1 diff -ur openssh-3.2.3p1/auth-pam.c openssh-3.2.3p1.new/auth-pam.c
2 --- openssh-3.2.3p1/auth-pam.c Wed May 8 04:27:56 2002
3 +++ openssh-3.2.3p1.new/auth-pam.c Fri Jun 28 14:48:26 2002
5 static int password_change_required = 0;
6 /* remember whether the last pam_authenticate() succeeded or not */
7 static int was_authenticated = 0;
8 +static int acct_mgmt_retval = -1;
10 /* Remember what has been initialised */
11 static int session_opened = 0;
15 /* start an authentication run */
16 -int do_pam_authenticate(int flags)
17 +int do_pam_authenticate(int flags, int can_age_pw_here)
19 int retval = pam_authenticate(__pamh, flags);
21 + was_authenticated = (retval == PAM_SUCCESS);
22 + if (retval != PAM_SUCCESS)
25 + acct_mgmt_retval = pam_acct_mgmt(__pamh, 0);
27 + if (acct_mgmt_retval == PAM_SUCCESS)
30 + was_authenticated = 0;
31 + if (acct_mgmt_retval != PAM_NEW_AUTHTOK_REQD)
32 + return acct_mgmt_retval;
34 + /* (acct_mgmt_retval == PAM_NEW_AUTHTOK_REQD) */
35 + /* PAM auth token (password) is expired */
38 + * USERAUTH_PASSWORD_CHANGEREQ is not currently
39 + * supported. Password aged users using password
40 + * userauth are thrown out here.
42 + if (!can_age_pw_here)
43 + return PAM_NEW_AUTHTOK_REQD;
45 + debug("do_pam_authenticate() - doing password aging");
46 + retval = pam_chauthtok(__pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
47 was_authenticated = (retval == PAM_SUCCESS);
48 + if (retval == PAM_SUCCESS)
49 + acct_mgmt_retval = PAM_SUCCESS;
56 pamstate = INITIAL_LOGIN;
57 pam_retval = do_pam_authenticate(
58 - options.permit_empty_passwd == 0 ? PAM_DISALLOW_NULL_AUTHTOK : 0);
59 + options.permit_empty_passwd == 0 ? PAM_DISALLOW_NULL_AUTHTOK : 0,
61 if (pam_retval == PAM_SUCCESS) {
62 debug("PAM Password authentication accepted for "
63 "user \"%.100s\"", pw->pw_name);
65 PAM_STRERROR(__pamh, pam_retval));
68 - pam_retval = pam_acct_mgmt(__pamh, 0);
69 + /* do_pam_authenticate() may have called pam_acct_mgmt() already */
70 + pam_retval = acct_mgmt_retval;
71 debug2("pam_acct_mgmt() = %d", pam_retval);
72 + if (pam_retval == -1)
73 + pam_retval = pam_acct_mgmt(__pamh, 0);
77 /* This is what we want */
80 case PAM_NEW_AUTHTOK_REQD:
81 message_cat(&__pam_msg, NEW_AUTHTOK_MSG);
82 /* flag that password change is necessary */
83 password_change_required = 1;
84 + return(0); /* Sorry, no TTY password aging */
88 log("PAM rejected by account configuration[%d]: "
89 "%.200s", pam_retval, PAM_STRERROR(__pamh,
91 return password_change_required;
95 - * Have user change authentication token if pam_acct_mgmt() indicated
96 - * it was expired. This needs to be called after an interactive
97 - * session is established and the user's pty is connected to
98 - * stdin/stout/stderr.
100 -void do_pam_chauthtok(void)
104 - do_pam_set_conv(&conv);
106 - if (password_change_required) {
108 - pam_retval = pam_chauthtok(__pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
109 - if (pam_retval != PAM_SUCCESS)
110 - fatal("PAM pam_chauthtok failed[%d]: %.200s",
111 - pam_retval, PAM_STRERROR(__pamh, pam_retval));
115 /* Cleanly shutdown PAM */
116 void finish_pam(void)
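Review bot: `acct_mgmt_retval` is never reset at the start of do_pam_authenticate(), so a value cached by one authentication attempt survives into the next: the early return on a failed pam_authenticate() (its line is elided from this listing, but the `if (retval != PAM_SUCCESS)` at patch line 22 presumably leads to it) leaves the previous result in place, and do_pam_account() at patch lines 70-73 then only calls pam_acct_mgmt() itself when no earlier attempt ever got that far, otherwise reusing the stale result instead of asking PAM again. Adding `acct_mgmt_retval = -1;` as the first statement of do_pam_authenticate() ties the cache to the current attempt. The `acct_mgmt_retval = PAM_SUCCESS;` after a successful pam_chauthtok() also deserves a comment such as `/* assumes an expired token was the only reason pam_acct_mgmt() failed */`, or better a second pam_acct_mgmt() call, since the account check is not re-run after the change. do_pam_authenticate() and do_pam_account() both extend beyond the lines shown here.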
118 diff -ur openssh-3.2.3p1/auth-pam.h openssh-3.2.3p1.new/auth-pam.h
119 --- openssh-3.2.3p1/auth-pam.h Thu Apr 4 21:02:28 2002
120 +++ openssh-3.2.3p1.new/auth-pam.h Fri Jun 28 14:46:18 2002
122 void finish_pam(void);
123 int auth_pam_password(Authctxt *authctxt, const char *password);
124 char **fetch_pam_environment(void);
125 -int do_pam_authenticate(int flags);
126 +int do_pam_authenticate(int flags, int can_age_pw_here);
127 int do_pam_account(char *username, char *remote_user);
128 void do_pam_session(char *username, const char *ttyname);
129 void do_pam_setcred(int init);
130 void print_pam_messages(void);
131 int is_pam_password_change_required(void);
132 -void do_pam_chauthtok(void);
133 void do_pam_set_conv(struct pam_conv *);
134 void message_cat(char **p, const char *a);
136 diff -ur openssh-3.2.3p1/auth2-pam.c openssh-3.2.3p1.new/auth2-pam.c
137 --- openssh-3.2.3p1/auth2-pam.c Fri Jun 28 14:48:46 2002
138 +++ openssh-3.2.3p1.new/auth2-pam.c Fri Jun 28 14:46:18 2002
141 dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE,
142 &input_userauth_info_response_pam);
143 - retval = (do_pam_authenticate(0) == PAM_SUCCESS);
144 + retval = (do_pam_authenticate(0, 1) == PAM_SUCCESS);
145 dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE, NULL);
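Review bot: The bare `1` passed as can_age_pw_here at patch line 144 needs a comment, because the reader has to know from auth-pam.c that it lets do_pam_authenticate() run pam_chauthtok() inside the keyboard-interactive exchange, before any session or tty exists; suggest `/* kbd-int conversation can drive pam_chauthtok() for an expired token */` on the line above the call. The enclosing function starts and ends outside the hunk.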
148 diff -ur openssh-3.2.3p1/session.c openssh-3.2.3p1.new/session.c
149 --- openssh-3.2.3p1/session.c Mon May 13 02:48:58 2002
150 +++ openssh-3.2.3p1.new/session.c Fri Jun 28 14:46:18 2002
152 options.verify_reverse_mapping),
153 (struct sockaddr *)&from);
157 - * If password change is needed, do it now.
158 - * This needs to occur before the ~/.hushlogin check.
160 - if (is_pam_password_change_required()) {
161 - print_pam_messages();
162 - do_pam_chauthtok();
166 if (check_quietlogin(s, command))