4 files changed, 29 insertions, 41 deletions

diff --git a/ChangeLog b/ChangeLog
index a5bb31b91..3acb6eca9 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -7,6 +7,9 @@
    change for platforms using /etc/shadow.  ok djm@
  - (dtucker) [openbsd-compat/fake-rfc2553.h] Bug #563: Prepend ssh_ to compat
    functions to avoid conflicts with Heimdal's libroken.  ok djm@
+ - (dtucker) [auth-pam.c auth-pam.h session.c] Bug #14: Use do_pwchange to
+   change expired PAM passwords for SSHv1 connections without privsep.
+   pam_chauthtok is still used when privsep is disabled.  ok djm@
 
 20040207
  - (dtucker) OpenBSD CVS Sync
@@ -1830,4 +1833,4 @@
  - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo.
    Report from murple@murple.net, diagnosis from dtucker@zip.com.au
 
-$Id: ChangeLog,v 1.3220 2004/02/10 02:05:40 dtucker Exp $
+$Id: ChangeLog,v 1.3221 2004/02/10 02:23:28 dtucker Exp $
diff --git a/auth-pam.c b/auth-pam.c
index 0e2725b80..562fb01f2 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -31,7 +31,7 @@
 
 /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */
 #include "includes.h"
-RCSID("$Id: auth-pam.c,v 1.92 2004/01/14 13:15:08 dtucker Exp $");
+RCSID("$Id: auth-pam.c,v 1.93 2004/02/10 02:23:29 dtucker Exp $");
 
 #ifdef USE_PAM
 #if defined(HAVE_SECURITY_PAM_APPL_H)
@@ -155,11 +155,11 @@ pthread_join(sp_pthread_t thread, void **value __unused)
 static pam_handle_t *sshpam_handle = NULL;
 static int sshpam_err = 0;
 static int sshpam_authenticated = 0;
-static int sshpam_new_authtok_reqd = 0;
 static int sshpam_session_open = 0;
 static int sshpam_cred_established = 0;
 static int sshpam_account_status = -1;
 static char **sshpam_env = NULL;
+static int *force_pwchange;
 
 /* Some PAM implementations don't implement this */
 #ifndef HAVE_PAM_GETENVLIST
@@ -179,7 +179,7 @@ void
 pam_password_change_required(int reqd)
 {
         debug3("%s %d", __func__, reqd);
-        sshpam_new_authtok_reqd = reqd;
+        *force_pwchange = reqd;
         if (reqd) {
                 no_port_forwarding_flag |= 2;
                 no_agent_forwarding_flag |= 2;
@@ -188,9 +188,9 @@ pam_password_change_required(int reqd)
                 no_port_forwarding_flag &= ~2;
                 no_agent_forwarding_flag &= ~2;
                 no_x11_forwarding_flag &= ~2;
-
         }
 }
+
 /* Import regular and PAM environment from subprocess */
 static void
 import_environments(Buffer *b)
@@ -348,7 +348,7 @@ sshpam_thread(void *ctxtp)
         if (compat20) {
                 if (!do_pam_account())
                         goto auth_fail;
-                if (sshpam_new_authtok_reqd) {
+                if (*force_pwchange) {
                         sshpam_err = pam_chauthtok(sshpam_handle,
                             PAM_CHANGE_EXPIRED_AUTHTOK);
                         if (sshpam_err != PAM_SUCCESS)
@@ -362,7 +362,7 @@ sshpam_thread(void *ctxtp)
 #ifndef USE_POSIX_THREADS
         /* Export variables set by do_pam_account */
         buffer_put_int(&buffer, sshpam_account_status);
-        buffer_put_int(&buffer, sshpam_new_authtok_reqd);
+        buffer_put_int(&buffer, *force_pwchange);
 
         /* Export any environment strings set in child */
         for(i = 0; environ[i] != NULL; i++)
@@ -437,7 +437,7 @@ sshpam_cleanup(void)
                 pam_close_session(sshpam_handle, PAM_SILENT);
                 sshpam_session_open = 0;
         }
-        sshpam_authenticated = sshpam_new_authtok_reqd = 0;
+        sshpam_authenticated = 0;
         pam_end(sshpam_handle, sshpam_err);
         sshpam_handle = NULL;
 }
@@ -511,6 +511,8 @@ sshpam_init_ctx(Authctxt *authctxt)
         ctxt = xmalloc(sizeof *ctxt);
         memset(ctxt, 0, sizeof(*ctxt));
 
+        force_pwchange = &(authctxt->force_pwchange);
+
         /* Start the authentication thread */
         if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC, socks) == -1) {
                 error("PAM: failed create sockets: %s", strerror(errno));
@@ -744,12 +746,6 @@ do_pam_setcred(int init)
                     pam_strerror(sshpam_handle, sshpam_err));
 }
 
-int
-is_pam_password_change_required(void)
-{
-        return (sshpam_new_authtok_reqd);
-}
-
 static int
 pam_tty_conv(int n, const struct pam_message **msg,
     struct pam_response **resp, void *data)
@@ -828,6 +824,7 @@ do_pam_chauthtok(void)
 void
 do_pam_session(void)
 {
+        debug3("PAM: opening session");
         sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
             (const void *)&tty_conv);
         if (sshpam_err != PAM_SUCCESS)
@@ -864,12 +861,6 @@ do_pam_putenv(char *name, char *value)
         return (ret);
 }
 
-void
-print_pam_messages(void)
-{
-        /* XXX */
-}
-
 char **
 fetch_pam_child_environment(void)
 {
diff --git a/auth-pam.h b/auth-pam.h
index fd62e9534..4bc8d6955 100644
--- a/auth-pam.h
+++ b/auth-pam.h
@@ -1,4 +1,4 @@
-/* $Id: auth-pam.h,v 1.23 2003/11/17 10:41:42 djm Exp $ */
+/* $Id: auth-pam.h,v 1.24 2004/02/10 02:23:29 dtucker Exp $ */
 
 /*
  * Copyright (c) 2000 Damien Miller.  All rights reserved.
@@ -37,10 +37,8 @@ u_int do_pam_account(void);
 void do_pam_session(void);
 void do_pam_set_tty(const char *);
 void do_pam_setcred(int );
-int is_pam_password_change_required(void);
 void do_pam_chauthtok(void);
 int do_pam_putenv(char *, char *);
-void print_pam_messages(void);
 char ** fetch_pam_environment(void);
 char ** fetch_pam_child_environment(void);
 void free_pam_environment(char **);
diff --git a/session.c b/session.c
index 5742296d5..864967565 100644
--- a/session.c
+++ b/session.c
@@ -193,6 +193,15 @@ auth_input_request_forwarding(struct passwd * pw)
         return 1;
 }
 
+static void
+display_loginmsg(void)
+{
+        if (buffer_len(&loginmsg) > 0) {
+                buffer_append(&loginmsg, "\0", 1);
+                printf("%s\n", (char *)buffer_ptr(&loginmsg));
+                buffer_clear(&loginmsg);
+        }
+}
 
 void
 do_authenticated(Authctxt *authctxt)
@@ -389,12 +398,8 @@ do_exec_no_pty(Session *s, const char *command)
         session_proctitle(s);
 
 #if defined(USE_PAM)
-        if (options.use_pam) {
+        if (options.use_pam)
                 do_pam_setcred(1);
-                if (is_pam_password_change_required())
-                        packet_disconnect("Password change required but no "
-                            "TTY available");
-        }
 #endif /* USE_PAM */
 
         /* Fork the child. */
@@ -698,9 +703,10 @@ do_login(Session *s, const char *command)
          * If password change is needed, do it now.
          * This needs to occur before the ~/.hushlogin check.
          */
-        if (options.use_pam && is_pam_password_change_required()) {
-                print_pam_messages();
+        if (options.use_pam && !use_privsep && s->authctxt->force_pwchange) {
+                display_loginmsg();
                 do_pam_chauthtok();
+                s->authctxt->force_pwchange = 0;
                 /* XXX - signal [net] parent to enable forwardings */
         }
 #endif
@@ -708,17 +714,7 @@ do_login(Session *s, const char *command)
         if (check_quietlogin(s, command))
                 return;
 
-#ifdef USE_PAM
-        if (options.use_pam && !is_pam_password_change_required())
-                print_pam_messages();
-#endif /* USE_PAM */
-
-        /* display post-login message */
-        if (buffer_len(&loginmsg) > 0) {
-                buffer_append(&loginmsg, "\0", 1);
-                printf("%s\n", (char *)buffer_ptr(&loginmsg));
-        }
-        buffer_free(&loginmsg);
+        display_loginmsg();
 
 #ifndef NO_SSH_LASTLOG
         if (options.print_lastlog && s->last_login_time != 0) {