

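--- a/3_0_2p1_w_gssk5_ubsw_devl.32/session.c
+++ b/3_0_2p1_w_gssk5_ubsw_devl.32/session.c
@@ -734,17 +734,6 @@
 	    get_remote_name_or_ip(utmp_len, options.reverse_mapping_check),
 	    (struct sockaddr *)&from);
 
-#ifdef USE_PAM
-	/*
-	 * If password change is needed, do it now.
-	 * This needs to occur before the ~/.hushlogin check.
-	 */
-	if (is_pam_password_change_required()) {
-		print_pam_messages();
-		do_pam_chauthtok();
-	}
-#endif
-
 	if (check_quietlogin(s, command))
 		return;
 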
(-)3_0_2p1_w_gssk5_ubsw_devl.32/auth2-pam.c (-1 / +1 lines)
Lines 42-48 Link Here
42
42
43
	dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE,
43
	dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE,
44
	    &input_userauth_info_response_pam);
44
	    &input_userauth_info_response_pam);
45
	retval = (do_pam_authenticate(0) == PAM_SUCCESS);
45
	retval = (do_pam_authenticate(0, 1) == PAM_SUCCESS);
46
	dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE, NULL);
46
	dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE, NULL);
47
47
48
	return retval;
48
	return retval;
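Review bot: The bare `1` passed as the new second argument of do_pam_authenticate() at new line 45 is a magic number whose meaning is only recoverable from auth-pam.c, where a non-zero can_age_pw_here lets an expired authtok be renewed with pam_chauthtok() during authentication while auth_pam_password() passes `0` for the same argument. A short comment at the call site, e.g. `/* 1: the INFO_RESPONSE conversation installed above can prompt for a new authtok */`, would make the difference between the two call sites read as deliberate rather than accidental.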
(-)3_0_2p1_w_gssk5_ubsw_devl.32/auth-pam.h (-2 / +1 lines)
Lines 9-21 Link Here
9
void finish_pam(void);
9
void finish_pam(void);
10
int auth_pam_password(struct passwd *pw, const char *password);
10
int auth_pam_password(struct passwd *pw, const char *password);
11
char **fetch_pam_environment(void);
11
char **fetch_pam_environment(void);
12
int do_pam_authenticate(int flags);
12
int do_pam_authenticate(int flags, int can_age_pw_here);
13
int do_pam_account(char *username, char *remote_user);
13
int do_pam_account(char *username, char *remote_user);
14
void do_pam_session(char *username, const char *ttyname);
14
void do_pam_session(char *username, const char *ttyname);
15
void do_pam_setcred(int init);
15
void do_pam_setcred(int init);
16
void print_pam_messages(void);
16
void print_pam_messages(void);
17
int is_pam_password_change_required(void);
17
int is_pam_password_change_required(void);
18
void do_pam_chauthtok(void);
19
void do_pam_set_conv(struct pam_conv *);
18
void do_pam_set_conv(struct pam_conv *);
20
int do_pam_putenv(char *, char *);
19
int do_pam_putenv(char *, char *);
21
void message_cat(char **p, const char *a);
20
void message_cat(char **p, const char *a);
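Review bot: The new `can_age_pw_here` parameter on the do_pam_authenticate() prototype at new line 12 is undocumented, and because it decides whether an expired PAM authtok is renewed via pam_chauthtok() right inside the authentication run or the login is refused with PAM_NEW_AUTHTOK_REQD (per auth-pam.c), callers need that contract stated here. Add a comment above the prototype, e.g. `/* can_age_pw_here: non-zero if an expired authtok may be renewed through the currently installed conversation */`.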
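--- a/3_0_2p1_w_gssk5_ubsw_devl.32/auth-pam.c
+++ b/3_0_2p1_w_gssk5_ubsw_devl.32/auth-pam.c
@@ -58,6 +58,7 @@
 static int password_change_required = 0;
 /* remember whether the last pam_authenticate() succeeded or not */
 static int was_authenticated = 0;
+static int acct_mgmt_retval = -1;
 
 /* Remember what has been initialised */
 static int session_opened = 0;
@@ -71,10 +72,40 @@
 }
 
 /* start an authentication run */
-int do_pam_authenticate(int flags)
+int do_pam_authenticate(int flags, int can_age_pw_here)
 {
 	int retval = pam_authenticate(__pamh, flags);
+
+	was_authenticated = (retval == PAM_SUCCESS);
+	if (retval != PAM_SUCCESS)
+		return retval;
+
+	acct_mgmt_retval = pam_acct_mgmt(__pamh, 0);
+
+	if (acct_mgmt_retval == PAM_SUCCESS)
+		return PAM_SUCCESS;
+
+	was_authenticated = 0;
+	if (acct_mgmt_retval != PAM_NEW_AUTHTOK_REQD)
+		return acct_mgmt_retval;
+
+	/* (acct_mgmt_retval == PAM_NEW_AUTHTOK_REQD) */
+	/* PAM auth token (password) is expired */
+
+	/*
+	 * USERAUTH_PASSWORD_CHANGEREQ is not currently
+	 * supported. Password aged users using password
+	 * userauth are thrown out here.
+	 */
+	if (!can_age_pw_here)
+		return PAM_NEW_AUTHTOK_REQD;
+
+	debug("do_pam_authenticate() - doing password aging");
+	retval = pam_chauthtok(__pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
 	was_authenticated = (retval == PAM_SUCCESS);
+	if (retval == PAM_SUCCESS)
+		acct_mgmt_retval = PAM_SUCCESS;
+
 	return retval;
 }
 
@@ -218,7 +249,8 @@
 
 	pamstate = INITIAL_LOGIN;
 	pam_retval = do_pam_authenticate(
-	    options.permit_empty_passwd == 0 ? PAM_DISALLOW_NULL_AUTHTOK : 0);
+	    options.permit_empty_passwd == 0 ? PAM_DISALLOW_NULL_AUTHTOK : 0,
+	    0);
 	if (pam_retval == PAM_SUCCESS) {
 		debug("PAM Password authentication accepted for "
 		    "user \"%.100s\"", pw->pw_name);
@@ -246,7 +278,11 @@
 			    PAM_STRERROR(__pamh, pam_retval));
 	}
 
-	pam_retval = pam_acct_mgmt(__pamh, 0);
+	/* do_pam_authenticate() may have called pam_acct_mgmt() already */
+	pam_retval = acct_mgmt_retval;
+	if (pam_retval == -1)
+		pam_retval = pam_acct_mgmt(__pamh, 0);
+
 	switch (pam_retval) {
 		case PAM_SUCCESS:
 			/* This is what we want */
@@ -255,6 +291,7 @@
 			message_cat(&__pam_msg, NEW_AUTHTOK_MSG);
 			/* flag that password change is necessary */
 			password_change_required = 1;
+			return(0); /* Sorry, no TTY password aging */
 			break;
 		default:
 			log("PAM rejected by account configuration[%d]: "
@@ -314,27 +351,6 @@
 int is_pam_password_change_required(void)
 {
 	return password_change_required;
-}
-
-/*
- * Have user change authentication token if pam_acct_mgmt() indicated
- * it was expired.  This needs to be called after an interactive
- * session is established and the user's pty is connected to
- * stdin/stout/stderr.
- */
-void do_pam_chauthtok(void)
-{
-	int pam_retval;
-
-	do_pam_set_conv(&conv);
-
-	if (password_change_required) {
-		pamstate = OTHER;
-		pam_retval = pam_chauthtok(__pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
-		if (pam_retval != PAM_SUCCESS)
-			fatal("PAM pam_chauthtok failed[%d]: %.200s",
-			    pam_retval, PAM_STRERROR(__pamh, pam_retval));
-	}
 }
 
 /* Cleanly shutdown PAM */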
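Review bot: The pam_chauthtok() call added at new line 104 of do_pam_authenticate() runs under whatever conversation function and `pamstate` the caller left installed, whereas the do_pam_chauthtok() it replaces (removed in the old 314-340 hunk) first called do_pam_set_conv(&conv) and set `pamstate = OTHER` before changing the token; the conversation installed by the caller that passes can_age_pw_here=1 is not on this page, so a comment above line 104 should record the requirement, e.g. `/* caller must have installed a conversation able to answer the new-authtok prompts */`. The static `acct_mgmt_retval` written at line 83 is never reset in the hunks shown, so do_pam_account() (old 246-252 hunk) reuses the result of the last successful pam_authenticate() instead of asking PAM again; adding `acct_mgmt_retval = -1;` before the pam_authenticate() call at line 77 would scope the cache to a single authentication run and make the intent explicit. In the old 255-260 hunk the added `return(0);` at new line 294 makes the following `break;` unreachable, so one of the two should be dropped.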
