- More platforms for for setproctitle() emulation (testing needed)

- More platforms for for setproctitle() emulation (testing needed)

- Improve PAM support (a pam_lastlog module will cause sshd to exit)

- Improve PAM support (a pam_lastlog module will cause sshd to exit)

  and maybe support alternate forms of authentications like OPIE via

  and maybe support alternate forms of authentications like OPIE via

  pam?

  pam?

/* from environment and PATH */

/* from environment and PATH */

#undef LOGIN_PROGRAM_FALLBACK

#undef LOGIN_PROGRAM_FALLBACK

/* Define if your password has a pw_class field */

/* Define if your password has a pw_class field */

#undef HAVE_PW_CLASS_IN_PASSWD

#undef HAVE_PW_CLASS_IN_PASSWD

#define NEW_AUTHTOK_MSG \

#define NEW_AUTHTOK_MSG \

	"Warning: Your password has expired, please change it now."

	"Warning: Your password has expired, please change it now."

static int do_pam_conversation(int num_msg, const struct pam_message **msg,

static int do_pam_conversation(int num_msg, const struct pam_message **msg,

	struct pam_response **resp, void *appdata_ptr);

	struct pam_response **resp, void *appdata_ptr);

/* states for do_pam_conversation() */

/* states for do_pam_conversation() */

enum { INITIAL_LOGIN, OTHER } pamstate = INITIAL_LOGIN;

enum { INITIAL_LOGIN, OTHER } pamstate = INITIAL_LOGIN;

/* remember whether pam_acct_mgmt() returned PAM_NEW_AUTHTOK_REQD */

/* remember whether pam_acct_mgmt() returned PAM_NEW_AUTHTOK_REQD */

/* remember whether the last pam_authenticate() succeeded or not */

/* remember whether the last pam_authenticate() succeeded or not */

static int was_authenticated = 0;

static int was_authenticated = 0;

		case PAM_SUCCESS:

		case PAM_SUCCESS:

			/* This is what we want */

			/* This is what we want */

			break;

			break;

		case PAM_NEW_AUTHTOK_REQD:

		case PAM_NEW_AUTHTOK_REQD:

			break;

			break;

		default:

		default:

			log("PAM rejected by account configuration[%d]: "

			log("PAM rejected by account configuration[%d]: "

			    "%.200s", pam_retval, PAM_STRERROR(__pamh, 

			    "%.200s", pam_retval, PAM_STRERROR(__pamh, 

			fatal("PAM pam_chauthtok failed[%d]: %.200s",

			fatal("PAM pam_chauthtok failed[%d]: %.200s",

			    pam_retval, PAM_STRERROR(__pamh, pam_retval));

			    pam_retval, PAM_STRERROR(__pamh, pam_retval));

#if 0

#if 0

#endif

#endif

	}

	}

}

}

#include "log.h"

#include "log.h"

#include "servconf.h"

#include "servconf.h"

#include "auth.h"

#include "auth.h"

#if !defined(USE_PAM) && !defined(HAVE_OSF_SIA)

#if !defined(USE_PAM) && !defined(HAVE_OSF_SIA)

/* Don't need any of these headers for the PAM or SIA cases */

/* Don't need any of these headers for the PAM or SIA cases */

#endif /* !USE_PAM && !HAVE_OSF_SIA */

#endif /* !USE_PAM && !HAVE_OSF_SIA */

extern ServerOptions options;

extern ServerOptions options;

/*

/*

 * Tries to authenticate the user using password.  Returns true if

 * Tries to authenticate the user using password.  Returns true if

# endif

# endif

# ifdef WITH_AIXAUTHENTICATE

# ifdef WITH_AIXAUTHENTICATE

	authsuccess = (authenticate(pw->pw_name,password,&reenter,&authmsg) == 0);

	authsuccess = (authenticate(pw->pw_name,password,&reenter,&authmsg) == 0);

	if (authsuccess)

	if (authsuccess)

# endif

# endif

# ifdef KRB4

# ifdef KRB4

	if (options.kerberos_authentication == 1) {

	if (options.kerberos_authentication == 1) {

	/* Authentication is accepted if the encrypted passwords are identical. */

	/* Authentication is accepted if the encrypted passwords are identical. */

	return (strcmp(encrypted_password, pw_password) == 0);

	return (strcmp(encrypted_password, pw_password) == 0);

#endif /* !USE_PAM && !HAVE_OSF_SIA */

#endif /* !USE_PAM && !HAVE_OSF_SIA */

}

}

 */

 */

#include "includes.h"

#include "includes.h"

#ifdef HAVE_LOGIN_H

#ifdef HAVE_LOGIN_H

#include <login.h>

#include <login.h>

#include <libgen.h>

#include <libgen.h>

#endif

#endif

#include "xmalloc.h"

#include "xmalloc.h"

#include "match.h"

#include "match.h"

#include "groupaccess.h"

#include "groupaccess.h"

#include "misc.h"

#include "misc.h"

#include "bufaux.h"

#include "bufaux.h"

#include "packet.h"

#include "packet.h"

/* import */

/* import */

extern ServerOptions options;

extern ServerOptions options;

/* Debugging messages */

/* Debugging messages */

Buffer auth_debug;

Buffer auth_debug;

	const char *hostname = NULL, *ipaddr = NULL;

	const char *hostname = NULL, *ipaddr = NULL;

	char *shell;

	char *shell;

	int i;

	int i;

#if !defined(USE_PAM) && defined(HAVE_SHADOW_H) && \

#if !defined(USE_PAM) && defined(HAVE_SHADOW_H) && \

    !defined(DISABLE_SHADOW) && defined(HAS_SHADOW_EXPIRE)

    !defined(DISABLE_SHADOW) && defined(HAS_SHADOW_EXPIRE)

	struct spwd *spw;

	struct spwd *spw;

	if (!pw || !pw->pw_name)

	if (!pw || !pw->pw_name)

		return 0;

		return 0;

#if !defined(USE_PAM) && defined(HAVE_SHADOW_H) && \

#if !defined(USE_PAM) && defined(HAVE_SHADOW_H) && \

    !defined(DISABLE_SHADOW) && defined(HAS_SHADOW_EXPIRE)

    !defined(DISABLE_SHADOW) && defined(HAS_SHADOW_EXPIRE)

	if ((spw = getspnam(pw->pw_name)) != NULL) {

	if ((spw = getspnam(pw->pw_name)) != NULL) {

		today = time(NULL) / DAY;

		today = time(NULL) / DAY;

		debug3("allowed_user: today %d sp_expire %d sp_lstchg %d"

		debug3("allowed_user: today %d sp_expire %d sp_lstchg %d"

		/*

		/*

		 * We assume account and password expiration occurs the

		 * We assume account and password expiration occurs the

		 * day after the day specified.

		 * day after the day specified.

		 */

		 */

			log("Account %.100s has expired", pw->pw_name);

			log("Account %.100s has expired", pw->pw_name);

			return 0;

			return 0;

		if (spw->sp_lstchg == 0) {

		if (spw->sp_lstchg == 0) {

			log("User %.100s password has expired (root forced)",

			log("User %.100s password has expired (root forced)",

			    pw->pw_name);

			    pw->pw_name);

			log("User %.100s password has expired (password aged)",

			log("User %.100s password has expired (password aged)",

			    pw->pw_name);

			    pw->pw_name);

		}

		}

	}

	}

#endif

#endif

	 * PermitRootLogin to control logins via ssh), or if running as

	 * PermitRootLogin to control logins via ssh), or if running as

	 * non-root user (since loginrestrictions will always fail).

	 * non-root user (since loginrestrictions will always fail).

	 */

	 */

		int loginrestrict_errno = errno;

		int loginrestrict_errno = errno;

			}

			}

	}

	}

#endif /* WITH_AIXAUTHENTICATE */

#endif /* WITH_AIXAUTHENTICATE */

	return authctxt;

	return authctxt;

}

}

void

void

auth_log(Authctxt *authctxt, int authenticated, char *method, char *info)

auth_log(Authctxt *authctxt, int authenticated, char *method, char *info)

{

{

	    get_remote_port(),

	    get_remote_port(),

	    info);

	    info);

#ifdef WITH_AIXAUTHENTICATE

#ifdef WITH_AIXAUTHENTICATE

	if (authenticated == 0 && strcmp(method, "password") == 0)

	if (authenticated == 0 && strcmp(method, "password") == 0)

	    loginfailed(authctxt->user,

	    loginfailed(authctxt->user,

int	allowed_user(struct passwd *);

int	allowed_user(struct passwd *);

struct passwd * getpwnamallow(const char *user);

struct passwd * getpwnamallow(const char *user);

char	*get_challenge(Authctxt *);

char	*get_challenge(Authctxt *);

int	verify_response(Authctxt *, const char *);

int	verify_response(Authctxt *, const char *);

	fi

	fi

fi

fi

if test -z "$LD" ; then

if test -z "$LD" ; then

	LD=$CC

	LD=$CC

fi

fi

	 * reliably search wtmp(x) for the last login (see

	 * reliably search wtmp(x) for the last login (see

	 * wtmp_get_entry().)

	 * wtmp_get_entry().)

	 */

	 */

	pw = getpwuid(uid);

	pw = getpwuid(uid);

	if (pw == NULL)

	if (pw == NULL)

		fatal("login_get_lastlog: Cannot find account for uid %i", uid);

		fatal("login_get_lastlog: Cannot find account for uid %i", uid);

extern u_int utmp_len;

extern u_int utmp_len;

extern int startup_pipe;

extern int startup_pipe;

extern void destroy_sensitive_data(void);

extern void destroy_sensitive_data(void);

/* original command from peer. */

/* original command from peer. */

const char *original_command = NULL;

const char *original_command = NULL;

#define MAX_SESSIONS 10

#define MAX_SESSIONS 10

Session	sessions[MAX_SESSIONS];

Session	sessions[MAX_SESSIONS];

#ifdef HAVE_LOGIN_CAP

#ifdef HAVE_LOGIN_CAP

login_cap_t *lc;

login_cap_t *lc;

#endif

#endif

#if defined(USE_PAM)

#if defined(USE_PAM)

	do_pam_session(s->pw->pw_name, NULL);

	do_pam_session(s->pw->pw_name, NULL);

	do_pam_setcred(1);

	do_pam_setcred(1);

		packet_disconnect("Password change required but no "

		packet_disconnect("Password change required but no "

		    "TTY available");

		    "TTY available");

	/* Fork the child. */

	/* Fork the child. */

	if ((pid = fork()) == 0) {

	if ((pid = fork()) == 0) {

void

void

do_login(Session *s, const char *command)

do_login(Session *s, const char *command)

{

{

	socklen_t fromlen;

	socklen_t fromlen;

	struct sockaddr_storage from;

	struct sockaddr_storage from;

	struct passwd * pw = s->pw;

	struct passwd * pw = s->pw;

	pid_t pid = getpid();

	pid_t pid = getpid();

	/*

	/*

		    options.verify_reverse_mapping),

		    options.verify_reverse_mapping),

		    (struct sockaddr *)&from, fromlen);

		    (struct sockaddr *)&from, fromlen);

	/*

	/*

	 * If password change is needed, do it now.

	 * If password change is needed, do it now.

	 * This needs to occur before the ~/.hushlogin check.

	 * This needs to occur before the ~/.hushlogin check.

	 */

	 */

	if (is_pam_password_change_required()) {

	if (is_pam_password_change_required()) {

		print_pam_messages();

		print_pam_messages();

		do_pam_chauthtok();

		do_pam_chauthtok();

	}

	}

#endif

#endif

	if (check_quietlogin(s, command))

	if (check_quietlogin(s, command))

		return;

		return;

	if (!is_pam_password_change_required())

	if (!is_pam_password_change_required())

		print_pam_messages();

		print_pam_messages();

#endif /* USE_PAM */

#endif /* USE_PAM */

	do_motd();

	do_motd();

}

}

	if (s->ttyfd != -1) {

	if (s->ttyfd != -1) {

		packet_disconnect("Protocol error: you already have a pty.");

		packet_disconnect("Protocol error: you already have a pty.");

		return 0;

		return 0;

	}

	}

	s->term = packet_get_string(&len);

	s->term = packet_get_string(&len);

	int	ptyfd, ttyfd, ptymaster;

	int	ptyfd, ttyfd, ptymaster;

	u_int	row, col, xpixel, ypixel;

	u_int	row, col, xpixel, ypixel;

	char	tty[TTYSZ];

	char	tty[TTYSZ];

	/* X11 */

	/* X11 */

	u_int	display_number;

	u_int	display_number;

	char	*display;

	char	*display;

int use_privsep;

int use_privsep;

struct monitor *pmonitor;

struct monitor *pmonitor;

/* Prototypes for various functions defined later in this file. */

/* Prototypes for various functions defined later in this file. */

void destroy_sensitive_data(void);

void destroy_sensitive_data(void);

void demote_sensitive_data(void);

void demote_sensitive_data(void);

	if (use_privsep)

	if (use_privsep)

		if ((authctxt = privsep_preauth()) != NULL)

		if ((authctxt = privsep_preauth()) != NULL)

			goto authenticated;

			goto authenticated;

	/* perform the key exchange */

	/* perform the key exchange */

	/* authenticate user and start session */

	/* authenticate user and start session */

/* $OpenBSD: version.h,v 1.35 2002/10/01 13:24:50 markus Exp $ */

/* $OpenBSD: version.h,v 1.35 2002/10/01 13:24:50 markus Exp $ */

	xfree(cp);

	xfree(cp);

}

}

#endif

#endif

void aix_usrinfo(struct passwd *pw);

void aix_usrinfo(struct passwd *pw);

#endif /* _AIX */

#endif /* _AIX */