#include "ssh.h"
#include "xmalloc.h"
#include "log.h"
+#include "auth.h"
#include "auth-pam.h"
#include "servconf.h"
#include "canohost.h"
* messages with into __pam_msg. This is used during initial
* authentication to bypass the normal PAM password prompt.
*
- * OTHER mode handles PAM_PROMPT_ECHO_OFF with read_passphrase(prompt, 1)
+ * OTHER mode handles PAM_PROMPT_ECHO_OFF with read_passphrase()
* and outputs messages to stderr. This mode is used if pam_chauthtok()
* is called to update expired passwords.
*/
char buf[1024];
/* PAM will free this later */
- reply = malloc(num_msg * sizeof(*reply));
- if (reply == NULL)
- return PAM_CONV_ERR;
+ reply = xmalloc(num_msg * sizeof(*reply));
for (count = 0; count < num_msg; count++) {
if (pamstate == INITIAL_LOGIN) {
*/
switch(PAM_MSG_MEMBER(msg, count, msg_style)) {
case PAM_PROMPT_ECHO_ON:
- free(reply);
+ xfree(reply);
return PAM_CONV_ERR;
case PAM_PROMPT_ECHO_OFF:
if (__pampasswd == NULL) {
- free(reply);
+ xfree(reply);
return PAM_CONV_ERR;
}
reply[count].resp = xstrdup(__pampasswd);
break;
case PAM_ERROR_MSG:
case PAM_TEXT_INFO:
- if ((*msg)[count].msg != NULL) {
+ if (PAM_MSG_MEMBER(msg, count, msg) != NULL) {
message_cat(&__pam_msg,
PAM_MSG_MEMBER(msg, count, msg));
}
reply[count].resp_retcode = PAM_SUCCESS;
break;
default:
- free(reply);
+ xfree(reply);
return PAM_CONV_ERR;
}
} else {
reply[count].resp_retcode = PAM_SUCCESS;
break;
case PAM_PROMPT_ECHO_OFF:
- reply[count].resp = xstrdup(
- read_passphrase(PAM_MSG_MEMBER(msg, count,
- msg), 1));
+ reply[count].resp =
+ read_passphrase(PAM_MSG_MEMBER(msg, count,
+ msg), RP_ALLOW_STDIN);
reply[count].resp_retcode = PAM_SUCCESS;
break;
case PAM_ERROR_MSG:
reply[count].resp_retcode = PAM_SUCCESS;
break;
default:
- free(reply);
+ xfree(reply);
return PAM_CONV_ERR;
}
}
}
/* Attempt password authentation using PAM */
-int auth_pam_password(struct passwd *pw, const char *password)
+int auth_pam_password(Authctxt *authctxt, const char *password)
{
extern ServerOptions options;
int pam_retval;
+ struct passwd *pw = authctxt->pw;
do_pam_set_conv(&conv);
__pampasswd = password;
pamstate = INITIAL_LOGIN;
- pam_retval = do_pam_authenticate(0);
+ pam_retval = do_pam_authenticate(
+ options.permit_empty_passwd == 0 ? PAM_DISALLOW_NULL_AUTHTOK : 0);
if (pam_retval == PAM_SUCCESS) {
debug("PAM Password authentication accepted for "
"user \"%.100s\"", pw->pw_name);
}
pam_retval = pam_acct_mgmt(__pamh, 0);
+ debug2("pam_acct_mgmt() = %d", pam_retval);
switch (pam_retval) {
case PAM_SUCCESS:
/* This is what we want */
break;
+#if 0
case PAM_NEW_AUTHTOK_REQD:
message_cat(&__pam_msg, NEW_AUTHTOK_MSG);
/* flag that password change is necessary */
password_change_required = 1;
break;
+#endif
default:
log("PAM rejected by account configuration[%d]: "
"%.200s", pam_retval, PAM_STRERROR(__pamh,
{
int pam_retval;
+ if (__pamh == NULL)
+ return;
+
do_pam_set_conv(&conv);
debug("PAM establishing creds");
fatal("PAM initialisation failed[%d]: %.200s",
pam_retval, PAM_STRERROR(__pamh, pam_retval));
- rhost = get_remote_name_or_ip(utmp_len, options.reverse_mapping_check);
+ rhost = get_remote_name_or_ip(utmp_len, options.verify_reverse_mapping);
debug("PAM setting rhost to \"%.200s\"", rhost);
pam_retval = pam_set_item(__pamh, PAM_RHOST, rhost);
* not even need one (for tty-less connections)
* Kludge: Set a fake PAM_TTY
*/
- pam_retval = pam_set_item(__pamh, PAM_TTY, "ssh");
+ pam_retval = pam_set_item(__pamh, PAM_TTY, "NODEVssh");
if (pam_retval != PAM_SUCCESS)
fatal("PAM set tty failed[%d]: %.200s",
pam_retval, PAM_STRERROR(__pamh, pam_retval));
andersk / openssh.git / blobdiff