* messages with into __pam_msg. This is used during initial
* authentication to bypass the normal PAM password prompt.
*
- * OTHER mode handles PAM_PROMPT_ECHO_OFF with read_passphrase(prompt, 1)
+ * OTHER mode handles PAM_PROMPT_ECHO_OFF with read_passphrase()
* and outputs messages to stderr. This mode is used if pam_chauthtok()
* is called to update expired passwords.
*/
reply[count].resp_retcode = PAM_SUCCESS;
break;
case PAM_PROMPT_ECHO_OFF:
- reply[count].resp = xstrdup(
- read_passphrase(PAM_MSG_MEMBER(msg, count,
- msg), 1));
+ reply[count].resp =
+ read_passphrase(PAM_MSG_MEMBER(msg, count,
+ msg), RP_ALLOW_STDIN);
reply[count].resp_retcode = PAM_SUCCESS;
break;
case PAM_ERROR_MSG:
/* deny if no user. */
if (pw == NULL)
return 0;
- if (pw->pw_uid == 0 && options.permit_root_login == 2)
+ if (pw->pw_uid == 0 && options.permit_root_login == PERMIT_NO_PASSWD)
return 0;
if (*password == '\0' && options.permit_empty_passwd == 0)
return 0;
__pampasswd = password;
pamstate = INITIAL_LOGIN;
- pam_retval = do_pam_authenticate(0);
+ pam_retval = do_pam_authenticate(
+ options.permit_empty_passwd == 0 ? PAM_DISALLOW_NULL_AUTHTOK : 0);
if (pam_retval == PAM_SUCCESS) {
debug("PAM Password authentication accepted for "
"user \"%.100s\"", pw->pw_name);
fatal("PAM initialisation failed[%d]: %.200s",
pam_retval, PAM_STRERROR(__pamh, pam_retval));
- rhost = get_remote_name_or_ip(utmp_len, options.reverse_mapping_check);
+ rhost = get_remote_name_or_ip(utmp_len, options.verify_reverse_mapping);
debug("PAM setting rhost to \"%.200s\"", rhost);
pam_retval = pam_set_item(__pamh, PAM_RHOST, rhost);
* not even need one (for tty-less connections)
* Kludge: Set a fake PAM_TTY
*/
- pam_retval = pam_set_item(__pamh, PAM_TTY, "ssh");
+ pam_retval = pam_set_item(__pamh, PAM_TTY, "NODEVssh");
if (pam_retval != PAM_SUCCESS)
fatal("PAM set tty failed[%d]: %.200s",
pam_retval, PAM_STRERROR(__pamh, pam_retval));