summaryrefslogtreecommitdiff
path: root/auth-pam.c
diff options
context:
space:
mode:
Diffstat (limited to 'auth-pam.c')
-rw-r--r--auth-pam.c25
1 files changed, 17 insertions, 8 deletions
diff --git a/auth-pam.c b/auth-pam.c
index de29c04c9..00ba87775 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -287,18 +287,27 @@ sshpam_chauthtok_ruid(pam_handle_t *pamh, int flags)
287void 287void
288sshpam_password_change_required(int reqd) 288sshpam_password_change_required(int reqd)
289{ 289{
290 extern struct sshauthopt *auth_opts;
291 static int saved_port, saved_agent, saved_x11;
292
290 debug3("%s %d", __func__, reqd); 293 debug3("%s %d", __func__, reqd);
291 if (sshpam_authctxt == NULL) 294 if (sshpam_authctxt == NULL)
292 fatal("%s: PAM authctxt not initialized", __func__); 295 fatal("%s: PAM authctxt not initialized", __func__);
293 sshpam_authctxt->force_pwchange = reqd; 296 sshpam_authctxt->force_pwchange = reqd;
294 if (reqd) { 297 if (reqd) {
295 no_port_forwarding_flag |= 2; 298 saved_port = auth_opts->permit_port_forwarding_flag;
296 no_agent_forwarding_flag |= 2; 299 saved_agent = auth_opts->permit_agent_forwarding_flag;
297 no_x11_forwarding_flag |= 2; 300 saved_x11 = auth_opts->permit_x11_forwarding_flag;
301 auth_opts->permit_port_forwarding_flag = 0;
302 auth_opts->permit_agent_forwarding_flag = 0;
303 auth_opts->permit_x11_forwarding_flag = 0;
298 } else { 304 } else {
299 no_port_forwarding_flag &= ~2; 305 if (saved_port)
300 no_agent_forwarding_flag &= ~2; 306 auth_opts->permit_port_forwarding_flag = saved_port;
301 no_x11_forwarding_flag &= ~2; 307 if (saved_agent)
308 auth_opts->permit_agent_forwarding_flag = saved_agent;
309 if (saved_x11)
310 auth_opts->permit_x11_forwarding_flag = saved_x11;
302 } 311 }
303} 312}
304 313
@@ -1077,7 +1086,7 @@ do_pam_chauthtok(void)
1077} 1086}
1078 1087
1079void 1088void
1080do_pam_session(void) 1089do_pam_session(struct ssh *ssh)
1081{ 1090{
1082 debug3("PAM: opening session"); 1091 debug3("PAM: opening session");
1083 1092
@@ -1093,7 +1102,7 @@ do_pam_session(void)
1093 sshpam_session_open = 1; 1102 sshpam_session_open = 1;
1094 else { 1103 else {
1095 sshpam_session_open = 0; 1104 sshpam_session_open = 0;
1096 disable_forwarding(); 1105 auth_restrict_session(ssh);
1097 error("PAM: pam_open_session(): %s", 1106 error("PAM: pam_open_session(): %s",
1098 pam_strerror(sshpam_handle, sshpam_err)); 1107 pam_strerror(sshpam_handle, sshpam_err));
1099 } 1108 }
generated by cgit v1.2.3 (git 2.39.1) at 2024-06-29 14:02:07 +0000