+ pam_retval = pam_setcred(__pamh,
+ init ? PAM_ESTABLISH_CRED : PAM_REINITIALIZE_CRED);
+ if (pam_retval != PAM_SUCCESS) {
+ if (was_authenticated)
+ fatal("PAM setcred failed[%d]: %.200s",
+ pam_retval, PAM_STRERROR(__pamh, pam_retval));
+ else
+ debug("PAM setcred failed[%d]: %.200s",
+ pam_retval, PAM_STRERROR(__pamh, pam_retval));
+ } else
+ creds_set = 1;
+}
+
+/* accessor function for file scope static variable */
+int is_pam_password_change_required(void)
+{
+ return password_change_required;
+}
+
+/*
+ * Have user change authentication token if pam_acct_mgmt() indicated
+ * it was expired. This needs to be called after an interactive
+ * session is established and the user's pty is connected to
+ * stdin/stdout/stderr.
+ */
+void do_pam_chauthtok(void)
+{
+ int pam_retval;
+
+ do_pam_set_conv(&conv);
+
+ if (password_change_required) {
+ if (use_privsep)
+ fatal("Password changing is currently unsupported"
+ " with privilege separation");
+ pamstate = OTHER;
+ pam_retval = pam_chauthtok(__pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
+ if (pam_retval != PAM_SUCCESS)
+ fatal("PAM pam_chauthtok failed[%d]: %.200s",
+ pam_retval, PAM_STRERROR(__pamh, pam_retval));
+#if 0
+ /* XXX: This would need to be done in the parent process,
+ * but there's currently no way to pass such request. */
+ no_port_forwarding_flag &= ~2;
+ no_agent_forwarding_flag &= ~2;
+ no_x11_forwarding_flag &= ~2;
+ if (!no_port_forwarding_flag && options.allow_tcp_forwarding)
+ channel_permit_all_opens();
+#endif
+ }