4 files changed, 37 insertions, 4 deletions

diff --git a/ChangeLog b/ChangeLog
index ff0659708..ca9f92983 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+20040816
+ - (dtucker) [acconfig.h auth-pam.c configure.ac] Set real uid to non-root
+   to convince Solaris PAM to honour password complexity rules.  ok djm@
+
 20040815
  - (dtucker) [Makefile.in ssh-keysign.c ssh.c] Use permanently_set_uid() since
    it does the right thing on all platforms.  ok djm@
@@ -1641,4 +1645,4 @@
    - (djm) Trim deprecated options from INSTALL. Mention UsePAM
    - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
 
-$Id: ChangeLog,v 1.3512 2004/08/15 11:01:37 dtucker Exp $
+$Id: ChangeLog,v 1.3513 2004/08/16 13:12:05 dtucker Exp $
diff --git a/acconfig.h b/acconfig.h
index bb069630d..014413505 100644
--- a/acconfig.h
+++ b/acconfig.h
@@ -1,4 +1,4 @@
-/* $Id: acconfig.h,v 1.179 2004/08/15 08:40:59 djm Exp $ */
+/* $Id: acconfig.h,v 1.180 2004/08/16 13:12:06 dtucker Exp $ */
 
 /*
  * Copyright (c) 1999-2003 Damien Miller.  All rights reserved.
@@ -104,6 +104,9 @@
 /* Work around problematic Linux PAM modules handling of PAM_TTY */
 #undef PAM_TTY_KLUDGE
 
+/* Define if pam_chauthtok wants real uid set to the unpriv'ed user */
+#undef SSHPAM_CHAUTHTOK_NEEDS_RUID
+
 /* Use PIPES instead of a socketpair() */
 #undef USE_PIPES
 
diff --git a/auth-pam.c b/auth-pam.c
index 7d610d0bb..b93241f48 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -47,7 +47,7 @@
 
 /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */
 #include "includes.h"
-RCSID("$Id: auth-pam.c,v 1.113 2004/07/21 10:54:47 djm Exp $");
+RCSID("$Id: auth-pam.c,v 1.114 2004/08/16 13:12:06 dtucker Exp $");
 
 #ifdef USE_PAM
 #if defined(HAVE_SECURITY_PAM_APPL_H)
@@ -201,6 +201,31 @@ pam_getenvlist(pam_handle_t *pamh)
 }
 #endif
 
+/*
+ * Some platforms, notably Solaris, do not enforce password complexity
+ * rules during pam_chauthtok() if the real uid of the calling process
+ * is 0, on the assumption that it's being called by "passwd" run by root.
+ * This wraps pam_chauthtok and sets/restore the real uid so PAM will do
+ * the right thing.
+ */
+#ifdef SSHPAM_CHAUTHTOK_NEEDS_RUID
+static int
+sshpam_chauthtok_ruid(pam_handle_t *pamh, int flags)
+{
+        int result;
+
+        if (sshpam_authctxt == NULL)
+                fatal("PAM: sshpam_authctxt not initialized");
+        if (setreuid(sshpam_authctxt->pw->pw_uid, -1) == -1)
+                fatal("%s: setreuid failed: %s", __func__, strerror(errno));
+        result = pam_chauthtok(pamh, flags);
+        if (setreuid(0, -1) == -1)
+                fatal("%s: setreuid failed: %s", __func__, strerror(errno));
+        return result;
+}
+# define pam_chauthtok(a,b)     (sshpam_chauthtok_ruid((a), (b)))
+#endif
+
 void
 sshpam_password_change_required(int reqd)
 {
diff --git a/configure.ac b/configure.ac
index 6954fb47e..36c457728 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,4 +1,4 @@
-# $Id: configure.ac,v 1.225 2004/08/15 08:40:59 djm Exp $
+# $Id: configure.ac,v 1.226 2004/08/16 13:12:06 dtucker Exp $
 #
 # Copyright (c) 1999-2004 Damien Miller
 #
@@ -298,6 +298,7 @@ mips-sony-bsd|mips-sony-newsos4)
         AC_DEFINE(LOGIN_NEEDS_UTMPX)
         AC_DEFINE(LOGIN_NEEDS_TERM)
         AC_DEFINE(PAM_TTY_KLUDGE)
+        AC_DEFINE(SSHPAM_CHAUTHTOK_NEEDS_RUID)
         AC_DEFINE(LOCKED_PASSWD_STRING, "*LK*")
         # Pushing STREAMS modules will cause sshd to acquire a controlling tty.
         AC_DEFINE(SSHD_ACQUIRES_CTTY)