Diffstat (limited to 'auth-pam.c')
-rw-r--r-- | auth-pam.c | 60 |
1 files changed, 30 insertions, 30 deletions
diff --git a/auth-pam.c b/auth-pam.c index 122896c7f..ab985d15b 100644 --- a/auth-pam.c +++ b/auth-pam.c | |||
@@ -32,7 +32,7 @@ | |||
32 | #include "canohost.h" | 32 | #include "canohost.h" |
33 | #include "readpass.h" | 33 | #include "readpass.h" |
34 | 34 | ||
35 | RCSID("$Id: auth-pam.c,v 1.23 2001/02/04 12:20:19 djm Exp $"); | 35 | RCSID("$Id: auth-pam.c,v 1.24 2001/02/05 12:42:17 stevesk Exp $"); |
36 | 36 | ||
37 | #define NEW_AUTHTOK_MSG \ | 37 | #define NEW_AUTHTOK_MSG \ |
38 | "Warning: Your password has expired, please change it now" | 38 | "Warning: Your password has expired, please change it now" |
@@ -97,7 +97,7 @@ static int pamconv(int num_msg, const struct pam_message **msg, | |||
97 | /* PAM will free this later */ | 97 | /* PAM will free this later */ |
98 | reply = malloc(num_msg * sizeof(*reply)); | 98 | reply = malloc(num_msg * sizeof(*reply)); |
99 | if (reply == NULL) | 99 | if (reply == NULL) |
100 | return PAM_CONV_ERR; | 100 | return PAM_CONV_ERR; |
101 | 101 | ||
102 | for (count = 0; count < num_msg; count++) { | 102 | for (count = 0; count < num_msg; count++) { |
103 | switch(PAM_MSG_MEMBER(msg, count, msg_style)) { | 103 | switch(PAM_MSG_MEMBER(msg, count, msg_style)) { |
@@ -120,7 +120,7 @@ static int pamconv(int num_msg, const struct pam_message **msg, | |||
120 | } | 120 | } |
121 | reply[count].resp = xstrdup(pampasswd); | 121 | reply[count].resp = xstrdup(pampasswd); |
122 | } else { | 122 | } else { |
123 | reply[count].resp = | 123 | reply[count].resp = |
124 | xstrdup(read_passphrase(PAM_MSG_MEMBER(msg, count, msg), 1)); | 124 | xstrdup(read_passphrase(PAM_MSG_MEMBER(msg, count, msg), 1)); |
125 | } | 125 | } |
126 | reply[count].resp_retcode = PAM_SUCCESS; | 126 | reply[count].resp_retcode = PAM_SUCCESS; |
@@ -158,19 +158,19 @@ void pam_cleanup_proc(void *context) | |||
158 | { | 158 | { |
159 | pam_retval = pam_close_session(pamh, 0); | 159 | pam_retval = pam_close_session(pamh, 0); |
160 | if (pam_retval != PAM_SUCCESS) { | 160 | if (pam_retval != PAM_SUCCESS) { |
161 | log("Cannot close PAM session[%d]: %.200s", | 161 | log("Cannot close PAM session[%d]: %.200s", |
162 | pam_retval, PAM_STRERROR(pamh, pam_retval)); | 162 | pam_retval, PAM_STRERROR(pamh, pam_retval)); |
163 | } | 163 | } |
164 | 164 | ||
165 | pam_retval = pam_setcred(pamh, PAM_DELETE_CRED); | 165 | pam_retval = pam_setcred(pamh, PAM_DELETE_CRED); |
166 | if (pam_retval != PAM_SUCCESS) { | 166 | if (pam_retval != PAM_SUCCESS) { |
167 | debug("Cannot delete credentials[%d]: %.200s", | 167 | debug("Cannot delete credentials[%d]: %.200s", |
168 | pam_retval, PAM_STRERROR(pamh, pam_retval)); | 168 | pam_retval, PAM_STRERROR(pamh, pam_retval)); |
169 | } | 169 | } |
170 | 170 | ||
171 | pam_retval = pam_end(pamh, pam_retval); | 171 | pam_retval = pam_end(pamh, pam_retval); |
172 | if (pam_retval != PAM_SUCCESS) { | 172 | if (pam_retval != PAM_SUCCESS) { |
173 | log("Cannot release PAM authentication[%d]: %.200s", | 173 | log("Cannot release PAM authentication[%d]: %.200s", |
174 | pam_retval, PAM_STRERROR(pamh, pam_retval)); | 174 | pam_retval, PAM_STRERROR(pamh, pam_retval)); |
175 | } | 175 | } |
176 | } | 176 | } |
@@ -193,15 +193,15 @@ int auth_pam_password(struct passwd *pw, const char *password) | |||
193 | return 0; | 193 | return 0; |
194 | 194 | ||
195 | pampasswd = password; | 195 | pampasswd = password; |
196 | 196 | ||
197 | pamstate = INITIAL_LOGIN; | 197 | pamstate = INITIAL_LOGIN; |
198 | pam_retval = do_pam_authenticate(0); | 198 | pam_retval = do_pam_authenticate(0); |
199 | if (pam_retval == PAM_SUCCESS) { | 199 | if (pam_retval == PAM_SUCCESS) { |
200 | debug("PAM Password authentication accepted for user \"%.100s\"", | 200 | debug("PAM Password authentication accepted for user \"%.100s\"", |
201 | pw->pw_name); | 201 | pw->pw_name); |
202 | return 1; | 202 | return 1; |
203 | } else { | 203 | } else { |
204 | debug("PAM Password authentication for \"%.100s\" failed[%d]: %s", | 204 | debug("PAM Password authentication for \"%.100s\" failed[%d]: %s", |
205 | pw->pw_name, pam_retval, PAM_STRERROR(pamh, pam_retval)); | 205 | pw->pw_name, pam_retval, PAM_STRERROR(pamh, pam_retval)); |
206 | return 0; | 206 | return 0; |
207 | } | 207 | } |
@@ -212,13 +212,13 @@ int do_pam_account(char *username, char *remote_user) | |||
212 | { | 212 | { |
213 | int pam_retval; | 213 | int pam_retval; |
214 | extern ServerOptions options; | 214 | extern ServerOptions options; |
215 | 215 | ||
216 | debug("PAM setting rhost to \"%.200s\"", | 216 | debug("PAM setting rhost to \"%.200s\"", |
217 | get_canonical_hostname(options.reverse_mapping_check)); | 217 | get_canonical_hostname(options.reverse_mapping_check)); |
218 | pam_retval = pam_set_item(pamh, PAM_RHOST, | 218 | pam_retval = pam_set_item(pamh, PAM_RHOST, |
219 | get_canonical_hostname(options.reverse_mapping_check)); | 219 | get_canonical_hostname(options.reverse_mapping_check)); |
220 | if (pam_retval != PAM_SUCCESS) { | 220 | if (pam_retval != PAM_SUCCESS) { |
221 | fatal("PAM set rhost failed[%d]: %.200s", | 221 | fatal("PAM set rhost failed[%d]: %.200s", |
222 | pam_retval, PAM_STRERROR(pamh, pam_retval)); | 222 | pam_retval, PAM_STRERROR(pamh, pam_retval)); |
223 | } | 223 | } |
224 | 224 | ||
@@ -226,7 +226,7 @@ int do_pam_account(char *username, char *remote_user) | |||
226 | debug("PAM setting ruser to \"%.200s\"", remote_user); | 226 | debug("PAM setting ruser to \"%.200s\"", remote_user); |
227 | pam_retval = pam_set_item(pamh, PAM_RUSER, remote_user); | 227 | pam_retval = pam_set_item(pamh, PAM_RUSER, remote_user); |
228 | if (pam_retval != PAM_SUCCESS) { | 228 | if (pam_retval != PAM_SUCCESS) { |
229 | fatal("PAM set ruser failed[%d]: %.200s", | 229 | fatal("PAM set ruser failed[%d]: %.200s", |
230 | pam_retval, PAM_STRERROR(pamh, pam_retval)); | 230 | pam_retval, PAM_STRERROR(pamh, pam_retval)); |
231 | } | 231 | } |
232 | } | 232 | } |
@@ -242,11 +242,11 @@ int do_pam_account(char *username, char *remote_user) | |||
242 | password_change_required = 1; | 242 | password_change_required = 1; |
243 | break; | 243 | break; |
244 | default: | 244 | default: |
245 | log("PAM rejected by account configuration[%d]: %.200s", | 245 | log("PAM rejected by account configuration[%d]: %.200s", |
246 | pam_retval, PAM_STRERROR(pamh, pam_retval)); | 246 | pam_retval, PAM_STRERROR(pamh, pam_retval)); |
247 | return(0); | 247 | return(0); |
248 | } | 248 | } |
249 | 249 | ||
250 | return(1); | 250 | return(1); |
251 | } | 251 | } |
252 | 252 | ||
@@ -259,31 +259,31 @@ void do_pam_session(char *username, const char *ttyname) | |||
259 | debug("PAM setting tty to \"%.200s\"", ttyname); | 259 | debug("PAM setting tty to \"%.200s\"", ttyname); |
260 | pam_retval = pam_set_item(pamh, PAM_TTY, ttyname); | 260 | pam_retval = pam_set_item(pamh, PAM_TTY, ttyname); |
261 | if (pam_retval != PAM_SUCCESS) { | 261 | if (pam_retval != PAM_SUCCESS) { |
262 | fatal("PAM set tty failed[%d]: %.200s", | 262 | fatal("PAM set tty failed[%d]: %.200s", |
263 | pam_retval, PAM_STRERROR(pamh, pam_retval)); | 263 | pam_retval, PAM_STRERROR(pamh, pam_retval)); |
264 | } | 264 | } |
265 | } | 265 | } |
266 | 266 | ||
267 | pam_retval = pam_open_session(pamh, 0); | 267 | pam_retval = pam_open_session(pamh, 0); |
268 | if (pam_retval != PAM_SUCCESS) { | 268 | if (pam_retval != PAM_SUCCESS) { |
269 | fatal("PAM session setup failed[%d]: %.200s", | 269 | fatal("PAM session setup failed[%d]: %.200s", |
270 | pam_retval, PAM_STRERROR(pamh, pam_retval)); | 270 | pam_retval, PAM_STRERROR(pamh, pam_retval)); |
271 | } | 271 | } |
272 | } | 272 | } |
273 | 273 | ||
274 | /* Set PAM credentials */ | 274 | /* Set PAM credentials */ |
275 | void do_pam_setcred(void) | 275 | void do_pam_setcred(void) |
276 | { | 276 | { |
277 | int pam_retval; | 277 | int pam_retval; |
278 | 278 | ||
279 | debug("PAM establishing creds"); | 279 | debug("PAM establishing creds"); |
280 | pam_retval = pam_setcred(pamh, PAM_ESTABLISH_CRED); | 280 | pam_retval = pam_setcred(pamh, PAM_ESTABLISH_CRED); |
281 | if (pam_retval != PAM_SUCCESS) { | 281 | if (pam_retval != PAM_SUCCESS) { |
282 | if(was_authenticated) { | 282 | if(was_authenticated) { |
283 | fatal("PAM setcred failed[%d]: %.200s", | 283 | fatal("PAM setcred failed[%d]: %.200s", |
284 | pam_retval, PAM_STRERROR(pamh, pam_retval)); | 284 | pam_retval, PAM_STRERROR(pamh, pam_retval)); |
285 | } else { | 285 | } else { |
286 | debug("PAM setcred failed[%d]: %.200s", | 286 | debug("PAM setcred failed[%d]: %.200s", |
287 | pam_retval, PAM_STRERROR(pamh, pam_retval)); | 287 | pam_retval, PAM_STRERROR(pamh, pam_retval)); |
288 | } | 288 | } |
289 | } | 289 | } |
@@ -295,7 +295,7 @@ int pam_password_change_required(void) | |||
295 | return password_change_required; | 295 | return password_change_required; |
296 | } | 296 | } |
297 | 297 | ||
298 | /* | 298 | /* |
299 | * Have user change authentication token if pam_acct_mgmt() indicated | 299 | * Have user change authentication token if pam_acct_mgmt() indicated |
300 | * it was expired. This needs to be called after an interactive | 300 | * it was expired. This needs to be called after an interactive |
301 | * session is established and the user's pty is connected to | 301 | * session is established and the user's pty is connected to |
@@ -313,7 +313,7 @@ void do_pam_chauthtok(void) | |||
313 | do { | 313 | do { |
314 | pam_retval = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK); | 314 | pam_retval = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK); |
315 | if (pam_retval != PAM_SUCCESS) { | 315 | if (pam_retval != PAM_SUCCESS) { |
316 | log("PAM pam_chauthtok failed[%d]: %.200s", | 316 | log("PAM pam_chauthtok failed[%d]: %.200s", |
317 | pam_retval, PAM_STRERROR(pamh, pam_retval)); | 317 | pam_retval, PAM_STRERROR(pamh, pam_retval)); |
318 | } | 318 | } |
319 | } while (pam_retval != PAM_SUCCESS); | 319 | } while (pam_retval != PAM_SUCCESS); |
@@ -337,21 +337,21 @@ void start_pam(const char *user) | |||
337 | pam_retval = pam_start(SSHD_PAM_SERVICE, user, &conv, &pamh); | 337 | pam_retval = pam_start(SSHD_PAM_SERVICE, user, &conv, &pamh); |
338 | 338 | ||
339 | if (pam_retval != PAM_SUCCESS) { | 339 | if (pam_retval != PAM_SUCCESS) { |
340 | fatal("PAM initialisation failed[%d]: %.200s", | 340 | fatal("PAM initialisation failed[%d]: %.200s", |
341 | pam_retval, PAM_STRERROR(pamh, pam_retval)); | 341 | pam_retval, PAM_STRERROR(pamh, pam_retval)); |
342 | } | 342 | } |
343 | 343 | ||
344 | #ifdef PAM_TTY_KLUDGE | 344 | #ifdef PAM_TTY_KLUDGE |
345 | /* | 345 | /* |
346 | * Some PAM modules (e.g. pam_time) require a TTY to operate, | 346 | * Some PAM modules (e.g. pam_time) require a TTY to operate, |
347 | * and will fail in various stupid ways if they don't get one. | 347 | * and will fail in various stupid ways if they don't get one. |
348 | * sshd doesn't set the tty until too late in the auth process and may | 348 | * sshd doesn't set the tty until too late in the auth process and may |
349 | * not even need one (for tty-less connections) | 349 | * not even need one (for tty-less connections) |
350 | * Kludge: Set a fake PAM_TTY | 350 | * Kludge: Set a fake PAM_TTY |
351 | */ | 351 | */ |
352 | pam_retval = pam_set_item(pamh, PAM_TTY, "ssh"); | 352 | pam_retval = pam_set_item(pamh, PAM_TTY, "ssh"); |
353 | if (pam_retval != PAM_SUCCESS) { | 353 | if (pam_retval != PAM_SUCCESS) { |
354 | fatal("PAM set tty failed[%d]: %.200s", | 354 | fatal("PAM set tty failed[%d]: %.200s", |
355 | pam_retval, PAM_STRERROR(pamh, pam_retval)); | 355 | pam_retval, PAM_STRERROR(pamh, pam_retval)); |
356 | } | 356 | } |
357 | #endif /* PAM_TTY_KLUDGE */ | 357 | #endif /* PAM_TTY_KLUDGE */ |
@@ -383,9 +383,9 @@ void pam_msg_cat(const char *msg) | |||
383 | char *p; | 383 | char *p; |
384 | size_t new_msg_len; | 384 | size_t new_msg_len; |
385 | size_t pam_msg_len; | 385 | size_t pam_msg_len; |
386 | 386 | ||
387 | new_msg_len = strlen(msg); | 387 | new_msg_len = strlen(msg); |
388 | 388 | ||
389 | if (pam_msg) { | 389 | if (pam_msg) { |
390 | pam_msg_len = strlen(pam_msg); | 390 | pam_msg_len = strlen(pam_msg); |
391 | pam_msg = xrealloc(pam_msg, new_msg_len + pam_msg_len + 2); | 391 | pam_msg = xrealloc(pam_msg, new_msg_len + pam_msg_len + 2); |