diff options
| author | Darren Tucker <dtucker@zip.com.au> | 2004-03-08 23:04:06 +1100 |
|---|---|---|
| committer | Darren Tucker <dtucker@zip.com.au> | 2004-03-08 23:04:06 +1100 |
| commit | dbf7a74ee569a9544276db42eb7aee1141072a24 (patch) | |
| tree | f9aea6fab5efea9441557696611b04a065ad8128 /auth-pam.c | |
| parent | 86c093d2895989d1258459b797ce3630eaa47d1a (diff) | |
- (dtucker) [auth-pam.c auth-pam.h auth1.c auth2.c monitor.c monitor_wrap.c
monitor_wrap.h] Bug #808: Ensure force_pwchange is correctly initialized
even if keyboard-interactive is not used by the client. Prevents segfaults
in some cases where the user's password is expired (note this is not
considered a security exposure). ok djm@
Diffstat (limited to 'auth-pam.c')
| -rw-r--r-- | auth-pam.c | 29 |
1 files changed, 17 insertions, 12 deletions
diff --git a/auth-pam.c b/auth-pam.c index ea361f171..6f2264c5d 100644 --- a/auth-pam.c +++ b/auth-pam.c | |||
| @@ -31,7 +31,7 @@ | |||
| 31 | 31 | ||
| 32 | /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */ | 32 | /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */ |
| 33 | #include "includes.h" | 33 | #include "includes.h" |
| 34 | RCSID("$Id: auth-pam.c,v 1.97 2004/03/04 09:03:54 dtucker Exp $"); | 34 | RCSID("$Id: auth-pam.c,v 1.98 2004/03/08 12:04:06 dtucker Exp $"); |
| 35 | 35 | ||
| 36 | #ifdef USE_PAM | 36 | #ifdef USE_PAM |
| 37 | #if defined(HAVE_SECURITY_PAM_APPL_H) | 37 | #if defined(HAVE_SECURITY_PAM_APPL_H) |
| @@ -160,7 +160,7 @@ static int sshpam_session_open = 0; | |||
| 160 | static int sshpam_cred_established = 0; | 160 | static int sshpam_cred_established = 0; |
| 161 | static int sshpam_account_status = -1; | 161 | static int sshpam_account_status = -1; |
| 162 | static char **sshpam_env = NULL; | 162 | static char **sshpam_env = NULL; |
| 163 | static int *force_pwchange; | 163 | static Authctxt *the_authctxt = NULL; |
| 164 | 164 | ||
| 165 | /* Some PAM implementations don't implement this */ | 165 | /* Some PAM implementations don't implement this */ |
| 166 | #ifndef HAVE_PAM_GETENVLIST | 166 | #ifndef HAVE_PAM_GETENVLIST |
| @@ -180,7 +180,9 @@ void | |||
| 180 | pam_password_change_required(int reqd) | 180 | pam_password_change_required(int reqd) |
| 181 | { | 181 | { |
| 182 | debug3("%s %d", __func__, reqd); | 182 | debug3("%s %d", __func__, reqd); |
| 183 | *force_pwchange = reqd; | 183 | if (the_authctxt == NULL) |
| 184 | fatal("%s: PAM authctxt not initialized", __func__); | ||
| 185 | the_authctxt->force_pwchange = reqd; | ||
| 184 | if (reqd) { | 186 | if (reqd) { |
| 185 | no_port_forwarding_flag |= 2; | 187 | no_port_forwarding_flag |= 2; |
| 186 | no_agent_forwarding_flag |= 2; | 188 | no_agent_forwarding_flag |= 2; |
| @@ -339,6 +341,9 @@ sshpam_thread(void *ctxtp) | |||
| 339 | sshpam_conv.conv = sshpam_thread_conv; | 341 | sshpam_conv.conv = sshpam_thread_conv; |
| 340 | sshpam_conv.appdata_ptr = ctxt; | 342 | sshpam_conv.appdata_ptr = ctxt; |
| 341 | 343 | ||
| 344 | if (the_authctxt == NULL) | ||
| 345 | fatal("%s: PAM authctxt not initialized", __func__); | ||
| 346 | |||
| 342 | buffer_init(&buffer); | 347 | buffer_init(&buffer); |
| 343 | sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, | 348 | sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, |
| 344 | (const void *)&sshpam_conv); | 349 | (const void *)&sshpam_conv); |
| @@ -351,7 +356,7 @@ sshpam_thread(void *ctxtp) | |||
| 351 | if (compat20) { | 356 | if (compat20) { |
| 352 | if (!do_pam_account()) | 357 | if (!do_pam_account()) |
| 353 | goto auth_fail; | 358 | goto auth_fail; |
| 354 | if (*force_pwchange) { | 359 | if (the_authctxt->force_pwchange) { |
| 355 | sshpam_err = pam_chauthtok(sshpam_handle, | 360 | sshpam_err = pam_chauthtok(sshpam_handle, |
| 356 | PAM_CHANGE_EXPIRED_AUTHTOK); | 361 | PAM_CHANGE_EXPIRED_AUTHTOK); |
| 357 | if (sshpam_err != PAM_SUCCESS) | 362 | if (sshpam_err != PAM_SUCCESS) |
| @@ -365,7 +370,7 @@ sshpam_thread(void *ctxtp) | |||
| 365 | #ifndef USE_POSIX_THREADS | 370 | #ifndef USE_POSIX_THREADS |
| 366 | /* Export variables set by do_pam_account */ | 371 | /* Export variables set by do_pam_account */ |
| 367 | buffer_put_int(&buffer, sshpam_account_status); | 372 | buffer_put_int(&buffer, sshpam_account_status); |
| 368 | buffer_put_int(&buffer, *force_pwchange); | 373 | buffer_put_int(&buffer, the_authctxt->force_pwchange); |
| 369 | 374 | ||
| 370 | /* Export any environment strings set in child */ | 375 | /* Export any environment strings set in child */ |
| 371 | for(i = 0; environ[i] != NULL; i++) | 376 | for(i = 0; environ[i] != NULL; i++) |
| @@ -446,11 +451,11 @@ sshpam_cleanup(void) | |||
| 446 | } | 451 | } |
| 447 | 452 | ||
| 448 | static int | 453 | static int |
| 449 | sshpam_init(const char *user) | 454 | sshpam_init(Authctxt *authctxt) |
| 450 | { | 455 | { |
| 451 | extern u_int utmp_len; | 456 | extern u_int utmp_len; |
| 452 | extern char *__progname; | 457 | extern char *__progname; |
| 453 | const char *pam_rhost, *pam_user; | 458 | const char *pam_rhost, *pam_user, *user = authctxt->user; |
| 454 | 459 | ||
| 455 | if (sshpam_handle != NULL) { | 460 | if (sshpam_handle != NULL) { |
| 456 | /* We already have a PAM context; check if the user matches */ | 461 | /* We already have a PAM context; check if the user matches */ |
| @@ -464,6 +469,8 @@ sshpam_init(const char *user) | |||
| 464 | debug("PAM: initializing for \"%s\"", user); | 469 | debug("PAM: initializing for \"%s\"", user); |
| 465 | sshpam_err = | 470 | sshpam_err = |
| 466 | pam_start(SSHD_PAM_SERVICE, user, &null_conv, &sshpam_handle); | 471 | pam_start(SSHD_PAM_SERVICE, user, &null_conv, &sshpam_handle); |
| 472 | the_authctxt = authctxt; | ||
| 473 | |||
| 467 | if (sshpam_err != PAM_SUCCESS) { | 474 | if (sshpam_err != PAM_SUCCESS) { |
| 468 | pam_end(sshpam_handle, sshpam_err); | 475 | pam_end(sshpam_handle, sshpam_err); |
| 469 | sshpam_handle = NULL; | 476 | sshpam_handle = NULL; |
| @@ -506,7 +513,7 @@ sshpam_init_ctx(Authctxt *authctxt) | |||
| 506 | return NULL; | 513 | return NULL; |
| 507 | 514 | ||
| 508 | /* Initialize PAM */ | 515 | /* Initialize PAM */ |
| 509 | if (sshpam_init(authctxt->user) == -1) { | 516 | if (sshpam_init(authctxt) == -1) { |
| 510 | error("PAM: initialization failed"); | 517 | error("PAM: initialization failed"); |
| 511 | return (NULL); | 518 | return (NULL); |
| 512 | } | 519 | } |
| @@ -514,8 +521,6 @@ sshpam_init_ctx(Authctxt *authctxt) | |||
| 514 | ctxt = xmalloc(sizeof *ctxt); | 521 | ctxt = xmalloc(sizeof *ctxt); |
| 515 | memset(ctxt, 0, sizeof(*ctxt)); | 522 | memset(ctxt, 0, sizeof(*ctxt)); |
| 516 | 523 | ||
| 517 | force_pwchange = &(authctxt->force_pwchange); | ||
| 518 | |||
| 519 | /* Start the authentication thread */ | 524 | /* Start the authentication thread */ |
| 520 | if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC, socks) == -1) { | 525 | if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC, socks) == -1) { |
| 521 | error("PAM: failed create sockets: %s", strerror(errno)); | 526 | error("PAM: failed create sockets: %s", strerror(errno)); |
| @@ -674,12 +679,12 @@ KbdintDevice mm_sshpam_device = { | |||
| 674 | * This replaces auth-pam.c | 679 | * This replaces auth-pam.c |
| 675 | */ | 680 | */ |
| 676 | void | 681 | void |
| 677 | start_pam(const char *user) | 682 | start_pam(Authctxt *authctxt) |
| 678 | { | 683 | { |
| 679 | if (!options.use_pam) | 684 | if (!options.use_pam) |
| 680 | fatal("PAM: initialisation requested when UsePAM=no"); | 685 | fatal("PAM: initialisation requested when UsePAM=no"); |
| 681 | 686 | ||
| 682 | if (sshpam_init(user) == -1) | 687 | if (sshpam_init(authctxt) == -1) |
| 683 | fatal("PAM: initialisation failed"); | 688 | fatal("PAM: initialisation failed"); |
| 684 | } | 689 | } |
| 685 | 690 | ||