- (djm) Disable PAM password expiry until a complete fix for bug #188 exists

[openssh.git] / auth-pam.c

diff --git a/auth-pam.c b/auth-pam.c
index be783f47c021d7de918415c41faa3ae8d62e5596..e8a9b77bc97a98ef6d62331c0519a4795cfc9b22 100644 (file)
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -28,6 +28,7 @@
 #include "ssh.h"
 #include "xmalloc.h"
 #include "log.h"
+#include "auth.h"
 #include "auth-pam.h"
 #include "servconf.h"
 #include "canohost.h"
@@ -87,7 +88,7 @@ int do_pam_authenticate(int flags)
  * messages with into __pam_msg.  This is used during initial
  * authentication to bypass the normal PAM password prompt.
  *
- * OTHER mode handles PAM_PROMPT_ECHO_OFF with read_passphrase(prompt, 1)
+ * OTHER mode handles PAM_PROMPT_ECHO_OFF with read_passphrase()
  * and outputs messages to stderr. This mode is used if pam_chauthtok()
  * is called to update expired passwords.
  */
@@ -146,9 +147,9 @@ static int do_pam_conversation(int num_msg, const struct pam_message **msg,
                                reply[count].resp_retcode = PAM_SUCCESS;
                                break;
                        case PAM_PROMPT_ECHO_OFF:
-                               reply[count].resp = xstrdup(
-                                   read_passphrase(PAM_MSG_MEMBER(msg, count, 
-                                   msg), 1));
+                               reply[count].resp = 
+                                   read_passphrase(PAM_MSG_MEMBER(msg, count,
+                                       msg), RP_ALLOW_STDIN);
                                reply[count].resp_retcode = PAM_SUCCESS;
                                break;
                        case PAM_ERROR_MSG:
@@ -199,10 +200,11 @@ void do_pam_cleanup_proc(void *context)
 }
 
 /* Attempt password authentation using PAM */
-int auth_pam_password(struct passwd *pw, const char *password)
+int auth_pam_password(Authctxt *authctxt, const char *password)
 {
        extern ServerOptions options;
        int pam_retval;
+       struct passwd *pw = authctxt->pw;
 
        do_pam_set_conv(&conv);
 
@@ -217,7 +219,8 @@ int auth_pam_password(struct passwd *pw, const char *password)
        __pampasswd = password;
 
        pamstate = INITIAL_LOGIN;
-       pam_retval = do_pam_authenticate(0);
+       pam_retval = do_pam_authenticate(
+           options.permit_empty_passwd == 0 ? PAM_DISALLOW_NULL_AUTHTOK : 0);
        if (pam_retval == PAM_SUCCESS) {
                debug("PAM Password authentication accepted for "
                    "user \"%.100s\"", pw->pw_name);
@@ -246,15 +249,18 @@ int do_pam_account(char *username, char *remote_user)
        }
 
        pam_retval = pam_acct_mgmt(__pamh, 0);
+       debug2("pam_acct_mgmt() = %d", pam_retval);
        switch (pam_retval) {
                case PAM_SUCCESS:
                        /* This is what we want */
                        break;
+#if 0
                case PAM_NEW_AUTHTOK_REQD:
                        message_cat(&__pam_msg, NEW_AUTHTOK_MSG);
                        /* flag that password change is necessary */
                        password_change_required = 1;
                        break;
+#endif
                default:
                        log("PAM rejected by account configuration[%d]: "
                            "%.200s", pam_retval, PAM_STRERROR(__pamh, 
@@ -359,7 +365,7 @@ void start_pam(const char *user)
                fatal("PAM initialisation failed[%d]: %.200s",
                    pam_retval, PAM_STRERROR(__pamh, pam_retval));
 
-       rhost = get_remote_name_or_ip(utmp_len, options.reverse_mapping_check);
+       rhost = get_remote_name_or_ip(utmp_len, options.verify_reverse_mapping);
        debug("PAM setting rhost to \"%.200s\"", rhost);
 
        pam_retval = pam_set_item(__pamh, PAM_RHOST, rhost);
@@ -374,7 +380,7 @@ void start_pam(const char *user)
         * not even need one (for tty-less connections)
         * Kludge: Set a fake PAM_TTY
         */
-       pam_retval = pam_set_item(__pamh, PAM_TTY, "ssh");
+       pam_retval = pam_set_item(__pamh, PAM_TTY, "NODEVssh");
        if (pam_retval != PAM_SUCCESS)
                fatal("PAM set tty failed[%d]: %.200s",
                    pam_retval, PAM_STRERROR(__pamh, pam_retval));