diff options
| author | Darren Tucker <dtucker@zip.com.au> | 2004-02-10 13:23:28 +1100 |
|---|---|---|
| committer | Darren Tucker <dtucker@zip.com.au> | 2004-02-10 13:23:28 +1100 |
| commit | 1921ed9f966b6d8262a906d01e515b2737962e2b (patch) | |
| tree | b28d822e9ad172508e7d8349c7a7010d5f879939 /auth-pam.c | |
| parent | ffae5320769fab707a8f0c533e5900d5e03f5820 (diff) | |
- (dtucker) [auth-pam.c auth-pam.h session.c] Bug #14: Use do_pwchange to
change expired PAM passwords for SSHv1 connections without privsep.
pam_chauthtok is still used when privsep is disabled. ok djm@
Diffstat (limited to 'auth-pam.c')
| -rw-r--r-- | auth-pam.c | 29 |
1 files changed, 10 insertions, 19 deletions
diff --git a/auth-pam.c b/auth-pam.c index 0e2725b80..562fb01f2 100644 --- a/auth-pam.c +++ b/auth-pam.c | |||
| @@ -31,7 +31,7 @@ | |||
| 31 | 31 | ||
| 32 | /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */ | 32 | /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */ |
| 33 | #include "includes.h" | 33 | #include "includes.h" |
| 34 | RCSID("$Id: auth-pam.c,v 1.92 2004/01/14 13:15:08 dtucker Exp $"); | 34 | RCSID("$Id: auth-pam.c,v 1.93 2004/02/10 02:23:29 dtucker Exp $"); |
| 35 | 35 | ||
| 36 | #ifdef USE_PAM | 36 | #ifdef USE_PAM |
| 37 | #if defined(HAVE_SECURITY_PAM_APPL_H) | 37 | #if defined(HAVE_SECURITY_PAM_APPL_H) |
| @@ -155,11 +155,11 @@ pthread_join(sp_pthread_t thread, void **value __unused) | |||
| 155 | static pam_handle_t *sshpam_handle = NULL; | 155 | static pam_handle_t *sshpam_handle = NULL; |
| 156 | static int sshpam_err = 0; | 156 | static int sshpam_err = 0; |
| 157 | static int sshpam_authenticated = 0; | 157 | static int sshpam_authenticated = 0; |
| 158 | static int sshpam_new_authtok_reqd = 0; | ||
| 159 | static int sshpam_session_open = 0; | 158 | static int sshpam_session_open = 0; |
| 160 | static int sshpam_cred_established = 0; | 159 | static int sshpam_cred_established = 0; |
| 161 | static int sshpam_account_status = -1; | 160 | static int sshpam_account_status = -1; |
| 162 | static char **sshpam_env = NULL; | 161 | static char **sshpam_env = NULL; |
| 162 | static int *force_pwchange; | ||
| 163 | 163 | ||
| 164 | /* Some PAM implementations don't implement this */ | 164 | /* Some PAM implementations don't implement this */ |
| 165 | #ifndef HAVE_PAM_GETENVLIST | 165 | #ifndef HAVE_PAM_GETENVLIST |
| @@ -179,7 +179,7 @@ void | |||
| 179 | pam_password_change_required(int reqd) | 179 | pam_password_change_required(int reqd) |
| 180 | { | 180 | { |
| 181 | debug3("%s %d", __func__, reqd); | 181 | debug3("%s %d", __func__, reqd); |
| 182 | sshpam_new_authtok_reqd = reqd; | 182 | *force_pwchange = reqd; |
| 183 | if (reqd) { | 183 | if (reqd) { |
| 184 | no_port_forwarding_flag |= 2; | 184 | no_port_forwarding_flag |= 2; |
| 185 | no_agent_forwarding_flag |= 2; | 185 | no_agent_forwarding_flag |= 2; |
| @@ -188,9 +188,9 @@ pam_password_change_required(int reqd) | |||
| 188 | no_port_forwarding_flag &= ~2; | 188 | no_port_forwarding_flag &= ~2; |
| 189 | no_agent_forwarding_flag &= ~2; | 189 | no_agent_forwarding_flag &= ~2; |
| 190 | no_x11_forwarding_flag &= ~2; | 190 | no_x11_forwarding_flag &= ~2; |
| 191 | |||
| 192 | } | 191 | } |
| 193 | } | 192 | } |
| 193 | |||
| 194 | /* Import regular and PAM environment from subprocess */ | 194 | /* Import regular and PAM environment from subprocess */ |
| 195 | static void | 195 | static void |
| 196 | import_environments(Buffer *b) | 196 | import_environments(Buffer *b) |
| @@ -348,7 +348,7 @@ sshpam_thread(void *ctxtp) | |||
| 348 | if (compat20) { | 348 | if (compat20) { |
| 349 | if (!do_pam_account()) | 349 | if (!do_pam_account()) |
| 350 | goto auth_fail; | 350 | goto auth_fail; |
| 351 | if (sshpam_new_authtok_reqd) { | 351 | if (*force_pwchange) { |
| 352 | sshpam_err = pam_chauthtok(sshpam_handle, | 352 | sshpam_err = pam_chauthtok(sshpam_handle, |
| 353 | PAM_CHANGE_EXPIRED_AUTHTOK); | 353 | PAM_CHANGE_EXPIRED_AUTHTOK); |
| 354 | if (sshpam_err != PAM_SUCCESS) | 354 | if (sshpam_err != PAM_SUCCESS) |
| @@ -362,7 +362,7 @@ sshpam_thread(void *ctxtp) | |||
| 362 | #ifndef USE_POSIX_THREADS | 362 | #ifndef USE_POSIX_THREADS |
| 363 | /* Export variables set by do_pam_account */ | 363 | /* Export variables set by do_pam_account */ |
| 364 | buffer_put_int(&buffer, sshpam_account_status); | 364 | buffer_put_int(&buffer, sshpam_account_status); |
| 365 | buffer_put_int(&buffer, sshpam_new_authtok_reqd); | 365 | buffer_put_int(&buffer, *force_pwchange); |
| 366 | 366 | ||
| 367 | /* Export any environment strings set in child */ | 367 | /* Export any environment strings set in child */ |
| 368 | for(i = 0; environ[i] != NULL; i++) | 368 | for(i = 0; environ[i] != NULL; i++) |
| @@ -437,7 +437,7 @@ sshpam_cleanup(void) | |||
| 437 | pam_close_session(sshpam_handle, PAM_SILENT); | 437 | pam_close_session(sshpam_handle, PAM_SILENT); |
| 438 | sshpam_session_open = 0; | 438 | sshpam_session_open = 0; |
| 439 | } | 439 | } |
| 440 | sshpam_authenticated = sshpam_new_authtok_reqd = 0; | 440 | sshpam_authenticated = 0; |
| 441 | pam_end(sshpam_handle, sshpam_err); | 441 | pam_end(sshpam_handle, sshpam_err); |
| 442 | sshpam_handle = NULL; | 442 | sshpam_handle = NULL; |
| 443 | } | 443 | } |
| @@ -511,6 +511,8 @@ sshpam_init_ctx(Authctxt *authctxt) | |||
| 511 | ctxt = xmalloc(sizeof *ctxt); | 511 | ctxt = xmalloc(sizeof *ctxt); |
| 512 | memset(ctxt, 0, sizeof(*ctxt)); | 512 | memset(ctxt, 0, sizeof(*ctxt)); |
| 513 | 513 | ||
| 514 | force_pwchange = &(authctxt->force_pwchange); | ||
| 515 | |||
| 514 | /* Start the authentication thread */ | 516 | /* Start the authentication thread */ |
| 515 | if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC, socks) == -1) { | 517 | if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC, socks) == -1) { |
| 516 | error("PAM: failed create sockets: %s", strerror(errno)); | 518 | error("PAM: failed create sockets: %s", strerror(errno)); |
| @@ -744,12 +746,6 @@ do_pam_setcred(int init) | |||
| 744 | pam_strerror(sshpam_handle, sshpam_err)); | 746 | pam_strerror(sshpam_handle, sshpam_err)); |
| 745 | } | 747 | } |
| 746 | 748 | ||
| 747 | int | ||
| 748 | is_pam_password_change_required(void) | ||
| 749 | { | ||
| 750 | return (sshpam_new_authtok_reqd); | ||
| 751 | } | ||
| 752 | |||
| 753 | static int | 749 | static int |
| 754 | pam_tty_conv(int n, const struct pam_message **msg, | 750 | pam_tty_conv(int n, const struct pam_message **msg, |
| 755 | struct pam_response **resp, void *data) | 751 | struct pam_response **resp, void *data) |
| @@ -828,6 +824,7 @@ do_pam_chauthtok(void) | |||
| 828 | void | 824 | void |
| 829 | do_pam_session(void) | 825 | do_pam_session(void) |
| 830 | { | 826 | { |
| 827 | debug3("PAM: opening session"); | ||
| 831 | sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, | 828 | sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, |
| 832 | (const void *)&tty_conv); | 829 | (const void *)&tty_conv); |
| 833 | if (sshpam_err != PAM_SUCCESS) | 830 | if (sshpam_err != PAM_SUCCESS) |
| @@ -864,12 +861,6 @@ do_pam_putenv(char *name, char *value) | |||
| 864 | return (ret); | 861 | return (ret); |
| 865 | } | 862 | } |
| 866 | 863 | ||
| 867 | void | ||
| 868 | print_pam_messages(void) | ||
| 869 | { | ||
| 870 | /* XXX */ | ||
| 871 | } | ||
| 872 | |||
| 873 | char ** | 864 | char ** |
| 874 | fetch_pam_child_environment(void) | 865 | fetch_pam_child_environment(void) |
| 875 | { | 866 | { |