Diffstat (limited to 'auth-pam.c')
-rw-r--r-- | auth-pam.c | 26 |
1 files changed, 24 insertions, 2 deletions
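diff --git a/auth-pam.c b/auth-pam.c
index f31641c28..22807f1a9 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -29,6 +29,7 @@
 #include "xmalloc.h"
 #include "log.h"
 #include "auth.h"
+#include "auth-options.h"
 #include "auth-pam.h"
 #include "servconf.h"
 #include "canohost.h"
@@ -36,10 +37,14 @@
 
 extern char *__progname;
 
-RCSID("$Id: auth-pam.c,v 1.48 2002/07/21 17:26:54 stevesk Exp $");
+extern int use_privsep;
+
+RCSID("$Id: auth-pam.c,v 1.49 2002/07/21 17:57:01 stevesk Exp $");
 
 #define NEW_AUTHTOK_MSG \
 	"Warning: Your password has expired, please change it now."
+#define NEW_AUTHTOK_MSG_PRIVSEP \
+	"Your password has expired, the session cannot proceed."
 
 static int do_pam_conversation(int num_msg, const struct pam_message **msg,
     struct pam_response **resp, void *appdata_ptr);
@@ -254,9 +259,14 @@ int do_pam_account(char *username, char *remote_user)
 		break;
 #if 0
 	case PAM_NEW_AUTHTOK_REQD:
-		message_cat(&__pam_msg, NEW_AUTHTOK_MSG);
+		message_cat(&__pam_msg, use_privsep ?
+		    NEW_AUTHTOK_MSG_PRIVSEP : NEW_AUTHTOK_MSG);
 		/* flag that password change is necessary */
 		password_change_required = 1;
+		/* disallow other functionality for now */
+		no_port_forwarding_flag |= 2;
+		no_agent_forwarding_flag |= 2;
+		no_x11_forwarding_flag |= 2;
 		break;
 #endif
 	default:
@@ -335,11 +345,23 @@ void do_pam_chauthtok(void)
 	do_pam_set_conv(&conv);
 
 	if (password_change_required) {
+		if (use_privsep)
+			fatal("Password changing is currently unsupported"
+			    " with privilege separation");
 		pamstate = OTHER;
 		pam_retval = pam_chauthtok(__pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
 		if (pam_retval != PAM_SUCCESS)
 			fatal("PAM pam_chauthtok failed[%d]: %.200s",
 			    pam_retval, PAM_STRERROR(__pamh, pam_retval));
+#if 0
+		/* XXX: This would need to be done in the parent process,
+		 * but there's currently no way to pass such request. */
+		no_port_forwarding_flag &= ~2;
+		no_agent_forwarding_flag &= ~2;
+		no_x11_forwarding_flag &= ~2;
+		if (!no_port_forwarding_flag && options.allow_tcp_forwarding)
+			channel_permit_all_opens();
+#endif
 	}
 }
 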
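Review bot: The new `use_privsep` guard in do_pam_chauthtok and the NEW_AUTHTOK_MSG_PRIVSEP text are only reachable when `password_change_required` is set, yet the sole assignment visible here, the `PAM_NEW_AUTHTOK_REQD` case in do_pam_account, sits inside `#if 0` in both the old and the new code, so as committed both additions are dead from this file and a comment on the guard should say so. The forwarding restrictions that case applies with `|= 2` are also never lifted, because the matching `&= ~2` block is itself `#if 0`; that is fail-closed, but it means a user who does complete a password change keeps the restrictions for the rest of the session, which the XXX comment should state explicitly rather than only noting the parent-process problem. The literal `2` would read better as a named bit, e.g. `#define PAM_FORWARDING_RESTRICTED 2 /* set by do_pam_account; kept separate from the authorized_keys option bit */`, assuming the value auth-options assigns to these flags is a different bit, which cannot be confirmed from this file. Both enclosing functions, do_pam_account and do_pam_chauthtok, start outside the hunks shown.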