- Prepare for 1.2.1pre20
19991225
- More fixes from Andre Lucas <andre.lucas@dial.pipex.com>
- Cleanup of auth-passwd.c for shadow and MD5 passwords
- Cleanup and bugfix of PAM authentication code
19991223
- Merged later HPUX patch from Andre Lucas
<andre.lucas@dial.pipex.com>
- Above patch included better utmpx support from Ben Taylor
<bent@clark.net>:
diff --git a/ChangeLog b/ChangeLog
index 256711e..394ebc8 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,14 @@
+19991225
+ - More fixes from Andre Lucas <andre.lucas@dial.pipex.com>
+ - Cleanup of auth-passwd.c for shadow and MD5 passwords
+ - Cleanup and bugfix of PAM authentication code
+
+19991223
+ - Merged later HPUX patch from Andre Lucas
+ <andre.lucas@dial.pipex.com>
+ - Above patch included better utmpx support from Ben Taylor
+ <bent@clark.net>:
+
19991222
- Fix undefined fd_set type in ssh.h from Povl H. Pedersen
<pope@netguide.dk>
diff --git a/acconfig.h b/acconfig.h
index b02abba..1e706ff 100644
--- a/acconfig.h
+++ b/acconfig.h
@@ -30,6 +30,9 @@
/* Define is utmpx.h has a ut_host field */
#undef HAVE_HOST_IN_UTMPX
+/* Define is utmpx.h has a syslen field */
+#undef HAVE_SYSLEN_IN_UTMPX
+
/* Define if you want to use utmpx */
#undef USE_UTMPX
@@ -63,6 +66,9 @@
/* Define if xauth is found in your path */
#undef XAUTH_PATH
+/* Define if rsh is found in your path */
+#undef RSH_PATH
+
/* Define if you want to allow MD5 passwords */
#undef HAVE_MD5_PASSWORDS
@@ -76,6 +82,9 @@
/* to pam_strerror */
#undef HAVE_OLD_PAM
+/* Set this to your mail directory if you don't have maillock.h */
+#undef MAIL_DIRECTORY
+
/* Data types */
#undef HAVE_QUAD_T
#undef HAVE_INTXX_T
@@ -197,36 +206,19 @@
# endif
#endif
-/* Use utmpx if supported */
-#if defined(HAVE_UTMPX_H) && defined(USE_UTMPX)
-# define UTMP_STR utmpx
-#else
-# ifdef HAVE_UTMP_H
-# define UTMP_STR utmp
-# endif
-#endif
-
#ifndef _PATH_UTMP
-# if defined(UTMPX_FILE) && defined(USE_UTMPX)
-# define _PATH_UTMP UTMPX_FILE
+# ifdef UTMP_FILE
+# define _PATH_UTMP UTMP_FILE
# else
-# ifdef UTMP_FILE
-# define _PATH_UTMP UTMP_FILE
-# else
-# define _PATH_UTMP "/var/adm/utmp"
-# endif
+# define _PATH_UTMP "/var/adm/utmp"
# endif
#endif
#ifndef _PATH_WTMP
-# if defined(WTMPX_FILE) && defined(USE_UTMPX)
-# define _PATH_WTMP WTMPX_FILE
+# ifdef WTMP_FILE
+# define _PATH_WTMP WTMP_FILE
# else
-# ifdef WTMP_FILE
-# define _PATH_WTMP WTMP_FILE
-# else
-# define _PATH_WTMP "/var/adm/wtmp"
-# endif
+# define _PATH_WTMP "/var/adm/wtmp"
# endif
#endif
@@ -242,16 +234,14 @@
# define _PATH_DEVNULL "/dev/null"
#endif
-#ifndef _PATH_MAILDIR
-# ifdef MAILDIR
-# define _PATH_MAILDIR MAILDIR
-# else
-# ifdef MAIL_DIRECTORY
-# define _PATH_MAILDIR MAIL_DIRECTORY
-# endif
-# endif
+#ifndef MAILDIR
+# define MAILDIR MAIL_DIRECTORY
#endif
+#if !defined(_PATH_MAILDIR) && defined(MAILDIR)
+# define _PATH_MAILDIR MAILDIR
+#endif /* !defined(_PATH_MAILDIR) && defined(MAILDIR) */
+
#ifndef MAX
# define MAX(a,b) (((a)>(b))?(a):(b))
# define MIN(a,b) (((a)<(b))?(a):(b))
@@ -287,3 +277,13 @@
#if !defined(HAVE_SETEUID) && defined(HAVE_SETREUID)
# define seteuid(a) setreuid(-1,a)
#endif /* !defined(HAVE_SETEUID) && defined(HAVE_SETREUID) */
+
+#ifndef HAVE_INNETGR
+# define innetgr(a,b,c,d) (0)
+#endif /* HAVE_INNETGR */
+
+#ifndef _PATH_RSH
+# ifdef RSH_PATH
+# define _PATH_RSH RSH_PATH
+# endif /* RSH_PATH */
+#endif /* _PATH_RSH */
diff --git a/auth-passwd.c b/auth-passwd.c
index fc0809e..058dde8 100644
--- a/auth-passwd.c
+++ b/auth-passwd.c
@@ -9,9 +9,9 @@
#include "includes.h"
-#ifndef HAVE_PAM
+#ifndef HAVE_LIBPAM
-RCSID("$Id: auth-passwd.c,v 1.10 1999/12/21 10:03:09 damien Exp $");
+RCSID("$Id: auth-passwd.c,v 1.11 1999/12/24 23:11:29 damien Exp $");
#include "packet.h"
#include "ssh.h"
@@ -35,6 +35,8 @@
{
extern ServerOptions options;
char *encrypted_password;
+ char *pw_password;
+ char *salt;
#ifdef HAVE_SHADOW_H
struct spwd *spw;
#endif
@@ -68,48 +70,35 @@
if (strcmp(password, "") == 0 && strcmp(pw->pw_passwd, "") == 0)
return 1;
+ pw_password = pw->pw_passwd;
+
#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
spw = getspnam(pw->pw_name);
- if (spw == NULL)
+ if (spw == NULL)
return(0);
- if ((spw->sp_namp == NULL) || (strcmp(pw->pw_name, spw->sp_namp) != 0))
- fatal("Shadow lookup returned garbage.");
-
/* Check for users with no password. */
if (strcmp(password, "") == 0 && strcmp(spw->sp_pwdp, "") == 0)
return 1;
- if (strlen(spw->sp_pwdp) < 3)
- return(0);
-
- /* Encrypt the candidate password using the proper salt. */
-#ifdef HAVE_MD5_PASSWORDS
- if (is_md5_salt(spw->sp_pwdp))
- encrypted_password = md5_crypt(password, spw->sp_pwdp);
- else
- encrypted_password = crypt(password, spw->sp_pwdp);
-#else /* HAVE_MD5_PASSWORDS */
- encrypted_password = crypt(password, spw->sp_pwdp);
-#endif /* HAVE_MD5_PASSWORDS */
- /* Authentication is accepted if the encrypted passwords are identical. */
- return (strcmp(encrypted_password, spw->sp_pwdp) == 0);
-#else /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */
-
- if (strlen(pw->pw_passwd) < 3)
- return(0);
-
-#ifdef HAVE_MD5_PASSWORDS
- if (is_md5_salt(pw->pw_passwd))
- encrypted_password = md5_crypt(password, pw->pw_passwd);
- else
- encrypted_password = crypt(password, pw->pw_passwd);
-#else /* HAVE_MD5_PASSWORDS */
- encrypted_password = crypt(password, pw->pw_passwd);
-#endif /* HAVE_MD5_PASSWORDS */
-
- /* Authentication is accepted if the encrypted passwords are identical. */
- return (strcmp(encrypted_password, pw->pw_passwd) == 0);
+ pw_password = spw->sp_pwdp;
#endif /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */
+
+ if (pw_password[0] != '\0')
+ salt = pw_password;
+ else
+ salt = "xx";
+
+#ifdef HAVE_MD5_PASSWORDS
+ if (is_md5_salt(salt))
+ encrypted_password = md5_crypt(password, salt);
+ else
+ encrypted_password = crypt(password, salt);
+#else /* HAVE_MD5_PASSWORDS */
+ encrypted_password = crypt(password, salt);
+#endif /* HAVE_MD5_PASSWORDS */
+
+ /* Authentication is accepted if the encrypted passwords are identical. */
+ return (strcmp(encrypted_password, pw_password) == 0);
}
-#endif /* !HAVE_PAM */
+#endif /* !HAVE_LIBPAM */
diff --git a/bsd-login.c b/bsd-login.c
index c0f4c1a..d81e469 100644
--- a/bsd-login.c
+++ b/bsd-login.c
@@ -54,53 +54,63 @@
#include <stdio.h>
#include <string.h>
+#if defined(HAVE_UTMPX_H) && defined(USE_UTMPX)
+void
+login(utp,utx)
+ struct utmp *utp;
+ struct utmpx *utx;
+#else /* defined(HAVE_UTMPX_H) && defined(USE_UTMPX) */
void
login(utp)
- struct UTMP_STR *utp;
+ struct utmp *utp;
+#endif /* defined(HAVE_UTMPX_H) && defined(USE_UTMPX) */
{
- struct UTMP_STR old_ut;
+ struct utmp old_ut;
+#if defined(HAVE_UTMPX_H) && defined(USE_UTMPX)
+ struct utmpx *old_utx;
+#endif /* defined(HAVE_UTMPX_H) && defined(USE_UTMPX) */
register int fd;
int tty;
#ifndef UT_LINESIZE
# define UT_LINESIZE (sizeof(old_ut.ut_line))
-# if defined(HAVE_UTMPX_H) && defined(USE_UTMPX)
-# define UT_NAMESIZE (sizeof(old_ut.ut_user))
-# else
-# define UT_NAMESIZE (sizeof(old_ut.ut_name))
-# endif
+# define UT_NAMESIZE (sizeof(old_ut.ut_name))
# ifdef HAVE_HOST_IN_UTMP
# define UT_HOSTSIZE (sizeof(old_ut.ut_host))
# endif
-# if defined(HAVE_HOST_IN_UTMPX) && defined(USE_UTMPX)
-# define UT_HOSTSIZE (sizeof(old_ut.ut_host))
-# endif
#endif
tty = ttyslot();
if (tty > 0 && (fd = open(_PATH_UTMP, O_RDWR|O_CREAT, 0644)) >= 0) {
-#if defined(HAVE_HOST_IN_UTMP) || defined(HAVE_HOST_IN_UTMPX)
- (void)lseek(fd, (off_t)(tty * sizeof(struct UTMP_STR)), SEEK_SET);
+#if defined(HAVE_HOST_IN_UTMP)
+ (void)lseek(fd, (off_t)(tty * sizeof(struct utmp)), SEEK_SET);
/*
* Prevent luser from zero'ing out ut_host.
* If the new ut_line is empty but the old one is not
* and ut_line and ut_name match, preserve the old ut_line.
*/
- if (read(fd, &old_ut, sizeof(struct UTMP_STR)) ==
- sizeof(struct UTMP_STR) && utp->ut_host[0] == '\0' &&
+ if (read(fd, &old_ut, sizeof(struct utmp)) ==
+ sizeof(struct utmp) && utp->ut_host[0] == '\0' &&
old_ut.ut_host[0] != '\0' &&
strncmp(old_ut.ut_line, utp->ut_line, UT_LINESIZE) == 0 &&
strncmp(old_ut.ut_name, utp->ut_name, UT_NAMESIZE) == 0)
(void)memcpy(utp->ut_host, old_ut.ut_host, UT_HOSTSIZE);
-#endif /* defined(HAVE_HOST_IN_UTMP) || defined(HAVE_HOST_IN_UTMPX) */
- (void)lseek(fd, (off_t)(tty * sizeof(struct UTMP_STR)), SEEK_SET);
- (void)write(fd, utp, sizeof(struct UTMP_STR));
+#endif /* defined(HAVE_HOST_IN_UTMP) */
+ (void)lseek(fd, (off_t)(tty * sizeof(struct utmp)), SEEK_SET);
+ (void)write(fd, utp, sizeof(struct utmp));
(void)close(fd);
}
if ((fd = open(_PATH_WTMP, O_WRONLY|O_APPEND, 0)) >= 0) {
- (void)write(fd, utp, sizeof(struct UTMP_STR));
+ (void)write(fd, utp, sizeof(struct utmp));
(void)close(fd);
}
+#if defined(HAVE_UTMPX_H) && defined(USE_UTMPX)
+ old_utx = pututxline(utx);
+# ifdef HAVE_UPDWTMPX
+ updwtmpx(_PATH_WTMPX, utx);
+# endif /* HAVE_UPDWTMPX */
+ endutxent();
+#endif /* defined(HAVE_UTMPX_H) && defined(USE_UTMPX) */
}
#endif /* HAVE_LOGIN */
diff --git a/bsd-login.h b/bsd-login.h
index 8891ae3..f26f470 100644
--- a/bsd-login.h
+++ b/bsd-login.h
@@ -1,13 +1,22 @@
#ifndef _BSD_LOGIN_H
-#define _BSD_LOGIN_H
+# define _BSD_LOGIN_H
-#include "config.h"
-#ifndef HAVE_LOGIN
+# include "config.h"
+# ifndef HAVE_LOGIN
-#include <utmp.h>
+# include <utmp.h>
-void login(struct UTMP_STR *utp);
+# if defined(HAVE_UTMPX_H) && defined(USE_UTMPX)
+# include <utmpx.h>
-#endif /* !HAVE_LOGIN */
+void login(struct utmp *utp, struct utmpx *utx);
+
+# else /* defined(HAVE_UTMPX_H) && defined(USE_UTMPX) */
+
+void login(struct utmp *utp);
+
+# endif /* defined(HAVE_UTMPX_H) && defined(USE_UTMPX) */
+
+# endif /* !HAVE_LOGIN */
#endif /* _BSD_LOGIN_H */
diff --git a/configure.in b/configure.in
index b5ffee7..7bb9627 100644
--- a/configure.in
+++ b/configure.in
@@ -9,10 +9,25 @@
AC_PROG_RANLIB
AC_PROG_INSTALL
AC_CHECK_PROG(AR, ar, ar)
-
-dnl Check for the path to xauth
AC_PATH_PROG(xauth_path, xauth)
-AC_DEFINE_UNQUOTED(XAUTH_PATH, "$xauth_path")
+
+dnl Use ip address instead of hostname in $DISPLAY
+AC_ARG_WITH(rsh,
+ [ --with-rsh=PATH Specify path to remote shell program ],
+ [
+ AC_DEFINE_UNQUOTED(RSH_PATH, "$withval")
+ ],
+ [
+ AC_PATH_PROG(rsh_path, rsh)
+ ]
+)
+
+if test ! -z "$xauth_path" ; then
+ AC_DEFINE_UNQUOTED(XAUTH_PATH, "$xauth_path")
+fi
+if test ! -z "$rsh_path" ; then
+ AC_DEFINE_UNQUOTED(RSH_PATH, "$rsh_path")
+fi
dnl Checks for compiler characteristics
if test "$GCC" = "yes"; then CFLAGS="$CFLAGS -Wall"; fi
@@ -27,6 +42,7 @@
fi
CFLAGS="$CFLAGS -D_HPUX_SOURCE"
AC_DEFINE(IPADDR_IN_DISPLAY)
+ AC_DEFINE(USE_UTMPX)
AC_MSG_CHECKING(for HPUX trusted system password database)
if test -f /tcb/files/auth/system/default; then
AC_MSG_RESULT(yes)
@@ -80,15 +96,22 @@
AC_CHECK_LIB(nsl, yp_match, , )
AC_CHECK_LIB(socket, main, , )
-dnl libdl is needed by PAM on Redhat systems
-AC_CHECK_LIB(dl, dlopen, , )
-AC_CHECK_LIB(pam, pam_authenticate, , )
+dnl Use ip address instead of hostname in $DISPLAY
+AC_ARG_WITH(pam,
+ [ --without-pam Disable PAM support ],
+ [
+ if test "x$withval" != "xno" ; then
+ AC_CHECK_LIB(dl, dlopen, , )
+ AC_CHECK_LIB(pam, pam_authenticate, , )
+ fi
+ ]
+)
dnl Checks for header files.
-AC_CHECK_HEADERS(endian.h lastlog.h login.h maillock.h netgroup.h paths.h poll.h pty.h shadow_h util.h utmp.h utmpx.h sys/bsdtty.h sys/poll.h sys/select.h sys/stropts.h sys/time.h)
+AC_CHECK_HEADERS(endian.h lastlog.h login.h maillock.h netgroup.h paths.h poll.h pty.h shadow.h util.h utmp.h utmpx.h sys/bsdtty.h sys/poll.h sys/select.h sys/stropts.h sys/time.h sys/ttcompat.h)
dnl Checks for library functions.
-AC_CHECK_FUNCS(arc4random mkdtemp openpty _getpty setenv seteuid setlogin setproctitle setreuid snprintf strlcat strlcpy vsnprintf)
+AC_CHECK_FUNCS(arc4random updwtmpx mkdtemp openpty _getpty innetgr setenv seteuid setlogin setproctitle setreuid snprintf strlcat strlcpy vsnprintf)
AC_CHECK_FUNC(login,
[AC_DEFINE(HAVE_LOGIN)],
@@ -220,19 +243,21 @@
AC_MSG_ERROR([No random device found, and no EGD random pool specified])
fi
-dnl Check for ut_host field in utmp
AC_MSG_CHECKING([whether utmp.h has ut_host field])
AC_EGREP_HEADER(ut_host, utmp.h,
[AC_DEFINE(HAVE_HOST_IN_UTMP) AC_MSG_RESULT(yes); ],
[AC_MSG_RESULT(no)]
)
-
-dnl Check for ut_host field in utmpx
AC_MSG_CHECKING([whether utmpx.h has ut_host field])
AC_EGREP_HEADER(ut_host, utmpx.h,
[AC_DEFINE(HAVE_HOST_IN_UTMPX) AC_MSG_RESULT(yes); ],
[AC_MSG_RESULT(no)]
)
+AC_MSG_CHECKING([whether utmpx.h has syslen field])
+AC_EGREP_HEADER(syslen, utmpx.h,
+ [AC_DEFINE(HAVE_SYSLEN_IN_UTMPX) AC_MSG_RESULT(yes); ],
+ [AC_MSG_RESULT(no)]
+)
dnl Look for lastlog location
AC_ARG_WITH(lastlog,
diff --git a/includes.h b/includes.h
index 308e674..0538bfb 100644
--- a/includes.h
+++ b/includes.h
@@ -81,6 +81,7 @@
#include "bsd-mktemp.h"
#include "bsd-snprintf.h"
#include "bsd-daemon.h"
+#include "bsd-login.h"
/* Define this to be the path of the xauth program. */
#ifndef XAUTH_PATH
diff --git a/login.c b/login.c
index fb9c8f8..c551da8 100644
--- a/login.c
+++ b/login.c
@@ -18,7 +18,7 @@
*/
#include "includes.h"
-RCSID("$Id: login.c,v 1.10 1999/12/22 05:09:48 damien Exp $");
+RCSID("$Id: login.c,v 1.11 1999/12/24 23:11:29 damien Exp $");
#if defined(HAVE_UTMPX_H) && defined(USE_UTMPX)
# include <utmpx.h>
@@ -133,28 +133,44 @@
struct lastlog ll;
char *lastlog;
#endif /* defined(_PATH_LASTLOG) && !defined(DISABLE_LASTLOG) */
- struct UTMP_STR u;
- const char *utmp, *wtmp;
+ struct utmp u;
+#if defined(HAVE_UTMPX_H) && defined(USE_UTMPX)
+ struct utmpx utx;
+#endif
/* Construct an utmp/wtmp entry. */
memset(&u, 0, sizeof(u));
strncpy(u.ut_line, ttyname + 5, sizeof(u.ut_line));
-#if defined(HAVE_UTMPX_H) && defined(USE_UTMPX)
- u.ut_tv.tv_sec = time(NULL);
- strncpy(u.ut_user, user, sizeof(u.ut_name));
-#else
+ u.ut_pid = (pid_t)pid;
u.ut_time = time(NULL);
strncpy(u.ut_name, user, sizeof(u.ut_name));
-#endif
-#if defined(HAVE_HOST_IN_UTMP) || defined(HAVE_HOST_IN_UTMPX)
+ u.ut_type = (uid == -1)?DEAD_PROCESS:USER_PROCESS;
+#if defined(HAVE_HOST_IN_UTMP)
strncpy(u.ut_host, host, sizeof(u.ut_host));
#endif
- /* Figure out the file names. */
- utmp = _PATH_UTMP;
- wtmp = _PATH_WTMP;
+#if defined(HAVE_UTMPX_H) && defined(USE_UTMPX)
+ memset(&utx, 0, sizeof(utx));
+ strncpy(utx.ut_user, user, sizeof(utx.ut_name));
+ strncpy(utx.ut_line, ttyname + 5, sizeof(utx.ut_line));
+ utx.ut_pid = (pid_t)pid;
+ utx.ut_tv.tv_sec = time(NULL);
+ u.ut_type = (uid == -1)?DEAD_PROCESS:USER_PROCESS;
+#ifdef HAVE_HOST_IN_UTMPX
+#ifdef HAVE_SYSLEN_IN_UTMPX
+ utx.ut_syslen = strlen(host);
+ strncpy(utx.ut_host, host, utx.ut_syslen );
+#else
+ strncpy(utx.ut_host, host, sizeof(utx.ut_host));
+#endif /* HAVE_SYSLEN_IN_UTMPX */
+#endif
+#endif /* defined(HAVE_UTMPX_H) && defined(USE_UTMPX) */
+#if defined(HAVE_UTMPX_H) && defined(USE_UTMPX) && !defined(HAVE_LOGIN)
+ login(&u, &utx);
+#else /* defined(HAVE_UTMPX_H) && defined(USE_UTMPX) */
login(&u);
+#endif /* defined(HAVE_UTMPX_H) && defined(USE_UTMPX) */
#if defined(_PATH_LASTLOG) && !defined(DISABLE_LASTLOG)
lastlog = _PATH_LASTLOG;
diff --git a/packages/redhat/openssh.spec b/packages/redhat/openssh.spec
index d036f5c..a3e51bb 100644
--- a/packages/redhat/openssh.spec
+++ b/packages/redhat/openssh.spec
@@ -1,6 +1,6 @@
Summary: OpenSSH free Secure Shell (SSH) implementation
Name: openssh
-Version: 1.2.1pre19
+Version: 1.2.1pre20
Release: 1
Packager: Damien Miller <djm@ibs.com.au>
Source0: openssh-%{version}.tar.gz
diff --git a/packages/redhat/sshd.pam b/packages/redhat/sshd.pam
index f466f9b..f010550 100644
--- a/packages/redhat/sshd.pam
+++ b/packages/redhat/sshd.pam
@@ -1,5 +1,5 @@
#%PAM-1.0
-auth required /lib/security/pam_pwdb.so shadow
+auth required /lib/security/pam_pwdb.so shadow nowait
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_pwdb.so
password required /lib/security/pam_cracklib.so
diff --git a/packages/suse/openssh.spec b/packages/suse/openssh.spec
index 4632763..c649ef2 100644
--- a/packages/suse/openssh.spec
+++ b/packages/suse/openssh.spec
@@ -1,6 +1,6 @@
Summary: OpenSSH, a free Secure Shell (SSH) implementation
Name: openssh
-Version: 1.2.1pre19
+Version: 1.2.1pre20
Release: 1
Source0: openssh-%{version}.tar.gz
Copyright: BSD
diff --git a/sshd.c b/sshd.c
index 448ca59..9c570ab 100644
--- a/sshd.c
+++ b/sshd.c
@@ -11,7 +11,7 @@
*/
#include "includes.h"
-RCSID("$Id: sshd.c,v 1.39 1999/12/14 04:43:03 damien Exp $");
+RCSID("$Id: sshd.c,v 1.40 1999/12/24 23:11:29 damien Exp $");
#ifdef HAVE_POLL_H
# include <poll.h>
@@ -146,6 +146,7 @@
#ifdef HAVE_LIBPAM
static int pamconv(int num_msg, const struct pam_message **msg,
struct pam_response **resp, void *appdata_ptr);
+int do_pam_auth(const char *user, const char *password);
void do_pam_account(char *username, char *remote_user);
void do_pam_session(char *username, char *ttyname);
void pam_cleanup_proc(void *context);
@@ -237,6 +238,23 @@
}
}
+int do_pam_auth(const char *user, const char *password)
+{
+ int pam_retval;
+
+ pampasswd = password;
+
+ pam_retval = pam_authenticate((pam_handle_t *)pamh, 0);
+ if (pam_retval == PAM_SUCCESS) {
+ log("PAM Password authentication accepted for user \"%.100s\"", user);
+ return 1;
+ } else {
+ log("PAM Password authentication for \"%.100s\" failed: %s",
+ user, PAM_STRERROR((pam_handle_t *)pamh, pam_retval));
+ return 0;
+ }
+}
+
void do_pam_account(char *username, char *remote_user)
{
int pam_retval;
@@ -1292,7 +1310,11 @@
#ifdef KRB4
(!options.kerberos_authentication || options.kerberos_or_local_passwd) &&
#endif /* KRB4 */
+#ifdef HAVE_LIBPAM
+ do_pam_auth(pw->pw_name, "")) {
+#else /* HAVE_LIBPAM */
auth_password(pw, "")) {
+#endif /* HAVE_LIBPAM */
/* Authentication with empty password succeeded. */
log("Login for user %s from %.100s, accepted without authentication.",
pw->pw_name, get_remote_ipaddr());
@@ -1503,29 +1525,14 @@
#ifdef HAVE_LIBPAM
/* Do PAM auth with password */
- pampasswd = password;
- pam_retval = pam_authenticate((pam_handle_t *)pamh, 0);
- if (pam_retval == PAM_SUCCESS) {
- log("PAM Password authentication accepted for user \"%.100s\"", pw->pw_name);
- memset(password, 0, strlen(password));
- xfree(password);
- authenticated = 1;
- break;
- }
-
- log("PAM Password authentication for \"%.100s\" failed: %s",
- pw->pw_name, PAM_STRERROR((pam_handle_t *)pamh, pam_retval));
- memset(password, 0, strlen(password));
- xfree(password);
- break;
+ authenticated = do_pam_auth(pw->pw_name, password);
#else /* HAVE_LIBPAM */
/* Try authentication with the password. */
authenticated = auth_password(pw, password);
-
+#endif /* HAVE_LIBPAM */
memset(password, 0, strlen(password));
xfree(password);
break;
-#endif /* HAVE_LIBPAM */
#ifdef SKEY
case SSH_CMSG_AUTH_TIS:
diff --git a/sshd.pam.generic b/sshd.pam.generic
index 4ec2a2a..8c4f32d 100644
--- a/sshd.pam.generic
+++ b/sshd.pam.generic
@@ -1,5 +1,5 @@
#%PAM-1.0
-auth required /lib/security/pam_unix.so shadow
+auth required /lib/security/pam_unix.so shadow nowait
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_unix.so
password required /lib/security/pam_cracklib.so