- More platforms for for setproctitle() emulation (testing needed)

- More platforms for for setproctitle() emulation (testing needed)

- Improve PAM support (a pam_lastlog module will cause sshd to exit)

- Improve PAM support (a pam_lastlog module will cause sshd to exit)

  and maybe support alternate forms of authentications like OPIE via

  and maybe support alternate forms of authentications like OPIE via

  pam?

  pam?

/* from environment and PATH */

/* from environment and PATH */

#undef LOGIN_PROGRAM_FALLBACK

#undef LOGIN_PROGRAM_FALLBACK

/* Define if your password has a pw_class field */

/* Define if your password has a pw_class field */

#undef HAVE_PW_CLASS_IN_PASSWD

#undef HAVE_PW_CLASS_IN_PASSWD

/* states for do_pam_conversation() */

/* states for do_pam_conversation() */

enum { INITIAL_LOGIN, OTHER } pamstate = INITIAL_LOGIN;

enum { INITIAL_LOGIN, OTHER } pamstate = INITIAL_LOGIN;

/* remember whether pam_acct_mgmt() returned PAM_NEW_AUTHTOK_REQD */

/* remember whether pam_acct_mgmt() returned PAM_NEW_AUTHTOK_REQD */

/* remember whether the last pam_authenticate() succeeded or not */

/* remember whether the last pam_authenticate() succeeded or not */

static int was_authenticated = 0;

static int was_authenticated = 0;

		case PAM_NEW_AUTHTOK_REQD:

		case PAM_NEW_AUTHTOK_REQD:

			message_cat(&__pam_msg, use_privsep ?

			message_cat(&__pam_msg, use_privsep ?

			    NEW_AUTHTOK_MSG_PRIVSEP : NEW_AUTHTOK_MSG);

			    NEW_AUTHTOK_MSG_PRIVSEP : NEW_AUTHTOK_MSG);

			break;

			break;

#endif

#endif

		default:

		default:

			fatal("PAM pam_chauthtok failed[%d]: %.200s",

			fatal("PAM pam_chauthtok failed[%d]: %.200s",

			    pam_retval, PAM_STRERROR(__pamh, pam_retval));

			    pam_retval, PAM_STRERROR(__pamh, pam_retval));

#if 0

#if 0

#endif

#endif

	}

	}

}

}

#include "log.h"

#include "log.h"

#include "servconf.h"

#include "servconf.h"

#include "auth.h"

#include "auth.h"

#if !defined(USE_PAM) && !defined(HAVE_OSF_SIA)

#if !defined(USE_PAM) && !defined(HAVE_OSF_SIA)

/* Don't need any of these headers for the PAM or SIA cases */

/* Don't need any of these headers for the PAM or SIA cases */

#endif /* !USE_PAM && !HAVE_OSF_SIA */

#endif /* !USE_PAM && !HAVE_OSF_SIA */

extern ServerOptions options;

extern ServerOptions options;

/*

/*

 * Tries to authenticate the user using password.  Returns true if

 * Tries to authenticate the user using password.  Returns true if

	/* deny if no user. */

	/* deny if no user. */

	if (pw == NULL)

	if (pw == NULL)

		return 0;

		return 0;

#ifndef HAVE_CYGWIN

#ifndef HAVE_CYGWIN

       if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)

       if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)

		return 0;

		return 0;

#endif

#endif

#ifdef WITH_AIXAUTHENTICATE

#ifdef WITH_AIXAUTHENTICATE

	authsuccess = (authenticate(pw->pw_name,password,&reenter,&authmsg) == 0);

	authsuccess = (authenticate(pw->pw_name,password,&reenter,&authmsg) == 0);

	        /* We don't have a pty yet, so just label the line as "ssh" */

	        /* We don't have a pty yet, so just label the line as "ssh" */

	        if (loginsuccess(authctxt->user,

	        if (loginsuccess(authctxt->user,

	return(authsuccess);

	return(authsuccess);

#endif

#endif

	/* Authentication is accepted if the encrypted passwords are identical. */

	/* Authentication is accepted if the encrypted passwords are identical. */

	return (strcmp(encrypted_password, pw_password) == 0);

	return (strcmp(encrypted_password, pw_password) == 0);

#endif /* !USE_PAM && !HAVE_OSF_SIA */

#endif /* !USE_PAM && !HAVE_OSF_SIA */

}

}

#include "bufaux.h"

#include "bufaux.h"

#include "packet.h"

#include "packet.h"

/* import */

/* import */

extern ServerOptions options;

extern ServerOptions options;

/* Debugging messages */

/* Debugging messages */

Buffer auth_debug;

Buffer auth_debug;

int auth_debug_init;

int auth_debug_init;

/*

/*

 * Check if the user is allowed to log in via ssh. If user is listed

 * Check if the user is allowed to log in via ssh. If user is listed

	const char *hostname = NULL, *ipaddr = NULL, *passwd;

	const char *hostname = NULL, *ipaddr = NULL, *passwd;

	char *shell;

	char *shell;

	int i;

	int i;

#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)

#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)

	struct spwd *spw;

	struct spwd *spw;

#if !defined(USE_PAM) && defined(HAS_SHADOW_EXPIRE)

#if !defined(USE_PAM) && defined(HAS_SHADOW_EXPIRE)

#endif

#endif

#endif

#endif

		return 0;

		return 0;

	}

	}

#if !defined(USE_PAM) && defined(HAVE_SHADOW_H) && \

#if !defined(USE_PAM) && defined(HAVE_SHADOW_H) && \

    !defined(DISABLE_SHADOW) && defined(HAS_SHADOW_EXPIRE)

    !defined(DISABLE_SHADOW) && defined(HAS_SHADOW_EXPIRE)

	today = time(NULL) / DAY;

	today = time(NULL) / DAY;

	debug3("allowed_user: today %d sp_expire %d sp_lstchg %d"

	debug3("allowed_user: today %d sp_expire %d sp_lstchg %d"

	/*

	/*

	 * We assume account and password expiration occurs the

	 * We assume account and password expiration occurs the

	if (spw->sp_expire != -1 && today > spw->sp_expire) {

	if (spw->sp_expire != -1 && today > spw->sp_expire) {

		log("Account %.100s has expired", pw->pw_name);

		log("Account %.100s has expired", pw->pw_name);

		return 0;

		return 0;

	}

	}

	if (spw->sp_lstchg == 0) {

	if (spw->sp_lstchg == 0) {

		log("User %.100s password has expired (root forced)",

		log("User %.100s password has expired (root forced)",

		    pw->pw_name);

		    pw->pw_name);

		log("User %.100s password has expired (password aged)",

		log("User %.100s password has expired (password aged)",

		    pw->pw_name);

		    pw->pw_name);

	}

	}

#endif

#endif

	/*

	/*

	 * Get the shell from the password data.  An empty shell field is

	 * Get the shell from the password data.  An empty shell field is

	 * legal, and means /bin/sh.

	 * legal, and means /bin/sh.

	 * PermitRootLogin to control logins via ssh), or if running as

	 * PermitRootLogin to control logins via ssh), or if running as

	 * non-root user (since loginrestrictions will always fail).

	 * non-root user (since loginrestrictions will always fail).

	 */

	 */

		int loginrestrict_errno = errno;

		int loginrestrict_errno = errno;

			}

			}

	}

	}

#endif /* WITH_AIXAUTHENTICATE */

#endif /* WITH_AIXAUTHENTICATE */

	/* We found no reason not to let this user try to log on... */

	/* We found no reason not to let this user try to log on... */

#endif

#endif

	struct passwd *pw;

	struct passwd *pw;

	pw = getpwnam(user);

	pw = getpwnam(user);

	if (pw == NULL) {

	if (pw == NULL) {

		log("Illegal user %.100s from %.100s",

		log("Illegal user %.100s from %.100s",

int	 auth_rhosts_rsa(struct passwd *, char *, Key *);

int	 auth_rhosts_rsa(struct passwd *, char *, Key *);

int      auth_password(Authctxt *, const char *);

int      auth_password(Authctxt *, const char *);

int      auth_rsa(struct passwd *, BIGNUM *);

int      auth_rsa(struct passwd *, BIGNUM *);

int      auth_rsa_challenge_dialog(Key *);

int      auth_rsa_challenge_dialog(Key *);

BIGNUM	*auth_rsa_generate_challenge(Key *);

BIGNUM	*auth_rsa_generate_challenge(Key *);

int	allowed_user(struct passwd *);

int	allowed_user(struct passwd *);

struct passwd * getpwnamallow(const char *user);

struct passwd * getpwnamallow(const char *user);

char	*get_challenge(Authctxt *);

char	*get_challenge(Authctxt *);

int	verify_response(Authctxt *, const char *);

int	verify_response(Authctxt *, const char *);

void	 auth_debug_add(const char *fmt,...) __attribute__((format(printf, 1, 2)));

void	 auth_debug_add(const char *fmt,...) __attribute__((format(printf, 1, 2)));

void	 auth_debug_send(void);

void	 auth_debug_send(void);

void	 auth_debug_reset(void);

void	 auth_debug_reset(void);

#define AUTH_FAIL_MAX 6

#define AUTH_FAIL_MAX 6

#define AUTH_FAIL_LOG (AUTH_FAIL_MAX/2)

#define AUTH_FAIL_LOG (AUTH_FAIL_MAX/2)

	fi

	fi

fi

fi

if test -z "$LD" ; then

if test -z "$LD" ; then

	LD=$CC

	LD=$CC

fi

fi

OSSH_CHECK_HEADER_FOR_FIELD(ut_tv, utmpx.h, HAVE_TV_IN_UTMPX)

OSSH_CHECK_HEADER_FOR_FIELD(ut_tv, utmpx.h, HAVE_TV_IN_UTMPX)

AC_CHECK_MEMBERS([struct stat.st_blksize])

AC_CHECK_MEMBERS([struct stat.st_blksize])

AC_CACHE_CHECK([for ss_family field in struct sockaddr_storage],

AC_CACHE_CHECK([for ss_family field in struct sockaddr_storage],

		ac_cv_have_ss_family_in_struct_ss, [

		ac_cv_have_ss_family_in_struct_ss, [

int mm_answer_moduli(int, Buffer *);

int mm_answer_moduli(int, Buffer *);

int mm_answer_sign(int, Buffer *);

int mm_answer_sign(int, Buffer *);

int mm_answer_pwnamallow(int, Buffer *);

int mm_answer_pwnamallow(int, Buffer *);

int mm_answer_auth2_read_banner(int, Buffer *);

int mm_answer_auth2_read_banner(int, Buffer *);

int mm_answer_authserv(int, Buffer *);

int mm_answer_authserv(int, Buffer *);

int mm_answer_authpassword(int, Buffer *);

int mm_answer_authpassword(int, Buffer *);

    {MONITOR_REQ_PTY, 0, mm_answer_pty},

    {MONITOR_REQ_PTY, 0, mm_answer_pty},

    {MONITOR_REQ_PTYCLEANUP, 0, mm_answer_pty_cleanup},

    {MONITOR_REQ_PTYCLEANUP, 0, mm_answer_pty_cleanup},

    {MONITOR_REQ_TERM, 0, mm_answer_term},

    {MONITOR_REQ_TERM, 0, mm_answer_term},

    {0, 0, NULL}

    {0, 0, NULL}

};

};

    {MONITOR_REQ_PTY, MON_ONCE, mm_answer_pty},

    {MONITOR_REQ_PTY, MON_ONCE, mm_answer_pty},

    {MONITOR_REQ_PTYCLEANUP, MON_ONCE, mm_answer_pty_cleanup},

    {MONITOR_REQ_PTYCLEANUP, MON_ONCE, mm_answer_pty_cleanup},

    {MONITOR_REQ_TERM, 0, mm_answer_term},

    {MONITOR_REQ_TERM, 0, mm_answer_term},

    {0, 0, NULL}

    {0, 0, NULL}

};

};

		monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);

		monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);

		monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);

		monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);

		monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);

		monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);

	} else {

	} else {

		mon_dispatch = mon_dispatch_postauth15;

		mon_dispatch = mon_dispatch_postauth15;

		monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);

		monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);

	}

	}

	if (!no_pty_flag) {

	if (!no_pty_flag) {

		monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1);

		monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1);

#ifdef USE_PAM

#ifdef USE_PAM

	monitor_permit(mon_dispatch, MONITOR_REQ_PAM_START, 1);

	monitor_permit(mon_dispatch, MONITOR_REQ_PAM_START, 1);

#endif

#endif

	return (0);

	return (0);

}

}

	MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV,

	MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV,

	MONITOR_REQ_SIGN, MONITOR_ANS_SIGN,

	MONITOR_REQ_SIGN, MONITOR_ANS_SIGN,

	MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM,

	MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM,

	MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER,

	MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER,

	MONITOR_REQ_AUTHPASSWORD, MONITOR_ANS_AUTHPASSWORD,

	MONITOR_REQ_AUTHPASSWORD, MONITOR_ANS_AUTHPASSWORD,

	MONITOR_REQ_BSDAUTHQUERY, MONITOR_ANS_BSDAUTHQUERY,

	MONITOR_REQ_BSDAUTHQUERY, MONITOR_ANS_BSDAUTHQUERY,

	return (pw);

	return (pw);

}

}

char *mm_auth2_read_banner(void)

char *mm_auth2_read_banner(void)

{

{

	Buffer m;

	Buffer m;

int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int);

int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int);

void mm_inform_authserv(char *, char *);

void mm_inform_authserv(char *, char *);

struct passwd *mm_getpwnamallow(const char *);

struct passwd *mm_getpwnamallow(const char *);

char *mm_auth2_read_banner(void);

char *mm_auth2_read_banner(void);

int mm_auth_password(struct Authctxt *, char *);

int mm_auth_password(struct Authctxt *, char *);

int mm_key_allowed(enum mm_keytype, char *, char *, Key *);

int mm_key_allowed(enum mm_keytype, char *, char *, Key *);

/* data */

/* data */

#define MAX_SESSIONS 10

#define MAX_SESSIONS 10

Session	sessions[MAX_SESSIONS];

Session	sessions[MAX_SESSIONS];

#ifdef HAVE_LOGIN_CAP

#ifdef HAVE_LOGIN_CAP

login_cap_t *lc;

login_cap_t *lc;

#if defined(USE_PAM)

#if defined(USE_PAM)

	do_pam_session(s->pw->pw_name, NULL);

	do_pam_session(s->pw->pw_name, NULL);

	do_pam_setcred(1);

	do_pam_setcred(1);

		packet_disconnect("Password change required but no "

		packet_disconnect("Password change required but no "

		    "TTY available");

		    "TTY available");

	/* Fork the child. */

	/* Fork the child. */

	if ((pid = fork()) == 0) {

	if ((pid = fork()) == 0) {

	socklen_t fromlen;

	socklen_t fromlen;

	struct sockaddr_storage from;

	struct sockaddr_storage from;

	struct passwd * pw = s->pw;

	struct passwd * pw = s->pw;

	pid_t pid = getpid();

	pid_t pid = getpid();

	/*

	/*

		    options.verify_reverse_mapping),

		    options.verify_reverse_mapping),

		    (struct sockaddr *)&from, fromlen);

		    (struct sockaddr *)&from, fromlen);

	/*

	/*

	 * If password change is needed, do it now.

	 * If password change is needed, do it now.

	 * This needs to occur before the ~/.hushlogin check.

	 * This needs to occur before the ~/.hushlogin check.

	 */

	 */

	if (is_pam_password_change_required()) {

	if (is_pam_password_change_required()) {

		print_pam_messages();

		print_pam_messages();

		do_pam_chauthtok();

		do_pam_chauthtok();

	}

	}

#endif

#endif

	if (check_quietlogin(s, command))

	if (check_quietlogin(s, command))

		return;

		return;

	if (!is_pam_password_change_required())

	if (!is_pam_password_change_required())

		print_pam_messages();

		print_pam_messages();

#endif /* USE_PAM */

#endif /* USE_PAM */

#ifndef NO_SSH_LASTLOG

#ifndef NO_SSH_LASTLOG

	if (options.print_lastlog && s->last_login_time != 0) {

	if (options.print_lastlog && s->last_login_time != 0) {

	xfree(cp);

	xfree(cp);

}

}

#ifdef _AIX

#ifdef _AIX

void aix_usrinfo(struct passwd *pw);

void aix_usrinfo(struct passwd *pw);

#endif /* _AIX */

#endif /* _AIX */