-rw-r--r-- | ChangeLog | 5 | ||||
-rw-r--r-- | auth-pam.c | 29 | ||||
-rw-r--r-- | auth-pam.h | 4 | ||||
-rw-r--r-- | session.c | 32 |
4 files changed, 29 insertions, 41 deletions
@@ -7,6 +7,9 @@ | |||
7 | change for platforms using /etc/shadow. ok djm@ | 7 | change for platforms using /etc/shadow. ok djm@ |
8 | - (dtucker) [openbsd-compat/fake-rfc2553.h] Bug #563: Prepend ssh_ to compat | 8 | - (dtucker) [openbsd-compat/fake-rfc2553.h] Bug #563: Prepend ssh_ to compat |
9 | functions to avoid conflicts with Heimdal's libroken. ok djm@ | 9 | functions to avoid conflicts with Heimdal's libroken. ok djm@ |
10 | - (dtucker) [auth-pam.c auth-pam.h session.c] Bug #14: Use do_pwchange to | ||
11 | change expired PAM passwords for SSHv1 connections without privsep. | ||
12 | pam_chauthtok is still used when privsep is disabled. ok djm@ | ||
10 | 13 | ||
11 | 20040207 | 14 | 20040207 |
12 | - (dtucker) OpenBSD CVS Sync | 15 | - (dtucker) OpenBSD CVS Sync |
@@ -1830,4 +1833,4 @@ | |||
1830 | - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. | 1833 | - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. |
1831 | Report from murple@murple.net, diagnosis from dtucker@zip.com.au | 1834 | Report from murple@murple.net, diagnosis from dtucker@zip.com.au |
1832 | 1835 | ||
1833 | $Id: ChangeLog,v 1.3220 2004/02/10 02:05:40 dtucker Exp $ | 1836 | $Id: ChangeLog,v 1.3221 2004/02/10 02:23:28 dtucker Exp $ |
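diff --git a/auth-pam.c b/auth-pam.c
index 0e2725b80..562fb01f2 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -31,7 +31,7 @@
 
 /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */
 #include "includes.h"
-RCSID("$Id: auth-pam.c,v 1.92 2004/01/14 13:15:08 dtucker Exp $");
+RCSID("$Id: auth-pam.c,v 1.93 2004/02/10 02:23:29 dtucker Exp $");
 
 #ifdef USE_PAM
 #if defined(HAVE_SECURITY_PAM_APPL_H)
@@ -155,11 +155,11 @@ pthread_join(sp_pthread_t thread, void **value __unused)
 static pam_handle_t *sshpam_handle = NULL;
 static int sshpam_err = 0;
 static int sshpam_authenticated = 0;
-static int sshpam_new_authtok_reqd = 0;
 static int sshpam_session_open = 0;
 static int sshpam_cred_established = 0;
 static int sshpam_account_status = -1;
 static char **sshpam_env = NULL;
+static int *force_pwchange;
 
 /* Some PAM implementations don't implement this */
 #ifndef HAVE_PAM_GETENVLIST
@@ -179,7 +179,7 @@ void
 pam_password_change_required(int reqd)
 {
 	debug3("%s %d", __func__, reqd);
-	sshpam_new_authtok_reqd = reqd;
+	*force_pwchange = reqd;
 	if (reqd) {
 		no_port_forwarding_flag |= 2;
 		no_agent_forwarding_flag |= 2;
@@ -188,9 +188,9 @@ pam_password_change_required(int reqd)
 		no_port_forwarding_flag &= ~2;
 		no_agent_forwarding_flag &= ~2;
 		no_x11_forwarding_flag &= ~2;
-
 	}
 }
+
 /* Import regular and PAM environment from subprocess */
 static void
 import_environments(Buffer *b)
@@ -348,7 +348,7 @@ sshpam_thread(void *ctxtp)
 	if (compat20) {
 		if (!do_pam_account())
 			goto auth_fail;
-		if (sshpam_new_authtok_reqd) {
+		if (*force_pwchange) {
 			sshpam_err = pam_chauthtok(sshpam_handle,
 			    PAM_CHANGE_EXPIRED_AUTHTOK);
 			if (sshpam_err != PAM_SUCCESS)
@@ -362,7 +362,7 @@ sshpam_thread(void *ctxtp)
 #ifndef USE_POSIX_THREADS
 	/* Export variables set by do_pam_account */
 	buffer_put_int(&buffer, sshpam_account_status);
-	buffer_put_int(&buffer, sshpam_new_authtok_reqd);
+	buffer_put_int(&buffer, *force_pwchange);
 
 	/* Export any environment strings set in child */
 	for(i = 0; environ[i] != NULL; i++)
@@ -437,7 +437,7 @@ sshpam_cleanup(void)
 		pam_close_session(sshpam_handle, PAM_SILENT);
 		sshpam_session_open = 0;
 	}
-	sshpam_authenticated = sshpam_new_authtok_reqd = 0;
+	sshpam_authenticated = 0;
 	pam_end(sshpam_handle, sshpam_err);
 	sshpam_handle = NULL;
 }
@@ -511,6 +511,8 @@ sshpam_init_ctx(Authctxt *authctxt)
 	ctxt = xmalloc(sizeof *ctxt);
 	memset(ctxt, 0, sizeof(*ctxt));
 
+	force_pwchange = &(authctxt->force_pwchange);
+
 	/* Start the authentication thread */
 	if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC, socks) == -1) {
 		error("PAM: failed create sockets: %s", strerror(errno));
@@ -744,12 +746,6 @@ do_pam_setcred(int init)
 	    pam_strerror(sshpam_handle, sshpam_err));
 }
 
-int
-is_pam_password_change_required(void)
-{
-	return (sshpam_new_authtok_reqd);
-}
-
 static int
 pam_tty_conv(int n, const struct pam_message **msg,
     struct pam_response **resp, void *data)
@@ -828,6 +824,7 @@ do_pam_chauthtok(void)
 void
 do_pam_session(void)
 {
+	debug3("PAM: opening session");
 	sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
 	    (const void *)&tty_conv);
 	if (sshpam_err != PAM_SUCCESS)
@@ -864,12 +861,6 @@ do_pam_putenv(char *name, char *value)
 	return (ret);
 }
 
-void
-print_pam_messages(void)
-{
-	/* XXX */
-}
-
 char **
 fetch_pam_child_environment(void)
 {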
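Review bot: `*force_pwchange` is written in pam_password_change_required and read twice in sshpam_thread, but the pointer is assigned only in sshpam_init_ctx, so any caller that reaches the password-change callback without a kbd-interactive context having been created first (the password-auth paths look like candidates, though their callers are outside this diff) would dereference a NULL pointer. A guard at the top of pam_password_change_required, `if (force_pwchange == NULL) fatal("%s: PAM authctxt not initialised", __func__);`, turns that into a diagnosable failure instead of a crash, and the same check belongs before the `*force_pwchange` reads in sshpam_thread, whose body continues outside these hunks. sshpam_cleanup also no longer resets the flag, so it now keeps whatever value the last Authctxt held across pam_end; a one-line comment there, `/* force_pwchange now lives in the Authctxt and is cleared by session.c */`, would spare the next reader from hunting for the old reset.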
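diff --git a/auth-pam.h b/auth-pam.h
index fd62e9534..4bc8d6955 100644
--- a/auth-pam.h
+++ b/auth-pam.h
@@ -1,4 +1,4 @@
-/* $Id: auth-pam.h,v 1.23 2003/11/17 10:41:42 djm Exp $ */
+/* $Id: auth-pam.h,v 1.24 2004/02/10 02:23:29 dtucker Exp $ */
 
 /*
  * Copyright (c) 2000 Damien Miller. All rights reserved.
@@ -37,10 +37,8 @@ u_int do_pam_account(void);
 void do_pam_session(void);
 void do_pam_set_tty(const char *);
 void do_pam_setcred(int );
-int is_pam_password_change_required(void);
 void do_pam_chauthtok(void);
 int do_pam_putenv(char *, char *);
-void print_pam_messages(void);
 char ** fetch_pam_environment(void);
 char ** fetch_pam_child_environment(void);
 void free_pam_environment(char **);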
@@ -193,6 +193,15 @@ auth_input_request_forwarding(struct passwd * pw) | |||
193 | return 1; | 193 | return 1; |
194 | } | 194 | } |
195 | 195 | ||
196 | static void | ||
197 | display_loginmsg(void) | ||
198 | { | ||
199 | if (buffer_len(&loginmsg) > 0) { | ||
200 | buffer_append(&loginmsg, "\0", 1); | ||
201 | printf("%s\n", (char *)buffer_ptr(&loginmsg)); | ||
202 | buffer_clear(&loginmsg); | ||
203 | } | ||
204 | } | ||
196 | 205 | ||
197 | void | 206 | void |
198 | do_authenticated(Authctxt *authctxt) | 207 | do_authenticated(Authctxt *authctxt) |
@@ -389,12 +398,8 @@ do_exec_no_pty(Session *s, const char *command) | |||
389 | session_proctitle(s); | 398 | session_proctitle(s); |
390 | 399 | ||
391 | #if defined(USE_PAM) | 400 | #if defined(USE_PAM) |
392 | if (options.use_pam) { | 401 | if (options.use_pam) |
393 | do_pam_setcred(1); | 402 | do_pam_setcred(1); |
394 | if (is_pam_password_change_required()) | ||
395 | packet_disconnect("Password change required but no " | ||
396 | "TTY available"); | ||
397 | } | ||
398 | #endif /* USE_PAM */ | 403 | #endif /* USE_PAM */ |
399 | 404 | ||
400 | /* Fork the child. */ | 405 | /* Fork the child. */ |
@@ -698,9 +703,10 @@ do_login(Session *s, const char *command) | |||
698 | * If password change is needed, do it now. | 703 | * If password change is needed, do it now. |
699 | * This needs to occur before the ~/.hushlogin check. | 704 | * This needs to occur before the ~/.hushlogin check. |
700 | */ | 705 | */ |
701 | if (options.use_pam && is_pam_password_change_required()) { | 706 | if (options.use_pam && !use_privsep && s->authctxt->force_pwchange) { |
702 | print_pam_messages(); | 707 | display_loginmsg(); |
703 | do_pam_chauthtok(); | 708 | do_pam_chauthtok(); |
709 | s->authctxt->force_pwchange = 0; | ||
704 | /* XXX - signal [net] parent to enable forwardings */ | 710 | /* XXX - signal [net] parent to enable forwardings */ |
705 | } | 711 | } |
706 | #endif | 712 | #endif |
@@ -708,17 +714,7 @@ do_login(Session *s, const char *command) | |||
708 | if (check_quietlogin(s, command)) | 714 | if (check_quietlogin(s, command)) |
709 | return; | 715 | return; |
710 | 716 | ||
711 | #ifdef USE_PAM | 717 | display_loginmsg(); |
712 | if (options.use_pam && !is_pam_password_change_required()) | ||
713 | print_pam_messages(); | ||
714 | #endif /* USE_PAM */ | ||
715 | |||
716 | /* display post-login message */ | ||
717 | if (buffer_len(&loginmsg) > 0) { | ||
718 | buffer_append(&loginmsg, "\0", 1); | ||
719 | printf("%s\n", (char *)buffer_ptr(&loginmsg)); | ||
720 | } | ||
721 | buffer_free(&loginmsg); | ||
722 | 718 | ||
723 | #ifndef NO_SSH_LASTLOG | 719 | #ifndef NO_SSH_LASTLOG |
724 | if (options.print_lastlog && s->last_login_time != 0) { | 720 | if (options.print_lastlog && s->last_login_time != 0) { |
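Review bot: do_exec_no_pty no longer refuses a session while a password change is pending: the removed `packet_disconnect("Password change required but no TTY available")` guard has no replacement in that hunk, so with `s->authctxt->force_pwchange` set the non-pty path now proceeds straight to the fork. The ChangeLog names do_pwchange as the new mechanism, but nothing in this diff shows it being reached for a non-pty, non-privsep session, so either restore the guard under `!use_privsep` or add a comment at the `do_pam_setcred(1)` call stating where the pending change is enforced for this path. In do_login, clearing `s->authctxt->force_pwchange = 0` after `do_pam_chauthtok()` does not lift the forwarding restrictions that pam_password_change_required set, which the surviving XXX comment already acknowledges; a short note that the flag is cleared here only so the post-login path does not repeat the prompt would make that intent explicit. The trailing `buffer_free(&loginmsg)` was dropped and display_loginmsg only calls buffer_clear, which is harmless before the exec but worth a comment if that is deliberate.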