summaryrefslogtreecommitdiff
path: root/auth-pam.c
diff options
context:
space:
mode:
Diffstat (limited to 'auth-pam.c')
-rw-r--r--auth-pam.c26
1 files changed, 24 insertions, 2 deletions
diff --git a/auth-pam.c b/auth-pam.c
index f31641c28..22807f1a9 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -29,6 +29,7 @@
29#include "xmalloc.h" 29#include "xmalloc.h"
30#include "log.h" 30#include "log.h"
31#include "auth.h" 31#include "auth.h"
32#include "auth-options.h"
32#include "auth-pam.h" 33#include "auth-pam.h"
33#include "servconf.h" 34#include "servconf.h"
34#include "canohost.h" 35#include "canohost.h"
@@ -36,10 +37,14 @@
36 37
37extern char *__progname; 38extern char *__progname;
38 39
39RCSID("$Id: auth-pam.c,v 1.48 2002/07/21 17:26:54 stevesk Exp $"); 40extern int use_privsep;
41
42RCSID("$Id: auth-pam.c,v 1.49 2002/07/21 17:57:01 stevesk Exp $");
40 43
41#define NEW_AUTHTOK_MSG \ 44#define NEW_AUTHTOK_MSG \
42 "Warning: Your password has expired, please change it now." 45 "Warning: Your password has expired, please change it now."
46#define NEW_AUTHTOK_MSG_PRIVSEP \
47 "Your password has expired, the session cannot proceed."
43 48
44static int do_pam_conversation(int num_msg, const struct pam_message **msg, 49static int do_pam_conversation(int num_msg, const struct pam_message **msg,
45 struct pam_response **resp, void *appdata_ptr); 50 struct pam_response **resp, void *appdata_ptr);
@@ -254,9 +259,14 @@ int do_pam_account(char *username, char *remote_user)
254 break; 259 break;
255#if 0 260#if 0
256 case PAM_NEW_AUTHTOK_REQD: 261 case PAM_NEW_AUTHTOK_REQD:
257 message_cat(&__pam_msg, NEW_AUTHTOK_MSG); 262 message_cat(&__pam_msg, use_privsep ?
263 NEW_AUTHTOK_MSG_PRIVSEP : NEW_AUTHTOK_MSG);
258 /* flag that password change is necessary */ 264 /* flag that password change is necessary */
259 password_change_required = 1; 265 password_change_required = 1;
266 /* disallow other functionality for now */
267 no_port_forwarding_flag |= 2;
268 no_agent_forwarding_flag |= 2;
269 no_x11_forwarding_flag |= 2;
260 break; 270 break;
261#endif 271#endif
262 default: 272 default:
@@ -335,11 +345,23 @@ void do_pam_chauthtok(void)
335 do_pam_set_conv(&conv); 345 do_pam_set_conv(&conv);
336 346
337 if (password_change_required) { 347 if (password_change_required) {
348 if (use_privsep)
349 fatal("Password changing is currently unsupported"
350 " with privilege separation");
338 pamstate = OTHER; 351 pamstate = OTHER;
339 pam_retval = pam_chauthtok(__pamh, PAM_CHANGE_EXPIRED_AUTHTOK); 352 pam_retval = pam_chauthtok(__pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
340 if (pam_retval != PAM_SUCCESS) 353 if (pam_retval != PAM_SUCCESS)
341 fatal("PAM pam_chauthtok failed[%d]: %.200s", 354 fatal("PAM pam_chauthtok failed[%d]: %.200s",
342 pam_retval, PAM_STRERROR(__pamh, pam_retval)); 355 pam_retval, PAM_STRERROR(__pamh, pam_retval));
356#if 0
357 /* XXX: This would need to be done in the parent process,
358 * but there's currently no way to pass such request. */
359 no_port_forwarding_flag &= ~2;
360 no_agent_forwarding_flag &= ~2;
361 no_x11_forwarding_flag &= ~2;
362 if (!no_port_forwarding_flag && options.allow_tcp_forwarding)
363 channel_permit_all_opens();
364#endif
343 } 365 }
344} 366}
345 367