
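--- a/acconfig.h
+++ b/acconfig.h
@@ -424,6 +424,9 @@
 /* Define if HEADER.ad exists in arpa/nameser.h */
 #undef HAVE_HEADER_AD
 
+/* Define to disable pam_chauthtok via keyboard-interactive authentication */
+#undef DISABLE_KBDINT_CHAUTHTOK
+
 @BOTTOM@
 
 /* ******************* Shouldn't need to edit below this line ************** */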
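--- a/auth-pam.c
+++ b/auth-pam.c
@@ -53,6 +53,7 @@ RCSID("$Id: auth-pam.c,v 1.82 2003/11/18
 
 extern ServerOptions options;
 extern Buffer loginmsg;
+extern int compat20;
 
 #define __unused
 
@@ -118,6 +119,7 @@ static int sshpam_authenticated = 0;
 static int sshpam_new_authtok_reqd = 0;
 static int sshpam_session_open = 0;
 static int sshpam_cred_established = 0;
+static int sshpam_account_status = -1;
 static char **sshpam_env = NULL;
 
 struct pam_ctxt {
@@ -144,6 +146,21 @@ pam_getenvlist(pam_handle_t *pamh)
 }
 #endif
 
+void
+pam_password_change_required(int reqd)
+{
+	sshpam_new_authtok_reqd = reqd;
+	if (reqd) {
+		no_port_forwarding_flag |= 2;
+		no_agent_forwarding_flag |= 2;
+		no_x11_forwarding_flag |= 2;
+	} else {
+		no_port_forwarding_flag &= ~2;
+		no_agent_forwarding_flag &= ~2;
+		no_x11_forwarding_flag &= ~2;
+
+	}
+}
 /* Import regular and PAM environment from subprocess */
 static void
 import_environments(Buffer *b)
@@ -152,6 +169,13 @@ import_environments(Buffer *b)
 	u_int i, num_env;
 	int err;
 
+	/* Import variables set by do_pam_account */
+	sshpam_account_status = buffer_get_int(b);
+	sshpam_new_authtok_reqd = buffer_get_int(b);
+
+	if (sshpam_new_authtok_reqd == 1)
+		pam_password_change_required(1);
+
 	/* Import environment from subprocess */
 	num_env = buffer_get_int(b);
 	sshpam_env = xmalloc((num_env + 1) * sizeof(*sshpam_env));
@@ -290,9 +314,28 @@ sshpam_thread(void *ctxtp)
 	sshpam_err = pam_authenticate(sshpam_handle, 0);
 	if (sshpam_err != PAM_SUCCESS)
 		goto auth_fail;
+#ifndef DISABLE_KBDINT_CHAUTHTOK
+	if (compat20) {
+		if (do_pam_account()) {
+		       if (sshpam_new_authtok_reqd) {
+				sshpam_err = pam_chauthtok(sshpam_handle,
+				    PAM_CHANGE_EXPIRED_AUTHTOK);
+				if (sshpam_err != PAM_SUCCESS)
+					goto auth_fail;
+				pam_password_change_required(0);
+			}
+		} else {
+			goto auth_fail;
+		}
+	}
+#endif
 	buffer_put_cstring(&buffer, "OK");
 
 #ifndef USE_POSIX_THREADS
+	/* Export variables set by do_pam_account */
+	buffer_put_int(&buffer, sshpam_account_status);
+	buffer_put_int(&buffer, sshpam_new_authtok_reqd);
+
 	/* Export any environment strings set in child */
 	for(i = 0; environ[i] != NULL; i++)
 		; /* Count */
@@ -611,22 +654,22 @@ finish_pam(void)
 u_int
 do_pam_account(void)
 {
+	if (sshpam_account_status != -1)
+		return (sshpam_account_status);
+
 	sshpam_err = pam_acct_mgmt(sshpam_handle, 0);
 	debug3("%s: pam_acct_mgmt = %d", __func__, sshpam_err);
 	
-	if (sshpam_err != PAM_SUCCESS && sshpam_err != PAM_NEW_AUTHTOK_REQD)
-		return (0);
-
-	if (sshpam_err == PAM_NEW_AUTHTOK_REQD) {
-		sshpam_new_authtok_reqd = 1;
-
-		/* Prevent forwardings until password changed */
-		no_port_forwarding_flag |= 2;
-		no_agent_forwarding_flag |= 2;
-		no_x11_forwarding_flag |= 2;
+	if (sshpam_err != PAM_SUCCESS && sshpam_err != PAM_NEW_AUTHTOK_REQD) {
+		sshpam_account_status = 0;
+		return (sshpam_account_status);
 	}
 
-	return (1);
+	if (sshpam_err == PAM_NEW_AUTHTOK_REQD)
+		pam_password_change_required(1);
+
+	sshpam_account_status = 1;
+	return (sshpam_account_status);
 }
 
 void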
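Review bot: The new early return at the top of do_pam_account() (`if (sshpam_account_status != -1) return (sshpam_account_status);`) makes the pam_acct_mgmt() verdict sticky for the life of the process, and none of the visible hunks ever sets the static back to -1. If the PAM handle can be torn down and re-created for another authentication attempt in the same process (the init and cleanup code is outside these hunks, so this is unconfirmed), the later attempt would reuse the earlier account decision without consulting PAM; resetting it with `sshpam_account_status = -1;` next to the handle setup would close that. The declaration would also benefit from a comment such as `/* cached pam_acct_mgmt result: -1 = not checked yet, 0 = denied, 1 = permitted */`. Separately, import_environments() applies the forwarding restrictions only when the imported value is exactly 1 (`if (sshpam_new_authtok_reqd == 1)`) while sshpam_thread() tests it for non-zero; `if (sshpam_new_authtok_reqd)` would keep the two in step.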
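--- a/configure.ac
+++ b/configure.ac
@@ -105,6 +105,7 @@ case "$host" in
 	AC_DEFINE(DISABLE_LASTLOG)
 	AC_DEFINE(LOGIN_NEEDS_UTMPX)
 	AC_DEFINE(SPT_TYPE,SPT_REUSEARGV)
+	AC_DEFINE(DISABLE_KBDINT_CHAUTHTOK)
 	;;
 *-*-cygwin*)
 	check_for_libcrypt_later=1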
