path: root/auth-pam.c
Diffstat (limited to 'auth-pam.c')
-rw-r--r--auth-pam.c52
1 files changed, 27 insertions, 25 deletions
diff --git a/auth-pam.c b/auth-pam.c
index 970ff61cb..c0b6ded12 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -31,7 +31,7 @@
31 31
32/* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */ 32/* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */
33#include "includes.h" 33#include "includes.h"
34RCSID("$Id: auth-pam.c,v 1.66 2003/08/08 03:43:37 dtucker Exp $"); 34RCSID("$Id: auth-pam.c,v 1.67 2003/08/25 03:08:49 djm Exp $");
35 35
36#ifdef USE_PAM 36#ifdef USE_PAM
37#include <security/pam_appl.h> 37#include <security/pam_appl.h>
@@ -49,6 +49,7 @@ RCSID("$Id: auth-pam.c,v 1.66 2003/08/08 03:43:37 dtucker Exp $");
49#include "servconf.h" 49#include "servconf.h"
50#include "ssh2.h" 50#include "ssh2.h"
51#include "xmalloc.h" 51#include "xmalloc.h"
52#include "auth-options.h"
52 53
53extern ServerOptions options; 54extern ServerOptions options;
54 55
@@ -130,10 +131,8 @@ static void sshpam_free_ctx(void *);
130 * Conversation function for authentication thread. 131 * Conversation function for authentication thread.
131 */ 132 */
132static int 133static int
133sshpam_thread_conv(int n, 134sshpam_thread_conv(int n, const struct pam_message **msg,
134 const struct pam_message **msg, 135 struct pam_response **resp, void *data)
135 struct pam_response **resp,
136 void *data)
137{ 136{
138 Buffer buffer; 137 Buffer buffer;
139 struct pam_ctxt *ctxt; 138 struct pam_ctxt *ctxt;
@@ -216,9 +215,6 @@ sshpam_thread(void *ctxtp)
216 sshpam_err = pam_authenticate(sshpam_handle, 0); 215 sshpam_err = pam_authenticate(sshpam_handle, 0);
217 if (sshpam_err != PAM_SUCCESS) 216 if (sshpam_err != PAM_SUCCESS)
218 goto auth_fail; 217 goto auth_fail;
219 sshpam_err = pam_acct_mgmt(sshpam_handle, 0);
220 if (sshpam_err != PAM_SUCCESS && sshpam_err != PAM_NEW_AUTHTOK_REQD)
221 goto auth_fail;
222 buffer_put_cstring(&buffer, "OK"); 218 buffer_put_cstring(&buffer, "OK");
223 ssh_msg_send(ctxt->pam_csock, sshpam_err, &buffer); 219 ssh_msg_send(ctxt->pam_csock, sshpam_err, &buffer);
224 buffer_free(&buffer); 220 buffer_free(&buffer);
@@ -246,12 +242,9 @@ sshpam_thread_cleanup(void *ctxtp)
246} 242}
247 243
248static int 244static int
249sshpam_null_conv(int n, 245sshpam_null_conv(int n, const struct pam_message **msg,
250 const struct pam_message **msg, 246 struct pam_response **resp, void *data)
251 struct pam_response **resp,
252 void *data)
253{ 247{
254
255 return (PAM_CONV_ERR); 248 return (PAM_CONV_ERR);
256} 249}
257 250
@@ -303,7 +296,7 @@ sshpam_init(const char *user)
303 debug("PAM: setting PAM_RHOST to \"%s\"", pam_rhost); 296 debug("PAM: setting PAM_RHOST to \"%s\"", pam_rhost);
304 sshpam_err = pam_set_item(sshpam_handle, PAM_RHOST, pam_rhost); 297 sshpam_err = pam_set_item(sshpam_handle, PAM_RHOST, pam_rhost);
305 if (sshpam_err != PAM_SUCCESS) { 298 if (sshpam_err != PAM_SUCCESS) {
306 pam_end(sshpam_handle, sshpam_err); 299 pam_end(sshpam_handle, sshpam_err);
307 sshpam_handle = NULL; 300 sshpam_handle = NULL;
308 return (-1); 301 return (-1);
309 } 302 }
@@ -403,9 +396,6 @@ sshpam_query(void *ctx, char **name, char **info,
403 plen += snprintf(**prompts + plen, len, "%s", msg); 396 plen += snprintf(**prompts + plen, len, "%s", msg);
404 xfree(msg); 397 xfree(msg);
405 break; 398 break;
406 case PAM_NEW_AUTHTOK_REQD:
407 sshpam_new_authtok_reqd = 1;
408 /* FALLTHROUGH */
409 case PAM_SUCCESS: 399 case PAM_SUCCESS:
410 case PAM_AUTH_ERR: 400 case PAM_AUTH_ERR:
411 if (**prompts != NULL) { 401 if (**prompts != NULL) {
@@ -519,10 +509,24 @@ finish_pam(void)
519 sshpam_cleanup(NULL); 509 sshpam_cleanup(NULL);
520} 510}
521 511
522int 512u_int
523do_pam_account(const char *user, const char *ruser) 513do_pam_account(void)
524{ 514{
525 /* XXX */ 515 sshpam_err = pam_acct_mgmt(sshpam_handle, 0);
516 debug3("%s: pam_acct_mgmt = %d", __func__, sshpam_err);
517
518 if (sshpam_err != PAM_SUCCESS && sshpam_err != PAM_NEW_AUTHTOK_REQD)
519 return (0);
520
521 if (sshpam_err == PAM_NEW_AUTHTOK_REQD) {
522 sshpam_new_authtok_reqd = 1;
523
524 /* Prevent forwardings until password changed */
525 no_port_forwarding_flag |= 2;
526 no_agent_forwarding_flag |= 2;
527 no_x11_forwarding_flag |= 2;
528 }
529
526 return (1); 530 return (1);
527} 531}
528 532
@@ -582,10 +586,8 @@ is_pam_password_change_required(void)
582} 586}
583 587
584static int 588static int
585pam_chauthtok_conv(int n, 589pam_chauthtok_conv(int n, const struct pam_message **msg,
586 const struct pam_message **msg, 590 struct pam_response **resp, void *data)
587 struct pam_response **resp,
588 void *data)
589{ 591{
590 char input[PAM_MAX_MSG_SIZE]; 592 char input[PAM_MAX_MSG_SIZE];
591 int i; 593 int i;
@@ -635,7 +637,7 @@ do_pam_chauthtok(void)
635 struct pam_conv pam_conv = { pam_chauthtok_conv, NULL }; 637 struct pam_conv pam_conv = { pam_chauthtok_conv, NULL };
636 638
637 if (use_privsep) 639 if (use_privsep)
638 fatal("PAM: chauthtok not supprted with privsep"); 640 fatal("Password expired (unable to change with privsep)");
639 sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, 641 sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
640 (const void *)&pam_conv); 642 (const void *)&pam_conv);
641 if (sshpam_err != PAM_SUCCESS) 643 if (sshpam_err != PAM_SUCCESS)
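Review bot: The new do_pam_account (new lines 512-531 in the hunk at old line 519) passes sshpam_handle to pam_acct_mgmt without checking that PAM was initialised, while sshpam_init in the hunk at old line 303 is shown leaving sshpam_handle NULL on failure; unless every caller already guarantees a successful sshpam_init, a guard such as `if (sshpam_handle == NULL) return (0);` before the call would make the deny path explicit instead of relying on how the PAM library treats a NULL handle. The `|= 2` applied to no_port_forwarding_flag, no_agent_forwarding_flag and no_x11_forwarding_flag is a bare magic bit; a comment stating which bit the authorized-keys options use and why this check needs a separate one, e.g. `/* bit 2 is reserved for the PAM account check so it survives key-option handling -- confirm against auth-options.c */`, would make the intent checkable. Because pam_acct_mgmt no longer runs inside sshpam_thread (old lines 219-221 removed) and the PAM_NEW_AUTHTOK_REQD case was dropped from sshpam_query (old lines 406-408), the deny decision now rests on callers outside this file treating a 0 return from do_pam_account as an authentication failure, which is worth verifying in those callers. The return type also changed from int to u_int, so the prototype in the header must be updated in the same commit to avoid a mismatched declaration.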