andersk Git - openssh.git/blame_incremental

... / ...

Commit	Line	Data
	1	/*-
	2	* Copyright (c) 2002 Networks Associates Technology, Inc.
	3	* All rights reserved.
	4	*
	5	* This software was developed for the FreeBSD Project by ThinkSec AS and
	6	* NAI Labs, the Security Research Division of Network Associates, Inc.
	7	* under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
	8	* DARPA CHATS research program.
	9	*
	10	* Redistribution and use in source and binary forms, with or without
	11	* modification, are permitted provided that the following conditions
	12	* are met:
	13	* 1. Redistributions of source code must retain the above copyright
	14	* notice, this list of conditions and the following disclaimer.
	15	* 2. Redistributions in binary form must reproduce the above copyright
	16	* notice, this list of conditions and the following disclaimer in the
	17	* documentation and/or other materials provided with the distribution.
	18	*
	19	* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
	20	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	21	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
	22	* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
	23	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
	24	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
	25	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
	26	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
	27	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
	28	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
	29	* SUCH DAMAGE.
	30	*/
	31
	32	/* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */
	33	#include "includes.h"
	34	RCSID("$Id$");
	35
	36	#ifdef USE_PAM
	37	#include <security/pam_appl.h>
	38
	39	#include "auth.h"
	40	#include "auth-pam.h"
	41	#include "buffer.h"
	42	#include "bufaux.h"
	43	#include "canohost.h"
	44	#include "log.h"
	45	#include "monitor_wrap.h"
	46	#include "msg.h"
	47	#include "packet.h"
	48	#include "readpass.h"
	49	#include "servconf.h"
	50	#include "ssh2.h"
	51	#include "xmalloc.h"
	52
	53	extern ServerOptions options;
	54
	55	#define __unused
	56
	57	#ifdef USE_POSIX_THREADS
	58	#include <pthread.h>
	59	/*
	60	* Avoid namespace clash when not using pthreads for systems with
	61	* pthreads, which unconditionally define pthread_t via sys/types.h
	62	* (e.g. Linux)
	63	*/
	64	typedef pthread_t sp_pthread_t;
	65	#else
	66	/*
	67	* Simulate threads with processes.
	68	*/
	69	typedef pid_t sp_pthread_t;
	70
	71	static void
	72	pthread_exit(void *value __unused)
	73	{
	74	_exit(0);
	75	}
	76
	77	static int
	78	pthread_create(sp_pthread_t thread, const void attr __unused,
	79	void (thread_start)(void ), void arg)
	80	{
	81	pid_t pid;
	82
	83	switch ((pid = fork())) {
	84	case -1:
	85	error("fork(): %s", strerror(errno));
	86	return (-1);
	87	case 0:
	88	thread_start(arg);
	89	_exit(1);
	90	default:
	91	*thread = pid;
	92	return (0);
	93	}
	94	}
	95
	96	static int
	97	pthread_cancel(sp_pthread_t thread)
	98	{
	99	return (kill(thread, SIGTERM));
	100	}
	101
	102	static int
	103	pthread_join(sp_pthread_t thread, void **value __unused)
	104	{
	105	int status;
	106
	107	waitpid(thread, &status, 0);
	108	return (status);
	109	}
	110	#endif
	111
	112
	113	static pam_handle_t *sshpam_handle;
	114	static int sshpam_err;
	115	static int sshpam_authenticated;
	116	static int sshpam_new_authtok_reqd;
	117	static int sshpam_session_open;
	118	static int sshpam_cred_established;
	119
	120	struct pam_ctxt {
	121	sp_pthread_t pam_thread;
	122	int pam_psock;
	123	int pam_csock;
	124	int pam_done;
	125	};
	126
	127	static void sshpam_free_ctx(void *);
	128
	129	/*
	130	* Conversation function for authentication thread.
	131	*/
	132	static int
	133	sshpam_thread_conv(int n,
	134	const struct pam_message **msg,
	135	struct pam_response **resp,
	136	void *data)
	137	{
	138	Buffer buffer;
	139	struct pam_ctxt *ctxt;
	140	int i;
	141
	142	ctxt = data;
	143	if (n <= 0 \|\| n > PAM_MAX_NUM_MSG)
	144	return (PAM_CONV_ERR);
	145	resp = xmalloc(n sizeof **resp);
	146	buffer_init(&buffer);
	147	for (i = 0; i < n; ++i) {
	148	resp[i]->resp_retcode = 0;
	149	resp[i]->resp = NULL;
	150	switch (PAM_MSG_MEMBER(msg, i, msg_style)) {
	151	case PAM_PROMPT_ECHO_OFF:
	152	buffer_put_cstring(&buffer, PAM_MSG_MEMBER(msg, i, msg));
	153	ssh_msg_send(ctxt->pam_csock,
	154	PAM_MSG_MEMBER(msg, i, msg_style), &buffer);
	155	ssh_msg_recv(ctxt->pam_csock, &buffer);
	156	if (buffer_get_char(&buffer) != PAM_AUTHTOK)
	157	goto fail;
	158	resp[i]->resp = buffer_get_string(&buffer, NULL);
	159	break;
	160	case PAM_PROMPT_ECHO_ON:
	161	buffer_put_cstring(&buffer, PAM_MSG_MEMBER(msg, i, msg));
	162	ssh_msg_send(ctxt->pam_csock,
	163	PAM_MSG_MEMBER(msg, i, msg_style), &buffer);
	164	ssh_msg_recv(ctxt->pam_csock, &buffer);
	165	if (buffer_get_char(&buffer) != PAM_AUTHTOK)
	166	goto fail;
	167	resp[i]->resp = buffer_get_string(&buffer, NULL);
	168	break;
	169	case PAM_ERROR_MSG:
	170	buffer_put_cstring(&buffer, PAM_MSG_MEMBER(msg, i, msg));
	171	ssh_msg_send(ctxt->pam_csock,
	172	PAM_MSG_MEMBER(msg, i, msg_style), &buffer);
	173	break;
	174	case PAM_TEXT_INFO:
	175	buffer_put_cstring(&buffer, PAM_MSG_MEMBER(msg, i, msg));
	176	ssh_msg_send(ctxt->pam_csock,
	177	PAM_MSG_MEMBER(msg, i, msg_style), &buffer);
	178	break;
	179	default:
	180	goto fail;
	181	}
	182	buffer_clear(&buffer);
	183	}
	184	buffer_free(&buffer);
	185	return (PAM_SUCCESS);
	186	fail:
	187	while (i)
	188	xfree(resp[--i]);
	189	xfree(*resp);
	190	*resp = NULL;
	191	buffer_free(&buffer);
	192	return (PAM_CONV_ERR);
	193	}
	194
	195	/*
	196	* Authentication thread.
	197	*/
	198	static void *
	199	sshpam_thread(void *ctxtp)
	200	{
	201	struct pam_ctxt *ctxt = ctxtp;
	202	Buffer buffer;
	203	struct pam_conv sshpam_conv = { sshpam_thread_conv, ctxt };
	204	#ifndef USE_POSIX_THREADS
	205	const char *pam_user;
	206
	207	pam_get_item(sshpam_handle, PAM_USER, (const void **)&pam_user);
	208	setproctitle("%s [pam]", pam_user);
	209	#endif
	210
	211	buffer_init(&buffer);
	212	sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
	213	(const void *)&sshpam_conv);
	214	if (sshpam_err != PAM_SUCCESS)
	215	goto auth_fail;
	216	sshpam_err = pam_authenticate(sshpam_handle, 0);
	217	if (sshpam_err != PAM_SUCCESS)
	218	goto auth_fail;
	219	sshpam_err = pam_acct_mgmt(sshpam_handle, 0);
	220	if (sshpam_err != PAM_SUCCESS && sshpam_err != PAM_NEW_AUTHTOK_REQD)
	221	goto auth_fail;
	222	buffer_put_cstring(&buffer, "OK");
	223	ssh_msg_send(ctxt->pam_csock, sshpam_err, &buffer);
	224	buffer_free(&buffer);
	225	pthread_exit(NULL);
	226
	227	auth_fail:
	228	buffer_put_cstring(&buffer,
	229	pam_strerror(sshpam_handle, sshpam_err));
	230	ssh_msg_send(ctxt->pam_csock, PAM_AUTH_ERR, &buffer);
	231	buffer_free(&buffer);
	232	pthread_exit(NULL);
	233
	234	return (NULL); /* Avoid warning for non-pthread case */
	235	}
	236
	237	static void
	238	sshpam_thread_cleanup(void *ctxtp)
	239	{
	240	struct pam_ctxt *ctxt = ctxtp;
	241
	242	pthread_cancel(ctxt->pam_thread);
	243	pthread_join(ctxt->pam_thread, NULL);
	244	close(ctxt->pam_psock);
	245	close(ctxt->pam_csock);
	246	}
	247
	248	static int
	249	sshpam_null_conv(int n,
	250	const struct pam_message **msg,
	251	struct pam_response **resp,
	252	void *data)
	253	{
	254
	255	return (PAM_CONV_ERR);
	256	}
	257
	258	static struct pam_conv null_conv = { sshpam_null_conv, NULL };
	259
	260	static void
	261	sshpam_cleanup(void *arg)
	262	{
	263	(void)arg;
	264	debug("PAM: cleanup");
	265	pam_set_item(sshpam_handle, PAM_CONV, (const void *)&null_conv);
	266	if (sshpam_cred_established) {
	267	pam_setcred(sshpam_handle, PAM_DELETE_CRED);
	268	sshpam_cred_established = 0;
	269	}
	270	if (sshpam_session_open) {
	271	pam_close_session(sshpam_handle, PAM_SILENT);
	272	sshpam_session_open = 0;
	273	}
	274	sshpam_authenticated = sshpam_new_authtok_reqd = 0;
	275	pam_end(sshpam_handle, sshpam_err);
	276	sshpam_handle = NULL;
	277	}
	278
	279	static int
	280	sshpam_init(const char *user)
	281	{
	282	extern u_int utmp_len;
	283	const char pam_rhost, pam_user;
	284
	285	if (sshpam_handle != NULL) {
	286	/* We already have a PAM context; check if the user matches */
	287	sshpam_err = pam_get_item(sshpam_handle,
	288	PAM_USER, (const void **)&pam_user);
	289	if (sshpam_err == PAM_SUCCESS && strcmp(user, pam_user) == 0)
	290	return (0);
	291	fatal_remove_cleanup(sshpam_cleanup, NULL);
	292	pam_end(sshpam_handle, sshpam_err);
	293	sshpam_handle = NULL;
	294	}
	295	debug("PAM: initializing for \"%s\"", user);
	296	sshpam_err = pam_start("sshd", user, &null_conv, &sshpam_handle);
	297	if (sshpam_err != PAM_SUCCESS) {
	298	pam_end(sshpam_handle, sshpam_err);
	299	sshpam_handle = NULL;
	300	return (-1);
	301	}
	302	pam_rhost = get_remote_name_or_ip(utmp_len,
	303	options.verify_reverse_mapping);
	304	debug("PAM: setting PAM_RHOST to \"%s\"", pam_rhost);
	305	sshpam_err = pam_set_item(sshpam_handle, PAM_RHOST, pam_rhost);
	306	if (sshpam_err != PAM_SUCCESS) {
	307	pam_end(sshpam_handle, sshpam_err);
	308	sshpam_handle = NULL;
	309	return (-1);
	310	}
	311	#ifdef PAM_TTY_KLUDGE
	312	/*
	313	* Some silly PAM modules (e.g. pam_time) require a TTY to operate.
	314	* sshd doesn't set the tty until too late in the auth process and
	315	* may not even set one (for tty-less connections)
	316	*/
	317	debug("PAM: setting PAM_TTY to \"ssh\"");
	318	sshpam_err = pam_set_item(sshpam_handle, PAM_TTY, "ssh");
	319	if (sshpam_err != PAM_SUCCESS) {
	320	pam_end(sshpam_handle, sshpam_err);
	321	sshpam_handle = NULL;
	322	return (-1);
	323	}
	324	#endif
	325	fatal_add_cleanup(sshpam_cleanup, NULL);
	326	return (0);
	327	}
	328
	329	static void *
	330	sshpam_init_ctx(Authctxt *authctxt)
	331	{
	332	struct pam_ctxt *ctxt;
	333	int socks[2];
	334
	335	/* Refuse to start if we don't have PAM enabled */
	336	if (!options.use_pam)
	337	return NULL;
	338
	339	/* Initialize PAM */
	340	if (sshpam_init(authctxt->user) == -1) {
	341	error("PAM: initialization failed");
	342	return (NULL);
	343	}
	344
	345	ctxt = xmalloc(sizeof *ctxt);
	346	ctxt->pam_done = 0;
	347
	348	/* Start the authentication thread */
	349	if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC, socks) == -1) {
	350	error("PAM: failed create sockets: %s", strerror(errno));
	351	xfree(ctxt);
	352	return (NULL);
	353	}
	354	ctxt->pam_psock = socks[0];
	355	ctxt->pam_csock = socks[1];
	356	if (pthread_create(&ctxt->pam_thread, NULL, sshpam_thread, ctxt) == -1) {
	357	error("PAM: failed to start authentication thread: %s",
	358	strerror(errno));
	359	close(socks[0]);
	360	close(socks[1]);
	361	xfree(ctxt);
	362	return (NULL);
	363	}
	364	fatal_add_cleanup(sshpam_thread_cleanup, ctxt);
	365	return (ctxt);
	366	}
	367
	368	static int
	369	sshpam_query(void ctx, char name, char *info,
	370	u_int num, char prompts, u_int echo_on)
	371	{
	372	Buffer buffer;
	373	struct pam_ctxt *ctxt = ctx;
	374	size_t plen;
	375	u_char type;
	376	char *msg;
	377
	378	buffer_init(&buffer);
	379	*name = xstrdup("");
	380	*info = xstrdup("");
	381	prompts = xmalloc(sizeof(char ));
	382	**prompts = NULL;
	383	plen = 0;
	384	*echo_on = xmalloc(sizeof(u_int));
	385	while (ssh_msg_recv(ctxt->pam_psock, &buffer) == 0) {
	386	type = buffer_get_char(&buffer);
	387	msg = buffer_get_string(&buffer, NULL);
	388	switch (type) {
	389	case PAM_PROMPT_ECHO_ON:
	390	case PAM_PROMPT_ECHO_OFF:
	391	*num = 1;
	392	prompts = xrealloc(prompts, plen + strlen(msg) + 1);
	393	plen += sprintf(**prompts + plen, "%s", msg);
	394	**echo_on = (type == PAM_PROMPT_ECHO_ON);
	395	xfree(msg);
	396	return (0);
	397	case PAM_ERROR_MSG:
	398	case PAM_TEXT_INFO:
	399	/* accumulate messages */
	400	prompts = xrealloc(prompts, plen + strlen(msg) + 1);
	401	plen += sprintf(**prompts + plen, "%s", msg);
	402	xfree(msg);
	403	break;
	404	case PAM_NEW_AUTHTOK_REQD:
	405	sshpam_new_authtok_reqd = 1;
	406	/* FALLTHROUGH */
	407	case PAM_SUCCESS:
	408	case PAM_AUTH_ERR:
	409	if (**prompts != NULL) {
	410	/* drain any accumulated messages */
	411	#if 0 /* XXX - not compatible with privsep */
	412	packet_start(SSH2_MSG_USERAUTH_BANNER);
	413	packet_put_cstring(**prompts);
	414	packet_put_cstring("");
	415	packet_send();
	416	packet_write_wait();
	417	#endif
	418	xfree(**prompts);
	419	**prompts = NULL;
	420	}
	421	if (type == PAM_SUCCESS) {
	422	*num = 0;
	423	**echo_on = 0;
	424	ctxt->pam_done = 1;
	425	xfree(msg);
	426	return (0);
	427	}
	428	error("PAM: %s", msg);
	429	default:
	430	*num = 0;
	431	**echo_on = 0;
	432	xfree(msg);
	433	ctxt->pam_done = -1;
	434	return (-1);
	435	}
	436	}
	437	return (-1);
	438	}
	439
	440	/* XXX - see also comment in auth-chall.c:verify_response */
	441	static int
	442	sshpam_respond(void ctx, u_int num, char *resp)
	443	{
	444	Buffer buffer;
	445	struct pam_ctxt *ctxt = ctx;
	446
	447	debug2("PAM: %s", __func__);
	448	switch (ctxt->pam_done) {
	449	case 1:
	450	sshpam_authenticated = 1;
	451	return (0);
	452	case 0:
	453	break;
	454	default:
	455	return (-1);
	456	}
	457	if (num != 1) {
	458	error("PAM: expected one response, got %u", num);
	459	return (-1);
	460	}
	461	buffer_init(&buffer);
	462	buffer_put_cstring(&buffer, *resp);
	463	ssh_msg_send(ctxt->pam_psock, PAM_AUTHTOK, &buffer);
	464	buffer_free(&buffer);
	465	return (1);
	466	}
	467
	468	static void
	469	sshpam_free_ctx(void *ctxtp)
	470	{
	471	struct pam_ctxt *ctxt = ctxtp;
	472
	473	fatal_remove_cleanup(sshpam_thread_cleanup, ctxt);
	474	sshpam_thread_cleanup(ctxtp);
	475	xfree(ctxt);
	476	/*
	477	* We don't call sshpam_cleanup() here because we may need the PAM
	478	* handle at a later stage, e.g. when setting up a session. It's
	479	* still on the cleanup list, so pam_end() will be called before
	480	* the server process terminates.
	481	*/
	482	}
	483
	484	KbdintDevice sshpam_device = {
	485	"pam",
	486	sshpam_init_ctx,
	487	sshpam_query,
	488	sshpam_respond,
	489	sshpam_free_ctx
	490	};
	491
	492	KbdintDevice mm_sshpam_device = {
	493	"pam",
	494	mm_sshpam_init_ctx,
	495	mm_sshpam_query,
	496	mm_sshpam_respond,
	497	mm_sshpam_free_ctx
	498	};
	499
	500	/*
	501	* This replaces auth-pam.c
	502	*/
	503	void
	504	start_pam(const char *user)
	505	{
	506	if (!options.use_pam)
	507	fatal("PAM: initialisation requested when UsePAM=no");
	508
	509	if (sshpam_init(user) == -1)
	510	fatal("PAM: initialisation failed");
	511	}
	512
	513	void
	514	finish_pam(void)
	515	{
	516	fatal_remove_cleanup(sshpam_cleanup, NULL);
	517	sshpam_cleanup(NULL);
	518	}
	519
	520	int
	521	do_pam_account(const char user, const char ruser)
	522	{
	523	/* XXX */
	524	return (1);
	525	}
	526
	527	void
	528	do_pam_session(const char user, const char tty)
	529	{
	530	sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
	531	(const void *)&null_conv);
	532	if (sshpam_err != PAM_SUCCESS)
	533	fatal("PAM: failed to set PAM_CONV: %s",
	534	pam_strerror(sshpam_handle, sshpam_err));
	535	debug("PAM: setting PAM_TTY to \"%s\"", tty);
	536	sshpam_err = pam_set_item(sshpam_handle, PAM_TTY, tty);
	537	if (sshpam_err != PAM_SUCCESS)
	538	fatal("PAM: failed to set PAM_TTY: %s",
	539	pam_strerror(sshpam_handle, sshpam_err));
	540	sshpam_err = pam_open_session(sshpam_handle, 0);
	541	if (sshpam_err != PAM_SUCCESS)
	542	fatal("PAM: pam_open_session(): %s",
	543	pam_strerror(sshpam_handle, sshpam_err));
	544	sshpam_session_open = 1;
	545	}
	546
	547	void
	548	do_pam_setcred(int init)
	549	{
	550	sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
	551	(const void *)&null_conv);
	552	if (sshpam_err != PAM_SUCCESS)
	553	fatal("PAM: failed to set PAM_CONV: %s",
	554	pam_strerror(sshpam_handle, sshpam_err));
	555	if (init) {
	556	debug("PAM: establishing credentials");
	557	sshpam_err = pam_setcred(sshpam_handle, PAM_ESTABLISH_CRED);
	558	} else {
	559	debug("PAM: reinitializing credentials");
	560	sshpam_err = pam_setcred(sshpam_handle, PAM_REINITIALIZE_CRED);
	561	}
	562	if (sshpam_err == PAM_SUCCESS) {
	563	sshpam_cred_established = 1;
	564	return;
	565	}
	566	if (sshpam_authenticated)
	567	fatal("PAM: pam_setcred(): %s",
	568	pam_strerror(sshpam_handle, sshpam_err));
	569	else
	570	debug("PAM: pam_setcred(): %s",
	571	pam_strerror(sshpam_handle, sshpam_err));
	572	}
	573
	574	int
	575	is_pam_password_change_required(void)
	576	{
	577	return (sshpam_new_authtok_reqd);
	578	}
	579
	580	static int
	581	pam_chauthtok_conv(int n,
	582	const struct pam_message **msg,
	583	struct pam_response **resp,
	584	void *data)
	585	{
	586	char input[PAM_MAX_MSG_SIZE];
	587	int i;
	588
	589	if (n <= 0 \|\| n > PAM_MAX_NUM_MSG)
	590	return (PAM_CONV_ERR);
	591	resp = xmalloc(n sizeof **resp);
	592	for (i = 0; i < n; ++i) {
	593	switch (PAM_MSG_MEMBER(msg, i, msg_style)) {
	594	case PAM_PROMPT_ECHO_OFF:
	595	resp[i]->resp =
	596	read_passphrase(PAM_MSG_MEMBER(msg, i, msg),
	597	RP_ALLOW_STDIN);
	598	resp[i]->resp_retcode = PAM_SUCCESS;
	599	break;
	600	case PAM_PROMPT_ECHO_ON:
	601	fputs(PAM_MSG_MEMBER(msg, i, msg), stderr);
	602	fgets(input, sizeof input, stdin);
	603	resp[i]->resp = xstrdup(input);
	604	resp[i]->resp_retcode = PAM_SUCCESS;
	605	break;
	606	case PAM_ERROR_MSG:
	607	case PAM_TEXT_INFO:
	608	fputs(PAM_MSG_MEMBER(msg, i, msg), stderr);
	609	resp[i]->resp_retcode = PAM_SUCCESS;
	610	break;
	611	default:
	612	goto fail;
	613	}
	614	}
	615	return (PAM_SUCCESS);
	616	fail:
	617	while (i)
	618	xfree(resp[--i]);
	619	xfree(*resp);
	620	*resp = NULL;
	621	return (PAM_CONV_ERR);
	622	}
	623
	624	/*
	625	* XXX this should be done in the authentication phase, but ssh1 doesn't
	626	* support that
	627	*/
	628	void
	629	do_pam_chauthtok(void)
	630	{
	631	struct pam_conv pam_conv = { pam_chauthtok_conv, NULL };
	632
	633	if (use_privsep)
	634	fatal("PAM: chauthtok not supprted with privsep");
	635	sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
	636	(const void *)&pam_conv);
	637	if (sshpam_err != PAM_SUCCESS)
	638	fatal("PAM: failed to set PAM_CONV: %s",
	639	pam_strerror(sshpam_handle, sshpam_err));
	640	debug("PAM: changing password");
	641	sshpam_err = pam_chauthtok(sshpam_handle, PAM_CHANGE_EXPIRED_AUTHTOK);
	642	if (sshpam_err != PAM_SUCCESS)
	643	fatal("PAM: pam_chauthtok(): %s",
	644	pam_strerror(sshpam_handle, sshpam_err));
	645	}
	646
	647	void
	648	print_pam_messages(void)
	649	{
	650	/* XXX */
	651	}
	652
	653	char **
	654	fetch_pam_environment(void)
	655	{
	656	#ifdef HAVE_PAM_GETENVLIST
	657	debug("PAM: retrieving environment");
	658	return (pam_getenvlist(sshpam_handle));
	659	#else
	660	return (NULL);
	661	#endif
	662	}
	663
	664	void
	665	free_pam_environment(char **env)
	666	{
	667	char **envp;
	668
	669	if (env == NULL)
	670	return;
	671
	672	for (envp = env; *envp; envp++)
	673	xfree(*envp);
	674	xfree(env);
	675	}
	676
	677	#endif /* USE_PAM */