[packages/openssh.git] / openssh-pam-age.patch

diff -ur openssh-3.2.3p1/auth-pam.c openssh-3.2.3p1.new/auth-pam.c
--- openssh-3.2.3p1/auth-pam.c	Wed May  8 04:27:56 2002
+++ openssh-3.2.3p1.new/auth-pam.c	Fri Jun 28 14:48:26 2002
@@ -59,6 +59,7 @@
 static int password_change_required = 0;
 /* remember whether the last pam_authenticate() succeeded or not */
 static int was_authenticated = 0;
+static int acct_mgmt_retval = -1;
 
 /* Remember what has been initialised */
 static int session_opened = 0;
@@ -72,10 +73,40 @@
 }
 
 /* start an authentication run */
-int do_pam_authenticate(int flags)
+int do_pam_authenticate(int flags, int can_age_pw_here)
 {
 	int retval = pam_authenticate(__pamh, flags);
+
+	was_authenticated = (retval == PAM_SUCCESS);
+	if (retval != PAM_SUCCESS)
+		return retval;
+
+	acct_mgmt_retval = pam_acct_mgmt(__pamh, 0);
+
+	if (acct_mgmt_retval == PAM_SUCCESS)
+		return PAM_SUCCESS;
+
+	was_authenticated = 0;
+	if (acct_mgmt_retval != PAM_NEW_AUTHTOK_REQD)
+		return acct_mgmt_retval;
+
+	/* (acct_mgmt_retval == PAM_NEW_AUTHTOK_REQD) */
+	/* PAM auth token (password) is expired */
+
+	/*
+	 * USERAUTH_PASSWORD_CHANGEREQ is not currently
+	 * supported. Password aged users using password
+	 * userauth are thrown out here.
+	 */
+	if (!can_age_pw_here)
+		return PAM_NEW_AUTHTOK_REQD;
+
+	debug("do_pam_authenticate() - doing password aging");
+	retval = pam_chauthtok(__pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
 	was_authenticated = (retval == PAM_SUCCESS);
+	if (retval == PAM_SUCCESS)
+		acct_mgmt_retval = PAM_SUCCESS;
+
 	return retval;
 }
 
@@ -220,7 +251,8 @@
 
 	pamstate = INITIAL_LOGIN;
 	pam_retval = do_pam_authenticate(
-	    options.permit_empty_passwd == 0 ? PAM_DISALLOW_NULL_AUTHTOK : 0);
+	    options.permit_empty_passwd == 0 ? PAM_DISALLOW_NULL_AUTHTOK : 0,
+	    0);
 	if (pam_retval == PAM_SUCCESS) {
 		debug("PAM Password authentication accepted for "
 		    "user \"%.100s\"", pw->pw_name);
@@ -248,19 +280,22 @@
 			    PAM_STRERROR(__pamh, pam_retval));
 	}
 
-	pam_retval = pam_acct_mgmt(__pamh, 0);
+	/* do_pam_authenticate() may have called pam_acct_mgmt() already */
+	pam_retval = acct_mgmt_retval;
 	debug2("pam_acct_mgmt() = %d", pam_retval);
+	if (pam_retval == -1)
+		pam_retval = pam_acct_mgmt(__pamh, 0);
+
 	switch (pam_retval) {
 		case PAM_SUCCESS:
 			/* This is what we want */
 			break;
-#if 0
 		case PAM_NEW_AUTHTOK_REQD:
 			message_cat(&__pam_msg, NEW_AUTHTOK_MSG);
 			/* flag that password change is necessary */
 			password_change_required = 1;
+			return(0); /* Sorry, no TTY password aging */
 			break;
-#endif
 		default:
 			log("PAM rejected by account configuration[%d]: "
 			    "%.200s", pam_retval, PAM_STRERROR(__pamh, 
@@ -324,27 +359,6 @@
 	return password_change_required;
 }
 
-/*
- * Have user change authentication token if pam_acct_mgmt() indicated
- * it was expired.  This needs to be called after an interactive
- * session is established and the user's pty is connected to
- * stdin/stout/stderr.
- */
-void do_pam_chauthtok(void)
-{
-	int pam_retval;
-
-	do_pam_set_conv(&conv);
-
-	if (password_change_required) {
-		pamstate = OTHER;
-		pam_retval = pam_chauthtok(__pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
-		if (pam_retval != PAM_SUCCESS)
-			fatal("PAM pam_chauthtok failed[%d]: %.200s",
-			    pam_retval, PAM_STRERROR(__pamh, pam_retval));
-	}
-}
-
 /* Cleanly shutdown PAM */
 void finish_pam(void)
 {
diff -ur openssh-3.2.3p1/auth-pam.h openssh-3.2.3p1.new/auth-pam.h
--- openssh-3.2.3p1/auth-pam.h	Thu Apr  4 21:02:28 2002
+++ openssh-3.2.3p1.new/auth-pam.h	Fri Jun 28 14:46:18 2002
@@ -9,13 +9,12 @@
 void finish_pam(void);
 int auth_pam_password(Authctxt *authctxt, const char *password);
 char **fetch_pam_environment(void);
-int do_pam_authenticate(int flags);
+int do_pam_authenticate(int flags, int can_age_pw_here);
 int do_pam_account(char *username, char *remote_user);
 void do_pam_session(char *username, const char *ttyname);
 void do_pam_setcred(int init);
 void print_pam_messages(void);
 int is_pam_password_change_required(void);
-void do_pam_chauthtok(void);
 void do_pam_set_conv(struct pam_conv *);
 void message_cat(char **p, const char *a);
 
diff -ur openssh-3.2.3p1/auth2-pam.c openssh-3.2.3p1.new/auth2-pam.c
--- openssh-3.2.3p1/auth2-pam.c	Fri Jun 28 14:48:46 2002
+++ openssh-3.2.3p1.new/auth2-pam.c	Fri Jun 28 14:46:18 2002
@@ -42,7 +42,7 @@
 
 	dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE,
 	    &input_userauth_info_response_pam);
-	retval = (do_pam_authenticate(0) == PAM_SUCCESS);
+	retval = (do_pam_authenticate(0, 1) == PAM_SUCCESS);
 	dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE, NULL);
 
 	return retval;
diff -ur openssh-3.2.3p1/session.c openssh-3.2.3p1.new/session.c
--- openssh-3.2.3p1/session.c	Mon May 13 02:48:58 2002
+++ openssh-3.2.3p1.new/session.c	Fri Jun 28 14:46:18 2002
@@ -645,17 +645,6 @@
 		    options.verify_reverse_mapping),
 		    (struct sockaddr *)&from);
 
-#ifdef USE_PAM
-	/*
-	 * If password change is needed, do it now.
-	 * This needs to occur before the ~/.hushlogin check.
-	 */
-	if (is_pam_password_change_required()) {
-		print_pam_messages();
-		do_pam_chauthtok();
-	}
-#endif
-
 	if (check_quietlogin(s, command))
 		return;
Commit	Line	Data
06ce5bf8 JR	1	diff -ur openssh-3.2.3p1/auth-pam.c openssh-3.2.3p1.new/auth-pam.c
	2	--- openssh-3.2.3p1/auth-pam.c Wed May 8 04:27:56 2002
	3	+++ openssh-3.2.3p1.new/auth-pam.c Fri Jun 28 14:48:26 2002
	4	@@ -59,6 +59,7 @@
	5	static int password_change_required = 0;
	6	/* remember whether the last pam_authenticate() succeeded or not */
	7	static int was_authenticated = 0;
	8	+static int acct_mgmt_retval = -1;
	9
	10	/* Remember what has been initialised */
	11	static int session_opened = 0;
	12	@@ -72,10 +73,40 @@
	13	}
	14
	15	/* start an authentication run */
	16	-int do_pam_authenticate(int flags)
	17	+int do_pam_authenticate(int flags, int can_age_pw_here)
	18	{
	19	int retval = pam_authenticate(__pamh, flags);
	20	+
	21	+ was_authenticated = (retval == PAM_SUCCESS);
	22	+ if (retval != PAM_SUCCESS)
	23	+ return retval;
	24	+
	25	+ acct_mgmt_retval = pam_acct_mgmt(__pamh, 0);
	26	+
	27	+ if (acct_mgmt_retval == PAM_SUCCESS)
	28	+ return PAM_SUCCESS;
	29	+
	30	+ was_authenticated = 0;
	31	+ if (acct_mgmt_retval != PAM_NEW_AUTHTOK_REQD)
	32	+ return acct_mgmt_retval;
	33	+
	34	+ /* (acct_mgmt_retval == PAM_NEW_AUTHTOK_REQD) */
	35	+ /* PAM auth token (password) is expired */
	36	+
	37	+ /*
	38	+ * USERAUTH_PASSWORD_CHANGEREQ is not currently
	39	+ * supported. Password aged users using password
	40	+ * userauth are thrown out here.
	41	+ */
	42	+ if (!can_age_pw_here)
	43	+ return PAM_NEW_AUTHTOK_REQD;
	44	+
	45	+ debug("do_pam_authenticate() - doing password aging");
	46	+ retval = pam_chauthtok(__pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
	47	was_authenticated = (retval == PAM_SUCCESS);
	48	+ if (retval == PAM_SUCCESS)
	49	+ acct_mgmt_retval = PAM_SUCCESS;
	50	+
	51	return retval;
	52	}
	53
	54	@@ -220,7 +251,8 @@
	55
	56	pamstate = INITIAL_LOGIN;
	57	pam_retval = do_pam_authenticate(
	58	- options.permit_empty_passwd == 0 ? PAM_DISALLOW_NULL_AUTHTOK : 0);
	59	+ options.permit_empty_passwd == 0 ? PAM_DISALLOW_NULL_AUTHTOK : 0,
	60	+ 0);
	61	if (pam_retval == PAM_SUCCESS) {
	62	debug("PAM Password authentication accepted for "
	63	"user \"%.100s\"", pw->pw_name);
	64	@@ -248,19 +280,22 @@
65	PAM_STRERROR(__pamh, pam_retval));
66	}
67
68	- pam_retval = pam_acct_mgmt(__pamh, 0);
69	+ /* do_pam_authenticate() may have called pam_acct_mgmt() already */
70	+ pam_retval = acct_mgmt_retval;
71	debug2("pam_acct_mgmt() = %d", pam_retval);
72	+ if (pam_retval == -1)
73	+ pam_retval = pam_acct_mgmt(__pamh, 0);
74	+
75	switch (pam_retval) {
76	case PAM_SUCCESS:
77	/* This is what we want */
78	break;
79	-#if 0
80	case PAM_NEW_AUTHTOK_REQD:
81	message_cat(&__pam_msg, NEW_AUTHTOK_MSG);
82	/* flag that password change is necessary */
83	password_change_required = 1;
84	+ return(0); /* Sorry, no TTY password aging */
85	break;
86	-#endif
87	default:
88	log("PAM rejected by account configuration[%d]: "
89	"%.200s", pam_retval, PAM_STRERROR(__pamh,
90	@@ -324,27 +359,6 @@
91	return password_change_required;
92	}
93
94	-/*
95	- * Have user change authentication token if pam_acct_mgmt() indicated
96	- * it was expired. This needs to be called after an interactive
97	- * session is established and the user's pty is connected to
98	- * stdin/stout/stderr.
99	- */
100	-void do_pam_chauthtok(void)
101	-{
102	- int pam_retval;
103	-
104	- do_pam_set_conv(&conv);
105	-
106	- if (password_change_required) {
107	- pamstate = OTHER;
108	- pam_retval = pam_chauthtok(__pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
109	- if (pam_retval != PAM_SUCCESS)
110	- fatal("PAM pam_chauthtok failed[%d]: %.200s",
111	- pam_retval, PAM_STRERROR(__pamh, pam_retval));
112	- }
113	-}
114	-
115	/* Cleanly shutdown PAM */
116	void finish_pam(void)
117	{
118	diff -ur openssh-3.2.3p1/auth-pam.h openssh-3.2.3p1.new/auth-pam.h
119	--- openssh-3.2.3p1/auth-pam.h Thu Apr 4 21:02:28 2002
120	+++ openssh-3.2.3p1.new/auth-pam.h Fri Jun 28 14:46:18 2002
121	@@ -9,13 +9,12 @@
122	void finish_pam(void);
123	int auth_pam_password(Authctxt authctxt, const char password);
124	char **fetch_pam_environment(void);
125	-int do_pam_authenticate(int flags);
126	+int do_pam_authenticate(int flags, int can_age_pw_here);
127	int do_pam_account(char username, char remote_user);
128	void do_pam_session(char username, const char ttyname);
129	void do_pam_setcred(int init);
130	void print_pam_messages(void);
131	int is_pam_password_change_required(void);
132	-void do_pam_chauthtok(void);
133	void do_pam_set_conv(struct pam_conv *);
134	void message_cat(char *p, const char a);
135
136	diff -ur openssh-3.2.3p1/auth2-pam.c openssh-3.2.3p1.new/auth2-pam.c
137	--- openssh-3.2.3p1/auth2-pam.c Fri Jun 28 14:48:46 2002
138	+++ openssh-3.2.3p1.new/auth2-pam.c Fri Jun 28 14:46:18 2002
139	@@ -42,7 +42,7 @@
140
141	dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE,
142	&input_userauth_info_response_pam);
143	- retval = (do_pam_authenticate(0) == PAM_SUCCESS);
144	+ retval = (do_pam_authenticate(0, 1) == PAM_SUCCESS);
145	dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE, NULL);
146
147	return retval;
148	diff -ur openssh-3.2.3p1/session.c openssh-3.2.3p1.new/session.c
149	--- openssh-3.2.3p1/session.c Mon May 13 02:48:58 2002
150	+++ openssh-3.2.3p1.new/session.c Fri Jun 28 14:46:18 2002
151	@@ -645,17 +645,6 @@
152	options.verify_reverse_mapping),
153	(struct sockaddr *)&from);
154
155	-#ifdef USE_PAM
156	- /*
157	- * If password change is needed, do it now.
158	- * This needs to occur before the ~/.hushlogin check.
159	- */
160	- if (is_pam_password_change_required()) {
161	- print_pam_messages();
162	- do_pam_chauthtok();
163	- }
164	-#endif
165	-
166	if (check_quietlogin(s, command))
167	return;
168