(-)auth-pam.c (-18 / +10 lines)
Lines 155-164 pthread_join(sp_pthread_t thread, void * Link Here
155
static pam_handle_t *sshpam_handle = NULL;
155
static pam_handle_t *sshpam_handle = NULL;
156
static int sshpam_err = 0;
156
static int sshpam_err = 0;
157
static int sshpam_authenticated = 0;
157
static int sshpam_authenticated = 0;
158
static int sshpam_new_authtok_reqd = 0;
159
static int sshpam_session_open = 0;
158
static int sshpam_session_open = 0;
160
static int sshpam_cred_established = 0;
159
static int sshpam_cred_established = 0;
161
static int sshpam_account_status = -1;
160
static int sshpam_account_status = -1;
161
static int *force_pwchange;
162
static char **sshpam_env = NULL;
162
static char **sshpam_env = NULL;
163
163
164
/* Some PAM implementations don't implement this */
164
/* Some PAM implementations don't implement this */
Lines 179-185 void Link Here
179
pam_password_change_required(int reqd)
179
pam_password_change_required(int reqd)
180
{
180
{
181
	debug3("%s %d", __func__, reqd);
181
	debug3("%s %d", __func__, reqd);
182
	sshpam_new_authtok_reqd = reqd;
182
	*force_pwchange = reqd;
183
	if (reqd) {
183
	if (reqd) {
184
		no_port_forwarding_flag |= 2;
184
		no_port_forwarding_flag |= 2;
185
		no_agent_forwarding_flag |= 2;
185
		no_agent_forwarding_flag |= 2;
Lines 188-196 pam_password_change_required(int reqd) Link Here
188
		no_port_forwarding_flag &= ~2;
188
		no_port_forwarding_flag &= ~2;
189
		no_agent_forwarding_flag &= ~2;
189
		no_agent_forwarding_flag &= ~2;
190
		no_x11_forwarding_flag &= ~2;
190
		no_x11_forwarding_flag &= ~2;
191
192
	}
191
	}
193
}
192
}
193
194
/* Import regular and PAM environment from subprocess */
194
/* Import regular and PAM environment from subprocess */
195
static void
195
static void
196
import_environments(Buffer *b)
196
import_environments(Buffer *b)
Lines 348-354 sshpam_thread(void *ctxtp) Link Here
348
	if (compat20) {
348
	if (compat20) {
349
		if (!do_pam_account())
349
		if (!do_pam_account())
350
			goto auth_fail;
350
			goto auth_fail;
351
		if (sshpam_new_authtok_reqd) {
351
		if (*force_pwchange) {
352
			sshpam_err = pam_chauthtok(sshpam_handle,
352
			sshpam_err = pam_chauthtok(sshpam_handle,
353
			    PAM_CHANGE_EXPIRED_AUTHTOK);
353
			    PAM_CHANGE_EXPIRED_AUTHTOK);
354
			if (sshpam_err != PAM_SUCCESS)
354
			if (sshpam_err != PAM_SUCCESS)
Lines 362-368 sshpam_thread(void *ctxtp) Link Here
362
#ifndef USE_POSIX_THREADS
362
#ifndef USE_POSIX_THREADS
363
	/* Export variables set by do_pam_account */
363
	/* Export variables set by do_pam_account */
364
	buffer_put_int(&buffer, sshpam_account_status);
364
	buffer_put_int(&buffer, sshpam_account_status);
365
	buffer_put_int(&buffer, sshpam_new_authtok_reqd);
365
	buffer_put_int(&buffer, *force_pwchange);
366
366
367
	/* Export any environment strings set in child */
367
	/* Export any environment strings set in child */
368
	for(i = 0; environ[i] != NULL; i++)
368
	for(i = 0; environ[i] != NULL; i++)
Lines 437-443 sshpam_cleanup(void) Link Here
437
		pam_close_session(sshpam_handle, PAM_SILENT);
437
		pam_close_session(sshpam_handle, PAM_SILENT);
438
		sshpam_session_open = 0;
438
		sshpam_session_open = 0;
439
	}
439
	}
440
	sshpam_authenticated = sshpam_new_authtok_reqd = 0;
440
	sshpam_authenticated = 0;
441
	pam_end(sshpam_handle, sshpam_err);
441
	pam_end(sshpam_handle, sshpam_err);
442
	sshpam_handle = NULL;
442
	sshpam_handle = NULL;
443
}
443
}
Lines 511-516 sshpam_init_ctx(Authctxt *authctxt) Link Here
511
	ctxt = xmalloc(sizeof *ctxt);
511
	ctxt = xmalloc(sizeof *ctxt);
512
	memset(ctxt, 0, sizeof(*ctxt));
512
	memset(ctxt, 0, sizeof(*ctxt));
513
513
514
	force_pwchange = &(authctxt->force_pwchange);
515
514
	/* Start the authentication thread */
516
	/* Start the authentication thread */
515
	if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC, socks) == -1) {
517
	if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC, socks) == -1) {
516
		error("PAM: failed create sockets: %s", strerror(errno));
518
		error("PAM: failed create sockets: %s", strerror(errno));
Lines 744-755 do_pam_setcred(int init) Link Here
744
		    pam_strerror(sshpam_handle, sshpam_err));
746
		    pam_strerror(sshpam_handle, sshpam_err));
745
}
747
}
746
748
747
int
748
is_pam_password_change_required(void)
749
{
750
	return (sshpam_new_authtok_reqd);
751
}
752
753
static int
749
static int
754
pam_tty_conv(int n, const struct pam_message **msg,
750
pam_tty_conv(int n, const struct pam_message **msg,
755
    struct pam_response **resp, void *data)
751
    struct pam_response **resp, void *data)
Lines 811-816 static struct pam_conv tty_conv = { pam_ Link Here
811
void
807
void
812
do_pam_chauthtok(void)
808
do_pam_chauthtok(void)
813
{
809
{
810
	debug3("PAM: %s called", __func__);
814
	if (use_privsep)
811
	if (use_privsep)
815
		fatal("Password expired (unable to change with privsep)");
812
		fatal("Password expired (unable to change with privsep)");
816
	sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
813
	sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
Lines 828-833 do_pam_chauthtok(void) Link Here
828
void
825
void
829
do_pam_session(void)
826
do_pam_session(void)
830
{
827
{
828
	debug3("PAM: %s called", __func__);
831
	sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
829
	sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
832
	    (const void *)&tty_conv);
830
	    (const void *)&tty_conv);
833
	if (sshpam_err != PAM_SUCCESS)
831
	if (sshpam_err != PAM_SUCCESS)
Lines 862-873 do_pam_putenv(char *name, char *value) Link Here
862
#endif
860
#endif
863
861
864
	return (ret);
862
	return (ret);
865
}
866
867
void
868
print_pam_messages(void)
869
{
870
	/* XXX */
871
}
863
}
872
864
873
char **
865
char **
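Review bot: `*force_pwchange` is dereferenced in pam_password_change_required (new line 182) and twice in sshpam_thread (new lines 351 and 365) with no check that sshpam_init_ctx has already run; `static int *force_pwchange;` starts out NULL, so any call ordering that reaches these before `force_pwchange = &(authctxt->force_pwchange);` is a NULL dereference in the authentication path. A guard such as `if (force_pwchange == NULL) fatal("%s: PAM context not initialised", __func__);` at the top of pam_password_change_required, and the same check before the two reads in sshpam_thread, would turn that into a diagnosed failure rather than a crash. sshpam_cleanup used to reset `sshpam_new_authtok_reqd`; the replacement pointer is never cleared there, so adding `force_pwchange = NULL;` next to `sshpam_authenticated = 0;` keeps a later call from writing through a pointer into an authctxt whose lifetime this diff does not show. The non-pthread path also exports `*force_pwchange` into the buffer at new line 365, and the importing side is not in this diff — presumably it must now write through the same pointer rather than the removed static. For consistency with the neighbouring statics, declare it as `static int *force_pwchange = NULL;`.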
(-)auth-pam.h (-2 lines)
Lines 37-46 u_int do_pam_account(void); Link Here
37
void do_pam_session(void);
37
void do_pam_session(void);
38
void do_pam_set_tty(const char *);
38
void do_pam_set_tty(const char *);
39
void do_pam_setcred(int );
39
void do_pam_setcred(int );
40
int is_pam_password_change_required(void);
41
void do_pam_chauthtok(void);
40
void do_pam_chauthtok(void);
42
int do_pam_putenv(char *, char *);
41
int do_pam_putenv(char *, char *);
43
void print_pam_messages(void);
44
char ** fetch_pam_environment(void);
42
char ** fetch_pam_environment(void);
45
char ** fetch_pam_child_environment(void);
43
char ** fetch_pam_child_environment(void);
46
void free_pam_environment(char **);
44
void free_pam_environment(char **);
(-)session.c (-19 / +14 lines)
Lines 193-198 auth_input_request_forwarding(struct pas Link Here
193
	return 1;
193
	return 1;
194
}
194
}
195
195
196
static void
197
display_loginmsg(void)
198
{
199
	if (buffer_len(&loginmsg) > 0) {
200
		buffer_append(&loginmsg, "\0", 1);
201
		printf("%s\n", (char *)buffer_ptr(&loginmsg));
202
		buffer_clear(&loginmsg);
203
	}
204
}
196
205
197
void
206
void
198
do_authenticated(Authctxt *authctxt)
207
do_authenticated(Authctxt *authctxt)
Lines 389-400 do_exec_no_pty(Session *s, const char *c Link Here
389
	session_proctitle(s);
398
	session_proctitle(s);
390
399
391
#if defined(USE_PAM)
400
#if defined(USE_PAM)
392
	if (options.use_pam) {
401
	if (options.use_pam)
393
		do_pam_setcred(1);
402
		do_pam_setcred(1);
394
		if (is_pam_password_change_required())
395
			packet_disconnect("Password change required but no "
396
			    "TTY available");
397
	}
398
#endif /* USE_PAM */
403
#endif /* USE_PAM */
399
404
400
	/* Fork the child. */
405
	/* Fork the child. */
Lines 698-705 do_login(Session *s, const char *command Link Here
698
	 * If password change is needed, do it now.
703
	 * If password change is needed, do it now.
699
	 * This needs to occur before the ~/.hushlogin check.
704
	 * This needs to occur before the ~/.hushlogin check.
700
	 */
705
	 */
701
	if (options.use_pam && is_pam_password_change_required()) {
706
	if (options.use_pam && !use_privsep && s->authctxt->force_pwchange) {
702
		print_pam_messages();
707
		display_loginmsg();
703
		do_pam_chauthtok();
708
		do_pam_chauthtok();
704
		/* XXX - signal [net] parent to enable forwardings */
709
		/* XXX - signal [net] parent to enable forwardings */
705
	}
710
	}
Lines 708-724 do_login(Session *s, const char *command Link Here
708
	if (check_quietlogin(s, command))
713
	if (check_quietlogin(s, command))
709
		return;
714
		return;
710
715
711
#ifdef USE_PAM
716
	display_loginmsg();
712
	if (options.use_pam && !is_pam_password_change_required())
713
		print_pam_messages();
714
#endif /* USE_PAM */
715
716
	/* display post-login message */
717
	if (buffer_len(&loginmsg) > 0) {
718
		buffer_append(&loginmsg, "\0", 1);
719
		printf("%s\n", (char *)buffer_ptr(&loginmsg));
720
	}
721
	buffer_free(&loginmsg);
722
717
723
#ifndef NO_SSH_LASTLOG
718
#ifndef NO_SSH_LASTLOG
724
	if (options.print_lastlog && s->last_login_time != 0) {
719
	if (options.print_lastlog && s->last_login_time != 0) {
Lines 1392-1398 do_child(Session *s, const char *command Link Here
1392
	destroy_sensitive_data();
1387
	destroy_sensitive_data();
1393
1388
1394
	/* Force a password change */
1389
	/* Force a password change */
1395
	if (s->authctxt->force_pwchange) {
1390
	if (s->authctxt->force_pwchange && !(options.use_pam && !use_privsep)) {
1396
		do_setusercontext(pw);
1391
		do_setusercontext(pw);
1397
		child_close_fds();
1392
		child_close_fds();
1398
		do_pwchange(s);
1393
		do_pwchange(s);
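Review bot: Dropping the `is_pam_password_change_required()` disconnect from do_exec_no_pty (old lines 394-396) appears to leave the no-TTY case unhandled when `options.use_pam && !use_privsep`: do_child now skips do_pwchange under exactly that condition (new line 1390), and the do_login path that calls do_pam_chauthtok seems to be reached only when a pty was allocated, so a command run without a TTY would proceed with only the forwarding-flag restrictions and no password change. If that reading is right, do_exec_no_pty should keep a disconnect for the PAM/non-privsep case, e.g. `if (options.use_pam && !use_privsep && s->authctxt->force_pwchange) packet_disconnect("Password change required but no TTY available");`. The condition on new line 1390 is also hard to read as a double negation; `!(options.use_pam && !use_privsep)` is clearer as `(!options.use_pam || use_privsep)` with a comment that the PAM path already handled the change in do_login. Both do_exec_no_pty and do_child extend beyond the hunks shown.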
