1 files changed, 51 insertions, 13 deletions
diff --git a/auth-pam.c b/auth-pam.c
index 621940ab9..2fe1e3382 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -31,7 +31,7 @@
 /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */
 #include "includes.h"
-RCSID("$Id: auth-pam.c,v 1.84 2003/11/21 12:56:47 djm Exp $");
+RCSID("$Id: auth-pam.c,v 1.85 2003/12/18 04:34:32 dtucker Exp $");
 #ifdef USE_PAM
 #include <security/pam_appl.h>
@@ -53,6 +53,7 @@ RCSID("$Id: auth-pam.c,v 1.84 2003/11/21 12:56:47 djm Exp $");
 extern ServerOptions options;
 extern Buffer loginmsg;
+extern int compat20;
 #define __unused
@@ -118,6 +119,7 @@ static int sshpam_authenticated = 0;
 static int sshpam_new_authtok_reqd = 0;
 static int sshpam_session_open = 0;
 static int sshpam_cred_established = 0;
+static int sshpam_account_status = -1;
 static char **sshpam_env = NULL;
 struct pam_ctxt {
@@ -144,6 +146,21 @@ pam_getenvlist(pam_handle_t *pamh)
 }
 #endif
+void
+pam_password_change_required(int reqd)
+{
+        sshpam_new_authtok_reqd = reqd;
+        if (reqd) {
+                no_port_forwarding_flag |= 2;
+                no_agent_forwarding_flag |= 2;
+                no_x11_forwarding_flag |= 2;
+        } else {
+                no_port_forwarding_flag &= ~2;
+                no_agent_forwarding_flag &= ~2;
+                no_x11_forwarding_flag &= ~2;
+        }
+}
 /* Import regular and PAM environment from subprocess */
 static void
 import_environments(Buffer *b)
@@ -152,6 +169,10 @@ import_environments(Buffer *b)
        u_int i, num_env;
        int err;
+        /* Import variables set by do_pam_account */
+        sshpam_account_status = buffer_get_int(b);
+        pam_password_change_required(buffer_get_int(b));
        /* Import environment from subprocess */
        num_env = buffer_get_int(b);
        sshpam_env = xmalloc((num_env + 1) * sizeof(*sshpam_env));
@@ -290,9 +311,26 @@ sshpam_thread(void *ctxtp)
        sshpam_err = pam_authenticate(sshpam_handle, 0);
        if (sshpam_err != PAM_SUCCESS)
                goto auth_fail;
+        /* if (compat20) { */
+                if (!do_pam_account())
+                        goto auth_fail;
+                if (sshpam_new_authtok_reqd) {
+                        sshpam_err = pam_chauthtok(sshpam_handle,
+                            PAM_CHANGE_EXPIRED_AUTHTOK);
+                        if (sshpam_err != PAM_SUCCESS)
+                                goto auth_fail;
+                        pam_password_change_required(0);
+                }
+        /* } */
        buffer_put_cstring(&buffer, "OK");
 #ifndef USE_POSIX_THREADS
+        /* Export variables set by do_pam_account */
+        buffer_put_int(&buffer, sshpam_account_status);
+        buffer_put_int(&buffer, sshpam_new_authtok_reqd);
        /* Export any environment strings set in child */
        for(i = 0; environ[i] != NULL; i++)
                ; /* Count */
@@ -611,22 +649,22 @@ finish_pam(void)
 u_int
 do_pam_account(void)
 {
+        if (sshpam_account_status != -1)
+                return (sshpam_account_status);
        sshpam_err = pam_acct_mgmt(sshpam_handle, 0);
        debug3("%s: pam_acct_mgmt = %d", __func__, sshpam_err);
+        
-        if (sshpam_err != PAM_SUCCESS && sshpam_err != PAM_NEW_AUTHTOK_REQD)
+        if (sshpam_err != PAM_SUCCESS && sshpam_err != PAM_NEW_AUTHTOK_REQD) {
-                return (0);
+                sshpam_account_status = 0;
+                return (sshpam_account_status);
-        if (sshpam_err == PAM_NEW_AUTHTOK_REQD) {
-                sshpam_new_authtok_reqd = 1;
-                /* Prevent forwardings until password changed */
-                no_port_forwarding_flag |= 2;
-                no_agent_forwarding_flag |= 2;
-                no_x11_forwarding_flag |= 2;
        }
-        return (1);
+        if (sshpam_err == PAM_NEW_AUTHTOK_REQD)
+                pam_password_change_required(1);
+        sshpam_account_status = 1;
+        return (sshpam_account_status);
 }
 void

diff --git a/auth-pam.c b/auth-pam.c index 621940ab9..2fe1e3382 100644 --- a/auth-pam.c +++ b/auth-pam.c
@@ -31,7 +31,7 @@
31		31
32	/* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */	32	/* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */
33	#include "includes.h"	33	#include "includes.h"
34	RCSID("$Id: auth-pam.c,v 1.84 2003/11/21 12:56:47 djm Exp $");	34	RCSID("$Id: auth-pam.c,v 1.85 2003/12/18 04:34:32 dtucker Exp $");
35		35
36	#ifdef USE_PAM	36	#ifdef USE_PAM
37	#include <security/pam_appl.h>	37	#include <security/pam_appl.h>
@@ -53,6 +53,7 @@ RCSID("$Id: auth-pam.c,v 1.84 2003/11/21 12:56:47 djm Exp $");
53		53
54	extern ServerOptions options;	54	extern ServerOptions options;
55	extern Buffer loginmsg;	55	extern Buffer loginmsg;
		56	extern int compat20;
56		57
57	#define __unused	58	#define __unused
58		59
@@ -118,6 +119,7 @@ static int sshpam_authenticated = 0;
118	static int sshpam_new_authtok_reqd = 0;	119	static int sshpam_new_authtok_reqd = 0;
119	static int sshpam_session_open = 0;	120	static int sshpam_session_open = 0;
120	static int sshpam_cred_established = 0;	121	static int sshpam_cred_established = 0;
		122	static int sshpam_account_status = -1;
121	static char **sshpam_env = NULL;	123	static char **sshpam_env = NULL;
122		124
123	struct pam_ctxt {	125	struct pam_ctxt {
@@ -144,6 +146,21 @@ pam_getenvlist(pam_handle_t *pamh)
144	}	146	}
145	#endif	147	#endif
146		148
		149	void
		150	pam_password_change_required(int reqd)
		151	{
		152	sshpam_new_authtok_reqd = reqd;
		153	if (reqd) {
		154	no_port_forwarding_flag \|= 2;
		155	no_agent_forwarding_flag \|= 2;
		156	no_x11_forwarding_flag \|= 2;
		157	} else {
		158	no_port_forwarding_flag &= ~2;
		159	no_agent_forwarding_flag &= ~2;
		160	no_x11_forwarding_flag &= ~2;
		161
		162	}
		163	}
147	/* Import regular and PAM environment from subprocess */	164	/* Import regular and PAM environment from subprocess */
148	static void	165	static void
149	import_environments(Buffer *b)	166	import_environments(Buffer *b)
@@ -152,6 +169,10 @@ import_environments(Buffer *b)
152	u_int i, num_env;	169	u_int i, num_env;
153	int err;	170	int err;
154		171
		172	/* Import variables set by do_pam_account */
		173	sshpam_account_status = buffer_get_int(b);
		174	pam_password_change_required(buffer_get_int(b));
		175
155	/* Import environment from subprocess */	176	/* Import environment from subprocess */
156	num_env = buffer_get_int(b);	177	num_env = buffer_get_int(b);
157	sshpam_env = xmalloc((num_env + 1) * sizeof(*sshpam_env));	178	sshpam_env = xmalloc((num_env + 1) * sizeof(*sshpam_env));
@@ -290,9 +311,26 @@ sshpam_thread(void *ctxtp)
290	sshpam_err = pam_authenticate(sshpam_handle, 0);	311	sshpam_err = pam_authenticate(sshpam_handle, 0);
291	if (sshpam_err != PAM_SUCCESS)	312	if (sshpam_err != PAM_SUCCESS)
292	goto auth_fail;	313	goto auth_fail;
		314
		315	/* if (compat20) { */
		316	if (!do_pam_account())
		317	goto auth_fail;
		318	if (sshpam_new_authtok_reqd) {
		319	sshpam_err = pam_chauthtok(sshpam_handle,
		320	PAM_CHANGE_EXPIRED_AUTHTOK);
		321	if (sshpam_err != PAM_SUCCESS)
		322	goto auth_fail;
		323	pam_password_change_required(0);
		324	}
		325	/* } */
		326
293	buffer_put_cstring(&buffer, "OK");	327	buffer_put_cstring(&buffer, "OK");
294		328
295	#ifndef USE_POSIX_THREADS	329	#ifndef USE_POSIX_THREADS
		330	/* Export variables set by do_pam_account */
		331	buffer_put_int(&buffer, sshpam_account_status);
		332	buffer_put_int(&buffer, sshpam_new_authtok_reqd);
		333
296	/* Export any environment strings set in child */	334	/* Export any environment strings set in child */
297	for(i = 0; environ[i] != NULL; i++)	335	for(i = 0; environ[i] != NULL; i++)
298	; /* Count */	336	; /* Count */
@@ -611,22 +649,22 @@ finish_pam(void)
611	u_int	649	u_int
612	do_pam_account(void)	650	do_pam_account(void)
613	{	651	{
		652	if (sshpam_account_status != -1)
		653	return (sshpam_account_status);
		654
614	sshpam_err = pam_acct_mgmt(sshpam_handle, 0);	655	sshpam_err = pam_acct_mgmt(sshpam_handle, 0);
615	debug3("%s: pam_acct_mgmt = %d", __func__, sshpam_err);	656	debug3("%s: pam_acct_mgmt = %d", __func__, sshpam_err);
616		657
617	if (sshpam_err != PAM_SUCCESS && sshpam_err != PAM_NEW_AUTHTOK_REQD)	658	if (sshpam_err != PAM_SUCCESS && sshpam_err != PAM_NEW_AUTHTOK_REQD) {
618	return (0);	659	sshpam_account_status = 0;
619		660	return (sshpam_account_status);
620	if (sshpam_err == PAM_NEW_AUTHTOK_REQD) {
621	sshpam_new_authtok_reqd = 1;
622
623	/* Prevent forwardings until password changed */
624	no_port_forwarding_flag \|= 2;
625	no_agent_forwarding_flag \|= 2;
626	no_x11_forwarding_flag \|= 2;
627	}	661	}
628		662
629	return (1);	663	if (sshpam_err == PAM_NEW_AUTHTOK_REQD)
		664	pam_password_change_required(1);
		665
		666	sshpam_account_status = 1;
		667	return (sshpam_account_status);
630	}	668	}
631		669
632	void	670	void