- enhanced openssh-chroot.patch with UseChroot configuration option

[packages/openssh.git] / openssh-pam-age.patch

diff -ur openssh-3.2.3p1/auth-pam.c openssh-3.2.3p1.new/auth-pam.c
--- openssh-3.2.3p1/auth-pam.c  Wed May  8 04:27:56 2002
+++ openssh-3.2.3p1.new/auth-pam.c      Fri Jun 28 14:48:26 2002
@@ -59,6 +59,7 @@
 static int password_change_required = 0;
 /* remember whether the last pam_authenticate() succeeded or not */
 static int was_authenticated = 0;
+static int acct_mgmt_retval = -1;
 
 /* Remember what has been initialised */
 static int session_opened = 0;
@@ -72,10 +73,40 @@
 }
 
 /* start an authentication run */
-int do_pam_authenticate(int flags)
+int do_pam_authenticate(int flags, int can_age_pw_here)
 {
        int retval = pam_authenticate(__pamh, flags);
+
+       was_authenticated = (retval == PAM_SUCCESS);
+       if (retval != PAM_SUCCESS)
+               return retval;
+
+       acct_mgmt_retval = pam_acct_mgmt(__pamh, 0);
+
+       if (acct_mgmt_retval == PAM_SUCCESS)
+               return PAM_SUCCESS;
+
+       was_authenticated = 0;
+       if (acct_mgmt_retval != PAM_NEW_AUTHTOK_REQD)
+               return acct_mgmt_retval;
+
+       /* (acct_mgmt_retval == PAM_NEW_AUTHTOK_REQD) */
+       /* PAM auth token (password) is expired */
+
+       /*
+        * USERAUTH_PASSWORD_CHANGEREQ is not currently
+        * supported. Password aged users using password
+        * userauth are thrown out here.
+        */
+       if (!can_age_pw_here)
+               return PAM_NEW_AUTHTOK_REQD;
+
+       debug("do_pam_authenticate() - doing password aging");
+       retval = pam_chauthtok(__pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
        was_authenticated = (retval == PAM_SUCCESS);
+       if (retval == PAM_SUCCESS)
+               acct_mgmt_retval = PAM_SUCCESS;
+
        return retval;
 }
 
@@ -220,7 +251,8 @@
 
        pamstate = INITIAL_LOGIN;
        pam_retval = do_pam_authenticate(
-           options.permit_empty_passwd == 0 ? PAM_DISALLOW_NULL_AUTHTOK : 0);
+           options.permit_empty_passwd == 0 ? PAM_DISALLOW_NULL_AUTHTOK : 0,
+           0);
        if (pam_retval == PAM_SUCCESS) {
                debug("PAM Password authentication accepted for "
                    "user \"%.100s\"", pw->pw_name);
@@ -248,19 +280,22 @@
                            PAM_STRERROR(__pamh, pam_retval));
        }
 
-       pam_retval = pam_acct_mgmt(__pamh, 0);
+       /* do_pam_authenticate() may have called pam_acct_mgmt() already */
+       pam_retval = acct_mgmt_retval;
        debug2("pam_acct_mgmt() = %d", pam_retval);
+       if (pam_retval == -1)
+               pam_retval = pam_acct_mgmt(__pamh, 0);
+
        switch (pam_retval) {
                case PAM_SUCCESS:
                        /* This is what we want */
                        break;
-#if 0
                case PAM_NEW_AUTHTOK_REQD:
                        message_cat(&__pam_msg, NEW_AUTHTOK_MSG);
                        /* flag that password change is necessary */
                        password_change_required = 1;
+                       return(0); /* Sorry, no TTY password aging */
                        break;
-#endif
                default:
                        log("PAM rejected by account configuration[%d]: "
                            "%.200s", pam_retval, PAM_STRERROR(__pamh, 
@@ -324,27 +359,6 @@
        return password_change_required;
 }
 
-/*
- * Have user change authentication token if pam_acct_mgmt() indicated
- * it was expired.  This needs to be called after an interactive
- * session is established and the user's pty is connected to
- * stdin/stout/stderr.
- */
-void do_pam_chauthtok(void)
-{
-       int pam_retval;
-
-       do_pam_set_conv(&conv);
-
-       if (password_change_required) {
-               pamstate = OTHER;
-               pam_retval = pam_chauthtok(__pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
-               if (pam_retval != PAM_SUCCESS)
-                       fatal("PAM pam_chauthtok failed[%d]: %.200s",
-                           pam_retval, PAM_STRERROR(__pamh, pam_retval));
-       }
-}
-
 /* Cleanly shutdown PAM */
 void finish_pam(void)
 {
diff -ur openssh-3.2.3p1/auth-pam.h openssh-3.2.3p1.new/auth-pam.h
--- openssh-3.2.3p1/auth-pam.h  Thu Apr  4 21:02:28 2002
+++ openssh-3.2.3p1.new/auth-pam.h      Fri Jun 28 14:46:18 2002
@@ -9,13 +9,12 @@
 void finish_pam(void);
 int auth_pam_password(Authctxt *authctxt, const char *password);
 char **fetch_pam_environment(void);
-int do_pam_authenticate(int flags);
+int do_pam_authenticate(int flags, int can_age_pw_here);
 int do_pam_account(char *username, char *remote_user);
 void do_pam_session(char *username, const char *ttyname);
 void do_pam_setcred(int init);
 void print_pam_messages(void);
 int is_pam_password_change_required(void);
-void do_pam_chauthtok(void);
 void do_pam_set_conv(struct pam_conv *);
 void message_cat(char **p, const char *a);
 
diff -ur openssh-3.2.3p1/auth2-pam.c openssh-3.2.3p1.new/auth2-pam.c
--- openssh-3.2.3p1/auth2-pam.c Fri Jun 28 14:48:46 2002
+++ openssh-3.2.3p1.new/auth2-pam.c     Fri Jun 28 14:46:18 2002
@@ -42,7 +42,7 @@
 
        dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE,
            &input_userauth_info_response_pam);
-       retval = (do_pam_authenticate(0) == PAM_SUCCESS);
+       retval = (do_pam_authenticate(0, 1) == PAM_SUCCESS);
        dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE, NULL);
 
        return retval;
diff -ur openssh-3.2.3p1/session.c openssh-3.2.3p1.new/session.c
--- openssh-3.2.3p1/session.c   Mon May 13 02:48:58 2002
+++ openssh-3.2.3p1.new/session.c       Fri Jun 28 14:46:18 2002
@@ -645,17 +645,6 @@
                    options.verify_reverse_mapping),
                    (struct sockaddr *)&from);
 
-#ifdef USE_PAM
-       /*
-        * If password change is needed, do it now.
-        * This needs to occur before the ~/.hushlogin check.
-        */
-       if (is_pam_password_change_required()) {
-               print_pam_messages();
-               do_pam_chauthtok();
-       }
-#endif
-
        if (check_quietlogin(s, command))
                return;