Diffstat (limited to 'auth-pam.c')
-rw-r--r--auth-pam.c47
1 files changed, 35 insertions, 12 deletions
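--- a/auth-pam.c
+++ b/auth-pam.c
@@ -106,7 +106,6 @@ extern char *__progname;
 
 extern ServerOptions options;
 extern Buffer loginmsg;
-extern int compat20;
 extern u_int utmp_len;
 
 /* so we don't silently change behaviour */
@@ -468,18 +467,16 @@ sshpam_thread(void *ctxtp)
 if (sshpam_err != PAM_SUCCESS)
 goto auth_fail;
 
-if (compat20) {
-if (!do_pam_account()) {
-sshpam_err = PAM_ACCT_EXPIRED;
+if (!do_pam_account()) {
+sshpam_err = PAM_ACCT_EXPIRED;
+goto auth_fail;
+}
+if (sshpam_authctxt->force_pwchange) {
+sshpam_err = pam_chauthtok(sshpam_handle,
+PAM_CHANGE_EXPIRED_AUTHTOK);
+if (sshpam_err != PAM_SUCCESS)
 goto auth_fail;
-}
-if (sshpam_authctxt->force_pwchange) {
-sshpam_err = pam_chauthtok(sshpam_handle,
-PAM_CHANGE_EXPIRED_AUTHTOK);
-if (sshpam_err != PAM_SUCCESS)
-goto auth_fail;
-sshpam_password_change_required(0);
-}
+sshpam_password_change_required(0);
 }
 
 buffer_put_cstring(&buffer, "OK");
@@ -929,6 +926,27 @@ finish_pam(void)
 sshpam_cleanup();
 }
 
+static void
+expose_authinfo(const char *caller)
+{
+char *auth_info;
+
+/*
+ * Expose authentication information to PAM.
+ * The enviornment variable is versioned. Please increment the
+ * version suffix if the format of session_info changes.
+ */
+if (sshpam_authctxt->session_info == NULL)
+auth_info = xstrdup("");
+else if ((auth_info = sshbuf_dup_string(
+sshpam_authctxt->session_info)) == NULL)
+fatal("%s: sshbuf_dup_string failed", __func__);
+
+debug2("%s: auth information in SSH_AUTH_INFO_0", caller);
+do_pam_putenv("SSH_AUTH_INFO_0", auth_info);
+free(auth_info);
+}
+
 u_int
 do_pam_account(void)
 {
@@ -936,6 +954,8 @@ do_pam_account(void)
 if (sshpam_account_status != -1)
 return (sshpam_account_status);
 
+expose_authinfo(__func__);
+
 sshpam_err = pam_acct_mgmt(sshpam_handle, 0);
 debug3("PAM: %s pam_acct_mgmt = %d (%s)", __func__, sshpam_err,
 pam_strerror(sshpam_handle, sshpam_err));
@@ -1060,6 +1080,9 @@ void
 do_pam_session(void)
 {
 debug3("PAM: opening session");
+
+expose_authinfo(__func__);
+
 sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
 (const void *)&store_conv);
 if (sshpam_err != PAM_SUCCESS)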
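Review bot: The block comment in the new expose_authinfo (hunk following finish_pam) misspells `enviornment` and says nothing about where the exposed value comes from or who consumes it; I would extend it with `The value is a copy of sshpam_authctxt->session_info; PAM modules that read SSH_AUTH_INFO_0 should treat it as data describing the client's authentication and parse it defensively rather than assume a fixed layout.` The function dereferences `sshpam_authctxt->session_info` without first checking sshpam_authctxt itself; both callers presumably run only after the PAM context has been set up, but if the rest of the file guards that pointer before use, the same guard belongs here. The return of the `do_pam_putenv("SSH_AUTH_INFO_0", auth_info)` call is discarded, so if do_pam_putenv reports a pam_putenv failure, a `debug()` on a non-success status would make a silently missing variable diagnosable. Both do_pam_account and do_pam_session call expose_authinfo unconditionally, so the variable is set twice on the normal path; that looks intentional but deserves a one-line comment at one of the call sites, and both callers' bodies continue outside their hunks.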