summaryrefslogtreecommitdiff
path: root/auth-pam.c
diff options
context:
space:
mode:
authorColin Watson <cjwatson@debian.org>2004-03-05 16:26:32 +0000
committerColin Watson <cjwatson@debian.org>2004-03-05 16:26:32 +0000
commit9414b9d65cdc953c2436ba0a607b149e4b4cde1a (patch)
treeb17f98ded50ec565754e1a1dd6a16d7ee5739afe /auth-pam.c
parentf8e0d0cb8e77672526baf211bda0b4baae557d33 (diff)
Really pick up upstream fix for OpenSSH bug #808, a segfault. The previous
auth-pam.c change was in fact a different bug.
Diffstat (limited to 'auth-pam.c')
-rw-r--r--auth-pam.c27
1 files changed, 16 insertions, 11 deletions
diff --git a/auth-pam.c b/auth-pam.c
index 15a691b11..d3186372e 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -160,7 +160,7 @@ static int sshpam_session_open = 0;
160static int sshpam_cred_established = 0; 160static int sshpam_cred_established = 0;
161static int sshpam_account_status = -1; 161static int sshpam_account_status = -1;
162static char **sshpam_env = NULL; 162static char **sshpam_env = NULL;
163static int *force_pwchange; 163static Authctxt *the_authctxt = NULL;
164 164
165/* Some PAM implementations don't implement this */ 165/* Some PAM implementations don't implement this */
166#ifndef HAVE_PAM_GETENVLIST 166#ifndef HAVE_PAM_GETENVLIST
@@ -180,7 +180,9 @@ void
180pam_password_change_required(int reqd) 180pam_password_change_required(int reqd)
181{ 181{
182 debug3("%s %d", __func__, reqd); 182 debug3("%s %d", __func__, reqd);
183 *force_pwchange = reqd; 183 if (the_authctxt == NULL)
184 fatal("%s: PAM authctxt not initialized", __func__);
185 the_authctxt->force_pwchange = reqd;
184 if (reqd) { 186 if (reqd) {
185 no_port_forwarding_flag |= 2; 187 no_port_forwarding_flag |= 2;
186 no_agent_forwarding_flag |= 2; 188 no_agent_forwarding_flag |= 2;
@@ -337,6 +339,9 @@ sshpam_thread(void *ctxtp)
337 sshpam_conv.conv = sshpam_thread_conv; 339 sshpam_conv.conv = sshpam_thread_conv;
338 sshpam_conv.appdata_ptr = ctxt; 340 sshpam_conv.appdata_ptr = ctxt;
339 341
342 if (the_authctxt == NULL)
343 fatal("%s: PAM authctxt not initialized", __func__);
344
340 buffer_init(&buffer); 345 buffer_init(&buffer);
341 sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, 346 sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
342 (const void *)&sshpam_conv); 347 (const void *)&sshpam_conv);
@@ -349,7 +354,7 @@ sshpam_thread(void *ctxtp)
349 if (compat20) { 354 if (compat20) {
350 if (!do_pam_account()) 355 if (!do_pam_account())
351 goto auth_fail; 356 goto auth_fail;
352 if (*force_pwchange) { 357 if (the_authctxt->force_pwchange) {
353 sshpam_err = pam_chauthtok(sshpam_handle, 358 sshpam_err = pam_chauthtok(sshpam_handle,
354 PAM_CHANGE_EXPIRED_AUTHTOK); 359 PAM_CHANGE_EXPIRED_AUTHTOK);
355 if (sshpam_err != PAM_SUCCESS) 360 if (sshpam_err != PAM_SUCCESS)
@@ -363,7 +368,7 @@ sshpam_thread(void *ctxtp)
363#ifndef USE_POSIX_THREADS 368#ifndef USE_POSIX_THREADS
364 /* Export variables set by do_pam_account */ 369 /* Export variables set by do_pam_account */
365 buffer_put_int(&buffer, sshpam_account_status); 370 buffer_put_int(&buffer, sshpam_account_status);
366 buffer_put_int(&buffer, *force_pwchange); 371 buffer_put_int(&buffer, the_authctxt->force_pwchange);
367 372
368 /* Export any environment strings set in child */ 373 /* Export any environment strings set in child */
369 for(i = 0; environ[i] != NULL; i++) 374 for(i = 0; environ[i] != NULL; i++)
@@ -444,11 +449,11 @@ sshpam_cleanup(void)
444} 449}
445 450
446static int 451static int
447sshpam_init(const char *user) 452sshpam_init(Authctxt *authctxt)
448{ 453{
449 extern u_int utmp_len; 454 extern u_int utmp_len;
450 extern char *__progname; 455 extern char *__progname;
451 const char *pam_rhost, *pam_user; 456 const char *pam_rhost, *pam_user, *user = authctxt->user;
452 457
453 if (sshpam_handle != NULL) { 458 if (sshpam_handle != NULL) {
454 /* We already have a PAM context; check if the user matches */ 459 /* We already have a PAM context; check if the user matches */
@@ -462,6 +467,8 @@ sshpam_init(const char *user)
462 debug("PAM: initializing for \"%s\"", user); 467 debug("PAM: initializing for \"%s\"", user);
463 sshpam_err = 468 sshpam_err =
464 pam_start(SSHD_PAM_SERVICE, user, &null_conv, &sshpam_handle); 469 pam_start(SSHD_PAM_SERVICE, user, &null_conv, &sshpam_handle);
470 the_authctxt = authctxt;
471
465 if (sshpam_err != PAM_SUCCESS) { 472 if (sshpam_err != PAM_SUCCESS) {
466 pam_end(sshpam_handle, sshpam_err); 473 pam_end(sshpam_handle, sshpam_err);
467 sshpam_handle = NULL; 474 sshpam_handle = NULL;
@@ -504,7 +511,7 @@ sshpam_init_ctx(Authctxt *authctxt)
504 return NULL; 511 return NULL;
505 512
506 /* Initialize PAM */ 513 /* Initialize PAM */
507 if (sshpam_init(authctxt->user) == -1) { 514 if (sshpam_init(authctxt) == -1) {
508 error("PAM: initialization failed"); 515 error("PAM: initialization failed");
509 return (NULL); 516 return (NULL);
510 } 517 }
@@ -512,8 +519,6 @@ sshpam_init_ctx(Authctxt *authctxt)
512 ctxt = xmalloc(sizeof *ctxt); 519 ctxt = xmalloc(sizeof *ctxt);
513 memset(ctxt, 0, sizeof(*ctxt)); 520 memset(ctxt, 0, sizeof(*ctxt));
514 521
515 force_pwchange = &(authctxt->force_pwchange);
516
517 /* Start the authentication thread */ 522 /* Start the authentication thread */
518 if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC, socks) == -1) { 523 if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC, socks) == -1) {
519 error("PAM: failed create sockets: %s", strerror(errno)); 524 error("PAM: failed create sockets: %s", strerror(errno));
@@ -672,12 +677,12 @@ KbdintDevice mm_sshpam_device = {
672 * This replaces auth-pam.c 677 * This replaces auth-pam.c
673 */ 678 */
674void 679void
675start_pam(const char *user) 680start_pam(Authctxt *authctxt)
676{ 681{
677 if (!options.use_pam) 682 if (!options.use_pam)
678 fatal("PAM: initialisation requested when UsePAM=no"); 683 fatal("PAM: initialisation requested when UsePAM=no");
679 684
680 if (sshpam_init(user) == -1) 685 if (sshpam_init(authctxt) == -1)
681 fatal("PAM: initialisation failed"); 686 fatal("PAM: initialisation failed");
682} 687}
683 688