06ce5bf8 JR |
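diff -ur openssh-3.2.3p1/auth-pam.c openssh-3.2.3p1.new/auth-pam.c
--- openssh-3.2.3p1/auth-pam.c Wed May 8 04:27:56 2002
+++ openssh-3.2.3p1.new/auth-pam.c Fri Jun 28 14:48:26 2002
@@ -59,6 +59,7 @@
 static int password_change_required = 0;
 /* remember whether the last pam_authenticate() succeeded or not */
 static int was_authenticated = 0;
+static int acct_mgmt_retval = -1;
 
 /* Remember what has been initialised */
 static int session_opened = 0;
@@ -72,10 +73,40 @@
 }
 
 /* start an authentication run */
-int do_pam_authenticate(int flags)
+int do_pam_authenticate(int flags, int can_age_pw_here)
 {
 int retval = pam_authenticate(__pamh, flags);
+
+ was_authenticated = (retval == PAM_SUCCESS);
+ if (retval != PAM_SUCCESS)
+ return retval;
+
+ acct_mgmt_retval = pam_acct_mgmt(__pamh, 0);
+
+ if (acct_mgmt_retval == PAM_SUCCESS)
+ return PAM_SUCCESS;
+
+ was_authenticated = 0;
+ if (acct_mgmt_retval != PAM_NEW_AUTHTOK_REQD)
+ return acct_mgmt_retval;
+
+ /* (acct_mgmt_retval == PAM_NEW_AUTHTOK_REQD) */
+ /* PAM auth token (password) is expired */
+
+ /*
+ * USERAUTH_PASSWORD_CHANGEREQ is not currently
+ * supported. Password aged users using password
+ * userauth are thrown out here.
+ */
+ if (!can_age_pw_here)
+ return PAM_NEW_AUTHTOK_REQD;
+
+ debug("do_pam_authenticate() - doing password aging");
+ retval = pam_chauthtok(__pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
 was_authenticated = (retval == PAM_SUCCESS);
+ if (retval == PAM_SUCCESS)
+ acct_mgmt_retval = PAM_SUCCESS;
+
 return retval;
 }
 
@@ -220,7 +251,8 @@
 
 pamstate = INITIAL_LOGIN;
 pam_retval = do_pam_authenticate(
- options.permit_empty_passwd == 0 ? PAM_DISALLOW_NULL_AUTHTOK : 0);
+ options.permit_empty_passwd == 0 ? PAM_DISALLOW_NULL_AUTHTOK : 0,
+ 0);
 if (pam_retval == PAM_SUCCESS) {
 debug("PAM Password authentication accepted for "
 "user \"%.100s\"", pw->pw_name);
@@ -248,19 +280,22 @@
 PAM_STRERROR(__pamh, pam_retval));
 }
 
- pam_retval = pam_acct_mgmt(__pamh, 0);
+ /* do_pam_authenticate() may have called pam_acct_mgmt() already */
+ pam_retval = acct_mgmt_retval;
 debug2("pam_acct_mgmt() = %d", pam_retval);
+ if (pam_retval == -1)
+ pam_retval = pam_acct_mgmt(__pamh, 0);
+
 switch (pam_retval) {
 case PAM_SUCCESS:
 /* This is what we want */
 break;
-#if 0
 case PAM_NEW_AUTHTOK_REQD:
 message_cat(&__pam_msg, NEW_AUTHTOK_MSG);
 /* flag that password change is necessary */
 password_change_required = 1;
+ return(0); /* Sorry, no TTY password aging */
 break;
-#endif
 default:
 log("PAM rejected by account configuration[%d]: "
 "%.200s", pam_retval, PAM_STRERROR(__pamh,
@@ -324,27 +359,6 @@
 return password_change_required;
 }
 
-/*
- * Have user change authentication token if pam_acct_mgmt() indicated
- * it was expired. This needs to be called after an interactive
- * session is established and the user's pty is connected to
- * stdin/stout/stderr.
- */
-void do_pam_chauthtok(void)
-{
- int pam_retval;
-
- do_pam_set_conv(&conv);
-
- if (password_change_required) {
- pamstate = OTHER;
- pam_retval = pam_chauthtok(__pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
- if (pam_retval != PAM_SUCCESS)
- fatal("PAM pam_chauthtok failed[%d]: %.200s",
- pam_retval, PAM_STRERROR(__pamh, pam_retval));
- }
-}
-
 /* Cleanly shutdown PAM */
 void finish_pam(void)
 {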
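Review bot: In do_pam_account() the `debug2("pam_acct_mgmt() = %d", pam_retval);` line now runs before the fallback `if (pam_retval == -1) pam_retval = pam_acct_mgmt(__pamh, 0);`, so whenever no cached result exists the log records -1 instead of the real account-check verdict; move the debug2 call below the fallback block. The added `return(0); /* Sorry, no TTY password aging */` in the PAM_NEW_AUTHTOK_REQD case makes the `break;` after it unreachable, so the `break;` should go. The cached value in `acct_mgmt_retval` is never reset to -1 once consumed, so a later do_pam_account() call in the same process reuses the earlier verdict; if that is intended, say so on the declaration, e.g. `/* pam_acct_mgmt() result cached by do_pam_authenticate(); -1 = not yet called */`. do_pam_account() begins outside the hunk.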
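diff -ur openssh-3.2.3p1/auth-pam.h openssh-3.2.3p1.new/auth-pam.h
--- openssh-3.2.3p1/auth-pam.h Thu Apr 4 21:02:28 2002
+++ openssh-3.2.3p1.new/auth-pam.h Fri Jun 28 14:46:18 2002
@@ -9,13 +9,12 @@
 void finish_pam(void);
 int auth_pam_password(Authctxt *authctxt, const char *password);
 char **fetch_pam_environment(void);
-int do_pam_authenticate(int flags);
+int do_pam_authenticate(int flags, int can_age_pw_here);
 int do_pam_account(char *username, char *remote_user);
 void do_pam_session(char *username, const char *ttyname);
 void do_pam_setcred(int init);
 void print_pam_messages(void);
 int is_pam_password_change_required(void);
-void do_pam_chauthtok(void);
 void do_pam_set_conv(struct pam_conv *);
 void message_cat(char **p, const char *a);
 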
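Review bot: The new `can_age_pw_here` parameter on the `do_pam_authenticate` prototype is undocumented, and its meaning is only recoverable by reading auth-pam.c. A one-line comment above the prototype would spare callers that, e.g. `/* can_age_pw_here: nonzero lets an expired password be changed via pam_chauthtok() during authentication */`. It is also worth stating on the prototype that the function now performs the pam_acct_mgmt() check itself and that a non-PAM_SUCCESS return may come from that step rather than from pam_authenticate().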
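diff -ur openssh-3.2.3p1/auth2-pam.c openssh-3.2.3p1.new/auth2-pam.c
--- openssh-3.2.3p1/auth2-pam.c Fri Jun 28 14:48:46 2002
+++ openssh-3.2.3p1.new/auth2-pam.c Fri Jun 28 14:46:18 2002
@@ -42,7 +42,7 @@
 
 dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE,
 &input_userauth_info_response_pam);
- retval = (do_pam_authenticate(0) == PAM_SUCCESS);
+ retval = (do_pam_authenticate(0, 1) == PAM_SUCCESS);
 dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE, NULL);
 
 return retval;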
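Review bot: The bare `1` in `do_pam_authenticate(0, 1)` says nothing about why password aging is permitted for this caller while auth_pam_password() in auth-pam.c passes `0`; a comment on this line, e.g. `/* 1: an expired password may be changed within this authentication method */`, would make the two call sites readable side by side. Whether the SSH2_MSG_USERAUTH_INFO_RESPONSE handler set up just above can actually carry the extra pam_chauthtok() prompts is not visible in this hunk and should be confirmed before relying on it. The enclosing function begins outside the hunk.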
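diff -ur openssh-3.2.3p1/session.c openssh-3.2.3p1.new/session.c
--- openssh-3.2.3p1/session.c Mon May 13 02:48:58 2002
+++ openssh-3.2.3p1.new/session.c Fri Jun 28 14:46:18 2002
@@ -645,17 +645,6 @@
 options.verify_reverse_mapping),
 (struct sockaddr *)&from);
 
-#ifdef USE_PAM
- /*
- * If password change is needed, do it now.
- * This needs to occur before the ~/.hushlogin check.
- */
- if (is_pam_password_change_required()) {
- print_pam_messages();
- do_pam_chauthtok();
- }
-#endif
-
 if (check_quietlogin(s, command))
 return;
 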
165 | - | |
166 | if (check_quietlogin(s, command)) | |
167 | return; | |
168 |