extern ServerOptions options;
extern Buffer loginmsg;
extern int compat20;
+extern u_int utmp_len;
#ifdef USE_POSIX_THREADS
#include <pthread.h>
{
pid_t pid;
+ sshpam_thread_status = -1;
switch ((pid = fork())) {
case -1:
error("fork(): %s", strerror(errno));
static int sshpam_cred_established = 0;
static int sshpam_account_status = -1;
static char **sshpam_env = NULL;
-static int *force_pwchange;
+static Authctxt *sshpam_authctxt = NULL;
/* Some PAM implementations don't implement this */
#ifndef HAVE_PAM_GETENVLIST
pam_password_change_required(int reqd)
{
debug3("%s %d", __func__, reqd);
- *force_pwchange = reqd;
+ if (sshpam_authctxt == NULL)
+ fatal("%s: PAM authctxt not initialized", __func__);
+ sshpam_authctxt->force_pwchange = reqd;
if (reqd) {
no_port_forwarding_flag |= 2;
no_agent_forwarding_flag |= 2;
debug3("PAM: %s entering", __func__);
+#ifndef USE_POSIX_THREADS
/* Import variables set by do_pam_account */
sshpam_account_status = buffer_get_int(b);
pam_password_change_required(buffer_get_int(b));
}
#endif
}
+#endif
}
/*
sshpam_conv.conv = sshpam_thread_conv;
sshpam_conv.appdata_ptr = ctxt;
+ if (sshpam_authctxt == NULL)
+ fatal("%s: PAM authctxt not initialized", __func__);
+
buffer_init(&buffer);
sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
(const void *)&sshpam_conv);
if (compat20) {
if (!do_pam_account())
goto auth_fail;
- if (*force_pwchange) {
+ if (sshpam_authctxt->force_pwchange) {
sshpam_err = pam_chauthtok(sshpam_handle,
PAM_CHANGE_EXPIRED_AUTHTOK);
if (sshpam_err != PAM_SUCCESS)
#ifndef USE_POSIX_THREADS
/* Export variables set by do_pam_account */
buffer_put_int(&buffer, sshpam_account_status);
- buffer_put_int(&buffer, *force_pwchange);
+ buffer_put_int(&buffer, sshpam_authctxt->force_pwchange);
/* Export any environment strings set in child */
for(i = 0; environ[i] != NULL; i++)
}
static int
-sshpam_init(const char *user)
+sshpam_init(Authctxt *authctxt)
{
- extern u_int utmp_len;
extern char *__progname;
- const char *pam_rhost, *pam_user;
+ const char *pam_rhost, *pam_user, *user = authctxt->user;
if (sshpam_handle != NULL) {
/* We already have a PAM context; check if the user matches */
debug("PAM: initializing for \"%s\"", user);
sshpam_err =
pam_start(SSHD_PAM_SERVICE, user, &null_conv, &sshpam_handle);
+ sshpam_authctxt = authctxt;
+
if (sshpam_err != PAM_SUCCESS) {
pam_end(sshpam_handle, sshpam_err);
sshpam_handle = NULL;
return NULL;
/* Initialize PAM */
- if (sshpam_init(authctxt->user) == -1) {
+ if (sshpam_init(authctxt) == -1) {
error("PAM: initialization failed");
return (NULL);
}
ctxt = xmalloc(sizeof *ctxt);
memset(ctxt, 0, sizeof(*ctxt));
- force_pwchange = &(authctxt->force_pwchange);
-
/* Start the authentication thread */
if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC, socks) == -1) {
error("PAM: failed create sockets: %s", strerror(errno));
xfree(msg);
return (0);
}
- error("PAM: %s", msg);
+ error("PAM: %s for %s%.100s from %.100s", msg,
+ sshpam_authctxt->valid ? "" : "illegal user ",
+ sshpam_authctxt->user,
+ get_remote_name_or_ip(utmp_len, options.use_dns));
/* FALLTHROUGH */
default:
*num = 0;
* This replaces auth-pam.c
*/
void
-start_pam(const char *user)
+start_pam(Authctxt *authctxt)
{
if (!options.use_pam)
fatal("PAM: initialisation requested when UsePAM=no");
- if (sshpam_init(user) == -1)
+ if (sshpam_init(authctxt) == -1)
fatal("PAM: initialisation failed");
}