d9d6f0a2 JR |
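diff -ur openssh-3.4p1.orig/auth-pam.c openssh-3.4p1/auth-pam.c
--- openssh-3.4p1.orig/auth-pam.c Wed May 8 06:27:56 2002
+++ openssh-3.4p1/auth-pam.c Fri Jul 5 23:39:24 2002
@@ -29,6 +29,7 @@
 #include "xmalloc.h"
 #include "log.h"
 #include "auth.h"
+#include "auth-options.h"
 #include "auth-pam.h"
 #include "servconf.h"
 #include "canohost.h"
@@ -36,10 +37,14 @@
 
 extern char *__progname;
 
+extern int use_privsep;
+
 RCSID("$Id$");
 
 #define NEW_AUTHTOK_MSG \
-"Warning: Your password has expired, please change it now"
+"Warning: Your password has expired, please change it now."
+#define NEW_AUTHTOK_MSG_PRIVSEP \
+"Your password has expired, the session cannot proceed."
 
 static int do_pam_conversation(int num_msg, const struct pam_message **msg,
 struct pam_response **resp, void *appdata_ptr);
@@ -55,7 +60,7 @@
 
 /* states for do_pam_conversation() */
 enum { INITIAL_LOGIN, OTHER } pamstate = INITIAL_LOGIN;
-/* remember whether pam_acct_mgmt() returned PAM_NEWAUTHTOK_REQD */
+/* remember whether pam_acct_mgmt() returned PAM_NEW_AUTHTOK_REQD */
 static int password_change_required = 0;
 /* remember whether the last pam_authenticate() succeeded or not */
 static int was_authenticated = 0;
@@ -254,13 +259,16 @@
 case PAM_SUCCESS:
 /* This is what we want */
 break;
-#if 0
 case PAM_NEW_AUTHTOK_REQD:
-message_cat(&__pam_msg, NEW_AUTHTOK_MSG);
+message_cat(&__pam_msg, use_privsep ?
+NEW_AUTHTOK_MSG_PRIVSEP : NEW_AUTHTOK_MSG);
 /* flag that password change is necessary */
 password_change_required = 1;
+/* disallow other functionality for now */
+no_port_forwarding_flag |= 2;
+no_agent_forwarding_flag |= 2;
+no_x11_forwarding_flag |= 2;
 break;
-#endif
 default:
 log("PAM rejected by account configuration[%d]: "
 "%.200s", pam_retval, PAM_STRERROR(__pamh,
@@ -328,7 +336,7 @@
 * Have user change authentication token if pam_acct_mgmt() indicated
 * it was expired. This needs to be called after an interactive
 * session is established and the user's pty is connected to
-* stdin/stout/stderr.
+* stdin/stdout/stderr.
 */
 void do_pam_chauthtok(void)
 {
@@ -337,11 +345,23 @@
 do_pam_set_conv(&conv);
 
 if (password_change_required) {
+if (use_privsep)
+fatal("Password changing is currently unsupported"
+" with privilege separation");
 pamstate = OTHER;
 pam_retval = pam_chauthtok(__pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
 if (pam_retval != PAM_SUCCESS)
 fatal("PAM pam_chauthtok failed[%d]: %.200s",
 pam_retval, PAM_STRERROR(__pamh, pam_retval));
+#if 0
+/* XXX: This would need to be done in the parent process,
+* but there's currently no way to pass such request. */
+no_port_forwarding_flag &= ~2;
+no_agent_forwarding_flag &= ~2;
+no_x11_forwarding_flag &= ~2;
+if (!no_port_forwarding_flag && options.allow_tcp_forwarding)
+channel_permit_all_opens();
+#endif
 }
 }
 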
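Review bot: In the last hunk the `#if 0` block means the forwarding bits set in do_pam_account (`|= 2`, fourth hunk) are never cleared, so a user who successfully changes an expired password in the non-privsep path keeps port, agent and X11 forwarding disabled for the rest of the session — fail-closed, but neither the header comment of do_pam_chauthtok nor the XXX note says so. The XXX note explains the privsep limitation only; the privsep path already `fatal()`s before reaching this code, so the clearing could presumably run as plain code instead of being compiled out, e.g. replacing `#if 0`/`#endif` with `if (!use_privsep) {`/`}` — please confirm the flags are local to the single sshd process in that mode before doing so, and otherwise add a sentence to the function comment stating that forwarding stays disabled after a password change. The bit value `2` is a magic number shared across both hunks with the authorized_keys options in auth-options.c; a named constant such as `#define FORWARDING_DISABLED_BY_PAM 2` used in both places would make the intent and the ownership of that bit explicit. do_pam_chauthtok begins outside this hunk.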