projects / packages / openssh.git / blame
| Commit | Line | Data |
|---|---|---|
| d9d6f0a2 JR |
1 | diff -ur openssh-3.4p1.orig/auth-pam.c openssh-3.4p1/auth-pam.c |
| 2 | --- openssh-3.4p1.orig/auth-pam.c Wed May 8 06:27:56 2002 | |
| 3 | +++ openssh-3.4p1/auth-pam.c Fri Jul 5 23:39:24 2002 | |
| 4 | @@ -29,6 +29,7 @@ | |
| 5 | #include "xmalloc.h" | |
| 6 | #include "log.h" | |
| 7 | #include "auth.h" | |
| 8 | +#include "auth-options.h" | |
| 9 | #include "auth-pam.h" | |
| 10 | #include "servconf.h" | |
| 11 | #include "canohost.h" | |
| 12 | @@ -36,10 +37,14 @@ | |
| 13 | ||
| 14 | extern char *__progname; | |
| 15 | ||
| 16 | +extern int use_privsep; | |
| 17 | + | |
| 18 | RCSID("$Id$"); | |
| 19 | ||
| 20 | #define NEW_AUTHTOK_MSG \ | |
| 21 | - "Warning: Your password has expired, please change it now" | |
| 22 | + "Warning: Your password has expired, please change it now." | |
| 23 | +#define NEW_AUTHTOK_MSG_PRIVSEP \ | |
| 24 | + "Your password has expired, the session cannot proceed." | |
| 25 | ||
| 26 | static int do_pam_conversation(int num_msg, const struct pam_message **msg, | |
| 27 | struct pam_response **resp, void *appdata_ptr); | |
| 28 | @@ -55,7 +60,7 @@ | |
| 29 | ||
| 30 | /* states for do_pam_conversation() */ | |
| 31 | enum { INITIAL_LOGIN, OTHER } pamstate = INITIAL_LOGIN; | |
| 32 | -/* remember whether pam_acct_mgmt() returned PAM_NEWAUTHTOK_REQD */ | |
| 33 | +/* remember whether pam_acct_mgmt() returned PAM_NEW_AUTHTOK_REQD */ | |
| 34 | static int password_change_required = 0; | |
| 35 | /* remember whether the last pam_authenticate() succeeded or not */ | |
| 36 | static int was_authenticated = 0; | |
| 37 | @@ -254,13 +259,16 @@ | |
| 38 | case PAM_SUCCESS: | |
| 39 | /* This is what we want */ | |
| 40 | break; | |
| 41 | -#if 0 | |
| 42 | case PAM_NEW_AUTHTOK_REQD: | |
| 43 | - message_cat(&__pam_msg, NEW_AUTHTOK_MSG); | |
| 44 | + message_cat(&__pam_msg, use_privsep ? | |
| 45 | + NEW_AUTHTOK_MSG_PRIVSEP : NEW_AUTHTOK_MSG); | |
| 46 | /* flag that password change is necessary */ | |
| 47 | password_change_required = 1; | |
| 48 | + /* disallow other functionality for now */ | |
| 49 | + no_port_forwarding_flag |= 2; | |
| 50 | + no_agent_forwarding_flag |= 2; | |
| 51 | + no_x11_forwarding_flag |= 2; | |
| 52 | break; | |
| 53 | -#endif | |
| 54 | default: | |
| 55 | log("PAM rejected by account configuration[%d]: " | |
| 56 | "%.200s", pam_retval, PAM_STRERROR(__pamh, | |
| 57 | @@ -328,7 +336,7 @@ | |
| 58 | * Have user change authentication token if pam_acct_mgmt() indicated | |
| 59 | * it was expired. This needs to be called after an interactive | |
| 60 | * session is established and the user's pty is connected to | |
| 61 | - * stdin/stout/stderr. | |
| 62 | + * stdin/stdout/stderr. | |
| 63 | */ | |
| 64 | void do_pam_chauthtok(void) | |
| 65 | { | |
| 66 | @@ -337,11 +345,23 @@ | |
| 67 | do_pam_set_conv(&conv); | |
| 68 | ||
| 69 | if (password_change_required) { | |
| 70 | + if (use_privsep) | |
| 71 | + fatal("Password changing is currently unsupported" | |
| 72 | + " with privilege separation"); | |
| 73 | pamstate = OTHER; | |
| 74 | pam_retval = pam_chauthtok(__pamh, PAM_CHANGE_EXPIRED_AUTHTOK); | |
| 75 | if (pam_retval != PAM_SUCCESS) | |
| 76 | fatal("PAM pam_chauthtok failed[%d]: %.200s", | |
| 77 | pam_retval, PAM_STRERROR(__pamh, pam_retval)); | |
| 78 | +#if 0 | |
| 79 | + /* XXX: This would need to be done in the parent process, | |
| 80 | + * but there's currently no way to pass such request. */ | |
| 81 | + no_port_forwarding_flag &= ~2; | |
| 82 | + no_agent_forwarding_flag &= ~2; | |
| 83 | + no_x11_forwarding_flag &= ~2; | |
| 84 | + if (!no_port_forwarding_flag && options.allow_tcp_forwarding) | |
| 85 | + channel_permit_all_opens(); | |
| 86 | +#endif | |
| 87 | } | |
| 88 | } | |
| 89 |