Attachment 55 Details for Bug 188 – Patch to do pw aging in kbd-interactive

[patch] Patch to do pw aging in kbd-interactive

openssh-kbdint-pam.patch1 (text/plain), 3.22 KB, created by Nicolas Williams on 2002-03-28 02:43:27 AEDT

(hide)

Description:

Filename:

MIME Type:

Creator: Nicolas Williams

Created: 2002-03-28 02:43:27 AEDT

Size: 3.22 KB

patch

obsolete

>Index: 3_0_2p1_w_gssk5_ubsw_devl.32/auth2-pam.c
>--- 3_0_2p1_w_gssk5_ubsw_devl.32/auth2-pam.c Wed, 21 Nov 2001 10:38:46 -0500
>+++ 3_0_2p1_w_gssk5_ubsw_devl.33(w)/auth2-pam.c Wed, 27 Mar 2002 10:28:30 -0500
>@@ -42,7 +42,7 @@
> 
> 	dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE,
> 	    &input_userauth_info_response_pam);
>-	retval = (do_pam_authenticate(0) == PAM_SUCCESS);
>+	retval = (do_pam_authenticate(0, 1) == PAM_SUCCESS);
> 	dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE, NULL);
> 
> 	return retval;
>Index: 3_0_2p1_w_gssk5_ubsw_devl.32/auth-pam.h
>--- 3_0_2p1_w_gssk5_ubsw_devl.32/auth-pam.h Thu, 10 Jan 2002 14:22:14 -0500
>+++ 3_0_2p1_w_gssk5_ubsw_devl.33(w)/auth-pam.h Wed, 27 Mar 2002 10:28:30 -0500
>@@ -9,7 +9,7 @@
> void finish_pam(void);
> int auth_pam_password(struct passwd *pw, const char *password);
> char **fetch_pam_environment(void);
>-int do_pam_authenticate(int flags);
>+int do_pam_authenticate(int flags, int can_age_pw_here);
> int do_pam_account(char *username, char *remote_user);
> void do_pam_session(char *username, const char *ttyname);
> void do_pam_setcred(int init);
>Index: 3_0_2p1_w_gssk5_ubsw_devl.32/auth-pam.c
>--- 3_0_2p1_w_gssk5_ubsw_devl.32/auth-pam.c Thu, 10 Jan 2002 14:22:14 -0500
>+++ 3_0_2p1_w_gssk5_ubsw_devl.33(w)/auth-pam.c Wed, 27 Mar 2002 10:28:30 -0500
>@@ -58,6 +58,8 @@
> static int password_change_required = 0;
> /* remember whether the last pam_authenticate() succeeded or not */
> static int was_authenticated = 0;
>+static int acct_mgmt_retval = -1;
>+static int chauthtok_retval = -1;
> 
> /* Remember what has been initialised */
> static int session_opened = 0;
>@@ -71,10 +73,20 @@
> }
> 
> /* start an authentication run */
>-int do_pam_authenticate(int flags)
>+int do_pam_authenticate(int flags, int can_age_pw_here)
> {
> 	int retval = pam_authenticate(__pamh, flags);
> 	was_authenticated = (retval == PAM_SUCCESS);
>+	acct_mgmt_retval = pam_acct_mgmt(__pamh, 0);
>+	if ((acct_mgmt_retval == PAM_NEW_AUTHTOK_REQD) &&
>+	    can_age_pw_here) {
>+		debug("do_pam_authenticate() doing password aging");
>+		chauthtok_retval = pam_chauthtok(__pamh,
>+			PAM_CHANGE_EXPIRED_AUTHTOK);
>+		was_authenticated = (chauthtok_retval == PAM_SUCCESS);
>+		retval = (chauthtok_retval == PAM_SUCCESS) ?
>+			 retval : chauthtok_retval;
>+	}
> 	return retval;
> }
> 
>@@ -218,7 +230,8 @@
> 
> 	pamstate = INITIAL_LOGIN;
> 	pam_retval = do_pam_authenticate(
>-	    options.permit_empty_passwd == 0 ? PAM_DISALLOW_NULL_AUTHTOK : 0);
>+	    options.permit_empty_passwd == 0 ? PAM_DISALLOW_NULL_AUTHTOK : 0,
>+	    0);
> 	if (pam_retval == PAM_SUCCESS) {
> 		debug("PAM Password authentication accepted for "
> 		    "user \"%.100s\"", pw->pw_name);
>@@ -246,12 +259,19 @@
> 			    PAM_STRERROR(__pamh, pam_retval));
> 	}
> 
>-	pam_retval = pam_acct_mgmt(__pamh, 0);
>+	/* do_pam_authenticate() may have called pam_acct_mgmt() already */
>+	pam_retval = acct_mgmt_retval;
>+	if (pam_retval == -1)
>+		pam_retval = pam_acct_mgmt(__pamh, 0);
>+
> 	switch (pam_retval) {
> 		case PAM_SUCCESS:
> 			/* This is what we want */
> 			break;
> 		case PAM_NEW_AUTHTOK_REQD:
>+			/* pam_chauthtok() may have been called already */
>+			if (chauthtok_retval != -1) 
>+				return (chauthtok_retval == PAM_SUCCESS);
> 			message_cat(&__pam_msg, NEW_AUTHTOK_MSG);
> 			/* flag that password change is necessary */
> 			password_change_required = 1;

Actions: View | Diff

Attachments on bug 188: 55 | 56