Bugzilla – Attachment 544 Details for
Bug 14
Can't change expired /etc/shadow password without PAM
[patch]
Use do_pwchange for SSHv1 password change without privsep
openssh-pamexpire-sshv1.patch (text/plain), 5.75 KB, created by
Darren Tucker
on 2004-02-10 12:37:12 AEDT
Description:
Use do_pwchange for SSHv1 password change without privsep
Filename:
MIME Type:
Creator:
Darren Tucker
Created:
2004-02-10 12:37:12 AEDT
Size:
5.75 KB
patch
obsolete
>Index: auth-pam.c
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth-pam.c,v
>retrieving revision 1.92
>diff -u -p -r1.92 auth-pam.c
>--- auth-pam.c 14 Jan 2004 13:15:08 -0000 1.92
>+++ auth-pam.c 10 Feb 2004 00:39:33 -0000
>@@ -155,10 +155,10 @@ pthread_join(sp_pthread_t thread, void *
> static pam_handle_t *sshpam_handle = NULL;
> static int sshpam_err = 0;
> static int sshpam_authenticated = 0;
>-static int sshpam_new_authtok_reqd = 0;
> static int sshpam_session_open = 0;
> static int sshpam_cred_established = 0;
> static int sshpam_account_status = -1;
>+static int *force_pwchange;
> static char **sshpam_env = NULL;
>
> /* Some PAM implementations don't implement this */
>@@ -179,7 +179,7 @@ void
> pam_password_change_required(int reqd)
> {
> debug3("%s %d", __func__, reqd);
>- sshpam_new_authtok_reqd = reqd;
>+ *force_pwchange = reqd;
> if (reqd) {
> no_port_forwarding_flag |= 2;
> no_agent_forwarding_flag |= 2;
>@@ -188,9 +188,9 @@ pam_password_change_required(int reqd)
> no_port_forwarding_flag &= ~2;
> no_agent_forwarding_flag &= ~2;
> no_x11_forwarding_flag &= ~2;
>-
> }
> }
>+
> /* Import regular and PAM environment from subprocess */
> static void
> import_environments(Buffer *b)
>@@ -348,7 +348,7 @@ sshpam_thread(void *ctxtp)
> if (compat20) {
> if (!do_pam_account())
> goto auth_fail;
>- if (sshpam_new_authtok_reqd) {
>+ if (*force_pwchange) {
> sshpam_err = pam_chauthtok(sshpam_handle,
> PAM_CHANGE_EXPIRED_AUTHTOK);
> if (sshpam_err != PAM_SUCCESS)
>@@ -362,7 +362,7 @@ sshpam_thread(void *ctxtp)
> #ifndef USE_POSIX_THREADS
> /* Export variables set by do_pam_account */
> buffer_put_int(&buffer, sshpam_account_status);
>- buffer_put_int(&buffer, sshpam_new_authtok_reqd);
>+ buffer_put_int(&buffer, *force_pwchange);
>
> /* Export any environment strings set in child */
> for(i = 0; environ[i] != NULL; i++)
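Review bot: `force_pwchange` is a file-scope pointer that stays NULL until `sshpam_init_ctx()` assigns it, yet `pam_password_change_required()` (hunk at -179) and the reads in `sshpam_thread()` (hunks at -348 and -362) dereference it unconditionally. If any caller can reach `pam_password_change_required()` before `sshpam_init_ctx()` has run (the callers are outside these hunks, so this needs confirming), sshd dereferences NULL in the middle of authentication. A guard at the top of the function, `if (force_pwchange == NULL) fatal("%s: PAM authctxt not initialized", __func__);`, turns that into a clean, logged failure. The `sshpam_cleanup()` hunk also stops resetting the flag and leaves the pointer aimed at the `authctxt` field, so whether it is still valid after cleanup depends on the Authctxt lifetime, which is not visible here.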
>@@ -437,7 +437,7 @@ sshpam_cleanup(void)
> pam_close_session(sshpam_handle, PAM_SILENT);
> sshpam_session_open = 0;
> }
>- sshpam_authenticated = sshpam_new_authtok_reqd = 0;
>+ sshpam_authenticated = 0;
> pam_end(sshpam_handle, sshpam_err);
> sshpam_handle = NULL;
> }
>@@ -511,6 +511,8 @@ sshpam_init_ctx(Authctxt *authctxt)
> ctxt = xmalloc(sizeof *ctxt);
> memset(ctxt, 0, sizeof(*ctxt));
>
>+ force_pwchange = &(authctxt->force_pwchange);
>+
> /* Start the authentication thread */
> if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC, socks) == -1) {
> error("PAM: failed create sockets: %s", strerror(errno));
>@@ -744,12 +746,6 @@ do_pam_setcred(int init)
> pam_strerror(sshpam_handle, sshpam_err));
> }
>
>-int
>-is_pam_password_change_required(void)
>-{
>- return (sshpam_new_authtok_reqd);
>-}
>-
> static int
> pam_tty_conv(int n, const struct pam_message **msg,
> struct pam_response **resp, void *data)
>@@ -828,6 +824,7 @@ do_pam_chauthtok(void)
> void
> do_pam_session(void)
> {
>+ debug3("PAM: opening session");
> sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
> (const void *)&tty_conv);
> if (sshpam_err != PAM_SUCCESS)
>@@ -862,12 +859,6 @@ do_pam_putenv(char *name, char *value)
> #endif
>
> return (ret);
>-}
>-
>-void
>-print_pam_messages(void)
>-{
>- /* XXX */
> }
>
> char **
>Index: auth-pam.h
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth-pam.h,v
>retrieving revision 1.23
>diff -u -p -r1.23 auth-pam.h
>--- auth-pam.h 17 Nov 2003 10:41:42 -0000 1.23
>+++ auth-pam.h 10 Feb 2004 00:11:12 -0000
>@@ -37,10 +37,8 @@ u_int do_pam_account(void);
> void do_pam_session(void);
> void do_pam_set_tty(const char *);
> void do_pam_setcred(int );
>-int is_pam_password_change_required(void);
> void do_pam_chauthtok(void);
> int do_pam_putenv(char *, char *);
>-void print_pam_messages(void);
> char ** fetch_pam_environment(void);
> char ** fetch_pam_child_environment(void);
> void free_pam_environment(char **);
>Index: session.c
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/session.c,v
>retrieving revision 1.273
>diff -u -p -r1.273 session.c
>--- session.c 6 Feb 2004 05:24:32 -0000 1.273
>+++ session.c 10 Feb 2004 01:30:46 -0000
>@@ -193,6 +193,15 @@ auth_input_request_forwarding(struct pas
> return 1;
> }
>
>+static void
>+display_loginmsg(void)
>+{
>+ if (buffer_len(&loginmsg) > 0) {
>+ buffer_append(&loginmsg, "\0", 1);
>+ printf("%s\n", (char *)buffer_ptr(&loginmsg));
>+ buffer_clear(&loginmsg);
>+ }
>+}
>
> void
> do_authenticated(Authctxt *authctxt)
>@@ -389,12 +398,8 @@ do_exec_no_pty(Session *s, const char *c
> session_proctitle(s);
>
> #if defined(USE_PAM)
>- if (options.use_pam) {
>+ if (options.use_pam)
> do_pam_setcred(1);
>- if (is_pam_password_change_required())
>- packet_disconnect("Password change required but no "
>- "TTY available");
>- }
> #endif /* USE_PAM */
>
> /* Fork the child. */
>@@ -698,9 +703,10 @@ do_login(Session *s, const char *command
> * If password change is needed, do it now.
> * This needs to occur before the ~/.hushlogin check.
> */
>- if (options.use_pam && is_pam_password_change_required()) {
>+ if (options.use_pam && !use_privsep && s->authctxt->force_pwchange) {
>- print_pam_messages();
>+ display_loginmsg();
> do_pam_chauthtok();
>+ s->authctxt->force_pwchange = 0;
> /* XXX - signal [net] parent to enable forwardings */
> }
> #endif
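Review bot: `display_loginmsg()` in the session.c hunk at -193 is added without a comment, and it has two side effects on the global `loginmsg` buffer that a caller should know about. It appends a NUL byte before printing, and it empties the buffer with `buffer_clear()`, where the inline code it replaces in `do_login()` called `buffer_free()`. I would put `/* Print any queued login messages, then empty loginmsg so a later call does not repeat them. */` above the definition. The buffer is now never freed in the visible code, which looks intentional since the helper is called twice in `do_login()`, but that is worth a word in the comment as well.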
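Review bot: In the `do_exec_no_pty()` hunk at -389, removing the `is_pam_password_change_required()` / `packet_disconnect()` pair means nothing visible here stops a session without a TTY from proceeding while `authctxt->force_pwchange` is set. `do_pwchange`, named in the attachment title, does not appear in this diff, so it should be confirmed that some later step refuses or performs the change before the command runs; otherwise password expiry is not enforced for no-PTY sessions. If that is not guaranteed on every path, keep an equivalent check on the new flag, `if (s->authctxt->force_pwchange) packet_disconnect("Password change required but no TTY available");`. The body of `do_exec_no_pty()` continues outside the hunk.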
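Review bot: In the `do_login()` hunk at -698, the new `!use_privsep` term means that with privilege separation enabled the block is skipped and `force_pwchange` stays set, so the expired password has to be enforced somewhere this diff does not show. A comment on the condition would make that explicit, for example `/* With privsep the flag is left set here; the change is enforced in <function - fill in>. */`. Separately, `s->authctxt->force_pwchange = 0;` runs unconditionally after `do_pam_chauthtok()`, which returns void, so the flag is cleared even if the change did not succeed unless that function never returns on failure; its body is outside the hunk and should be checked. The `|= 2` forwarding restrictions set in `pam_password_change_required()` also remain in force afterwards, as the existing XXX comment already notes.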
>@@ -708,17 +714,7 @@ do_login(Session *s, const char *command
> if (check_quietlogin(s, command))
> return;
>
>-#ifdef USE_PAM
>- if (options.use_pam && !is_pam_password_change_required())
>- print_pam_messages();
>-#endif /* USE_PAM */
>-
>- /* display post-login message */
>- if (buffer_len(&loginmsg) > 0) {
>- buffer_append(&loginmsg, "\0", 1);
>- printf("%s\n", (char *)buffer_ptr(&loginmsg));
>- }
>- buffer_free(&loginmsg);
>+ display_loginmsg();
>
> #ifndef NO_SSH_LASTLOG
> if (options.print_lastlog && s->last_login_time != 0) {
Flags:
djm
:
ok+