Diffstat (limited to 'auth-pam.c')
-rw-r--r-- | auth-pam.c | 52 |
1 files changed, 27 insertions, 25 deletions
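diff --git a/auth-pam.c b/auth-pam.c
index 970ff61cb..c0b6ded12 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -31,7 +31,7 @@
 
 /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */
 #include "includes.h"
-RCSID("$Id: auth-pam.c,v 1.66 2003/08/08 03:43:37 dtucker Exp $");
+RCSID("$Id: auth-pam.c,v 1.67 2003/08/25 03:08:49 djm Exp $");
 
 #ifdef USE_PAM
 #include <security/pam_appl.h>
@@ -49,6 +49,7 @@ RCSID("$Id: auth-pam.c,v 1.66 2003/08/08 03:43:37 dtucker Exp $");
 #include "servconf.h"
 #include "ssh2.h"
 #include "xmalloc.h"
+#include "auth-options.h"
 
 extern ServerOptions options;
 
@@ -130,10 +131,8 @@ static void sshpam_free_ctx(void *);
 * Conversation function for authentication thread.
 */
 static int
-sshpam_thread_conv(int n,
-const struct pam_message **msg,
-struct pam_response **resp,
-void *data)
+sshpam_thread_conv(int n, const struct pam_message **msg,
+struct pam_response **resp, void *data)
 {
 Buffer buffer;
 struct pam_ctxt *ctxt;
@@ -216,9 +215,6 @@ sshpam_thread(void *ctxtp)
 sshpam_err = pam_authenticate(sshpam_handle, 0);
 if (sshpam_err != PAM_SUCCESS)
 goto auth_fail;
-sshpam_err = pam_acct_mgmt(sshpam_handle, 0);
-if (sshpam_err != PAM_SUCCESS && sshpam_err != PAM_NEW_AUTHTOK_REQD)
-goto auth_fail;
 buffer_put_cstring(&buffer, "OK");
 ssh_msg_send(ctxt->pam_csock, sshpam_err, &buffer);
 buffer_free(&buffer);
@@ -246,12 +242,9 @@ sshpam_thread_cleanup(void *ctxtp)
 }
 
 static int
-sshpam_null_conv(int n,
-const struct pam_message **msg,
-struct pam_response **resp,
-void *data)
+sshpam_null_conv(int n, const struct pam_message **msg,
+struct pam_response **resp, void *data)
 {
-
 return (PAM_CONV_ERR);
 }
 
@@ -303,7 +296,7 @@ sshpam_init(const char *user)
 debug("PAM: setting PAM_RHOST to \"%s\"", pam_rhost);
 sshpam_err = pam_set_item(sshpam_handle, PAM_RHOST, pam_rhost);
 if (sshpam_err != PAM_SUCCESS) {
 pam_end(sshpam_handle, sshpam_err);
 sshpam_handle = NULL;
 return (-1);
 }
@@ -403,9 +396,6 @@ sshpam_query(void *ctx, char **name, char **info,
 plen += snprintf(**prompts + plen, len, "%s", msg);
 xfree(msg);
 break;
-case PAM_NEW_AUTHTOK_REQD:
-sshpam_new_authtok_reqd = 1;
-/* FALLTHROUGH */
 case PAM_SUCCESS:
 case PAM_AUTH_ERR:
 if (**prompts != NULL) {
@@ -519,10 +509,24 @@ finish_pam(void)
 sshpam_cleanup(NULL);
 }
 
-int
-do_pam_account(const char *user, const char *ruser)
+u_int
+do_pam_account(void)
 {
-/* XXX */
+sshpam_err = pam_acct_mgmt(sshpam_handle, 0);
+debug3("%s: pam_acct_mgmt = %d", __func__, sshpam_err);
+
+if (sshpam_err != PAM_SUCCESS && sshpam_err != PAM_NEW_AUTHTOK_REQD)
+return (0);
+
+if (sshpam_err == PAM_NEW_AUTHTOK_REQD) {
+sshpam_new_authtok_reqd = 1;
+
+/* Prevent forwardings until password changed */
+no_port_forwarding_flag |= 2;
+no_agent_forwarding_flag |= 2;
+no_x11_forwarding_flag |= 2;
+}
+
 return (1);
 }
 
@@ -582,10 +586,8 @@ is_pam_password_change_required(void)
 }
 
 static int
-pam_chauthtok_conv(int n,
-const struct pam_message **msg,
-struct pam_response **resp,
-void *data)
+pam_chauthtok_conv(int n, const struct pam_message **msg,
+struct pam_response **resp, void *data)
 {
 char input[PAM_MAX_MSG_SIZE];
 int i;
@@ -635,7 +637,7 @@ do_pam_chauthtok(void)
 struct pam_conv pam_conv = { pam_chauthtok_conv, NULL };
 
 if (use_privsep)
-fatal("PAM: chauthtok not supprted with privsep");
+fatal("Password expired (unable to change with privsep)");
 sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
 (const void *)&pam_conv);
 if (sshpam_err != PAM_SUCCESS)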
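Review bot: In do_pam_account (new lines 515-519 of the `@@ -519,10 +509,24 @@` hunk) a pam_acct_mgmt() refusal is recorded only at debug3 before `return (0);`, so an account that PAM rejects as expired or locked leaves no trace in sshd's default log; unless the caller outside this diff logs the denial, add `logit("PAM: %s", pam_strerror(sshpam_handle, sshpam_err));` ahead of the return so the refusal is auditable. The function also passes sshpam_handle to pam_acct_mgmt() unconditionally, while the `@@ -303,7 +296,7 @@` hunk shows sshpam_init setting sshpam_handle to NULL on failure, so a NULL guard or a documented precondition that sshpam_init succeeded is presumably needed. The `|= 2` on the three forwarding flags relies on bit 2 being reserved for this PAM restriction and on later code clearing it once pam_chauthtok succeeds, neither of which the file states; a comment above that block naming which code owns each bit and where bit 2 is cleared would make the contract explicit. The prototype change from `int do_pam_account(const char *, const char *)` to `u_int do_pam_account(void)` must be mirrored in the header that declares it, which is outside this diff.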