {
+        for (count = 0; count < num_msg; count++) {
+                switch ((*msg)[count].msg_style) {
+                        case PAM_PROMPT_ECHO_ON:
+                                fputs((*msg)[count].msg, stderr);
+                                fgets(buf, sizeof(buf), stdin);
+                                reply[count].resp = xstrdup(buf);
+                                reply[count].resp_retcode = PAM_SUCCESS;
+                                break;
                         case PAM_PROMPT_ECHO_OFF:
-                                if (pampasswd == NULL) {
-                                        free(reply);
-                                        return PAM_CONV_ERR;
-                                }
+                                if (pamstate == INITIAL_LOGIN) {
+                                        if (pampasswd == NULL) {
+                                                free(reply);
+                                                return PAM_CONV_ERR;
+                                        }
+                                        reply[count].resp = xstrdup(pampasswd);
+                                } else
+                                        reply[count].resp = xstrdup(read_passphrase((*msg)[count].msg, 1));
                                 reply[count].resp_retcode = PAM_SUCCESS;
-                                reply[count].resp = xstrdup(pampasswd);
                                 break;
+                        case PAM_ERROR_MSG:
                         case PAM_TEXT_INFO:
-                                reply[count].resp_retcode = PAM_SUCCESS;
+                                if ((*msg)[count].msg != NULL) {
+                                        if (pamstate == INITIAL_LOGIN)
+                                                pam_msg_cat((*msg)[count].msg);
+                                        else {
+                                                fputs((*msg)[count].msg, stderr);
+                                                fputs("\n", stderr);
+                                        }
+                                }
                                 reply[count].resp = xstrdup("");
-
-                                if (msg[count]->msg != NULL)
-                                        pam_msg_cat(msg[count]->msg);
-
+                                reply[count].resp_retcode = PAM_SUCCESS;
                                 break;
                         default:
                                 free(reply);
@@ -103,22 +130,22 @@ void pam_cleanup_proc(void *context)
 
         if (pamh != NULL)
         {
-                pam_retval = pam_close_session((pam_handle_t *)pamh, 0);
+                pam_retval = pam_close_session(pamh, 0);
                 if (pam_retval != PAM_SUCCESS) {
                         log("Cannot close PAM session: %.200s", 
-                                PAM_STRERROR((pam_handle_t *)pamh, pam_retval));
+                                PAM_STRERROR(pamh, pam_retval));
                 }
 
-                pam_retval = pam_setcred((pam_handle_t *)pamh, PAM_DELETE_CRED);
+                pam_retval = pam_setcred(pamh, PAM_DELETE_CRED);
                 if (pam_retval != PAM_SUCCESS) {
                         debug("Cannot delete credentials: %.200s", 
-                                PAM_STRERROR((pam_handle_t *)pamh, pam_retval));
+                                PAM_STRERROR(pamh, pam_retval));
                 }
 
-                pam_retval = pam_end((pam_handle_t *)pamh, pam_retval);
+                pam_retval = pam_end(pamh, pam_retval);
                 if (pam_retval != PAM_SUCCESS) {
                         log("Cannot release PAM authentication: %.200s", 
-                                PAM_STRERROR((pam_handle_t *)pamh, pam_retval));
+                                PAM_STRERROR(pamh, pam_retval));
                 }
         }
 }
@@ -139,14 +166,15 @@ int auth_pam_password(struct passwd *pw, const char *password)
 
         pampasswd = password;
         
-        pam_retval = pam_authenticate((pam_handle_t *)pamh, 0);
+        pamstate = INITIAL_LOGIN;
+        pam_retval = pam_authenticate(pamh, 0);
         if (pam_retval == PAM_SUCCESS) {
                 debug("PAM Password authentication accepted for user \"%.100s\"", 
                         pw->pw_name);
                 return 1;
         } else {
                 debug("PAM Password authentication for \"%.100s\" failed: %s", 
-                        pw->pw_name, PAM_STRERROR((pam_handle_t *)pamh, pam_retval));
+                        pw->pw_name, PAM_STRERROR(pamh, pam_retval));
                 return 0;
         }
 }
@@ -157,33 +185,35 @@ int do_pam_account(char *username, char *remote_user)
         int pam_retval;
         
         debug("PAM setting rhost to \"%.200s\"", get_canonical_hostname());
-        pam_retval = pam_set_item((pam_handle_t *)pamh, PAM_RHOST, 
+        pam_retval = pam_set_item(pamh, PAM_RHOST, 
                 get_canonical_hostname());
         if (pam_retval != PAM_SUCCESS) {
                 fatal("PAM set rhost failed: %.200s", 
-                        PAM_STRERROR((pam_handle_t *)pamh, pam_retval));
+                        PAM_STRERROR(pamh, pam_retval));
         }
 
         if (remote_user != NULL) {
                 debug("PAM setting ruser to \"%.200s\"", remote_user);
-                pam_retval = pam_set_item((pam_handle_t *)pamh, PAM_RUSER, remote_user);
+                pam_retval = pam_set_item(pamh, PAM_RUSER, remote_user);
                 if (pam_retval != PAM_SUCCESS) {
                         fatal("PAM set ruser failed: %.200s", 
-                                PAM_STRERROR((pam_handle_t *)pamh, pam_retval));
+                                PAM_STRERROR(pamh, pam_retval));
                 }
         }
 
-        pam_retval = pam_acct_mgmt((pam_handle_t *)pamh, 0);
+        pam_retval = pam_acct_mgmt(pamh, 0);
         switch (pam_retval) {
                 case PAM_SUCCESS:
                         /* This is what we want */
                         break;
                 case PAM_NEW_AUTHTOK_REQD:
                         pam_msg_cat(NEW_AUTHTOK_MSG);
+                        /* flag that password change is necessary */
+                        password_change_required = 1;
                         break;
                 default:
                         log("PAM rejected by account configuration: %.200s", 
-                                PAM_STRERROR((pam_handle_t *)pamh, pam_retval));
+                                PAM_STRERROR(pamh, pam_retval));
                         return(0);
         }
         
@@ -197,17 +227,17 @@ void do_pam_session(char *username, const char *ttyname)
 
         if (ttyname != NULL) {
                 debug("PAM setting tty to \"%.200s\"", ttyname);
-                pam_retval = pam_set_item((pam_handle_t *)pamh, PAM_TTY, ttyname);
+                pam_retval = pam_set_item(pamh, PAM_TTY, ttyname);
                 if (pam_retval != PAM_SUCCESS) {
                         fatal("PAM set tty failed: %.200s", 
-                                PAM_STRERROR((pam_handle_t *)pamh, pam_retval));
+                                PAM_STRERROR(pamh, pam_retval));
                 }
         }
 
-        pam_retval = pam_open_session((pam_handle_t *)pamh, 0);
+        pam_retval = pam_open_session(pamh, 0);
         if (pam_retval != PAM_SUCCESS) {
                 fatal("PAM session setup failed: %.200s", 
-                        PAM_STRERROR((pam_handle_t *)pamh, pam_retval));
+                        PAM_STRERROR(pamh, pam_retval));
         }
 }
 
@@ -217,10 +247,28 @@ void do_pam_setcred()
         int pam_retval;
  
         debug("PAM establishing creds");
-        pam_retval = pam_setcred((pam_handle_t *)pamh, PAM_ESTABLISH_CRED);
+        pam_retval = pam_setcred(pamh, PAM_ESTABLISH_CRED);
         if (pam_retval != PAM_SUCCESS) {
                 fatal("PAM setcred failed: %.200s", 
-                        PAM_STRERROR((pam_handle_t *)pamh, pam_retval));
+                        PAM_STRERROR(pamh, pam_retval));
+        }
+}
+
+/* 
+ * Have user change authentication token if pam_acct_mgmt() indicated
+ * it was expired.  This needs to be called after an interactive
+ * session is established and the user's pty is connected to
+ * stdin/stout/stderr.
+ */
+void do_pam_chauthtok()
+{
+        int pam_retval;
+
+        if (password_change_required) {
+                pamstate = OTHER;
+                do {
+                        pam_retval = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
+                } while (pam_retval != PAM_SUCCESS);
         }
 }
 
@@ -238,12 +286,11 @@ void start_pam(struct passwd *pw)
 
         debug("Starting up PAM with username \"%.200s\"", pw->pw_name);
 
-        pam_retval = pam_start(SSHD_PAM_SERVICE, pw->pw_name, &conv, 
-                (pam_handle_t**)&pamh);
+        pam_retval = pam_start(SSHD_PAM_SERVICE, pw->pw_name, &conv, &pamh);
 
         if (pam_retval != PAM_SUCCESS) {
                 fatal("PAM initialisation failed: %.200s", 
-                        PAM_STRERROR((pam_handle_t *)pamh, pam_retval));
+                        PAM_STRERROR(pamh, pam_retval));
         }
 
 #ifdef PAM_TTY_KLUDGE
@@ -254,10 +301,10 @@ void start_pam(struct passwd *pw)
          * not even need one (for tty-less connections)
          * Kludge: Set a fake PAM_TTY 
          */
-        pam_retval = pam_set_item((pam_handle_t *)pamh, PAM_TTY, "ssh");
+        pam_retval = pam_set_item(pamh, PAM_TTY, "ssh");
         if (pam_retval != PAM_SUCCESS) {
                 fatal("PAM set tty failed: %.200s", 
-                        PAM_STRERROR((pam_handle_t *)pamh, pam_retval));
+                        PAM_STRERROR(pamh, pam_retval));
         }
 #endif /* PAM_TTY_KLUDGE */
 
@@ -268,7 +315,7 @@ void start_pam(struct passwd *pw)
 char **fetch_pam_environment(void)
 {
 #ifdef HAVE_PAM_GETENVLIST
-        return(pam_getenvlist((pam_handle_t *)pamh));
+        return(pam_getenvlist(pamh));
 #else /* HAVE_PAM_GETENVLIST */
         return(NULL);
 #endif /* HAVE_PAM_GETENVLIST */
diff --git a/auth-pam.h b/auth-pam.h
index 191d80ca6..f537fe7ba 100644
--- a/auth-pam.h
+++ b/auth-pam.h
@@ -11,5 +11,6 @@ int do_pam_account(char *username, char *remote_user);
 void do_pam_session(char *username, const char *ttyname);
 void do_pam_setcred();
 void print_pam_messages(void);
+void do_pam_chauthtok();
 
 #endif /* USE_PAM */
diff --git a/bsd-arc4random.c b/bsd-arc4random.c
index 86d158243..fb378d848 100644
--- a/bsd-arc4random.c
+++ b/bsd-arc4random.c
@@ -9,11 +9,6 @@
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *      This product includes software developed by Markus Friedl.
- * 4. The name of the author may not be used to endorse or promote products
- *    derived from this software without specific prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
diff --git a/bsd-arc4random.h b/bsd-arc4random.h
index c6ccd35f2..9819b848c 100644
--- a/bsd-arc4random.h
+++ b/bsd-arc4random.h
@@ -9,11 +9,6 @@
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *      This product includes software developed by Markus Friedl.
- * 4. The name of the author may not be used to endorse or promote products
- *    derived from this software without specific prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
diff --git a/bsd-misc.c b/bsd-misc.c
index 67614eb76..6059f5d39 100644
--- a/bsd-misc.c
+++ b/bsd-misc.c
@@ -9,11 +9,6 @@
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *      This product includes software developed by Markus Friedl.
- * 4. The name of the author may not be used to endorse or promote products
- *    derived from this software without specific prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
diff --git a/bsd-misc.h b/bsd-misc.h
index aea285c8d..477048b74 100644
--- a/bsd-misc.h
+++ b/bsd-misc.h
@@ -9,11 +9,6 @@
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *      This product includes software developed by Markus Friedl.
- * 4. The name of the author may not be used to endorse or promote products
- *    derived from this software without specific prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
diff --git a/entropy.c b/entropy.c
index aa62650a2..6a64963ab 100644
--- a/entropy.c
+++ b/entropy.c
@@ -9,11 +9,6 @@
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *      This product includes software developed by Markus Friedl.
- * 4. The name of the author may not be used to endorse or promote products
- *    derived from this software without specific prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
@@ -40,7 +35,7 @@
 # include <floatingpoint.h>
 #endif /* HAVE_FLOATINGPOINT_H */
 
-RCSID("$Id: entropy.c,v 1.18 2000/07/15 04:59:15 djm Exp $");
+RCSID("$Id: entropy.c,v 1.19 2000/09/16 05:09:28 djm Exp $");
 
 #ifndef offsetof
 # define offsetof(type, member) ((size_t) &((type *)0)->member)
diff --git a/entropy.h b/entropy.h
index a6f7bfc60..b145f7c6d 100644
--- a/entropy.h
+++ b/entropy.h
@@ -9,11 +9,6 @@
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *      This product includes software developed by Markus Friedl.
- * 4. The name of the author may not be used to endorse or promote products
- *    derived from this software without specific prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
diff --git a/session.c b/session.c
index 0cc919c6b..296dfadec 100644
--- a/session.c
+++ b/session.c
@@ -729,6 +729,8 @@ do_login(Session *s)
 
 #ifdef USE_PAM
         print_pam_messages();
+        /* If password change is needed, do it now. */
+        do_pam_chauthtok();
 #endif /* USE_PAM */
 #ifdef WITH_AIXAUTHENTICATE
         if (aixloginmsg && *aixloginmsg)