Bugzilla – Attachment 504 Details for
Bug 740
Sun's pam_ldap account management is not working
[patch]
Call do_pam_account and pam_chauthtok() from authentication thread.
openssh-pamchauthtok5.patch (text/plain), 4.40 KB, created by
Darren Tucker
on 2003-11-20 17:52:08 AEDT
Description:
Call do_pam_account and pam_chauthtok() from authentication thread.
Filename:
MIME Type:
Creator:
Darren Tucker
Created:
2003-11-20 17:52:08 AEDT
Size:
4.40 KB
>Index: acconfig.h
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/acconfig.h,v
>retrieving revision 1.168
>diff -u -p -r1.168 acconfig.h
>--- acconfig.h 15 Oct 2003 06:57:57 -0000 1.168
>+++ acconfig.h 13 Nov 2003 09:02:50 -0000
>@@ -424,6 +424,9 @@
> /* Define if HEADER.ad exists in arpa/nameser.h */
> #undef HAVE_HEADER_AD
>
>+/* Define to disable pam_chauthtok via keyboard-interactive authentication */
>+#undef DISABLE_KBDINT_CHAUTHTOK
>+
> @BOTTOM@
>
> /* ******************* Shouldn't need to edit below this line ************** */
>Index: auth-pam.c
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth-pam.c,v
>retrieving revision 1.82
>diff -u -p -r1.82 auth-pam.c
>--- auth-pam.c 18 Nov 2003 01:45:36 -0000 1.82
>+++ auth-pam.c 21 Nov 2003 00:42:59 -0000
>@@ -53,6 +53,7 @@ RCSID("$Id: auth-pam.c,v 1.82 2003/11/18
>
> extern ServerOptions options;
> extern Buffer loginmsg;
>+extern int compat20;
>
> #define __unused
>
>@@ -118,6 +119,7 @@ static int sshpam_authenticated = 0;
> static int sshpam_new_authtok_reqd = 0;
> static int sshpam_session_open = 0;
> static int sshpam_cred_established = 0;
>+static int sshpam_account_status = -1;
> static char **sshpam_env = NULL;
>
> struct pam_ctxt {
>@@ -144,6 +146,21 @@ pam_getenvlist(pam_handle_t *pamh)
> }
> #endif
>
>+void
>+pam_password_change_required(int reqd)
>+{
>+ sshpam_new_authtok_reqd = reqd;
>+ if (reqd) {
>+ no_port_forwarding_flag |= 2;
>+ no_agent_forwarding_flag |= 2;
>+ no_x11_forwarding_flag |= 2;
>+ } else {
>+ no_port_forwarding_flag &= ~2;
>+ no_agent_forwarding_flag &= ~2;
>+ no_x11_forwarding_flag &= ~2;
>+
>+ }
>+}
> /* Import regular and PAM environment from subprocess */
> static void
> import_environments(Buffer *b)
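Review bot: pam_password_change_required() in the `@@ -144,6 +146,21 @@` hunk is added with external linkage, but the patch as shown touches only acconfig.h, auth-pam.c and configure.ac, so no prototype for it is visible; either declare it in the PAM header or make it `static void`. The function also has no comment, and the meaning of the literal `2` is lost because the old `/* Prevent forwardings until password changed */` line is removed from do_pam_account later in the patch. A comment above the function such as `/* Set or clear the "password change required" state; the 2 bit of the no_*_forwarding flags blocks forwarding until the expired password is changed, other bits are left alone */` would restore it. The empty `+` line before the closing brace of the else branch and the missing blank line after the function are worth tidying.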
>@@ -152,6 +169,13 @@ import_environments(Buffer *b)
> u_int i, num_env;
> int err;
>
>+ /* Import variables set by do_pam_account */
>+ sshpam_account_status = buffer_get_int(b);
>+ sshpam_new_authtok_reqd = buffer_get_int(b);
>+
>+ if (sshpam_new_authtok_reqd == 1)
>+ pam_password_change_required(1);
>+
> /* Import environment from subprocess */
> num_env = buffer_get_int(b);
> sshpam_env = xmalloc((num_env + 1) * sizeof(*sshpam_env));
>@@ -290,9 +314,28 @@ sshpam_thread(void *ctxtp)
> sshpam_err = pam_authenticate(sshpam_handle, 0);
> if (sshpam_err != PAM_SUCCESS)
> goto auth_fail;
>+#ifndef DISABLE_KBDINT_CHAUTHTOK
>+ if (compat20) {
>+ if (do_pam_account()) {
>+ if (sshpam_new_authtok_reqd) {
>+ sshpam_err = pam_chauthtok(sshpam_handle,
>+ PAM_CHANGE_EXPIRED_AUTHTOK);
>+ if (sshpam_err != PAM_SUCCESS)
>+ goto auth_fail;
>+ pam_password_change_required(0);
>+ }
>+ } else {
>+ goto auth_fail;
>+ }
>+ }
>+#endif
> buffer_put_cstring(&buffer, "OK");
>
> #ifndef USE_POSIX_THREADS
>+ /* Export variables set by do_pam_account */
>+ buffer_put_int(&buffer, sshpam_account_status);
>+ buffer_put_int(&buffer, sshpam_new_authtok_reqd);
>+
> /* Export any environment strings set in child */
> for(i = 0; environ[i] != NULL; i++)
> ; /* Count */
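Review bot: The two integers read at the top of import_environments (hunk `@@ -152,6 +169,13 @@`) are taken from the subprocess buffer without any range check, and `if (sshpam_new_authtok_reqd == 1)` applies the forwarding restrictions only for the exact value 1. Any other non-zero value would leave sshpam_new_authtok_reqd set while the no_*_forwarding_flag bits stay clear; `if (sshpam_new_authtok_reqd != 0)` keeps the two in step. Because sshpam_account_status later short-circuits do_pam_account, it would also be worth rejecting anything other than -1, 0 and 1 here instead of caching it. The function body continues outside the hunk.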
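Review bot: The pam_chauthtok() result in the new `#ifndef DISABLE_KBDINT_CHAUTHTOK` block (hunk `@@ -290,9 +314,28 @@`) is not logged, unlike the pam_acct_mgmt() result in do_pam_account, so as far as this hunk shows a failed expired-password change and an account denial both reach auth_fail with nothing to tell them apart from an authentication failure. Adding `debug3("%s: pam_chauthtok = %d", __func__, sshpam_err);` directly after the call would give the same audit trail as the account check. The two `buffer_put_int` calls must stay in the order import_environments reads them, and a short comment saying so beside them would protect against a later reordering. sshpam_thread begins and ends outside the hunk.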
>@@ -611,22 +654,22 @@ finish_pam(void)
> u_int
> do_pam_account(void)
> {
>+ if (sshpam_account_status != -1)
>+ return (sshpam_account_status);
>+
> sshpam_err = pam_acct_mgmt(sshpam_handle, 0);
> debug3("%s: pam_acct_mgmt = %d", __func__, sshpam_err);
>
>- if (sshpam_err != PAM_SUCCESS && sshpam_err != PAM_NEW_AUTHTOK_REQD)
>- return (0);
>-
>- if (sshpam_err == PAM_NEW_AUTHTOK_REQD) {
>- sshpam_new_authtok_reqd = 1;
>-
>- /* Prevent forwardings until password changed */
>- no_port_forwarding_flag |= 2;
>- no_agent_forwarding_flag |= 2;
>- no_x11_forwarding_flag |= 2;
>+ if (sshpam_err != PAM_SUCCESS && sshpam_err != PAM_NEW_AUTHTOK_REQD) {
>+ sshpam_account_status = 0;
>+ return (sshpam_account_status);
> }
>
>- return (1);
>+ if (sshpam_err == PAM_NEW_AUTHTOK_REQD)
>+ pam_password_change_required(1);
>+
>+ sshpam_account_status = 1;
>+ return (sshpam_account_status);
> }
>
> void
>Index: configure.ac
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/configure.ac,v
>retrieving revision 1.173
>diff -u -p -r1.173 configure.ac
>--- configure.ac 15 Oct 2003 06:57:57 -0000 1.173
>+++ configure.ac 13 Nov 2003 09:00:50 -0000
>@@ -105,6 +105,7 @@ case "$host" in
> AC_DEFINE(DISABLE_LASTLOG)
> AC_DEFINE(LOGIN_NEEDS_UTMPX)
> AC_DEFINE(SPT_TYPE,SPT_REUSEARGV)
>+ AC_DEFINE(DISABLE_KBDINT_CHAUTHTOK)
> ;;
> *-*-cygwin*)
> check_for_libcrypt_later=1
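Review bot: In do_pam_account (auth-pam.c hunk `@@ -611,22 +654,22 @@`) the new early return makes the first pam_acct_mgmt() verdict permanent for the process, and nothing in the visible patch ever sets sshpam_account_status back to -1. If sshpam_handle can be torn down and re-created during a connection (that code is outside this patch), a verdict cached for the old handle would be returned for the new one without consulting PAM; resetting it where the handle is initialised, `sshpam_account_status = -1;`, would rule that out. A comment on the declaration such as `/* -1 = not yet checked, 0 = denied, 1 = permitted */` would document the tri-state, which matters because the function still returns `u_int`.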