Diffstat (limited to 'auth-pam.c')
-rw-r--r-- | auth-pam.c | 29 |
1 files changed, 17 insertions, 12 deletions
diff --git a/auth-pam.c b/auth-pam.c index ea361f171..6f2264c5d 100644 --- a/auth-pam.c +++ b/auth-pam.c | |||
@@ -31,7 +31,7 @@ | |||
31 | 31 | ||
32 | /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */ | 32 | /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */ |
33 | #include "includes.h" | 33 | #include "includes.h" |
34 | RCSID("$Id: auth-pam.c,v 1.97 2004/03/04 09:03:54 dtucker Exp $"); | 34 | RCSID("$Id: auth-pam.c,v 1.98 2004/03/08 12:04:06 dtucker Exp $"); |
35 | 35 | ||
36 | #ifdef USE_PAM | 36 | #ifdef USE_PAM |
37 | #if defined(HAVE_SECURITY_PAM_APPL_H) | 37 | #if defined(HAVE_SECURITY_PAM_APPL_H) |
@@ -160,7 +160,7 @@ static int sshpam_session_open = 0; | |||
160 | static int sshpam_cred_established = 0; | 160 | static int sshpam_cred_established = 0; |
161 | static int sshpam_account_status = -1; | 161 | static int sshpam_account_status = -1; |
162 | static char **sshpam_env = NULL; | 162 | static char **sshpam_env = NULL; |
163 | static int *force_pwchange; | 163 | static Authctxt *the_authctxt = NULL; |
164 | 164 | ||
165 | /* Some PAM implementations don't implement this */ | 165 | /* Some PAM implementations don't implement this */ |
166 | #ifndef HAVE_PAM_GETENVLIST | 166 | #ifndef HAVE_PAM_GETENVLIST |
@@ -180,7 +180,9 @@ void | |||
180 | pam_password_change_required(int reqd) | 180 | pam_password_change_required(int reqd) |
181 | { | 181 | { |
182 | debug3("%s %d", __func__, reqd); | 182 | debug3("%s %d", __func__, reqd); |
183 | *force_pwchange = reqd; | 183 | if (the_authctxt == NULL) |
184 | fatal("%s: PAM authctxt not initialized", __func__); | ||
185 | the_authctxt->force_pwchange = reqd; | ||
184 | if (reqd) { | 186 | if (reqd) { |
185 | no_port_forwarding_flag |= 2; | 187 | no_port_forwarding_flag |= 2; |
186 | no_agent_forwarding_flag |= 2; | 188 | no_agent_forwarding_flag |= 2; |
@@ -339,6 +341,9 @@ sshpam_thread(void *ctxtp) | |||
339 | sshpam_conv.conv = sshpam_thread_conv; | 341 | sshpam_conv.conv = sshpam_thread_conv; |
340 | sshpam_conv.appdata_ptr = ctxt; | 342 | sshpam_conv.appdata_ptr = ctxt; |
341 | 343 | ||
344 | if (the_authctxt == NULL) | ||
345 | fatal("%s: PAM authctxt not initialized", __func__); | ||
346 | |||
342 | buffer_init(&buffer); | 347 | buffer_init(&buffer); |
343 | sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, | 348 | sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, |
344 | (const void *)&sshpam_conv); | 349 | (const void *)&sshpam_conv); |
@@ -351,7 +356,7 @@ sshpam_thread(void *ctxtp) | |||
351 | if (compat20) { | 356 | if (compat20) { |
352 | if (!do_pam_account()) | 357 | if (!do_pam_account()) |
353 | goto auth_fail; | 358 | goto auth_fail; |
354 | if (*force_pwchange) { | 359 | if (the_authctxt->force_pwchange) { |
355 | sshpam_err = pam_chauthtok(sshpam_handle, | 360 | sshpam_err = pam_chauthtok(sshpam_handle, |
356 | PAM_CHANGE_EXPIRED_AUTHTOK); | 361 | PAM_CHANGE_EXPIRED_AUTHTOK); |
357 | if (sshpam_err != PAM_SUCCESS) | 362 | if (sshpam_err != PAM_SUCCESS) |
@@ -365,7 +370,7 @@ sshpam_thread(void *ctxtp) | |||
365 | #ifndef USE_POSIX_THREADS | 370 | #ifndef USE_POSIX_THREADS |
366 | /* Export variables set by do_pam_account */ | 371 | /* Export variables set by do_pam_account */ |
367 | buffer_put_int(&buffer, sshpam_account_status); | 372 | buffer_put_int(&buffer, sshpam_account_status); |
368 | buffer_put_int(&buffer, *force_pwchange); | 373 | buffer_put_int(&buffer, the_authctxt->force_pwchange); |
369 | 374 | ||
370 | /* Export any environment strings set in child */ | 375 | /* Export any environment strings set in child */ |
371 | for(i = 0; environ[i] != NULL; i++) | 376 | for(i = 0; environ[i] != NULL; i++) |
@@ -446,11 +451,11 @@ sshpam_cleanup(void) | |||
446 | } | 451 | } |
447 | 452 | ||
448 | static int | 453 | static int |
449 | sshpam_init(const char *user) | 454 | sshpam_init(Authctxt *authctxt) |
450 | { | 455 | { |
451 | extern u_int utmp_len; | 456 | extern u_int utmp_len; |
452 | extern char *__progname; | 457 | extern char *__progname; |
453 | const char *pam_rhost, *pam_user; | 458 | const char *pam_rhost, *pam_user, *user = authctxt->user; |
454 | 459 | ||
455 | if (sshpam_handle != NULL) { | 460 | if (sshpam_handle != NULL) { |
456 | /* We already have a PAM context; check if the user matches */ | 461 | /* We already have a PAM context; check if the user matches */ |
@@ -464,6 +469,8 @@ sshpam_init(const char *user) | |||
464 | debug("PAM: initializing for \"%s\"", user); | 469 | debug("PAM: initializing for \"%s\"", user); |
465 | sshpam_err = | 470 | sshpam_err = |
466 | pam_start(SSHD_PAM_SERVICE, user, &null_conv, &sshpam_handle); | 471 | pam_start(SSHD_PAM_SERVICE, user, &null_conv, &sshpam_handle); |
472 | the_authctxt = authctxt; | ||
473 | |||
467 | if (sshpam_err != PAM_SUCCESS) { | 474 | if (sshpam_err != PAM_SUCCESS) { |
468 | pam_end(sshpam_handle, sshpam_err); | 475 | pam_end(sshpam_handle, sshpam_err); |
469 | sshpam_handle = NULL; | 476 | sshpam_handle = NULL; |
@@ -506,7 +513,7 @@ sshpam_init_ctx(Authctxt *authctxt) | |||
506 | return NULL; | 513 | return NULL; |
507 | 514 | ||
508 | /* Initialize PAM */ | 515 | /* Initialize PAM */ |
509 | if (sshpam_init(authctxt->user) == -1) { | 516 | if (sshpam_init(authctxt) == -1) { |
510 | error("PAM: initialization failed"); | 517 | error("PAM: initialization failed"); |
511 | return (NULL); | 518 | return (NULL); |
512 | } | 519 | } |
@@ -514,8 +521,6 @@ sshpam_init_ctx(Authctxt *authctxt) | |||
514 | ctxt = xmalloc(sizeof *ctxt); | 521 | ctxt = xmalloc(sizeof *ctxt); |
515 | memset(ctxt, 0, sizeof(*ctxt)); | 522 | memset(ctxt, 0, sizeof(*ctxt)); |
516 | 523 | ||
517 | force_pwchange = &(authctxt->force_pwchange); | ||
518 | |||
519 | /* Start the authentication thread */ | 524 | /* Start the authentication thread */ |
520 | if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC, socks) == -1) { | 525 | if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC, socks) == -1) { |
521 | error("PAM: failed create sockets: %s", strerror(errno)); | 526 | error("PAM: failed create sockets: %s", strerror(errno)); |
@@ -674,12 +679,12 @@ KbdintDevice mm_sshpam_device = { | |||
674 | * This replaces auth-pam.c | 679 | * This replaces auth-pam.c |
675 | */ | 680 | */ |
676 | void | 681 | void |
677 | start_pam(const char *user) | 682 | start_pam(Authctxt *authctxt) |
678 | { | 683 | { |
679 | if (!options.use_pam) | 684 | if (!options.use_pam) |
680 | fatal("PAM: initialisation requested when UsePAM=no"); | 685 | fatal("PAM: initialisation requested when UsePAM=no"); |
681 | 686 | ||
682 | if (sshpam_init(user) == -1) | 687 | if (sshpam_init(authctxt) == -1) |
683 | fatal("PAM: initialisation failed"); | 688 | fatal("PAM: initialisation failed"); |
684 | } | 689 | } |
685 | 690 | ||
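Review bot: In sshpam_init (hunk at new line 472) `the_authctxt = authctxt;` is only reached on the fresh pam_start path, so the early-return branch behind `if (sshpam_handle != NULL)` (the "already have a PAM context" case at new line 460) leaves the global pointing at whatever Authctxt was passed the first time; if a caller can reach that path with a different Authctxt, pam_password_change_required() and sshpam_thread() would then update and read the wrong force_pwchange. It is also assigned between pam_start() and its `sshpam_err != PAM_SUCCESS` check, so the global is left set even when initialisation fails and sshpam_handle is reset to NULL. Moving the one line `the_authctxt = authctxt;` ahead of the `if (sshpam_handle != NULL)` check would keep the global current on both paths; the rest of sshpam_init, including the early-return body, lies outside these hunks. Worth noting in a comment on the new global at line 163 that the NULL guards in pam_password_change_required() and sshpam_thread() only catch the never-initialised case, and nothing in this diff clears the_authctxt when the Authctxt it points at is released, e.g. `/* Set by sshpam_init(); not cleared on teardown -- callers must ensure the Authctxt outlives the PAM context */`.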