- (dtucker) [auth-pam.c auth-pam.h session.c] Bug #14: Use do_pwchange to
   change expired PAM passwords for SSHv1 connections without privsep.
   pam_chauthtok is still used when privsep is disabled.  ok djm@
diff --git a/auth-pam.c b/auth-pam.c
index 0e2725b..562fb01 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -31,7 +31,7 @@
 
 /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */
 #include "includes.h"
-RCSID("$Id: auth-pam.c,v 1.92 2004/01/14 13:15:08 dtucker Exp $");
+RCSID("$Id: auth-pam.c,v 1.93 2004/02/10 02:23:29 dtucker Exp $");
 
 #ifdef USE_PAM
 #if defined(HAVE_SECURITY_PAM_APPL_H)
@@ -155,11 +155,11 @@
 static pam_handle_t *sshpam_handle = NULL;
 static int sshpam_err = 0;
 static int sshpam_authenticated = 0;
-static int sshpam_new_authtok_reqd = 0;
 static int sshpam_session_open = 0;
 static int sshpam_cred_established = 0;
 static int sshpam_account_status = -1;
 static char **sshpam_env = NULL;
+static int *force_pwchange;
 
 /* Some PAM implementations don't implement this */
 #ifndef HAVE_PAM_GETENVLIST
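Review bot: `force_pwchange` is a file-scope pointer with no initializer, so it stays NULL until the assignment added in the `@@ -511,6 +511,8 @@` hunk runs, yet the new code dereferences it unconditionally. The dereferences are in `pam_password_change_required()` (`*force_pwchange = reqd;`), in the `compat20` branch (`if (*force_pwchange)`) and in `buffer_put_int(&buffer, *force_pwchange);`. That assignment is the only one visible in this diff, so any caller that reaches `pam_password_change_required()` before it (to be confirmed against the other authentication paths) would write through NULL and kill the authentication process instead of recording the forced change. I would guard the setter with `if (force_pwchange == NULL) fatal("%s: PAM authctxt not initialized", __func__);`, or set the pointer where the PAM handle is first created. A comment on the declaration such as `/* points at authctxt->force_pwchange; valid only after the auth context is bound */` would document the lifetime dependency.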
@@ -179,7 +179,7 @@
 pam_password_change_required(int reqd)
 {
 	debug3("%s %d", __func__, reqd);
-	sshpam_new_authtok_reqd = reqd;
+	*force_pwchange = reqd;
 	if (reqd) {
 		no_port_forwarding_flag |= 2;
 		no_agent_forwarding_flag |= 2;
@@ -188,9 +188,9 @@
 		no_port_forwarding_flag &= ~2;
 		no_agent_forwarding_flag &= ~2;
 		no_x11_forwarding_flag &= ~2;
-
 	}
 }
+
 /* Import regular and PAM environment from subprocess */
 static void
 import_environments(Buffer *b)
@@ -348,7 +348,7 @@
 	if (compat20) {
 		if (!do_pam_account())
 			goto auth_fail;
-		if (sshpam_new_authtok_reqd) {
+		if (*force_pwchange) {
 			sshpam_err = pam_chauthtok(sshpam_handle,
 			    PAM_CHANGE_EXPIRED_AUTHTOK);
 			if (sshpam_err != PAM_SUCCESS)
@@ -362,7 +362,7 @@
 #ifndef USE_POSIX_THREADS
 	/* Export variables set by do_pam_account */
 	buffer_put_int(&buffer, sshpam_account_status);
-	buffer_put_int(&buffer, sshpam_new_authtok_reqd);
+	buffer_put_int(&buffer, *force_pwchange);
 
 	/* Export any environment strings set in child */
 	for(i = 0; environ[i] != NULL; i++)
@@ -437,7 +437,7 @@
 		pam_close_session(sshpam_handle, PAM_SILENT);
 		sshpam_session_open = 0;
 	}
-	sshpam_authenticated = sshpam_new_authtok_reqd = 0;
+	sshpam_authenticated = 0;
 	pam_end(sshpam_handle, sshpam_err);
 	sshpam_handle = NULL;
 }
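Review bot: This teardown path clears `sshpam_authenticated` and `sshpam_handle`, but after the change it leaves `force_pwchange` pointing at `authctxt->force_pwchange`, an object whose lifetime this file does not control. If the Authctxt can be freed or replaced before PAM is used again (not visible here), a later `*force_pwchange` would read or write stale memory. Adding `force_pwchange = NULL;` next to `sshpam_handle = NULL;` would make that case fail predictably, provided the dereference sites check for NULL. The enclosing function starts outside the hunk.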
@@ -511,6 +511,8 @@
 	ctxt = xmalloc(sizeof *ctxt);
 	memset(ctxt, 0, sizeof(*ctxt));
 
+	force_pwchange = &(authctxt->force_pwchange);
+
 	/* Start the authentication thread */
 	if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC, socks) == -1) {
 		error("PAM: failed create sockets: %s", strerror(errno));
@@ -744,12 +746,6 @@
 		    pam_strerror(sshpam_handle, sshpam_err));
 }
 
-int
-is_pam_password_change_required(void)
-{
-	return (sshpam_new_authtok_reqd);
-}
-
 static int
 pam_tty_conv(int n, const struct pam_message **msg,
     struct pam_response **resp, void *data)
@@ -828,6 +824,7 @@
 void
 do_pam_session(void)
 {
+	debug3("PAM: opening session");
 	sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
 	    (const void *)&tty_conv);
 	if (sshpam_err != PAM_SUCCESS)
@@ -864,12 +861,6 @@
 	return (ret);
 }
 
-void
-print_pam_messages(void)
-{
-	/* XXX */
-}
-
 char **
 fetch_pam_child_environment(void)
 {